How to make a standard in 10 days

    Welcome all! I work in the Information Security Department of LANIT , and I head the design and implementation department. In this article I want to share experience, how at the start of a career in a completely different company I prepared a standard for organizing the protection of personal data in medical institutions. This is a story about how to write 500 pages from scratch in 10 days, mistakes made and difficulties that have not been overcome. I hope my experience will help everyone who has the task of writing a guidance document, standard or law.

    A source

    Month to day X

    The year 2009 in the field of personal data security was a year of anticipation. Persistent rumors circulated that 152-FZ “On Personal Data”, adopted in 2006, was about to become binding. The market and operators were given time to prepare for the mandatory implementation of the law, and it expired. Nobody knew that the law would enter into force only in 2011, and both business and government agencies assumed that in the near future they would have to work long and hard to make it.

    One of the first who began to prepare was the agency that oversaw a huge layer of personal attention data operators - medical institutions that operate on patient health data, and therefore attention to such important information is increased. For brevity, I will call them medical facilities.

    As IT facilities are poorly developed, not to mention information security, they decided to create a standard for all medical institutions to protect personal data that could be used by people who are far from security and IT.

    Most of the guidelines for the protection of personal data were inaccessible to a wide range of people (the so-called “four-booked” with the stamp “For official use”, which only licensees could request), therefore, the option of creating detailed guidelines was optimal.

    In 2009, I was engaged in information security for only three years and was at the level of an experienced junior. He could boast of a couple of projects on personal data (which at that time was a great experience, because it was very difficult to convince the customer to fulfill the optional requirements) and was in a tough battle with one large research institute. Of course, the work of creating the standard went to me.

    A source

    Week to day X

    A week before the start of work, I discussed the upcoming task with the management and it was planned that another specialist would do it, but in the end I had to deal with it. Being young, I acted on the principle of “dementia and courage,” and it was this principle that played a key role in all the work. However, this is common to all specialists at a certain stage in their careers.

    How did my courage manifest in the project? I had to solve such a large-scale task solely on my own - it was like an attack “with drafts on tanks”.

    Much later, I participated in five similar projects, leading groups from 2 to 6 people. Now I can say with confidence: the optimal number of people for a similar task is 2 people, not counting the specialists involved, like technical writers. A total of five people should work in a team (2 analysts, technical writer, consultant and project manager). In my memory, there is a case when a team of five people did a similar job for 9 months.

    Dementia, however, consisted in the periods of work indicated by me — 10 days, which instead of workers became calendar. The underestimation of complexity almost became fatal. This time, courage triumphed, but the path was difficult.

    A source

    1-3 day of work

    Since I had not done anything like this before, I decided to use the existing methods for creating documents. Remembering the largest document that I had written at that time - my diploma, I decided to start from the beginning and finish at the end.

    The first document was “ Methodological recommendations for compiling a Private model of threats to the security of personal data ”. (By the way, all documents can be found on the Internet ). I worked most with threat models, and this task was the most understandable. This was the first mistake.

    Without going into details, I needed to describe three successive stages of protecting personal data:

    1. survey
    2. threat modeling
    3. creation of a set of organizational and regulatory documents.

    Of course, I began to describe in the middle what turned into big problems for 7-10 days.

    The second mistake was to use the consistent principle of writing documents. This is when the title page first, then the table of contents, the list of abbreviations, the introductory part, etc. It doesn’t work, at some point you will definitely fall into a “creative dead end”, most often it comes to section 3-5, when you understand where you came from and where you want to come, but it’s not clear how.

    It was funny with the cuts that were immediately made. So that there is at least some continuity with the current regulatory framework, I copied the abbreviations from the documents of the regulator, and there remained the abbreviation “TKUI - technical channels of information leakage”, which is not found anywhere in the text.

    Life hack: to make the list of abbreviations relevant, use three simple steps while writing:

    1. As soon as you need to make an abbreviation, write in the format "(hereinafter -)". For example, a mandatory abbreviation in the text (hereinafter - OST).
    2. Keep open a separate Excel file, where you enter all the abbreviations (without decryption).
    3. When the text is written, rank the list from A to Z in the Excel and look at the quantity, and in the text you search for the entry "(hereinafter -)". If the numbers match, congratulations - you have an up-to-date list of abbreviations.

    When working with abbreviations, do not use more than three letters. Anything different from this looks awful and poorly remembered. At least in safety, where, as in the army, he rules all TBS.

    Result: 1 file with a volume of 20 pages and several tags in Excel.

    4-6 work day

    After the first days of a quiet regime, I had to plunge into the pool of caffeine and nicotine (now I, of course, are for healthy lifestyle). Firstly, sound work was done - the terms of reference were read. In principle, before it was clear what needed to be done, but the details were important.

    The key words were “guidelines”, i.e. a sequence of actions for people who are new to the subject. It will be either the head physician of the health facility or the secretary. Therefore, I decided that I need to describe all the possible options so that the user does not have the right to uncertainty: either red, or green, or warm, or soft.

    At that moment I worked on a threat model and immediately made tables for all possible types of information systems (I had 10 of them), wrote threats and did other obscure things that were interesting only in the context of protecting personal data.

    After indicating the names of the threats in the plate, it became clear that somewhere there should be a general description of the threats themselves, then that our 10 types of information systems are also good to describe somewhere. So, moving step by step, filled the document.

    In the process, he came to the principle of “reverse movement”, when at the beginning the result is written, which is the essence and purpose of the document, and then iteratively everything that should lead to it.

    In general:

    • result;
    • methodology for achieving the result;
    • description.

    The principle turned out to be quite tenacious. Using it, you can write reports, starting with conclusions, or information security policies, starting with the main activities.

    Much later, I supplemented this method with the concept of “improved JPEG”, which says that work, depending on the term, should always be 100% ready, the only difference is the degree of detail. If someone found the times of the slow Internet, then the usual JPG was displayed as it loaded (the same consistent way of writing documents) from top to bottom, and the entire JPEG image was uploaded and improved its clarity.

    One problem - applying the concept of “advanced JPEG” head-on does not work for complex documents (at least for me). With direct application, you create sections in a new document and write what they are about, expanding the description as you work through it. In standards and tricky techniques, this does not work, which I encountered in the next step.

    The fact is that you can not foresee everything in advance. The concept of presentation can change several times in the process, and change dramatically. Therefore, if you fill out a document with something larger than headings (for example, give explanations, etc.), then you will end up with the fact that you need not just to rearrange several sentences in places (the same headings), but to edit, divide and supplement those very explanations. Believe me, this is very dreary.

    Since the guidelines describing all possible outcomes are of the same type, they should coincide in structure and description logic. It will look strange if in one type there is a structure of the system, and in the other - no. In general, if a user has two types of information systems, he is less likely to get confused in descriptions of the same structure.

    No sooner said than done. I took the most detailed description that I had for a system that included everything (in my case, a distributed information system of type II), and copied it to other types. I reasoned that removing superfluous (and other types of systems were a subset of a distributed type II IP) is easier than adding. Of course, this was not the case. I had to not only remove the excess, but also to add features of a particular type. As a result, a lot of time was spent on checking, rechecking and catching contradictions. In subsequent works, I began to act exactly the opposite - to describe the minimum necessary, adding specificity.

    It took 5 days to create the threat model, and I proceeded to the second document.

    Taught by bitter experience, he first of all created applications that users would have to fill out for themselves, and then proceeded to describe how to organize this filling.

    The result is a ready-made technique for threat models plus half the applications.

    7-9 work day

    It was a time of euphoria, a plan developed in my head, purely mechanical work remained - just do what you add applications and describe correctly. The trouble came from where they did not wait, even two.


    I killed a significant part of the time for processing and re-issuing a bunch of documents. I wanted to do everything beautifully, so I immediately put down internal links to sections and external files. Of course, as soon as there was a need for adjustments (insert a new application, rewrite the document, etc.), all this entailed an alteration of the whole design.

    I don’t remember what I was thinking then, but it seemed to me so important that after each structural change I was engaged in the design and permutation of links. I guess it seemed to me that this particular change would definitely be the last, now I’ll quickly redo it and go to work on others.

    With the acquisition of experience, I began to make colored stubs. Link to section 4, appendix 5 (track number), etc.

    The second trouble was the terminology. The coordination of terms and definitions for all documents took a lot of time. I constantly had to scour the pages to clarify a particular wording (I did everything on one monitor, and, believe me, it was not easy). This is an inevitable evil, gradually your vocabulary will replenish the corresponding severity of clerks, and most of your definitions will be consistent.

    On the ninth day of work, everything was ready - two recommendation files with applications. It remained to finish the little things.

    10 day work

    Having finished the little things, I decided to re-read everything again - to correct errors, to catch small jambs, etc. And then I wanted to do my job even better, so that it was more understandable. I decided to reflect the information from the summary tables in the threat description (all of these are “unlikely to be realized”). What for? Why? Here, I wanted to.

    I started to add, one began to cling to another, and then the resulting tables would be nice to fix ... It seemed to be more beautiful, but the task of proofreading was completely failed. Therefore, do not strive for excellence, you can improve something endlessly, but hardly anyone will appreciate it.

    And for proofreading time and effort must be left. That is why the optimal number of people in the team is two. No longer worth it. When five people solved the similar problem for education in six months, we killed a lot of time for coordination, grinding in parts written by different people, general terminology, proofreading, etc.


    If you are a titan of thought, then you can try to work alone. But keep in mind that when you write 500,000 characters, your eyes will be blurred and it will seem that you are reading one thing, but in fact it is written completely different. Funny and sad.

    I passed the work on time and went to sleep. Later, it was necessary to coordinate documents with the regulator and correct errors. As a result, these recommendations have spread widely and individual parts are present in the vast majority of sets of documents on personal data. After I did a similar job for education and nuclear power. But this is a completely different story.

    PS Brief memo for the brave

    1. Read the terms of reference.
    2. Do not break the sequence of work stages.
    3. Inside the stage, move from the result to the methodology, and then to the definitions.
    4. Complementing the small is easier than cutting the large.
    5. Design last.
    6. Put the links inside the document in the penultimate step.
    7. Take time to recheck.

    A source

    Also popular now: