Protecting personal data under the new FSTEC order: more answers or more questions?

    On May 15, 2013, the Ministry of Justice finally registered the long-awaited FSTEC Order No. 21 of February 18, 2013, "On the approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems".

    Why "long-awaited"? Because from the moment RF Government Decree No. 1119 (November 1, 2012) was released, every question about the technical protection of personal data hung in limbo. The new decree abolished the old classes of personal data information systems (ISPDn) and introduced the concept of "ISPDn security levels", but how and with what to protect the data in each particular case was supposed to be answered by the new FSTEC order, which we waited about six months for.

    Immediately after the new order was published on the Internet, a wave of enthusiastic reviews swept over it: this, they said, is a huge step forward for personal data protection legislation. To some extent it really is (the previous documents were obsolete the day they came out and ignored many aspects of how modern information systems work: mobile platforms, virtualization, and so on), but personally I have a lot of complaints about the new document.

    In this article I will try to analyze the new FSTEC document in plain language, weigh its pros and cons, and answer the question "what should personal data operators do now?"

    What the document is about

    In general, this really is a step forward in lawmaking on personal data protection. At last the list of measures mentions mobile devices and virtualization tools, which earlier legislators carefully avoided. And at last there is no rule like the one in the previous order: "If you have a class 1 ISPDn, you must spend n money on information protection tools; if class 2, then n-m money; if class 3, then n-m-k money."

    Now the situation is this: there are 15 groups of technical and organizational measures, each group containing from 2 to 20 measures, and next to each measure it is noted whether the measure is basic (below I will call such measures conditionally mandatory) for a given security level: a plus means the measure is basic, no plus means it is compensating. Note that many measures in the list can only be compensating, that is, they are not marked with a plus for any of the four security levels.

    The personal data operator follows this algorithm:
    - determines the security level of its ISPDn according to PP 1119;
    - selects all measures marked with a plus for that security level (the basic measures);
    - removes from the list the measures tied to technologies not used in the ISPDn (for example, removes the measures protecting the virtual infrastructure if virtualization tools are not used);
    - compares the resulting list of measures against the actual threats in the threat model; if the selected measures do not neutralize all actual threats, adds the compensating measures needed to neutralize the remaining ones;
    - adds the measures defined in other normative acts (for example, PP No. 1119 contains a small number of measures, and FZ-152 contains general requirements), and thereby obtains the final list of measures to be implemented;
    - implements the measures from the final list ...
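    The selection procedure above, modelled as a small Python program (an added illustration, not part of the original article or of the order itself). The measure codes, the applicability table, the technology tags and the threat identifiers are all constructed for the example and do not reproduce the contents of Order No. 21; only the two measures quoted in the article (employee authentication for all levels, virtual-infrastructure segmentation for level 3 and stricter) follow the text.

```python
# Added example: models the operator's measure-selection algorithm.
# All codes (M-1 ...), threat ids (T-...) and technology tags are constructed.
from dataclasses import dataclass

LEVELS = (1, 2, 3, 4)  # security levels per PP 1119; level 1 is the strictest


@dataclass(frozen=True)
class Measure:
    code: str
    text: str
    basic_for: frozenset            # levels for which the table shows a "+"
    needs: frozenset = frozenset()  # technologies the measure only applies to
    neutralises: frozenset = frozenset()  # threat ids the measure addresses


# Constructed catalogue standing in for the 15 groups of the order's appendix.
CATALOGUE = [
    Measure("M-1", "Identification and authentication of the operator's employees",
            frozenset(LEVELS), neutralises=frozenset({"T-unauth-access"})),
    Measure("M-2", "Segmentation of the virtual infrastructure per user/group",
            frozenset({1, 2, 3}), needs=frozenset({"virtualization"}),
            neutralises=frozenset({"T-vm-escape"})),
    Measure("M-3", "Mobile device protection", frozenset({1, 2}),
            needs=frozenset({"mobile"}), neutralises=frozenset({"T-lost-device"})),
    Measure("M-4", "Antivirus protection", frozenset(LEVELS),
            neutralises=frozenset({"T-malware"})),
    # No plus for any level: can only be used as a compensating measure.
    Measure("M-5", "Backup of personal data", frozenset(),
            neutralises=frozenset({"T-data-loss"})),
]


def select_measures(level, technologies, actual_threats, extra=()):
    """Return (final list of measure codes, threats still not neutralised)."""
    basic = [m for m in CATALOGUE if level in m.basic_for]        # step 2
    adapted = [m for m in basic if m.needs <= technologies]       # step 3
    remaining = set(actual_threats)
    for m in adapted:
        remaining -= m.neutralises
    compensating = []                                             # step 4
    for m in CATALOGUE:
        if m not in adapted and m.needs <= technologies and m.neutralises & remaining:
            compensating.append(m)
            remaining -= m.neutralises
    # step 5: measures from other normative acts are passed in as `extra`
    final = [m.code for m in adapted + compensating] + list(extra)
    return final, remaining  # a non-empty `remaining` means the threat model is not covered
```

If `remaining` is not empty, no measure in the catalogue that fits the technologies in use addresses that threat, which is exactly the gap the operator must document before the inspector finds it.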

    Everything seems simple: determine the security level, draw up a threat model, select and refine the measures from the new FSTEC order, implement them, and nobody will be able to find fault. But...

    A fly in the ointment

    This is where the criticism begins, both of the new document and of the rest of the legislation as a whole.

    The problems of FSTEC Order No. 21 are the same as those of many other legislative documents: vague wording, text open to two interpretations, and no explanations where they are vital.

    One can judge how thoroughly the document was prepared, and how many times it was re-read and edited over the past six months, by the fact that after the fourth paragraph the order goes straight to the sixth... Well, okay, that is nit-picking, but still.

    The misunderstandings start with a classic of the genre that goes back to time immemorial. Clause 2 of the document states that organizations licensed for the technical protection of confidential information (TZKI) "may" be involved in work on the protection of personal data.
    This phrase has wandered from one FSTEC document to another for a long time, but there is still no clear answer as to what that "may" means. Naturally, cunning integrators read it as "operators may involve third-party organizations if they do not have a TZKI license themselves." Formally they are right: if you dig through the other normative acts, it turns out that even a trivial antivirus installation falls under TZKI, and the TZKI licensing regulation contains no reservation that a license is not needed when the work is done for one's own needs. But operators do not like to throw money away and, unfortunately for the cunning integrators, apply common sense and read the sentence as "they may involve a third party, but they may also do it themselves." This is the first place where it would not hurt to spell out the conditions for involving third-party organizations.

    Moving on. Paragraph 3 tells us that security measures should be aimed at neutralizing actual security threats. On the other hand, FZ-152 tells us that organizational and technical measures are applied to fulfill the requirements for the protection of personal data. So which is it: do we have freedom, or yet another obligation? Again, clarification is needed.

    Further. The sixth paragraph states that once every 3 years the operator, alone or with the involvement of third-party organizations, must evaluate the effectiveness of the implemented PD protection measures. It is the same story as with the assessment of harm to the personal data subject in 152-FZ: the assessment must be carried out, but there is no methodology for carrying it out. Or is the effectiveness assessment perhaps a substitute for certification of the information system? If so, why can the operator conduct it independently without a TZKI license?

    The tenth paragraph of the document looks very promising at first glance. It says: "If it is technically impossible to implement individual selected measures to ensure the security of personal data, and also taking economic feasibility into account, other (compensating) measures aimed at neutralizing actual threats to the security of personal data may be developed at the stages of adapting the basic set of measures and (or) clarifying the adapted basic set of measures."

    It would seem that here it is: cite economic infeasibility and do not buy any certified protection tools at all. But the very next paragraph brings us out of that state of euphoria: "In this case, during the development of the personal data protection system, a rationale for the use of compensating measures to ensure the security of personal data must be provided."

    That is, it will not work to simply tell the inspector, "The guys and I thought it over and decided that implementing certified SZI was too expensive, so we installed a free Chinese antivirus." You have to produce some papers justifying the use of other measures instead of the basic ones. How do you justify it? So far the only thing I can think of is a risk analysis procedure in line with ISO 27001, which, if a third-party organization is hired for the purpose, can itself cost a pretty penny. Besides, it is by no means certain that the risk analysis will show that implementing certified SZI is economically infeasible...

    And so we reach the main part of the document: the appendix with the list of measures. Here, too, things are not as simple as we would like. The measures are divided into groups and conveniently numbered, and the convenient columns of pluses show whether a given measure is conditionally mandatory in a given case. Nevertheless, after studying the table of measures a sense of uncertainty remains. For example, paragraph four of the main text of the order no longer seems to oblige you to use only certified SZI. That is good. But the same paragraph does not say in plain text that you may use non-certified SZI, or no SZI at all. Here is how it reads verbatim:
    Measures to ensure the security of personal data are implemented, including through the use of information protection tools in the information system that have passed the conformity assessment procedure in the prescribed manner, in cases where the use of such tools is necessary to neutralize actual threats to the security of personal data.

    At the same time, the first measure, conditionally mandatory for all security levels, is: "Identification and authentication of users who are the operator's employees". Clearly this measure can be implemented with the built-in means of any OS, and the fourth paragraph does not seem to oblige you to use something like Secret Net or Dallas Lock. But where is the guarantee that the inspector will not come and say, "You misunderstood everything, there should be certified SZI here, here is your prescription"? Who decides whether certified SZI is necessary to neutralize a specific threat, or whether it can be dispensed with? Why not write in plain text that certified SZI is not required, or is required only in certain specific cases?

    The wording of the measures themselves is also sometimes very interesting. For example, a conditionally mandatory measure for virtualization environments at security level 3 and stricter:
    "Dividing the virtual infrastructure into segments for processing personal data by an individual user and/or group of users."

    Segment it by what principle? And to what end? Of course, when refining or adapting the set of measures we can remove this measure from the list, but again, what if the inspector says, "You misunderstood everything..."?

    I really hope that someday FSTEC representatives will give official clarifications on the controversial points.

    Instead of a conclusion

    Overall, FSTEC's attempts to give operators more freedom of action in choosing a personal data protection strategy are noticeable, but the vagueness and uncertainty of the wording, combined with the unclear position of the regulator itself on the controversial points, are cause for concern.

    So what should operators do now?

    Those who have already protected their ISPDn in the "old style" should slightly revise their documentation to bring it in line with the current legislation. In any case, your protection system will most likely comply with the new document in technical terms as well, since the old requirements were stricter.

    Everyone else should classify their ISPDn, build a threat model, compile a list of measures and, as far as possible, implement them. And keep an eye on all news regarding regulatory clarifications, inspection practice, expert opinions and general trends in the development of legislation in this area.
