Personal data protection - implementation experience

As everyone interested in FZ-152 “On Personal Data” remembers, it was adopted back in 2006. The introduction of the Law was delayed for a long time, but once it had to earn. July 1, 2011 it happened.
For us (the state office, a base of approximately 20,000 people at that time), the problem rose in 2008.
At the initial stage, not too much, but then as in a fairy tale: "The farther, the worse."

The first stage is the initial Orgmer.

- An inscription appeared in small letters in each letterhead type paper (in order to keep the previous form size) - “I express my consent to the necessary use of my personal data, including in information systems”.
- In applications for child allowances, an addition was made about minor children.
- Also, separate Applications were taken with the consent of the provision and transfer of data from other institutions (Pension Fund, NPF, etc.).

A lot of papers and very little equipment
The second stage is the development of the correct documentation.
2009 was approaching and it was known that the Law would be postponed again. No funding. No one is in a hurry. You can develop documentation. The higher office gave samples of the following documents:

  • Order on the appointment of officials responsible for the protection of restricted access information that does not contain state secrets;
  • An order to determine the controlled area in which the nodes of the automated system are located designed to process information of limited access that does not contain state secrets;
  • Order prohibiting the processing of restricted access information at non-certified informatization facilities
  • Instructions for the operation of information security facilities of an object of computer technology;
  • Instructions for installing new and modifying the software used on an automated system that processes information of limited access;
  • Instructions for organizing anti-virus protection on an automated system that processes information of limited access;
  • Instructions to the administrator of information security of an automated system that processes information of limited access;
  • Instructions for making changes to the lists of users and granting them authority to access the resources of an automated system that processes information of limited access;
  • Instructions for organizing password protection of an automated system;
  • Instructions for organizing data backup of an automated system processing information of limited access;
  • Instructions to the user of the automated system.
  • Matrix of access to protected resources of the automated system;
  • Technical passport for speakers;
  • Journal of access to work in an automated system that processes information of limited access;
  • Magazine of accounting and issuance of computer storage media designed to store information of limited access that does not contain state secrets;
  • Journal of accounting for information security;
  • Application form for entering speakers;
  • The form of the Act on the performance of technical work at nuclear facilities;
  • List of confidential information;
  • The list of protected information resources;
  • Description of the technological process of information processing in a dedicated local area network;
  • Switching scheme of a dedicated local area network;
  • List of persons allowed to work independently in the AU.

The third stage is the purchase of technical means of information protection.
It’s more correct to say that the head office bought it, we then only took it. The result was:
- Dallas workstations
- Vipnet coordinator for secure access by IP-MPLS link for higher office.
- Jammers
- Windows Server certification has been carried out (this is discussed here)

The fourth stage is mental and physical work.
The protected automated system must be physically protected as well. Here the move of the department working with personal data to another floor turned up very successfully. This department was in a limited room, one of the offices was selected for the server room. As a result, two cables (primary and backup) exit the floor to the router. The computer was formatted, installed a clean updated Windows, office, antivirus, work program. In October 2009, guys from St. Petersburg arrived. They installed Dallas, jammers, set up a vipnet, made all measurements, adjusted the documentation.

The fifth stage is completion.
At the end of October 2009, an internal commission for the protection of personal data gathered. Responsible persons were appointed, who had to prepare documents for a week and carry out work to protect personal data (the same ones that are listed from the second stage). For a week, those responsible did everything. And the commission gladly accepted the secure system into operation. Soon a certificate was obtained for three years, on which it all ended.

It is clear that in reality not everything has ended.
For example, a protected system is a single software and hardware complex. You won’t change the mouse. But once a year, you can call the certifier to verify compliance with all protection indicators. A certifier has the right to change existing documents. So the mouse really change.
Well, the modern idea of ​​electronic interagency interaction. The idea is good. That's just not provided for in the previous concept of personal data protection. So when we implement it, we will do certification again.

Thanks for attention.

Also popular now: