Myths about 152-FZ that can cost a personal data operator dearly
Hello! I lead the DataLine Cybersecurity Center. Customers come to us with the task of meeting the requirements of 152-FZ in the cloud or on physical infrastructure.
In almost every project we have to do some educational work to debunk the myths surrounding this law. I have compiled the most common misconceptions, which can cost a personal data operator a lot of money and nerves. Let me say up front that state information systems (GIS), systems dealing with state secrets, critical information infrastructure (KII) and the like are outside the scope of this article.

Myth 1. I installed an antivirus and a firewall and fenced off the racks. Am I compliant with the law?
152-FZ is not about protecting systems and servers but about protecting the personal data of subjects. So compliance with 152-FZ does not start with an antivirus but with a large stack of paperwork and organizational questions.
The principal inspector, Roskomnadzor, will look not at the availability and condition of technical protection measures but at the legal basis for processing personal data (PD):
- for what purpose you collect personal data;
- whether you collect more than is necessary for those purposes;
- how long you store personal data;
- whether you have a personal data processing policy;
- whether you collect consent to PD processing, to cross-border transfer, to processing by third parties, and so on.
The answers to these questions, and the processes themselves, must be recorded in the corresponding documents. Here is a far from complete list of what a personal data operator needs to prepare:
- A standard form of consent to personal data processing (the sheets we now sign almost everywhere we leave our name or passport data).
- The operator's policy on personal data processing (there are official recommendations for drafting it).
- An order appointing the person responsible for organizing PD processing.
- A job description for the person responsible for organizing PD processing.
- Rules of internal control and/or audit of PD processing against the requirements of the law.
- The list of personal data information systems (ISPDn).
- The procedure for granting a subject access to their PD.
- Incident investigation rules.
- An order on admitting employees to PD processing.
- Rules of interaction with regulators.
- Notification to Roskomnadzor about PD processing, etc.
- A template of the PD processing assignment (the "poruchenie" given to a processor).
- The ISPDn threat model.
Only after these questions are settled can you move on to selecting specific measures and technical tools. Which ones you need depends on the systems, the conditions they operate in and the relevant threats. More on that later.
Reality: compliance with the law is, first of all, establishing and following certain processes, and only second, using special technical tools.
Myth 2. I store personal data in a cloud or data center that meets the requirements of 152-FZ. Now they are responsible for complying with the law.
When you move your personal data to a cloud provider or a data center, you do not stop being the personal data operator.
Let's call on a definition from the law for help:
Processing of personal data - any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Source: Article 3, 152-FZ
Of all these actions, the service provider is responsible for storage and for destruction (when the client terminates the contract). Everything else remains with the personal data operator. This means that it is the operator, not the service provider, who defines the PD processing policy, obtains signed consent to PD processing from its customers, prevents and investigates leaks of personal data, and so on.
Therefore the personal data operator still has to prepare the documents listed above and take organizational and technical measures to protect its ISPDn.
Typically the provider helps the operator by ensuring compliance with the law at the infrastructure level where the operator's ISPDn will sit: the equipment racks or the cloud. It also prepares its own package of documents and takes organizational and technical measures for its piece of the infrastructure in accordance with 152-FZ.
Some providers also help with the paperwork and supply technical protection tools for the ISPDn itself, i.e., a level above the infrastructure. The operator can outsource these tasks too, but the responsibility and obligations under the law do not go away.
Reality: by turning to a provider or data center you cannot hand over the duties of a personal data operator and shed the responsibility. If a provider promises you this, it is, to put it mildly, being disingenuous.
Myth 3. I have the necessary package of documents and measures. I store personal data with a provider that promises compliance with 152-FZ. Is everything in order now?
Yes, if you did not forget to sign the processing assignment. Under the law, the operator may entrust the processing of personal data to another person, for example to that same service provider. The assignment (poruchenie) is a kind of agreement that lists what the service provider may do with the operator's personal data.
The operator has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of an agreement concluded with that person, including a state or municipal contract, or by the adoption of a corresponding act by a state or municipal body (hereinafter referred to as the operator's assignment). A person processing personal data on behalf of the operator is required to comply with the principles and rules of personal data processing provided for by this Federal Law.
Source: Clause 3, Article 6, 152-FZ
The provider's obligation to keep personal data confidential and to ensure their security in accordance with the stated requirements is fixed right there:
The operator's assignment must define the list of actions (operations) with personal data that will be performed by the person processing the personal data and the purpose of the processing, must establish the obligation of that person to maintain the confidentiality of personal data and ensure the security of personal data during their processing, and must specify the requirements for the protection of the processed personal data in accordance with Article 19 of this Federal Law.
Source: Clause 3, Article 6, 152-FZ.
For this the provider answers to the operator, not to the personal data subject:
If the operator entrusts the processing of personal data to another person, the operator is responsible to the personal data subject for the actions of the specified person. A person who processes personal data on behalf of the operator is responsible to the operator.
Source: Clause 5, Article 6, 152-FZ.
It is also important to spell out the obligation to ensure the protection of personal data in the assignment:
The security of personal data during their processing in the information system is ensured by the operator of this system, which processes personal data (hereinafter referred to as the operator), or by a person who processes personal data on behalf of the operator on the basis of an agreement concluded with this person (hereinafter referred to as the authorized person). The contract between the operator and the authorized person must provide for the obligation of the authorized person to ensure the security of personal data when they are processed in the information system.
Source: Decree of the Government of the Russian Federation of November 1, 2012 No. 1119
Reality: if you hand personal data to a provider, sign the processing assignment. In the assignment, state the requirement to ensure the protection of personal data. Otherwise you are not complying with the law on transferring PD processing to a third party, and the provider owes you nothing with respect to 152-FZ compliance.
Myth 4. Mossad is spying on me, or I definitely have UZ-1
Some customers insistently argue that their ISPDn has protection level 1 or 2. Most often this is not so. Let's go over the basics to see why this happens.
UZ, the protection level (uroven zashchishchennosti), determines what you will be protecting personal data from.
The following factors determine the protection level:
- the category of personal data (special, biometric, publicly available, or other);
- whose personal data it is: employees of the operator or non-employees;
- the number of personal data subjects: more or fewer than 100,000;
- the types of relevant threats.
The threat types are defined by Decree of the Government of the Russian Federation No. 1119 of November 1, 2012. Here is each of them with my free translation into human language.
Type 1 threats are relevant to an information system if, among others, threats related to the presence of undocumented (undeclared) capabilities in the system software used in the information system are relevant to it.
If you declare this threat type relevant, you firmly believe that agents of the CIA, MI6 or Mossad have planted a backdoor in the operating system to steal the personal data of specific subjects from your ISPDn.
Type 2 threats are relevant to an information system if, among others, threats related to the presence of undocumented (undeclared) capabilities in the application software used in the information system are relevant to it.
If you think type 2 threats are your case, then you dream of those same CIA, MI6 and Mossad agents, an evil lone hacker or a group planting backdoors in some office software package to hunt specifically for your personal data. Yes, there is dubious application software like μTorrent, but you can maintain a whitelist of software allowed for installation, sign an agreement with users, not give users local administrator rights, and so on.
Type 3 threats are relevant to an information system if the threats relevant to it are not related to the presence of undocumented (undeclared) capabilities in the system and application software used in the information system.
Type 1 and type 2 threats are not your case, which means you are here.
We have sorted out the threat types; now let's see what protection level our ISPDn will have.

The table is based on the correspondence prescribed in Decree of the Government of the Russian Federation No. 1119 of November 1, 2012.
If we chose type 3 as the relevant threats, then in most cases we get UZ-3. The only exception where type 1 and type 2 threats are not relevant but the protection level is still high (UZ-2) is companies that process special-category personal data of more than 100,000 non-employees. For example, companies doing medical diagnostics and providing medical services.
There is also UZ-4, found mainly at companies whose business does not involve processing personal data of non-employees (customers or contractors), or whose personal data set is small.
Why is it so important not to overshoot the protection level? Simple: the set of measures and protection tools needed to reach that level depends on it. The higher the UZ, the more has to be done organizationally and technically (read: the more money and nerves you will spend).
Here, for example, is how the set of security measures changes according to the same PP-1119.
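To make the PP-1119 correspondence concrete, here is an added example (not part of the article, and not a DataLine tool) that encodes paragraphs 9 to 12 of the decree as a classifier over the four factors listed above. The class and function names are mine, the sub-item letters a to f stand for the decree's Cyrillic а to е, and the sample systems at the bottom are constructed to mirror the article's own cases; treat the rule encoding as the editor's reading of the decree and check it against the text before relying on it.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """Category of personal data processed in the ISPDn (PP-1119 terms)."""
    SPECIAL = "special"        # health, race, religion, etc.
    BIOMETRIC = "biometric"
    PUBLIC = "public"          # publicly available personal data
    OTHER = "other"            # everything else (name, phone, passport data...)


@dataclass(frozen=True)
class Ispdn:
    """The four factors the article lists as determining the level (hypothetical type)."""
    category: Category
    threat_type: int                # 1, 2 or 3, as declared relevant in the threat model
    employees_only: bool            # all subjects are the operator's own employees
    non_employee_subjects: int = 0  # number of subjects who are not employees

    def __post_init__(self) -> None:
        if self.threat_type not in (1, 2, 3):
            raise ValueError("threat_type must be 1, 2 or 3")
        if self.employees_only and self.non_employee_subjects:
            raise ValueError("an employees-only system has no non-employee subjects")

    @property
    def many_non_employees(self) -> bool:
        """PP-1119 draws its line at *more than* 100,000 non-employee subjects."""
        return not self.employees_only and self.non_employee_subjects > 100_000


def protection_level(s: Ispdn) -> int:
    """Return UZ-1..UZ-4 per PP-1119 p. 9-12 (editor's reading of the decree)."""
    c, many = s.category, s.many_non_employees

    if s.threat_type == 1:
        # p. 9(a): type 1 with special, biometric or other PD -> UZ-1
        # p. 10(a): type 1 with public PD -> UZ-2
        return 2 if c is Category.PUBLIC else 1

    if s.threat_type == 2:
        if c is Category.SPECIAL:
            return 1 if many else 2       # p. 9(b) / p. 10(b)
        if c is Category.BIOMETRIC:
            return 2                      # p. 10(c)
        # public or other PD: >100k non-employees -> UZ-2 (p. 10(d), 10(e)),
        # otherwise UZ-3 (p. 11(a), 11(b))
        return 2 if many else 3

    # threat type 3: no undeclared-capability threats, the article's common case
    if c is Category.SPECIAL:
        return 2 if many else 3           # p. 10(f) / p. 11(c): the clinic example
    if c is Category.BIOMETRIC:
        return 3                          # p. 11(d)
    if c is Category.OTHER:
        return 3 if many else 4           # p. 11(e) / p. 12(b)
    return 4                              # public PD, p. 12(a)


if __name__ == "__main__":
    # Constructed sample systems mirroring the article's examples.
    samples = {
        "clinic, 150k patients, type 3": Ispdn(Category.SPECIAL, 3, False, 150_000),
        "clinic, 20k patients, type 3": Ispdn(Category.SPECIAL, 3, False, 20_000),
        "HR system, employees only, type 3": Ispdn(Category.OTHER, 3, True),
        "web shop, 300k customers, type 3": Ispdn(Category.OTHER, 3, False, 300_000),
        "same web shop, type 1 declared": Ispdn(Category.OTHER, 1, False, 300_000),
    }
    for name, system in samples.items():
        print(f"{name}: UZ-{protection_level(system)}")
```

The last two samples show the point of the myth: the same web shop lands at UZ-3 with type 3 threats and jumps to UZ-1 the moment the threat model declares type 1 threats relevant, which is where the extra cost comes from.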

Now let's see how the list of required measures changes with the chosen protection level under Order No. 21 of the FSTEC of Russia dated February 18, 2013. The document has a lengthy annex defining the required measures. There are 109 of them; for each UZ the mandatory ones are marked with a "+", and they are counted up in the table below. If you keep only those required for UZ-3, you get 41.

Reality: if you do not collect clients' medical test results or biometrics and you are not paranoid about backdoors in system and application software, then most likely you have UZ-3. For that level there is a sane list of organizational and technical measures that can actually be implemented.
Myth 5. All personal data protection tools (SZI) must be certified by the FSTEC of Russia
If you want, or are required, to have the system attested, you will most likely have to use certified protection tools. Attestation is carried out by an FSTEC of Russia licensee, which:
- is interested in selling you more certified SZI;
- will fear having its license revoked by the regulator if something goes wrong.
If you do not need attestation and are prepared to confirm compliance in the other way named in Order No. 21 of the FSTEC of Russia, "Assessment of the effectiveness of the measures implemented within the personal data protection system to ensure the security of personal data", then certified SZI are not mandatory for you. Let me briefly give the justification.
Clause 2 of Article 19 of 152-FZ says that protection tools which have passed a conformity assessment procedure in the established manner must be used:
Ensuring the security of personal data is achieved, in particular:
[...]
3) by using information protection tools that have passed the conformity assessment procedure in the established manner.
Clause 13 of PP-1119 also contains a requirement to use information protection tools that have passed the procedure of conformity assessment against the legislation:
[...] the use of information protection tools that have passed the procedure for assessing conformity with the requirements of the legislation of the Russian Federation in the field of information security, where the use of such tools is necessary to neutralize relevant threats.
Clause 4 of FSTEC Order No. 21 practically duplicates that clause of PP-1119:
Measures to ensure the security of personal data are implemented, among other things, through the use in the information system of information protection tools that have passed the conformity assessment procedure in the established manner, in cases where the use of such tools is necessary to neutralize relevant threats to the security of personal data.
What do these wordings have in common? Right: none of them requires certified protection tools. The thing is, there are several forms of conformity assessment (voluntary or mandatory certification, declaration of conformity). Certification is only one of them. The operator may use uncertified tools, but during an inspection it will have to demonstrate to the regulator that they have passed conformity assessment in some form.
If the operator does decide to use certified protection tools, the SZI must be chosen according to the UZ, as FSTEC Order No. 21 explicitly states:
Technical measures for protecting personal data are implemented through the use of information protection tools, including software (hardware and software) tools in which they are implemented, having the necessary security functions.
When using information protection tools certified against information security requirements in information systems:

Source: Clause 12 of Order No. 21 of the FSTEC of Russia.
Reality: the law does not require the use of certified protection tools.
Myth 6. I need cryptographic protection.
Here are a few nuances:
- Many believe that cryptography is required for any ISPDn. In fact, it has to be used only if the operator sees no other security measures for itself besides cryptography.
- If there is no way to do without cryptography, then you must use cryptographic information protection facilities (CIPF, Russian SKZI) certified by the FSB.
- For example, you decide to host the ISPDn in a service provider's cloud but do not trust it. You describe your concerns in the threat and intruder model. Personal data lives there, so you decided that cryptography is the only way to protect it: you will encrypt the virtual machines and build secure channels with cryptographic protection. In that case you must use CIPF certified by the FSB of Russia.
- Certified CIPF are selected for a particular protection level in accordance with FSB Order No. 378.
For an ISPDn with UZ-3 you can use classes KS1, KS2 or KS3. KS1 is, for example, S-Terra Virtual Gateway 4.2 for channel protection.
KS2 and KS3 are represented only by hardware-software systems, such as ViPNet Coordinator, APKSh Kontinent, S-Terra Gateway, etc.
If you have UZ-2 or UZ-1, you will need KV1, KV2 and KA. These are specialized hardware-software systems; they are hard to operate and their performance characteristics are modest.

Reality: the law does not oblige you to use FSB-certified CIPF, because it does not oblige you to use cryptography in the first place; the obligation appears only once you decide that cryptography is your protection measure.