If you work with government organizations
Another draft law amending the law “On Information, Information Technologies and the Protection of Information” is available at http://regulation.gov.ru/projects# . More precisely, two such drafts have now been posted on this portal; the one that interests us is the draft law from the FSTEC of the Russian Federation.

What is supposed to change in the methods of protection and who is affected by the changes?
Note that the draft concerns the protection of “state information systems, as well as other information systems which, on the basis of contracts or other legal grounds, contain (process) information owned by state bodies or state corporations”. Recall that the requirements for the protection of state information systems were described in the seventeenth order of the FSTEC of the Russian Federation. The draft law indicates that the requirements of this order apply not only to state information systems, but also to all organizations working with data received from them.
“Requirements for the protection of information contained in state information systems, as well as in other information systems which, on the basis of contracts or other legal grounds, contain (process) information owned by state bodies or state corporations, are established by the federal executive body in the field of security and the federal executive body authorized in the field of countering foreign technical intelligence and technical protection of information, within their powers. When such information systems are created and operated, the methods and means used to protect information must comply with the specified requirements.”
At the same time, “the creation and maintenance of the functioning of information protection systems should include”:
1) the appointment by the operator of persons responsible for the organization of information protection, as well as for the planning and development, implementation, monitoring, maintenance and improvement of information protection measures;
2) the publication by the operator of documents defining a policy for ensuring information protection, including local acts on the organization of information protection, as well as local acts establishing procedures aimed at ensuring information protection in accordance with this Federal Law;
4) the implementation of internal control (audit) of the compliance of information protection with information protection requirements ..., the operator’s policy to ensure the protection of information, local acts of the operator;
5) familiarization of the operator’s employees directly involved in the processing and protection of information with information protection requirements, documents defining the operator’s policy for ensuring information protection, local acts of the operator and training of these employees.
The most interesting thing is traditionally at the end of the draft law:
“Operators of state information systems, as well as of other information systems which, on the basis of contracts or other legal grounds, contain (process) information owned by state bodies or state corporations, inform the federal executive body in the field of security and the federal executive body authorized in the field of countering foreign technical intelligence and technical protection of information about security events as a result of which the functioning of the information system is disrupted or terminated and (or) the security of the information processed in the information system is violated (computer incidents).”
It is assumed that all organizations working in one way or another with government bodies and receiving data from them will have to report security incidents. It is logical to assume that this draft law will be followed by a regulation requiring the data to be submitted in a format accepted by the incident database, which will be maintained by the FSTEC.