FZ-152, the new year and the problems of poor customers

    With the starting date for a new round of inspections and demands approaching, this time covering not only software licensing but also the protection of personal data, one has to carefully re-read the meager regulatory framework that has been assembled for this business. Already in FZ-152 itself (a strikingly toothless document, but even here they managed to plant a mousetrap) an interesting thing turns up.

    Article 25, clause 3 says: “Personal data information systems created before the entry into force of this Federal Law shall be brought into compliance with the requirements of this Federal Law no later than January 1, 2010”. The law entered into force at the very beginning of 2007. Nothing is said about information systems created after its entry into force. In the interpretation of the “competent authorities” this may well mean that, by default, every information system created in 2007, 2008 and 2009 had to comply with the law from the outset. As in: “you were warned.” Whether this means that not only the systems deployed at enterprises but also the solutions shipped by developers must be certified in one way or another for compliance with FZ-152 is still unknown. It will not be known before the first inspections, when we will see from the results which interpretation the inspectors choose. There is a legal vulnerability here, as it seems to me.

    Let us go further. Not everyone has rolled out new solutions in the past three years. And with the old zoo of systems, welcome to registration as a personal data operator. Moreover, as follows from the joint “order of the three” (No. 55/86/20), clause 17: “Where subsystems are allocated within an information system, each of which is itself an information system, the information system as a whole is assigned the class corresponding to the highest class among the subsystems included in it.” Here a red poster comes alive, with a red soldier menacingly asking: “Have you already classified your information system?” From the same order No. 55/86/20, clause 6, we read: “The following categories of personal data processed in the information system (Xpd) are defined:
    - category 1 - personal data concerning race, ethnicity, political views, religious and philosophical beliefs, state of health, intimate life;
    - category 2 - personal data that allow the personal data subject to be identified and additional information about him to be obtained, with the exception of personal data falling under category 1”.

    Do you like category 2? I like it a lot. If you wish, you can fit anything under “additional information”. Do you have employee addresses in the database? Wonderful, so why is the software not certified for the corresponding category?

    Sorting out old systems, their subsystems, their categories and their certification is a real pain in the neck. Moreover, as is perfectly understandable, the main operators of high-category personal data are state institutions and financial institutions. The financiers, I think, will manage somehow. How public-sector organizations will get out of it, especially with a hole in the budget, is a very interesting question. Inspectors, as you know, do not care about explanations; they want to see a piece of paper stating in black and white that the installed software meets the requirements of the party and the government. Preferably one piece of paper for everything. If instead you have 25 pieces of paper, one per component, sorting it out will take 25 times longer. And, under the Code of Administrative Offenses, with the bright prospect of confiscation of improperly documented information protection tools. Together with the server, yes.

    In this situation it would seem perfectly natural that for two years developers and integrators should have been preparing, and releasing, solutions that let the sufferers meet the January 1, 2010 deadline, and simply certifying new solutions for FZ-152 and the relevant regulatory documents. In practice, nothing of the sort! Individual components, of course, are fully certified. But a complete solution, one covering both the server and desktop platform and at least the basic user software, is something I have so far been able to find only one of: Open Referent from Software United. Granted, the IBM Lotus Domino / Notes included in it has long been certified on its own, but the developers obtained an FSTEC certificate specifically for the solution as a whole, including RHEL, the Open Referent document workflow system and the office functionality. This is exactly what public-sector organizations need, since document workflow is fundamental for them, and the solution costs little money.

    Microsoft, naturally, has certified much of a similar set; although it certifies individual products, they all fit into an information system quite easily. But even Microsoft has not yet managed to certify its document workflow system; after all, Atlas cannot be rushed. Either pushing a solution through FSTEC and the FSB really is that hard, or Russian IT vendors are simply asleep at the wheel, missing such a niche.

    As for customers, it seems it is time to figure out how not to get caught up in a “Ponosov case v. 2.0” wave.
