According to Russian legislation and regulators' requirements, all companies working with PDn are obliged to ensure their safety and protection. To comply with the requirements, it is necessary to understand how secure the system used to store and process them is, and what dangers may threaten it.
Today we will explain what is hidden behind the abbreviation ISPDn, how to determine its security level, and how to competently choose the appropriate infrastructure for hosting it. The article will be useful for companies that work with the personal data of their clients or employees and want to ensure full compliance with the requirements of 152-FZ and the regulators.
About ISPDn, in order
Let's start with the terminology. The abbreviation ISPDn stands for personal data information system. It includes not only the PDn themselves, but also the tools used to ensure the security of this data and the means of processing it. Let's figure out what exactly an ISPDn includes, using a simple example.
Let's say you have your own delivery service. As part of your business processes, you have to collect certain personal data of your users, with whom your company's managers work. Accordingly, your ISPDn will include:
the personal data itself (full name, email addresses, contact phone numbers, and in some cases additional information such as date of birth);
the database where this data is collected;
the server equipment used to store these databases;
the data processing software - a CRM or other customer relationship automation tools;
the devices that your employees (managers, couriers, etc.) use to work with personal data;
the information security tools - antivirus tools, firewalls, etc.
Please note: the company is obliged to protect the personal data of not only its clients, but also its employees.
We'll talk more about how the level of security changes depending on who owns the data below.
Classification of ISPD
According to the FSTEC methodology, all ISPDn can be divided into groups by 7 parameters. Each type in each group has its own security level (UZ). Let's take a closer look at this classification.
By location:

| Type of ISPDn | UZ |
|---|---|
| Distributed (located in different subjects, cities or regions of the Russian Federation, or covering the entire territory of the country) | Low |
| Urban (concentrated in one city or town) | Low |
| Corporate distributed (may be located in one or several localities, but owned entirely by a single organization) | Medium |
| Campus (located in different but neighbouring buildings) | Medium |
| Local (concentrated in one building) | High |
By type of connection to public networks (Internet):

| Type of ISPDn | UZ |
|---|---|
| All employees of the company that owns the ISPDn have access to the PDn | Low |
| Only the employees named on an approved list and the personal data subjects themselves have access to the data | Medium |
By the operations that can be performed on records in the personal data databases:

| Type of ISPDn | UZ |
|---|---|
| Reading and searching data only | High |
| Allows recording new data, deleting it and sorting it | Medium |
| Data can be modified and transferred | Low |
By the degree of depersonalization of personal data:

| Type of ISPDn | UZ |
|---|---|
| The data is anonymized when provided to the user | High |
| The data is anonymized only when transferred to other organizations, while users within the organization receive it without anonymization | Medium |
| There is no depersonalization of the data; it allows the personal data subject to be identified | Low |
By the volume of data provided without preliminary processing:

| Type of ISPDn | UZ |
|---|---|
| Access to the entire database is provided | Low |
| Access is provided only to part of the data | Medium |
| No data is provided | High |
Using the FSTEC classification and knowing the above parameters of the ISPDn, it is possible to establish its overall security level. Why is this necessary? It allows you to assess which types of threats are relevant to the information system under consideration and to establish the required level of protection of the PDn.
Levels and classes of personal data protection
Russian regulators distinguish four levels of protection (UZ) of personal data - UZ-1, 2, 3 and 4, where:
UZ-1 requires the most serious protective measures;
UZ-4 is the least demanding in terms of data security tools.
The UZ depends on several factors at once:
the category of personal data - publicly available, special, biometric or other;
whether the data belongs only to the operator's employees;
the number of subjects;
the type of current threats.
To determine the level of protection, you can refer to this table:
For example, suppose you store the PDn of 120 thousand subjects, the data is of the publicly available category, it belongs not only to your employees, and the third type of threats is relevant to it. Based on these parameters, the level of protection of the PDn is UZ-4. However, if you store special-category data of employees for which the first type of threats is relevant, it already falls under UZ-1.
Knowing the security level of the data in your ISPDn, you can select a cloud infrastructure that meets the regulators' requirements for the protection of information in ISPDn.
There is still a myth among companies that personal data cannot be stored in the cloud. In fact, neither Russian legislation nor the regulators prohibit this. To avoid misunderstandings, you first need to choose a provider that offers a virtual infrastructure providing the level of protection you need. This information is usually not only presented on the websites of IaaS providers, but also documented.