Personal data in the Russian Federation

www.i-teco.ru I-Teco company, Information Security Department, 2012

Page 1

Structure and organization of works for ensuring compliance with the requirements of Federal Law "On personal data" (152-FL): what should a personal data operator do?

Page 2

What does a personal data operator expect?

• Compliance with Russian legislation on personal data
• No claims from the regulators
• No claims from the PD subjects
• Capacity to do business and compliance with the requirements for normal operation of the company

What products and services do contractors offer in the field of personal data?

• Survey and subsequent report on the presence of personal data, with proposals concerning its protection
• Required documents (25 templates), with possible adaptation of them
• Technical protection design
• Implementation of technical and organizational protection means

Page 3

At the moment the authorized agency for regulation in the field of personal data (appointed in accordance with article 23 of the FL "On personal data") is the Federal Supervision Agency for Information Technologies and Communications (Roscomnadzor). This federal agency is responsible for control and supervision of compliance, by operators processing personal data, with the requirements of the federal law "On personal data". The FSB and FSTEC are responsible for ensuring compliance with the 152-FL requirements for technical protection.

Page 4

Scheduled inspection: inclusion in the annual plan. The PD operator is notified no later than 3 working days before an inspection (by registered mail or other means).

Documentation inspection (up to 20 working days):
• Inspection of data in documents supplied by the PD operator.
• In case of doubtful veracity of the supplied information, the inspectors request additional information from the PD operator, with an attached copy of the order for inspection authenticated by stamp.
• The PD operator sends to Roscomnadzor the documents specified in the request (as copies, without notarial certification) during the next 10 working days.
• Exposure of discrepancies, non-conformities or violations: a request is sent to the PD operator to supply written explanations during the next 10 working days.
• Signs of violation: transition to a field inspection.

Field inspection (up to 20 working days; up to 50 hours for a company of small size; up to 15 hours for a company of very small size):
• Presentment of the certificate of employment, and bringing to the notice of the PD operator the order or decree concerning the scheduling of the inspection and a description of its purpose.
• Making documentation available, providing access to the territory, etc.
• The inspection can be carried out only by the executives specified in the order for inspection.
• In exceptional cases, related to the need for complex investigations, the duration of a field inspection could be extended, up to 20 working days (15 hours for companies of small and very small size).

Page 5

1. Resolution of legal issues and compliance risks related to PD (this stage is frequently forgotten!)
• Correctly written agreement by the PD subject for PD processing
• Agreement for distributing PD to public access
• Correctly composed notification of Roscomnadzor
• Coordinated phrasing and terms in agreements with third parties and in the operator's internal documentation
• Other legal issues related to PD processing

2. Survey of information systems with personal data
• Recognition of automatic processing
• Recognition of non-automatic processing
• Classification of information systems with personal data
• Preparing project assignments

3. Development of organizational and technical means for PD security
• Approving the acts of classification of information systems with personal data, threat identification, development of protection design documentation
• Development and maintenance of the necessary organizational documentation

4. Implementation of the personal data protection system
• Installation and configuration of protection software and appliances
• Trial operation of the information security system
• Verification of information systems with personal data (if necessary)

Page 6

Objective of the works

The goal of the works is conformance to the law of the Russian Federation "On personal data", including resolution of legal issues with data processing, and creation of personal data information systems and a protection system that applies a comprehensive set of organizational and technical means to ensure personal data protection while processing personal data in information systems in accordance with Russian law.

Scope of the works

Works are implemented in 4 stages:

1. Gathering and analysis of original data on the current state of information security (IS) in the personal data information system; evaluation of the compliance of IS in the personal data information system with the regulatory requirements of the Russian Federation "On personal data"; preparation of a concept for building the personal data protection system (PDPS) in the personal data information system; development of the technical enquiry for the PDPS; resolution of legal issues concerning the processing and transfer of PD.
2. Development of the technical design for creation of the PDPS.
3. Implementation of the necessary organizational and technical protection means in accordance with the developed technical design of the PDPS.
4. Verification of the information system with personal data (if necessary).

Page 7

• Analysis of used systems and standard data storages
• Allocation of PD processing
• Analysis of gathered data
• Legal prerequisites evaluation for personal data processing: usually they are missing. It is necessary to obtain the agreement in written form. It is also necessary to clarify all possible aspects of obtaining PD without the subject's consent.
• Resolution of issues of PD transfer
• Resolution of issues with PD open for public access and depersonalized PD
• Resolution of issues related to PD distribution
• Compliance with legal requirements

Page 8

• Generation of the list of processed PD; defining the guidelines for PD processing and the duration of its storage; approving the list by the CEO
• Defining the limits for storage duration after cancellation of the agreement with the employee/client: defined based on legislative requirements (labor legislation, pension legislation) and the period of limitation
• Development of the Statement of compliance of PD security during its processing in the personal data information system
• Exclusion of unauthorized access (including accidental access)
• Development of a procedure for granting access to PD as defined by working requirements

Page 9

• Implementation of PD system classification: defining the processed categories of PD; defining the type of information system (standard, specialized)
• Development of internal regulatory documents concerning confidential data: list of PD; PD security threat model; classification acts of the information system with personal data; PD protection system description; official letter for personal data protection system usability
• Development of a system for controlling PD processing security: internal control system; state control system

Page 10

• Gathering and analyzing the information about the information system with personal data
• Development of recommendations for personal data information systems classification
• Resolution of legal issues concerning PD processing and transfer of PD to third parties
• Development of acts of classification for personal data information systems and notifications to Roscomnadzor
• Development of project assignments
• Development of the technical design and working documentation for protecting personal data in the information system
• Development of threat models for each personal data information system
• Development of the set of regulatory documents which regulate PD protection
• Verification of the personal data protection system
• System commissioning and validation of compliance with regulatory requirements


Page 12

Oleg Kuzmin, Director of Information Security Department, I-Teco
www.i-teco.ru

Thank you for your attention!