
Resolution No. 1119 on the approval of requirements for the protection of personal data during their processing in personal data information systems (published in Rossiyskaya Gazeta)

My hands, which have long been itching to reach for the keyboard over the new regulatory masterpiece, have already been slapped to the bone. I can no longer hold back and endure. I will have to write. All the more so since today the Resolution of 01.11.2012 No. 1119 "On the approval of requirements for the protection of personal data during their processing in personal data information systems", which repeals the Resolution of 17.11.2007 No. 781, comes into force: seven days from the date of its publication have expired.

To be honest, the reaction of colleagues from the professional community to the new resolution, which effectively defines the system for building technical protection of personal data processed in information systems, not only surprised me but rather puzzled me. One part, and not a small one, liked it because, in their opinion, it contains nothing fundamentally new, does not tighten the screws any further, and the number of requirements is even reduced compared with PP-781. Another part scolds the document, but in very general terms, mainly for its lack of specifics.

My own opinion of the Requirements is somewhat different. I expressed it briefly at today's webinar held by our agency together with the company "Security Code", and the number of questions received on the matter finally pushed me to write this post.

To systematize my view, I came up with several shelves on which I will lay out my assessment of the document. Sorry, there will be a lot of words. A great many. I have chosen them carefully so that the post can be rated 0+.

The first shelf. Compliance with the law. The issuance of PP-1119 is a direct requirement of clauses 1 and 2 of part 3 of Article 19 of the new edition of 152-FZ "On Personal Data". This is what allows me to assess the state of affairs on this shelf very sharply: the Government resolution does not comply with the law. The law prescribed that the security levels and the requirements for them be determined depending on five factors:

· possible harm to the subject of personal data,

· the volume of processed personal data,

· the content of the processed personal data,

· the type of activity in the implementation of which personal data is processed,

· the relevance of threats to the security of personal data.

The types of activity and, which is especially important, harm to the subject are simply absent from the adopted document as qualifying criteria. In clause 7 of the Requirements the operator is, quite inhumanely (I cannot put it otherwise), told to determine independently the type of threats to the security of personal data relevant to the information system, taking into account an assessment of possible harm and guided by FSB and FSTEC documents that do not yet exist. That is, the head of a kindergarten or the head of the automation department of a pipe-rolling plant (since in such organizations there is simply nobody else to deal with such problems) will assess the harm from disclosure of the data of staff, children, visitors and their relatives. With a complete absence of methodological work on this problem anywhere in the country. Anyone who has come across such questions even a little knows that determining the amount of harm from a violation of civil rights is one of the most difficult problems in jurisprudence and litigation. But apparently, recalling the classic postulate about the abilities of every cook, the authors decided that crowdsourcing could solve the problem. According to Roskomnadzor, there are about seven million operators. Just imagine what they will come up with. A classic example of shifting a problem from one head onto another, and you know which ones.

The types of activity are a trap as well. Given that the new edition of the law leaves no room for industry standards for working with personal data, these types can be taken into account in only one way: by coming up with additional security threats on top of those invented by the FSB and FSTEC, which is in fact what parts 5 and 6 of the same Article 19 of the law spell out. Full stop. Only to identify new threats, not to provide any relief of the kind the Ministry of Health once agreed with FSTEC in its methodological documents.

Second shelf. Methodology. This shelf is the most... badly hung, because the methodology holds the most important, key problems of the document. Having declared undeclared (undocumented) capabilities in system and application software the main threats, which inevitably lead to the highest security levels (see Table 1), the Requirements propose no methods or ways of neutralizing them at all. For the only such method can be checking that software itself for the absence of backdoors and other bad habits. And nobody demands that of operators, at least not in PP-1119.

Table 1

| ISPDn type | Operator's staff only | Number of subjects | Threat type 1 | Threat type 2 | Threat type 3 |
|------------|-----------------------|--------------------|---------------|---------------|---------------|
| ISPDn-S    | No                    | > 100 000          | UZ-1          | UZ-1          | UZ-2          |
| ISPDn-S    | No                    | < 100 000          | UZ-1          | UZ-2          | UZ-3          |
| ISPDn-S    | Yes                   | any                | UZ-1          | UZ-2          | UZ-3          |
| ISPDn-B    | any                   | any                | UZ-1          | UZ-2          | UZ-3          |
| ISPDn-I    | No                    | > 100 000          | UZ-1          | UZ-2          | UZ-3          |
| ISPDn-I    | No                    | < 100 000          | UZ-2          | UZ-3          | UZ-4          |
| ISPDn-I    | Yes                   | any                | UZ-2          | UZ-3          | UZ-4          |
| ISPDn-O    | No                    | > 100 000          | UZ-2          | UZ-2          | UZ-4          |
| ISPDn-O    | No                    | < 100 000          | UZ-2          | UZ-3          | UZ-4          |
| ISPDn-O    | Yes                   | any                | UZ-2          | UZ-3          | UZ-4          |

(ISPDn-S: special categories; ISPDn-B: biometric; ISPDn-I: other categories; ISPDn-O: publicly available personal data. The "Yes" rows share the cells of the "< 100 000" row above them.)

For logic bombs, backdoors and other evil spirits they offer the old, proven remedies: an enema with gramophone needles and plaster casts on unbroken limbs. See Table 2.

Table 2

| Requirement                                                                                                            | UZ-1 | UZ-2 | UZ-3 | UZ-4 |
|------------------------------------------------------------------------------------------------------------------------|------|------|------|------|
| Security regime for the premises where personal data is processed                                                       | +    | +    | +    | +    |
| Safety of personal data carriers                                                                                        | +    | +    | +    | +    |
| List of persons admitted to personal data                                                                               | +    | +    | +    | +    |
| Information security tools that have passed the conformity assessment procedure                                         | +    | +    | +    | +    |
| Official responsible for ensuring the security of personal data in the ISPDn                                            | +    | +    | +    |      |
| Restriction of access to the content of the electronic message log                                                      | +    | +    |      |      |
| Automatic registration in the electronic security log of changes in the authority of the operator's employee to access personal data | +    |      |      |      |
| Structural unit responsible for ensuring the security of personal data                                                  | +    |      |      |      |

(Cells marked "+" follow clauses 13 to 16 of the Requirements, which are cumulative from level 4 up to level 1.)

How the use of certified firewalls and the appointment of a responsible department (or a responsible person) can help prevent the operating system from affecting the data being processed, apparently only the authors know.

The third shelf. Terminology. This is the most mysterious part of the document. Where the "operator's employees" came from, and why they are not simply the employees whose legal status is clearly described by the Labour Code, is a simple and obvious question. But what an "electronic message log" (clause 15) is, and how it differs from the "electronic security log" (clause 16), if it differs at all, is a great mystery. I guess it is about logs. Logs of what? The OS? The DBMS? The applications? The information security tools (SZI)? All together, or some of them separately? Unanswered questions.

The resolution introduces the concept of an information system that processes publicly available personal data, which is absent from the law, and treats as such only data obtained from publicly available sources of personal data created in accordance with Article 8 of 152-FZ.

And what if the data were obtained in a different way, for example if they are information subject to publication and mandatory disclosure, such as information from the Unified State Register of Legal Entities and the Unified State Register of Individual Entrepreneurs, which is publicly available under the Federal Law on State Registration of Legal Entities and Individual Entrepreneurs? Or information about the affiliated persons of a securities issuer? Or the personal data of candidates for deputy that must be published? How are they to be dealt with? Again a question with no answer.

Finally, conformity assessment. This term, which no act explains in relation to information security tools except the closed Resolution No. 330, continues to wander around the regulatory framework. But even an operator who has seen that Resolution is not given to understand how conformity assessment is carried out in the course of state control and supervision. Nor can he assess the consequences: waiting for the inspector to arrive, and the inspector's behaviour at the sight of uncertified tools. And let us not forget that under the new edition of the law, regulatory legal acts concerning the processing of personal data are subject to official publication.

The fourth shelf. Applicability. The resolution can only fully work after the adoption of the relevant acts of the FSB and FSTEC provided for by part 4 of Article 19 of 152-FZ, as well as the acts of the federal executive bodies responsible for state policy and legal regulation in their areas of activity, the state authorities of the constituent entities of the Russian Federation, the Bank of Russia, the state extra-budgetary funds and other state bodies, in the part that determines the current threats to the security of personal data (part 5 of Article 19 of 152-FZ, clause 2 of the Requirements). These acts do not exist, and nobody knows when they will be adopted. Under these conditions it is practically impossible for an operator to fulfil the established requirements. I return to the head of the kindergarten and the head of the automation department of the pipe-rolling plant. Who will be the first to explain to her what "undeclared capabilities of system software" are, and by what criteria will she assess the relevance of this threat? What could make the second one recognize these threats as relevant for his plant and take on extra problems? How will they assess the harm I wrote about under the first shelf? Let us wait for the FSB and FSTEC documents. Something tells me it will not be possible simply to decline to neutralize undeclared capabilities. Banks and telecoms will figure it out eventually. But what about the rest, who have no specialized staff and no FSB or FSTEC licences: schools and universities, hospitals and clinics, registry offices and employment centres, etc., etc.? Such a document can do nothing but shock them.

I will not write a summary. Everything is clear as it is.

GOVERNMENT OF THE RUSSIAN FEDERATION

RESOLUTION of November 1, 2012 N 1119

On the approval of requirements for the protection of personal data during their processing in personal data information systems

In accordance with Article 19 of the Federal Law "On Personal Data", the Government of the Russian Federation decides:

1. To approve the attached requirements for the protection of personal data during their processing in personal data information systems.

2. To recognize as invalid the resolution of the Government of the Russian Federation of November 17, 2007 N 781 "On approval of the Regulation on ensuring the security of personal data when processing them in personal data information systems" (Collected Legislation of the Russian Federation, 2007, N 48, Art. 6001).

Chairman of the Government of the Russian Federation
D. Medvedev

Requirements for the protection of personal data when processing them in personal data information systems

APPROVED by Resolution of the Government of the Russian Federation dated November 1, 2012 N 1119

1. This document establishes the requirements for the protection of personal data during their processing in personal data information systems (hereinafter referred to as information systems) and the security levels of such data.

2. The security of personal data during their processing in the information system is ensured with the help of the personal data protection system that neutralizes the actual threats identified in accordance with Part 5 of Article 19 of the Federal Law "On Personal Data".

The personal data protection system includes organizational and (or) technical measures determined taking into account the current threats to the security of personal data and information technologies used in information systems.

3. The security of personal data during their processing in the information system is ensured by the operator of this system, who processes personal data (hereinafter referred to as the operator), or the person who processes personal data on behalf of the operator on the basis of an agreement concluded with this person (hereinafter referred to as the authorized person). The agreement between the operator and the authorized person should provide for the duty of the authorized person to ensure the security of personal data when processing them in the information system.

4. The choice of information protection means for the personal data protection system is carried out by the operator in accordance with the regulatory legal acts adopted by the Federal Security Service of the Russian Federation and the Federal Service for Technical and Export Control in pursuance of Part 4 of Article 19 of the Federal Law "On Personal Data".

5. An information system is an information system that processes special categories of personal data if it processes personal data concerning race, nationality, political views, religious or philosophical beliefs, health status, intimate life of the subjects of personal data.

An information system is an information system that processes biometric personal data if it processes information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity and which are used by the operator to establish the identity of the subject of personal data, and information related to special categories of personal data.

An information system is an information system that processes publicly available personal data if it processes personal data of subjects of personal data obtained only from publicly available sources of personal data created in accordance with Article 8 of the Federal Law "On Personal Data".

An information system is an information system that processes other categories of personal data, if it does not process the personal data specified in paragraphs one through three of this clause.

An information system is an information system that processes the personal data of the operator's employees, if it processes the personal data of only the specified employees. In other cases, the personal data information system is an information system that processes personal data of personal data subjects who are not employees of the operator.

6. Current threats to the security of personal data are understood as the set of conditions and factors that create an actual danger of unauthorized, including accidental, access to personal data during their processing in the information system, which may result in the destruction, modification, blocking, copying, provision or distribution of personal data, as well as other illegal actions.

Threats of the 1st type are relevant for an information system if, among other things, threats associated with the presence of undocumented (undeclared) capabilities in the system software used in the information system are relevant for it.

Threats of the 2nd type are relevant for an information system if, among other things, threats associated with the presence of undocumented (undeclared) capabilities in the application software used in the information system are relevant for it.

Threats of the 3rd type are relevant for an information system if threats that are not related to the presence of undocumented (undeclared) capabilities in the system and application software used in the information system are relevant to it.

7. The type of threats to the security of personal data relevant to the information system is determined by the operator taking into account the assessment of possible harm carried out in pursuance of paragraph 5 of part 1 of Article 18.1 of the Federal Law "On Personal Data", and in accordance with the regulatory legal acts adopted in pursuance of Part 5 of Article 19 of the Federal Law "On Personal Data".

8. When processing personal data in information systems, 4 levels of personal data security are established.

9. The need to ensure the 1st level of protection of personal data during their processing in the information system is established in the presence of at least one of the following conditions:

a) type 1 threats are relevant to the information system and the information system processes either special categories of personal data, or biometric personal data, or other categories of personal data;

b) type 2 threats are relevant to the information system and the information system processes special categories of personal data from more than 100,000 personal data subjects who are not employees of the operator.

10. The need to ensure the 2nd level of protection of personal data during their processing in the information system is established if at least one of the following conditions is present:

a) type 1 threats are relevant to the information system and the information system processes publicly available personal data;

b) type 2 threats are relevant for the information system and the information system processes special categories of personal data of the operator's employees or special categories of personal data of less than 100,000 personal data subjects who are not employees of the operator;

c) type 2 threats are relevant to the information system and the information system processes biometric personal data;

d) type 2 threats are relevant for the information system and the information system processes publicly available personal data of more than 100,000 personal data subjects who are not employees of the operator;

e) type 2 threats are relevant for the information system and the information system processes other categories of personal data from more than 100,000 personal data subjects who are not employees of the operator;

f) type 3 threats are relevant for the information system and the information system processes special categories of personal data from more than 100,000 personal data subjects who are not employees of the operator.

11. The need to ensure the 3rd level of protection of personal data during their processing in the information system is established if at least one of the following conditions is present:

a) type 2 threats are relevant to the information system and the information system processes publicly available personal data of the operator's employees or publicly available personal data of less than 100,000 personal data subjects who are not employees of the operator;

b) type 2 threats are relevant to the information system and the information system processes other categories of personal data of the operator's employees or other categories of personal data of less than 100,000 personal data subjects who are not employees of the operator;

c) threats of the third type are relevant for the information system and the information system processes special categories of personal data of the operator's employees or special categories of personal data of less than 100,000 personal data subjects who are not employees of the operator;

d) type 3 threats are relevant for the information system and the information system processes biometric personal data;

e) threats of the 3rd type are relevant for the information system and the information system processes other categories of personal data of more than 100,000 personal data subjects who are not employees of the operator.

12. The need to ensure the 4th level of security of personal data during their processing in the information system is established if at least one of the following conditions is present:

a) threats of the 3rd type are relevant for the information system and the information system processes publicly available personal data;

b) threats of the third type are relevant for the information system and the information system processes other categories of personal data of the operator's employees or other categories of personal data of less than 100,000 personal data subjects who are not employees of the operator.

13. To ensure the 4th level of protection of personal data during their processing in information systems, the following requirements must be met:

a) the organization of a regime for ensuring the security of the premises in which the information system is located, preventing the possibility of uncontrolled entry or stay in these premises by persons who do not have the right to access these premises;

b) ensuring the safety of personal data carriers;

c) approval by the head of the operator of the document defining the list of persons whose access to personal data processed in the information system is necessary for them to perform their official (labor) duties;

d) the use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in the case when the use of such means is necessary to neutralize current threats.

14. To ensure the 3rd level of protection of personal data when processing them in information systems, in addition to fulfilling the requirements provided for in paragraph 13 of this document, it is necessary that an official (employee) be appointed responsible for ensuring the security of personal data in the information system.

15. To ensure the 2nd level of protection of personal data during their processing in information systems, in addition to fulfilling the requirements provided for in paragraph 14 of this document, it is necessary that access to the content of the electronic message log is possible only for officials (employees) of the operator or an authorized person, to whom the information contained in the specified journal is necessary for the performance of official (labor) duties.

16. To ensure the 1st level of protection of personal data during their processing in information systems, in addition to the requirements provided for in paragraph 15 of this document, the following requirements must be met:

a) automatic registration in the electronic security log of changes in the authority of the operator's employee to access personal data contained in the information system;

b) the creation of a structural unit responsible for ensuring the security of personal data in the information system, or entrusting one of the structural units with the functions of ensuring such security.

17. Control over the fulfillment of these requirements is organized and carried out by the operator (authorized person) independently and (or) with the involvement on a contractual basis of legal entities and individual entrepreneurs licensed to carry out activities for the technical protection of confidential information. The specified control is carried out at least once every 3 years within the time frame determined by the operator (authorized person).
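The decision logic of clauses 9 to 16 above, as an added example that is not part of the original post or of the Resolution's text: one function encodes the level table of clauses 9 to 12 (the same table the author summarizes as Table 1), another the cumulative measures of clauses 13 to 16. The enumeration and function names are this example's own, and the boundary case of exactly 100,000 subjects, which the text does not address, is treated here as the lower band.

```python
from enum import Enum


class DataCategory(Enum):
    """Clause 5: kinds of personal data an information system may process."""
    SPECIAL = "special categories"    # race, health, beliefs, ... (ISPDn-S)
    BIOMETRIC = "biometric"           # ISPDn-B
    PUBLIC = "publicly available"     # only from public sources under Art. 8 (ISPDn-O)
    OTHER = "other categories"        # everything else (ISPDn-I)


class ThreatType(Enum):
    """Clause 6: which undeclared-capability threats are relevant."""
    TYPE1 = 1   # undeclared capabilities in system software
    TYPE2 = 2   # undeclared capabilities in application software
    TYPE3 = 3   # threats unrelated to undeclared capabilities


def security_level(category, threat, employees_only, subjects):
    """Security level 1..4 required by clauses 9-12.

    employees_only: the system holds data of the operator's own employees only
    (clause 5, last paragraph). subjects: number of data subjects who are not
    employees of the operator. The clauses contrast "more than 100,000" with
    "less than 100,000"; exactly 100,000 is not addressed and is treated here
    as the lower band (an assumption of this example).
    """
    many = (not employees_only) and subjects > 100_000

    if threat is ThreatType.TYPE1:
        # 9a: special, biometric or other -> level 1; 10a: publicly available -> level 2
        return 2 if category is DataCategory.PUBLIC else 1

    if threat is ThreatType.TYPE2:
        if category is DataCategory.SPECIAL:
            return 1 if many else 2          # 9b / 10b
        if category is DataCategory.BIOMETRIC:
            return 2                         # 10c
        if category is DataCategory.PUBLIC:
            return 2 if many else 3          # 10d / 11a
        return 2 if many else 3              # 10e / 11b

    # ThreatType.TYPE3
    if category is DataCategory.SPECIAL:
        return 2 if many else 3              # 10f / 11c
    if category is DataCategory.BIOMETRIC:
        return 3                             # 11d
    if category is DataCategory.PUBLIC:
        return 4                             # 12a
    return 3 if many else 4                  # 11e / 12b


def table_row(category, employees_only, subjects):
    """One row of Table 1: the UZ level for threat types 1, 2 and 3 in turn."""
    return tuple(f"UZ-{security_level(category, t, employees_only, subjects)}"
                 for t in ThreatType)


# Clauses 13-16: measures introduced at each level (13 = level 4, ..., 16 = level 1).
MEASURES_BY_LEVEL = {
    4: ["security regime for the premises housing the system (13a)",
        "safety of personal data carriers (13b)",
        "approved list of persons whose duties require access to personal data (13c)",
        "information security tools that passed conformity assessment, where needed (13d)"],
    3: ["official (employee) responsible for personal data security (14)"],
    2: ["access to the electronic message log limited to staff who need it (15)"],
    1: ["automatic security-log registration of changes to employees' access rights (16a)",
        "structural unit responsible for personal data security (16b)"],
}


def required_measures(level):
    """Measures for a level; each level adds to those of the next lower level."""
    if level not in MEASURES_BY_LEVEL:
        raise ValueError("security level must be 1, 2, 3 or 4")
    measures = []
    for lvl in (4, 3, 2, 1):
        measures.extend(MEASURES_BY_LEVEL[lvl])
        if lvl == level:
            break
    return measures


if __name__ == "__main__":
    # Constructed sample systems: a large registry of special-category data,
    # an HR system holding only staff data, and a mid-sized "other" system.
    for cat, staff, n in [(DataCategory.SPECIAL, False, 200_000),
                          (DataCategory.SPECIAL, True, 0),
                          (DataCategory.OTHER, False, 50_000)]:
        who = "employees only" if staff else f"{n} subjects"
        print(cat.value, who, table_row(cat, staff, n))
    print(required_measures(2))
```

Clause 9a assigns level 1 to every non-public category under type 1 threats irrespective of subject count, so for the "other categories, fewer than 100,000" case the function returns 1; compare the corresponding ISPDn-I row of the author's Table 1.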

GOVERNMENT OF THE RUSSIAN FEDERATION

RESOLUTION

On the approval of requirements for the protection of personal data during their processing in personal data information systems

In accordance with Article 19 of the Federal Law "On Personal Data", the Government of the Russian Federation

decides:

1. To approve the attached requirements for the protection of personal data during their processing in personal data information systems.

2. To recognize as invalid the resolution of the Government of the Russian Federation of November 17, 2007 N 781 "On approval of the Regulation on ensuring the security of personal data when processing them in personal data information systems" (Collected Legislation of the Russian Federation, 2007, N 48, Article 6001).

Prime Minister
Russian Federation
D. Medvedev

Requirements for the protection of personal data when processing them in personal data information systems

APPROVED BY
government decree
Russian Federation
dated November 1, 2012 N 1119

1. This document establishes the requirements for the protection of personal data during their processing in personal data information systems (hereinafter referred to as information systems) and the security levels of such data.

2. The security of personal data during their processing in the information system is ensured with the help of the personal data protection system that neutralizes the actual threats identified in accordance with Part 5 of Article 19 of the Federal Law "On Personal Data".

The personal data protection system includes organizational and (or) technical measures determined taking into account the current threats to the security of personal data and information technologies used in information systems.

3. The security of personal data during their processing in the information system is ensured by the operator of this system, who processes personal data (hereinafter referred to as the operator), or the person who processes personal data on behalf of the operator on the basis of an agreement concluded with this person (hereinafter referred to as the authorized person). The agreement between the operator and the authorized person should provide for the duty of the authorized person to ensure the security of personal data when processing them in the information system.

4. The choice of information protection means for the personal data protection system is carried out by the operator in accordance with the regulatory legal acts adopted by the Federal Security Service of the Russian Federation and the Federal Service for Technical and Export Control in pursuance of Part 4 of Article 19 of the Federal Law "On Personal Data".

5. An information system is an information system that processes special categories of personal data if it processes personal data concerning race, nationality, political views, religious or philosophical beliefs, health status, intimate life of the subjects of personal data.

An information system is an information system that processes biometric personal data if it processes information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity and which are used by the operator to establish the identity of the subject of personal data, and information related to special categories of personal data.

An information system is an information system that processes publicly available personal data if it processes personal data of subjects of personal data obtained only from publicly available sources of personal data created in accordance with Article 8 of the Federal Law "On Personal Data".

An information system is an information system that processes other categories of personal data, if it does not process the personal data specified in paragraphs one through three of this clause.

An information system is an information system that processes the personal data of the operator's employees, if it processes the personal data of only the specified employees. In other cases, the personal data information system is an information system that processes personal data of personal data subjects who are not employees of the operator.

6. Under the current threats to the security of personal data is understood a set of conditions and factors that create an actual danger of unauthorized, including accidental, access to personal data during their processing in the information system, which may result in destruction, modification, blocking, copying, provision, distribution personal data, as well as other illegal actions.

Threats of the 1st type are relevant for an information system if, among other things, threats associated with the presence of undocumented (undeclared) capabilities in the system software used in the information system are relevant for it.

Threats of the 2nd type are relevant for an information system if, among other things, threats associated with the presence of undocumented (undeclared) capabilities in the application software used in the information system are relevant for it.

Threats of the 3rd type are relevant for an information system if threats that are not related to the presence of undocumented (undeclared) capabilities in the system and application software used in the information system are relevant to it.

7. The type of threats to the security of personal data relevant to the information system is determined by the operator taking into account the assessment of possible harm carried out in pursuance of paragraph 5 of part 1 of Article 18_1 of the Federal Law "On Personal Data", and in accordance with the regulatory legal acts adopted in execution Part 5 of Article 19 of the Federal Law "On Personal Data".

8. When processing personal data in information systems, 4 levels of personal data security are established.

9. The need to ensure the 1st level of protection of personal data during their processing in the information system is established in the presence of at least one of the following conditions:

a) type 1 threats are relevant to the information system and the information system processes either special categories of personal data, or biometric personal data, or other categories of personal data;

b) type 2 threats are relevant to the information system and the information system processes special categories of personal data from more than 100,000 personal data subjects who are not employees of the operator.

10. The need to ensure the 2nd level of protection of personal data during their processing in the information system is established if at least one of the following conditions is present:

a) type 1 threats are relevant to the information system and the information system processes publicly available personal data;

b) type 2 threats are relevant for the information system and the information system processes special categories of personal data of the operator's employees or special categories of personal data of less than 100,000 personal data subjects who are not employees of the operator;

c) type 2 threats are relevant to the information system and the information system processes biometric personal data;

d) type 2 threats are relevant for the information system and the information system processes publicly available personal data of more than 100,000 personal data subjects who are not employees of the operator;

e) type 2 threats are relevant for the information system and the information system processes other categories of personal data from more than 100,000 personal data subjects who are not employees of the operator;

f) type 3 threats are relevant for the information system and the information system processes special categories of personal data from more than 100,000 personal data subjects who are not employees of the operator.

11. The need to ensure the 3rd level of protection of personal data during their processing in the information system is established if at least one of the following conditions is present:

a) type 2 threats are relevant to the information system and the information system processes publicly available personal data of the operator's employees or publicly available personal data of less than 100,000 personal data subjects who are not employees of the operator;

b) type 2 threats are relevant to the information system and the information system processes other categories of personal data of the operator's employees or other categories of personal data of less than 100,000 personal data subjects who are not employees of the operator;

c) threats of the third type are relevant for the information system and the information system processes special categories of personal data of the operator's employees or special categories of personal data of less than 100,000 personal data subjects who are not employees of the operator;

d) type 3 threats are relevant for the information system and the information system processes biometric personal data;

e) threats of the 3rd type are relevant for the information system and the information system processes other categories of personal data of more than 100,000 personal data subjects who are not employees of the operator.

12. The need to ensure the 4th level of security of personal data during their processing in the information system is established if at least one of the following conditions is present:

a) type 3 threats are relevant to the information system and the information system processes publicly available personal data;

b) type 3 threats are relevant to the information system and the information system processes other categories of personal data of the operator's employees or other categories of personal data of less than 100,000 personal data subjects who are not employees of the operator.

13. To ensure the 4th level of protection of personal data during their processing in information systems, the following requirements must be met:

a) the organization of a regime for ensuring the security of the premises in which the information system is located, preventing the possibility of uncontrolled entry or stay in these premises by persons who do not have the right to access these premises;

b) ensuring the safety of personal data carriers;

c) approval by the head of the operator of the document defining the list of persons whose access to personal data processed in the information system is necessary for them to perform their official (labor) duties;

d) the use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in the case when the use of such means is necessary to neutralize current threats.

14. To ensure the 3rd level of protection of personal data when processing them in information systems, in addition to fulfilling the requirements provided for in paragraph 13 of this document, it is necessary that an official (employee) be appointed responsible for ensuring the security of personal data in the information system.

15. To ensure the 2nd level of protection of personal data during their processing in information systems, in addition to fulfilling the requirements provided for in paragraph 14 of this document, it is necessary that access to the content of the electronic message log is possible only for those officials (employees) of the operator or of the authorized person who need the information contained in that log for the performance of their official (labor) duties.

16. To ensure the 1st level of protection of personal data during their processing in information systems, in addition to the requirements provided for in paragraph 15 of this document, the following requirements must be met:

a) automatic registration in the electronic security log of changes in the authority of the operator's employee to access personal data contained in the information system;

b) the creation of a structural unit responsible for ensuring the security of personal data in the information system, or entrusting one of the structural units with the functions of ensuring such security.

17. Control over the fulfillment of these requirements is organized and carried out by the operator (authorized person) independently and (or) with the involvement on a contractual basis of legal entities and individual entrepreneurs licensed to carry out activities for the technical protection of confidential information. The specified control is carried out at least once every 3 years within the time frame determined by the operator (authorized person).
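As an added example, not part of the decree or of the post: the level-determination rules of clauses 9 to 12 and the cumulative requirement sets of clauses 13 to 16 encoded as a small classifier, with a completeness check over the decree's own grid of threat type, data category and subject count. The class names, the data model and the measure labels are this example's own assumptions.

```python
"""Classifier for the protection levels of Resolution No. 1119 (clauses 9-16).

Added example; the data model and names below are assumptions of this
example, not part of the decree. 'Profile' inputs follow the factors the
decree actually uses: threat type (clause 6), data category and
employees-only status (clause 5), and the number of non-employee subjects.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ThreatType(Enum):
    TYPE_1 = 1  # undeclared capabilities in system software (clause 6)
    TYPE_2 = 2  # undeclared capabilities in application software
    TYPE_3 = 3  # threats unrelated to undeclared capabilities


class DataCategory(Enum):
    SPECIAL = "special categories"
    BIOMETRIC = "biometric"
    PUBLIC = "publicly available"
    OTHER = "other categories"


@dataclass(frozen=True)
class SystemProfile:
    threat_type: ThreatType
    category: DataCategory
    employees_only: bool  # system processes only the operator's employees' data
    subjects: int         # non-employee subjects; ignored when employees_only


def _large(p: SystemProfile) -> bool:
    """'More than 100,000 subjects who are not employees' (clauses 9-11)."""
    return (not p.employees_only) and p.subjects > 100_000


def _small(p: SystemProfile) -> bool:
    """'Employees of the operator or less than 100,000 non-employee subjects'."""
    return p.employees_only or p.subjects < 100_000


def protection_level(p: SystemProfile) -> Optional[int]:
    """Return level 1..4 per clauses 9-12, or None where the text gives no rule.

    The decree speaks only of 'more than' and 'less than' 100,000 subjects,
    so a system with exactly 100,000 non-employee subjects is unclassified
    wherever the count matters; the caller must resolve that gap itself.
    """
    t, c = p.threat_type, p.category
    if t is ThreatType.TYPE_1:
        return 2 if c is DataCategory.PUBLIC else 1                # 10a / 9a
    if t is ThreatType.TYPE_2:
        if c is DataCategory.BIOMETRIC:
            return 2                                               # 10c
        if c is DataCategory.SPECIAL:
            return 1 if _large(p) else 2 if _small(p) else None    # 9b / 10b
        # PUBLIC and OTHER share the same thresholds: 10d, 10e / 11a, 11b
        return 2 if _large(p) else 3 if _small(p) else None
    if c is DataCategory.PUBLIC:
        return 4                                                   # 12a
    if c is DataCategory.BIOMETRIC:
        return 3                                                   # 11d
    if c is DataCategory.SPECIAL:
        return 2 if _large(p) else 3 if _small(p) else None        # 10f / 11c
    return 3 if _large(p) else 4 if _small(p) else None            # 11e / 12b


# Short labels (this example's wording) for the measures in clauses 13-16.
REQUIREMENTS = {
    4: ["13a access regime for the premises housing the system",
        "13b safe custody of personal data carriers",
        "13c head-approved list of persons whose duties require access",
        "13d conformity-assessed protection tools where needed for current threats"],
    3: ["14 official (employee) appointed responsible for personal data security"],
    2: ["15 electronic message log readable only by staff who need it for their duties"],
    1: ["16a automatic security-log registration of changes to employees' access rights",
        "16b structural unit responsible for personal data security"],
}


def required_measures(level: int) -> list[str]:
    """Clauses 14-16 are cumulative: level N includes every measure of levels N+1..4."""
    return [m for lvl in range(4, level - 1, -1) for m in REQUIREMENTS[lvl]]


def uncovered_profiles() -> list[SystemProfile]:
    """Walk the decree's own grid and report the profiles it leaves unclassified."""
    samples = ((True, 0), (False, 50_000), (False, 100_000), (False, 500_000))
    return [SystemProfile(t, c, emp, n)
            for t in ThreatType for c in DataCategory for emp, n in samples
            if protection_level(SystemProfile(t, c, emp, n)) is None]
```

Running `uncovered_profiles()` shows that only the exact-100,000 boundary is unclassified, which is the kind of missing specific the post complains about.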

Electronic text of the document prepared by CJSC "Kodeks" and verified by.



GOVERNMENT OF THE RUSSIAN FEDERATION

ON APPROVAL OF REQUIREMENTS

In accordance with Article 19 of the Federal Law "On Personal Data", the Government of the Russian Federation decides:

1. To approve the attached requirements for the protection of personal data during their processing in personal data information systems.

2. To recognize as invalid the resolution of the Government of the Russian Federation of November 17, 2007 N 781 "On approval of the Regulation on ensuring the security of personal data when processing them in personal data information systems" (Collected Legislation of the Russian Federation, 2007, N 48, Art. 6001) ...

Prime Minister
Russian Federation
D. MEDVEDEV

APPROVED
by Resolution of the Government
of the Russian Federation
dated November 1, 2012 N 1119

REQUIREMENTS
TO PROTECT PERSONAL DATA DURING THEIR PROCESSING
IN INFORMATION SYSTEMS OF PERSONAL DATA
