Ruslan Rakhmetov, Security Vision
In the last few years the state has taken a markedly greater interest in biometric data processing, primarily face and voice recognition. The interest is driven both by the opportunities these technologies offer and by the new threats they generate.
The opportunity is a simpler and more accurate way of authenticating a person, which is convenient for users and profitable for business; these technologies also make fully remote authentication practical. In the credit and financial sector this made biometrics a priority for the Central Bank, which, together with the Ministry of Digital Development, Communications and Mass Media (referred to below as the Ministry of Digital Development), initiated the creation of the Unified Biometric System (UBS). The UBS is developed and operated by Rostelecom.
The system was expected to benefit the sector by easing competition between providers of financial services and, as a consequence, lowering the cost of services for the public and making it easier for small organisations to attract clients. At the same time new threats appeared: interception, tampering with the authentication process, and outright forgery of biometrics (make-up, deepfake technology and the like).
To keep information security risks down, the UBS was built with a combination of technical, organisational and process measures. For banks, the main business users, the mega-regulator separately issued Bank of Russia Directive No. 4859-U of 9 July 2018 with a list of current threats, and Bank of Russia Methodological Recommendations No. 4-MR of 14 February 2019 on how banks should neutralise the security threats relevant to the processing (including collection and storage) of biometric personal data, their verification, and the transmission of information on how closely they match the biometric personal data a citizen of the Russian Federation has provided. To encourage use of the UBS, a tariff policy with an element of 'cashback' was introduced: an organisation pays a fee for each use of biometrics, and 50% of it is passed to the organisation that collected the biometric samples and submitted them to the UBS. Bank branches are also required to be equipped with biometric enrolment points: Federal Law No. 115-FZ of 7 August 2001 'On Combating Legalisation (Laundering) of Proceeds of Crime and Financing of Terrorism' makes it mandatory to offer remote identification via the UBS. Judging by the statistics, the solution is so far not particularly attractive to banks: the simplest deployment costs from 1 million roubles, and the number of biometric records is around 200 thousand and growing slowly. Judging by official statements, the security of biometric data is now the priority, and all measures boil down to centralising the processing and protection of biometrics in one place. That is understandable: from the confidentiality standpoint the advantages of storing and verifying biometrics in a single system are obvious, although a single repository is also a single high-value target, which is why the protection requirements described below are so strict.
Creating a single state system on the basis of the UBS (the state UBS) and requiring everyone to work only through it will change the current landscape of technologies that use biometric personal data: all commercial systems will have to integrate with the state UBS and work not with the biometric samples themselves but with vectors (templates derived from them).
To implement this policy, amendments have been made to Federal Law No. 149-FZ of 27 July 2006 'On Information, Information Technologies and Information Protection' (some of the requirements come into force on 01.09.2022), and Government Resolutions No. 1815 of 23.10.2021 and No. 1799 of 20.10.2021 and Order No. 930 of the Ministry of Digital Development of 10.09.2021 have been published, defining a number of operating requirements and features. Let us consider the key ones.
Points worth noting in 149-FZ:
- The operation of the UBS is in essence defined by the Government of the Russian Federation in coordination with the FSB, Roskomnadzor and the Bank of Russia.
- Individuals can enrol their own biometric data via ESIA (the Unified Identification and Authentication System) using a foreign-travel passport with a chip.
- At present the UBS stores face and voice data, but the set will be expanded; the composition of biometrics is determined by the Government.
- Processing of biometrics (and work with the UBS) must comply with the requirements for the protection of biometric personal data.
- Organisations can be inspected by the FSB, FSTEC, Roskomnadzor and the Bank of Russia within their respective competences.
- The Ministry of Digital Development:
  - sets the requirements for working with the UBS (collection of biometrics, storage, etc.);
  - determines the forms of confirming that technical means comply with the requirements;
  - determines the methods of checking biometric data quality;
  - defines the list of security threats relevant to the processing of biometric personal data;
  - distributes free of charge to individuals and legal entities the FSB-certified cryptographic information protection software needed to work with the UBS;
  - ensures that biometrics can be handled in multifunctional centres (MFCs);
  - accredits organisations that perform identification and/or authentication using biometric personal data of individuals.
- The UBS operator (Rostelecom):
  - ensures interaction with external users of the UBS;
  - provides information from the UBS on request to the Ministry of Internal Affairs and the FSB;
  - deletes biometrics from the UBS at the request of the individual (or of the state security services);
  - maintains the register of UBS users (state bodies, local self-government bodies, financial market organisations, other organisations, individual entrepreneurs, notaries).
- The law distinguishes organisations that perform identification and/or authentication using biometrics from those that perform authentication only (i.e. the user has already been identified by other means).
- Collection and processing of biometrics in other systems is prohibited, except in cases established by the Government in coordination with the Central Bank (apparently aimed at large biometric data operators such as Sberbank), and then only provided that the organisation:
  - meets the security requirements;
  - meets the requirements of Federal Law No. 187-FZ of 26 July 2017 'On the Security of the Critical Information Infrastructure of the Russian Federation' and is connected to GosSOPKA;
  - has passed accreditation with the Ministry of Digital Development.
- Every system holding biometrics must either connect to the UBS and hand over the biometrics already collected, obtain an exemption (by decision of the Government), or stop working with biometrics.
- The organisation and its management must not appear on the lists of persons involved in extremist activity, terrorism or the proliferation of weapons of mass destruction.
- The organisation's management must have no outstanding or unexpunged criminal record.
- The Unified State Register of Legal Entities must contain no record of unreliable information about the organisation.
- Data transmission channels must be protected using certified cryptographic information protection facilities (CIPF, Russian SKZI).
- Tariffs (including the mandatory 'cashback' to biometrics providers) are set by Rostelecom in accordance with a fee calculation methodology approved by the Ministry of Digital Development in coordination with the Bank of Russia.
- Organisations may use the information systems of organisations accredited to work with biometrics, provided they themselves meet the basic requirements (in effect everything except accreditation by the Ministry of Digital Development).
- Accreditation is granted if the organisation meets the following conditions:
  - foreign participation below 49% (except for special cases determined by the Government);
  - minimum capital of at least 50 million roubles;
  - insurance against incorrect authentication of at least 50 million roubles;
  - an FSB licence for the development, production and distribution of encryption (cryptographic) means and of information and telecommunication systems protected with them, for performing work and providing services in the field of information encryption, and for the maintenance of such means and systems;
  - ownership of hardware encryption systems;
  - at least two employees with higher education in information technology or information security;
  - compliance with the business reputation requirements for the sole executive body or the members of the collegial executive body established by the Ministry of Digital Development;
  - compliance with additional requirements for the sole executive body: Russian citizenship, no outstanding or unexpunged criminal record, no criminal prosecution under Articles 183 and 283 of the Criminal Code of the Russian Federation (illegal receipt and disclosure of information constituting state, commercial, tax or banking secrets), absence from the lists of persons involved in terrorism, etc., during the five years preceding the date of the application for accreditation;
  - the applicant's accreditation has not been terminated early within the three years preceding the day the new application is submitted;
  - the person entitled to act without a power of attorney on behalf of the applicant was not, within the three years preceding the application, such a person for another organisation performing identification and/or authentication using biometric personal data whose accreditation was terminated early.
- Organisations performing identification, or identification and authentication, face additional, higher requirements:
  - minimum capital of at least 500 million roubles;
  - insurance against incorrect biometric verification of at least 100 million roubles;
  - connection to GosSOPKA.
- Scheduled inspections of accredited organisations must take place at least once every three years.
The next document, Government Decree No. 1799 of 20.10.2021, sets the rules for accrediting organisations that work with biometric personal data: the form of the application and of the supporting documents confirming that the requirements are met, the time limits for reviewing an application, and the recording of accreditation in a dedicated list of accredited organisations. The requirements for foreign organisations deserve special attention: they must place their technical facilities on the territory of the Russian Federation and must not represent a foreign state included in the list of states committing unfriendly actions against the Russian Federation, its citizens and legal entities.
Government Decree No. 1815 of 23.10.2021, in turn, lists the cases in which biometric personal data may be collected and processed in organisations' own information systems for identification, or identification and authentication; in effect a whitelist of permitted applications, in particular identification (authentication) of:
- drivers of passenger taxis;
- carsharing drivers (car rental for up to 24 hours);
- persons entering an organisation's premises through its own access control system (ACS), except for organisations of the defence industry, the nuclear power and nuclear weapons industries, the chemical and fuel and energy complexes, transport infrastructure facilities, critical information infrastructure entities, facilities where a terrorist act could lead to emergencies with dangerous socio-economic consequences, restricted-access (regime) facilities, pre-school institutions and certain other organisations;
- participants in a meeting of the members of a civil-law community.
Finally, Order No. 930 of the Ministry of Digital Development of 10.09.2021 defines the procedure for processing biometrics. The following points are worth noting:
- organisations not supervised by the Bank of Russia must report detected information security incidents to the Ministry of Digital Development within one working day;
- compliance with the information protection requirements must be assessed annually by an external licensed organisation, and the results reported to the Ministry of Digital Development;
- technical requirements for the biometric samples (images and voice) are defined: resolution, colour depth, head rotation angles, illumination, data formats, signal-to-noise ratio for voice, quality metrics, etc.;
- quality is checked with software provided by Rostelecom, and low-quality samples must not be collected;
- biometrics collected for identification/authentication purposes must not be stored anywhere except the UBS;
- only biometrics no older than five years may be used;
- maximum acceptable false match probabilities are defined for the different biometric comparison scenarios;
- at least five different algorithms must be used to detect presentation attacks on the biometric capture.
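The regulation above says that commercial systems will work with vectors rather than raw biometric samples and that a maximum false match probability is prescribed per comparison scenario, but not how an integrator actually chooses the comparison threshold that meets such a limit. The following is an added example written by the editor; it is not code from the original article, from Rostelecom or from the UBS, and it goes one step beyond the text by showing the calibration itself. It treats a face as a 128-dimensional embedding vector (a common but here assumed size), scores a fresh capture against the enrolled template by cosine similarity, and derives the decision threshold from an impostor score distribution so that the measured false match rate (FMR) does not exceed a target. The embeddings are synthetic (a seeded random generator stands in for the feature extractor) and the target FMR of 0.001 is chosen for illustration; the actual limits set by Order No. 930 are not reproduced on this page.

```python
"""Threshold calibration for vector (template) based biometric verification.

Editor's added example; not code from the article, Rostelecom or the UBS.
The 128-dimensional embedding size, the synthetic "feature extractor" (a seeded
RNG) and the 0.001 target FMR are assumptions for illustration only.
"""
import math
import random
from typing import List, Sequence, Tuple

DIM = 128  # assumed embedding size


def cosine(a: Sequence[float], b: Sequence[float]) -> float:
    """Cosine similarity in [-1, 1]; 1.0 means the same direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)


def threshold_for_fmr(impostor_scores: Sequence[float], target_fmr: float) -> float:
    """Lowest threshold t such that the share of impostor scores strictly
    above t does not exceed target_fmr. Decision rule: accept iff score > t."""
    ranked = sorted(impostor_scores, reverse=True)
    allowed = int(math.floor(target_fmr * len(ranked)))  # tolerable impostor accepts
    if allowed >= len(ranked):
        return -1.0  # target so loose that every impostor may be accepted
    # Every score at index >= allowed is <= ranked[allowed], so at most
    # `allowed` impostor scores are strictly greater than it.
    return ranked[allowed]


def fmr(impostor_scores: Sequence[float], t: float) -> float:
    """False match rate: share of impostors wrongly accepted at threshold t."""
    return sum(1 for s in impostor_scores if s > t) / len(impostor_scores)


def fnmr(genuine_scores: Sequence[float], t: float) -> float:
    """False non-match rate: share of genuine users wrongly rejected at t."""
    return sum(1 for s in genuine_scores if s <= t) / len(genuine_scores)


def verify(probe: Sequence[float], template: Sequence[float], t: float) -> Tuple[bool, float]:
    """Compare a fresh probe vector with the enrolled template; returns (accepted, score)."""
    score = cosine(probe, template)
    return score > t, score


def build_demo_scores(seed: int = 7, subjects: int = 200, genuine_per_subject: int = 5,
                      impostor_pairs: int = 4000) -> Tuple[List[float], List[float]]:
    """Constructed data: each subject's template is a random vector, a fresh
    capture of the same subject is the template plus Gaussian noise, and an
    impostor probe is a capture of a different subject."""
    rng = random.Random(seed)

    def embed() -> List[float]:
        return [rng.gauss(0.0, 1.0) for _ in range(DIM)]

    def capture(template: Sequence[float], sigma: float = 0.3) -> List[float]:
        return [x + rng.gauss(0.0, sigma) for x in template]

    templates = [embed() for _ in range(subjects)]
    genuine = [cosine(capture(tpl), tpl) for tpl in templates for _ in range(genuine_per_subject)]
    impostor = []
    for _ in range(impostor_pairs):
        i, j = rng.sample(range(subjects), 2)
        impostor.append(cosine(capture(templates[i]), templates[j]))
    return genuine, impostor


def calibrate(target_fmr: float = 0.001, seed: int = 7) -> dict:
    """Pick the threshold for the target FMR and report the resulting error rates."""
    genuine, impostor = build_demo_scores(seed=seed)
    t = threshold_for_fmr(impostor, target_fmr)
    return {"threshold": t, "fmr": fmr(impostor, t), "fnmr": fnmr(genuine, t)}


if __name__ == "__main__":
    print(calibrate())
```

Two practical points follow from the code. Only the vectors (`templates`) need to be stored and compared, which is what working "with vectors rather than biometrics" means in practice; and the threshold is only as trustworthy as the impostor set it was calibrated on, so with a prescribed FMR limit the size and representativeness of that set (at least several thousand impostor comparisons for a limit of the order of 0.001) matter as much as the matching algorithm.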
This set of requirements also raises a functional question: what happens to stand-alone recognition systems, for example the face recognition now built into smart intercoms? Such technologies are, in effect, now prohibited.
As we can see, biometric technologies are now strictly regulated and restricted, which improves security. The downside is that such restriction may cause the Russian Federation to lag in these technologies: developing new directions, testing them and, above all, entering this market will become significantly harder.
What is biometric personal data?
Biometric personal data are the unique physiological and biological characteristics of a person that can be used to identify them: fingerprints, facial images, iris scans, voice features, hand geometry and other biometrics.
The defining property of biometric data is uniqueness: no two people share exactly the same biometric characteristics, which makes them a natural tool for authentication and identification. Using biometric personal data to access systems or data raises the bar for attackers and removes the problem of lost or stolen passwords (though not, as noted below, the problem of a leaked characteristic that can never be changed).
Applications of biometric personal data
1. Authentication: the most common use of biometric personal data is user authentication. With fingerprint scanning or facial recognition, a device can ensure that only an authorised person is granted access.
2. Mobile device security: many modern smartphones and tablets have fingerprint sensors or facial recognition cameras, which makes the devices harder to access without authorisation.
3. Data protection: biometric personal data can also gate access to sensitive data; for example, a biometric scanner can be integrated into the access path to servers holding sensitive corporate information.
4. Password replacement: biometrics make it possible to do without complex passwords and PINs, using one's own biometric characteristics to access devices and data instead.
5. Medical security: in healthcare facilities, biometric personal data can secure access to medical records and patients' personal data.
Features of biometric data
However, despite all these benefits, using biometric personal data carries a specific risk: if biometric data leak they are compromised permanently, because unlike a password or PIN they cannot be changed. Protecting biometric data, in particular storing only protected templates rather than raw samples and encrypting them, therefore becomes a critical task.