
Compliance in information security
16.12.2024

Ruslan Rakhmetov, Security Vision

Compliance, i.e. meeting the legal requirements for information protection, has traditionally been one of the main drivers of corporate information security (IS). With the entry into force of the key laws on information security came a corresponding demand for information protection tools and services. Recent years have seen high attacker activity and a growing number of targeted destructive attacks, so more and more companies recognize the importance of practical, effective cybersecurity rather than "paper" cybersecurity. Nevertheless, this division is no longer meaningful: a fine for non-compliance with legal requirements and the destruction of infrastructure by a wiper attack lead to the same result, financial and reputational damage to the company. In this article we describe the main regulatory requirements for information protection and how to combine IS compliance with effective cybersecurity.

The key legislative requirements for IS at the moment are:

- Federal Law No. 149-FZ dated 27.07.2006 "On Information, Information Technologies and Information Protection";
- Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data";
- Federal Law No. 187-FZ dated 26.07.2017 "On the Security of Critical Information Infrastructure of the Russian Federation";
- Presidential Decree No. 250 dated 01.05.2022 "On additional measures to ensure information security of the Russian Federation".

Of course, there are many other requirements and standards relating to the security of financial transactions, protection of commercial secrets, computer incident management and so on. But it is the regulatory documents listed above that are mandatory for most commercial and state organizations, and they also carry the most severe liability for non-compliance. For example, violating the requirements for the security of Russian critical information infrastructure (CII) or the procedure for informing the National Coordination Center for Computer Incidents (NCCI) about cyber incidents results in a fine under Article 13.12.1 of the Code of Administrative Offences of the Russian Federation (CAO RF); violating the procedure for categorizing CII facilities results in a fine under Article 19.7.15 of the CAO RF; and criminal liability for unlawful impact on Russian CII is stipulated by Article 274.1 of the Criminal Code of the RF. Recently published laws significantly increase liability for illegal processing of personal data (PD): the fine for a company's initial violation now depends on the volume of the leak and the sensitivity of the data and may range from 3 to 20 million rubles, and for a repeated violation from 1% to 3% of total revenue, but not less than 20 and not more than 500 million rubles. In addition, failure to notify, or untimely notification of, Roskomnadzor (RKN) about an illegal or accidental leak of personal data is punishable by a fine of 1 to 3 million rubles, and illegal processing of personal data may entail criminal liability under Article 272.1 of the Criminal Code of the Russian Federation.

As we can see, the penalties for non-compliance with legal requirements are quite strict. However, automation systems such as SGRC-class solutions come to the aid of scarce and overburdened IS specialists. For the protection of CII objects, automation platforms such as the Security Vision CII product make it possible to form lists of critical processes and CII objects, categorize them, model threats and intruders, assess computer attack scenarios and their consequences, conduct an internal audit of compliance with FSTEC of Russia Orders Nos. 239, 235 and 236, and set and track tasks for eliminating non-compliances. For the protection of personal data, automation solutions help create the necessary package of preliminary documents, including, for example, a personal data processing policy, a personal data protection regulation, a list of processed personal data, a plan of measures to ensure personal data protection, standard consent forms for personal data subjects, and instructions for officials. Next, the storage locations and processing methods of personal data must be audited, a list of personal data information systems (ISPDN) compiled, the required personal data security level determined, and an intruder model and a model of threats to personal data processed in the ISPDN created. A notification must then be submitted to the RKN on the commencement of personal data processing, or on changes to the information already contained in the register of personal data operators. A number of additional documents will also need to be developed, for example regulations on accounting for personal data carriers, on backing up personal data, on responding to appeals and requests from personal data subjects, on cross-border transfer of personal data, etc.

It is also important to be prepared for scheduled and unscheduled inspections by the Federal Tax Service, which may include requests for information on the persons authorized to process personal data, the storage locations of personal data, the properties and characteristics of the ISPDN and the personal data protection system, completed consent forms for personal data processing, and other documents. Automation systems help develop these documents, and also make it possible to form and send a notification of a personal data incident to the RKN within 24 hours after the leak is detected, followed by a notification on the results of the internal investigation within 72 hours.

In addition to the governmental legal norms set out in regulatory legal acts (RLAs), companies are often required to comply with the IS requirements of the parent company within a holding structure of subsidiaries and affiliates. There are also industry-specific cybersecurity norms, standards of various associations, voluntarily adopted requirements and so on; these obligations must also be taken into account when managing corporate cybersecurity, and they too fall under IS compliance. Based on such mandatory and voluntary standards and requirements, the provisions of internal regulatory documents (IRDs), organizational and regulatory documents (ORDs) and local regulations (LNAs) are formed. As a result, a company has to comply with a number of requirements of different nature: non-compliance with an internal requirement may cause internal difficulties, while non-compliance with current legislation may lead to reputational damage, fines, or even license revocation and suspension of operations. IS compliance automation platforms help here by embedding and keeping up to date a database of applicable RLAs, building a database of applicable ORDs, IRDs and LNAs, and decomposing all requirements from the applicable regulations, followed by deduplication. Deduplication matters because one and the same requirement may appear in several documents at once, so fulfilling it "closes" a number of compliance items simultaneously.
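The decomposition-and-deduplication step described above, as an added example that is not Security Vision code or any product's implementation. Each document is broken into atomic requirement sentences, near-identical sentences are grouped into one control by token-set similarity, and fulfilling a control is then credited to every document that states it. The document names, requirement texts, stop-word list and similarity threshold are all constructed assumptions for illustration, not quotations from any regulation.

```python
"""
Added example: decomposing requirements from several applicable documents and
deduplicating them, so that one fulfilled requirement "closes" every document
that states it. All documents and requirement texts below are constructed
sample data.
"""
import re
from collections import defaultdict

# Constructed sample: each applicable document decomposed into atomic requirements.
DOCUMENTS = {
    "RLA: external regulation (constructed)": [
        "Events of information security must be recorded and stored for at least 1 year.",
        "Anti-virus protection shall be implemented on all workstations and servers.",
    ],
    "ORD: group IS policy (constructed)": [
        "Information security events must be recorded and stored for at least 1 year",
        "Accounts of dismissed employees are blocked within 1 working day.",
    ],
    "LNA: local regulation (constructed)": [
        "anti-virus protection shall be implemented on all workstations and servers",
        "Accounts of dismissed employees are blocked within 1 working day.",
    ],
}

# Assumed stop-word list: function words that carry no control meaning.
STOPWORDS = {"a", "an", "the", "of", "and", "or", "for", "at", "be", "is", "are",
             "must", "shall", "on", "all", "to", "in", "within"}


def tokens(text):
    """Canonical token set: lower-case, punctuation removed, stop words dropped."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return frozenset(w for w in words if w not in STOPWORDS)


def jaccard(a, b):
    """Similarity of two token sets; identical sets score 1.0."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def deduplicate(documents, threshold=0.8):
    """Group requirements across documents into unique controls.

    Returns a list of dicts: {"text": representative wording,
    "tokens": token set, "sources": [(document, original wording), ...]}.
    A requirement joins the first existing control whose token set is at
    least `threshold` similar (assumed value); otherwise it starts a new one.
    """
    controls = []
    for doc, requirements in documents.items():
        for req in requirements:
            t = tokens(req)
            for control in controls:
                if jaccard(control["tokens"], t) >= threshold:
                    control["sources"].append((doc, req))
                    break
            else:
                controls.append({"text": req, "tokens": t, "sources": [(doc, req)]})
    return controls


def document_coverage(controls, fulfilled):
    """Per-document (fulfilled, total) counts given the set of fulfilled control indexes."""
    per_doc = defaultdict(lambda: [0, 0])
    for index, control in enumerate(controls):
        for doc, _ in control["sources"]:
            per_doc[doc][1] += 1
            if index in fulfilled:
                per_doc[doc][0] += 1
    return {doc: tuple(counts) for doc, counts in per_doc.items()}


if __name__ == "__main__":
    unique = deduplicate(DOCUMENTS)
    for i, control in enumerate(unique):
        docs = sorted({doc for doc, _ in control["sources"]})
        print(f"[{i}] {control['text']}\n     closes: {', '.join(docs)}")
    # Marking only the event-logging control as fulfilled credits two documents at once.
    print(document_coverage(unique, fulfilled={0}))
```

Three unique controls come out of six requirement lines, and marking the event-logging control as fulfilled is credited to both the RLA and the ORD that state it. In practice the threshold needs tuning per corpus, and any grouping below 1.0 similarity should be confirmed by an analyst before two documents are treated as stating the same control.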

IS compliance automation systems help generate questionnaires listing the requirements of the RLAs, ORDs, IRDs and LNAs that need to be fulfilled. Questionnaires can be sent out automatically by email with the responses processed afterwards, or they can be filled out on the automation system's web portal; the latter is preferable, since it lets all employees work in a single interface without overloading their email. Questionnaires can contain forms, drop-down lists and free-text fields for answering a question about meeting a standard, and can also support attachments for capturing the relevant documents. The timing and order of questionnaire completion can be controlled through the ticketing subsystem built into the automation platform or through integration with corporate task trackers and ServiceDesk solutions. Completion results are displayed on visualization panels, graphs and dashboards and in reports generated automatically by the same IS compliance automation platform.

Let's move on to linking "paper IS" (i.e. compliance processes) with practical cybersecurity. All IS norms and requirements set out in RLAs, ORDs, IRDs and LNAs are usually formed on the basis of the broad experience in building reliable cybersecurity possessed by the authors of those documents; however, not every normative requirement is clear to end users, and implementation often degenerates into trivially ticking the corresponding boxes in questionnaires. To move from "paper IS" to practical cybersecurity, IS compliance must be built on objective data obtained from the protection systems themselves. For example, Order No. 21 of the Federal Service for Technical and Export Control of the Russian Federation (FSTEC of Russia), which deals with protective measures for the security of personal data, specifies requirements such as "RSB.3 - Collection, recording and storage of information about security events for a specified retention time" and "AVZ.1 - Implementation of anti-virus protection". Fulfillment of these requirements can be monitored objectively through the IS compliance automation platform: it only needs to request the state of IS event sources and the retention period from the SIEM system, and to obtain from the anti-virus solution a report on the state of all clients and compare that list with all accounted corporate devices. If deficiencies are found, the administrators of the relevant anti-virus and information systems can be assigned remediation tasks and the deadlines for completing them can be tracked.
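The objective check for RSB.3 and AVZ.1 described above, written out as an added example (not Security Vision code or the product's implementation). The asset inventory, the SIEM log-source view and the anti-virus console report are constructed sample data standing in for what an automation platform would pull from those systems; the required retention period and the maximum signature age are assumed policy values, and the dictionary field names are assumptions, not any real product's API.

```python
"""
Added example: checking two FSTEC Order No. 21 measures against objective data
pulled from protection systems instead of questionnaire tick-boxes.

  RSB.3 - security events are collected and retained for the required period
  AVZ.1 - anti-virus protection is deployed on every accounted device

All inputs below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed asset inventory: every device the company has accounted for.
ASSETS = {"srv-db-01", "srv-app-01", "ws-acct-07", "ws-hr-12"}

# Constructed SIEM view: per-host log-source health and configured retention (days).
SIEM_SOURCES = {
    "srv-db-01": {"status": "active", "retention_days": 365},
    "srv-app-01": {"status": "stale", "retention_days": 365},   # stopped sending events
    "ws-acct-07": {"status": "active", "retention_days": 90},   # retention too short
}

# Constructed anti-virus console report: agent state and signature age per host.
AV_CLIENTS = {
    "srv-db-01": {"agent": "installed", "signatures_age_days": 0},
    "srv-app-01": {"agent": "installed", "signatures_age_days": 14},  # outdated
    "ws-hr-12": {"agent": "installed", "signatures_age_days": 1},
}


@dataclass
class Finding:
    measure: str   # "RSB.3" or "AVZ.1"
    host: str
    issue: str


def check_rsb3(assets, siem_sources, required_retention_days=365):
    """RSB.3: every accounted host must have an active log source with sufficient retention."""
    findings = []
    for host in sorted(assets):
        source = siem_sources.get(host)
        if source is None:
            findings.append(Finding("RSB.3", host, "no log source registered in SIEM"))
            continue
        if source["status"] != "active":
            findings.append(Finding("RSB.3", host, f"log source status is {source['status']}"))
        if source["retention_days"] < required_retention_days:
            findings.append(Finding("RSB.3", host,
                f"retention {source['retention_days']}d < required {required_retention_days}d"))
    return findings


def check_avz1(assets, av_clients, max_signature_age_days=7):
    """AVZ.1: every accounted host must run an anti-virus agent with fresh signatures."""
    findings = []
    for host in sorted(assets):
        client = av_clients.get(host)
        if client is None or client["agent"] != "installed":
            findings.append(Finding("AVZ.1", host, "no anti-virus agent reported"))
            continue
        if client["signatures_age_days"] > max_signature_age_days:
            findings.append(Finding("AVZ.1", host, f"signatures {client['signatures_age_days']}d old"))
    # Hosts the anti-virus console knows but the inventory does not are an inventory gap.
    for host in sorted(set(av_clients) - set(assets)):
        findings.append(Finding("AVZ.1", host, "reported by anti-virus but missing from asset inventory"))
    return findings


def compliance_status(findings):
    """Roll findings up to a per-measure verdict for a dashboard or a remediation task."""
    status = {"RSB.3": "compliant", "AVZ.1": "compliant"}
    for finding in findings:
        status[finding.measure] = "non-compliant"
    return status


if __name__ == "__main__":
    all_findings = check_rsb3(ASSETS, SIEM_SOURCES) + check_avz1(ASSETS, AV_CLIENTS)
    for finding in all_findings:
        print(f"{finding.measure}\t{finding.host}\t{finding.issue}")
    print(compliance_status(all_findings))
```

Each finding names the host and the specific gap, which is what a remediation ticket to the SIEM or anti-virus administrator needs; the per-measure verdict is what the compliance dashboard needs. The same pattern, inventory joined against a protection system's own report, applies to other measures whose evidence a tool can produce.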

It is also important to process and present information effectively, including to managers for risk-oriented decision-making, taking into account the level of compliance with individual RLAs, ORDs, IRDs and LNAs. Visualization helps assess at a glance the completeness of compliance with the various requirements, the effectiveness of the measures applied, and the efficiency of individual processes, technologies and the IS team as a whole. Various reporting forms are useful both during internal IS audits and during inspections by regulators (RKN, CBR, FSTEC, FSB, etc.). IS compliance automation platforms visualize the state of IS compliance on dashboards, widgets, graphs and tables, and automatically generate and send reports, both in corporate layouts and in the forms required by government agencies. All of the above functionality is implemented in the Security Vision SGRC solution, which contains the CII, Risk Management, Operational Risk Management, Compliance Management and Business Continuity Planning modules.

IS compliance is closely related to asset, vulnerability and configuration management: to implement the various requirements for protecting personal data and CII objects, it is important to know where the protected data and information systems are located, what characteristics they have, and what their security level is, including vulnerabilities and secure settings on devices. Vulnerability Management class systems such as Security Vision VM can be used to manage vulnerabilities and configurations; it scans the network for devices, inventories and classifies them by importance level, identifies the applicable regulatory requirements and assesses compliance with them, and analyzes their security level, including a list of open vulnerabilities and insecure configurations.
