Continuing the series of articles on the practical protection of personal data, let us consider what the conformity assessment of information protection means is and which forms of it are permissible in the field of personal data protection.
As we said in the previous article ('Practical Personal Data Protection. How a company should process and protect personal data. Part 2'), the issue of conformity assessment remains relevant today. The requirement was first established by paragraph 5 of the Resolution of the Government of the Russian Federation of 17.11.2007 No. 781 'On Approval of the Regulations on ensuring the security of personal data during their processing in information systems of personal data' (hereinafter - PP 781), and then by the Federal Law of 25.07.2011 No. 261-FZ 'On Amendments to the Federal Law "On Personal Data"', which added paragraph 3 to part 2 of Art. 19 of the Federal Law of 27.07.2006 No. 152-FZ 'On Personal Data' (hereinafter - 152-FZ), where it is still in force.
As in the previous articles, let us start with the background. With the adoption of 152-FZ, companies were faced with the task of protecting personal data and, as a consequence, with the question of which protection means are necessary and sufficient for this purpose. The law designated the following agencies responsible in the field of personal data protection:
- the federal executive authority authorised in the field of security (note: the Federal Security Service of Russia, FSB) - part 3 of Article 19 of 152-FZ
- the federal executive authority authorised in the field of countering technical intelligence and technical protection of information (note: the FSTEC of Russia) - part 3 of Article 19 of 152-FZ.
According to paragraph 1 of the Decree of the President of the Russian Federation dated 06.03.1997 No. 188 'On Approval of the List of Confidential Information' (hereinafter - Decree 188), personal data is classified as confidential information, and according to part 2 of Article 5 of the Federal Law dated 27.07.2006 No. 149-FZ 'On Information, Information Technologies and Information Protection' it is classified as restricted information. Prior to the adoption of 152-FZ, the requirements for the protection of confidential information were defined in the following documents:
- Federal Law of 20.02.1995 No. 24-FZ ‘On Information, Informatisation and Protection of Information’
- Decree 188
- Presidential Decree No. 611 of 12 May 2004 ‘On Measures to Ensure Information Security of the Russian Federation in the Sphere of International Information Exchange’.
- Resolution of the Government of the Russian Federation No. 608 of 26 June 1995 ‘On the Certification of Information Protection Equipment ’ (hereinafter Resolution 608)
- Resolution of the Government of the Russian Federation No. 691 of 23 September 2002 ‘On Approval of Provisions on Licensing of Certain Types of Activities Related to Encryption (Cryptographic) Means’
- Resolution of the Government of the Russian Federation No. 504 of 15.08.2006 ‘On licensing activities related to technical protection of confidential information’.
- Guiding document of the State Technical Commission of Russia ‘Concept of protection of computer hardware and automated systems against unauthorised access to information’ (approved by the decision of the State Technical Commission of Russia dated 30.03.1992).
- Guiding document of the State Technical Commission of Russia ‘Automated Systems. Protection against unauthorised access to information. Classification of automated systems and information protection requirements’ (approved by the decision of the Chairman of the State Technical Commission of Russia dated 30.03.1992) (hereinafter - RD AS).
- Guiding document of the State Technical Commission of Russia ‘Computer facilities. Protection against unauthorised access to information. Indicators of protection against unauthorised access to information’ (approved by the State Technical Commission of Russia on 30.03.1992) (hereinafter - RD SVT).
- Guiding document of the State Technical Commission of Russia 'Computer facilities. Firewalls. Protection against unauthorised access to information. Indicators of protection against unauthorised access to information' (approved by the State Technical Commission of Russia on 25.07.1997) (hereinafter - RD ME).
- Guiding document of the State Technical Commission of Russia dated 04.06.1999 No. 114 'Protection against unauthorised access to information. Part 1. Software of information protection means. Classification by the level of control over the absence of undeclared capabilities' (hereinafter - RD NDV)
- Regulations on certification of informatisation objects for compliance with information security requirements (approved by the State Technical Commission of Russia on 25.11.1994) (hereinafter - Regulations on certification).
- 'Special Requirements and Recommendations for Technical Protection of Confidential Information (STR-K)' (approved by Order No. 282 of the State Technical Commission of Russia dated 30.08.2002), restriction marking 'For Official Use'.
- FAPSI Order No. 152 of 13.06.2001 'On Approval of the Instruction on Organisation and Security of Storage, Processing and Transmission through Communication Channels with the Use of Cryptographic Protection Means of Restricted Access Information Not Containing State Secret Information' (hereinafter - Instruction 152)
- Order of the Federal Security Service of Russia No. 66 dated 09.02.2005 ‘On Approval of the Regulation on Development, Production, Implementation and Operation of Encryption (Cryptographic) Means of Information Protection (Regulation PKZ-2005)’.
- GOST R 51583-2000 'Procedure for creation of automated systems in a secure version', restriction marking 'For Official Use'
- GOST R 51624-2000 'Protection of information. Automated systems in a protected version', restriction marking 'For Official Use'.
If we look at the documents listed above, most of them operated with only one form of conformity assessment of information protection means (although they did not call it that), namely certification of information protection means:
- Decree 611 - item 1
- RD AS - item 3.3, item 4.6 of the tables. Certified means are mandatory in ASs of protection classes 3A, 2A, 1V, 1B and 1A.
- Regulations on certification - clauses 2.6, 3.1, 3.4, 3.4.1, 3.4.2 and 3.7.1
- Instruction 152 - clauses 1, 7, 69 and 72.
We will not cite the provisions of the documents marked DSP, i.e. 'For Official Use' (for what this marking means, see Resolution of the Government of the Russian Federation No. 1233 dated 03.11.1994 'On Approval of the Regulations on the Procedure for Handling Official Information of Limited Dissemination in Federal Executive Authorities, the Authorised Body for Managing the Use of Atomic Energy and the Authorised Body for Space Activities'). We only note that if you want to certify (attest) an informatisation object (automated system) processing confidential information, the certification authority or certification centre (a licensee of the FSTEC of Russia for technical protection of confidential information whose permitted types of activity include certification tests and certification of informatisation means and systems for compliance with information protection requirements) will point out the necessity to install and use only certified information protection means at that object.
PKZ-2005 stands apart from these documents: it does not explicitly state that the cryptographic protection means used must be certified. This aspect is discussed below in the section 'Approach of the Federal Security Service of Russia'.
Leaving aside the intermediate documents on personal data protection that were issued and later cancelled, let us move to the present day. Some of the documents mentioned above, namely Instruction 152, PKZ-2005 and RD SVT, are still in force in the field of personal data protection (see the article 'Practical protection of personal data. How a company should process and protect personal data. Part 2').
In 2021, the application of information protection means in personal data information systems is determined by the following documents:
- 152-FZ
- Resolution of the Government of the Russian Federation of 01.11.2012 No. 1119 ‘On Approval of Requirements for the Protection of Personal Data when Processing in Personal Data Information Systems’ (hereinafter - Resolution 1119)
- Order of the FSTEC of Russia No. 21 dated 18.02.2013 ‘On Approval of the Composition and Content of Organisational and Technical Measures to Ensure the Security of Personal Data when Processing in Personal Data Information Systems ’ (hereinafter - Order 21)
- Basic model of threats to the security of personal data during their processing in information systems of personal data (extracts) (approved by FSTEC of Russia, 2008)
- Methodological document ‘Methodology of information security threat assessment’ (approved by FSTEC of Russia on 05.02.2021)
- Instruction 152
- PKZ-2005 (Order of the Federal Security Service of Russia No. 66 dated 09.02.2005)
- Order of the Federal Security Service of Russia No. 378 dated 10.07.2014 'On Approval of the Composition and Content of Organisational and Technical Measures to Ensure the Security of Personal Data when Processing in Personal Data Information Systems with the Use of Cryptographic Information Protection Means Required to Meet the Personal Data Protection Requirements for Each Level of Security Established by the Government of the Russian Federation' (hereinafter - Order 378).
- 'Methodological recommendations for the development of regulatory legal acts defining threats to personal data security relevant to the processing of personal data in personal data information systems operated in the course of relevant activities' (approved by the Federal Security Service of Russia on 31.03.2015, No. 149/7/2/6-432).
Approach of the FSTEC of Russia
If we consider the main documents of the FSTEC of Russia listed above, we can see that they do not contain a direct instruction to use only certified information protection means, as was the case in the 'Recommendations on ensuring the security of personal data during their processing in information systems of personal data' and the 'Basic measures for the organisational and technical security of personal data processed in information systems of personal data' (both approved by the Deputy Director of the FSTEC of Russia on 15.02.2008). Starting with the Order of the FSTEC of Russia No. 58 dated 05.02.2010 'On Approval of the Regulation on Methods and Means of Information Protection in Information Systems of Personal Data' (registered with the Ministry of Justice of Russia on 19.02.2010, No. 16456), the documents of the FSTEC of Russia require the use of information protection means that have undergone the conformity assessment procedure in accordance with the established procedure (clauses 2.1 and 3.2 of Order No. 58).
A separate point deserves emphasis. A number of experts claim that Order 21 requires the use of certified information protection means only, referring to clause 12 of Order 21. However, on closer reading this clause gives the company the right to use certified information protection means but does not impose an obligation to do so: its wording is conditional ('when certified ... means are used'). That is, if a company chooses to use certified information protection means, it must use means of a certain class, protection level and/or assurance level.
What the conformity assessment procedure is, is defined in the Federal Law dated 27.12.2002 No. 184-FZ 'On Technical Regulation' (hereinafter - 184-FZ).
Art. 2 of 184-FZ defines conformity assessment as a direct or indirect determination of compliance with the requirements imposed on an object. The key norm of 184-FZ with regard to information protection means used for personal data protection is Art. 5. This article establishes the specifics of technical regulation in relation to defence products (works, services) supplied under the state defence order and to products (works, services) used for the protection of information constituting a state secret or related to other restricted information protected in accordance with the legislation of the Russian Federation, which, as shown below, covers products used for the protection of personal data. As mentioned above, in accordance with part 2 of Article 5 of Federal Law No. 149-FZ dated 27.07.2006 'On Information, Information Technologies and Information Protection', personal data is classified as restricted information. Part 1 of Article 5 of 184-FZ states that 'With regard to ... products (works, services) used for protection of ... other restricted information protected in accordance with the legislation of the Russian Federation ... mandatory requirements, along with the requirements of technical regulations, are the requirements established by state customers, federal executive bodies authorised in the field of security, defence, foreign intelligence, countering technical intelligence and technical protection of information...'.
At the moment there are no technical regulations for information protection means in the list of valid technical regulations of Rosstandart, and the provisions of the Resolution of Gosstandart of Russia dated 30.01.2004 No. 4 ‘On National Standards of the Russian Federation’ do not apply to the field of application of information protection means for personal data protection.
Part 2 of Article 5 of 184-FZ states that 'Specifics of technical regulation in terms of development and establishment of mandatory requirements ... by federal executive authorities authorised in the field of security, ... countering technical intelligence and technical protection of information, ... in respect of products (works, services) specified in paragraph 1 of this article, as well as, respectively, the processes of their design (including surveys), production, construction, installation, adjustment, operation, storage, transportation, sale, disposal and use...'. Guided by this norm, let us turn to Resolution 608. On examination, it turns out to regulate the certification of information protection means used to protect information constituting a state secret.
In addition to that resolution, with regard to restricted access information the Resolution of the Government of the Russian Federation No. 330 dated 15.05.2010 'On peculiarities of conformity assessment of products (works, services) used for the purpose of protection of information related to restricted access information protected in accordance with the legislation of the Russian Federation, not containing information constituting a state secret, as well as the processes of its design (including surveys), production, construction, assembly, installation, adjustment, operation, storage, transportation ...' (hereinafter - PP 330) was adopted. But the applicability of PP 330 to the protection of personal data by companies is questionable, because documents marked DSP conflict with one of the key requirements of 152-FZ, namely the publicity of requirements, enshrined in part 2 of article 4 of 152-FZ: 'On the basis of and in pursuance of federal laws, state bodies, the Bank of Russia and local authorities, within the limits of their powers, may adopt regulatory legal acts, normative acts and legal acts (hereinafter - normative legal acts) on certain issues related to the processing of personal data. Such acts may not contain provisions restricting the rights of personal data subjects, establishing restrictions on the activities of operators that are not provided for by federal laws or imposing obligations on operators that are not provided for by federal laws, and shall be subject to official publication'.
The question arises: if the resolutions of the Government of the Russian Federation and the regulatory legal acts of the federal executive authorities do not require the use of exclusively certified information protection means, what other forms of assessment are admissible? Part 3 of Article 7 of 184-FZ states: 'Conformity assessment is carried out in the forms of state control (supervision), testing, registration, confirmation of conformity, acceptance and commissioning of a facility whose construction is completed, and in other forms'. Since a company planning to use information protection means cannot itself carry out conformity assessment in the form of state control (supervision) or commissioning of a completed construction facility, let us consider the remaining forms.
Let's consider the form ‘Confirmation of conformity’. Art. 20 184-FZ establishes the following forms of confirmation of conformity:
- Voluntary confirmation of conformity (Art. 21 184-FZ)
- Mandatory confirmation of conformity (Art. 22 184-FZ).
Since paragraph 3 of part 2 of Article 19 of 152-FZ establishes the obligation to use information protection means that have undergone conformity assessment, the company is forced to follow the path of 'Mandatory confirmation of conformity'. Article 20 of 184-FZ establishes mandatory confirmation of conformity in the following forms:
- declaration of conformity (hereinafter - declaration of conformity)
- mandatory certification.
Since the resolutions of the Government of the Russian Federation on mandatory certification (Resolutions No. 608 and No. 330) are not applicable in the field of personal data protection (as discussed above), let us consider the form of the declaration of conformity. Part 1 of Art. 24 of 184-FZ establishes the following schemes for the declaration of conformity:
- acceptance of the declaration of conformity on the basis of own evidence
- acceptance of the declaration of conformity on the basis of its own evidence, evidence obtained with the participation of the certification body and (or) accredited testing laboratory (centre) (hereinafter - third party).
If we study Article 24, we see that a declaration of conformity can be made only for compliance with the requirements of technical regulations. Since there are no technical regulations for information protection means (see above), this approach is not applicable.
Let us consider the option of registration. At the moment there is no regulatory legal act defining the conditions of conformity assessment in the form of registration for information protection means (for an example of such norms, see Section IX of Rostechnadzor Order No. 52 dated 06.02.2018 'On approval of federal norms and rules in the field of atomic energy use "Rules for conformity assessment of products for which requirements related to ensuring safety in the field of atomic energy use are established, as well as the processes of their design (including surveys), production, construction, installation, commissioning and installation"'). Thus, the following forms of conformity assessment remain available to the company: testing, acceptance and other forms.
184-FZ does not specify separate requirements for these forms, which means that the company itself can determine how to conduct them, subject to the definition in Art. 2 (direct or indirect determination of compliance with the requirements imposed on the object). This conclusion is confirmed by provisions that developed the idea and experience gained under Order 21, namely paragraph 28 of the Order of the FSTEC of Russia dated 25.12.2017 No. 239 'On Approval of Requirements for ensuring the security of significant objects of critical information infrastructure of the Russian Federation': '...Information protection means that have undergone conformity assessment in the form of mandatory certification shall be used in cases established by the legislation of the Russian Federation, as well as where the subject of critical information infrastructure so decides.
In other cases, information protection means that have undergone conformity assessment in the form of testing or acceptance, carried out by critical information infrastructure subjects independently or with the involvement of organisations licensed in accordance with the legislation of the Russian Federation for information protection activities, shall be used ...'.
An additional issue to consider is the form of conformity assessment of protection means where threats associated with the presence of undocumented (undeclared) capabilities in the software used in the information system (type 1 and type 2 threats under clause 6 of Resolution 1119) are recognised as relevant.
As of 01.01.2021, key changes concerning the recognition of these threats as relevant have taken effect. On that date the Order of the Federal Service for Technical and Export Control of Russia No. 68 dated 14.05.2020 'On Amendments to the Composition and Content of Organisational and Technical Measures to Ensure the Security of Personal Data when Processing in Personal Data Information Systems Approved by Order of the Federal Service for Technical and Export Control No. 21 dated 18 February 2013' came into force and repealed subparagraph 11 of paragraph 12 of Order 21. Previously, that subparagraph required: 'To ensure the 1st and 2nd level of personal data protection, as well as to ensure the 3rd level of personal data protection in information systems for which type 2 threats are classified as relevant, certified information protection means are used, the software of which has been verified at least at the 4th level of control of the absence of undeclared capabilities'. That is, whereas for other functions of information protection means companies could choose the form of conformity assessment, where type 2 threats were relevant there was no choice: only certification for compliance with RD NDV was acceptable.
Now (after 01.01.2021), if these threats are recognised as relevant, companies must implement the specific protection measures set out in clause 11 of Order 21.
Approach of the Federal Security Service of Russia
If we consider the current documents of the Federal Security Service of Russia, we can see that they do not establish certification as the form of conformity assessment. Order 378 (subparagraph 'd' of paragraph 5) requires the use of information protection means that have undergone the conformity assessment procedure against the requirements of the legislation of the Russian Federation in the field of information security, where the use of such means is necessary to neutralise relevant threats. However, in addition to the conformity assessment requirement, clause 4 of Order 378 states that cryptographic information protection means (hereinafter - CIPF) shall be operated in accordance with the documentation for the CIPF and the requirements established by the Order, as well as in accordance with other regulations governing relations in the relevant area.
The relevant clarification on the applicability of documents on cryptographic protection to the field of personal data security was given by the Federal Security Service of Russia in its Information dated 21.06.2016 'On regulatory and methodological documents in force in the field of personal data security'. The document defining the conditions of operation of CIPF is PKZ-2005, which states:
- clause 43 - CIPF are implemented (distributed) together with the rules for their use agreed with the Federal Security Service of Russia.
- clause 46 - CIPF shall be operated in accordance with the rules for their use. All changes to the conditions of use of CIPF specified in the rules for their use shall be agreed with the FSB of Russia and with the specialised organisation that conducted the thematic (evaluation) studies of the CIPF.
In addition, on 15.06.2017 the FSB of Russia issued a clarification 'On the strict compliance of personal data operators with the requirements of the CIPF formularies (operating record sheets)'.
In my practice, I have never encountered a non-certified CIPF intended for personal data protection for which the FSB of Russia agreed the rules of use without certification of that tool. Additionally, a number of experts point out that the FSB of Russia issued an information letter ('Notice on the use of non-certified coding (encryption) means for the transmission of messages in the information and telecommunications network "Internet"') stating that there are no mandatory requirements for the certification of encryption means not intended to protect information constituting a state secret. However, if we examine that letter, we see that:
1) the notice makes no mention of personal data
2) it names only one form of conformity assessment for CIPF - mandatory certification.
Taking all this into account, together with the provisions on the forms of conformity assessment under 184-FZ, the approach of the FSB of Russia described above and the position voiced by representatives of the FSB of Russia at various public events, we arrive at the problem of the rules of use and formularies for CIPF, and once again return to the question of the need for CIPF certification.