Practical protection of personal data. How should a company handle and protect personal data? Part 2

21.06.2021

Ruslan Rakhmetov, Security Vision

Finally we have got to the question of how a company should protect personal data. By tradition, let's quickly run through the previously discussed topics.

So, a company that has decided to bring its personal data processing processes in line with Russian legislation and regulatory requirements will face the following questions:

1) What is personal data?

2) Where does the Company process personal data?

3) How should the Company process and protect personal data?

What is personal data? Studying the provisions of the Federal Law dated 27.07.2006 No. 152-FZ ‘On Personal Data “ and the Resolution of the Government of the Russian Federation dated 01.11.2012 No. 1119 ”On Approval of Requirements for Protection of Personal Data during their Processing in Information Systems of Personal Data ’ will allow the Company to understand what personal data is, what types/categories of personal data there are, what (what criteria) to set when searching for and localising places of their processing. We have considered this topic in more detail in the first article - Practical protection of personal data.

Where does the company process personal data? Studying the provisions of the Resolution of the Government of the Russian Federation dated 01.11.2012 No. 1119 ‘On Approval of the Requirements for Personal Data Protection during their Processing in Personal Data Information Systems’ and the Resolution of the Government of the Russian Federation dated 15.09.2008 No. 687 ‘On Approval of the Regulation on the Peculiarities of Personal Data Processing Performed Without the Use of Means of Automation ’ will allow to understand the principles of allocation of processes within the framework of which personal data processing takes place (how personal data processing takes place). We have considered this topic in more detail in the second article - Practical protection of personal data. Where a company processes personal data.

How should a company process and protect personal data? Studying the provisions of the Federal Law of 27.07.2006 No. 152-FZ ‘On Personal Data’ will help to understand the main stages/moments of personal data processing, principles and conditions of organisation of their processing. We have considered this topic in more detail in the third article - Practical protection of personal data. How a company should process and protect personal data. Part 1.

Approaches to personal data protection before 2012

With the release of the 152-FZ, companies were faced with the task of protecting personal data. But most companies had questions about how to do it. They were caused primarily by the fact that there were no public documents or any similar mass practice on this issue before. No one doubted that the issue of personal data protection would be regulated by the relevant agencies.

The law established the following responsible agencies:

Federal executive authority authorised in the field of security (note: Federal Security Service of Russia) - part. 3 of Article 19 152-FZ;
Federal executive authority authorised in the field of countering technical intelligence and technical protection of information (note: FSTEC of Russia) - part 3 of article 19 152-FZ; Federal executive authority authorised in the field of countering technical intelligence and technical protection of information (note: FSTEC of Russia) - part 3 of article 19 152-FZ. 3 of Article 19 152-FZ;
Authorised body for the protection of the rights of personal data subjects (note first Rossvyazokhrankultura, later Rossvyazkomnadzor, now Roskomnadzor) - Art. 23 of 152-FZ.

The current situation has revealed the following main approaches to the execution of works. The first way - we are a licensee of FSTEC of Russia or a governmental company/organisation, which means that we use the documents of the relevant regulatory bodies (FSTEC of Russia and FSB of Russia) in the field of confidential information protection. Despite the fact that the Federal Law of 20.02.1995 No. 24-FZ ‘On Information, Informatisation and Information Protection “ has been cancelled and the very concept of ”confidential information’ (Art. 2 of 24-FZ) is gone, but there is still the Decree of the President of the Russian Federation of 06.03.1997 No. 188 ‘On Approval of the List of Confidential Information’, which clause. 1 introduced personal data into this list. According to this approach companies/organisations used as key documents:

Special Requirements and Recommendations for Technical Protection of Confidential Information (STR-K) (approved by Order of the State Technical Commission of Russia dated 30.08.02 No. 282), restriction marking ‘For official use’
Guiding document of the State Technical Commission of Russia ‘Automated Systems. Protection against unauthorised access to information. Classification of automated systems and information protection requirements’ (approved by the decision of the Chairman of the State Technical Commission of Russia dated 30.03.1992) (hereinafter - RD AS).
FAPSI Order No. 152 of 13.06.2001 ‘On Approval of the Instruction on Organisation and Security of Storage, Processing and Transmission via Communication Channels with the Use of Cryptographic Protection Means of Restricted Access Information Not Containing State Secret Information ’ (Instruction 152).

However, this method had several significant disadvantages:

1) STR-K bears the mark ‘For Official Use’ (hereinafter - FUU) and is restricted for distribution (for what it is, see Resolution of the Government of the Russian Federation No. 1233 dated 03.11.1994 ‘On Approval of the Regulations on the Procedure for Handling Official Information of Restricted Distribution in Federal Executive Authorities, Authorised Body for Management of Atomic Energy Use and Authorised Body for Space Activities’), it is inaccessible to most companies

2) the status of STR-K as mandatory for all is questioned by a number of experts. As a basis for such a conclusion, clause 10 of the Decree of the President of the Russian Federation dated 23.12.2009 is used. 10 of Presidential Decree No. 763 of 23.05.1996 ‘On the Procedure for the Publication and Entry into Force of Acts of the President of the Russian Federation, the Government of the Russian Federation and Normative Legal Acts of Federal Executive Bodies’, namely: ‘Normative legal acts of federal executive authorities, except for acts and some of their provisions containing information constituting a state secret or confidential information, which have not undergone state registration, as well as those registered but not published in accordance with the established procedure, do not entail legal consequences as not having entered into force, and cannot serve as a basis for regulating the relevant legal relations, applying sanctions to citizens, officials and organisations for non-compliance with the acts contained therein. These acts cannot be referred to in the resolution of disputes’.

The second way - since there are no public documents other than 152-FZ, and Art. 19 indicates that the Government of the Russian Federation shall establish the relevant requirements, we will fulfil only what is prescribed for us in part 1 of Art. 19 of 152-FZ, namely: ‘When processing personal data, the operator is obliged to take the necessary organisational and technical measures, including the use of encryption (cryptographic) means, to protect personal data from unlawful or accidental access to them, destruction, modification, blocking, copying, dissemination of personal data, as well as from other unlawful actions’.

Companies used to develop a minimum set of documents and apply a selective set of protection tools. But this approach also had a number of certain disadvantages:

1) sooner or later the Government of the Russian Federation and the above-mentioned agencies would have to issue the relevant regulations. This means that the previously performed work is very likely to be crossed out, which in some cases may lead to complaints from the company's management about the misuse of the company's and departments' resources.

2) FSTEC of Russia and FSB of Russia are used to work within a certain layer of documents, which will not allow free interpretation or approach to the issue of confidential information protection. However, the mechanisms implementing these requirements were costly to implement and in some cases impossible to apply in commercial companies, which also limited their application.

Before 152-FZ was issued (i.e. before 2006), companies interested in protecting confidential information were generally guided by the following regulations:

As history has shown, the second approach won. It consists in the following. Following the 152-FZ some time later the following normative-legal acts are issued:

Decree of the President of the Russian Federation of 17.03.2008 No. 351 ‘On measures to ensure information security of the Russian Federation when using information and telecommunication networks of international information exchange’
Resolution of the Government of the Russian Federation No. 781 of 17.11.2007 ‘On Approval of the Regulation on Ensuring the Security of Personal Data when Processing in Personal Data Information Systems ’ (hereinafter - PP 781)
Resolution of the Government of the Russian Federation No. 687 dated 15.09.2008 ‘On Approval of the Regulation on the Peculiarities of Personal Data Processing Performed Without the Use of Automation Means’ (hereinafter - PP 687)
Order of FSTEC of Russia, FSB of Russia, Mininformsvyaz of Russia No. 55/86/20 dated 13.02.2008 ‘On Approval of the Procedure for Classification of Information Systems of Personal Data’.
Basic measures on organisation and technical security of personal data processed in information systems of personal data (approved by the Deputy Director of FSTEC of Russia on 15.02.2008), restriction marking of CPDs
Recommendations on ensuring the security of personal data during their processing in personal data information systems (approved by the Deputy Director of the FSTEC of Russia on 15.02.2008), marked as restricted by the CPD.
Basic model of threats to the security of personal data during their processing in personal data information systems. (approved by the FSTEC of Russia, 2008), marked as restricted by the DSP
Methodology of determination of actual threats to personal data security during their processing in personal data information systems (approved by the FSTEC of Russia, 2008), restriction marking CPD.
Standard requirements on organisation and ensuring the functioning of encryption (cryptographic) means intended for protection of information not containing information constituting state secret, in case of their use for ensuring the security of personal data during their processing in the information systems of personal data (approved by the management of the 8 Centre of the Federal Security Service of Russia dated 21.02.2008, No. 149/6/6-622).
Methodical Recommendations on ensuring by means of crypto-means the security of personal data at their processing in the information systems of personal data with the use of means of automation (approved by the Federal Security Service of the Russian Federation on 21.02.2008 N 149/54-144).

However, many companies pointed out that by issuing the above documents labelled as CPD, the FSTEC of Russia violates one of the key requirements of the 152-FZ, namely the publicity of the requirements, which is enshrined in part 2 of Article 4 of the 152-FZ: "On the basis of and in pursuance of federal laws, state bodies within the limits of their authority may adopt regulatory legal acts on certain issues related to the processing of personal data. Normative legal acts on certain issues related to the processing of personal data may not contain provisions restricting the rights of personal data subjects. These normative legal acts shall be subject to official publication, except for normative legal acts or certain provisions of such normative legal acts containing information, access to which is restricted by federal laws’.

Some time later (16.11.2009) the FSTEC of Russia removed the restriction mark of CPD from some of the documents. Some of the said documents existed until 2021. In particular:

Basic model of threats to the security of personal data during their processing in information systems of personal data (extracts) (approved by the FSTEC of Russia, 2008)
Methodology for determination of actual threats to personal data security during their processing in personal data information systems (approved by FSTEC of Russia, 2008).

In parallel, there was a struggle to eliminate as a mandatory requirement the use of cryptographic protection means in the information system of personal data, as required by the provisions of part 1 of article 19 152-FZ, which sounded as follows: ‘When processing personal data, the operator is obliged to take the necessary organisational and technical measures, including the use of encryption (cryptographic) means, to protect personal data from unlawful or accidental access to them, destruction, modification, blocking, copying, dissemination of personal data, as well as from other unlawful actions". In 2009 the Federal Law dated 27.12.2009 N 363-FZ ‘On Amendments to Articles 19 and 25 of the Federal Law “On Personal Data ” cancelled this provision.

Now we sometimes have to face the results of works that were performed according to the mentioned documents. The obvious markers of the works/approaches, which were guided by these documents, are:

classification of the personal data information system as standard or specialised
the use for personal data protection purposes only of certified information protection means
gradation of security violators when determining the necessary crypto protection class _H1, _H2, _H3, _H4, _H5, _H6
requirements for the use of cryptographic protection means (electronic signature means excluded) of class KV1 or KV2
mandatory certification of personal data information systems
the necessity for a company, even if it processes personal data of its employees only, to have a licence from the Federal Service for Technical Protection of Confidential Information.

Understanding these aspects will help you to plan your work competently, justify the need for the required adjustments and carry out the necessary work. In the meantime, let's move on. In 2010, the previously formed requirements in the field of personal data protection are changed:

1) Order of the FSTEC of Russia No. 58 dated 05.02.2010 ‘On Approval of the Regulation on Methods and Methods of Information Protection in Information Systems of Personal Data ’ (Registered with the Ministry of Justice of Russia on 19.02.2010 No. 16456) is approved.

2) By the Decision of the FSTEC of Russia dated 05.03.2010 the following documents in the field of personal data protection are recognised as invalid:

Basic measures for organisation and technical security of personal data processed in personal data information systems (approved by the Deputy Director of the FSTEC of Russia on 15.02.2008)
Recommendations on ensuring security of personal data during their processing in information systems of personal data (approved by the Deputy Director of the FSTEC of Russia on 15.02.2008).

In Order 58 there are no words about certification by classes of SVT and DOE and the need for attestation. There is still a reference to certification according to RD NDV, but only for class 1 systems or at the operator's/company's choice.

The question of the form of conformity assessment of the applied information protection means for personal data security becomes one of the key issues. In addition, the approval of the Resolution of the Government of the Russian Federation of 15.05.2010 № 330 ‘On the peculiarities of conformity assessment of products (works, services) used for the protection of information related to the information protected in accordance with the legislation of the Russian Federation information of limited access, not containing information constituting a state secret, as well as the processes of its design (including research), production, construction, installation, commissioning, operation, storage, transportation, realisation, disposal and burial, on the specifics of the assessment of the conformity of products (works, services) used for the protection of information related to the information protected in accordance with the legislation of the Russian Federation. But the applicability of PP 330 in the field of personal data protection is also questioned by companies on the basis of part 2 of Article 4 of the 152-FZ.

The question of what form of conformity assessment the protection equipment should undergo in order to protect personal data will not be considered in this article. Perhaps, it will be considered in one of the following articles. Let's say the key thing: 152-FZ, the currently valid orders of the FSTEC of Russia and the FSB of Russia state only that information protection equipment must undergo a conformity assessment procedure. What is the conformity assessment procedure and what are its forms are established by the Federal Law of 27.12.2002 No. 184-FZ ‘On Technical Regulation’.

Approaches to personal data protection after 2012

In 2012-2013 there are next changes in the field of personal data protection. Approved are:

1) Resolution of the Government of the Russian Federation No. 1119 dated 01.11.2012 ‘On Approval of Requirements for the Protection of Personal Data during their Processing in Information Systems of Personal Data’

2) Resolution of the Government of the Russian Federation No. 79 dated 03.02.2012 ‘On licensing of activities on technical protection of confidential information’

3) Resolution of the Government of the Russian Federation No. 313 dated 16.04.2012 ‘On Approval of the Regulation on Licensing Activities in the Development, Production, Distribution of Encryption (Cryptographic) Tools, Information Systems and Telecommunication Systems Protected by Encryption (Cryptographic) Tools, Performance of Work, Provision of Services in the Field of Information Encryption, Maintenance of Encryption (Cryptographic) Tools, Information Systems and Telecommunication Systems Protected by Encryption (Cryptographic) Tools, Information Systems and Telecommunication Systems Protected by Encryption (Cryptographic) Tools, Information Systems and Telecommunication Systems Protected by Encryption (Cryptographic) Tools’.

4) Order of the FSTEC of Russia No. 21 dated 18.02.2013 ‘On Approval of the Composition and Content of Organisational and Technical Measures to Ensure the Security of Personal Data during its Processing in Personal Data Information Systems ’ (hereinafter referred to as Order 21)

5) Order of FSTEC of Russia, FSS of Russia, Mininformsvyaz of Russia from 31.12.2013 No. 151/786/461 ‘On invalidation of the Order of the Federal Service for Technical and Export Control, the Federal Security Service of the Russian Federation and the Ministry of Information Technologies and Communications of the Russian Federation from 13 February 2008 No. 55/86/20 “On approval of the Procedure for classification of information systems of personal data”.

The Resolution of the Government of the Russian Federation of 01.11.2012 No. 1119 ‘On Approval of the Requirements for the Protection of Personal Data during their Processing in Personal Data Information Systems’ (hereinafter referred to as PP 1119) in p. 2 indicates the invalidation of PP 781.

Order 21 indicates in p. 2 that Order of the FSTEC of Russia No. 58 dated 05.02.2010 ‘On Approval of the Regulation on Methods and Techniques of Information Protection in Personal Data Information Systems’ has been declared null and void.

Decrees of the Government of the Russian Federation on licensing enshrine the norm that the performance of measures to protect confidential information by companies for their own purposes (for themselves) does not require the company to have a licence, as it was previously, and often for some it was not very feasible (for example, for banks, where it was due to the complexity of changing the company's Charter).

A little later (in 2014), the Federal Security Service of Russia, pursuant to PP 1119, issues documents in the field of personal data security using cryptographic means:

1) Order of the Federal Security Service of Russia No. 378 dated 10.07.2014 ‘On Approval of the Composition and Content of Organisational and Technical Measures to Ensure the Security of Personal Data during their Processing in Personal Data Information Systems with the Use of Cryptographic Information Protection Means Necessary to Meet the Personal Data Protection Requirements Established by the Government of the Russian Federation for Each of the Security Levels’

2) Methodological Recommendations for the development of regulatory legal acts defining threats to the security of personal data relevant to the processing of personal data in information systems of personal data operated in the implementation of relevant activities’ (approved by the Federal Security Service of Russia 31.03.2015 No. 149/7/2/6-432).

However, with the release of these documents, companies have a misunderstanding as to which documents on encryption systems they are obliged to apply in the field of personal data security, since these documents do not cancel the previous ones.

The relevant clarification on the applicability of documents related to cryptographic protection in the field of personal data security is provided by the Federal Security Service of Russia in 2016 - Information of the Federal Security Service of Russia dated 21.06.2016 ‘On regulatory and methodological documents in force in the field of personal data security’. From this moment comes a new stage in the field of personal data protection.

In parallel with the release of profile documents on personal data protection since 2011, the FSTEC of Russia and the FSB of Russia approve the requirements for information protection means:

1) Requirements for intrusion detection systems approved by the order of FSTEC of Russia dated 06.12.2011 No. 638 (information letter of FSTEC of Russia ), marking the restriction of CPD

2) Requirements for anti-virus protection means approved by Order of the FSTEC of Russia No. 28 dated 20.03.2012 (FSTECof Russia informational message No. 240/24/3095 dated 30.07.2012), restriction marking CPD

3) Requirements for trusted download tools approved by Order of the FSTEC of Russia No. 119 dated 27.09.2013 (information letter of the FSTEC of Russia No. 240/24/405 dated 06.02.2014), marking the restriction of DSPs

4) Requirements for Control Devices for Removable Machine Data Carriers approved by Order of the FSTEC of Russia No. 87 dated 28.07.2014 (information message of the FSTEC of Russia No. 240/24/4918 dated 24.12.2014), restriction marking CPD

5) Requirements for firewalls approved by Order of the FSTEC of Russia No. 9 dated 09.02.2016 (information message of the FSTEC of Russia No. 240/24/1986 dated 28.04.2016), restriction marking CPD

6) Information Security Requirements for Operating Systems, approved by Order of the FSTEC of Russia No. 119 dated 19.08.2016 (information message of the FSTEC of Russia No.240/24/4893 dated 18.10.2016), restriction marking CPD

7) Information security requirements establishing confidence levels for means of technical protection of information and means of ensuring security of information technologies, approved by Order of the FSTEC of Russia dated 30.07.2018 No. 131 (information message of the FSTEC of Russia dated 29.03.2019 No. 240/24/1525), DSP restriction marking.

Note: At present, the above requirements have been replaced by the Information Security Requirements Establishing Trust Levels for Means of Technical Information Protection and Means of Information Technology Security approved by Order of the FSTEC of Russia dated 02.06.2020 No. 76 (information message of the FSTEC of Russia dated 15.10.2020 No. 240/24/4268), with the CPD restriction marking.

8) Order of the Federal Security Service of Russia dated 27.12.2011 No. 796 ‘On Approval of Requirements for Electronic Signature Facilities and Requirements for Certification Centre Facilities’.

In addition, during the mentioned period of time, the FSTEC of Russia provides clarification on the admissibility of the companies' approach when the assessment of the efficiency of the measures taken to ensure personal data security in the personal data information system is carried out as part of the attestation procedure (p. 3 of the information message of the FSTEC of Russia dated 15.07.2013 No. 240/22/2637).

Stages of work on personal data protection

Below we will outline the main stages of personal data protection work, guided by the principle that in the current realities there are very few companies that do not use computers, laptops and other means of computing equipment in their activities. Therefore, we first of all focus the issue of personal data protection on the processing of personal data using automated means.

In addition, we will analyse the information protection measures, to a greater extent guided by the provisions of Order 21, because the measures specified in it include a set of requirements set out in Art. 19 152-FZ and p. 13-16 of PP 1119.

Within the framework of the above mentioned documents (mainly in Order 21) the following approach to personal data protection in personal data information systems (hereinafter referred to as ISPDN) is established:

1) The Company determines the conditions of functioning of the system as an object of protection. The conditions of functioning are understood as:

the purpose of the system and its functions/tasks it fulfils
the legal framework within which the system exists and what regulatory/contractual requirements apply to it.

Note: an important aspect here is that the functioning/existence of the system may be regulated by various regulatory and/or contractual/contractual requirements, which may establish both special functioning conditions (connectivity, location, fault tolerance, etc.) and class/categories (e.g. as a state information system or critical information infrastructure object).

what components/modules/subsystems comprise it and the intended purpose of each module/subsystem
composition of application and system software, as well as hardware components used in the system
the territorial distribution/location of the system and the communication channels used, indicating connection to public networks (including the Internet)
interaction with other (including third-party systems owned by other legal entities) information systems (including ISPDN)
system users, their access levels and functions
third-party companies involved in the operation and use of the system, as well as companies that have and/or may, in theory, have access to various components of the system
system administration environment
system users, their access levels and functions
location of physical components (sites, boundaries of zones controlled by your company (hereinafter referred to as ‘CPs’) at the sites, the order of access to CPs, the order of maintenance, obligations of contractors)
list of protected information resources of the system and the degree/level of their confidentiality (including classification as restricted information in accordance with part 2 of article 5 of Federal Law No. 149-FZ ‘On Information, Information Technologies and Information Protection’ dated 27.07.2006).

2) The Company determines actual threats to the security of personal data during their processing in the system.

Within the framework of determining the actual threats it is necessary to take into account several aspects:

The assessment of the relevance of threats is carried out without taking into account the applied technical means of information protection. This means that protection means, even if they already exist/are implemented in the system, should not be taken into account during the assessment. The FSTEC of Russia adheres to this position
As we mentioned in previous articles, any third-party company, even if it is a subsidiary, is considered a potential intruder. This means that information about it should be reflected in the assessment of potential intruders, ownership/ possession of various system components, access to system components, and so on;
If the company decides to ensure the security of personal data using cryptographic information protection means or mechanisms that use/implement cryptographic transformations, then within the framework of threat modelling it will be necessary, in addition to the regulatory and methodological documents of the FSTEC of Russia, to use the documents of the Federal Security Service of Russia and determine the necessary class of crypto-protection.

Also, when modelling threats, we suggest that you assess the current type of threats as set out in clauses 6 and 7 of PP 1119. It will be necessary to do this in any case, because otherwise you will not be able to determine the necessary level of personal data protection, as established by PP 1119.

3) Determine the necessary level of protection of personal data.

A more detailed description of this aspect was previously discussed in the first article - Practical protection of personal data.

We just want to point out an important aspect in determining the level of protection of personal data: if during the study of the system you see that the system processes different amounts of different categories/groups of personal data (public, special biometric or other) that relate to different subjects, the level of protection should be selected according to the criteria that come to the highest level of protection.

4) Definition/description of the personal data protection system to be created taking into account the already existing means of protection.

The normative documents do not establish the form of the document in which the protection system should be described. However, guided by our experience, we suggest you to consider the approach that has long been established within the description of automated systems - using the provisions of the following documents to describe the information system:

GOST 34.201-89 Information technology. Complex of standards for automated systems. Types, completeness and designation of documents when creating automated systems
GOST 34.601-90 Information technology. Complex of standards for automated systems. Automated systems. Stages of creation
RD 50-34.698-90. Methodological instructions. Information technology. Automated systems. Requirements to the content of documents.

It is proposed not to fully adopt the provisions of the above documents, but to use the approach and developments set out in them. Let you not be confused by the fact that RD 50-34.698-90 has been cancelled (Order of Rosstandart from 12.02.2019 № 216 ‘On the recognition as invalid in the territory of the Russian Federation acts issued by state bodies, the successor of which is the Federal Agency for Technical Regulation and Metrology’). Unfortunately, at the moment there is no any adequate replacement of RD 50-34.698-90 (letter of Rosstandart from 16.04.2019 №6620-IK/03 ‘On the issue of application of documents replacing RD 50-34.698-90 and R 50-34.119-90’).

In addition, it should be noted that if a company decides to use certified information protection means in the certification system of FSTEC of Russia No. ROSS RU.0001.01BI00, the company should take into account:

Presence of the said means in the register of certified information protection means
Compliance of the conditions/classes for which the information protection means to be used is certified and the requirements set forth in clause 12 of Order 21.
Restrictions on operation and use, which are specified in the operational documentation (forms, passports, etc.) for the means of protection
Provisions on the procedure of validity of the certificate of conformity, which are specified in the order of the FSTEC of Russia from 03.04.2018 № 55 ‘On approval of the Regulations on the system of certification of information protection means’.

In addition, if a company decides to use certified means of cryptographic protection of information, the company should take into account:

Availability of the said means in the register of information protection means certified by the Federal Security Service of Russia
Restrictions on operation and use, which are specified in the rules of use and operational documentation (forms, passports, etc.) for the means of protection
Restrictions on export of cryptographic protection means outside the Russian Federation, even for the company's own needs (a separate procedure has been established - Decision of the Board of the Eurasian Economic Commission of 21.04.2015 No. 30 ‘On non-tariff regulation measures’).

An additional help in understanding what FSTEC of Russia means by each measure specified in Order 21 can be a document that FSTEC of Russia has developed according to a similar methodology, but in relation to state information systems. This document is the Methodological Document ‘Information Protection Measures in State Information Systems’ (approved by the FSTEC of Russia on 11.02.2014).

5) Development of the required set of organisational and administrative documentation.

There is no approved set, as well as the form of the documents themselves in the regulatory documents, but it is necessary to take into account a number of aspects:

The development should take into account the provisions of PP 1119 and PP 687, which define different conditions of personal data processing. This is due to the fact that often within the process that the protected system provides, as a rule, one form of processing may be supplemented by another (i.e., paper documents may be withdrawn from the system or you will develop some forms of accounting access to the system or its components, which will reflect the personal data of subjects).
If the company decides to use cryptographic information protection means to protect personal data, it is necessary to take into account the provisions of Instruction 152. This document establishes a certain set of documents, record-keeping forms and procedures to be implemented by the company
Determine the persons involved in the processing of personal data and responsible for ensuring the personal data protection system:

responsible for ensuring the security of personal data
administrators of personal data protection means
users of cryptographic means
system users
persons authorised to access the electronic log of messages and security of the system
persons admitted to the locations of the system components
persons authorised to access personal data carriers.

Additional help in understanding which measures should be regulated/described can be the same document of the FSTEC of Russia - Methodological document ‘Information protection measures in state information systems’ (approved by the FSTEC of Russia on 11.02.2014).

6) Implementation of the personal data protection system.

Based on the developed/designed protection system, the purchase and installation of protection means neutralising the current security threats is performed. What advice can be given within this stage:

If the company decides to use cryptographic information protection means for the protection of personal data, it is necessary to take into account the provisions of Instruction 152. This document establishes a certain set of documents, record-keeping forms and procedures that must be implemented by the company, including during installation, relocation and use
If the company has decided to use certified information protection means in the FSTEC certification system, it should take into account the restrictions on operation and use, which are specified in the operational documentation (forms, passports, etc.) for the protection means
If the company decides to use the means of cryptographic protection of information certified by the Federal Security Service of Russia, it shall take into account the restrictions on operation and use specified in the rules of use and operational documentation (forms, passports, etc.) for the means of protection.
If the company decides to use protection means or information protection services leased from another company, the relevant provisions regarding the assessment of threats, intruders and description of these conditions and mechanisms should be reflected in the documents being developed for the personal data protection system, and the company providing information protection services should have a licence from the FSTEC of Russia for the technical protection of confidential information (with the relevant authorised type of activity), and for cryptographic information means with a licence for the technical protection of confidential information.

7) Efficiency evaluation.

There is no established form for assessing the effectiveness of the created/implemented information protection system. The company chooses the form of assessment itself: it can carry it out within the framework of acceptance tests, within the framework of some complex tests combined with the acceptance of the system into operation, within the framework of certification tests on information security requirements. The main thing is to assess the completeness and sufficiency of the implemented protection measures necessary to neutralise current security threats, as well as the mandatory requirements of regulatory legal acts and operational documentation for the applied protection means.

As part of this stage, it is advisable to consider attestation only as one of the most extreme ways. Attestation is more aimed at fixing/staticity of the protection object and its protection system. This form of assessment is poorly linked to the classical life of the information system of a commercial company, where the system is constantly in the process of change, modernisation, development.

8) System decommissioning.

During the decommissioning of the system it must be ensured that personal data are removed from the media connected to the system. The deletion should be accompanied by a commission act and a corresponding mark in the logbook.

Additionally, it is also necessary to pay attention to the decommissioning conditions specified in the documentation for the cryptographic information protection means applied in the system and the provisions of Instruction 152.

As we can see, the requirements for the protection of personal data do not stand still and are constantly changing. Thus, in 2021 the following main changes took place:

1) The requirements in Order 21 for mandatory certification of protection means were cancelled, if 1 or 2 types of actual threats were determined relevant for the system (item 6 of PP 1119). These changes came into force on 01.01.2021 in accordance with Order No. 68 of the Federal Service for Technical and Export Control of Russia dated 14.05.2020 ‘On Amendments to the Composition and Content of Organisational and Technical Measures to Ensure the Security of Personal Data in the Processing of Personal Data in Personal Data Information Systems Approved by Order No. 21 of the Federal Service for Technical and Export Control dated 18 February 2013’.

2) FSTEC of Russia:

Cancelled the Methodology for the determination of actual threats to the security of personal data during their processing in information systems of personal data (approved by the FSTEC of Russia, 2008) (Information message of the FSTEC of Russia dated 15.02.2021 No. 240/22/690)
Approved the methodological document ‘Methodology for Assessing Information Security Threats’ (approved by the FSTEC of Russia on 05.02.2021)
Held a stage of public discussion of the draft order of the FSTEC of Russia ‘On Approval of the Procedure for Organising and Conducting Work on Certification of Information Objects for Compliance with Requirements for Protection of Information Not Constituting a State Secret’
Conducts public discussions of the draft order on amendments to the Regulation on the system of certification of information protection means, approved by the order of the FSTEC of Russia from 3.04.2018 № 55.

Thus, having performed works on protection of the company's personal data, it is necessary to constantly monitor changes/clarifications in this issue and make timely changes/corrections to the created protection system.