Website of the Chelyabenergoproekt design organisation
Typical information security threats and recommendations on protecting personal data
In 2008 the main trends in the development of information security threats remained, on the whole, the same as in 2007. Vandals and hooligans have been definitively pushed to the far periphery of the IT underground; what remains is a genuine cybercriminal business.

This criminal business is oriented towards providing specific services: theft of information, direct theft of funds, attacks on competitors' networks, spam distribution and the like. The growing economic crisis has substantially reinforced many of the trends seen over the last two years. Most experts attribute this to the fact that many IT specialists have been left without work and have redirected their activity to the criminal sphere.

Let us consider malicious software.

(Table: main classes of malicious software detected in Russia in the second half of 2008.)
The past year, 2008, like 2007, was rather "fruitful" in terms of new samples of malicious code. As a result, Symantec's anti-virus analysts added as many signatures to the anti-virus databases as in the entire preceding period of their activity. As before, Trojans aimed at stealing bank account data and online-game account credentials (see the table) remained the principal types of viruses.

As in 2007, Trojan authors actively used virus techniques that seemed to have been thoroughly forgotten (including by the anti-virus companies). For example, to complicate the work of anti-virus analysts, recent Trojans are very often made polymorphic. The wide deployment of network perimeter protection, which obstructs the traditional channels of malware distribution, has led to a renaissance of file-infecting code. Removable media are therefore increasingly becoming a source of infection; this is how the much-publicised Conficker infection spread. Not only viruses and Trojans but also worms propagated in this way.

Nevertheless, the principal method of infection became attacks through the Web using infected sites. Whereas in 2007 the number of infected hosts was measured in tens of thousands, in 2008 the count already ran into the millions. The "big Chinese hack" alone infected up to 1.2 million sites worldwide. By number of infected sites, the top five were China, the USA, Germany, the Netherlands and Russia.

As Symantec's experts note, a number of botnets were repurposed for compromising websites. The exploit kits used for these compromises exploit medium- and even low-severity vulnerabilities, because fixing such "holes" is a lower priority for developers and administrators alike. The malicious code distributed in this way, in turn, exploits vulnerabilities in browsers and their add-ons, in particular Adobe Flash and Apple QuickTime.

However, the annual report of Kaspersky Lab's anti-virus analysts names rootkits as the most dangerous technology: "They implement innovative techniques the like of which the anti-virus industry has not yet encountered, and the powerful infrastructures built around them surpass earlier samples, the Zhelatin and Warezov worms, in scale and complexity." An example is the Malware 2.0 model, which is based on dividing the various malicious modules by function, using universal means of interaction between modules, and protecting the data-exchange channels and botnet command centres from outside interference and control.

In 2009, cases of mass infection of Linux devices (customer-premises network equipment, in particular DSL modems and routers) and of Macs were recorded. In both cases the aim was to build botnets. While this is not the first such incident for Linux systems, for the Mac platform, long considered impregnable to malware, it is the first case of mass infection since the mid-1990s. It should be noted, however, that in neither case is the problem a deficiency of the platform as such. In the Mac case, social engineering was used: the Trojan was distributed under the guise of a tool for bypassing copy protection on commercial software. For Linux devices, the cause was failure to observe elementary security norms, above all the continued use of default passwords.

Nevertheless, the past year gave some grounds for optimism. First of all, a steady downward trend in the number of software vulnerabilities emerged. According to the CVSS association, the number of software vulnerabilities in 2008 decreased by approximately 25-30% compared with the level of 2006. However, the number of vulnerabilities is still roughly twice as high as in 2004.

Let us consider spam and phishing.

The past year was the first in which a decline in the level of spam was recorded. This was achieved through the shutdown in November of the hosting provider McColo, where the command centres of a number of botnets were located. As a result, the share of "junk" mail fell twofold in Russia and threefold in the USA. This success was not built upon, however, and the spammers gradually managed to replace the lost platforms. Still, a precedent has been set showing that unsolicited mail can be fought successfully.

As already noted above, Russia is one of the main sources of spam in the world, and by the results of 2008 it took first place in the Europe, Middle East and Africa region. The reason is the continuing rapid spread of high-speed Internet access, which often reaches unprepared users whose computers quickly pick up malware and become part of one or another spam-sending botnet.

According to Kaspersky Lab analysts, Russian spammers actively used social networks, and very often not only for advertising but also to lure a potential victim onto an infected site or a phishing page. Social networks were also used to organise SMS fraud involving the sending of paid messages to short numbers. In doing so, the attackers often acted on behalf of real social-network users whose registration data had been stolen. Social engineering was used for this purpose, as well as special utilities that ostensibly made social networks more convenient to use but in fact forwarded passwords to the attackers.

As for phishing, its share of Russian mail traffic reached a maximum in the first half of 2008, averaging 1.32% and peaking at 2.5% in May. In the second half of the year, however, the number of phishing messages fell to 0.7-0.8%, and in the first quarter of 2009 it dropped to 0.54%. The main phishing targets in Russia, as in the world as a whole, were the credentials of bank accounts and of online payment systems such as PayPal or "Yandex Money".

Let us consider information leaks.

The problem of information leaks has not merely remained urgent but has continued to worsen: both the absolute number of leaks and their scale are growing. As a rule, leaks involved personal data, which according to InfoWatch accounted for 98% of all incidents, and almost all "million-record leaks" involved disclosure of personal data. State and commercial secrets accounted for less than 1%, but the number of incidents involving disclosure of state secrets grew fivefold compared with the previous year.

(Figure: main sources of information leaks in 2007-2008.)
According to InfoWatch experts, the share of deliberate leaks grew considerably in 2008: whereas in 2007 they accounted for 29% of incidents, in 2008 the figure was already 46%. InfoWatch experts attribute such substantial growth to the introduction of DLP-class tools, which are fairly successful at preventing accidental data leaks. The economic crisis also has a direct influence, as dishonest employees decide to improve their financial position at the expense of the employer or its clients; this especially concerns personal data, whose value grows from year to year. Meanwhile, staff carelessness remains at its former level. In addition, the crisis leads to growing depression and other psychological problems, which in turn promote the staff errors that lead to incidents. Cases of abuse by outsourcing companies (see figure), which stole client data for subsequent sale, were also recorded.

The majority of leaks are in one way or another connected with physical access to equipment. Theft, loss and incidents involving violation of disposal norms alone account for more than half of all incidents. The distribution of incidents by data carrier differs substantially for deliberate and accidental leaks. Geographically, the greatest number of leaks is recorded in the USA, Britain and Canada; however, this is only because the level of publicity in this area is substantially higher in those countries and the fact of an incident is harder to conceal.

As for the further development of the situation, the forecasts are unfavourable. The number of incidents and their scale will only grow, especially with the emergence of new financial services that make everything connected with identity theft possible and profitable.

Below are the recommendations of the IT board of directors to IT directors on protecting personal data in 2009.

The legislation of the Russian Federation provides for the existence of data protected by law. One of the largest streams of confidential information, and a considerable part of it, is data on citizens. The legislative basis in this area consists of the articles of the Constitution of the Russian Federation on citizens' right to information, which correspond to international norms in this area. Thus, the secrecy of correspondence, telephone conversations, postal, telegraph and other messages, and personal and family secrets are protected. In addition, the collection, storage, use and dissemination of information on a person's private life without that person's consent are not permitted.

Although today the discussion mainly concerns the federal law "On Personal Data" issued in 2006, it should be noted that the list of other legislative and regulatory acts that touch in one way or another on personal data is already quite large. Consequently, many questions and problems have accumulated concerning differing interpretations of the existing statutory acts and the order of their application.

Two parties take part in the legal relationships connected with the circulation of personal data: on the one hand the subject of the personal data, and on the other the operator, that is, a state body, municipal body, legal entity or natural person that organises and (or) carries out processing of personal data and also determines the purposes and content of that processing. Thus the proprietor of the personal data is the natural person whose data are in circulation, while representatives of state and/or commercial structures become holders of this information by virtue of their duties.

Any documented information whose unlawful handling could cause damage to its proprietor, holder, user or another person is subject to protection. The aim pursued is the protection of citizens' constitutional rights to the preservation of personal secrets and the confidentiality of the personal data held in information systems.

Meanwhile, not much time remains until January 1st, 2010, the day by which personal-data information systems must be brought into conformity with the requirements of the federal law. For developing and deploying a personal-data protection system in a company, this time is catastrophically short.

Enough time has already passed since the federal law "On Personal Data" came into force. Society has gradually begun to appreciate the significance of its adoption for forming the legal awareness of Russian citizens: each of us has information that should be protected by the state from unlawful dissemination and use. At the same time, one must distinguish the legislator's position regarding operators, who are obliged to process personal data in accordance with the requirements of the federal law, from its position regarding the subjects of personal data, whose rights the state should protect, first of all through enforcement of the regulators' requirements and secondly through control and supervision of the protection of the rights of personal-data subjects. Thus operators of personal data are the category that must give the most thought to organising their activity in accordance with the existing legislation.

Very conditionally, this activity can be divided into two parts. The "non-technical" side of the operator's protection of the personal data it processes is, alongside the "technical" side, of great importance for compliance with the requirements of the federal law. It must be understood that compliance with these requirements calls for a new and rather voluminous layer of documentation in every organisation.

As for the second, "technical" side, it is very important to bear in mind that a modern enterprise information system contains a large number of applications that process personal data. Only a comprehensive audit of the information system makes it possible to take an inventory of information resources and to understand where, how and what personal data are processed.

The legislative basis for measures to protect personal data

1. The main regulatory documents

- The Code of the Russian Federation on Administrative Offences of December 30th, 2001, N 195
- The Labour Code of the Russian Federation of December 30th, 2001, N 197
- Federal Law of July 27th, 2006, N 149 "On Information, Information Technologies and Information Protection"
- Federal Law of July 27th, 2006, N 152 "On Personal Data" (as amended on March 28th, 2008)
- Government Decree of the Russian Federation of September 27th, 2007, N 612 "On Approval of the Rules for Remote Sale of Goods"
- Government Decree of the Russian Federation of November 17th, 2007, N 781 "On Approval of the Regulation on Security of Personal Data During Their Processing in Personal-Data Information Systems"
- Government Decree of the Russian Federation of September 15th, 2008, N 687 "On Approval of the Regulation on Specifics of Personal-Data Processing Carried Out Without the Use of Automation Tools"
- Order of Federal Technical and Export Control of Russia, the FSB of the Russian Federation and the Ministry of Information Technologies and Communications of the Russian Federation of February 13th, 2008, N 55/86/20 "On Approval of the Procedure for Classifying Personal-Data Information Systems"
- Order of the Federal Service for Supervision of Mass Communications, Communications and Cultural Heritage Protection of March 28th, 2008, N 154 "On Approval of the Regulation on Maintaining the Register of Operators Processing Personal Data"
- Basic model of threats to the security of personal data during their processing in personal-data information systems. Federal Technical and Export Control of Russia, 02/14/2008.
- Methodology for determining actual threats to the security of personal data during their processing in personal-data information systems. Federal Technical and Export Control of Russia, 02/14/2008.
- Main measures for the organisational and technical security of personal data processed in personal-data information systems. Federal Technical and Export Control of Russia, 02/15/2008.
- Recommendations on the security of personal data during their processing in personal-data information systems. Federal Technical and Export Control of Russia, 02/15/2008.
- Standard requirements for the organisation and operation of cryptographic tools intended for the protection of information not containing state secrets, when used to secure personal data during their processing in personal-data information systems. FSB of Russia, 02/21/2008, N 149/6/6-622
- Methodological recommendations on securing personal data by means of encryption tools during their processing in personal-data information systems with the use of automation tools. FSB of Russia, 02/21/2008, N 149/5-144

2. Key provisions of the regulatory documents

Below are a number of references to the regulatory framework governing liability for violation of the legislation on personal-data protection.

The Code of the Russian Federation on Administrative Offences

Article 5.39. Refusal to provide information to a citizen.
Unlawful refusal to provide a citizen with documents and materials collected in the established procedure that directly affect the rights and freedoms of the citizen, or untimely provision of such documents and materials, failure to provide other information in cases provided for by law, or provision to the citizen of incomplete or knowingly unreliable information entails the imposition of an administrative fine on officials of from five hundred to one thousand roubles. (Note: this article is grounds for administrative punishment under Article 3.12, Administrative suspension of activity.)

Article 13.11. Violation of the procedure established by law for the collection, storage, use or dissemination of information on citizens (personal data).
Violation of the procedure established by law for the collection, storage, use or dissemination of information on citizens (personal data) entails a warning or the imposition of an administrative fine on citizens of from three hundred to five hundred roubles; on officials, from five hundred to one thousand roubles; on legal entities, from five thousand to ten thousand roubles.

Article 13.12. Violation of information protection rules.
1. Violation of the conditions provided for by a licence for activity in the field of information protection (except for information constituting a state secret) entails the imposition of an administrative fine on citizens of from three hundred to five hundred roubles; on officials, from five hundred to one thousand roubles; on legal entities, from five thousand to ten thousand roubles.
2. Use of uncertified information systems, databases and data banks, and also of uncertified information protection tools, if they are subject to mandatory certification (except for tools protecting information constituting a state secret), entails the imposition of an administrative fine on citizens of from five hundred to one thousand roubles, with or without confiscation of the uncertified information protection tools; on officials, from one thousand to two thousand roubles; on legal entities, from ten thousand to twenty thousand roubles, with or without confiscation of the uncertified information protection tools.
3. Gross violation of the conditions provided for by a licence for activity in the field of information protection (except for information constituting a state secret) entails the imposition of an administrative fine on persons engaged in entrepreneurial activity without forming a legal entity of from one thousand to one thousand five hundred roubles or administrative suspension of activity for up to ninety days; on officials, from one thousand to one thousand five hundred roubles; on legal entities, from ten thousand to fifteen thousand roubles or administrative suspension of activity for up to ninety days.

Article 19.5. Failure to comply in due time with a lawful order (ruling, submission, decision) of a body (official) exercising state supervision (control)
1. Failure to comply within the established period with a lawful order (ruling, submission, decision) of a body (official) exercising state supervision (control) on the elimination of violations of the legislation entails the imposition of an administrative fine on citizens of from three hundred to five hundred roubles; on officials, from one thousand to two thousand roubles or disqualification for up to three years; on legal entities, from ten thousand to twenty thousand roubles.
2. Failure to comply within the established period with a lawful order or decision of the body authorised in the field of export control, or of its territorial body, entails the imposition of an administrative fine on officials of from five thousand to ten thousand roubles or disqualification for up to three years; on legal entities, from two hundred thousand to five hundred thousand roubles.

The Criminal Code of the Russian Federation

Article 137. Violation of the inviolability of private life.
1. Illegal collection or dissemination of information on a person's private life constituting his personal or family secret, without his consent, or dissemination of this information in a public statement, a publicly displayed work or the mass media
(Federal Law of 12/22/2008 N 272 supplements paragraph two of part 1 of Article 137 from January 1st, 2010 with the words: "or by imprisonment for up to two years with deprivation of the right to hold certain posts or engage in certain activities for up to three years".)
is punishable by a fine of up to two hundred thousand roubles or in the amount of the wages or other income of the convicted person for a period of up to eighteen months, or by compulsory labour for a term of one hundred twenty to one hundred eighty hours, or by corrective labour for up to one year, or by arrest for up to four months.

2. The same acts committed by a person using his official position
(Federal Law of 12/22/2008 N 272 supplements paragraph two of part 2 of Article 137 from January 1st, 2010 with the words: "or by imprisonment for a term of one to four years with deprivation of the right to hold certain posts or engage in certain activities for up to five years".)
are punishable by a fine of from one hundred thousand to three hundred thousand roubles or in the amount of the wages or other income of the convicted person for a period of one to two years, or by deprivation of the right to hold certain posts or engage in certain activities for a term of two to five years, or by arrest for a term of four to six months.

Article 140. Refusal to provide information to a citizen
Unlawful refusal by an official to provide documents and materials collected in the established procedure that directly affect the rights and freedoms of a citizen, or provision to the citizen of incomplete or knowingly false information, if these acts have harmed the rights and legitimate interests of citizens, is punishable by a fine of up to two hundred thousand roubles or in the amount of the wages or other income of the convicted person for a period of up to eighteen months, or by deprivation of the right to hold certain posts or engage in certain activities for a term of two to five years.

Article 171. Illegal entrepreneurship
1. Carrying out entrepreneurial activity without registration or in violation of the registration rules, or submitting to the body carrying out state registration of legal entities and individual entrepreneurs documents containing knowingly false information, or carrying out entrepreneurial activity without a special permit (licence) where such a permit (licence) is mandatory, or in violation of licence requirements and conditions, if this act has caused major damage to citizens, organisations or the state or involved the extraction of income on a large scale, is punishable by a fine of up to three hundred thousand roubles or in the amount of the wages or other income of the convicted person for a period of up to two years, or by compulsory labour for a term of one hundred eighty to two hundred forty hours, or by arrest for a term of four to six months.

2. The same act:
committed by an organised group;
involving the extraction of income on an especially large scale
is punishable by a fine of from one hundred thousand to five hundred thousand roubles or in the amount of the wages or other income of the convicted person for a period of one to three years, or by imprisonment for up to five years, with or without a fine of up to eighty thousand roubles or in the amount of the wages or other income of the convicted person for a period of up to six months.

Federal Law "On Information, Information Technologies and Information Protection"

Article 17. Liability for offences in the sphere of information, information technologies and information protection

1. Persons whose rights and legitimate interests have been violated in connection with disclosure of restricted-access information or other unlawful use of such information have the right to apply in the established procedure for judicial protection of their rights, including by bringing claims for damages, compensation for moral harm, and protection of honour, dignity and business reputation.
A claim for damages cannot be satisfied if it is brought by a person who did not take measures to observe the confidentiality of the information or who violated the information-protection requirements established by the legislation of the Russian Federation, if taking those measures and observing those requirements were the duties of that person.

Federal Law "On Personal Data"

Article 22. Notification of personal-data processing
1. Before commencing processing of personal data, the operator is obliged to notify the authorised body for the protection of the rights of personal-data subjects of its intention to process personal data, except in the cases provided for by part 2 of this article.
2. The operator has the right to process personal data without notifying the authorised body for the protection of the rights of personal-data subjects where the personal data:
1) concern subjects who are bound to the operator by labour relations;
2) were received by the operator in connection with the conclusion of a contract to which the personal-data subject is a party, provided the personal data are not disseminated or provided to third parties without the consent of the subject and are used by the operator solely to perform that contract and to conclude contracts with the subject;
3) concern members (participants) of a public association or religious organisation and are processed by the corresponding public association or religious organisation, operating in accordance with the legislation of the Russian Federation, to achieve the lawful purposes provided for by its constituent documents, provided the personal data will not be disseminated without the written consent of the subjects;
4) are publicly available personal data;
5) include only the surnames, first names and patronymics of the subjects;
6) are necessary for a single admission of the subject onto the territory where the operator is located, or for other similar purposes;
7) are included in information systems that have the status of federal automated information systems under federal law, and also in state personal-data information systems created to protect state security and public order;
8) are processed without the use of automation tools in accordance with federal laws or other regulatory legal acts of the Russian Federation establishing requirements for the security of personal data during their processing and for observance of the rights of personal-data subjects.
Article 24. Liability for violation of the requirements of this federal law. Persons guilty of violating the requirements of this federal law bear civil, criminal, administrative, disciplinary and other liability provided for by the legislation of the Russian Federation.

Chapter 5. Control and supervision of personal-data processing. Liability for violation of the requirements of this federal law

Article 23. The authorised body for the protection of the rights of personal-data subjects
3. The authorised body for the protection of the rights of personal-data subjects has the right:
1) to apply to the body licensing the operator's activity for consideration of measures to suspend or revoke the corresponding licence, in the procedure established by the legislation of the Russian Federation, if a condition of the licence for such activity is a prohibition on transferring personal data to third parties without the written consent of the personal-data subject;
2) to refer materials to the prosecutor's office and other law-enforcement bodies for a decision on initiating criminal proceedings on the grounds of crimes connected with violation of the rights of personal-data subjects, according to jurisdiction;
9) to bring persons guilty of violating this federal law to administrative liability.

Article 25. Final provisions

1. Personal-data information systems created before the day this federal law comes into force must be brought into conformity with its requirements not later than January 1st, 2010.
2. Operators that process personal data before the day this federal law comes into force and continue such processing after that day are obliged to submit to the authorised body for the protection of the rights of personal-data subjects, except in the cases provided for by part 2 of Article 22 of this federal law, the notification provided for by part 3 of Article 22 of this federal law, not later than January 1st, 2008.

Regulators

1. Control and supervision over compliance with personal-data protection requirements

The federal executive body authorised in the field of security: the FSB of Russia;

The federal executive body authorised in the field of countering technical intelligence and technical protection of information: Federal Technical and Export Control of Russia;

The authorised body for the protection of the rights of personal-data subjects: the Federal Service for Supervision of Communications, Information Technology and Mass Communications (of the Ministry of Communications and Mass Communications).

Each of these bodies has its own area of responsibility.
The FSB of Russia traditionally oversees the protection of information using encryption (cryptographic) tools.
Federal Technical and Export Control of Russia exercises control over the protection of information by technical, non-cryptographic means. The Federal Service for Supervision of Communications, Information Technology and Communications is the main executive and supervisory body for protecting the rights of natural persons whose personal data are processed.

2. Kinds of checks provided for by the legislation

Federal Service for Supervision of Communications, Information Technology and Communications:
- On application of a personal data subject: checking that the content of the personal data and the methods of its processing correspond to the purposes of processing (federal law N152 of July 26th, 2006)
- Checking the data contained in the notification of personal data processing (federal law N152 of July 27th, 2006)
- Unscheduled inspections to verify violations of mandatory requirements (federal law N134 of August 8th, 2001)

Federal Technical and Export Control of Russia:
- Supervision of the activity of licensees of Federal Technical and Export Control of Russia (Governmental order N504 of August 15th, 2006)
- On request of Roskomnadzor (federal law N152 of July 27th, 2006)
- Unscheduled inspections to verify violations of mandatory requirements (federal law N134 of August 8th, 2001)

FSB of Russia:
- Control over compliance with the rules for using cryptographic information protection means (Order of the FSB of Russia N66 of February 9th, 2005, PKZ-2005)
- Supervision of the activity of licensees of the FSB of Russia (Governmental order N957 of December 29th, 2007)
- Unscheduled inspections to verify violations of mandatory requirements (federal law N134 of August 8th, 2001)
- On request of Roskomnadzor (federal law N152 of July 27th, 2006)

The general recommendations

Measures for the security of personal data combine legal, organisational and technical measures, and all of them are equally significant: failing to meet one set of requirements nullifies the results of implementing the others.

1. Where to begin
Every operator needs, first of all for its own sake, to document the basic concepts of processing the personal data of subjects, because:
- first, the operator has a duty to provide the subject, on the basis of an application or request, with information concerning the processing of his personal data, including:
- the purpose of processing;
- the methods of processing;
- information on the persons having access to the personal data;
- the list of personal data processed;
- the source from which the data was received;
- the periods of processing and storage of the personal data.

It should be borne in mind that such information can be given to the subject promptly only on the basis of already existing documents in which the principles and criteria of processing are set out systematically. Otherwise, for example, mobile communication operators answering identical requests from subjects may, owing to the large volume of personal data processed, give inconsistent answers or answers that are incorrect from the requester's point of view.

- Secondly, the need to analyse all personal data processed by the organisation and to collect this information in a single document (let us call it, for example, the “Detailed list of personal data”) follows from the requirements for technical protection of the personal data processed by the operator. To explain: the Order of Federal Technical and Export Control of Russia, FSB of Russia and Federal Service for Supervision of Communications, Information Technology and Communications of 02/13/08 N 55/86/20 “On approval of the procedure for classifying personal data information systems” takes into account, when classifying information systems in order to determine their required level of protection and the organisation's expenditure on technical protection of personal data, the categories of personal data processed and their volume. Accordingly, this information needs to be fixed and documented.

- Thirdly, formulating in the “Detailed list”, in particular, the purpose of processing personal data will help the operator, in disputed cases, to justify processing without the consent of the personal data subject where the federal law (part 2, item 6) provides for such a possibility, because the legislator, in describing such cases, ties their description to the concept of “purpose of processing”.

- Fourthly, the authorised body, when inspecting and establishing the cause of a violation of particular provisions of personal data legislation, will be guided first of all by compliance with the principles of the federal law (item 5), which can be checked only against the document (or documents) defining the processing of personal data in the organisation.

So that the single document on processing personal data in the organisation “anticipates” all questions the Authorised body may raise, a preliminary analysis of all of the operator's documentation that contains and defines the processing of personal data of subjects is necessary.

In turn, when carrying out such an analysis and drafting the text of the “Detailed list”, the possibility of typifying personal data should be considered. For example, when the operator processes the personal data of subjects for a single purpose (for example, a communication operator processes personal data in order to provide telecommunication services), the “Detailed list” should clearly formulate the purpose, the methods, the list of processed personal data and so on.

When the operator processes personal data for various purposes, for example processing employee data for payroll, for an access control regime and for personnel records, the data needs to be typified by purpose of processing, and this should be reflected in the “Position” (the regulation on personal data). Such a system of description (by the criterion of purpose of processing, for example) will allow the operator to navigate effectively the documents containing personal data when answering requests from subjects and from the Authorised body.

Another question concerning the operator's personal data documentation is that of storage periods. Here the legislation, perhaps for the first time, establishes a maximum, and moreover a conditional, storage period: “until the purposes of processing are achieved”. Organisations should establish storage periods for personal data, and the justification for the chosen periods should be thought through in advance. For example, proceeding from the requirements of labour, civil (limitation of actions) and pension legislation, the storage period for form Т-2 cards is set at 75 years, while for information on the telecommunication services provided to a subscriber the storage period is 3 years on the basis of Governmental order N 538 of 2005.

As for technical measures to protect personal data: security measures for personal data processed in information systems must include keeping records of the persons admitted to work with personal data in the IS. Persons whose access to the personal data processed in the information system is necessary for performing their official (labour) duties should be admitted to the corresponding data on the basis of a list approved by an authorised person of the operator.

An approved list by itself means little. It is important to implement access differentiation not only to applications but also, within applications, to the personal data itself in accordance with the approved list. Doing this without an effective access control system is extremely inconvenient.

Along with differentiation of access to personal data, the personal data IS should implement mechanisms for:
- registration and accounting (logging);
- integrity maintenance;
- anti-virus protection;
- cryptographic protection.

The functions these mechanisms must perform are defined in the methodical documents of the FSB of Russia and Federal Technical and Export Control of Russia on protection of personal data.

The mechanisms aim to prevent unauthorised access to personal data and, in addition, to provide timely detection of unauthorised access. It is also important to understand that however good the protection mechanisms may be, the operator's responsible persons should periodically check and verify their effectiveness.
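As an added illustration (not from the original article or its sources) of three of the mechanisms above working together: a minimal personal data store that differentiates access per data category against the approved list, logs every access decision (registration and accounting) and verifies the integrity of the approved list before each use. The employee names, data categories, records and fingerprint scheme are all constructed for the example.

```python
"""Added example: access differentiation to personal data in an IS, with
registration/accounting of every access decision and an integrity check of
the approved-access list. Names, categories and records are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed "list confirmed by the authorised person of the operator":
# the categories of personal data each admitted employee may access.
APPROVED_LIST = {
    "hr_clerk": {"passport", "address", "employment_record"},
    "payroll": {"employment_record", "bank_account"},
}

# Constructed personal data of one subject (placeholder values).
RECORDS = {
    "subj-001": {"passport": "<passport no.>", "address": "<address>",
                 "employment_record": "<record>", "bank_account": "<account>"},
}


def list_fingerprint(approved):
    """Integrity control: SHA-256 over a canonical form of the list, recorded
    when the list is signed off and re-checked before every use."""
    canonical = json.dumps({u: sorted(c) for u, c in sorted(approved.items())})
    return hashlib.sha256(canonical.encode()).hexdigest()


class ListTamperedError(Exception):
    """The approved list no longer matches its signed-off fingerprint."""


class PersonalDataStore:
    def __init__(self, approved, signed_fingerprint, records):
        self.approved = approved
        self.signed_fingerprint = signed_fingerprint
        self.records = records
        self.log = []  # registration and accounting: one entry per decision

    def _record(self, user, subject_id, category, outcome):
        self.log.append({"time": datetime.now(timezone.utc).isoformat(),
                         "user": user, "subject": subject_id,
                         "category": category, "outcome": outcome})

    def read(self, user, subject_id, category):
        """Return one category of one subject's data, or refuse and log why."""
        if list_fingerprint(self.approved) != self.signed_fingerprint:
            self._record(user, subject_id, category, "list-integrity-failure")
            raise ListTamperedError("approved list does not match fingerprint")
        if category not in self.approved.get(user, set()):
            self._record(user, subject_id, category, "denied")
            raise PermissionError(f"{user} is not admitted to {category}")
        self._record(user, subject_id, category, "granted")
        return self.records[subject_id][category]

    def access_outcome(self, user, subject_id, category):
        """Attempt a read and report the logged outcome (for periodic checks)."""
        try:
            self.read(user, subject_id, category)
        except (PermissionError, ListTamperedError):
            pass
        return self.log[-1]["outcome"]

    def denied_count(self):
        """Periodic-control metric: number of refused or failed accesses."""
        return sum(1 for e in self.log if e["outcome"] != "granted")
```

The periodic check the text calls for reduces here to reviewing the log and confirming the fingerprint still matches the signed-off list; a modified list is refused before any data is returned.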

A certain difficulty in categorising, protecting and certifying the IS arises from the fact that modern automated IS use software products that cover the whole enterprise. Where earlier one could speak of local protection of a specific module (for example, personnel records), now, with the widespread use of ERP systems into which such a module is integrated, the whole information system has to be protected and certified.

2. The list of internal documents of the company

- an order creating a commission on personal data protection and vesting it with the powers to carry out all activities concerning the organisation of personal data protection;
- a position (regulation) on personal data and their protection;
- an instruction on the procedure for maintaining confidentiality when handling information containing personal data;
- an order (or orders) assigning personal responsibility for personal data protection;
- a contract with the personal data subject, which may contain the subject's separate written consent to processing, in the cases defined by federal law N152;
- a standard document (list) collecting information on the personal data processed by the operator (including their category, volume and storage periods);
- a list of the information systems processing personal data;
- regulations on admitting employees to processing of personal data;
- a list of the employees admitted to processing of personal data;
- job descriptions of the employees with respect to processing of personal data.

3. The operations procedure on creation of system of protection of personal data

If the organisation has a unified administrative structure, the following scheme for organising a personal data protection system can be offered to operators:
- To organise management of personal data protection matters
- To create two directions for ensuring protection of the processed personal data: a technical direction and a “non-technical” protection direction, whose duties can in turn be redistributed among structural divisions according to the purposes of processing, for example protection of personal data in personnel records, in the access control system, and in the legal division (when drawing up and recording contracts with personal data subjects). An internal document (job descriptions) should establish the personal responsibility of the workers of these directions for proper protection of personal data.
Technical protection can begin after the personal data has been categorised and its volume and the features of the technological processes of its processing have been determined (transfer of personal data within a process between geographically separate divisions of the company, multi-user access to personal data, differing employee access rights). These steps make it possible:
- To determine the protection class of the personal data and select the means that meet the requirements for the protection system of an information system of that class.
- To design the personal data protection system.
- To prepare for and, if necessary, carry out certification of the personal data protection system / attestation of the personal data information system.
On this basis, the process of bringing the procedure of personal data processing into compliance with the legislation can be conditionally divided into the following stages:
- Inventory of the IS processing personal data
- Assessment of the legality of processing and of the presence of the subjects' consent to processing
- Control and updating of contractual relations with subjects
- Drawing up the list of personal data and carrying out categorisation
- Determining the terms and conditions for terminating processing of personal data
- Differentiation of user access to personal data in the personal data IS
- Drawing up the documents regulating work with personal data
- Forming a threat model containing the actual information security threats to personal data during processing in the information system
- Classification of the personal data IS
- Where necessary, as defined in federal law N152, sending the notification of personal data processing to the authorised body for protection of the rights of personal data subjects
- Bringing the personal data protection system into compliance with the regulators' requirements
- Where necessary, as defined by the methodical documents of Federal Technical and Export Control of Russia and FSB of Russia, obtaining the required licences
- Certification of the personal data IS
- Operation of the IS: monitoring, detection of and response to incidents

4. Model of threats and classification of IS of personal data

On the basis of the order of Federal Technical and Export Control of Russia, FSB of Russia and Federal Service for Supervision of Communications, Information Technology and Communications of Russia of February 13th, 2008 N 55/86/20 “On approval of the Procedure for classifying personal data information systems”, the personal data operator should classify the personal data IS independently.

The threat model is built on the basis of the methodical documents of Federal Technical and Export Control of Russia and FSB of Russia, and of the actual security threats to personal data during processing in the personal data IS.

The methodical documents defining the threat model:
- Base model of security threats to personal data during processing in personal data information systems. Federal Technical and Export Control of Russia, 02/14/2008
- Methodology for determining actual security threats to personal data during processing in personal data information systems. Federal Technical and Export Control of Russia, 02/14/2008
- Methodical recommendations on ensuring the security of personal data with the help of encryption means during processing in personal data information systems using automation means. FSB of Russia, 02/21/2008, N 149/5-144

Note that if personal data is secured without cryptographic means, the threat model is formed using the methodical documents of Federal Technical and Export Control of Russia.

If the operator determines that personal data is to be secured with encryption means, the threat model is formed using the methodical documents of both Federal Technical and Export Control of Russia and FSB of Russia. Where the same threat appears in the documents of both, the more dangerous of the two assessments is chosen.

In coordination with Federal Technical and Export Control of Russia and FSB of Russia, the threat model may be formed only on the basis of the methodical documents of the FSB of Russia.

When securing personal data processed in information systems within the competence of the FSB of Russia, the threat model is formed only on the basis of the methodical documents of the FSB of Russia.

5. Requirements to certification of IS of personal data

The general security requirements for a personal data IS are defined in the federal law. When processing personal data, the operator is obliged to take the necessary organisational and technical measures, including the use of cryptographic means, to protect personal data against unlawful or accidental access, destruction, modification, blocking, copying, distribution and other unlawful actions. The protective mechanisms are specified in more detail in governmental order N 781 of 2007. Concrete requirements for neutralising the identified security threats and concrete functional requirements for the protective mechanisms are defined after the system has been classified and the threat model updated, on the basis of the methodical documents of Federal Technical and Export Control of Russia and FSB of Russia.

For qualified help with questions on building a personal data protection system, it is advisable to approach the information security committee.

6. What happens if nothing is done

Note that the legislation establishes criminal liability for violating the inviolability of private life and for violating the secrecy of correspondence, telephone conversations, postal, telegraph or other messages. In addition, civil legislation protects citizens' non-material rights, including in particular the inviolability of private life, personal and family secrets, and business reputation. It provides for compensation for moral harm and for the possibility of claiming in court compensation and a retraction of information that discredits a citizen's honour, dignity and business reputation.

It should also be considered that the use of uncertified information systems, databases and data banks, and of uncertified information protection means where they are subject to mandatory certification, entails their confiscation.

Violation of information protection rules and refusal to provide a citizen with information can lead to administrative suspension of the organisation's activity for up to 90 days.

Disclosure of information to which access is restricted by federal law, in particular personal data (except where such disclosure entails criminal liability), by a person who had access to it through official or professional duties is punishable by an administrative fine of up to ten thousand roubles.


Sources:
1. Shpunt Y. The main threats of information safety. Intelligent Enterprise, #9 (203), 2009. http://www.iemag.ru/analitics/detail.php?ID=18904
2. Recommendations of SoDiT to IT directors of Russia for protection of the personal data. Intelligent Enterprise, #9 (203), 2009. http://www.iemag.ru/analitics/detail.php?ID=18921

Date: 07/22/2009

©Chelenergyproject, info@chepr.ru, 2007-2013