Interview with Konstantin Renzyaev, CEO of CorpSoft24
In an interview with TAdviser, Konstantin Renzyaev, CEO of CorpSoft24, explained what actions companies need to take to comply with the requirements of Federal Law No. 152 on personal data, and how it is possible to save money in the process.
Where should companies begin in order to comply with Federal Law No. 152 on personal data?
Konstantin Renzyaev: Let's first define what personal data is: "Personal data (PDN) is any information relating directly or indirectly to an identified or identifiable individual (the personal data subject), including full name, place and date of birth, residential address, marital and social status, income data and other information."
Personal data is classified as restricted-access information and must be protected in accordance with the legislation of the Russian Federation.
First of all, it is necessary to determine what personal data is processed in the information systems, and then to determine the personal data security level, from 1 to 4.
The requirements for personal data security during processing in information systems are approved by Government Decree No. 1119 of November 1, 2012. If the company has difficulty determining the security level, our specialists will help solve this problem.
What are the requirements for personal data protection based on?
Konstantin Renzyaev: Besides Federal Law No. 152 in its latest revision, there are dozens of other regulatory documents that define and specify the requirements for personal data protection, including federal laws, bylaws, government decrees, guidance documents of FSTEC and the FSB, and a number of other documents. The main documents are:
- Federal Law of the Russian Federation of July 27, 2006 No. 152-FZ "On Personal Data", with the amendments in force at the moment;
- Decree of the Government of the Russian Federation of November 1, 2012 No. 1119 "On approval of requirements for the protection of personal data during their processing in personal data information systems";
- Order of FSTEC of Russia of February 18, 2013 No. 21 "On approval of the Regulation on methods and means of information protection in personal data information systems".
The security level has been determined. What's next?
Konstantin Renzyaev: After that, contact us right away :)
Next, it is necessary to issue an order on the organization's letterhead, signed and sealed, appointing a responsible person or creating a commission for bringing your personal data information system into compliance with the requirements of FZ-152.
Once the infrastructure has been brought into compliance with the requirements of the Federal Law, you must notify Roskomnadzor so that your organization is entered into the register of personal data operators. In practice, this means filling out the "Notification on Personal Data Processing" form on the agency's website.
The notification on personal data processing need not be submitted to Roskomnadzor if:
- the personal data is publicly available;
- the personal data consists only of the full name;
- the personal data is needed only for a one-time admission of the individual onto the organization's premises or for similar purposes;
- the personal data is processed without the use of automation tools, in accordance with the laws or other regulatory legal acts of the Russian Federation that set requirements for the security of personal data during processing and for observance of the rights of personal data subjects;
- the personal data is included in personal data information systems that have the status of federal automated information systems under federal laws, or in state personal data information systems created for the purpose of protecting state security and public order.
At what point does it make sense to contact you?
Konstantin Renzyaev: You can contact us as soon as the company has decided to comply with the requirements of the personal data law.
OK, what's next?
Konstantin Renzyaev: Next, a threat model needs to be developed, based on Decree of the Government of the Russian Federation of November 1, 2012 No. 1119 and FSTEC of Russia Order No. 21, in order to draw up technical specifications for the personal data protection system.
Can this be entrusted to your company?
Konstantin Renzyaev: Of course. You will save a great deal of time and receive an up-to-date threat model that you will be able to use in the future.
Who carries out inspections?
Konstantin Renzyaev: In the field of personal data protection there are three regulators:
- Roskomnadzor carries out inspections of compliance with the requirements on protecting the rights of personal data subjects.
- The FSB checks compliance with the requirements in the field of cryptography (if it is used).
- FSTEC of Russia checks compliance with the requirements on protecting data from unauthorized access and from leakage via technical channels.
How can one find out when an inspection of the organization or company is planned?
Konstantin Renzyaev: The inspection plans of Roskomnadzor, FSTEC and the FSB for 2016 can be found at the following links:
Information on all planned inspections can also be found on the website of the Prosecutor General's Office.
Now let's talk about what is probably the most expensive item. I mean ensuring the IT security that must comply with the requirements of FZ-152.
Konstantin Renzyaev: That's right, it is the most expensive side of the matter.
Your IT infrastructure may require the following expensive software and hardware-software protection tools:
- firewalls;
- crypto gateways;
- an intrusion prevention system;
- antivirus software;
- a security analysis system;
- means of protection against unauthorized access;
- virtualization environment protection tools;
- and some other information security tools.
But we have good news for you. It is not necessary to incur large expenses to ensure the IT security of your infrastructure. It can be deployed in the CorpSoft24 cloud using the "Federal Law 152 Cloud" service. We hold all the necessary certificates and FSB and FSTEC licenses, and are also ready to offer hardware, software, and hardware-software protection tools to ensure compliance with all requirements of Federal Law No. 152 and other regulatory documents in the field of personal data protection.
What are the advantages of using the "Federal Law 152 Cloud" service?
Konstantin Renzyaev: You significantly reduce the costs of building a personal data protection system and of certification, since the "Federal Law 152 Cloud" service already includes everything necessary. However, you still need to have the necessary documents developed. As mentioned earlier, we also provide services for preparing the necessary documents.
What liability is provided for failure to meet the requirements?
Konstantin Renzyaev: From a fine of at least 3,000 rubles up to criminal liability. Everything depends on the type of violation and on the consequences caused by the absence or insufficiency of IT security for personal data.