Inspection of a personal data information system of Federal State Unitary Enterprise ROSRAO for compliance with information security requirements

Customers: Federal State Unitary Enterprise ROSRAO, an enterprise for the treatment of radioactive waste
Contractors: АСТ - AST - Advanced System Technologies
Product: StoneGate IPS
Second product: StoneGate Firewall/VPN
Project date: 2012/03 - 2012/09

Inspection of a personal data information system of Federal State Unitary Enterprise ROSRAO for compliance with information security requirements. Implementation, setup and training in the use of software and hardware tools for firewalling and intrusion prevention
Federal State Unitary Enterprise ROSRAO is a specialized enterprise engaged in the treatment of radioactive waste, including the collection, transportation, processing, conditioning and storage of waste of low and intermediate activity levels, as well as the treatment of spent nuclear fuel and of radioactive waste accumulated in the course of activity of the VTR of the Russian Federation and generated during the decommissioning of nuclear submarines and surface ships with nuclear power plants. ROSRAO exercises radiation control and carries out work on the rehabilitation of contaminated territories. It comprises 8 branches managing the activity of 19 departments, whose sites are located across the whole territory of Russia. The enterprise is part of the Rosatom state corporation.
To carry out the various functional tasks within its activity, the enterprise uses a set of diverse information systems and an IT infrastructure to which all branches and departments are connected. These include both specialized solutions that automate parts of its primary activity and auxiliary accounting systems, including the information system that contains and processes personal data. Such a system requires data protection measures at the level regulated by Federal Law 152-FZ on personal data, Federal Law 149-FZ on information, information technologies and data protection, and FSTEC Order No. 17 on mandatory requirements for data protection in state information systems (SIS).
To meet regulatory requirements and ensure the due level of information security (IS) of the target personal data information system, Federal State Unitary Enterprise ROSRAO held a tender for services to inspect the target system for compliance with information security requirements, to develop and deploy information security tools, and to bring the system's level of security up to the normative level. AST, which submitted the top-ranked offer by qualification parameters, was selected as the project contractor.
As part of the project, AST performed the following set of works:
- The personal data information system of Federal State Unitary Enterprise ROSRAO was examined, including its infrastructure, its software solution and operating algorithms, its points of use and connection, and its interaction with connected information systems.
- The information security tools in use and the vulnerabilities were analyzed.
- Models of security threats to the personal data processed in the target information system were developed.
- A design for a personal data protection system in the target information system and the connected information systems was developed.
- Software and hardware protection tools, including firewalling and intrusion detection and prevention, were delivered and configured.
- The integrated solution was implemented.
- The protection systems were tested, including simulation of threats and of protection against them.
- Users and administrators of the information system were trained to work with the implemented software and hardware.
The project was implemented in 3 months and covered more than 500 users of the head office of Federal State Unitary Enterprise ROSRAO. The solution uses the Stonesoft StoneGate IPS and FW products, which are some of the best in their class.
As a result of the work carried out, effective software and hardware data protection tools were implemented, which significantly increased the actual level of information security of the target and adjacent information systems of Federal State Unitary Enterprise ROSRAO, including protection against external and internal threats. The work brought the information system into full compliance with the requirements of Russian legislation and the regulatory documents on the security of personal data in state information systems.
The achieved results:
- Effective software and hardware data protection tools were implemented, which significantly increased the actual level of information security of the target and adjacent information systems of Federal State Unitary Enterprise ROSRAO, including protection against external and internal threats.
- The work brought the information system into full compliance with the requirements of Russian legislation and the regulatory documents on the security of personal data in state information systems.
Inna Sergienko, Head of complex information security support at AST: "In developing the solution for protecting the personal data information system of Federal State Unitary Enterprise ROSRAO, we put great emphasis on the comprehensiveness of data security provision and the maximum functionality of the delivered software and hardware tools. This is because the target information system is not an isolated solution; it sits within the general information infrastructure of the enterprise and is connected with other information systems. This in itself imposed expanded functional requirements. And taking into account the specifics of the customer's activity, higher requirements were set for us, which we fully met."