The industry standard for personal data protection (PDN) in non-state pension funds (NSPF)
The National Association of Non-State Pension Funds (NAPF) and Leta IT-company, an operator of standardized IT services, have announced the completion of development of an industry standard for personal data protection (PDN) for non-state pension funds (NSPF). Once the reconciliation procedure with the regulators is complete, it will serve as the basis for projects to build personal data protection systems (SZPDN) in NPFs, Leta IT-company says.
The standard is expected to speed up and reduce the cost of such projects, reduce the risk of errors and long correction cycles, allow NPFs to interact more effectively with contractors and regulators, and simplify the work of supervisory authorities. Moreover, Leta notes, the standard can be applied in implementing and monitoring compliance with legal requirements across the whole Russian pension insurance market.[1]
The need for an industry standard for PDN protection stems from a number of features of the pension insurance market. The activity of an NPF involves receiving, processing and storing large volumes of personal data of investors, insurers, participants and insured persons in information systems. At the same time, NPF information systems are, as a rule, geographically distributed, and the PDN processed belong to different categories, up to the highest. All this considerably raises the organizational and technical requirements for personal data protection systems and also requires closer interaction with regulators at all stages of the SZPDN lifecycle, the company noted.
The National Association of Non-State Pension Funds, which in effect represents the country's entire non-state pension industry, initiated the creation of the standard. Development was carried out by Leta IT-company in continuous cooperation with NAPF. The choice of contractor was driven, in particular, by the fact that Leta has completed a number of similar projects in non-state pension funds (including NPF Blagosostoyaniye) and has its own methodological developments in the field of PDN protection, a considerable part of which have been made public. In addition, implementation of various universal and industry cybersecurity standards is one of the company's key specializations, Leta IT-company reported.
As noted, the developed standard offers a complete approach to building and managing the SZPDN lifecycle that is fully adapted to the specifics of non-state pension funds and meets the requirements of the existing regulatory framework for PDN protection. In the course of work on the standard, a major task has been solved: a package of regulatory and legal documentation on PDN protection has been created for the entire vertical of non-state pension funds that are members of NAPF. The level of detail and methodological consistency of the documents, together with ready-made templates and all necessary reference information, allow the package to be used directly in real projects, Leta claims.
The standard regulates the procedure, rules and methodology for building and certifying personal data protection systems in NPFs, and its documents cover all stages of PDN processing and protection, including planning, implementation, monitoring and correction of the relevant activities. It also provides detailed recommendations on the full range of questions involved in building an SZPDN, from explaining the principles of PDN protection and identifying, describing and classifying personal data information systems, to applying specific security measures in ISPDN of different classes. All SZPDN components are addressed: physical protection and physical access control; assignment of roles, duties and authorities; access control in ISPDN; organization of antivirus protection and firewalling; use of cryptographic means; detection of attacks and intrusions; monitoring and logging of user actions and control of Internet use; backup of software and of information containing personal data; accounting, control of circulation and destruction of storage media and mobile devices, etc. The standard also includes a complete package of standard organizational and administrative documents (OAD) and a set of detailed recommendations on preparing OAD to support PDN processing and protection.
In addition, within the project an original methodology was developed for drawing up a threat model and determining the relevant security risks to personal data when it is processed in a pension fund's information systems. A basic model of security risks to personal data processed in ISPDN has also been created.
"The practice of bringing personal data processing information systems into compliance with the requirements of Law No. 152-FZ, as it has developed in the market, has shown the full complexity of fulfilling the provisions of the regulatory framework. Differences in methodological approaches and the existence of a set of alternatives for implementing the same requirements quite often lead to similar projects in companies in the same field of activity yielding completely different results. Such 'dissonance' in the implementation by Russian non-state pension funds of a set of requirements common to all would not only break the internal interrelations of the organization, but could also become a destabilizing factor for the whole non-state pension provision market, complicate the fulfillment of PDN protection requirements among NPFs, and complicate the overall course of meeting statutory PDN protection requirements on a national scale," says Konstantin Ugryumov, president of the National Association of Non-State Pension Funds. "The industry standard on personal data protection is intended to remove all these risks and to produce a methodologically and substantively high-quality product. The participation of experts from NAPF and Leta IT-company in its development guarantees that this document corresponds to the realities of the Russian market."