2016/11/30 17:32:52

How to organize data protection in the cloud and pass inspections by Roskomnadzor, the FSB and FSTEC. TADetails

How can modern technologies be used to implement organizational measures for data protection in state information systems (SIS) and personal data processing systems, so that the organization is always fully ready for inspections by Roskomnadzor, the FSB and FSTEC of Russia? We cover this in the TADetails column.


Information technologies have firmly entered our lives. Every year the volume of information processed in various information systems grows rapidly, technologies improve, and data transfer rates on the Internet increase. Techniques for stealing information, including by breaking into information resources in order to use it for profit, do not stand still either.

The forms and methods of attacks aimed at generally destabilizing the country's economy by disrupting the operation of important state and commercial websites and portals are also developing. Given the difficult foreign policy situation, data protection has become especially relevant in Russia: the state pays more and more attention to regulating information security, drafts new laws, standards and bylaws at the level of the state regulators, and strictly monitors compliance with the established requirements.

Data protection in state information systems (SIS) and information systems processing personal data (ISPDN) is by now covered in considerable detail. The regulatory authorities, Roskomnadzor, the FSB and FSTEC of Russia, regularly inspect compliance with the established data protection requirements and hold violators liable, as a rule administratively.

The need to comply with legislation and regulator requirements sets organizations a number of difficult tasks, the first priority of which is taking organizational measures for data protection: conducting an internal audit, appointing responsible persons, developing organizational, administrative and technical documentation and keeping it up to date, and determining technical protection requirements for specific information systems.

Who to entrust with the audit and documentation development

Traditionally, organizations either try to conduct the audit and develop data protection documentation on their own or engage a third party for this purpose. As a rule, there are no qualified information security specialists on staff, or they are busy with other tasks, so in-house development of documentation is assigned to system administrators, HR officers or lawyers. This negatively affects the quality of the documentation, which in turn can lead to fines following inspections.

When engaging a contractor to develop documentation, the customer often has difficulty assessing whether the price of the proposed work is reasonable: prices for similar services can vary from 5-10 to several hundred thousand rubles for one document package.

In both cases the result is one-off: the legislation, the organization's staff and its information infrastructure change constantly, and the documentation accordingly quickly becomes outdated. So after a short time it is again necessary either to assign employees to update the documentation or to pay the contractor.

Recently, to solve data protection tasks, organizations have increasingly turned to online services that automate the implementation of organizational measures using modern technologies. The most notable such tool on the Russian market is perhaps the Alfadoc service.

Fig. 1. The Alfadoc service has a simple and intuitive interface

A cloud information security specialist on the organization's staff

In the Alfadoc service, organizations automatically develop a documentation set on the protection of personal data and of information contained in SIS, including technical specifications, a technical data sheet, a model of threats and violator actions, an access matrix and others. To create a document package, the system guides the user step by step, prompting them to answer questions and enter the necessary data. Step-by-step help and consultations with specialists on the hotline allow employees to develop a substantial document package without in-depth knowledge of data protection.

Fig. 2. The system guides the user step by step through creating the necessary document package

Developing documentation is an important task, but not the only one the service helps users solve. If the legislation or regulator requirements change, the documents in the service are updated automatically. Alfadoc specialists monitor changes in legislation, taking this problem off the user. When something changes in the organization (for example, hiring and dismissal of employees, purchase or write-off of equipment or information security tools), the user only needs to enter the new or changed information in the service, and the necessary documents are updated automatically. The documentation is thus kept up to date at all times, which allows users to always be ready for scheduled and unscheduled regulator inspections.

Incidentally, Alfadoc users learn about scheduled inspections in advance: the service's support specialists monitor the official websites of the regulators for information about inspections and import what they find into the service.

Users can assess the organization's readiness for regulator inspections themselves using dedicated functionality. They not only see which measures have already been taken but also receive recommendations listing the actions needed for full readiness for an inspection.

Fig. 3. Alfadoc allows users not only to create the necessary document package but also to monitor readiness for regulator inspections

One of Alfadoc's key features is qualified consulting on information security. Via the hotline, email and the online consultant, users of the service quickly get support when undergoing inspections, receiving requests from regulators or complaints from citizens about the processing of their personal data, taking technical measures for data protection and, of course, working with the service.

"In fact, for a year our users get on their staff the information security specialist they did not have," notes Maxim Sorokin, technical director of the Alfadoc service.

The service's functionality is constantly expanding: for example, in 2016 it gained features such as automatic generation and sending of notifications and information letters to Roskomnadzor, and maintaining the internal inspection plan and information security logs in electronic form. These functions are intended to considerably simplify the work of the employee responsible for data protection.

Data protection in subsidiaries and subordinate institutions under control

Alfadoc provides a special module for monitoring and controlling a network of subordinate or supervised organizations. With it, the curator receives online data on the existence and currency of documents, the degree of readiness for regulator inspections, and the software and information security tools in use, including the validity of their certificates of conformity, and so on.

Fig. 4. In the service, the curator obtains information online on compliance with regulatory requirements across the network of subordinate organizations

The parent organization thus sees an objective picture of the state of data protection in the supervised organizations and can monitor their compliance with the mandatory requirements of the legislation.

How to save money by purchasing a subscription to the service

There are two ways to implement the Alfadoc service. In the first option, the client buys a license for the right to use the service and enters all the necessary information into it step by step, getting advice from Alfadoc specialists as part of information support. The organization thus pays only for the license, which costs from 35 to 85 thousand rubles a year depending on the type of organization, its information systems (ISPDN, SIS) and its needs for technical documentation.

The second option, "turnkey" implementation, includes an on-site visit by a specialist to conduct an audit: entering data into the service, formatting the documentation according to the requirements of the records management instruction, and providing the customer with a profile containing the developed document package, ready for approval and signing. In this option the cost of the audit is added to the cost of the license; it depends on the size of the organization, the number of employees, the number of information systems and some other parameters, and is always calculated individually. For example, for companies with a staff of 500-600 people the audit will cost from 80 thousand to 250 thousand rubles. With "turnkey" implementation, responsibility for the quality and completeness of the entered data rests with Alfadoc specialists.

Thanks to process automation, the service lets the organization save considerable money. Compared with hiring a dedicated data protection employee or periodically engaging a third party that has to be paid regularly, Alfadoc users get 12 months of readiness for inspections for a single payment: an up-to-date documentation package and expert support. At the same time, the costs of implementing organizational measures become transparent and predictable, since the cost of the license is fixed.

Who AlfaDoc is suitable for

The main users of the Alfadoc service include federal and regional executive authorities (mainly in health care, education, informatization and finance), administrations of cities, regions and districts, hospitals, schools and other organizations.

Clients include the Ministry of Culture and Tourism of the Kaluga region, the Ministry of Education and Science of the Udmurt Republic, AU "Multifunction center of providing the public and municipal services" of the Ministry of Economic Development of Chuvashia, the state budgetary institution of the Republic of Mari El "Republican clinical hospital", the Financial Management of the City administration of Tynda, PJSC TNS energo Mari El and many others. Large-scale projects are also being implemented: recently 48 medical organizations of the Kaluga region became users of the Alfadoc service at once, under the supervision of the regional MIAC, which now obtains up-to-date information about compliance with regulatory requirements in the subordinate organizations in real time.

Why organizations choose AlfaDoc

Unlike existing market offerings with similar functionality, Alfadoc is not just a "form filler" or a primitive document generator whose output then needs lengthy "polishing". The highly intelligent algorithms underlying the service and the configurable document formatting allow the user to develop expert-level data protection documentation that is completely ready to print.

It should not be forgotten that documentation is only one element of information security: it is also necessary to carry out internal activities, keep records of information security tools and information system passports, take technical measures for data protection and much more. The Alfadoc service helps users with this because it is developing as an expert system, making it possible to implement the fullest possible set of organizational data protection measures required by regulators and to raise specialists' level of knowledge through training webinars and consultations with experts.

"We aim to create a powerful and convenient tool that simplifies the daily work of the information security specialist as much as possible, frees them from routine and from the need to constantly monitor changes in the regulatory framework, inspection lists and the regulators' various registers, and warns when and what measures need to be taken. We constantly improve and expand the functionality of the service, aim to add qualitatively to the package of developed documentation, and provide new analytical tools taking into account the wishes of our users. And, of course, we try to give our users expert support in any difficult situation connected with data protection," notes Maxim Sorokin.

