IT subsidiary of Russian Post will check tens of thousands of automated workplaces and servers for holes to prevent data leaks
Customers: Mail Service
Project date: 2025/02
The Post Service company, which is part of the Russian Post group, published a request for prices on January 28, 2025, for a survey and classification of information resources with respect to information security. The terms of reference for the request, published on the Russian Auction House electronic platform, cover the examination and classification of personal data information systems (ISDS) and other information systems within the framework of information security for the needs of Mail Service[1].
Post Service, which Russian Post created in 2021, specializes in IT support and in supporting the latter's activities.
The stated purposes of the information security services include meeting the requirements of Russian Federation legislation on personal data security and ensuring a given level of operational stability of the ISDS by preventing and reducing possible damage from destructive information impacts on the protected ISDS.
The objectives of the project also include blocking and neutralizing information security threats that could disrupt the normal operation of the ISDS and the critical processes they implement, as well as localizing and minimizing the negative consequences if such threats are realized.
Mail Service also expects to minimize costs and choose the optimal strategy for bringing its technological processes into full compliance with the requirements of the regulatory legal acts (NPA) of the Russian Federation, other regulatory and legal acts, and national standards for information protection, while ensuring the proper level of information security.
Geographically, the services cover the company's directorates in different macro-regions. The scope of services, as specified in the terms of reference, includes:
- Automated workplaces that are serviced by the customer - no more than 140 thousand pcs.;
- Virtual servers that do not belong to the customer, but on which the customer's personal data can be processed - no more than 21 thousand units;
- Physical servers that do not belong to the customer, but on which the customer's personal data can be processed - no more than 4 thousand units;
- Active network equipment of the customer (routers, switches, crypto switches, etc.) - no more than 800 pcs.;
- Customer's automated workplaces (actual) - no more than 3.6 thousand pcs.;
- Customer's personal data systems - no more than 10 pcs.
At the last stage of service provision, which covers the fulfillment of organizational requirements for information protection, an information security threat model and the terms of reference for creating or modernizing the information security system must be developed. In addition, it is planned to develop or update regulatory, methodological, organizational and administrative documentation related to information security.
Russian Post explained to TAdviser that the terms of reference refer, among other things, to Russian Post's IT systems, namely automated workplaces.
Mail Service is a subsidiary of Russian Post, so one way or another the purchase affects Mail, but the goal is exclusively to protect the personal data of Mail Service employees, the company said.
The deadline for the provision of services is 5 calendar months from the date of signing the contract.