Moscow, Bratislavskaya st. 16K1
+7 495 740 4333
THE LAW “ON PERSONAL DATA”. INSPECTIONS. WHO AUDITS, WHO IS AUDITED, AND HOW. PART 2.
Inspections by FSTEC and FSB
Article 19 of the federal law “On Personal Data” defines how the security of personal data must be ensured during its processing. FSTEC and FSB may inspect only organizations that operate state information systems; for other information systems the law does not provide for such control.
It only says that FSTEC and FSB, “by decision of the Government of the Russian Federation, taking into account the importance and content of the personal data processed, may be empowered to control the implementation of organizational and technical measures … in the processing of personal data in information systems operated in the course of certain types of activity that are not state personal data information systems …”.
FSTEC and FSB inspections can be either scheduled or unscheduled.
During an inspection, the FSB pays attention to:
- the presence of an intruder model and a threat model developed in accordance with FSB requirements;
- the organizational measures required by FSB Order No. 378 (appointment of responsible persons, local acts, the procedure for employees’ access to the ISPDn, physical protection of facilities, etc.);
- the presence of cryptographic information protection tools and the procedure for their accounting and operation;
- documentation on the cryptographic information protection tools (licenses, certificates, forms, etc.).
During an inspection, FSTEC pays attention to:
- the presence of an intruder model and a threat model, and the acts establishing the security levels of the ISPDn;
- the presence of information protection tools and the procedure for their accounting and operation;
- documentation on the information protection tools (licenses, certificates, forms, etc.);
- the organizational measures required by FSTEC Order No. 21 (appointment of responsible persons, local acts, the procedure for personnel access to the ISPDn, physical protection of facilities, etc.);
- the materials of certification tests (for GIS).
So, while in the past some companies preferred to do nothing, wait for a possible audit and then pay a small fine based on its results (up to 10 000 rubles), now, in light of the increased fines, companies must treat personal data with the care it deserves.
But what is the best way to comply with the law?
- Using your own resources.
- Outsourcing the work to professionals.
Implementing the law using your own resources
In order to comply with the regulations, you need not only to be familiar with the Personal Data Act itself and its bylaws, but also to be aware of the technical issues involved in describing personal data information systems in organizational and administrative documentation.
It will take you or your employee up to 2 months to find and develop templates of personal data documents and to study the legislation and practice. And even that does not guarantee a result: you could get something wrong.
Implementing the law with the help of an outside expert
This is a reasonable approach, provided that the company you entrust has the necessary information security expertise.
To prepare personal data documents, in addition to knowledge of the law itself, you also need to know the technical bylaws and be able to regulate the technical points.
When choosing this option, you should verify with the company what kind of documents its specialists will draft, whether the technical points will be reflected in them, and whether they are experienced in working with Roskomnadzor.
ITI Group specialists have extensive experience and sufficient qualifications to conduct a high-quality audit of compliance with Federal Law No. 152-FZ of 27.07.2006 (as amended on 29.07.2017) “On Personal Data”. They will help to eliminate all deficiencies and gaps identified by the audit, can advise your company’s specialists, and can take part in inspections by the various services, monitoring the legality of the actions of the inspection bodies’ representatives.