Resolution on approval of requirements for the protection of personal data during their processing in personal data information systems (Rossiyskaya Gazeta). Levels of protection of personal data instead of classes: Government Decree No. 1119

Decree of the Government of the Russian Federation No. 1119 of November 1, 2012 did away with the classes of personal data information systems that everyone had already grown used to.

In place of classes, the new decree establishes four levels of security of personal data during their processing in information systems, with requirements for each level. An information system is assigned to a level depending on the type of personal data it processes, the type of current threats, the number of personal data subjects whose data it processes, and whether those subjects are the operator's employees.

Personal data information systems (ISPDn), according to paragraph 5 of Decree No. 1119, are divided into 4 groups:

  • Special ISPDn (ISPDn-S)

    if the ISPDn processes personal data relating to race, nationality, political views, religious or philosophical beliefs, health status or intimate life of the personal data subjects;

  • Biometric ISPDn (ISPDn-B)

    if the ISPDn processes information characterizing the physiological and biological features of a person, on the basis of which his identity can be established and which the operator uses to establish the identity of the personal data subject, and does not process special categories of personal data;

  • Public ISPDn (ISPDn-O)

    if the ISPDn processes only personal data obtained from publicly available sources of personal data created in accordance with Article 8 of the Federal Law "On Personal Data";

  • Other ISPDn (ISPDn-I)

    if the ISPDn processes personal data of subjects not covered by the three previous groups.

Based on the form of the relationship between your organization and the subjects, processing is divided into 2 types:

  • processing of personal data of employees (entities with whom your organization has labor relations);
  • processing of personal data of subjects who are not employees of your organization.

Based on the number of subjects whose personal data is processed, Resolution No. 1119 defines only 2 categories:

  • less than 100,000 subjects;
  • more than 100,000 subjects.

And finally, types of current threats:

  • Type 1 threats are associated with the presence of undeclared (undocumented) capabilities in the system software used in the ISPD;
  • Type 2 threats are associated with the presence of undeclared capabilities in the application software used in the ISPD;
  • Type 3 threats are not associated with the presence of undeclared capabilities in the software used in the ISPD.

There is no regulation on how to determine the type of current threats, and the requirements of PP-1119 offer neither a method for determining them nor methods for neutralizing them. Previously the operator had a choice: classify a typical ISPDn from a table, or classify a special ISPDn from the results of a threat model. Now there is no choice: the level of security is always determined by the relevance of the threats. An operator is unlikely to be able to determine them independently and will have to turn to a higher organization or a consultant. The path of least resistance is to declare type 3 threats current and forget about undeclared (undocumented) capabilities in system and application software, but that decision will have to be justified, which brings us back to the question at the start of this paragraph: how?

The relevance of threats to personal data information systems is a very important topic, because correctly described threats determine how well the system will be protected and how much that protection will cost the personal data operator.

Once you have settled the initial data for a specific ISPDn, including the type of current threats, you can determine its level of security. The following table, built from PP-1119, makes the lookup convenient:

ISPDn type           | Operator   | Number of   | Type of current threats
                     | employees  | subjects    | 1 (NDV OS)  | 2 (NDV PO)  | 3 (without NDV)
---------------------|------------|-------------|-------------|-------------|----------------
ISPDn-S (special)    | No         | > 100 000   | UZ-1        | UZ-1        | UZ-2
                     | No         | < 100 000   | UZ-1        | UZ-2        | UZ-3
                     | Yes        | any         | UZ-1        | UZ-2        | UZ-3
ISPDn-B (biometric)  | any        | any         | UZ-1        | UZ-2        | UZ-3
ISPDn-I (others)     | No         | > 100 000   | UZ-1        | UZ-2        | UZ-3
                     | No         | < 100 000   | UZ-2        | UZ-3        | UZ-4
                     | Yes        | any         | UZ-2        | UZ-3        | UZ-4
ISPDn-O (public)     | No         | > 100 000   | UZ-2        | UZ-2        | UZ-4
                     | No         | < 100 000   | UZ-2        | UZ-3        | UZ-4
                     | Yes        | any         | UZ-2        | UZ-3        | UZ-4

NDV = undeclared (undocumented) capabilities; OS = system software; PO = application software. "Yes" in the employees column means the ISPDn processes only the operator's employees' data; such systems fall in the same row as fewer than 100 000 non-employee subjects.

Depending on the selected level of PD security, PP-1119 defines a number of requirements for the protection of personal data, which are organized and carried out by the operator (authorized person) independently and (or) with the involvement of legal entities and individual entrepreneurs on a contractual basis, having a license to carry out activities on technical protection of confidential information. Monitoring of compliance with the requirements must be carried out at least once every 3 years within the time frame determined by the operator (authorized person).

Requirement | UZ-1 | UZ-2 | UZ-3 | UZ-4
Organization of a security regime for the premises in which the information system is located, preventing the possibility of uncontrolled entry or stay in these premises by persons who do not have access to these premises | + | + | + | +
Ensuring the safety of personal data carriers | + | + | + | +
Approval by the head of the operator of a document defining the list of persons whose access to personal data processed in the information system is necessary for the performance of their official (labor) duties | + | + | + | +
The use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in cases where the use of such tools is necessary to neutralize current threats | + | + | + | +
Appointment of an official responsible for ensuring the security of personal data in the ISPDn | + | + | + | -
Restricting access to the contents of the electronic message log | + | + | - | -
Automatic registration in the electronic security log of changes in the powers of the operator's employee to access personal data contained in the information system | + | - | - | -
Creation of a structural unit responsible for ensuring the security of personal data in the information system, or assigning functions to ensure such security to one of the structural units | + | - | - | -

Having determined the requirements for the protection of personal data in accordance with PP-1119, you can proceed to selecting the organizational and technical measures to ensure the security of personal data, based on Order No. 21 of the FSTEC of Russia dated February 18, 2013, which are aimed at neutralizing current threats to the security of personal data.

What to do with information security tools, certificates for which were previously issued for certain classes of ISPD?

In accordance with the information message of the FSTEC of Russia dated November 20, 2012 N 240/24/4669 "On the features of the protection of personal data during their processing in personal data information systems and certification of information security tools intended for the protection of personal data", certificates of conformity issued by the FSTEC of Russia before the entry into force of the FSTEC regulatory legal act (meaning Order No. 21) establishing the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems are not subject to re-registration:

  • information security tools that may be used to protect personal data processed in class 1 personal data information systems may be used to ensure the security of personal data processed in personal data information systems up to level 1 inclusive;
  • information security tools that may be used to protect personal data processed in class 2 personal data information systems may be used to ensure level 4 security of personal data processed in personal data information systems.

GOVERNMENT OF THE RUSSIAN FEDERATION

RESOLUTION

On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems


Lost force on November 15, 2012 based on
resolutions of the Government of the Russian Federation
dated November 1, 2012 N 1119
____________________________________________________________________

In accordance with Article 19 of the Federal Law "On Personal Data", the Government of the Russian Federation

decides:

1. Approve the attached Regulations on ensuring the security of personal data during their processing in personal data information systems.

2. The Federal Security Service of the Russian Federation and the Federal Service for Technical and Export Control shall approve, within their competence, within a 3-month period, the regulatory legal acts and methodological documents necessary to fulfill the requirements provided for by the Regulations approved by this resolution.

Chairman of the Government
Russian Federation

Regulations on ensuring the security of personal data during their processing in personal data information systems

APPROVED
Government resolution
Russian Federation
dated November 17, 2007 N 781

1. These Regulations establish requirements for ensuring the security of personal data during their processing in personal data information systems, which are a collection of personal data contained in databases, as well as information technologies and technical means that allow the processing of such personal data using automation tools (hereinafter referred to as information systems).

Technical means that allow the processing of personal data are understood as computer facilities, information and computing complexes and networks, means and systems for transmitting, receiving and processing personal data (means and systems for sound recording, sound amplification, sound reproduction, intercom and television devices, manufacturing means, document replication and other technical means of processing speech, graphic, video and alphanumeric information), software (operating systems, database management systems, etc.), information security tools used in information systems.

2. Security of personal data is achieved by excluding unauthorized, including accidental, access to personal data, which may result in destruction, modification, blocking, copying, distribution of personal data, as well as other unauthorized actions.

The security of personal data during their processing in information systems is ensured using a personal data protection system, including organizational measures and means of protecting information (including encryption (cryptographic) means, means of preventing unauthorized access, information leakage through technical channels, software and hardware impacts on technical means for processing personal data), as well as information technologies used in the information system. Hardware and software must meet the requirements established in accordance with the legislation of the Russian Federation to ensure the protection of information.

To ensure the security of personal data during their processing in information systems, protection is provided for speech information and information processed by technical means, as well as information presented in the form of informative electrical signals, physical fields, media on paper, magnetic, magneto-optical and other bases.

3. Methods and means of protecting information in information systems are established by the Federal Service for Technical and Export Control and the Federal Security Service of the Russian Federation within the limits of their powers.

The adequacy of the measures taken to ensure the security of personal data during their processing in information systems is assessed during state control and supervision.

4. Work to ensure the security of personal data during their processing in information systems is an integral part of the work on creating information systems.

5. Information security tools used in information systems undergo a conformity assessment procedure in accordance with the established procedure.

6. Information systems are classified by state bodies, municipal bodies, legal entities or individuals organizing and (or) carrying out the processing of personal data, as well as determining the purposes and content of the processing of personal data (hereinafter referred to as the operator), depending on the volume of personal data processed by them and security threats to the vital interests of the individual, society and state.

The procedure for classifying information systems is established jointly by the Federal Service for Technical and Export Control, the Federal Security Service of the Russian Federation and the Ministry of Information Technologies and Communications of the Russian Federation.

7. The exchange of personal data during their processing in information systems is carried out through communication channels, the protection of which is ensured through the implementation of appropriate organizational measures and (or) through the use of technical means.

8. The placement of information systems, the special equipment and security of the premises in which work with personal data is carried out, and the organization of a security regime in these premises must ensure the safety of personal data carriers and information security means, and must also exclude the possibility of uncontrolled entry or presence of unauthorized persons in these premises.

9. Possible channels of information leakage during the processing of personal data in information systems are determined by the Federal Service for Technical and Export Control and the Federal Security Service of the Russian Federation within the limits of their powers.

10. The security of personal data when processed in the information system is ensured by the operator or the person to whom, on the basis of an agreement, the operator entrusts the processing of personal data (hereinafter referred to as the authorized person). An essential condition of the contract is the obligation of the authorized person to ensure the confidentiality of personal data and the security of personal data when processed in the information system.

11. When processing personal data in the information system, the following must be ensured:

a) carrying out measures aimed at preventing unauthorized access to personal data and (or) their transfer to persons who do not have the right to access such information;

b) timely detection of facts of unauthorized access to personal data;

c) preventing influence on technical means of automated processing of personal data, as a result of which their functioning may be disrupted;

d) the possibility of immediate restoration of personal data modified or destroyed due to unauthorized access to it;

e) constant monitoring of ensuring the level of security of personal data.

12. Measures to ensure the security of personal data during their processing in information systems include:

a) identification of threats to the security of personal data during their processing, formation of a threat model based on them;

b) development, based on the threat model, of a personal data protection system that ensures the neutralization of the presumed threats using the methods and means of protecting personal data provided for the corresponding class of information systems;

c) checking the readiness of information security tools for use with drawing up conclusions on the possibility of their operation;

d) installation and commissioning of information security means in accordance with operational and technical documentation;

e) training of persons using information security tools used in information systems on the rules of working with them;

f) accounting of the information protection means used, operational and technical documentation for them, personal data carriers;

g) accounting of persons authorized to work with personal data in the information system;

h) control over compliance with the conditions for the use of information security tools provided for in the operational and technical documentation;

i) investigation and drawing up conclusions on facts of non-compliance with the storage conditions of personal data carriers, the use of information security measures that may lead to a violation of the confidentiality of personal data or other violations leading to a decrease in the level of security of personal data, development and adoption of measures to prevent possible dangerous consequences of such violations;

j) description of the personal data protection system.

13. To develop and implement measures to ensure the security of personal data during their processing in the information system, an operator or an authorized person may appoint a structural unit or official (employee) responsible for ensuring the security of personal data.

14. Persons whose access to personal data processed in the information system is necessary to perform official (labor) duties are allowed access to the relevant personal data on the basis of a list approved by the operator or authorized person.

15. Requests from users of the information system to obtain personal data, including the persons specified in paragraph 14 of these Regulations, as well as the facts of providing personal data on these requests are registered by automated means of the information system in the electronic log of requests. The contents of the electronic log of requests are periodically checked by the relevant officials (employees) of the operator or authorized person.

16. If violations of the procedure for providing personal data are detected, the operator or authorized person shall immediately suspend the provision of personal data to users of the information system until the causes of the violations are identified and these causes are eliminated.

17. The implementation of requirements for ensuring information security in information security tools rests with their developers.

In relation to the developed encryption (cryptographic) information security tools designed to ensure the security of personal data during their processing in information systems, case studies and control case studies are conducted in order to verify compliance with information security requirements. In this case, case studies are understood as cryptographic, engineering-cryptographic and special studies of information security tools and special work with technical means of information systems, and control case studies are periodically conducted case studies.

Specific deadlines for conducting control case studies are determined by the Federal Security Service of the Russian Federation.

18. The results of conformity assessment and (or) case studies of information security tools designed to ensure the security of personal data during their processing in information systems are assessed during the examination carried out by the Federal Service for Technical and Export Control and the Federal Security Service of the Russian Federation within their powers.

19. Information security measures intended to ensure the security of personal data during their processing in information systems are accompanied by rules for the use of these means, agreed upon with the Federal Service for Technical and Export Control and the Federal Security Service of the Russian Federation within the limits of their powers.

Changes in the conditions for the use of information protection means provided for by these rules are agreed upon with these federal executive authorities within the limits of their powers.

20. Information security measures designed to ensure the security of personal data during their processing in information systems are subject to accounting using indexes or code names and registration numbers. The list of indices, code names and registration numbers is determined by the Federal Service for Technical and Export Control and the Federal Security Service of the Russian Federation within the limits of their powers.

21. Features of the development, production, implementation and operation of encryption (cryptographic) means of information protection and the provision of services for encrypting personal data during their processing in information systems are established by the Federal Security Service of the Russian Federation.

Electronic document text
prepared by Kodeks JSC and verified against:
Collection of legislation
Russian Federation,
N 48, 26.11.2007, art. 6001

Decree of the Government of the Russian Federation of November 1, 2012 N 1119
"On approval of requirements for the protection of personal data during their processing in personal data information systems"

In accordance with Article 19 of the Federal Law "On Personal Data", the Government of the Russian Federation decides:

1. Approve the attached requirements for the protection of personal data during their processing in personal data information systems.

2. Recognize as invalid the Decree of the Government of the Russian Federation of November 17, 2007 N 781 "On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems" (Collected Legislation of the Russian Federation, 2007, N 48, Art. 6001).

Requirements
to the protection of personal data during their processing in personal data information systems
(approved by Decree of the Government of the Russian Federation of November 1, 2012 N 1119)

1. This document establishes requirements for the protection of personal data when processed in personal data information systems (hereinafter referred to as information systems) and the levels of security of such data.

2. The security of personal data when processed in the information system is ensured using a personal data protection system that neutralizes current threats identified in accordance with Part 5 of Article 19

The personal data protection system includes organizational and (or) technical measures determined taking into account current threats to the security of personal data and information technologies used in information systems.

3. The security of personal data when processed in an information system is ensured by the operator of this system, who processes personal data (hereinafter referred to as the operator), or by the person processing personal data on behalf of the operator on the basis of an agreement concluded with this person (hereinafter referred to as the authorized person). The agreement between the operator and the authorized person must provide for the obligation of the authorized person to ensure the security of personal data when processed in the information system.

4. The choice of information security means for the personal data protection system is carried out by the operator in accordance with regulatory legal acts adopted by the Federal Security Service of the Russian Federation and the Federal Service for Technical and Export Control in pursuance of Part 4 of Article 19 of the Federal Law "On Personal Data".

5. An information system is an information system that processes special categories of personal data if it processes personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life of the subjects of personal data.

An information system is an information system that processes biometric personal data if it processes information that characterizes the physiological and biological characteristics of a person, on the basis of which one can establish his identity and which is used by the operator to establish the identity of the subject of personal data, and does not process information related to special categories of personal data.

An information system is an information system that processes publicly available personal data if it processes personal data of personal data subjects obtained only from publicly available sources of personal data created in accordance with Article 8 of the Federal Law “On Personal Data”.

An information system is an information system that processes other categories of personal data, if it does not process the personal data specified in paragraphs one through three of this paragraph.

An information system is an information system that processes personal data of the operator’s employees if it processes only the personal data of specified employees. In other cases, the personal data information system is an information system that processes personal data of personal data subjects who are not employees of the operator.

6. Current threats to the security of personal data are understood as a set of conditions and factors that create a current danger of unauthorized, including accidental, access to personal data during their processing in an information system, which may result in destruction, modification, blocking, copying, provision or distribution of personal data, as well as other illegal actions.

Type 1 threats are relevant to an information system if threats associated with the presence of undocumented (undeclared) capabilities in the system software used in the information system are also relevant to it.

Threats of the 2nd type are relevant for an information system if threats associated with the presence of undocumented (undeclared) capabilities in the application software used in the information system are also relevant for it.

Type 3 threats are relevant to an information system if threats that are not related to the presence of undocumented (undeclared) capabilities in the system and application software used in the information system are relevant to it.

7. Determination of the type of threats to the security of personal data relevant to the information system is carried out by the operator taking into account the assessment of possible harm carried out in pursuance of paragraph 5 of part 1 of Article 18.1 of the Federal Law "On Personal Data", and in accordance with regulatory legal acts adopted in pursuance of Part 5 of Article 19 of the Federal Law "On Personal Data".

8. When processing personal data in information systems, 4 levels of personal data security are established.

9. The need to ensure the 1st level of security of personal data when processed in an information system is established if at least one of the following conditions is present:

a) type 1 threats are relevant to the information system and the information system processes either special categories of personal data, or biometric personal data, or other categories of personal data;

b) type 2 threats are relevant to the information system and the information system processes special categories of personal data of more than 100,000 personal data subjects who are not employees of the operator.

10. The need to ensure the 2nd level of security of personal data when processing it in the information system is established if at least one of the following conditions is present:

a) type 1 threats are relevant to the information system and the information system processes publicly available personal data;

b) type 2 threats are relevant to the information system and the information system processes special categories of personal data of the operator’s employees or special categories of personal data of less than 100,000 personal data subjects who are not employees of the operator;

c) type 2 threats are relevant to the information system and the information system processes biometric personal data;

d) type 2 threats are relevant to the information system and the information system processes publicly available personal data of more than 100,000 personal data subjects who are not employees of the operator;

e) type 2 threats are relevant to the information system and the information system processes other categories of personal data of more than 100,000 personal data subjects who are not employees of the operator;

f) type 3 threats are relevant for the information system and the information system processes special categories of personal data of more than 100,000 personal data subjects who are not employees of the operator.

11. The need to ensure the 3rd level of security of personal data during their processing in the information system is established if at least one of the following conditions is present:

a) type 2 threats are relevant to the information system and the information system processes publicly available personal data of the operator’s employees or publicly available personal data of less than 100,000 personal data subjects who are not employees of the operator;

b) type 2 threats are relevant to the information system and the information system processes other categories of personal data of the operator’s employees or other categories of personal data of less than 100,000 personal data subjects who are not employees of the operator;

c) type 3 threats are relevant for the information system and the information system processes special categories of personal data of the operator’s employees or special categories of personal data of less than 100,000 personal data subjects who are not employees of the operator;

d) type 3 threats are relevant to the information system and the information system processes biometric personal data;

e) type 3 threats are relevant to the information system and the information system processes other categories of personal data of more than 100,000 personal data subjects who are not employees of the operator.

12. The need to ensure the 4th level of security of personal data when processing it in an information system is established if at least one of the following conditions is present:

a) type 3 threats are relevant to the information system and the information system processes publicly available personal data;

b) type 3 threats are relevant for the information system and the information system processes other categories of personal data of the operator’s employees or other categories of personal data of less than 100,000 personal data subjects who are not employees of the operator.

13. To ensure the 4th level of security of personal data when processing it in information systems, the following requirements must be met:

a) organizing a security regime for the premises in which the information system is located, preventing the possibility of uncontrolled entry or stay in these premises by persons who do not have access to these premises;

b) ensuring the safety of personal data carriers;

c) approval by the head of the operator of a document defining the list of persons whose access to personal data processed in the information system is necessary for the performance of their official (labor) duties;

d) the use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in cases where the use of such means is necessary to neutralize current threats.

14. To ensure the 3rd level of security of personal data during their processing in information systems, in addition to fulfilling the requirements provided for in paragraph 13 of this document, it is necessary that an official (employee) be appointed responsible for ensuring the security of personal data in the information system.

15. To ensure the 2nd level of security of personal data during their processing in information systems, in addition to fulfilling the requirements provided for in paragraph 14 of this document, it is necessary that access to the contents of the electronic message log is possible only for officials (employees) of the operator or an authorized person, for whom the information contained in the specified journal is necessary to perform official (labor) duties.

16. To ensure the 1st level of security of personal data when processing it in information systems, in addition to the requirements provided for in paragraph 15 of this document, the following requirements must be met:

a) automatic recording in the electronic security log of changes to the access rights (permissions) of the operator’s employees to personal data contained in the information system;

b) creating a structural unit responsible for ensuring the security of personal data in the information system, or assigning functions to ensure such security to one of the structural units.

17. Monitoring of compliance with these requirements is organized and carried out by the operator (authorized person) independently and (or) with the involvement, on a contractual basis, of legal entities and individual entrepreneurs licensed to carry out activities for the technical protection of confidential information. This monitoring is carried out at least once every 3 years, within the time limits determined by the operator (authorized person).

Electronic document text
prepared by Kodeks JSC and verified against.