Protection of personal data at the bank. Security of personal data at the bank. Rights of the personal data operator

REGULATION

on the protection of personal data

of Clients (subscribers)

at LLC "Ortes-Finance"

1. Terms and definitions

1.1. Personal data – any information relating to a natural person (personal data subject) who is identified or identifiable on the basis of that information, including surname, first name, patronymic, year, month, date and place of birth, address, e-mail address, telephone number, family, social and property status, education, profession, income, and other information.

1.2. Processing of personal data – actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, modification), use, dissemination (including transfer), depersonalization, and blocking.

1.3. Confidentiality of personal data – the obligation, binding on a person who has obtained access to personal data, not to allow their dissemination without the consent of the subject or another lawful basis.

1.4. Dissemination of personal data – actions aimed at transferring personal data to a specific circle of persons (transfer of personal data) or at making personal data known to an unlimited circle of persons, including publication of personal data in the mass media, placement in information and telecommunication networks, or granting access to personal data in any other way.

1.5. Use of personal data – actions (operations) with personal data performed in order to make decisions or carry out other actions that give rise to legal consequences for the personal data subjects or otherwise affect their rights and freedoms or the rights and freedoms of other persons.

1.6. Blocking of personal data – temporary cessation of the collection, systematization, accumulation, use and dissemination of personal data, including their transfer.

1.7. Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system, or as a result of which the material carriers of personal data are destroyed.

1.8. Depersonalization of personal data – actions as a result of which it becomes impossible, without additional information, to determine to which specific subject the personal data belong.

1.9. Publicly available personal data – personal data to which an unlimited circle of persons has access with the subject's consent, or which, in accordance with federal laws, are not subject to the confidentiality requirement.

1.10. Information – data (messages, data) regardless of the form in which they are presented.

1.11. Client (personal data subject) – a natural person who is a consumer of the services of LLC "Ortes-Finance" (hereinafter the "Organization").

1.12. Operator – a state body, municipal body, legal entity or natural person which, independently or jointly with other persons, organizes and/or carries out the processing of personal data, and also determines the purposes of processing, the composition of the personal data to be processed, and the actions (operations) performed on the personal data. For the purposes of this Regulation, the Operator is Limited Liability Company "Ortes-Finance".

2. General provisions.

2.1. This Regulation on the processing of personal data (hereinafter the Regulation) has been developed in accordance with the Constitution of the Russian Federation, the Civil Code of the Russian Federation, the Federal Law "On Information, Information Technologies and Protection of Information", Federal Law 152-FZ "On Personal Data", and other federal laws.

2.2. The purpose of this Regulation is to establish the procedure for processing and protecting the personal data of all Clients of the Organization whose data are processed by the Operator; to ensure the protection of human and civil rights and freedoms during the processing of personal data, including the right to privacy and to personal and family secrets; and to establish the liability of officials who have access to personal data for failure to comply with the rules regulating the processing and protection of personal data.

2.3. Procedure for entry into force and amendment of the Regulation.

2.3.1. This Regulation enters into force from the moment of its approval by the General Director of the Organization and remains in effect until it is replaced by a new Regulation.

2.3.2. Amendments to the Regulation are made on the basis of orders of the General Director of the Organization.

3. Composition of personal data.

3.1. The personal data of Clients comprise:

3.1.1. Surname, first name, patronymic.

3.1.2. Year of birth.

3.1.3. Month of birth.

3.1.4. Date of birth.

3.1.5. Place of birth.

3.1.6. Passport details.

3.1.7. E-mail addresses.

3.1.8. Telephone numbers (home, personal).

3.2. The following documents and records containing data about Clients may be created (obtained, collected) and stored in the Organization, including in electronic form:

3.2.1. Application by a natural person to connect to services.

3.2.2. Agreement (public offer).

3.2.3. Confirmation of accession to the agreement.

3.2.5. Copies of identity documents, as well as other documents provided by the Client that contain personal data.

3.2.6. Payment data for goods/services, including the Client's payment and other details.

4. Purposes of processing personal data.

4.1. The purpose of processing personal data is to carry out a set of actions aimed at achieving the Organization's objectives, including:

4.1.1. Providing consulting and information services.

4.1.2. Other purposes not prohibited by law, including the set of actions with personal data necessary to achieve the purposes listed above.

4.1.3. Compliance with the requirements of the legislation of the Russian Federation.

4.2. The grounds for processing personal data are the activities of the Organization and the express consent of the Client.

5. Collection, processing and protection of personal data.

5.1. Procedure for obtaining (collecting) personal data:

5.1.1. All personal data of the Client must be obtained from the Client personally, with his written consent, except for the cases specified in clauses 5.1.4 and 5.1.6 of this Regulation and other cases provided for by the laws of the Russian Federation.

5.1.2. The Client's consent to the processing of his personal data is stored in the Organization in paper and/or electronic form.

5.1.3. The subject's consent to the processing of personal data is valid for the entire term of the agreement, as well as for 5 years from the date of termination of the contractual relationship between the Client and the Organization. Upon expiry of that period, the consent is deemed extended for each subsequent five years unless information on its withdrawal is received.

5.1.4. If the Client's personal data can only be obtained from a third party, the Client must be notified of this in advance and his written consent obtained. The third party providing the Client's personal data must have the subject's consent to the transfer of the personal data to the Organization. The Organization must obtain confirmation from the third party transferring the Client's personal data that the personal data are transferred with the subject's consent. When interacting with third parties, the Organization must ensure the confidentiality of information about the personal data of Clients.

5.1.5. The Organization must inform the Client of the purposes, intended sources and methods of obtaining personal data, of the nature of the personal data to be obtained, and of the consequences of the Client's refusal to give written consent to their receipt.

5.1.6. Processing of Clients' personal data without their consent is carried out in the following cases:

5.1.6.1. The personal data are publicly available.

5.1.6.2. At the request of authorized state bodies in the cases provided for by federal law.

5.1.6.3. The processing of personal data is carried out on the basis of a federal law that establishes its purpose, the conditions for obtaining personal data and the circle of subjects whose personal data are subject to processing, and that defines the operator's powers.

5.1.6.4. The processing of personal data is carried out for the performance of an agreement to which the personal data subject (the Client) is a party.

5.1.6.5. The processing of personal data is carried out for statistical purposes, subject to mandatory depersonalization of the personal data.

5.1.6.6. In other cases provided for by law.

5.1.7. The Organization has no right to obtain or process the Client's personal data concerning his race, nationality, political views, religious or philosophical beliefs, health, or intimate life.

5.2. Procedure for processing personal data:

5.2.1. The personal data subject provides the Organization with reliable information about himself.

5.2.2. Only employees of the Organization who are authorized to work with Clients' personal data and have signed a Non-Disclosure Agreement regarding Clients' personal data may be admitted to the processing of Clients' personal data.

5.2.3. The following may have the right of access to Clients' personal data in the Organization:

- General Director of the Organization;

- Employees responsible for financial matters (manager, accountant);

- Employees who work with Clients (sales manager, manager);

- IT specialists (technical director, system administrator);

- The Client as the personal data subject.

5.2.3.1. The list by name of the Organization's employees who have access to Clients' personal data is determined by order of the General Director of the Organization.

5.2.4. The Client's personal data may be processed solely for the purposes set out in this Regulation and in compliance with the laws and other regulatory legal acts of the Russian Federation.

5.2.5. When determining the scope and content of the personal data to be processed, the Organization is guided by the Constitution of the Russian Federation, the law on personal data and other federal laws.

5.3. Protection of personal data:

5.3.1. Protection of Clients' personal data means a set of measures (organizational and administrative, technical, legal) aimed at preventing unlawful or accidental access to them, destruction, modification, blocking, copying or dissemination of the subjects' personal data, and other unlawful actions.

5.3.2. Protection of Clients' personal data is carried out at the Organization's expense in the manner established by the federal laws of the Russian Federation.

5.3.3. When protecting Clients' personal data, the Organization takes all necessary organizational, administrative, legal and technical measures, including:

- Antivirus protection.

- Security analysis.

- Intrusion detection and prevention.

- Access control.

- Logging and accounting.

- Integrity assurance.

- Development of local normative and methodological documents regulating the protection of personal data.

5.3.4. General organization of the protection of Clients' personal data is carried out by the General Director of the Organization.

5.3.5. Access to Clients' personal data is granted to those employees of the Organization who need the personal data in connection with their job duties.

5.3.6. All employees involved in obtaining, processing and protecting Clients' personal data must sign a Non-Disclosure Agreement regarding Clients' personal data.

5.3.7. The procedure for obtaining access to Clients' personal data includes:

- Familiarization of the employee, against signature, with this Regulation. If other regulatory acts (orders, instructions, directions, etc.) regulating the processing and protection of Clients' personal data exist, the employee is also familiarized with these acts against signature.

- Obtaining from the employee (except the General Director) a written undertaking to maintain the confidentiality of Clients' personal data and to comply with the rules for their processing in accordance with the Organization's internal local acts regulating the security of confidential information.

5.3.8. An employee of the Organization who has access to Clients' personal data in connection with his job duties:

- Ensures that information containing Clients' personal data is stored in a way that excludes access to it by third parties.

- Does not leave documents containing Clients' personal data at the workplace while absent from it.

- When on leave, on a business trip, or otherwise absent from work for a prolonged period, hands over documents and other media containing Clients' personal data to the person who, under a local act of the Company (order, instruction), is assigned to perform his job duties.

- If no such person has been appointed, documents and other media containing Clients' personal data are handed over to another employee who has access to Clients' personal data, as instructed by the General Director of the Organization.

- Upon dismissal of an employee who had access to Clients' personal data, documents and other media containing Clients' personal data are handed over to another employee who has access to Clients' personal data, as instructed by the General Director.

- Access to Clients' personal data may be granted to another employee by written instruction of the immediate supervisor and on the basis of a memo with a positive resolution of the General Director. Access to Clients' personal data by other employees of the Organization who do not have duly authorized access is prohibited.

5.3.9. The HR manager ensures:

- Familiarization of employees, against signature, with this Regulation.

- Obtaining written undertakings to maintain the confidentiality of Clients' personal data (Non-Disclosure) and to comply with the rules for their processing.

- General control over employees' compliance with the measures to protect Clients' personal data.

5.3.10. Protection of Clients' personal data stored in the Organization's electronic databases against unauthorized access, distortion or destruction of information, as well as other unlawful actions, is ensured by the System Administrator.

5.4. Storage of personal data:

5.4.1. Clients' personal data on paper media are stored in safes.

5.4.2. Clients' personal data in electronic form are stored on the Organization's local computer network, in electronic folders and files on the personal computers of the General Director and of the employees authorized to process Clients' personal data.

5.4.3. Documents containing Clients' personal data are stored in cabinets (safes) that are locked to ensure protection against unauthorized access. At the end of the working day, all documents containing Clients' personal data are placed in cabinets (safes) to ensure protection against unauthorized access.

5.4.4. Protection of access to the electronic databases containing Clients' personal data is ensured by:

- Use of licensed antivirus and anti-hacking programs that prevent unauthorized entry into the Organization's local network.

- Differentiation of access rights by means of user accounts.

- A two-level password system: at the level of the local computer network and at the level of the databases. Passwords are set by the System Administrator of the Organization and are communicated individually to the employees who have access to Clients' personal data.

5.4.4.1. Unauthorized entry to a PC containing Clients' personal data is blocked by a password that is set by the System Administrator and is not subject to disclosure.

5.4.4.2. All electronic folders and files containing Clients' personal data are protected by a password, which is set by the Organization's employee responsible for computer security and is reported to the System Administrator.

5.4.4.3. Passwords are changed by the System Administrator at least once every 3 months.

5.4.5. Copying and extraction of Clients' personal data is permitted exclusively for official purposes with the written permission of the General Director of the Organization.

5.4.6. Responses to written requests from other organizations and institutions concerning Clients' personal data are provided only with the written consent of the Client himself, unless otherwise provided by law. Responses are made in writing, on the Organization's letterhead, and only to the extent that allows the confidentiality of the Client's personal data to be maintained.

6. Blocking, depersonalization and destruction of personal data

6.1. Procedure for blocking and unblocking personal data:

6.1.1. Blocking of the Client's personal data is carried out upon a written request from the Client.

6.1.2. Blocking of personal data implies:

6.1.2.2. Prohibition of the dissemination of personal data by any means (e-mail, cellular communication, material carriers).

6.1.2.4. Withdrawal of the paper documents relating to the Client and containing his personal data from the Organization's internal document flow, and prohibition of their use.

6.1.3. The blocking of the Client's personal data may be temporarily lifted if this is necessary to comply with the legislation of the Russian Federation.

6.1.4. Unblocking of the Client's personal data is carried out upon his written consent (if such consent is required) or upon the Client's application.

6.1.5. Renewed consent by the Client to the processing of his personal data (if such consent is required) entails the unblocking of his personal data.

6.2. Procedure for the depersonalization and destruction of personal data:

6.2.1. Depersonalization of the Client's personal data is carried out upon a written request from the Client, provided that all contractual relations have been completed and at least 5 years have passed since the end of the last agreement.

6.2.2. Upon depersonalization, personal data in the information systems are replaced by a set of characters that makes it impossible to determine that the personal data belong to a specific Client.

6.2.3. Paper documents are destroyed upon depersonalization of personal data.

6.2.4. The Organization must ensure the confidentiality of personal data when it is necessary to test information systems on the developer's premises, and must depersonalize the personal data in the information systems transferred to the developer.

6.2.5. Destruction of the Client's personal data implies termination of any access to the Client's personal data.

6.2.6. Upon destruction of the Client's personal data, the Organization's employees cannot gain access to the subject's personal data in the information systems.

6.2.7. Upon destruction of personal data, paper documents are destroyed and personal data in the information systems are depersonalized. The personal data cannot be restored.

6.2.8. The operation of destroying personal data is irreversible.

6.2.9. The period after which destruction of the Client's personal data becomes possible is determined by the expiry of the storage period specified in clause 7.3 of this Regulation.

7. Transfer and storage of personal data

7.1. Transfer of personal data:

7.1.1. Transfer of the subject's personal data means the dissemination of information via communication channels and on material carriers.

7.1.2. When transferring personal data, the Organization's employees must comply with the following requirements:

7.1.2.1. Not to disclose the Client's personal data for commercial purposes.

7.1.2.2. Not to disclose the Client's personal data to a third party without the Client's written consent, except for the cases established by the federal laws of the Russian Federation.

7.1.2.3. To warn the persons receiving the Client's personal data that these data may be used only for the purposes for which they were communicated, and to require confirmation that this rule is observed;

7.1.2.4. To allow access to Clients' personal data only to specially authorized persons, who may receive only those personal data of Clients that are necessary to perform specific functions.

7.1.2.5. To transfer the Client's personal data within the Organization in accordance with this Regulation, regulatory and technological documentation and job descriptions.

7.1.2.6. To give the Client access to his personal data when the Client applies or submits a request. The Organization must provide the Client with information about the existence of personal data about him, as well as the opportunity to familiarize himself with them, within ten working days from the date of the request.

7.1.2.7. To transfer the Client's personal data to the Client's representatives in the manner established by law and by regulatory and technological documentation, and to limit this information to those personal data of the subject that are necessary for the representatives to perform their functions.

7.2. Storage and use of personal data:

7.2.1. Storage of personal data means the existence of records in information systems and on material carriers.

7.2.2. Clients' personal data are processed and stored in information systems, as well as on the Organization's paper media. Clients' personal data are also stored in electronic form: on the Organization's local computer network, in electronic folders and files on the PCs of the General Director and of the employees authorized to process Clients' personal data.

7.2.3. The storage of the Client's personal data may not last longer than the purposes of processing require, unless otherwise provided by the federal laws of the Russian Federation.

7.3. Storage period for personal data:

7.3.1. Storage period for civil-law agreements containing Clients' personal data, as well as their accompanying documents – 5 years from the completion of the agreements.

7.3.2. During the storage period, personal data may not be depersonalized or destroyed.

7.3.3. After the expiry of the storage period, personal data may be depersonalized in the information systems and destroyed on paper in the manner prescribed by this Regulation and the current legislation of the Russian Federation. (Annex: Act on the destruction of personal data)

8. Rights of the personal data operator

The Organization has the right:

8.1. To defend its interests in court.

8.2. To provide Clients' personal data to third parties if this is provided for by the current legislation (tax authorities, law enforcement agencies, etc.).

8.3. To refuse to provide personal data in the cases provided for by law.

8.4. To use the Client's personal data without his consent in the cases provided for by the legislation of the Russian Federation.

9. Rights of the Client

The Client has the right:

9.1. To demand clarification of his personal data, their blocking or destruction if the personal data are incomplete, outdated, unreliable, unlawfully obtained or not necessary for the stated purpose of processing, and to take the measures provided for by law to protect his rights;

9.2. To demand a list of his personal data processed by the Organization and the source from which they were obtained.

9.3. To obtain information about the periods of processing of his personal data, including the storage periods.

9.4. To demand that all persons who were previously informed of incorrect or incomplete personal data be notified of all exclusions, corrections or additions made to them.

9.5. To appeal to the authorized body for the protection of the rights of personal data subjects, or to a court, against unlawful actions or omissions in the processing of his personal data.

10. Liability for violation of the rules regulating the processing and protection of personal data

10.1. Officials of the Organization who violate the rules regulating the receipt, processing and protection of personal data bear disciplinary, administrative, civil and criminal liability in accordance with the laws of the Russian Federation and the internal local acts of the Organization.

Security of personal data at the bank

What is personal data?

According to federal law, personal data is any information relating to a natural person (the personal data subject) who is identified or identifiable on the basis of that information, including surname, first name, patronymic, year, month, date and place of birth, address, family, social and property status, education, profession, income, and other information.

Where is personal data located?

At a bank, personal data (PDN) is present in the following systems:

Automated banking system (ABS);

Client-Bank systems;

Money transfer systems;

Accounting systems;

HR systems;

Corporate information system;

Internal web portal.

PDN may also be present on paper documents (agreements, forms, orders, instructions, questionnaires, etc.).

What documents establish the requirements for the protection of personal data?

Federal laws

Federal Law No. 149-FZ dated June 27, 2006 "On Information, Information Technologies and Protection of Information";

Government decrees

Decree of the Government of the Russian Federation No. 781 dated November 17, 2007 "On approving the Regulation on ensuring the security of personal data during their processing in personal data information systems";

Decree of the Government of the Russian Federation No. 957 dated April 29, 2007 "On approving the regulations on licensing certain types of activities related to encryption (cryptographic) means";

Decree of the Government of the Russian Federation No. 687 dated June 15, 2008 "On approving the Regulation on the specifics of processing personal data carried out without the use of automation means".

FSTEC of Russia

Joint order of the FSTEC of Russia, the FSB of Russia and the Ministry of Communications of Russia dated 13 February 2008 No. 55/86/20 "On approving the procedure for classifying personal data information systems";

Guidance document of the FSTEC of Russia "Basic model of threats to the security of personal data during their processing in personal data information systems";

Guidance document of the FSTEC of Russia "Methodology for determining current threats to the security of personal data during their processing in personal data information systems";

Order of the FSTEC of Russia dated February 5, 2010 No. 58 "On approving the Regulation on methods and means of protecting information in personal data information systems".

FSB of Russia

Order of FAPSI dated 13 June 2001 No. 152 "On approving the Instruction on organizing and ensuring the security of the storage, processing and transmission over communication channels, using cryptographic protection means, of restricted-access information that does not contain state secrets";

Order of the FSB of the Russian Federation dated February 9, 2005 No. 66 "On approving the Regulation on the development, production, implementation and operation of encryption (cryptographic) means of information protection (Regulation PKZ-2005)";

Guidance document of the FSB of Russia dated February 21, 2008 No. 149/54-144 "Methodological recommendations on ensuring the security of personal data using cryptographic means during their processing in personal data information systems using automation means";

Guidance document of the FSB of Russia dated February 21, 2008 No. 149/6/6-622 "Standard requirements for organizing and ensuring the functioning of encryption (cryptographic) means intended to protect information not containing state secrets, when used to ensure the security of personal data during their processing in personal data information systems".

Bank of Russia standards

STO BR IBBS-1.0-2010 "Information security of organizations of the banking system of the Russian Federation. General provisions";

STO BR IBBS-1.1-2007 "Information security of organizations of the banking system of the Russian Federation. Information security audit";

STO BR IBBS-1.2-2010 "Information security of organizations of the banking system of the Russian Federation. Methodology for assessing the conformity of information security of organizations of the banking system of the Russian Federation with the requirements of STO BR IBBS-1.0-20xx";

RS BR IBBS-2.0-2007 "Information security of organizations of the banking system of the Russian Federation. Methodological recommendations on documentation in the field of information security in accordance with the requirements of STO BR IBBS-1.0";

RS BR IBBS-2.1-2007 "Information security of organizations of the banking system of the Russian Federation. Guidance on self-assessment of the conformity of information security of organizations of the banking system of the Russian Federation with the requirements of STO BR IBBS-1.0";

RS BR IBBS-2.3-2010 "Ensuring information security of organizations of the banking system of the Russian Federation. Requirements for ensuring the security of personal data in personal data information systems of organizations of the banking system of the Russian Federation";

RS BR IBBS-2.4-2010 "Ensuring information security of organizations of the banking system of the Russian Federation. Industry-specific private model of threats to the security of personal data during their processing in personal data information systems of organizations of the banking system of the Russian Federation";

Methodological recommendations on meeting the legislative requirements for the processing of personal data in organizations of the banking system of the Russian Federation, developed jointly by the Bank of Russia, the ARB and the Association of Regional Banks of Russia (Association "Rossiya").

How to protect personal data?

According to the requirements of the methodological documents on PDN protection, the following subsystems are mandatory for all types of ISPDN (personal data information systems):

Access control subsystem;

Logging and accounting subsystem;

Integrity assurance subsystem;

Firewalling subsystem.

If the ISPDN is connected to the Internet, the following subsystems must additionally be used:

Antivirus protection subsystem;

Intrusion detection subsystem;

Security analysis subsystem.

Electronic locks and/or electronic keys should also be used for reliable identification and authentication of users.

If the ISPDN is distributed, then in addition, to prevent unauthorized access by separating protected information from publicly accessible information, cryptographic protection must be used when transmitting personal data over unsecured communication channels, as well as an electronic digital signature (EDS) to confirm the authenticity of the data.

This division into subsystems, and the selection on their basis of the set of products for PDN protection, is generally accepted and is used in most cases.

What must personal data be protected from?

If the task is limited to ensuring the confidentiality of PDN, it is necessary to implement and/or use technical measures aimed at preventing unauthorized access; such an ISPDN is classified as typical.

If, in addition, other information security properties must be ensured, such as integrity and availability, as well as their derivatives (non-repudiation, accountability, adequacy, etc.), then such an ISPDN is classified as special. In most cases the ISPDN will be special, which means that in addition to determining the PDN class, a threat model must be developed in order to select the protection mechanisms.

Yak zmenshiti class PDN?

In order to change and forgive, go to the protection of the PDN, Banks are at the mercy of tricks. Below I will outline typical methods that allow you to change the variety of protection features. Prote, in itself, the “redundancy” of the Bank’s information systems will result in complex and labor-intensive tasks.

Reducing the number of sites

As shown above, a distributed ISPDN is subject to the highest requirements; to reduce them, one should try to move away from a distributed ISPDN.

In a distributed ISPDN, the PDN are located on different sites and are transmitted over communication channels not controlled by the bank; in general, this means that the PDN leave the controlled zone. Then, first of all, it is necessary to localize the PDN by reducing the number of sites where they are located. In some cases this is realistic, but if we consider the ABS (automated banking system), such a possibility most likely will not exist.

Reducing the number of servers

If the ISPDN is local and operates within the bank's local network, the simplest way to reduce costs is to reduce the number of servers on which PDN are present and/or processed.

Reducing the number of workstations and personnel

For any type of ISPDN (single workstation, local, distributed) the end processing of PDN is usually done by the bank's staff. If terminal access, which is discussed below, is not used, it makes sense to reduce the number of bank staff who process personal data or have access to them.

Dividing the IS with firewalls

To reduce the amount of PDN, and hence the cost of protection means, a good way is to divide the information network into segments in which PDN are processed. For this, firewalls must be installed and used, with the PDN segments connected to their ports. Often all server equipment is placed in a demilitarized zone, i.e. in segments separated from the public and banking networks by firewalls. This method also requires substantial "redrawing" of the information network. There is a method based on so-called "link encryption", i.e. encrypting the client-client, client-server and server-server channels. Such encryption of network traffic can be implemented either with special protection means or with standard IPSec technology, but the latter is not certified by the FSB of Russia, which is a significant minus.

Another way of dividing the ISPDN at the scale of the whole network could be virtual network technology, VLAN. However, a VLAN is just an identifier in one of the fields of the network packet, which allows one to speak of it as an "IT technology" only. Therefore dividing a network by means of VLANs does not remove the need for information security technologies.

Dividing databases into parts

Suppose there is a database of thousands of records: full name (P.I.B.) and deposit amount.

Let us create two other databases. We introduce an additional unique identifier. We divide the table into two parts: in the first we place the fields full name and identifier, in the second the identifier and the deposit amount.

Thus, if an outsider can process only one of these new databases, PDN protection is greatly simplified, if not made unnecessary. Obviously, the value of such a database is substantially lower than that of the original. Both databases will be placed on the most secure server. In reality there are many more fields in a database, but this principle can work in practically every case, because the number of fields that are significant from a security point of view is not that large, rather the opposite. In the extreme case, the key correspondences can be stored on a PC that is not connected to the local network, or automated processing can even be avoided.

Depersonalizing PDN

According to 152-FZ, depersonalization of personal data is an action that makes it impossible to determine whether personal data belong to a specific personal data subject. From this definition follows a series of methods by which personal data can be obtained from which ownership cannot be determined. For example, if the exact values of certain fields are not important for the purposes of processing, they can either not be displayed at all or be displayed only as the ranges into which they fall. For example, age 20-30, 30-40, etc. The address can be "rounded" to a district, okrug or city: Tsaritsyno, Southern okrug, Moscow. Depending on the need, the process of depersonalizing PDN can be reversible or irreversible. Irreversible methods include the above "rounding"; reversible ones include, for example, encryption. In my opinion, encryption (encoding) is a way of depersonalizing data and can be used for this purpose.
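The table split and the "rounding" of age and address described above, as an added example that is not the article's own code: Python with an in-memory SQLite database and constructed sample records (names, ages, addresses and amounts are invented). The split keeps names and amounts linked only through a random identifier and is reversible via the key table; the generalization functions produce the irreversible view.

```python
"""Added example (not from the article): splitting a PDN table into two
halves linked only by a random identifier, and depersonalizing fields by
'rounding' (age bands, address truncation). All sample data is constructed."""
import secrets
import sqlite3

# Constructed sample of the kind of table the article describes (full name
# plus deposit amount); age and address are added so that the generalization
# step has something to work on.
SAMPLE_CLIENTS = [
    ("Ivanov Ivan Ivanovich", 34, "Moscow, Southern okrug, Tsaritsyno, Kavkazsky blvd 12", 150000),
    ("Petrova Anna Sergeevna", 27, "Moscow, Southern okrug, Tsaritsyno, Bekhtereva st 5", 42000),
    ("Sidorov Pyotr Olegovich", 51, "Moscow, Northern okrug, Khovrino, Zelenogradskaya st 3", 980000),
]


def split_clients(rows):
    """Split (name, age, address, amount) rows into two tables:
    identities(id, fio)                 -- the part that identifies a person
    deposits(id, age, address, amount)  -- the part that carries the value
    Only the random id links them; neither half alone ties a name to a sum."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE identities (id TEXT PRIMARY KEY, fio TEXT NOT NULL)")
    conn.execute(
        "CREATE TABLE deposits (id TEXT PRIMARY KEY, age INTEGER, address TEXT, amount INTEGER)"
    )
    for fio, age, address, amount in rows:
        # A random 128-bit identifier: unlike a row number it cannot be
        # guessed or correlated with the order of the original table.
        ident = secrets.token_hex(16)
        conn.execute("INSERT INTO identities VALUES (?, ?)", (ident, fio))
        conn.execute("INSERT INTO deposits VALUES (?, ?, ?, ?)", (ident, age, address, amount))
    conn.commit()
    return conn


def deposits_only(conn):
    """What an outsider sees if only the 'deposits' half leaks: no names at all."""
    return conn.execute("SELECT age, address, amount FROM deposits ORDER BY amount").fetchall()


def rejoin(conn):
    """The reversible path: the key table restores the full (name, amount) records."""
    return conn.execute(
        "SELECT i.fio, d.amount FROM identities i JOIN deposits d USING (id) ORDER BY i.fio"
    ).fetchall()


def age_band(age, width=10):
    """Irreversible 'rounding' of an age into a band such as '30-40'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width}"


def round_address(address, keep=2):
    """Keep only the first `keep` comma-separated components of an address:
    'Moscow, Southern okrug, Tsaritsyno, ...' -> 'Moscow, Southern okrug'."""
    parts = [p.strip() for p in address.split(",")]
    return ", ".join(parts[:keep])


def depersonalize(rows, address_keep=2):
    """The irreversible, depersonalized view of the rows: names dropped, ages
    banded, addresses truncated, amounts kept for statistics. Nothing here
    lets a row be tied back to a specific person."""
    return [
        (age_band(age), round_address(address, address_keep), amount)
        for _fio, age, address, amount in rows
    ]


if __name__ == "__main__":
    db = split_clients(SAMPLE_CLIENTS)
    print("leaked deposits half:", deposits_only(db))
    print("rejoined via key table:", rejoin(db))
    print("generalized view:", depersonalize(SAMPLE_CLIENTS))
```

The key table (`identities`) is the part the article suggests keeping off the network or even off automated processing entirely.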

Thin clients and terminal access

The use of thin client technology and the corresponding terminal access technology on servers makes it possible to significantly reduce the requirements for PDN protection. The point is that with "thin" clients and terminal access, the bank does not need to install specialized software, such as client parts of databases, client parts of the ABS, etc., on its employees' PCs. Moreover, the bank does not need to install any special protection means on its employees' PCs. These technologies allow information from databases stored on servers to be displayed on the desktop and PDN processing to be managed. These technologies are a priori secure, because terminal policies easily limit the ability of terminal clients (bank staff) to copy, and subsequently distribute, PDN. The communication channel between the servers and the PCs with a "thin client" can easily be encrypted, so that the confidentiality of the transmitted data can be ensured by simple means.

The speed of potential data leaks is then limited to the visual channel, i.e. by how fast a camera or video camera can capture the screen, and with the introduction of special organizational measures such copying becomes very difficult.

How to protect personal data?

Ensuring protection against unauthorized access (NSD) includes a complex of organizational and technical measures. These measures are based on well-known mechanisms for preventing NSD at various levels:

Identification and authentication (including two-factor or strong). This can be implemented at the level of the operating system, infrastructure software, application software, or hardware (for example, electronic keys);

Registration and accounting. This can be logging (journaling, protocolling) of events in all of the above systems, software and means;

Ensuring integrity. This can be calculating checksums of controlled files, ensuring the integrity of software components, using a closed software environment, and also ensuring a trusted OS boot;

Firewalls, both gateway and host-based;

Anti-virus protection (up to three levels of protection, an echeloned or multi-vendor approach);

Cryptography (functionally applied at different levels of the OSI model (network, transport, etc.) and providing different functionality).

There are a number of comprehensive products that carry protection-against-NSD functionality. All of them differ in their type of application, hardware support, software and implementation topology.

For a distributed ISPDN, or one connected to a public network (Internet, Rostelecom, etc.), security analysis products (MaxPatrol from Positive Technologies, which has no direct competitors in the Russian Federation) and intrusion detection/prevention systems (IDS/IPS) are used, both at the gateway level and at the end-node level.

How to transmit personal data?

If the ISPDN is distributed, this means that PDN have to be transmitted over unprotected communication channels. Incidentally, over-the-air links also count as unprotected channels. To protect PDN in communication channels, various methods can be used:

Encryption of the communication channel. This can be done in any convenient way, such as a VPN between gateways, a VPN between servers, or a VPN between workstations (InfoTecs ViPNet Custom, Informzashchita APKSH Continent, etc.);

MPLS packet switching. Packets are transmitted along different paths according to the labels assigned by the network equipment. For example, the Rostelecom MPLS network has a certificate of compliance of the packet switching network with the information security requirements of FSTEC of Russia, which guarantees increased protection of the data transmitted over it;

Encryption of documents. Various protection programs can be used to encrypt data files, as well as container files (ViPNet SafeDisk, InfoWatch CryptoStorage, TrueCrypt, etc.);

Encryption of archives. Various archivers can be used that allow files to be archived and encrypted with crypto-strong algorithms such as AES (WinRAR, WinZIP, 7-ZIP, etc.).

Is it necessary to use certified protection means?

Today there is only one FSTEC of Russia requirement for the certification of personal data protection means: control for the absence of undeclared capabilities at the 4th level. On the remaining questions I will give three theses:

The certification system for protection means;

Whether it is sufficient to fulfil the requirements of the legislation;

There is no need to certify the personal data information system as a whole.

Shauro Evgen


This became especially relevant for Russian and foreign companies in connection with the addition of Part 5 to Article 18 of 152-FZ "On Personal Data": "... the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, change) and extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation". The law has a number of exceptions, but, you must agree, in the event of an inspection by the regulator one would like to have stronger trump cards than "this does not concern us".

The penalty for violators is very serious. Online stores, social networks, information sites and other businesses connected with the Internet may, in the event of claims from the supervisory authorities, actually be closed. It is possible that on the first inspection the regulator will give time to eliminate the shortcomings, but the term is usually limited. If the problem is not solved very quickly (which is difficult to do without preliminary preparation), the losses can no longer be compensated. Blocking of a site not only leads to a pause in sales, it means a loss of market share.

Appearing on the "black list" of violators of the PDN law is less dramatic for offline companies. But it carries reputational risks, which is a significant factor for foreign companies. In addition, there are now almost no types of activity that are not concerned with PDN protection at all. Banking, trade, manufacturing: all maintain client bases and are therefore subject to the same laws.

It is important to understand here that the question cannot be considered in isolation within a company either. PDN protection cannot be limited to installing certified protection means on servers and locking paper cards in a safe. Personal data has many entry points into the company: sales, HR, customer service, sometimes also training centres, purchasing commissions and other units. PDN protection management is a complex process that involves IT, document flow, regulations and legal registration.

Let's take a look at what is required to launch and maintain such a process.

All data are considered personal

Strictly speaking, any information that relates directly or indirectly to a specific natural person is personal data. Note that we are talking about natural persons, not legal entities. It turns out that it is enough to indicate a full name and residential address to initiate protection of these (and related) data. Nevertheless, receiving an e-mail containing someone's personal data in the signature and a telephone number is not yet a reason to protect them. Key term: "the concept of collecting personal data". To clarify the context, I would like to highlight a number of articles of the Law "On Personal Data".

Article 5. Principles of processing personal data. There must be clear purposes for which the information is collected. Otherwise, even with full compliance with all other norms and rules, sanctions are likely.

Article 10. Special categories of personal data. For example, the HR department may record health restrictions on employees for labour protection and rehabilitation purposes. Of course, such additional information is also subject to protection. This greatly expands the understanding of PDN, as well as the list of departments and information resources of the company that need to be attended to.

Article 12. Cross-border transfer of personal data. If an information system with data of citizens of the Russian Federation is located on the territory of a country that has not ratified the Convention on the Protection of Personal Data (for example, Israel), the provisions of Russian legislation must be followed.

Article 22. Notification about the processing of personal data. A mandatory condition in order not to attract excessive attention from the regulator. If you conduct business activity related to PDN, report it yourself, without waiting for an inspection.

Where personal data may be located

Technically, PD can be located anywhere, from printed media (paper files) to machine media (hard drives, flash drives, CDs, etc.). That is, the focus is on any data storage that falls under the definition of an ISPD (personal data information system).

The geography of location is also a big question. On the one hand, personal data of Russians (natural persons who are citizens of the Russian Federation) must be stored on the territory of the Russian Federation. On the other hand, at the moment this is more a vector of development of the situation than an accomplished fact. Many international and export companies, various holdings and joint ventures have historically built a distributed infrastructure, and this will not change overnight. Hence the methods of storing and protecting PDN, which need to be adjusted now, immediately.

The minimum list of units that take part in recording, systematizing, accumulating, storing, clarifying (updating, changing) and extracting PDN:

  • HR department.
  • Sales department.
  • Legal department.

Since ideal order is rare, this "refined" list can in reality be supplemented by the most unexpected subdivisions. For example, the warehouse may record personalized information about suppliers' drivers, or the security service may keep its own detailed record of everyone who enters the territory. Thus, by the way, the composition of PDN on employees can be supplemented with data on clients, partners, contractors, as well as casual and other visitors, whose PDN become "criminal" when they are photographed for a pass, when an identity document is scanned, and in other cases. ACS (access control and management systems) can easily become a source of problems in the context of PD protection. So the answer to the question "Where?" from the point of view of complying with the Law sounds like this: everywhere on the subordinate territory. More precisely, it is possible to answer only by conducting an appropriate audit. That is the first stage of a personal data protection project. The full list of its key phases:

1) Audit of the company's current situation.

2) Design of technical solutions.

3) Development of the personal data protection process.

4) Verification of the technical solution and the personal data protection process for compliance with the legislation of the Russian Federation and company regulations.

5) Implementation of technical solutions.

6) Launch of the personal data protection process.

1. Audit of the company's current situation

First of all, check with the HR and other departments what paper media with personal data are used:

  • Are there forms of consent to the processing of personal data? Are they filled in and signed?
  • Are the "Regulations on the peculiarities of processing personal data carried out without the use of automation tools" of June 15, 2008 No. 687 complied with?

The geographical location of the ISPD:

  • In which countries are they located?
  • On what basis?
  • Are there agreements for their use?
  • What technological protection is applied to prevent PDN leakage?
  • What organizational measures are used to protect PDN?

Ideally, an information system with PDN of Russians should comply with all the requirements of Law 152-FZ "On Personal Data", even if it is located abroad.

Next, pay attention to the list of documents required for verification (not all of them, only the main ones):

  • Notification about PDN processing.
  • Document appointing the person responsible for organizing PDN processing.
  • List of persons allowed to process PDN.
  • Document defining the periods of PDN storage.
  • Information about the processing of special and biometric categories of PDN.
  • Information about cross-border transfer of PDN.
  • Standard forms of documents containing PD.
  • Standard consent form for PDN processing.
  • Procedure for transferring PDN to third parties.
  • Procedure for handling requests from PDN subjects.
  • List of personal data information systems (ISPD).
  • Documents regulating data backup in the ISPDN.
  • List of information protection means in use.
  • Procedure for the destruction of PDN.
  • Access matrix.
  • Threat model.
  • Log of machine media containing PDN.
  • Document defining the level of protection for each ISPD according to PP-1119 of November 1, 2012 "On approval of requirements for the protection of personal data during their processing in personal data information systems".

2. Design of technical solutions

A description of the organizational and technical measures to be taken to protect PDN is given in Chapter 4 "Obligations of the operator" of Law 152-FZ "On Personal Data". The technical solution should be based on the provisions of Article 2 of Law 242-FZ of June 21, 2014.

How to comply with the law and process the PDN of citizens of the Russian Federation on the territory of Russia, if the ISPDN is still located abroad? There are several options here:

  • Physical transfer of the information system and database to the territory of the Russian Federation. If technically feasible, this is the simplest.
  • The ISPD remains abroad, but a copy is created in Russia and one-way replication of the PDN of citizens of the Russian Federation from the Russian copy to the foreign one is set up. At the same time, the ability to modify the PDN of Russian citizens must be disabled in the foreign system; all edits are made only through the Russian ISPDN.
  • There are several ISPDN and all of them are abroad. Transfer may be expensive or technically difficult (for example, it may be impossible to extract the part of the database holding the PDN of citizens of the Russian Federation and bring it to Russia). In this case the solution may be to create a new ISPD on any available platform on a server in Russia, with one-way replication into each of the foreign ISPD. Note that the choice of platform remains with the company.

If the ISPDN is not completely and exclusively transferred to Russia, do not forget to indicate in the notification about cross-border data transfer to whom and which set of PDN is transferred. In the notification about processing, the purpose of the transfer of personal data must be indicated. I repeat, this purpose must be lawful and clearly justified.

3. Development of the personal data protection process

The personal data protection process must include at least the following points:

  • List of persons responsible for PDN processing in the company.
  • Procedure for granting access to the ISPD. Ideally, an access matrix for each position or specific employee (read / read-write / modify). Or a list of the data available to each position. It all depends on the implementation and the company's requirements.
  • Audit of access to personal data and analysis of access attempts that violate the access levels.
  • Analysis of the reasons for personal data unavailability.
  • Procedure for responding to requests from PDN subjects concerning their PDN.
  • Review of the list of personal data transferred outside the company.
  • Review of the recipients of personal data, including abroad.
  • Periodic review of the threat model for personal data, as well as changing the level of personal data protection in connection with changes to the threat model.
  • Keeping the company's documents up to date (the list is given above and can be supplemented if necessary).

Here one could go into detail on each point, but I want to pay special attention to the protection level. It is determined on the basis of the following documents (read in order):

1. "Methodology for determining current threats to the security of personal data during their processing in personal data information systems" (FSTEC of the Russian Federation, February 14, 2008).

2. Decree of the Government of the Russian Federation No. 1119 of November 1, 2012 "On approval of requirements for the protection of personal data during their processing in personal data information systems".

3. FSTEC Order No. 21 of December 18, 2013 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems".

Also, do not forget to estimate the need for such categories of expenses as:

  • Organization of the project team and project management.
  • Developers for each of the ISPDn platforms.
  • Server capacity (own or rented in a data centre).

By the end of the second and third stages of the project you should have:

  • A cost estimate.
  • Requirements for the result.
  • Terms and a calendar plan for the project.
  • The technical and organizational parts of the project.

4. Verification of the technical solution and the personal data protection process for compliance with the legislation of the Russian Federation and company regulations

A short but important step, at which it is necessary to verify that all the plans do not contradict the legislation of the Russian Federation and the company's rules (for example, its security policies). If this is not done, a bomb is planted in the foundation of the project, which may "explode" later and destroy the benefit of the results achieved.

5. Implementation of technical solutions

Everything is more or less obvious here. The specifics depend on the initial situation and the decisions taken. In general, the picture will be roughly like this:

  • Server capacity has been allocated.
  • Network engineers have provided sufficient channel capacity between the receiver and the transmitter of PDN.
  • Developers have set up replication between the ISPDN databases.
  • Administrators have blocked changes in the ISPD located abroad.

The person responsible for PDN protection and the "owner of the process" may be the same person or different people. The point is that the "owner of the process" must prepare all the documentation and organize the entire PDN protection process. To do this, all the persons involved must be notified, employees instructed, and the IT service must carry out the technical measures of data protection.

6. Starting the personal data protection process

This is an important stage, and in a sense the goal of the whole project is to put the process under control. Besides technical solutions and regulatory documentation, the role of the process owner is critically important here. He must monitor changes not only in legislation, but also in the IT infrastructure. This requires the appropriate skills and competencies.

In addition, and this is critically important in real working conditions, the owner of the PDN protection process needs all the necessary powers and administrative support from the company's management. Otherwise he will be an eternal "petitioner" whom nobody heeds, and after a while the project may have to be restarted, again beginning with the audit.

Nuances

A number of points that are easy to miss:

  • If you work with a data centre, you need a service agreement for the provision of server capacity, under which your company stores the data on a legal basis and controls it.
  • Licenses are required for the software used to collect, store and process personal data, or rental agreements for it.
  • If the ISPD is located abroad, an agreement is needed with the company that operates the system there, guaranteeing compliance with the legislation of the Russian Federation with respect to the personal data of Russians.
  • If personal data are transferred to a contractor of your company (for example, an IT outsourcing partner), then in the event of a PD leak from the outsourcer it is you who will answer for the claims. In turn, your company can file claims against the outsourcer. Perhaps this factor may influence the very decision to outsource the work.

And once again, the most important thing: personal data protection cannot be taken and provided once. It is a process. A continuous, iterative process that will depend heavily on further changes in legislation, as well as on the format and rigour with which these norms are applied in practice.

Marina Prokhorova, editor of the magazine "Personal Data"

Natalia Samoilova, lawyer of the company "InfoTechnoProject"

The regulatory framework that has developed to date in the field of processing personal data, documents that should be adopted for more effective organization of work from the protection of personal data in organizations, technical aspects of information preparation valuable systems of operators of personal data - the very same ones stuck around a lot the rest of the time Newspaper of magazine Publikatsii, the binding of the problematic Dani at the Tsiy Statti, hot to screech on such an aspect of the Banking of Banking, “Sinkish” Zahist of personal dannia, chatting into the chiro of organizing.

Let's talk about a specific example

There is a question about the judicial review, inquire about the protection of personal data, violations of the Oschadbank in Chernya 2008 rub. The essence of the ship's review was reduced to the offensive. A surety agreement was entered into between the citizen and the bank, apparently until the citizen accepted the obligation to appear before the bank for violating the responsibility for the loan agreement. The rest did not comply with the provisions of the credit agreement, information about the guarantor as an unreliable client was entered into the automated information system of the Stop List bank, which, in its own way, became a basis for Use the loan given to you. In this case, the bank failed to inform the citizen about the improper execution by the principal of his duties for the loan agreement. In addition, the surety agreement did not stipulate that the bank has the right to enter information about the guarantor to the “Stop List” information system if the holder of his/her claims is illegal. In this way, the bank processed the personal data of the citizen by including information about the new Stop List information system without any reason, which violates the powers of Part 1 of Art. 9 of Federal Law No. 152-FZ dated 27 June 2006 “About personal data”, whereby the subject of personal data makes a decision about the provision of his personal data and gives permission for their processing of his own will and in his own interest. Crimea, in order, transferred to Part 1 of Art. 14 of this law, the giant has gone to the bank to give him the opportunity to become aware of the information recorded about him in the Stop List information system, as well as blocking these records and their depletion. The bank was convinced by the satisfied citizen.

The results were reviewed by the Leninsky District Court of Vladivostok, satisfying the calls of the Office of Roskomnaglyad for the Primorsky Territory to the Oschadbank of Russia about the protection of the violated rights of the citizen and the bank to obtain information about the citizen with information ї "Stop list" system.

Why should we show this butt? Banks that save the personal data of a significant number of their clients do not attempt to move them from one database to another, and most often do not inform about the subject of the personal data, seemingly already about those to take away the benefit from such things from him personal data. Of course, banking activity has a number of peculiarities, and often personal data of clients is collected not only for the purpose of confirming the bank’s agreements, but also for the bank’s effective control over the client’s obligations, This means that no matter how personal data is manipulated, the required health of their subject.

Difficulties in an unclear situation

Why is not every operation performed on personal data lawful? Clearly, what is needed most of all is qualified specialists: the lawyers of the legal departments of large banks are first-class professionals, but in the field of personal data most of them have to learn practically from scratch. So the best way out is to build the company's personal data protection system together with organizations that specialize in services for organizing work with personal data, including an audit of the compliance of the non-technical protection measures with the legislation in force.

The results of analytical studies make it possible to identify the points that cause the greatest difficulty in complying with Federal Law No. 152-FZ "On Personal Data".

Under Part 1 of Article 22 of this regulatory document, the operator is obliged to notify the authorized body of its intention to process personal data. Among the exceptions is the case where the processing of personal data is carried out in connection with the conclusion of a contract to which the data subject is a party ... and is used by the operator solely for the performance of that contract (paragraph 2 of Part 2 of Federal Law No. 152-FZ "On Personal Data"). Relying on this very provision, banks do not submit notifications of personal data processing, and most of them do not even consider themselves operators, which is fundamentally wrong.

Another exception also applies to banks as personal data operators; it concerns consent and is considered below. According to Art. 6 of the law, the operator may process personal data without the consent of the data subject if the processing is carried out for the performance of a contract to which the data subject is a party. Therefore, many banking regulations justify processing without the data subject's consent by the very fact of such a contract.

But let us ask: does the bank, as an operator, process the data subject's personal data only for the performance of the contract concluded with him, or also, for example, for sending out notices about new services or for maintaining "Stop Lists"? If personal data are processed not only for the performance of the contract but also for other purposes of commercial interest to the bank, then:

  • banks are obliged to submit a notification of personal data processing to the authorized body;
  • banks are entitled to process personal data only with the consent of the data subject.

This means that banks must organize work with their clients' personal data in such a way as to ensure the non-technical protection of those data.

Written consent to the processing of personal data

So, if the consent of the data subject is required for processing, Federal Law No. 152-FZ "On Personal Data" does not require operators to obtain that consent in writing, except in the cases provided by law. At the same time, under Part 3 of Art. 9, the obligation to prove that the data subject's consent to the processing of his personal data was obtained rests with the operator. Therefore, so as not to waste time later gathering such evidence (for example, in the event of a dispute), in our opinion it is better to obtain the data subject's consent in written form.

Here is another argument for written consent to the processing of personal data. Bank activities frequently involve the transfer of data (including personal data) to the territory of a foreign state. According to Part 1 of Art. 12 of Federal Law No. 152-FZ "On Personal Data", before beginning a cross-border transfer of personal data, the operator is obliged to make sure that the foreign state to whose territory the personal data are transferred ensures adequate protection of the rights of personal data subjects. If such protection is not ensured, cross-border transfer of personal data is possible only with the written consent of the data subject. It may be assumed that it is easier for banks to obtain the client's written consent to the processing of personal data than to establish the adequacy of that protection in a foreign state.

We draw attention to the fact that the information that written consent must contain is set out in Part 4 of Art. 9 of the above Federal Law, and the list is not short. A signature under a phrase in, for example, a loan agreement such as "I consent to the processing of my personal data" does not, under Federal Law No. 152-FZ "On Personal Data", constitute consent to their processing!

It would seem that these are only a few provisions of the law, yet how many complications, up to and including court proceedings, their incorrect application can cause. Today, when the personal data of subjects increasingly become a commodity in the competitive struggle between various structures, properly organized protection and security of the information systems of banks and credit institutions will be a guarantee of preserving the business reputation of any organization.

Every day people become more aware of the possible negative consequences of the disclosure of their personal data, which leads to the emergence of specialized publications and information resources of various companies. Some of them cover the whole broad range of issues encompassed by the concept of "information security", others are devoted to approaches to technical protection, and yet others address problems related to non-technical protection. In other words, information on the protection of personal data is becoming more accessible, which means that citizens will be better informed about protecting their rights.