The information system of any organization contains personal data (PD) about employees and customers, which must be protected under Federal Law No. 152-FZ.
By law, PD is categorized from depersonalized and general data up to data that directly affects a person (health, religious views, details of private life). The highest category of protection is required for the data transmitted to the Pension Fund (full name, salary, social status, disability, marital status, number of children, etc.).
Each category requires a different level of protection. Protection against leaks through visual or acoustic channels can be built within the company itself, while cryptographic protection requires FSB/FSTEC-certified equipment. The differing levels of protection in turn call for different IT architectures, up to moving personal information into dedicated, highly protected databases.
Databases are divided into small, medium, and distributed. In large systems it is essential to tune the event correlation system, which links messages about potential threats and so provides a comprehensive assessment of the danger.
Personal data is protected in order to:
- protect the rights of the company's employees, customers and management;
- comply with the legislation of the Russian Federation;
- protect the customer base, since a leak of this information can cause serious financial and reputational losses to the company.
The Law on Encryption of Personal Data, 152-FZ
The Government of the Russian Federation has established a procedure for working safely with information, together with penalties for non-compliance ranging up to criminal liability and revocation of licenses. The encryption of personal data is subject to the following requirements:
- Use cryptographic tools that correspond to the protection level determined by the threat model.
- Protect corporate information by encrypting data on remote servers (transparent or asymmetric encryption), including network folders, by differentiating access rights between employees, and by using tokens (external carriers holding private keys).
- Use firewalls, intrusion prevention systems and antiviruses; develop and update threat models; use vulnerability scanners; develop protection policies; control electronic document flow; and monitor employees.
- Use electronic signatures to secure documents and speed up their execution.
- Protect corporate email (public and private key certificates).
Information protection relies on encryption mechanisms whose certification is checked by the FSB. Everything is encrypted: the databases, their transfer over the network, and all backup copies of the databases. For safe operation it is necessary to integrate Russian encryption algorithms, up to developing the company's own products.
The need to regularly update protection technologies led to the development of GOST standards for encrypting personal data (GOST R 34.11-2012 “Streebog”, the block ciphers of GOST R 34.12-2015 “Magma” and “Kuznyechik” (Grasshopper), and GOST R 34.13-2015). GOST algorithms are resistant to attack, offer high performance and parallelize well, which allows the optimal protection to be selected for the available (limited or full-scale) computing resources.
Data Encryption Algorithms
The algorithm for protecting personal data in an organization includes a typical list of actions that must be performed to keep it secure:
- Develop a PD processing methodology.
- Give employees and customers the option to consent to or refuse processing.
- Include notifications about working with PD in the general flow of materials.
- Create an information storage structure.
- Create the database.
- Determine the procedure and methods of processing and the penalties for violations.
- Supplement the instructions for employees responsible for processing and storing PD.
Building a personal data protection system consists of five stages:
- Pre-project assessment. It is essential to competently build a privacy threat model for the particular company.
- Development of documentation and formation of the technical specification.
- Design of the protection system. The work is carried out in accordance with the developed technical specification; technical means of protection are acquired and certified, and the circle of officials responsible for the operation of the protective equipment is determined.
- Introduction of the developed means of PD protection.
- Provision of technical support and maintenance.
For the widespread 1C platform, encryption is performed without external components, so that it is fully isolated from any binding to the operating system.