Order of Federal Security Service of the Russian Federation "About statement of structure and content of organizational and technical measures for providing..."

It is registered

Ministry of Justice

Russian Federation

On August 18, 2014 No. 33620

ORDER OF FEDERAL SECURITY SERVICE OF THE RUSSIAN FEDERATION

of July 10, 2014 No. 378

About statement of structure and content of organizational and technical measures for safety of personal data in case of their processing in personal data information systems with use of the means of cryptographic information protection necessary for accomplishment of the security requirements of personal data established by the Government of the Russian Federation for each of security levels

According to part 4 of article 19 of the Federal Law of July 27, 2006 "About personal data" <1> I order to No. 152-FZ:

--------------------------------

<1> Russian Federation Code, 2006, No. 31 (p. I), Art. 3451; 2009, No. 48, Art. 5716; No. 52 (p. I), Art. 6439; 2010, No. 27, Art. 3407; No. 31, Art. 4173, Art. 4196; No. 49, Art. 6409; No. 52 (p. I), Art. 6974; 2011, No. 23, Art. 3263; No. 31, Art. 4701; 2013, No. 14, Art. 1651; No. 30 (p. I), Art. 4038.

approve the enclosed Structure and content of organizational and technical measures for safety of personal data in case of their processing in personal data information systems with use of the means of cryptographic information protection necessary for accomplishment of the security requirements of personal data established by the Government of the Russian Federation for each of security levels.

Director

A. Bortnikov

Appendix

to the Order of Federal Security Service of the Russian Federation of July 10, 2014 No. 378

Structure and content of organizational and technical measures for safety of personal data in case of their processing in personal data information systems with use of the means of cryptographic information protection necessary for accomplishment of the security requirements of personal data established by the Government of the Russian Federation for each of security levels

I. General provisions

1. This document determines structure and content of organizational and technical measures for safety of personal data in case of their processing in personal data information systems (further - information system) with use of means of cryptographic information protection (further - SKZI), the necessary for accomplishment security requirements of personal data established by the Government of the Russian Federation for each of security levels.

2. This document is intended for the operators using SKZI for safety of personal data in case of their processing in information systems.

3. Application of the organizational and technical measures determined hereunder is provided by the operator taking into account requirements of operational documents of SKZI used for safety of personal data in case of their processing in information systems.

4. Operation of SKZI shall be performed according to documentation on SKZI and the requirements established hereunder and also according to other regulatory legal acts governing the relations in the respective area.

II. Structure and content of the organizational and technical measures necessary for accomplishment of the security requirements of personal data established by the Government of the Russian Federation for the 4th level of security

5. According to Item 13 of Security requirements of personal data in case of their processing in the personal data information systems approved by the order of the Government of the Russian Federation of November 1, 2012 No. 1119 <1> (further - Security requirements of personal data), 4 levels of security of personal data in case of their processing in information systems are necessary for providing accomplishment of the following requirements:

--------------------------------

<1> Russian Federation Code, 2012, No. 45, 6257.

a) the organization of the mode of safety of rooms in which the information system, the uncontrollable penetration interfering opportunity or stay in these rooms of persons who do not have access rights to these rooms is placed;

b) ensuring safety of carriers of personal data;

c) approval by the head of the operator of the document determining the list of persons which access to the personal data processed in information system is necessary for accomplishment of service (labor) duties by them;

d) use of the information security products which underwent assessment procedure of compliance to requirements of the legislation of the Russian Federation in the field of safety of information in case application of such means is necessary for neutralization of urgent threats.

6. Accomplishment of the requirement specified in the subitem "an" of Item 5 of this document requires providing the mode interfering possibility of uncontrollable penetration or stay in rooms where the used SKZI are placed, SKZI and (or) carriers of the key, authenticating and password information of SKZI (further - Rooms), persons who do not have access rights to Rooms which is reached in the way are stored:

a) equipment of Rooms input doors with locks, ensuring permanent closing of doors of Placements on the lock and their opening only for the authorized pass, and also sealing of Rooms upon termination of the working day or the equipment of Rooms the corresponding technical devices signaling about unauthorized opening of Rooms;

b) approvals of rules of access to Rooms in working and time off, and also in emergency situations;

c) approvals of the list of persons having right of access to Rooms.

7. It is necessary for accomplishment of the requirement specified in the subitem "b" of Item 5 of this document:

a) perform storage of removable machine carriers of personal data in safes (metal cabinets) equipped with internal locks with two or more twirls and devices for sealing of keyholes or coded locks. If on the removable machine carrier of personal data only personal data are stored in the type ciphered with use by SKZI, storage of such carriers out of safes (metal cabinets) is allowed;

b) perform per copy accounting of machine carriers of personal data which is reached by maintaining register of carriers of personal data with use of registration (factory) numbers.

8. It is necessary for accomplishment of the requirement specified in the subitem "v" of Item 5 of this document:

a) develop and approve the document determining the list of persons which access to the personal data processed in information system is necessary for accomplishment of service (labor) duties by them;

b) support in current state the document determining the list of persons which access to the personal data processed in information system is necessary for accomplishment of service (labor) duties by them.

Warning!!!

This is not a full text of document! Document shown in Demo mode!

If you have active License, please Login, or get License for Full Access.

With Full access you can get: full text of document, original text of document in Russian, attachments (if exist) and see History and Statistics of your work.

Get License for Full Access Now

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info

Effectively work with search system

Database include more 50000 documents. You can find needed documents using search system. For effective work you can mix any on documents parameters: country, documents type, date range, teams or tags.
More about search system

Get help

If you cannot find the required document, or you do not know where to begin, go to Help section.

In this section, we’ve tried to describe in detail the features and capabilities of the system, as well as the most effective techniques for working with the database.

You also may open the section Frequently asked questions. This section provides answers to questions set by users.