The procedure for classifying personal data information systems (Order "On approval of the procedure for classifying personal data information systems")


Classification of an ISPD is carried out in accordance with the Order of the FSTEC of Russia, FSB of Russia and Ministry of Information and Communications of Russia No. 55/86/20 dated February 18, 2009 "On approval of the procedure for classifying personal data information systems" (repealed December 31, 2013).

Classification of an ISPD is carried out at the stage of its creation or during its operation, but always before the personal data protection system is built. In general, all information systems that process personal data are divided into two classes depending on the security characteristics of the processed data:

Typical information systems: systems in which only the confidentiality of the processed personal data needs to be ensured.

Special information systems: systems in which at least one security characteristic other than confidentiality (for example, integrity or availability) needs to be ensured. Special information systems include:

  1. ISPD that process personal data about the health status of personal data subjects;
  2. ISPD that make decisions based solely on automated processing of PD, where those decisions may entail legal consequences for the personal data subject or otherwise affect his legal rights and interests.

According to the methodology proposed in the Order, an ISPD is classified depending on the number of subjects whose data is processed (Xnpd) and the category of personal data processed (Xpd).

Depending on the volume of personal data processed in the ISPD (Xnpd), the following categories of ISPD are distinguished:

  1. Category 1 (Xnpd = 1): the information system simultaneously processes personal data of more than 100,000 personal data subjects, or personal data of subjects within a constituent entity of the Russian Federation or the Russian Federation as a whole;
  2. Category 2 (Xnpd = 2): the information system simultaneously processes personal data of from 1,000 to 100,000 personal data subjects, or personal data of subjects working in a sector of the economy of the Russian Federation or in a government body, or living within a municipality;
  3. Category 3 (Xnpd = 3): the information system simultaneously processes personal data of fewer than 1,000 personal data subjects, or personal data of subjects within a specific organization.

The Order also defines the categories of personal data processed in the information system (Xpd). The class of a typical ISPD is read from the combination of the Xpd category and the Xnpd value in the following table:

Table 6.1. Determining the information system class

Xpd category   | Xnpd = 3 | Xnpd = 2 | Xnpd = 1
category 4     |    K4    |    K4    |    K4
category 3     |    K3    |    K3    |    K2
category 2     |    K3    |    K2    |    K1
category 1     |    K1    |    K1    |    K1

Let's look at what each ISPD class means separately:

  • class 1 (K1): information systems for which a violation of the specified security characteristics of the personal data processed in them can lead to significant negative consequences for the personal data subjects;
  • class 2 (K2): information systems for which a violation of the specified security characteristics of the personal data processed in them may lead to negative consequences for the personal data subjects;
  • class 3 (K3): information systems for which a violation of the specified security characteristics of the personal data processed in them may lead to minor negative consequences for the personal data subjects;
  • class 4 (K4): information systems for which a violation of the specified security characteristics of the personal data processed in them does not lead to negative consequences for the personal data subjects.

Class 1 is the highest. If several subsystems are distinguished within an ISPD, the class of the ISPD as a whole corresponds to the highest class among its component subsystems.

Thus, the higher the ISPD class, the higher the requirements for ensuring the security of personal data.

The procedure for defining a class for special systems is somewhat different from standard ones. The class of special ISPD is determined on the basis of the organization’s private threat model in accordance with the methodological documents of the FSTEC. Classifying an information system as a special one can significantly reduce the costs of building a data protection system, since the operator in this case can reasonably select the minimum number of current threats from which personal data protection is necessary. For example, if the system contains information about a person’s income (for example, 1C), such a system can be classified as a special system, since the legitimate interests of a person are affected. The same applies to information about disability, race, etc. Classifying ISPD as special in practice is a rather controversial issue.

The ISPD class may be revised.

Registration No. 11462

In accordance with paragraph 6 of the Regulations on ensuring the security of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 17, 2007 N 781 "On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems" (Collected Legislation of the Russian Federation, 2007, No. 48, Part II, Art. 6001), we order:

Approve the attached Procedure for the classification of personal data information systems.

Director of the Federal Service for Technical and Export Control S. Grigorov

Director of the Federal Security Service of the Russian Federation N. Patrushev

Minister of Information Technologies and Communications of the Russian Federation L. Reiman

The procedure for classifying personal data information systems

1. This Procedure determines the classification of personal data information systems, which are a set of personal data contained in databases, as well as information technologies and technical means that allow the processing of such personal data using automation tools (hereinafter referred to as information systems) [1].

2. The classification of information systems is carried out by state bodies, municipal bodies, legal entities and individuals who organize and (or) carry out the processing of personal data, as well as determining the purposes and content of the processing of personal data (hereinafter referred to as the operator) [2].

3. The classification of information systems is carried out at the stage of creating information systems or during their operation (for previously put into operation and (or) modernized information systems) in order to establish methods and means of protecting information necessary to ensure the security of personal data.

4. Classification of an information system includes the following steps:

collection and analysis of initial data on the information system;

assignment of the appropriate class to the information system and its documentation.

5. When classifying an information system, the following initial data are taken into account:

category of personal data processed in the information system (Xpd);

volume of personal data processed (number of personal data subjects whose personal data is processed in the information system) (Xnpd);

security characteristics of personal data processed in the information system specified by the operator;

information system structure;

availability of connections of the information system to public communication networks and (or) international information exchange networks;

personal data processing mode;

mode of delimiting access rights of users of the information system;

location of technical means of the information system.

6. The following categories of personal data processed in the information system (Xpd) are defined:

7. Xnpd can take the following values:

1 - the information system simultaneously processes personal data of more than 100,000 personal data subjects or personal data of personal data subjects within a constituent entity of the Russian Federation or the Russian Federation as a whole;

2 - the information system simultaneously processes personal data of from 1,000 to 100,000 personal data subjects, or personal data of personal data subjects working in a sector of the economy of the Russian Federation or in a government body, or living within a municipality;

3 - the information system simultaneously processes personal data of fewer than 1,000 personal data subjects, or personal data of personal data subjects within a specific organization.

8. According to the security characteristics of personal data processed in the information system specified by the operator, information systems are divided into typical and special information systems.

Typical information systems are information systems that require only ensuring the confidentiality of personal data.

Special information systems are information systems in which, regardless of the need to ensure the confidentiality of personal data, it is necessary to ensure at least one of the security characteristics of personal data other than confidentiality (security from destruction, modification, blocking, as well as other unauthorized actions).

Special information systems should include:

information systems in which personal data relating to the health status of the subjects of personal data are processed;

information systems that provide for the adoption, based solely on automated processing of personal data, of decisions that give rise to legal consequences in relation to the subject of personal data or otherwise affect his rights and legitimate interests.

9. According to their structure, information systems are divided into:

autonomous (not connected to other information systems) complexes of hardware and software designed for processing personal data (automated workstations);

complexes of automated workstations integrated into a single information system by means of communication without the use of remote access technology (local information systems);

complexes of automated workstations and (or) local information systems combined into a single information system by means of communication using remote access technology (distributed information systems).

10. Based on the presence of connections to public communication networks and (or) international information exchange networks, information systems are divided into systems with connections and systems without connections.

11. According to the mode of processing personal data in the information system, information systems are divided into single-user and multi-user.

12. Based on the delimitation of user access rights, information systems are divided into systems without delimitation of access rights and systems with delimitation of access rights.

13. Information systems, depending on the location of their technical means, are divided into systems, all technical means of which are located within the Russian Federation, and systems, the technical means of which are partially or entirely located outside the Russian Federation.

14. Based on the results of the analysis of source data, a typical information system is assigned one of the following classes:

class 1 (K1) - information systems for which a violation of the specified security characteristics of personal data processed in them can lead to significant negative consequences for the subjects of personal data;

class 2 (K2) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to negative consequences for the subjects of personal data;

class 3 (K3) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to minor negative consequences for the subjects of personal data;

class 4 (K4) - information systems for which violation of the specified security characteristics of personal data processed in them does not lead to negative consequences for the subjects of personal data.

15. The class of a typical information system is determined in accordance with the table.

16. Based on the results of the analysis of the initial data, the class of a special information system is determined on the basis of a model of threats to the security of personal data, in accordance with the methodological documents developed under paragraph 2 of the Decree of the Government of the Russian Federation of November 17, 2007 N 781 "On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems" [3].

17. If subsystems are identified within an information system, each of which is an information system, the information system as a whole is assigned a class corresponding to the highest class of its subsystems.

18. The results of the classification of information systems are documented in the corresponding act of the operator.

19. The information system class can be revised:

by decision of the operator based on his analysis and assessment of threats to the security of personal data, taking into account the characteristics and (or) changes of a specific information system;

based on the results of measures to monitor compliance with the requirements for ensuring the security of personal data during their processing in the information system.

[1] Paragraph one of clause 1 of the Regulations on ensuring the security of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 17, 2007 N 781 (Collected Legislation of the Russian Federation, 2007, N 48, Part II, Art. 6001) (hereinafter referred to as the Regulations).

[2] Paragraph one of clause 6 of the Regulations.

[3] Collected Legislation of the Russian Federation, 2007, N 48, Part II, Art. 6001.

In connection with the invalidation of the Decree of the Government of the Russian Federation of November 17, 2007 No. 781 "On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems" (Collected Legislation of the Russian Federation, 2007, No. 48, Art. 6001), we order:

to invalidate the order of the Federal Service for Technical and Export Control, the Federal Security Service of the Russian Federation and the Ministry of Information Technologies and Communications of the Russian Federation dated February 13, 2008 No. 55/86/20 "On approval of the Procedure for classifying personal data information systems" (registered with the Ministry of Justice of the Russian Federation on April 3, 2008, registration No. 11462).

Minister of Communications and Mass Communications of the Russian Federation N. Nikiforov

Document overview

The joint order of the FSTEC of Russia, the FSB of Russia and the Ministry of Information and Communications of Russia, which approved the procedure for classifying information systems of personal data, is declared invalid.

The reason is that the Regulation on ensuring the security of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 17, 2007 N 781, has itself been invalidated. The new procedure is set out in Decree of November 1, 2012 N 1119.

We inform you that the joint order of the Ministry of Education and Science of the Republic of Tatarstan and the State Institution “Center for Information Technologies of the Republic of Tatarstan” No. 1156/09/29-o dated May 18, 2009 approved an action plan for ensuring information security of personal data information systems in educational institutions of the Republic of Tatarstan.

On the basis of the specified plan, and in order to bring the personal data information systems of the educational institutions of the Republic of Tatarstan into compliance with the requirements of Federal Law of the Russian Federation of July 27, 2006 No. 152-FZ "On Personal Data", I ask you to organize a set of measures to protect personal data.

1. Ensure the appointment in subordinate educational institutions of officials responsible for ensuring the security of personal data.

2. In all subordinate institutions, determine the information systems in which personal data are processed, classify them in accordance with the “Procedure for the classification of personal data information systems” (Appendix No. 2), approve the classification act (Appendix No. 3).

3. Before June 22, 2009, provide information about the personal data information systems of all subordinate educational institutions using the attached form (Appendix No. 4) to the Ministry of Education and Science of the Republic of Tatarstan. Send information in summary form to the following email address:

Attachments:

1. Joint order of the Ministry of Education and Science of the Republic of Tatarstan and the State Institution "Information Technology Center of the Republic of Tatarstan" No. 1156/09/29-o dated 05/18/2009, 1 copy, 3 sheets.

2. Order No. 55/86/20 dated February 13, 2008 "On approval of the Procedure for classifying personal data information systems", 1 copy, 8 sheets.

3. Example of an order to create a commission and of a classification act, 1 copy, 3 sheets.

4. Form "Information on personal data information systems", 1 copy, 1 sheet.

Prepared by: R.N. Khusnutdinov

Tel 2929003

On information security measures for personal data information systems in educational institutions of the Republic of Tatarstan

In order to implement the requirements of the regulatory documents of the Russian Federation and the Republic of Tatarstan in the field of information security, I ORDER:

1. Approve the attached action plan to ensure the information security of personal data information systems in educational institutions of the Republic of Tatarstan.

2. I reserve control over the execution of this order.

PLAN of measures to ensure information security of personal data information systems in educational institutions of the Republic of Tatarstan

(Columns of the plan: No.; Event name; Deadline; Responsible for implementation; Note.)

1. Inventory of information systems processing personal data; classify the IS and approve the classification act.
   Deadline: June 2009.
   Note: carry out the inventory in the prescribed form.

2. Sending of notifications by educational institutions (personal data operators) to the authorized body for the protection of the rights of personal data subjects.
   Deadline: June 2009.
   Responsible: Ministry of Education and Science of the Republic of Tatarstan, educational authorities of the Republic of Tatarstan, educational institutions of the Republic of Tatarstan that have not sent notifications.

3. Preparation of a package of standard documents:
   • Statement on the protection of personal data;
   • Regulations on the information protection unit;
   • Job regulations of persons responsible for personal data protection;
   • Action plan for personal data protection;
   • Plan of internal audits of the state of personal data protection;
   • Order on the appointment of persons responsible for PD;
   • Logbook for recording control activities;
   • Logbook for recording requests from personal data subjects regarding the exercise of their legal rights;
   • Sample journal (book) for recording personal data;
   • Rules for using information security tools;
   • Sample agreement with an employee on liability for disclosure of personal data.
   Deadline: July 2009.
   Responsible: GU CIT RT, Ministry of Education and Science of the Republic of Tatarstan.

4. Survey and identification of several priority groups of educational institutions for subsequent certification of information systems at the expense of the centralized budget of the Republic of Tatarstan.
   Deadline: August 2009.

5. Certification of PD information systems in accordance with clause 8 of this plan.
   Deadline: November 2009.
   Responsible: GU CIT RT, Ministry of Education and Science of the RT, educational authorities of the RT, educational institutions of the Republic of Tatarstan.

6. Organize and maintain a system for protecting confidential information from unauthorized access in accordance with the established IS class, using security tools certified in the prescribed manner.
   Deadline: constantly.
   Responsible: Ministry of Education and Science of the Republic of Tatarstan, educational authorities of the Republic of Tatarstan, educational institutions of the Republic of Tatarstan.


Registered with the Ministry of Justice of Russia

APPROVED by order of the FSTEC of Russia No. 55/86/20

Procedure for conducting classification of personal data information systems

(The text of this Procedure is identical to the Procedure reproduced in full above.)



Standard form: list of personal data information systems (ISPD) in which information security must be ensured

(Table with columns 1-10: No.; address of the object; ISPD structure; PD processing mode; ISPD class; Note*. The full set of column headings is given in the filled-in example that follows.)
Example of filling out the list

Column headings (1-10): 1 No.; 2 Name of the ISPD (its component part); 3 Name of the object (full and abbreviated), industry (departmental) affiliation, address of the object; initial data of ISPD classification: 4 ISPD structure, 5 availability of connections to SSOP and international information exchange networks (Internet), 6 PD processing mode, 7 user access restrictions, 8 location of the ISPD (its components) within Russia; 9 ISPD class; 10 Note.

Row 1:
  Name of the ISPD: Air ticket subscription system of the company "AEROTRANS"
  Object: CJSC "AEROTRANS", Central Air Terminal building, offices No. 1501, 1502, No. 1720 (server), Moscow, Leningradsky Prospekt, 35
  ISPD structure: distributed system
  Connections: connected to the Internet, using SSOP
  PD processing mode: multi-user
  User access restrictions: with differentiation of access rights
  Location within Russia: subscriber point on the territory of Ukraine (Kyiv, Boryspil airport)
  ISPD class: 2
  Note: the system has subscriber points (AP) at Sheremetyevo, Domodedovo and Vnukovo airports

An example of an order to create a commission for ISPD classification

On the classification of personal data information systems

In order to classify the personal data information systems located in the building ______________ according to the conditions of their functioning from the point of view of information security and their compliance with information security requirements, I ORDER:

1. Appoint a commission consisting of:

Chairman of the commission: Deputy Head of the Educational Institution ***

Members of the commission: Head of the Accounting and Reporting Department ***; Head of the HR Policy Department ***; Chief Specialist ***

2. Carry out the classification in accordance with the "Procedure for the classification of personal data information systems", approved by order of the FSTEC of Russia, FSB of Russia and Ministry of Information and Communications of Russia dated February 13, 2008.

3. Based on the results of the work, submit for approval the "Act of classification of personal data information systems located in the building of the educational institution".

4. I reserve control over the execution of this order.

Head of the educational institution ****
Example of an ISPD classification act

ACT No. _/AKl dated ___ ___________ 200_
on the classification of personal data information systems located in the building of the educational institution

The commission consisting of:

Chairman of the commission: Deputy Head of the Educational Institution

Members of the commission: Head of the Accounting and Reporting Department; Head of the HR Policy Department; Chief Specialist

has established:

1. The composition of the personal data information systems is given in the "List of information systems in which information security must be ensured" (Appendix 1).
2. The highest category of personal data processed in the information systems (Xpd) is "category _".
3. The largest volume of personal data processed (Xnpd) corresponds to value _.
4. In accordance with the "Procedure for the classification of personal data information systems", approved by order of the FSTEC of Russia, FSB of Russia and Ministry of Information and Communications of Russia dated February 13, 2008, the information system as a whole is assigned class _.

Chairman of the commission: Deputy Head of the Institution

Members of the commission: Head of the Accounting and Reporting Department; Head of the HR Policy Department; Chief Specialist

List of personal data information systems (ISPD) in which information security must be ensured

Columns (1-10): 1 No.; 2 Name of the ISPD (its component part); 3 Name of the object (full and abbreviated), industry (departmental) affiliation, address of the object; 4-8 initial data of ISPD classification: ISPD structure; availability of connections to SSOP and international information exchange networks (Internet); PD processing mode; user access restrictions; location of the ISPD (its components) within Russia; 9 ISPD class; 10 Note.

(Row 1 is left blank for completion.)

* Column 10 indicates additional information about the system that the owner of the system considers necessary to include in the list. Columns 4-8 indicate the information used in the classification of the ISPD in accordance with the Procedure for the classification of personal data information systems (Appendix to the Order of the FSTEC of Russia, FSB of Russia and Ministry of Information and Communications of Russia dated February 13, 2008 No. 55/86/20 "On approval of the Procedure for classifying personal data information systems").

Information about the personal data information system

The form is a table with the columns “No.”, “Issues covered” and “Answer”; the guidance and examples for each row are given below.

1. Name of the personal data information system (ISPDn), system developer.
   Example: “1C Enterprise”, 1C company.

2. ISPD class.
   Indicate the ISPDn class in accordance with the classification act.

3. Goals and status of ISPD.
   Indicate why and on what basis the system was created (in accordance with the law, to fulfill a contract with an insurance company, on its own initiative, etc.).
   Example: maintaining personnel and accounting records for employees; created in accordance with the law.

4. Volume and composition of ISPDn.
   Indicate the number of personal data subjects whose data is processed in the system and the content of the information (full name, address, tax identification number, nationality, etc.).

5. ISPDn sources.
   Indicate the sources from which personal data is obtained (from the citizen, from other educational institutions, from third parties, etc.).

6. Processing mode and access to ISPDn.
   Specify the processing mode (single-user, multi-user), the access arrangement (with or without delimitation of access rights) and the name of the document regulating access, if any.
   Example: multi-user, with access control, no regulations.

7. ISPDn users.
   Example: internal users (departments, structural units); external users (names of organizations).

8. Methods of transmitting information to users.
   Example: on paper, on magnetic media, via secure communication channels, etc.

9. Operator (Article 3, Clause 2 of Federal Law-152) or the person entrusted with the processing of PD (Clause 10 of the “Regulations...”); the legal basis for the processing of personal data (who made the decision and in what document it is recorded).
   Indicate the full name (according to the charter) and postal address of the organization and the documents on the basis of which the institution operates.
   Example: Ministry of Education and Science of the Republic of Tatarstan; Decree of the President of the Republic of Tatarstan “On the transformation of the Ministry of Education of the Republic of Tatarstan” dated 09.09.2004 No. UP-570; Regulations on the Ministry of Education and Science of the Republic of Tatarstan.

10. Start date of PD processing.

11. Storage period.
   Establish data storage periods for each ISPD, if the period is not established by law.

12. Terms or conditions for termination of processing.
   Establish processing deadlines for each ISPD, if the period is not established by law.

13. Information on the inclusion of ISPD in the state register of databases.

Note: “Regulations on ensuring the security of personal data during their processing in personal data information systems” was approved by Decree of the Government of the Russian Federation of November 17, 2007 No. 781.

Regulations on ensuring the security of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 17, 2007 N 781 “On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems” (Collection of Legislation of the Russian Federation, 2007, N 48, part II, article 6001), we order:

Approve the attached Procedure for the classification of personal data information systems.

Director
Federal service
on technical
and export controls
S.I.GRIGOROV

Director
Federal Security Service
Russian Federation
N.P.PATRUSHEV

Minister
information technology and communications
Russian Federation
L.D.REIMAN

APPROVED
By order
FSTEC of Russia,
FSB of Russia,
Ministry of Information and Communications of Russia
dated February 13, 2008 N 55/86/20

PROCEDURE
FOR THE CLASSIFICATION OF PERSONAL DATA INFORMATION SYSTEMS

1. This Procedure determines the classification of personal data information systems, which are a set of personal data contained in databases, as well as information technologies and technical means that allow the processing of such personal data using automation tools (hereinafter referred to as information systems)<*>.

2. The classification of information systems is carried out by state bodies, municipal bodies, legal entities and individuals who organize and (or) carry out the processing of personal data, as well as determining the purposes and content of the processing of personal data (hereinafter referred to as the operator)<*>.

<*> Paragraph one of clause 6 of the Regulations.

3. The classification of information systems is carried out at the stage of creating information systems or during their operation (for previously put into operation and (or) modernized information systems) in order to establish methods and means of protecting information necessary to ensure the security of personal data.

4. Carrying out the classification of information systems includes the following steps:

collection and analysis of initial data on the information system;

assignment of the appropriate class to the information system and its documentation.

5. When classifying an information system, the following initial data are taken into account:

volume of personal data processed (number of personal data subjects whose personal data is processed in the information system) - X_npd;

security characteristics of personal data processed in the information system specified by the operator;

information system structure;

availability of connections of the information system to public communication networks and (or) international information exchange networks;

personal data processing mode;

mode of delimiting access rights of users of the information system;

location of technical means of the information system.

6. The following categories of personal data processed in the information system (X_PD) are defined:

7. X_npd can take the following values:

1 - the information system simultaneously processes personal data of more than 100,000 personal data subjects or personal data of personal data subjects within a constituent entity of the Russian Federation or the Russian Federation as a whole;

2 - the information system simultaneously processes personal data from 1,000 to 100,000 personal data subjects or personal data of personal data subjects working in the economic sector of the Russian Federation, in a government agency, living within a municipality;

3 - the information system simultaneously processes data of less than 1000 personal data subjects or personal data of personal data subjects within a specific organization.

8. According to the security characteristics of personal data processed in the information system specified by the operator, information systems are divided into typical and special information systems.

Typical information systems are information systems in which only the confidentiality of personal data needs to be ensured.

Special information systems should include:

information systems in which personal data relating to the health status of the subjects of personal data are processed;

information systems that provide for the adoption, based solely on automated processing of personal data, of decisions that give rise to legal consequences in relation to the subject of personal data or otherwise affect his rights and legitimate interests.

9. According to their structure, information systems are divided into:

autonomous (not connected to other information systems) complexes of hardware and software designed for processing personal data (automated workstations);

complexes of automated workstations integrated into a single information system by means of communication without the use of remote access technology (local information systems);

complexes of automated workstations and (or) local information systems, combined into a single information system by means of communication using remote access technology (distributed information systems).

10. Based on the presence of connections to public communication networks and (or) international information exchange networks, information systems are divided into systems with connections and systems without connections.

11. According to the mode of processing personal data in the information system, information systems are divided into single-user and multi-user.

12. Based on the delimitation of user access rights, information systems are divided into systems without delimitation of access rights and systems with delimitation of access rights.

13. Information systems, depending on the location of their technical means, are divided into systems, all technical means of which are located within the Russian Federation, and systems, the technical means of which are partially or entirely located outside the Russian Federation.

14. Based on the results of the analysis of source data, a typical information system is assigned one of the following classes:

class 1 (K1) - information systems for which a violation of the specified security characteristics of personal data processed in them can lead to significant negative consequences for the subjects of personal data;

class 2 (K2) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to negative consequences for the subjects of personal data;

class 3 (K3) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to minor negative consequences for the subjects of personal data;

class 4 (K4) - information systems for which violation of the specified security characteristics of personal data processed in them does not lead to negative consequences for the subjects of personal data.

... paragraph 2 of the Decree of the Government of the Russian Federation of November 17, 2007 N 781 "On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems"<*>.

<*>Collection of Legislation of the Russian Federation, 2007, N 48, part II, art. 6001.

17. If subsystems are identified within an information system, each of which is an information system, the information system as a whole is assigned a class corresponding to the highest class of its subsystems.

18. The results of the classification of information systems are documented in the corresponding act of the operator.

19. The information system class can be revised:

by decision of the operator based on his analysis and assessment of threats to the security of personal data, taking into account the characteristics and (or) changes of a specific information system;

based on the results of measures to monitor compliance with the requirements for ensuring the security of personal data during their processing in the information system.
