Personal Information
u_story, 2013-09-02 23:16:45

Designing a system for working with personal data?

Hello. In my work I have been faced with a new task: organizing the protection of personal data.
Please tell me how it should be done in practice.
There is a server with data that falls under the law on the protection of personal data (data on employee income).
It is planned to make a web application (a nice web front end with autocomplete and hints) so that users can enter data about themselves through the web interface.
System requirements:
1. People can access it from anywhere in the world.
2. People can both be added to the list and removed from it.
3. There will be 2 types of accounts in the system: users, who have access only to their own data, and administrators, who have access to all data plus additional data upload functions.
How should the data be stored properly in the database, how should the web server be protected, and how should access be organized?
How should people be authenticated properly?
The software will most likely be developed on MS technologies, but additional software can be bought if needed.
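Requirement 3 above (users see only their own record, administrators see everything and can upload) is the part of the question that maps most directly onto code. The example below is added here and is not from the question or any answer; it assumes a hypothetical in-memory record store and models the two account types with a deny-by-default authorization check, an audit trail of every decision, and a self-service path that takes the record id from the authenticated account rather than from the request, so a user cannot ask for someone else's record by changing an id.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample store: employee income records keyed by a hypothetical employee id.
RECORDS = {
    "e101": {"name": "Ivanov", "income": 85000},
    "e102": {"name": "Petrova", "income": 92000},
}

@dataclass
class Account:
    login: str
    role: str                          # "user" or "admin", the two account types in the question
    employee_id: Optional[str] = None  # the one record a plain user owns; None for admins

AUDIT_LOG = []  # (timestamp, login, action, employee_id, allowed); every decision is recorded

def authorize(acct: Account, action: str, employee_id: Optional[str]) -> bool:
    """Deny by default. Users may read only their own record; admins may read any record and upload."""
    if acct.role == "admin":
        allowed = action in ("read", "upload")
    elif acct.role == "user":
        allowed = (action == "read" and employee_id is not None
                   and employee_id == acct.employee_id)
    else:
        allowed = False
    AUDIT_LOG.append((time.time(), acct.login, action, employee_id, allowed))
    return allowed

def read_own_record(acct: Account) -> dict:
    """Self-service path: the record id comes from the authenticated account, never from the request."""
    if not authorize(acct, "read", acct.employee_id):
        raise PermissionError(f"{acct.login} has no record to read")
    return RECORDS[acct.employee_id]

def read_record_as_admin(acct: Account, employee_id: str) -> dict:
    """Admin path: the id may come from the request, but the role check still runs first."""
    if not authorize(acct, "read", employee_id):
        raise PermissionError(f"{acct.login} may not read {employee_id}")
    return RECORDS[employee_id]

def upload_records(acct: Account, rows: dict) -> int:
    """Bulk upload, the extra function the question reserves for administrators."""
    if not authorize(acct, "upload", None):
        raise PermissionError(f"{acct.login} may not upload")
    RECORDS.update(rows)
    return len(rows)
```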

6 answers
Loreweil, 2013-09-03
@Loreweil

If you do everything by the book, then a bunch of regulatory documents should be developed.
In general, your sequence of actions in terms of technical protection is as follows:
- develop a threat model in which you define the actual threats;
- based on the type of threats (I believe that in 99% of cases it is the third type), according to government decree No. 1119, set the level of security for the ISPD;
- take FSTEC order No. 21 and choose measures according to the level you have determined; there is a large field for action: there are basic measures, there are compensating ones, and you can generally come up with your own measures, proving the "economic inexpediency" of applying measures from the FSTEC order. The main thing is that the measures (technical and organizational) neutralize the actual threats;
- note that if your organization is commercial, then you do not have to use certified means of protection (the FSTEC order says something like "certified information security tools are used if it is necessary to neutralize current threats"). For government agencies, the use of information security tools is additionally defined by some other regulations, so they can't get away from it, but if you are a commercial company and can neutralize your threats with regular OS tools (identification and authentication of users using AD tools, for example) or using free software (squid, etc.), then the choice is yours!
As for the "paper" protection of personal data, everything is written entirely in 152-FZ. You must have appointed responsible persons, a list of persons allowed to work with personal data, a regulation on working with personal data, a number of instructions (password, anti-virus protection, etc.), a number of logbooks ...

Alexander Borisovich, 2013-09-03
@Alexufo

SMS login with one-time passwords is more than enough against password hijacking, and it is convenient to some extent. It's impossible to tell you the rest :) You are asking "Make me a pro" :) You aren't asking for anything simple :)
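The answer above suggests SMS one-time codes as the second factor. The following is an added example, not code from the answer or the question: it shows the server-side half of such a scheme under assumed policy values (5-minute validity, 3 attempts), with each code usable exactly once, compared in constant time, and discarded on expiry or after too many wrong guesses. Sending the SMS itself is out of scope; the gateway call is a hypothetical hook.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed policy: a code is valid for 5 minutes
MAX_ATTEMPTS = 3        # assumed policy: a code is discarded after 3 wrong guesses

# In-memory store of pending codes keyed by login; constructed for the example.
# A real deployment would keep this in the session store.
_pending = {}

def issue_code(login: str, now: float = None) -> str:
    """Generate a 6-digit one-time code and record its expiry.
    Returns the code so the caller can hand it to the SMS gateway (hypothetical, not called here).
    Issuing a new code replaces any earlier one still pending for this login."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"  # CSPRNG, zero-padded to 6 digits
    _pending[login] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code

def verify_code(login: str, submitted: str, now: float = None) -> bool:
    """Single-use, time-limited check. The pending entry is removed on success,
    on expiry, and once MAX_ATTEMPTS wrong guesses have been made."""
    now = time.time() if now is None else now
    entry = _pending.get(login)
    if entry is None:
        return False                    # nothing issued, or already consumed
    if now > entry["expires"]:
        del _pending[login]
        return False                    # expired: the user must request a new code
    entry["attempts"] += 1
    if hmac.compare_digest(entry["code"], submitted):
        del _pending[login]             # one-time: a replay of the same code fails
        return True
    if entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[login]             # lock this code; further guesses cannot hit it
    return False
```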

Tel, 2013-09-03
@Tel

I haven't had projects certified for PD myself, but I have heard a little.
Firstly, all users must tick a box agreeing to the processing of their PD, and in my opinion there should be a list of which PD they agree to have processed.
Secondly, in the spirit of the law, the user should be able to revoke permission to process his personal data and be sure that it will be deleted (well, the latter falls on the shoulders of the organization operating the admin panel, but it would be nice to provide a button that at least sends an email).
Thirdly, ideally each workstation of an employee working with other people's PD should be protected in line with PD requirements (this is an official procedure, quite a few companies carry it out; they will tell you which technologies should be used better than I can).
Fourthly, I'm not sure any more, but it would be great if, again, the entire system were certified for PD in the Russian Federation (http://goo.gl/AvkNWn - someone with the lists will help here).

Loreweil, 2013-09-03
@Loreweil

If you need real protection, then also start with a threat model and an intruder model, and start neutralizing the current threats.
Is the threat of interception of information in public networks relevant? Encrypt the traffic.
Is the threat of the database being leaked by insiders relevant? Organize protection against unauthorized access.
Is there a real threat that someone will see important information on a monitor through a window with binoculars? Turn the monitors in the office away from the windows or use blinds. Is this threat irrelevant? Describe why.
And so on.

Pilat, 2013-09-03
@Pilat

Materials explaining the practical side of FSTEC orders 21 and 17 will probably appear now. So far there are documents like www.ivanboytsov.ru/2013/07/21-17.html , where everything is vague but gives food for thought.

alexey2000, 2013-09-04
@aleksey2000

The requirement for access to this information "from anywhere in the world" is not obvious. What about cross-border transfer?
