If you do everything according to Feng Shui, then a bunch of regulatory documents should be developed.
In general, your sequence of actions in terms of technical protection is as follows:
- develop a threat model in which you define actual threats;
- based on the type of threats (I believe that in 99% of cases it is the third), according to government decree No. 1119, set the level of security for ISPD;
- take FSTEC order No. 21 and choose measures according to the KZ that you have determined, there is a large field for action, there are basic measures, there are compensating ones, you can generally come up with your own measures, proving the “economic inexpediency” of applying measures from the FSTEC order. The main thing is that measures (technical and organizational) neutralize actual threats;
- note that if your organization is commercial, then you do not have to use certified means of protection (the order of the FSTEC says something like "certified information security tools are used if it is necessary to neutralize current threats "). For government agencies, simply the use of information security tools is additionally defined by some other regulations, so they can’t get away, but if you are commerce and can neutralize your threats with regular OS tools (identification and authentication of users using AD tools, for example) or using free software (squid, etc. ), then the flag is in your hands!
As for the “paper” protection of personal data, then everything is written entirely in 152-FZ. You must have appointed responsible persons, a list of persons allowed to work with personal data, a regulation on working with personal data, a number of instructions (password, anti-virus protection, etc.), a number of magazines ...

SMS login with one-time passwords is more than enough against password hijacking and it is convenient to some extent. It’s impossible to tell you the rest) You ask “Make me a pro”) You don’t ask for anything complicated)

I didn’t defend projects according to PD, but I heard a little.
Firstly, all users must check the box with the processing of their PD agrees, and in my opinion there should be a list of which PD he agrees to process.
Secondly, in the spirit of the law, the user should be able to revoke permission to process his personal data and be sure that they will be deleted (well, the latter falls on the shoulders of the organization operating the admin panel, but it would be nice to provide a button that sends at least an email)
Thirdly for good, each place of an employee working with other people's PD should be protected by PD (this is an official procedure, quite a few companies carry it out - they will tell you which technologies should be used better than me).
Fourthly, I’m not sure anymore, but it would be great if, again, the entire system would be certified according to PD in the Russian Federation (http://goo.gl/AvkNWn - here someone with lists will help)

If you need real protection, then also start with a threat model and an intruder model. And start neutralizing current threats.
Is the threat of interception of information in public networks relevant? We encrypt traffic.
Is the threat of leaking the database by insiders actual? Organize protection against unauthorized access.
Is there a real threat that someone will see important information on the monitor through a window through binoculars? Turn the monitors in the office back to the windows or use blinds. Is this threat irrelevant? Describe why.
etc.

Probably now there will be materials explaining the practical side of FSTEC orders 21 and 17. So far, there are documents like www.ivanboytsov.ru/2013/07/21-17.html , where everything is vague, but leads to reflection.

The requirement of access to this information "from anywhere in the world" is not obvious. What about cross-border transmission?