linux

How can we protect the personal data we process on a Linux+Apache+MySQL+Django server?

Dear! Tell me how to meet the requirements of the law FZ-152 for the Ubuntu server + Apache + Django + MySQL + self-written software on Django?
There is a development of a workflow automation system for a private school, while DVP. Personal data: full name and phone numbers of students and their parents (publicly available identifying data). I would like to put the server outside so that students and parents can view their data from the outside. By https, we will buy a certificate.
I read and read laws / opinions and there is no understanding - what needs to be done? What software to install and whether it is necessary?
habrahabr.ru/qa/32163/ - I saw that we will do administrative measures (writing internal documents and appointing employees).
PP-1119 dated November 1, 2012 - I read, I understood that we have "Public PD of the operator's employees or public PD of less than 100,000 PD subjects who are not employees of the operator", with an understanding of the level of threats - an ambush ...
And now the questions:
- Possible holes in system software - is this the first type of threat? or third? This depends on the level of protection.
- What kind of beast is the "electronic message log" from the 2nd level of protection? is this syslog?
- Even if we provide the 4th, the lowest, level of security - which certified information security tools should be used for our technology stack and should they? built-in firewalls on IPtables - does it satisfy? Only 2 ports will be open outside (https + non-standard ssh)
- How to compile (and compile) a threat model?
— Should the hosting provider where we install a dedicated server be certified? access to the server room and all that ...
- do I need to register anything with the regulators? and what, if necessary?
Thank you in advance :)