How to prepare for the FSTEC audit on information security?
Ask for help from the more experienced.
In the fall, the organization is expected to be audited by the FSTEC on information security. What actions need to be taken in this regard?
What can an inexperienced administrator of a personal data protection system read in which everything is written in simple, understandable language from A to Z?
Will it be a problem that the computers in the organization are running Windows XP, which will no longer be supported by Microsoft from April?
As for reading, it's difficult, because the laws need to be read (and they are difficult to remember), plus a consultant to help. And there were several articles on Habr.
You conduct an audit of the processing of personal data (what data, what is done with it, where it is transferred, where it is stored, etc.), you create a threat model, then you determine the level of security. For each action - documents (acts).
You conduct an audit of all systems for processing / transferring / storing PD. If the existing means of protection do not fit the level of security, you bring them up to it.
With Windows, by and large, it doesn't matter; the main thing is to close all "undocumented features".
On ispdn.ru there are a lot of discussions on the forum, even with examples of acts.
> What measures should be taken in connection with this?
If no action has been taken yet, then he will shoot himself.
You can't do anything quickly.
Wait for the inspection, the FSTEC will draw up an inspection report with an order to eliminate violations.
1. If your company is a FSTEC licensee, then you do not need to do anything, because if you do not know what to do, then other specially trained people do it.
2. If your company is not a FSTEC licensee, but has an IP protection agreement with a FSTEC licensee, then you don't need to do anything either, just inform these people about the fact of verification.
3. If you do not have a license or an agreement with a licensee, prepare for the organization and its officials to be held administratively liable.