Answer the question
In order to leave comments, you need to log in
Persian protection data in the intranet application in accordance with the requirements of fz-152?
Hello!
We are a state-owned enterprise (FSUE), non-employees must provide their passport details in order to receive a one-time one-day pass.
Previously, the process looked like this: if you invite a visitor, you request his data by email or write down by phone, fill out and print the form in excel and take it to the security guard for signature, after which it is already printed and sent to the checkpoint, where the visitor's PD is checked against the passport presented to them and on this basis issue him a visitor's pass.
We have written a small web application that is available on the internal network of the enterprise and allows you to enter all the visitor's data (both full name and personal data), but does not allow them to be viewed and edited later, the ability to view and correct the entered passport data is available only to employees of the security department, differentiation access is carried out at the application level in the program code, based on the settings stored in the database.
Microsoft products - IIS and MSSQL Server are used as a stack, the application is implemented on the ASP.NET MVC framework, and the browser acts as a client part.
Now one third-party organization is working on the certification of other systems that process personal data, for the described system they proposed an option using a limited number of PCs, because. according to them processing pers. data occurs (potentially) on all machines in the enterprise. That is, they offer to install special software on, roughly speaking, 50 PCs and make it possible to work with the application only from these machines. This option does not suit us very much, ideally, we would like any user of the enterprise's local network to be able to enter all the visitor's data into the database (we can assume that the visitor's consent to use his data is available).
For other systems, everything was simpler, there was a limited circle of users (for example, all accounting), they were simply taken out to a separate subnet behind the firewall, there is no way to do this here, as far as I understand, because access control occurs not at the network level, but at the application level, in the logic of the server part of the application.
It seems to me that this situation is not unique, can someone tell me what options are there for organizing the protection of personal data in accordance with the requirements of the law, I am interested in schemes that would suit the regulatory authorities.
Thanks in advance.
P.S. I forgot to clarify, many enterprise PCs have Internet access through our proxy server, the entire network is domain-based, authentication in the application is also domain-based. There is a server room for secure server placement, only options for software or hardware data protection are of interest.
Answer the question
In order to leave comments, you need to log in
they proposed a variant using a limited number of PCs, because according to them processing pers. data occurs (potentially) on all machines in the enterprise. That is, they offer to install special software on, roughly speaking, 50 PCs and make it possible to work with the application only from these machines.
If you want to enter PD on all PCs, protect all PCs in accordance with FSTEC Order No. 17.
If you don’t want to protect all cars, think of withdrawing the input data from under 152-FZ: for example, enter only the first name / patronymic and passport series / number - without a registration address this will not be considered identifying data.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question