Information Security
Evgeny Ilin, 2016-11-03 14:18:02

What measures should be taken to protect personal data in a data center or in your own server room?

Good day to all!
I am asking for help from security specialists, or from those who, like me, are going through this on their own.
I am a developer and the technical director of the project; I have never been a security specialist, it just turned out that way.
The situation is as follows. There is a project that processes PD; in effect it is an ISPD, classified as UZ-2 or UZ-1 (in fact, I am currently spending time trying to determine the classification more precisely).
1. What needs to be done to implement all the measures required by the legislation of the Russian Federation? Where to begin?
2. Would moving all of the project's servers from our own server room to a data center (one with FSTEC certification) and renting a rack help? What is needed to organize personal data protection in our own server room?
3. What hardware is needed and may be used? Do gateways need to be certified?
I will say right away that we do not have our own security specialist at the moment. When we tried to outsource this, we received a fairly large bill for services whose necessity for the project at its current stage we cannot assess.
I ask the community for help.
P.S. If you have commercial (preferably comprehensive) proposals (from yourself, for example), those are welcome too.


3 answer(s)
Max, 2016-11-03
@MaxDukov

Free advice:
Read 152-FZ, Government Decree 1119, and FSTEC Order 21. If access to the ISPD from outside is planned, then properly speaking you should also look at FSB Order 378. The first thing to do is to write or find ready-made policies, all sorts of regulations, etc. Then a list of PD and (or perhaps before that) registration with the RKN. Then the ISPD classification.
"FSTEC certification of a data center" sounds menacing. To protect an ISPD on your own premises, you must follow the orders above. Any hardware can be used, but using certified protection means is cheaper on the nerves. Gateway certification depends on whether you plan to present the gateway as a protection means.

Sanes, 2016-11-03
@Sanes

If I'm not mistaken, you should have a chief engineer. If so, a security specialist will have to be hired.

Eugene, 2016-11-07
@hokop

Protection of personal data, from the point of view of the law and of those who inspect it, is more about paper than about technology.
As was said above, you need to read 152-FZ, PP 1119, and FSTEC Order 21.
As for UZ-1 or UZ-2, you have surely gone overboard, since for that you would have to declare threats of backdoors in the application/system software as relevant for yourself, and nobody does that voluntarily, as it leads to unnecessary problems when building the protection system.
Everyone declares type 3 relevant threats for themselves, which ultimately gives UZ-3 or UZ-4 for 99% of ISPDs. (UZ-2 only results if you process a special category of PD for more than 100 thousand subjects, which is unlikely.)
P.S. I can build a turnkey SZPDn after clarifying all the details of your system (contacts in profile).
