Year 2013 and personal data. What to do?
Hundreds of websites are dedicated to the protection of personal data (PD). But for the most part they present outdated information. So I have a question for the security practitioners in the Habr community: how is personal data protected in your organizations? What regulatory documents exist, and which decisions did you follow when creating such documents?
There are persistent rumors on the net about the abolition of PD classes and other innovations. In this regard, a question keeps swirling in my head: what to do? Where to start? How to bring all the documentation into the form required by law? I would like to receive a list of required documents and some manuals. And, well, guidance from more experienced security specialists.
I will answer as a practicing security specialist:
PD is protected in accordance with Federal Law 152-FZ and its by-laws.
This is where the fun begins. At first, there was 152-FZ in splendid isolation; then Government Decree PP-781 with protection requirements was attached to it, and FSTEC Order No. 58 and the "three-headed" Order 55/86/20 were attached to PP-781. There is also Decree 687 on non-automated processing and PP-512 on biometric PD carriers.
But everything changed in the summer of 2011: 152-FZ was reworked. The duties of the operator, the terminology, etc. changed (I especially draw attention to Chapter 4 of 152-FZ). And the by-laws immediately became irrelevant.
On November 1, 2012, PP-1119 was approved, which became the replacement for PP-781 and the three-headed order. PD classes have been canceled, and these are not rumors. This is now called "Security Level". Accordingly, FSTEC Order 58 has ceased to be relevant, and a replacement for it is currently being prepared (by the way, draft documents were posted on the site and comments from the public were accepted).
Well, what to do now?
First, conduct a survey of the company's business processes and identify where, in what quantity, and what type of PD is stored and processed.
Second, find and appoint the person specified in Article 22.1 of 152-FZ. He will organize everything.
Third, prepare to write internal documents: a Regulation on the processing of personal data, a Regulation on the person from Article 22.1, instructions for administrators and users of PD information systems, and various rules for technical protection (password access, antivirus protection, backup, cryptography). If necessary, draw up a consent to the processing of PD. And, if necessary, prepare a notification to Roskomnadzor.
There can be a lot of work, and it can't be described in one answer. And nobody will give you manuals, either.
Something like this.
In order not to pour out a lot of "water", I will ask what you have already done in the direction of "protecting personal data when it is processed in automated personal data systems":
1) Have you registered as a PD processor with the relevant subdivision of FSTEC?
2) Has a person responsible for the protection of personal data been appointed, and have the relevant orders been issued at the enterprise level?
3) Has an "Access Matrix" been compiled, have the relevant orders listing the employees authorized to work with PD been issued, and did you lay out in such an order the differentiation of access to PD of different categories by different officials?
4) Do you have the necessary consent from the PD subjects whose data you process?
5) What categories of PD do you have to work with? (Whether or not the categorization of PD will be canceled is a moot point; I personally think it is unlikely that biometric/medical data can be put on the same shelf as registration data and a SNILS number. Perhaps the system will be changed, but the separation will remain; at least for now, it exists.)
6) Do you use special FSTEC-certified software: firewalls, anti-virus software, ACS (data integrity control)?
7) Do you share personal data with other legal entities?
I will try to answer your questions regarding the current state of things; a few months ago we were inspected :) and passed without violations, with only a couple of remarks, and those were merely rhetorical.
If only about the security of PD during its processing (without touching on the operator's other duties, because that is a completely different field of activity):
1. Read Art. 19 of the Law "On Personal Data".
2. Study PP-1119 dated November 1, 2012 (ISPD classes were canceled; classify by security levels).
3. Fulfill the requirements found in the documents above.
4. The threat model can be written according to the relevant FSTEC document.
5. Study the draft FSTEC order and wait for its final version.
Tell me, what should software developers do?
For example, we make software for a bank. Personal data will be requested there and stored in a database controlled by our software.
Does anything special need to be done?
Or will the customer provide everything through internal regulations for maintaining the security of personal data?
We assume the use of encrypted data exchange protocols, and logins and passwords for accessing data through a web client. But is there a mandatory list of requirements that application software must follow?