1C and the protection of personal data: the technical side of ensuring the confidentiality of PD

  • 06.05.2020

The problem of protecting personal data is acute today: such data is processed and transmitted by all kinds of technical means. Private and public organizations that keep financial and personnel records are particularly affected. Federal Law No. 152-FZ protects the rights of personal data subjects and regulates the relations that arise when personal data operators process personal data, with or without automation. Under this law, personal data is any information relating to a specific natural person: name, date of birth, residential address, family, social and property status, education, profession and income.

What problems can you face?

The most popular accounting, personnel, sales-management and CRM systems in our country are products of the 1C company, including:

  • "1C:Enterprise";
  • "1C:Accounting";
  • "1C:Salary and Personnel Management";
  • "1C:Salary and Personnel of a Budgetary Institution" and many other similar programs.

A file database is readable by every user who works with it, so the information can simply be copied, which puts the organization in violation of Federal Law No. 152-FZ. Personal data in 1C therefore has to be protected in order to avoid serious consequences.

Many companies move the database into a SQL server. It is important to understand that the danger remains: personal data can still be exported and copied to external storage media, then transferred to mobile phones, memory cards or cloud storage, or sent by e-mail, Skype or Telegram.

Attackers also commonly take screenshots, or move data out of 1C into a third-party file through the clipboard. This is considered the most common method, and companies very often suffer exactly this kind of personal data theft.

How to protect a company from confidential data theft?

There is a modern system that protects against leaks from 1C. DeviceLock DLP prevents a given user from copying information, and it also controls the clipboard. Its settings are flexible: individual programs can be selected and locked.

DeviceLock DLP can detect and selectively block screenshots, for specific users or for specific applications. It selectively allows or denies access to particular files, and the responsible person in the company is notified of attempts to copy information to external devices or send it over the network. Take advantage of this offer to avoid unpleasant consequences.


In accordance with Federal Law No. 359-FZ of December 23, 2010, personal data information systems had to be brought into line with the requirements of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" by July 1, 2011. Below are answers to current questions on this topic.

In accordance with Order No. 58 of the FSTEC of Russia dated February 5, 2010, information protection means are divided into means of protection against unauthorized access (an access control system, anti-virus protection, firewalls, blocking of input/output devices, cryptographic tools, etc.) and means of protection against leakage through technical channels (shielded cables, high-frequency filters on communication lines, active noise systems, etc.).

The set of measures needed to protect the rights of personal data subjects, including the choice of information protection means, is determined by the PD operator based on the classification of the personal data information system (hereinafter ISPD), which depends on the volume of personal data processed and on the threats to the vital interests of the individual, society and the state.

To comply with personal data legislation (taking into account Order No. 58 of the FSTEC of Russia dated February 5, 2010), the 1C:Enterprise 8.2 technological platform received specific improvements, in particular in the access control subsystem and the registration and accounting subsystem. Starting from version 8.2.10, the following features are implemented:

1) registration of successful and failed authentication (implemented from version 8.2.9);

2) registration of changes in user rights, so that it can be determined when which roles were assigned to a user;

3) registration of access denials. Every denial of access to a user is recorded; this makes it possible, for example, to search for mass attempts to access resources that are inaccessible to the user;

4) registration of access to protected resources:
- the developer enables registration of access to particular fields of particular metadata objects;
- the developer specifies what key information is to be included in the log event so that events can be searched;
- the system records every access to the specified information (for example, the employee whose data was accessed);
- the system allows the registered events to be selected by metadata and by data, for example to find all accesses to the protected data of a specific individual.
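As an added example (not code from 1C, and not part of the original article), here is a detection pass over an export of the registration log that uses the event kinds listed above: it flags a user who accumulates many access denials in a short window (point 3), lists every recorded access to the protected data of one individual (point 4), and lists changes to user rights (point 2). The tab-separated export layout (timestamp, user, event, metadata, data, comment) and event identifiers such as `_$Access$_.AccessDenied` are assumptions modelled on the platform's naming and must be checked against a real export before use; the log lines are constructed.

```python
# Added example, not code from 1C. Detection over an export of the 1C
# registration log. Assumptions: the export is tab-separated with the columns
# timestamp, user, event, metadata, data, comment; the event identifiers follow
# the platform's naming but must be verified against a real export.
# SAMPLE_EXPORT below is constructed for the example.
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    user: str
    event: str      # platform event identifier (assumed names, see above)
    metadata: str   # object the event refers to, e.g. "Catalog.Individuals"
    data: str       # key information the developer chose to log, e.g. the individual
    comment: str


ACCESS = "_$Access$_.Access"
ACCESS_DENIED = "_$Access$_.AccessDenied"
USER_EVENT_PREFIX = "_$User$_."   # New / Update / Delete of a user record


class Burst(NamedTuple):
    user: str
    count: int
    start: datetime
    end: datetime


# Constructed log: ivanov works normally; sidorov fails to log in once, later
# probes six protected objects within 40 seconds; petrova reads Petrov's record
# twice; admin then changes sidorov's roles.
SAMPLE_EXPORT = "\n".join([
    "2020-05-06T09:00:01\tivanov\t_$Session$_.Authentication\t\t\t",
    "2020-05-06T09:00:30\tivanov\t_$Access$_.Access\tCatalog.Individuals\tPetrov Petr Petrovich\tfield: PassportNumber",
    "2020-05-06T09:01:00\tsidorov\t_$Session$_.AuthenticationError\t\t\t",
    "2020-05-06T09:01:05\tsidorov\t_$Session$_.Authentication\t\t\t",
    "2020-05-06T09:05:00\tsidorov\t_$Access$_.AccessDenied\tCatalog.Individuals\tPetrov Petr Petrovich\t",
    "2020-05-06T09:20:00\tsidorov\t_$Access$_.AccessDenied\tInformationRegister.Salary\t\t",
    "2020-05-06T09:20:05\tsidorov\t_$Access$_.AccessDenied\tCatalog.Individuals\t\t",
    "2020-05-06T09:20:12\tsidorov\t_$Access$_.AccessDenied\tDocument.Payroll\t\t",
    "2020-05-06T09:20:20\tsidorov\t_$Access$_.AccessDenied\tCatalog.Employees\t\t",
    "2020-05-06T09:20:31\tsidorov\t_$Access$_.AccessDenied\tInformationRegister.Salary\t\t",
    "2020-05-06T09:20:40\tsidorov\t_$Access$_.AccessDenied\tCatalog.Individuals\t\t",
    "2020-05-06T09:30:00\tpetrova\t_$Access$_.Access\tCatalog.Individuals\tPetrov Petr Petrovich\tfield: Address",
    "2020-05-06T09:31:15\tpetrova\t_$Access$_.Access\tCatalog.Individuals\tPetrov Petr Petrovich\tfield: PassportNumber",
    "2020-05-06T09:40:00\tadmin\t_$User$_.Update\t\tsidorov\troles added: FullAccess",
])


def parse_export(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (6 - len(fields))          # tolerate trailing empty columns
        ts, user, event, metadata, data, comment = fields[:6]
        events.append(Event(datetime.fromisoformat(ts), user, event, metadata, data, comment))
    return events


def burst_access_denials(events: list[Event], threshold: int = 5,
                         window: timedelta = timedelta(minutes=1)) -> list[Burst]:
    """Sliding window per user: report the largest run of denials inside `window`
    that reaches `threshold`. A lone denial long before a run is dropped."""
    recent: dict[str, deque] = defaultdict(deque)
    best: dict[str, Burst] = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.event != ACCESS_DENIED:
            continue
        q = recent[e.user]
        q.append(e.ts)
        while e.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and (e.user not in best or len(q) > best[e.user].count):
            best[e.user] = Burst(e.user, len(q), q[0], e.ts)
    return sorted(best.values(), key=lambda b: b.user)


def accesses_to_subject(events: list[Event], subject: str) -> list[Event]:
    """All registered accesses whose logged key data names the given individual."""
    return [e for e in events if e.event == ACCESS and subject in e.data]


def rights_changes(events: list[Event]) -> list[Event]:
    """Events that create, change or delete a user record (role assignments)."""
    return [e for e in events if e.event.startswith(USER_EVENT_PREFIX)]


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    for b in burst_access_denials(evs):
        print(f"ALERT {b.user}: {b.count} access denials between {b.start} and {b.end}")
    for e in accesses_to_subject(evs, "Petrov Petr Petrovich"):
        print(f"access to Petrov by {e.user} at {e.ts} ({e.comment})")
    for e in rights_changes(evs):
        print(f"rights change by {e.user} on {e.data} at {e.ts}: {e.comment}")
```

On the sample, sidorov's six denials between 09:20:00 and 09:20:40 are reported as one burst (the denial at 09:05 falls outside the one-minute window), three accesses to Petrov's record are listed with the field that was read, and the role change for sidorov is listed with its author. Thresholds and the window are the tuning knobs; a user who legitimately works with many objects can produce isolated denials without ever forming a burst.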

Taking these improvements into account, 1C released the protected software package (ZPK) "1C:Enterprise, version 8.2z", which is a certified release of the 1C:Enterprise 8.2 technological platform.

Using the ZPK "1C:Enterprise, version 8.2z" makes it possible to meet the PD protection requirements of paragraph 5 of the Regulation on ensuring the security of PD during their processing in ISPD, approved by Decree of the Government of the Russian Federation No. 781, as well as the requirements of Order No. 58 of the FSTEC of Russia dated February 5, 2010 for class 1 ISPD operated in multi-user mode with differing access rights, as regards the access control subsystem (user identification and authentication), the registration and accounting subsystem (for example, registration of a subject's entry into and exit from the system) and integrity assurance (for example, verifying the integrity of the protection means by checksums).

It cannot be said that using the ZPK "1C:Enterprise, version 8.2z" implements all the requirements of Order No. 58 of the FSTEC of Russia dated February 5, 2010. A number of mandatory measures are organizational and administrative (for example, means of restoring the PD protection system, which requires keeping two copies of the software components of the information protection tools, with the administrator updating them periodically and checking that they work; or physical protection and accounting of protected information media). These have nothing to do with the ZPK. Other requirements of Federal Law No. 152-FZ and Order No. 58 must be met by other measures (anti-virus software, firewalls, etc.).

The 8.2z platform provides all the same features as 1C:Enterprise 8.2, including support for the same DBMS: MS SQL Server, PostgreSQL, IBM DB2 and Oracle Database.

What certification has been done?

The 1C company has certified the ZPK "1C:Enterprise 8.2z" for compliance with the requirements of the following guidance documents:

  • "Computer facilities. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" (State Technical Commission of Russia, 1992), security class 5;
  • "Protection against unauthorized access to information. Part 1. Information security software. Classification by the level of control of the absence of undeclared capabilities" (State Technical Commission of Russia, 1999), level 4 of control.

Based on the certification results, the ZPK "1C:Enterprise, version 8.2z" was recognized as a general-purpose software tool with built-in means of protection against unauthorized access to information that does not constitute a state secret. The certification also confirmed that the ZPK can be used to protect information in personal data information systems up to and including class 1.

Under the terms of the certification there are no special requirements for configurations (Enterprise Accounting, Salary and Personnel Management, etc.). Current PD legislation likewise imposes no requirements on software that is not an information protection tool. Consequently, the ZPK "1C:Enterprise 8.2z" can be used with any configuration developed on the 8.2 platform.

Clause 2.12 of the Regulation approved by Order No. 58 of the FSTEC of Russia dated February 5, 2010 provides that information security software used in class 1 ISPD is checked for the absence of undeclared capabilities, and clause 7 of the Order requires the use of information security software meeting level 4 of control of the absence of undeclared capabilities. Whether such control is needed for information security tools used in class 2 and class 3 ISPD is decided by the operator (authorized person).

In view of the above, mandatory use of information security tools checked for the absence of undeclared capabilities applies only to class 1 ISPD. The ZPK "1C:Enterprise, version 8.2z" can therefore be used to protect PD in ISPD of any class.

The procedure for selling ZPK "1C:Enterprise, version 8.2z" is defined in the information letter dated December 29, 2010 No. 12891.

ZPK "1C:Enterprise, version 8.2z" can be used for both file-server and client-server modes of operation.

Two versions of the protected software package are offered for sale. They differ in the distributions of the software products included in the package. The ZPK "1C:Enterprise, version 8.2z" (x86-32) is intended for workstations and 32-bit servers.

The ZPK "1C:Enterprise, version 8.2z" (x86-64) is intended for 64-bit servers. Note that this version of the package contains the distribution kits of both products.

The ZPK delivery set includes:

  • the distribution kit of the certified platform itself;
  • the form (formulyar) with a FSTEC holographic sticker and the checksum;
  • the specification;
  • the application description;
  • the program description;
  • a copy of the FSTEC certificate.

The document the PD operator must keep up to date is the form. It is in the form that records are made of the installation, of the results of periodic integrity checks of the ZPK "1C:Enterprise, version 8.2z", and of the installation of newly released certified releases.
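The periodic integrity check that the form records can be done routinely rather than by hand. The following is an added example, not 1C's own tooling, and the same approach applies to the checksum form shipped with the 8.3z package described further down: it records a baseline of per-file digests of an installed platform tree, then on each check reports modified, missing and unexpected files. The baseline format (one "hexdigest  relative/path" line per file) and the use of SHA-256 are this example's assumptions; the checksum printed in the form, produced with the checksum tool the form names, remains the authoritative value for the formal record, and the file names in the demo are constructed.

```python
# Added example, not 1C's own tooling: record and verify per-file checksums of
# an installed platform tree so that the periodic integrity check required by
# the ZPK form can be run and its result recorded. Assumptions: baseline lines
# look like "hexdigest  relative/path" (sha256sum style) and SHA-256 is used;
# the checksum printed in the form itself stays authoritative for the record.
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class IntegrityReport:
    modified: list = field(default_factory=list)    # digest differs from baseline
    missing: list = field(default_factory=list)     # in baseline, not on disk
    unexpected: list = field(default_factory=list)  # on disk, not in baseline
    checked: int = 0                                # files that matched

    def passed(self) -> bool:
        return not (self.modified or self.missing or self.unexpected)


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Stream the file through the hash so large distributions stay out of memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def dump_baseline(baseline: dict) -> str:
    """Serialize in sha256sum layout so the file can also be checked with that tool."""
    return "".join(f"{digest}  {rel}\n" for rel, digest in sorted(baseline.items()))


def parse_baseline(text: str) -> dict:
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, rel = line.split(None, 1)
        baseline[rel] = digest.lower()
    return baseline


def verify(root: Path, baseline: dict) -> IntegrityReport:
    report = IntegrityReport()
    current = build_baseline(root)
    for rel, expected in baseline.items():
        if rel not in current:
            report.missing.append(rel)
        elif current[rel] != expected:
            report.modified.append(rel)
        else:
            report.checked += 1
    report.unexpected = sorted(set(current) - set(baseline))
    return report


def demo() -> tuple:
    """Constructed scenario (file names illustrative): baseline a fake install,
    verify it, then tamper (patched binary, deleted library, dropped-in DLL)
    and verify again. Returns (clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "conf").mkdir()
        (root / "bin" / "1cv8.exe").write_bytes(b"platform binary (constructed)")
        (root / "bin" / "core.dll").write_bytes(b"core library (constructed)")
        (root / "conf" / "conf.cfg").write_text("SystemLanguage=ru\n")

        # Round-trip through the text format, as a stored baseline would be.
        baseline = parse_baseline(dump_baseline(build_baseline(root)))
        clean = verify(root, baseline)

        (root / "bin" / "1cv8.exe").write_bytes(b"platform binary (PATCHED)")
        (root / "bin" / "core.dll").unlink()
        (root / "bin" / "extra.dll").write_bytes(b"unknown library")
        tampered = verify(root, baseline)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean install passed:", clean.passed())
    print("after tampering: modified=%s missing=%s unexpected=%s"
          % (tampered.modified, tampered.missing, tampered.unexpected))
```

The baseline should be written once from the freshly installed certified distribution, after its checksum has been compared with the form, and then kept somewhere the platform's own users cannot write; a baseline stored next to the installation can be regenerated by whoever tampered with it.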

To certify newly released releases, an inspection control agreement was concluded. Under its terms, inspection control is carried out quarterly and a conclusion is issued extending the validity of the certificate to the corresponding new version, indicating its checksum.

Maintenance of software products that are not information security tools (including configurations developed on the 1C:Enterprise platform) does not constitute activity in the technical protection of confidential information.

To set up and administer the ZPK "1C:Enterprise, version 8.2z", and to carry out the full set of technical information protection work, it is recommended to engage organizations holding licenses from the FSTEC of Russia.

Providing PD protection services, including technical protection measures, requires an appropriate license from the FSTEC of Russia.

If the organization limits itself to organizational and administrative documents, no license for the technical protection of confidential information is needed.

It should also be remembered that current legislation provides no special license for activities in the protection of personal data.

Current regulatory legal acts on PD protection contain no restriction on the PD operator developing the necessary internal documentation with its own resources. The only exception is the threat model: under the FSTEC of Russia guidance documents it must be drawn up by experts, while at present there is no clarity about who is recognized as an expert.

Access to PD by representatives of third-party organizations (auditors, programmers, software maintainers, etc.) must be strictly regulated by the PD operator's internal documents. The procedure for ensuring PD security is defined by organizational measures, including contract terms. If, in performing an agreement between two legal entities, the operator's personal data must be made accessible or transferred, then when negotiating the agreement the conditions for maintaining confidentiality must be defined and PD protection measures provided for (for example, storage conditions, admission of persons, etc.). It is advisable to conclude a confidentiality agreement with customers, as well as non-disclosure agreements with the contractor's employees. In addition, the procedure for providing, transferring and granting third-party access to PD, where necessary, should be defined in the Regulation on PD protection.

The problem of protecting personal data is constantly aggravated by the spread of technical means of processing and transmitting information into every sphere of life. It is especially relevant for private and government organizations that actively use financial and personnel accounting systems.

Federal Law No. 152-FZ regulates relations arising from the processing of personal data by personal data operators, with or without the use of automation tools.

Under Law 152-FZ, personal data is any information relating to a natural person (the personal data subject) who is identified or identifiable on the basis of that information: in particular, full name; year, month and date of birth; address; marital and social status; education; profession; and income.

In our country the most popular accounting, personnel, sales and CRM systems are the products of the 1C company, such as "1C:Enterprise", "1C:Accounting", "1C:Salary and Personnel Management", "1C:Salary and Personnel of a Budgetary Institution", etc.

File databases of 1C products are readily accessible to all users, so any user with the right to work in 1C can copy all the data and thereby put the organization in violation of 152-FZ.

Even if the 1C product is configured to work with databases hosted on a SQL server (Microsoft SQL Server or PostgreSQL), personal data can still be stolen by exporting it to external files and then copying them to removable media (USB drives, flash drives, memory cards) or network cloud storage, or sending them by e-mail, Skype or Telegram.

In addition, do not forget the ability to take screenshots and to move data from 1C into a third-party file via the clipboard. This is one of the most common ways of stealing confidential data from information systems.

DeviceLock DLP helps prevent leaks while a user copies confidential information between documents and applications through the clipboard. Flexible DeviceLock DLP policies selectively block and log clipboard transfers between applications (for example, from "1C:Salary and Personnel of a Budgetary Institution" to MS Excel). DeviceLock DLP also selectively blocks screenshots, both for individual users and for particular applications.

DeviceLock DLP selectively allows or denies access to particular file types (in particular, 1C file databases) at the moment of an attempt to copy them to external devices or send them over the network.

DeviceLock DLP is an effective solution for protecting personal data stored in the 1C system from leakage.

Protected software package "1C:Enterprise 8.3z" (x86-64), 64-bit version.

The package includes a certified version of the "1C:Enterprise 8.3" technological platform and a set of documentation.

"1C:Enterprise 8.3z" is certified in the Information Security Certification System for Information Security Requirements No. ROSS RU.0001.01BI00 and holds certificate of conformity No. 3442 (issued by the FSTEC of Russia on September 2, 2015). According to the certificate, the product complies with the guidance document "Protection against unauthorized access to information. Part 1. Information security software. Classification by the level of control of the absence of undeclared capabilities" (State Technical Commission of Russia, 1999) at level 4 of control, and with the guidance document "Computer facilities. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" (State Technical Commission of Russia, 1992) at security class 5, provided that the operating instructions in section 12 of the form included in the product kit are followed.

Certified copies of the platform are marked with conformity marks numbered from K 605432 to K 615431.

Any configuration developed on the 1C:Enterprise 8.3 platform (for example, "1C:Manufacturing Enterprise Management" or "1C:Salary and Personnel Management 8") can be used to build a personal data information system of any class, and no additional certification of the applied solution is required.

Purposes and procedure for using the protected software package "1C:Enterprise, version 8.3z"

The protected software package "1C:Enterprise, version 8.3z" can be used to ensure the security of personal data in accordance with the Composition and Content of Organizational and Technical Measures for Ensuring the Security of Personal Data During Their Processing in Personal Data Information Systems, approved by Order No. 21 of the FSTEC of Russia dated February 18, 2013, in personal data information systems of all security levels. The ZPK "1C:Enterprise, version 8.3z" can be used both by organizations that are personal data operators and process personal data themselves, and by organizations that provide ISPD maintenance services to several operators. It can be used to process information for a single legal entity or entrepreneur, or for a group of companies (holding).

Procedure for selling the protected software package "1C:Enterprise, version 8.3z"

The ZPK "1C:Enterprise, version 8.3z" may be purchased only as an addition to registered software products of the "1C:Enterprise" system, including "1C-Jointly" products.

If mandatory information technology support (ITS) has been introduced for the product to which the ZPK "1C:Enterprise, version 8.3z" is being added, the registered user must have an ITS subscription at the time of purchasing the ZPK.

The ZPK delivery set includes:

  • the distribution kit of the certified platform itself, on a disk;
  • a FSTEC of Russia sticker;
  • the checksum form;
  • the protected product registration card;
  • the specification;
  • the program description;
  • the application description;
  • a copy of the FSTEC certificate.

PLEASE NOTE:

The ZPK "1C:Enterprise, version 8.3z" can be used only with existing licenses and security keys that came with previously purchased "1C:Enterprise 8" software products;

using the ZPK "1C:Enterprise, version 8.3z" does not require re-registration of previously purchased licenses;

SECURITY KEYS ARE NOT INCLUDED IN THE DELIVERY OF THE ZPK "1C:Enterprise, version 8.3z".

Procedure for updating the protected software package

1C will regularly certify newly released releases of the ZPK "1C:Enterprise, version 8.3z". To receive updates of the certified platform, 1C introduces an annual maintenance fee.

Updates are obtained as follows: a self-service subscription for 6 or 12 months on the site http://www.online.1c.ru, with updates delivered in electronic form (information is posted on the site as updates are released).

No maintenance fee is charged for the first year from the date the certified platform is shipped from the 1C warehouse.

The update kit includes up-to-date methodological guidance and explanations on organizing the protection of personal data.

The cost of a paid subscription (update of the ZPK "1C:Enterprise 8.3z", ONLINE subscription, 6 or 12 months) can be clarified with the manager of our organization.

If mandatory information technology support (ITS) has been introduced for the product to which the ZPK is being added, the registered user must have an ITS subscription at the time of purchasing the "1C:Enterprise, version 8.3z" update.

On May 29, 2014 a lecture was held at the 1C:Lectures hall in Moscow (Seleznevskaya St., 34). Readers who could not attend sent their questions through the Internet conference of the same name. During the event Yuri Kontemirov, Head of the Department for the Protection of the Rights of Personal Data Subjects of Roskomnadzor, and Irina Baimakova, an expert at 1C, answered questions about personal data protection and reviewed the main errors identified by Roskomnadzor during its control measures.

User kot : 1C:Enterprise 8.2z for small and medium enterprises? Medicine, state employees, the military...? Who and what is this platform for? In user mode this should be handled with permissions. And from third-party connections via the DBMS?

For four years now I have suspected that this is simply a way of pumping money, by analogy with the "Year 2000 problem". You come, run a program on the computer, it does something, you say everything is fine and you get paid.

Irina Baimakova : The requirements of the Federal Law "On Personal Data" apply to all personal data operators, i.e. to any organization in which personal data is processed. Yes, indeed, the requirements for personal data protection can vary significantly depending on the category and volume of the data.

: What is so special about version 8.2z? Why is personal data protected in it, and what is wrong with protecting personal data in other versions of the "eight" programs?

Irina Baimakova : The ZPK "1C:Enterprise, version 8.2z" is a certified version of the 1C:Enterprise 8.2 technological platform. There are no functional differences between the certified and the regular version. The improvements made to take account of the FSTEC of Russia requirements are implemented in both the regular and the certified version of the platform.

Using the ZPK "1C:Enterprise, version 8.2z" makes it possible to fulfil the requirement of paragraph 2 of Article 19 of the Federal Law "On Personal Data" on the mandatory use of information security tools that have passed conformity assessment, in relation to personal data processed with 1C software products.

Unregistered user : I do not really see how a program can become a panacea in the field of personal data protection. What about the notorious human factor? After all, people work in the program.

Irina Baimakova : In this case we cannot say that the program is a panacea. The protected software package "1C:Enterprise, version 8.2z" is one of the "building blocks" from which an information security system is built so as to comply with the current legislation of the Russian Federation on personal data protection.

Unregistered user : Have there been cases of data leakage from the protected 1C?

Irina Baimakova : I do not have such data.

Unregistered user : Does 1C bear any responsibility for data loss and leakage?

Irina Baimakova : Responsibility for the loss of data lies with the operator of personal data.

Unregistered user : Who needs to use ZPK "1C:Enterprise, 8.2z"? What is included in the ZPK package?

Irina Baimakova : The ZPK "1C:Enterprise, version 8.2z" includes the distribution kit of the technological platform, the form, and documentation.

Unregistered user : What other software products can be used to protect personal data?

Irina Baimakova : There is a significant number of information security tools on the market. Whether a particular product is needed depends on the identified current threats and on the personal data protection requirements for the particular operator.

Unregistered user : What are the main potential dangers you see for personal data? What exactly does protection guarantee or rule out?

Yuri Kontemirov : The main danger is the leakage and illegal distribution of personal data, which may lead to negative consequences for a person and an invasion of his privacy. Real protection of PD can only be guaranteed with an integrated approach to organizing information protection, paying special attention to the "human" factor.

Unregistered user : How often, in your opinion, do small companies face leakage of accounting data?

Yuri Kontemirov : Unfortunately, I have no information on this issue.

Unregistered user : Why is "1C:Enterprise 8.2z" called protected? What is its fundamental difference from other products?

Irina Baimakova : In this case "protected" is the name, meaning that the package has been verified by a testing laboratory for the absence of undeclared capabilities and for compliance with the other requirements defined by the FSTEC of Russia.

The ZPK "1C:Enterprise, version 8.2z" is a special product for meeting the requirements of the current personal data legislation by organizations and entrepreneurs using 1C software products.

User Kaufen : The organization purchased the ZPK "1C:Enterprise 8.2z". What are the main differences between this platform and 1C:Enterprise 8.2, apart from the FSTEC certificate? Has anyone come across such a platform?

Irina Baimakova : The ZPK "1C:Enterprise, version 8.2z" is a certified version of the 1C:Enterprise 8.2 technological platform. There are no functional differences between the certified and the regular version.

The main difference is that the certified release has been verified by the testing laboratory, confirms compliance with the requirements stated in the certificate, and has the checksums given in the form of the ZPK "1C:Enterprise, version 8.2z".

Unregistered user : We are a budgetary institution. Is there a variant of the ZPK "1C:Enterprise 8.2z" specifically for state employees, and how much does the version with support cost?

Irina Baimakova : The ZPK "1C:Enterprise, version 8.2z" is a certified version of the 1C:Enterprise 8.2 technological platform and can be used with any standard configuration, including those for budgetary institutions (for example, "1C:Salary and Personnel of a State Institution", "1C:Accounting of a State Institution").

The procedure for selling and updating the ZPK "1C:Enterprise, version 8.2z" is defined in 1C information letter No. 12891, available at http://1c.ru/news/info.jsp?id=12891

Unregistered user : The announcement of the lecture and the Internet conference mentions the main errors identified by Roskomnadzor during its control measures. I would like to know more about this: which errors does the department detect most often?

Yuri Kontemirov : The most typical violations of the law revealed in the course of Roskomnadzor's control measures are reflected in the annual reports published on the department's website.

Unregistered user : Please tell us about the certification of ZPK "1C:Enterprise, version 8.2z".

Irina Baimakova : The goals, procedure and results of the certification carried out by 1C are discussed in detail on the website buh.ru, including in the article "Certification of programs in order to comply with personal data protection legislation" about the initial certification in 2010, and in the article "Protection of personal data - from 2011 to 2013, or two years of changes" about the certification carried out in 2013 and the renewal of the certificate.

Unregistered user : Do you think new measures are needed to prevent the leakage of personal data and increase the level of their protection? If needed, what are they?

Yuri Kontemirov : To prevent leaks of personal data a reasonable, integrated approach is important, and special attention should be paid to the "human" factor.

Unregistered user : Does it make sense for individual entrepreneurs and small businesses to use such software products?

Irina Baimakova : In accordance with subparagraph 3 of paragraph 2 of Article 19 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", the use of information security tools that have passed the conformity assessment procedure in the established manner is one of the measures for ensuring the security of personal data during their processing.

Under Government Decree No. 1119 of November 1, 2012, the use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security is mandatory when such tools are necessary to neutralize current threats. Thus, whether information protection tools that have passed conformity assessment, including the ZPK "1C:Enterprise, version 8.2z", need to be used is determined on the basis of the threat model.

Using the ZPK "1C:Enterprise, version 8.2z" makes it possible to meet the legislative requirements described above, as well as a number of requirements of Order No. 21 of the FSTEC of Russia dated February 18, 2013, at the lowest cost.

Unregistered user : What are the adverse consequences of a data breach, for example for an individual entrepreneur without employees?

Irina Baimakova : The main danger is the leakage and illegal distribution of personal data, which can lead to negative consequences for a person, an invasion of his privacy.

If an individual entrepreneur has no employees, and accordingly no PD of employees or other individuals is processed, then a leak of PD is hardly conceivable in that case.