Self-preparation of an ISPDn for certification (Part 1)
Published 16 March 2011, 13:30
At present, the protection of personal data is one of the most pressing problems for most commercial and government organizations. Information systems must be brought into compliance with the requirements of the Federal Law "On Personal Data" no later than July 1, 2011.

I plan to write a series of articles on common methods of protecting personal data that can help your company reduce the cost of services from data-protection companies, or at least understand what you are paying for. Everything described here we have gone through in our own company.

As a result of all the actions that will be described, we successfully received a certificate of compliance of our ISPDn with the requirements of the Federal Law and saved about 45,000 r. on integrators' services (12 workstations (ARM) + a server).

Survey of the ISPDn

Building the protection system for a personal data information system (ISPDn) begins with a survey of the ISPDn, its classification, and the compilation of specific protection requirements.
The survey is conducted by a special commission consisting of an information security specialist*, the IS administrator, and the IS operator. Accordingly, an order appointing the commission and conducting the survey must be issued beforehand.

For reference, the prices quoted in our city: 200-700 r. per hour for the preliminary survey, 10-20 thousand r. for the documentation based on the survey results.

Before starting any action, you need to compile a list of the personal data stored and processed in the company.
The result is a document with a three-column table: No. (sequential number); name (file, database, spreadsheet); contents of the file (full name, passport series/number, etc.).
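As an added example (not from the original post), a Python script that assembles that three-column table automatically from the documents it finds, so the commission starts from a complete list rather than from memory. The file names, their text and the detection patterns are constructed; the passport pattern assumes the four-digit series plus six-digit number layout of the Russian internal passport.

```python
from __future__ import annotations
import re
from pathlib import Path

# Categories of personal data recorded in the table's third column, with
# constructed detection patterns. The passport pattern assumes the Russian
# internal-passport layout "SS SS NNNNNN" (an assumption, not from the post).
PATTERNS = {
    "passport series/number": re.compile(r"\b\d{2}\s?\d{2}\s?\d{6}\b"),
    "phone": re.compile(r"(?:\+7|8)[\s(-]*\d{3}[\s)-]*\d{3}[\s-]*\d{2}[\s-]*\d{2}"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

def classify(text: str) -> list[str]:
    """Return the personal-data categories present in a document's text."""
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

def inventory(docs: dict[str, str]) -> list[tuple[int, str, list[str]]]:
    """Build the survey table (No., name, contents) from {name: text}.

    Documents with no personal data are left out; numbering is sequential
    over the documents that remain, as in the post's "No." column.
    """
    rows: list[tuple[int, str, list[str]]] = []
    for name in sorted(docs):
        categories = classify(docs[name])
        if categories:
            rows.append((len(rows) + 1, name, categories))
    return rows

def inventory_dir(root: Path) -> list[tuple[int, str, list[str]]]:
    """Same table, read from every regular file under a directory."""
    docs = {
        str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="ignore")
        for p in root.rglob("*") if p.is_file()
    }
    return inventory(docs)

# Constructed sample documents standing in for a small company's file share.
SAMPLE_DOCS = {
    "hr/employees.csv": "Ivanov I.I.;45 12 345678;+7 (495) 123-45-67",
    "sales/price_list.txt": "Widget A 100 RUB\nWidget B 250 RUB",
    "support/tickets.txt": "Contact: petrov@example.com about order 1234",
}

if __name__ == "__main__":
    for number, name, contents in inventory(SAMPLE_DOCS):
        print(f"{number}\t{name}\t{', '.join(contents)}")
```

Patterns only find structured fields; free-text names and anything in databases or spreadsheets still have to be walked through by hand, as the post's table expects.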

During the survey, you need to establish the following:

1. Access to the organization. Who can enter and at what time. With a pass or without, whether entry is recorded in a visitor log, etc. Whether employees can enter the premises after hours.

2. Controlled zone (KZ) of the organization.
A controlled zone is an area of the facility within which the uncontrolled presence of persons without permanent or one-time access is excluded.
Thus the boundary of the controlled zone will be the enclosing structures of the premises belonging to the organization (walls, doors, windows, and ceiling).

Perhaps your organization occupies an entire floor or one of its wings. In that case the hall and the corridor between the offices count as part of the controlled zone only if there is a grumpy old lady with a mop, a guard/administrator, or security cameras.
The controlled zone may have some peculiarities. For example, third parties (clients) may be received inside it; this should also be noted.

3. Power supply of the building. Here you must indicate on whose territory the transformer substation is located and by whom it is serviced. Quite simply, nobody needs (or is interested in) the name of some "Mosgorsvet LLC": there are only two possible answers, the substation is inside the KZ or outside it, and accordingly it is serviced either by the organization's own unit or by an outside organization (the name and address of that organization are not required).
You must also indicate which grounding scheme the transformer uses and where the ground is located (inside or outside the KZ). The Wikipedia article on TN-S is more than enough here: ru.wikipedia.org/wiki/%D0%A2N-S

4. Telephone communication. Whether it is organized through the organization's own PBX or a shared one. Whether the telephony cables leave the KZ.

5. Fire and burglar alarms. Where they are installed and what they are connected to. If connected to a monitoring console, where that console is located. Whether the cables of these systems leave the KZ.

6. The organization's computer network. What technology it is built on, its layout and structure, whether there are subnets, etc.

7. Information processing.
Input of information: performed in manual/automatic mode on all workstations (ARM) using devices such as a mouse, keyboard, scanner, etc.
Manual usually means input from paper; automatic means input from flash drives, disks, etc.
Display of information: information is displayed on the monitor during input and output by the user and while working with the software.
Processing of information: performed on the computer using specific software. There is no need to describe all the software on the computer, only the software in which personal data are processed.
Storage: the information remains on the local hard drive or is automatically sent to the server.
Transmission of information: between users' workstations, between a computer and a scanner/printer, between a workstation and the server.
Output of information: to paper/electronic media by means of such-and-such a device.

8. Components of information processing:
Subjects of access: staff who, by virtue of their official duties, must interact with the personal data (PDn); processes of the application and system software on the computer.
Objects of access: information resources (for example files, spreadsheets, documents, databases, etc.) and system elements (flash memory cards, printers, software, the computer itself).

Access of subjects to objects must somehow be delimited or controlled (account passwords on the PC, flash drives issued only against signature, file access permissions).

9. Groups of access subjects: administrators (who they are, a description, and what functions they perform), users (likewise), staff (likewise). It is also desirable in this section to describe separately which OS administration and information security administration functions are performed (backup, account creation, etc.).

10. Backup system: how often, where, and who stores it afterwards and how.

11. Other. Here you can indicate other important points specific to your information system.

As a result of all this, we compiled the ISPDn Survey Act.

ru.wikipedia.org/wiki/Kontroliruemaya_zona

* The presence of an information security specialist on the commission is a recommendation, and he may well be replaced by the senior admin. But so as not to tempt fate, the specialist can be any admin who has completed a very short course on information security (ZI) and has the paper to show for it, or an outside natural person with the appropriate education engaged under a contract.

In the next article: the technical passport of the ISPDn, a description of the technological process, the act of classification.
Views: 840 | Added by: w1zard | Rating: 0.0/0