On establishing the boundaries of the controlled area of the personal data information system "Employees". On the processing of personal data in a medical facility. The boundary of the controlled area of an ISPDn (personal data information system)

Order of the Department of Public and External Relations of the Khanty-Mansiysk Autonomous Okrug - Ugra
No 169 dated 28/05/2015

On establishing the boundaries of the controlled area of the personal data information system "Employees"

Khanty-Mansiysk

Pursuant to the requirements of the Federal Law of the Russian Federation dated July 27, 2006 No. 152-FZ "On personal data", Decree of the Government of the Russian Federation dated November 01, 2012 No. 1119 "On approval of requirements for the protection of personal data when processing them in personal data information systems", Order of the FSTEC of Russia dated February 18, 2013 No. 21 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems" and Order of the FSTEC of Russia dated February 11, 2013 No. 17 "On the approval of Requirements for the protection of information that does not constitute a state secret contained in state information systems",

I ORDER:

1. Establish the boundaries of the controlled area, within which the stationary technical means for processing information, the means of protecting information and the means of ensuring the functioning of the personal data information system "Employees" are located, along the external enclosing structures of premises No. 303, No. 307 and No. 312, in accordance with Appendix 1 to this order.

2. The presence of employees of the Department of Public and External Relations of the Khanty-Mansiysk Autonomous Okrug - Ugra and of visitors within the controlled area established by this order is governed by the "Instruction on ensuring the security of the budgetary institution of the Khanty-Mansi Autonomous Okrug-Yugra 'Directorate for the operation of office buildings'".

3. Control over the implementation of the "Instruction on ensuring the security of the budgetary institution of KhMAO-Yugra 'Directorate for the operation of office buildings'" is assigned to the person responsible for ensuring measures to protect information processed in the personal data information system "Employees" (information security administrator), engineer of the organizational department of the Administrative Office, Shevtsov Yuri Vladimirovich.

4. The Organizational Department of the Administrative Directorate shall familiarize the interested employees of the Department of Public and External Relations of the Khanty-Mansiysk Autonomous Okrug-Yugra with this order against signature, in accordance with Appendix 2 to this order.

5. I reserve control over the execution of this order.

Signed by the Director of the Department of Public and External Relations of Ugra



Director of the Department I.A. Verkhovsky


Appendix No. 1

to the order of the Department of Public

and external relations of Ugra

The boundaries of the controlled area of the personal data information system "Employees"

Figure 1 - Border of the controlled area, office No. 312

Figure 2 - Border of the controlled area, room No. 303

Figure 3 - Border of the controlled area, room No. 307

Appendix No. 2

to the order of the Department of Public

and external relations of Ugra

Familiarization of employees

with the order "On establishing the boundaries of the controlled area of the personal data information system 'Employees'"

With the order "On establishing the boundaries of the controlled area of the personal data information system 'Employees'" dated "___" ________ 2015 No. __________ the following employees have been familiarized:

Head of the Administrative Department ____________ Petrova E.V. ________ (signature) (date)

Head of department, Administrative Department ____________ Zakharova T.A. ____________ (signature) (date)

financial and economic support, Administrative Department ____________ Tikhonova S.A. ___________ (signature) (date)

Department consultant, financial and economic support, Administrative Department ____________ Geisler I.V. ___________ (signature) (date)

Chief specialist of the department of financial and economic support, Administrative Department ____________ Shishelyakina G.N. _______ (signature) (date)

Department consultant, legal and personnel work, Administrative Department ____________ Koltsova E.G. ___________ (signature) (date)

Chief specialist-expert of the department of legal and personnel work, Administrative Department ____________ Plastinina Y.S. ________ (signature) (date)

Chief specialist-expert of the department of legal and personnel work, Administrative Department ____________ Kireeva I.A. ____________ (signature) (date)

organizational department, Administrative Department ____________ Shevtsov Yu.V. ____________ (signature) (date)

Prepared by:

Head of the organizational department

Administrative Department I.V. Sokolova

Agreed:

Deputy Director of the Department O.I. Burychkin

Deputy Chief of the Administrative Office

A controlled zone (KZ) is a space (territory, building, part of a building), in which uncontrolled stay of persons who do not have a permanent or one-time admission, and extraneous transport, technical and other material means are excluded.

The boundary of the KZ can be:

The perimeter of the protected area of the institution (enterprise);

The enclosing structures of the protected building or the protected part of the building, if it is located in an unprotected area.

Thus, the KZ may be bounded by the perimeter of the protected area of the enterprise, by the protected area covering the buildings and structures in which closed events are held, or by part of a building, a room or an office in which closed events are held.

In some cases, for the period during which confidential information is processed by technical means, the KZ may be temporarily established larger than the protected area of the enterprise. At the same time, organizational, regime and technical measures must be taken that exclude or significantly hinder the possibility of interception within this zone.

A permanent controlled area is an area whose boundaries are established for a long time.

A temporary controlled zone is a zone established for holding closed events of a one-time nature.

Allocated premises are premises (offices, assembly rooms, conference rooms, etc.) specially designed for processing speech information (discussions, meetings, etc.) containing information constituting a state secret.

Protected premises are premises (offices, assembly rooms, conference rooms, etc.) specially designed for confidential events, during which speech information of a confidential nature is discussed.

4. How many and which security classes are established for automated control systems (ACS) of production and technological processes at critical facilities, potentially hazardous facilities, and facilities posing an increased danger to human life and health and to the environment, and what do they depend on? Which document regulates the requirements for ensuring information protection (ZI) in these ACS?

The formation of requirements for information protection in an ACS is carried out taking into account GOST R 51583 "Information security. The procedure for creating automated systems in a protected design. General provisions" (hereinafter GOST R 51583), GOST R 51624 "Information security. Protected automated systems. General requirements" (hereinafter GOST R 51624) and organization standards, and includes: making a decision on the need for information protection in the ACS; classification of the ACS in accordance with the information protection requirements; identification of threats to information security whose realization can lead to a violation of the normal operation of the ACS, and development of an information security threat model on their basis; and determination of requirements for the protection system of the ACS.



The classification of the automated control system is carried out by the customer or the operator, depending on the level of significance (criticality) of the information, the processing of which is carried out in the automated control system. Three security classes of the automated control system are established, which determine the security levels of the automated control system. The lowest class is the third, the highest is the first.

The procedure for determining the security class of the ACS

1. The security class of the automated control system (first class (K1), second class (K2), third class (K3)) is determined depending on the level of significance (criticality) of the information processed in it (UZ).

2. The level of significance (criticality) of information (UZ) is determined by the degree of possible damage from violation of its integrity (unlawful destruction or modification), availability (unlawful blocking) or confidentiality (unlawful access, copying, provision or distribution), as a result of which a violation of the normal mode of functioning of the automated control system or unlawful interference in the processes of its functioning may occur.



UZ = [(integrity, degree of damage) (availability, degree of damage) (confidentiality, degree of damage)],

where the degree of possible damage is determined by the customer or operator by an expert or other method and can be:

a) high, if, as a result of a violation of one of the information security properties (integrity, availability, confidentiality) that entails a violation of the normal operation of the automated control system, an emergency of a federal or interregional nature or other significant negative consequences in social, political, economic, military or other areas of activity may occur;

b) medium, if, as a result of a violation of one of the information security properties (integrity, availability, confidentiality) that entails a violation of the normal operation of the automated control system, an emergency of a regional or inter-municipal character* or other moderate negative consequences in social, political, economic, military or other areas of activity may occur;

c) low, if, as a result of a violation of one of the information security properties (integrity, availability, confidentiality) that entails a violation of the normal operation of the automated control system, an emergency of a municipal (local) nature or other minor negative consequences in social, political, economic, military or other areas of activity may occur.

If the information processed in the automated control system does not require one of the information security properties (in particular confidentiality), the level of significance (criticality) is determined for the other two information security properties (integrity, availability). In this case:

UZ = [(integrity, degree of damage) (availability, degree of damage) (confidentiality, not applicable)].

Information processed in an automated control system has a high level of significance (criticality) (UZ 1), if a high degree of damage is determined for at least one of the information security properties (integrity, availability, confidentiality).

Information processed in an automated control system has a medium level of significance (criticality) (UZ 2) if a medium degree of damage is determined for at least one of the information security properties (integrity, availability, confidentiality) and there is no property for which a high degree of damage has been determined.

Information processed in an automated control system has a low level of significance (criticality) (UZ 3), if for all properties of information security (integrity, availability, confidentiality) low degrees of damage are determined.

When two or more types of information are processed in an automated control system (for example, measurement information and information about the state of the process), the level of significance (criticality) of information (UZ) is determined separately for each type of information.

The final level of significance (criticality) is established according to the highest values of the degree of possible damage determined for the integrity, availability and confidentiality of each type of information.

* In accordance with the Decree of the Government of the Russian Federation of May 21, 2007 No. 304 "On the classification of emergencies of natural and technogenic character" (Collected Legislation of the Russian Federation, 2007, No. 22, Art. 2640; 2011, No. 21, Art. 2971).

3. The security class of the automated control system is determined in accordance with the table:

Level of significance (criticality) of information | Security class of the automated control system

The security class can be set separately for each of the levels of the automated control system or for other segments, if any. The results of the classification of the automated control system are formalized in a classification act. The requirement for the security class is included in the terms of reference for the creation of the automated control system and (or) the terms of reference (private terms of reference) for the creation of the protection system of the automated control system, developed taking into account GOST 34.602 "Information technology. Set of standards for automated systems. Terms of reference for the creation of an automated system" (hereinafter GOST 34.602), GOST R 51583, GOST R 51624 and organization standards.

The security class of the automated control system (segment) is subject to revision only in case of its modernization, as a result of which the level of significance (criticality) of the information processed in the automated control system (segment) has changed.

Requirements for ensuring information protection (ZI) in these automated control systems are regulated by Order of the FSTEC of Russia dated 14.03.2014 No. 31 "On approval of the Requirements for ensuring information protection in automated control systems for production and technological processes at critical facilities, potentially hazardous facilities, as well as facilities posing an increased danger to human life and health and to the environment".
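As an added worked example (not part of the FSTEC order or of this page), the following Python carries the classification procedure above through in code: the UZ for each type of information, the highest level across types, and the resulting security class. The one-to-one mapping UZ n to class K n is an assumption derived from the page's statements (UZ 1 is the highest significance, the first class is the highest class), since the table rows are not reproduced above; the damage degrees in the sample are constructed.

```python
"""Worked example of the ACS security-class procedure described above.

Added illustration, not the order's own text. The UZ -> K mapping in
security_class() is an assumption derived from the page's ordering
statements, not a reproduction of the order's table.
"""
from enum import Enum
from typing import Dict, Mapping


class Damage(Enum):
    """Degree of possible damage, set by the customer or operator."""
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"
    NOT_APPLICABLE = "not applicable"  # property not required (e.g. confidentiality)


PROPERTIES = ("integrity", "availability", "confidentiality")


def significance_level(damage: Mapping[str, Damage]) -> int:
    """Return UZ (1 = high, 2 = medium, 3 = low) for one type of information.

    Rules from the page:
      UZ 1 if at least one applicable property has HIGH damage;
      UZ 2 if at least one has MEDIUM and none has HIGH;
      UZ 3 if all applicable properties have LOW damage.
    A property marked NOT_APPLICABLE is ignored; at most one may be so marked.
    """
    missing = [p for p in PROPERTIES if p not in damage]
    if missing:
        raise ValueError(f"degree of damage not set for: {missing}")
    applicable = [damage[p] for p in PROPERTIES
                  if damage[p] is not Damage.NOT_APPLICABLE]
    if len(applicable) < 2:
        raise ValueError("at most one property may be marked not applicable")
    if Damage.HIGH in applicable:
        return 1
    if Damage.MEDIUM in applicable:
        return 2
    return 3


def overall_significance(info_types: Mapping[str, Mapping[str, Damage]]) -> int:
    """UZ for the whole ACS: the highest level (smallest number) over all types."""
    if not info_types:
        raise ValueError("at least one type of information must be assessed")
    return min(significance_level(d) for d in info_types.values())


def security_class(uz: int) -> str:
    """Map UZ to the security class K1..K3 (assumed one-to-one, see docstring)."""
    if uz not in (1, 2, 3):
        raise ValueError(f"unknown significance level: {uz}")
    return f"K{uz}"


def classify_acs(info_types: Mapping[str, Mapping[str, Damage]]) -> Dict[str, object]:
    """Run the full procedure and return the material for a classification act."""
    per_type = {name: significance_level(d) for name, d in info_types.items()}
    uz = overall_significance(info_types)
    return {"per_type": per_type, "uz": uz, "security_class": security_class(uz)}


# Constructed sample: two types of information processed in one ACS.
SAMPLE_INFO_TYPES = {
    "measurement information": {
        "integrity": Damage.HIGH,        # falsified readings: interregional emergency
        "availability": Damage.MEDIUM,
        "confidentiality": Damage.NOT_APPLICABLE,  # readings are not secret
    },
    "process state information": {
        "integrity": Damage.LOW,
        "availability": Damage.LOW,
        "confidentiality": Damage.LOW,
    },
}

if __name__ == "__main__":
    result = classify_acs(SAMPLE_INFO_TYPES)
    for name, level in result["per_type"].items():
        print(f"{name}: UZ {level}")
    print(f"final UZ {result['uz']} -> security class {result['security_class']}")
```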


Ministry of Health of the Sverdlovsk region
dated October 20, 2015 N 1622-p

Sample

NAME OF A MEDICAL ORGANIZATION
_________________________________________________________________________
dated _____________ N _____________

ORDER
Determination of the boundaries of the controlled area

In order to exclude uncontrolled stay of unauthorized persons when processing personal data and in accordance with the requirements of Federal Law dated 27.07.2006 N 152-FZ "On personal data", the "Special requirements and recommendations for the technical protection of confidential information" approved by order of the State Technical Commission of Russia dated 30.08.2002 N 282, Order of the FSTEC of Russia dated 18.02.2013 N 21 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems", and the recommendations of the FSB of Russia "Methodical recommendations for ensuring the security of personal data with the help of cryptographic means during their processing in personal data information systems using automation tools" (approved by the FSB of the Russian Federation on February 21, 2008 N 149/54-144)

I order:

1. The boundaries of the controlled area of ___________________________________ (name of the MO) shall be considered the perimeter of the enclosing structures of the main medical building at _________________________________________________________________.

2. To approve the procedure for access of employees of ____________________________ (name of MO) to the premises in which the processing of personal data is carried out.

3. Control over the updating and implementation of this order shall be entrusted to ___________________________________________________________ (position, full name of the employee).

Chief physician ______________ (FULL NAME)

Procedure for access of employees of (name of MO) to premises in which personal data is processed (approved by order of (name of MO) _____________________ dated ______ N ____)

1. This Procedure for access of employees of _________________ (name of MO) to the premises in which personal data is processed (hereinafter the Procedure) is developed in accordance with Federal Law dated 27.07.2006 N 152-FZ "On personal data" and Decree of the Government of the Russian Federation dated March 21, 2012 N 211 "On approval of the list of measures aimed at ensuring the fulfillment of the obligations stipulated by the Federal Law 'On personal data'".

2. Personal data refers to confidential information. Officials authorized to process personal data are obliged not to disclose to third parties and not to distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law.

3. Information systems in which personal data is processed are placed in secure premises, excluding the possibility of uncontrolled entry and presence of unauthorized persons in these premises.

4. When storing carriers of personal data, conditions must be observed that ensure the safety of personal data and exclude unauthorized access to them.

5. Only officials authorized to process personal data by order of ___________________ (name of MO) are allowed into the premises where the technical means that allow the processing of personal data, as well as storage media, are located.

6. The heads of structural divisions of ____________________________________________ (name of MO) are responsible for organizing access to the premises in which personal data is processed.

7. The presence in the premises of (name of the MO) intended for the processing of personal data of persons who are not authorized to process personal data is possible only when accompanied by an employee authorized to process personal data, for a period of time justified by production needs.

8. Internal control over compliance with the procedure for access to the premises in which personal data is processed is carried out by the person responsible for organizing the processing of personal data and the person responsible for the security of personal data.

1. This Regulation on the processing of personal data establishes procedures aimed at identifying and preventing violations of the legislation of the Russian Federation in the field of personal data, as well as determining for each purpose of processing personal data the content of the processed personal data, the categories of subjects whose personal data is processed, the timing of their processing and storage, the procedure for destruction upon achievement of the processing goals or upon the occurrence of other legal grounds (hereinafter referred to as the Regulation).

The processing of personal data in a healthcare facility is carried out with or without the use of automation tools and includes the collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction of personal data of the subjects whose personal data is processed in the healthcare facility.

2. In accordance with Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", the healthcare facility is the operator that processes personal data and determines the purposes of processing personal data, the composition of the personal data to be processed and the actions (operations) performed with personal data (hereinafter referred to as the operator of personal data).

3. The regulation was developed in accordance with the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data" (hereinafter referred to as the Federal Law), Ch. 14 of the Labor Code of the Russian Federation of 13.12.2001 No. 197-FZ.

4. The subjects of personal data are employees of health care facilities, citizens of the Russian Federation, information about which is contained in the information systems of health care facilities.

5. The objectives of the Regulations are:

a) ensuring the protection of rights and freedoms in the processing of personal data of employees of health care facilities, personal data of citizens contained in the information systems of health care facilities;

b) the establishment of the responsibility of the employees of health care facilities for non-compliance with the regulatory legal acts governing the processing and protection of personal data.

6. Procedures aimed at identifying and preventing violations of the legislation of the Russian Federation in the field of personal data:

a) implementation of internal control over the compliance of the processing of personal data with the Federal Law and the regulatory legal acts adopted in accordance with it, the requirements for the protection of personal data;

b) an assessment of the harm that may be caused to subjects of personal data in case of violation of the Federal Law, the ratio of this harm and the measures taken by the health care facility aimed at ensuring the fulfillment of the duties of the operator of personal data provided for by the Federal Law;



c) familiarization of the employees of health care facilities directly processing personal data with the provisions of the legislation of the Russian Federation on personal data, with the requirements for the protection of personal data.

7. In case of detection of illegal processing of personal data carried out by the operator of personal data, the operator of personal data, within a period not exceeding 3 working days from the date of detection of illegal processing of personal data, is obliged to stop the illegal processing of personal data or ensure the termination of illegal processing of personal data.

If it is impossible to ensure the legality of the processing of personal data, the operator of personal data, within a period not exceeding 10 working days from the date of detection of illegal processing of personal data, is obliged to destroy such personal data or ensure their destruction. The operator of personal data is obliged to notify the subject of personal data or his representative about the elimination of illegal processing of personal data or the destruction of personal data.

8. If the purpose of processing personal data is achieved, the operator of personal data is obliged to stop processing personal data and destroy personal data within a period not exceeding 30 working days from the date the purpose of processing personal data is achieved.

9. In the event that the subject of personal data withdraws consent to the processing of his personal data, the operator of personal data is obliged to stop processing personal data and destroy personal data within a period not exceeding three working days from the date of receipt of the said revocation. The operator of personal data is obliged to notify the subject of personal data about the destruction of personal data within three working days.



10. If it is impossible to destroy personal data within the timeframes specified in clauses 7 - 9 of the Rules, the personal data operator blocks such personal data, ensures the destruction of personal data within up to 6 months, unless another period is established by the current legislation of the Russian Federation.

11. The storage of personal data must be carried out in a form that makes it possible to determine the subject of personal data, no longer than the purpose of storing personal data requires, if the storage period for personal data is not established by Federal Law.

The processed personal data are subject to destruction or depersonalization upon achievement of the goals of processing personal data or in case of loss of the need to achieve these goals, unless otherwise provided by Federal Law.

12. The processing of personal data in information systems of health care facilities (hereinafter referred to as personal data information systems) is carried out in accordance with the Decree of the Government of the Russian Federation of 01.11.2012 No. 1119 "On approval of requirements for the protection of personal data during their processing in personal data information systems".

13. Ensuring the security of personal data in personal data information systems is achieved by:

a) determining threats to the security of personal data during their processing in personal data information systems;

b) the application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems;

c) the use of information protection means that have passed the conformity assessment procedure in the prescribed manner;

d) assessing the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of personal data information systems;

e) accounting of machine carriers of personal data;

f) detecting facts of unauthorized access to personal data and taking measures to stop unauthorized access;

g) recovery of personal data modified or destroyed as a result of unauthorized access to them;

h) establishing rules for access (password, login, etc.) to personal data processed in personal data information systems, as well as ensuring registration and accounting of all actions performed with personal data in personal data information systems.

14. Employees of health care facilities who have access to personal data information systems are obliged to:

a) take measures to exclude unauthorized access to the used software and hardware;

b) keep records of electronic media containing personal data and store them in metal cabinets or safes;

c) record personal data (individual files, databases) on electronic media only in cases regulated by the procedure for working with personal data;

d) comply with the established procedure and rules for access to information systems, prevent the transfer of personal codes and passwords to information systems of personal data;

e) take all necessary measures for the reliable safety of codes and passwords for access to information systems of personal data;

f) work with personal data information systems to the extent of their powers, not to allow them to be exceeded;

g) have the skills to work with anti-virus programs to the extent necessary to perform functional duties and information protection requirements.

15. When employees of health care facilities work in personal data information systems, it is prohibited:

a) record the values ​​of codes and passwords for access to personal data information systems;

b) transfer codes and passwords for access to information systems of personal data to other persons;

c) use in the work the codes and passwords of other users of access to information systems of personal data;

d) select codes and passwords for access to information systems of personal data of other users;

e) record extraneous programs and data on electronic media with personal data;

f) copy information with personal data to unaccounted electronic media;

g) take out electronic media with personal data outside the territory of the healthcare facility;

h) leave the workplace with a switched-on personal computer without hardware or software locking of access to the personal computer;

i) bring, independently install and operate on a personal computer any software products not accepted for use;

j) open, disassemble, repair personal computers, make changes to the design, connect non-standard units and devices;

k) transfer information containing personal data subject to protection via open communication channels (fax, e-mail, etc.), as well as use information containing personal data subject to protection in open correspondence and when negotiating by phone.

16. Collecting, systematizing, accumulating, storing, updating, changing, transferring, destroying (hereinafter referred to as processing) documents of employees of health care facilities,

17. All personal data must be obtained directly from the employees of the healthcare facility.

18. Documents containing personal data are destroyed by shredding in a shredder.

19. When changing the employee responsible for recording paper documents containing personal data, an act of acceptance and delivery of these materials is drawn up, which is approved by the head of the corresponding structural unit of the healthcare facility.

20. When working with documents on paper containing personal data, employees of health care facilities authorized to process personal data are obliged to:

a) get acquainted only with those documents containing personal data, to which access is obtained in accordance with business necessity;

b) keep in secret the information that has become known to them, containing personal data subject to protection, inform the immediate supervisor about the facts of violation of the procedure for working with personal data and about attempts of unauthorized access to them;

c) to provide written explanations to immediate supervisors on the violations of the established procedure for work, accounting and storage of documents containing personal data, as well as on the facts of disclosure of information containing personal data subject to protection.

21. Employees guilty of disclosing or losing information containing personal data are liable in accordance with the legislation of the Russian Federation.

22. Control over the fulfillment of the requirements of these Rules by the employees of health care facilities is entrusted to the heads of the structural units of the healthcare facility (LPU) and to the person appointed by order of the LPU as responsible for organizing the processing of personal data.


ORDER
Determination of the boundaries of the controlled area

In order to exclude uncontrolled presence of unauthorized persons when processing personal data and in accordance with the requirements of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", the "Special Requirements and Recommendations for the Technical Protection of Confidential Information" approved by order of the State Technical Commission of Russia dated 30.08.2002 No. 282, Order of the FSTEC of Russia dated February 18, 2013 No. 21 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems", and the recommendations of the FSB of Russia "Guidelines to ensure the security of personal data with the help of cryptographic means during their processing in personal data information systems using automation tools" (approved by the FSB of the Russian Federation on February 21, 2008 No. 149/54-144)

I ORDER:

2. To approve the procedure for access of health care workers to the premises in which the processing of personal data is carried out.

3. Control over the updating and implementation of this order shall be entrusted to __________________________________________________________________ (position, full name of the employee).


Appendix to the order