hard to get, easy to lose, impossible to forget

registers of FSTEC of Russia. There is also information about the status of documents.

For example, the FSTEC registers show that our company (NUBES) has two valid licenses: No. L050-00107-77/00662128 and No. L024-00107-77/00662125. We received both documents on July 7, 2023 for an indefinite period.

What are the risks for the licensee?

Regulator inspections are usually scheduled, so you can prepare for them. But there are situations when FSTEC comes to a company unexpectedly. Such inspections are initiated based on complaints from other parties (customers, partners, competitors, employees, etc.). How often this happens is difficult to say.

Shortcomings are not difficult to identify during inspections, and they are punishable by law. For negligence, you can get a fine, or you can lose your license.

Let's start with the less impressive sanctions. Under Part 3 of Article 14.1 of the Code of Administrative Offenses, “Carrying out business activities in violation of the requirements and conditions provided for by a special permit (license)” is subject to a warning or a fine:

● for officials – 3-4 thousand rubles,

● for legal entities – 30-40 thousand rubles.

Further, Part 4 of the same article of the Code of Administrative Offenses sets out the sanctions for gross violation of the requirements and conditions of the license:

● for officials – 5-10 thousand rubles,

● for legal entities – 100–200 thousand rubles or (attention!) suspension of activities for up to 90 days.

And finally, for especially serious cases, the Criminal Code of the Russian Federation (Article 171) provides for fines of up to 500 thousand rubles and imprisonment of the responsible persons for up to 5 years.

What to do

Together with the FSTEC of Russia license, you receive not only permission to provide services and perform work to protect confidential information. By default, you also get many requirements that you will have to comply with until the document expires (if we are talking about an indefinite period, then read “always”).

So, most likely, when licensing, you had to certify information objects according to information security requirements. This means that you also certified automated workstations for working with confidential information and the protected premises.

What are we getting at? The licensee will have to regularly undergo technical (inspection) control. Such inspections are carried out by organizations that hold a license for TKKI covering the corresponding type of work (work and services for certification tests and certification for compliance with information security requirements). And this must be done annually, even if you have received certificates of compliance of information objects for an indefinite period.

All marks for passing technical control are affixed in the technical passport of the information object. If they are not there, the regulator may conclude that the company is violating the rules for working with confidential information.

In addition, claims will arise if the company uses outdated programs and security tools at automated workstations, as well as in protected premises. All licenses and certificates of conformity must be valid. The software license confirms that you do not violate the rights to use intellectual property, and the certificate confirms that the version you are using meets current information security requirements.

Often at certified workplaces it is discovered that the antivirus license has expired or that the antivirus does not have a valid certificate. If you remember the story from Dr.Web, then the company itself may not even be to blame for this. But it is necessary to monitor the status of licenses and certificates in any case. For the regulator, such inaction is an obvious signal that the automated workplace is vulnerable and entails “a violation of the conduct of work with confidential information.”

The situation is even more dangerous if the company has confidentiality agreements that it has concluded with its counterparties. These documents usually state that work with confidential information is carried out on certified information objects. This means that if your counterparty does not have protection tools with a valid license and certificate of conformity, then any leak of your data can threaten them with huge fines. In some cases, they reach tens of millions of rubles.

By the way, not only certified automated workstations are important for the regulator. In many cases, FSTEC looks at what happens on the developer's PC. It’s the same here: we track the validity periods of licenses for the operating system, development tools, anti-virus software, program code analysis tools, etc.

Particular attention should be paid to the means of monitoring information security, guaranteed destruction of information and calculation of checksums. As a rule, we are talking about products such as Scanner BC Inspector or a set of programs: Fix, Terrer, Inspector 1 XP, Inspector 2 XP, Inspector Network. Their licenses must also be current.

In addition, if you have a vibroacoustic protection system installed in protected areas, you must regularly verify it.

Also, when certifying informatization objects and some other types of work, the licensee is required to have a set of control and measuring equipment. It must comply with the requirements of the regulator, and also have valid certificates of verification and (or) calibration – work must be carried out according to the established plan.

In addition, the licensee is obliged to independently track changes in FSTEC regulatory and technical documents in order to respond to them in a timely manner and comply with newly established requirements.

Another important point is personnel. The licensee company must employ staff who meet the FSTEC requirements for experience and qualifications. In our case, it is important what Government Resolutions No. 79 and No. 171 say. One of the requirements that should clearly be taken into account is that employees must undergo advanced training at least once every five years.

If, during an inspection, it suddenly turns out that the company employs insufficiently competent employees or there are fewer of them than necessary, then you will have to pay a fine. It will be imposed on the general director and the organization even if the established number of employees was missing for only a couple of months during the validity period of the license.

That's all. Consultants note that the listed measures are quite enough to avoid losing the FSTEC license, money and reputation. Perhaps soon we will return with licensee cases from judicial practice. In the meantime, if you still have questions about the theory, let's discuss them in the comments.
