What has changed in cybersecurity legislation in February

In the latest issue of the digest, I will tell you about the news from the world of information security compliance over the past February. What unscheduled inspections will Roskomnadzor be able to carry out in relation to personal data operators? In what cases can violations in the handling of biometric personal data lead to a fine, and in what cases to a criminal case? What will specialists with secondary vocational education be allowed to do when ensuring the safety of significant CII facilities? The answers to these and other questions are in our digest.

Personal Information

1. The FSB of Russia has published an order dated February 13, 2023 No. 77 approving the procedure for the interaction of operators of personal data information systems (hereinafter – ISPD) with the state system for detecting, preventing and eliminating the consequences of computer attacks (hereinafter – GosSOPKA).

The subjects of CII and the FSTEC of Russia are obliged to send data on incidents to GosSOPKA within a day from the moment the incident is discovered. The remaining ISPD operators send data about the incident within 24 hours from the moment it is discovered through the Roskomnadzor website, and within three days – a notification of the results of the internal investigation of the incident. Roskomnadzor transmits this data to the NKTsKI.

The document entered into force on March 1, 2023.

2. Decree of the Government of the Russian Federation dated 04.02.2023 No. 161 has been approved. According to it, Roskomnadzor received the opportunity, in agreement with the prosecutor’s office, to carry out unscheduled control (supervisory) activities and unscheduled checks on the facts of leakage of PD on the Internet. The changes also apply to accredited organizations in the IT sector.

Biometric personal data

3. In connection with the adoption of Federal Law No. 572-FZ dated December 29, 2022, the Government of the Russian Federation must submit draft amendments to the State Duma:

  • to the Code of Administrative Offenses in terms of establishing turnover-based administrative fines for violations in the field of processing PD (including violations related to the peculiarities of processing biometric PD);

  • to the Criminal Code regarding the introduction of criminal liability for illegal processing of biometric PD, which entailed socially dangerous consequences.

4. Federal Law of 02/06/2023 No. 8-FZ directly defines genomic information as biometric personal data.

Critical Information Infrastructure

5. A draft order of the Ministry of Industry and Trade of Russia has been submitted for public comment. It is to approve the procedure for assessing the relevance and reliability of the information specified in paragraph 17 of the Rules for categorizing CII objects in relation to CII subjects that work in the defense, metallurgical and chemical industries.

The Federal State Unitary Enterprise NPP Gamma will be involved in the assessment, on the basis of which an industry competence center for information security in industry will be created.

The order assumes that, in order to check the relevance and reliability of information on categorization, information will be requested and evaluated on the results of assigning one of the categories of significance to CII subjects or on the absence of the need to assign one of such categories to them.

Information about the categorization can also be confirmed by an on-site assessment at the location of the CII object.

6. A draft order of the FSTEC of Russia has been submitted for public comment. It allows specialists with secondary vocational education to be involved in ensuring the safety of significant CII facilities (hereinafter – ZOKII). The following functions may be assigned to these specialists:

  • installation and configuration of ZOKII information security tools;

  • informing employees about violations of information security requirements and rules for the operation of information security tools;

  • maintaining protocols and logs in the course of monitoring the information security tools of ZOKII.

Activity Licensing

7. The following orders of the FSTEC of Russia have been published:

  • dated 12.01.2023 No. 3 “On the approval of the forms of documents used by the FSTEC of Russia in the process of licensing activities for the technical protection of confidential information, and the invalidation of the order of the FSTEC of Russia dated July 17, 2017 No. 134 and the amendments made to it”;

  • dated 12.01.2023 No. 4 “On the approval of the forms of documents used by the FSTEC of Russia in the process of licensing activities for the development and production of means of protecting confidential information, and the invalidation of the order of the FSTEC of Russia dated July 17, 2017 No. 133 and the amendments made to it.”

News in the field of standardization

8. The Ministry of Education of Russia presented draft orders on federal state educational standards for secondary vocational education in the specialties “Ensuring information security of information systems” and “Ensuring information security of automated systems”.

The first educational program involves the development of the following activities:

  • operation of information and telecommunication systems and networks;

  • protection of information in information and telecommunication systems and networks using software and hardware, including cryptographic means of protection;

  • operation and security protection of network infrastructure facilities;

  • acceptance, preparation and installation of telecommunication equipment;

  • information and reference support and instructing clients on the operation of technological components of infocommunication systems.

The second program involves the study of the following activities:

  • ensuring the functioning of means and systems for ensuring the protection of communication facilities of telecommunication networks from unauthorized access to them;

  • ensuring the functioning of information security tools in computer systems and networks;

  • operation of automated (information) systems in a secure design;

  • protection of information by technical means;

  • writing technical documentation in the field of information security.

Information messages of regulators

9. The FSTEC of Russia announced the abolition of the state duty as part of the granting of a license for the technical protection of confidential information and a license for the development and production of means of protecting confidential information in 2023.

10. The FSB of Russia has declared invalid the following administrative regulations related to information security:

  • Administrative regulation of the FSB of Russia on the provision of public services for licensing the activities of enterprises, institutions and organizations for carrying out work related to the use of information constituting a state secret, the creation of information security tools, as well as the implementation of measures and (or) the provision of services to protect state secrets.

  • Administrative regulation of the FSB of Russia on the provision of public services for licensing activities for the development and production of means of protecting confidential information.

  • Administrative regulation of the FSB of Russia on the provision of public services for licensing activities for the development, production, distribution of encryption (cryptographic) tools, information systems and telecommunications systems protected using encryption (cryptographic) tools, performance of work, provision of services in the field of information encryption, maintenance encryption (cryptographic) means, information systems and telecommunication systems protected using encryption (cryptographic) means (except for the case when the maintenance of encryption (cryptographic) means, information systems and telecommunication systems protected using encryption (cryptographic) means is carried out to meet the needs of a legal entity or an individual entrepreneur).

Industry changes

11. A draft resolution of the Government of the Russian Federation, “On Approval of the Regulations on the Federal State Information System “Management of the State Unified Cloud Platform”, has been submitted for public comment.

The regulation defines the goals and objectives of the system, its structure and main functions, the list of participants, the operator (Mintsifry), the procedure for providing access to the system, as well as the requirements for protecting information contained in it.

GosOblako is a set of unified cloud services provided by independent providers. It is intended for the placement and operation of information systems and resources of state bodies.

12. A draft resolution of the Government of the Russian Federation has been presented, according to which the deadline for the implementation of the experiment to increase the level of security of state information systems of federal executive bodies and their subordinate institutions will be extended until March 30, 2024.

13. A draft resolution of the Government of the Russian Federation, “On the Approval of the Rules for the Implementation of Federal State Control over Ensuring the Protection of State Secrets, on the Amendment and Recognition of Certain Acts of the Government of the Russian Federation as invalid”, has been submitted for public comment.
