Practical strategies for implementation of Federal Law #242. Rational approach

Anton Kasimov, consulting group, department of information security, I-Teco (www.i-teco.ru)

[email protected]

Posted on 16-Aug-2015

Category: Law

TRANSCRIPT


Slide 2. 242-FZ

Federal Law of the Russian Federation No. 242-FZ of July 21, 2014 "On Amendments to Certain Legislative Acts of the Russian Federation regarding the clarification of the processing of personal data in information and telecommunications networks"

Adopted by the State Duma: July 4, 2014

Approved by the Federation Council: July 9, 2014

Signed by the President: July 21, 2014

On December 31, 2014 a law was published that postponed the entry into force of 242-FZ to September 1, 2015!

Slide 3. Strategy 1. Transfer the information system to Russia

Slide 4. Strategy 2. Leave as is

Slide 5. Complexity of choice

           Transfer to Russia    Leave as is
Costs      Max                   Min
Risks      Min                   Max

Slide 6. Strategy 3. Return to paper technologies

Slide 7. Strategy 4. Depersonalization

Guidelines for applying Roskomnadzor Order No. 996 of 5 September 2013 "On approval of requirements and methods for depersonalization of personal data"

Slide 8. Requirements of 242-FZ

In case of collection of personal data, including by means of the information and telecommunication Internet network, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (update, change) and extraction of personal data of RF citizens using databases located in the territory of the Russian Federation, except as specified in para. 2, 3, 4 and 8, Part 1, Clause 6 of this Federal Law.

Slide 9. Strategy 5. Rejection of operator status by the Russian organizational unit

In case of collection of personal data, including by means of the information and telecommunication Internet network, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (update, change) and extraction of personal data of RF citizens using databases located in the territory of the Russian Federation.

Operator: a public authority, municipal authority, legal or natural person that, alone or jointly with others, organizes and (or) carries out the processing of personal data, and that defines the purpose of processing personal data, the composition of the personal data to be processed, and the actions (operations) performed with personal data.

Slide 10. Strategy 5. Rejection of operator status by the Russian organizational unit. Scheme

Slide 11. Strategy 6. Transferring only the database

In case of collection of personal data, including by means of the information and telecommunication Internet network, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (update, change) and extraction of personal data of RF citizens using databases located in the territory of the Russian Federation.

Slide 12. Strategy 6. Transferring only the database. Scheme

Slide 13. Strategy 7. Creating a personal data collection system

In case of collection of personal data, including by means of the information and telecommunication Internet network, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (update, change) and extraction of personal data of RF citizens using databases located in the territory of the Russian Federation.

Article 2 of the "Model Law on Personal Data", adopted in St. Petersburg on 16.10.1999 by Decree 14-19 at the 14th plenary session of the Interparliamentary Assembly of the CIS member states:

Collection of personal data: a documented procedure by which the personal data holder obtains personal data from data subjects.

Slide 14. Strategy 7. Creating a personal data collection system. Scheme

Slide 15. Strategy 8. Replication of the database

In case of collection of personal data, including by means of the information and telecommunication Internet network, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (update, change) and extraction of personal data of RF citizens using databases located in the territory of the Russian Federation.

Slide 16. Strategy 8. Replication of the database. Scheme

Slide 17. Ranking of strategies

Strategy                            Complexity   Risks   Total
1. Transfer of ISPDn                    4          0       4
2. Leave as is                          0          5       5
3. Return to paper                      5          0       5
4. Depersonalization                    3          1       4
5. Rejection of operator status         0          3       3
6. Transfer of database                 3          3       6
7. ISPDn of collection                  2          1       3
8. Database replication                 1          4       5

(Total = Complexity + Risks.)

Slide 18. Strategies' chart

[Chart image not present in the transcript. Series: "Possible loss" and "Total costs"; vertical axis from 0 ₽ to 35,000,000 ₽ in steps of 5,000,000 ₽.]

Slide 19. Assessment of costs

$$\text{Costs} = \text{One-time costs} + \text{Annual costs} \times \text{Service life in years}$$

$$\text{TCO} = \text{CapEx} + \text{OpEx}$$

Slide 20. Example of costs' calculations

No.       Cost and risk factors                                           Value
Concept 1 Full migration of application
1.1.1.1   Hardware                                                        1 300 000 ₽
1.1.1.2   Licenses                                                          650 000 ₽
1.1.1.3   Hosting rent                                                       17 333 ₽
1.1.1     Implementation of technical solution (one-time costs)           1 967 333 ₽
1.1.2     Implementation workload (man-days)                                       40
1.1.3     Implementation workload, organizational (man-days)                        8
1.1       Total for implementation and one-time costs                     3 887 333 ₽

1.2.1.1   Hardware                                                          260 000 ₽
1.2.1.2   Licenses                                                          130 000 ₽
1.2.1.3   Hosting rent                                                      208 000 ₽
1.2.1     Infrastructure and licenses annual running costs                  598 000 ₽
1.2.2     Annual application management support (man-days)                         10
1.2.3     Annual organizational workload (man-days)                                 2
1.2       Total annual running costs                                      1 078 000 ₽

1         Total costs (OTC + RTC) for the defined lifecycle period       14 667 333 ₽

Parameters:
Planned system lifecycle, years: 10
Man rate (M/D): 40 000 ₽
Number of servers for the system: 2
Average server price: $10 000,00
Renting of 1 rack per month: $2 000,00
Number of servers in the rack: 15
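The following Python script is an added example, not part of the presentation or the linked calculator. It reproduces the arithmetic of the "Full migration of application" slide from the parameter block (lifecycle 10 years, man-day rate 40 000 ₽, 2 servers at $10 000, rack rent $2 000 per month, 15 servers per rack) using the slide 19 formula Costs = One-time costs + Annual costs × Service life. Two inputs are not printed on the slide and are assumptions inferred from its figures: a USD/RUB rate of 65 (2 × $10 000 = 1 300 000 ₽) and a 20 % annual maintenance share for hardware and licenses (260 000 / 1 300 000). The dataclass and function names are the example's own.

```python
"""Reconstruction of the slide's TCO arithmetic for "Full migration of application".

Slide 19: Costs = One-time costs + Annual costs x Service life in years.
"""
from dataclasses import dataclass

# Assumption: the slide prices servers in USD but reports hardware in rubles;
# 2 servers x $10,000 = 1,300,000 RUB implies a rate of 65 RUB/USD.
USD_TO_RUB = 65.0


@dataclass
class MigrationParams:
    """Inputs from the slide's parameter block; fields marked 'assumption' are inferred."""
    lifecycle_years: int = 10
    man_day_rate_rub: float = 40_000
    servers: int = 2
    server_price_usd: float = 10_000
    rack_rent_usd_per_month: float = 2_000
    servers_per_rack: int = 15
    licenses_rub: float = 650_000            # the slide gives only the total
    annual_maintenance_share: float = 0.20   # assumption: 260,000 / 1,300,000 on the slide
    impl_technical_man_days: int = 40
    impl_organizational_man_days: int = 8
    annual_support_man_days: int = 10
    annual_organizational_man_days: int = 2


def hardware_rub(p: MigrationParams) -> float:
    return p.servers * p.server_price_usd * USD_TO_RUB


def hosting_rent_rub_per_month(p: MigrationParams) -> float:
    # The system occupies servers/servers_per_rack of one rack; rent is charged pro rata.
    return p.servers / p.servers_per_rack * p.rack_rent_usd_per_month * USD_TO_RUB


def one_time_costs_rub(p: MigrationParams) -> float:
    # Row 1.1.1: hardware + licenses + one month of hosting; rows 1.1.2-1.1.3: labour.
    technical = hardware_rub(p) + p.licenses_rub + hosting_rent_rub_per_month(p)
    labour_days = p.impl_technical_man_days + p.impl_organizational_man_days
    return technical + labour_days * p.man_day_rate_rub


def annual_costs_rub(p: MigrationParams) -> float:
    # Row 1.2.1: maintenance share of hardware and licenses + 12 months of hosting;
    # rows 1.2.2-1.2.3: annual labour.
    infrastructure = (hardware_rub(p) + p.licenses_rub) * p.annual_maintenance_share
    infrastructure += 12 * hosting_rent_rub_per_month(p)
    labour_days = p.annual_support_man_days + p.annual_organizational_man_days
    return infrastructure + labour_days * p.man_day_rate_rub


def total_costs_rub(p: MigrationParams) -> float:
    # Slide 19: Costs = One-time costs + Annual costs x Service life in years
    return one_time_costs_rub(p) + annual_costs_rub(p) * p.lifecycle_years


def cost_breakdown(p: MigrationParams) -> dict:
    """Whole-ruble figures in the same shape as the slide's table."""
    return {
        "hardware": round(hardware_rub(p)),
        "licenses": round(p.licenses_rub),
        "hosting_rent_month": round(hosting_rent_rub_per_month(p)),
        "one_time_total": round(one_time_costs_rub(p)),
        "annual_total": round(annual_costs_rub(p)),
        "total": round(total_costs_rub(p)),
    }


if __name__ == "__main__":
    for name, value in cost_breakdown(MigrationParams()).items():
        print(f"{name:>20}: {value:>12,} RUB")
```

Running it with the defaults gives the slide's 1 967 333 ₽ / 3 887 333 ₽ / 1 078 000 ₽ / 14 667 333 ₽; changing `lifecycle_years` shows how strongly the lifecycle assumption drives the total, since every extra year adds the full annual running cost.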

Slide 21. Calculation of risks

$$\text{Risk} = \min\left(\text{Service life} \times P_{\text{П}} \times P_{\text{И}} \times P_{\text{В}};\ 1\right) \times \left(P_{\text{Д}} \times (\text{Costs of riskless strategy} + \text{Fine}) + P_{\text{СМИ}} \times \text{Reputational consequences}\right)$$

$$\text{Expected damage} = \text{Costs for elimination of noncompliance} + \text{Reputational damage}$$
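As an added example (not from the presentation or its calculator), the script below implements the Risk formula of this slide and uses it to compare the two strategies of the "Complexity of choice" slide, treating "Transfer to Russia" as the riskless strategy. The deck does not expand the Cyrillic subscripts of P_П, P_И, P_В, P_Д and P_СМИ, so they are kept as opaque factors under the example's own names, and every numeric input (probabilities, the leave-as-is cost, the fine, the reputational figure) is a constructed placeholder; only the riskless-strategy cost of 14 667 333 ₽ comes from slide 20. The point demonstrated is the MIN(…; 1) cap: without it, a long service life would multiply the consequence beyond certainty.

```python
"""Expected-loss model from the slide, with the MIN(...; 1) cap handled explicitly.

Risk = MIN(Service life x P_П x P_И x P_В; 1)
       x (P_Д x (Costs of riskless strategy + Fine) + P_СМИ x Reputational consequences)
"""
from dataclasses import dataclass


@dataclass
class RiskParams:
    """The slide's probabilities. The deck does not define the Cyrillic subscripts,
    so they are treated as opaque factors; all sample values are constructed."""
    service_life_years: float
    p_p: float    # P_П, per year of service life
    p_i: float    # P_И
    p_v: float    # P_В
    p_d: float    # P_Д, weight on direct costs (riskless strategy + fine)
    p_smi: float  # P_СМИ, weight on reputational consequences


def realization_probability(r: RiskParams) -> float:
    """Service life x P_П x P_И x P_В, capped at 1.

    The product grows linearly with service life, so for a long-lived system it can
    exceed 1; the cap keeps the factor a probability and the risk bounded by the
    full consequence."""
    return min(r.service_life_years * r.p_p * r.p_i * r.p_v, 1.0)


def risk_rub(r: RiskParams, riskless_costs_rub: float, fine_rub: float,
             reputational_rub: float) -> float:
    consequence = r.p_d * (riskless_costs_rub + fine_rub) + r.p_smi * reputational_rub
    return realization_probability(r) * consequence


def compare_strategies(r: RiskParams, riskless_costs_rub: float, leave_as_is_costs_rub: float,
                       fine_rub: float, reputational_rub: float) -> dict:
    """Exposure = own costs + risk for the two strategies of the 'Complexity of choice' slide.
    'Transfer to Russia' is the riskless strategy (risk 0); 'Leave as is' carries the risk."""
    exposure = {
        "Transfer to Russia": riskless_costs_rub,
        "Leave as is": leave_as_is_costs_rub
        + risk_rub(r, riskless_costs_rub, fine_rub, reputational_rub),
    }
    return {"exposure": exposure, "preferred": min(exposure, key=exposure.get)}


if __name__ == "__main__":
    # Constructed inputs: only the 14 667 333 RUB riskless cost is from the deck (slide 20).
    inputs = dict(riskless_costs_rub=14_667_333, leave_as_is_costs_rub=2_000_000,
                  fine_rub=75_000, reputational_rub=5_000_000)  # placeholders
    for life in (4, 10):
        r = RiskParams(life, p_p=0.5, p_i=0.5, p_v=0.5, p_d=0.8, p_smi=0.5)
        print(life, realization_probability(r), compare_strategies(r, **inputs))
```

With the constructed factors 0.5 × 0.5 × 0.5 per year, a 4-year life gives a realization probability of 0.5 and "Leave as is" wins on exposure; at 10 years the raw product is 1.25, the cap holds it at 1.0, and the riskless transfer becomes cheaper overall, which is the trade-off the "Complexity of choice" slide summarises as Costs Max/Min versus Risks Min/Max.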

Slide 22. Calculation template

You can find a simple calculator at the following link:

http://1drv.ms/1KueJt0

Slide 23. Thank you for your attention

Department of information security, I-Teco

Anton Kasimov
Tel. +7 (495) 777-1095 ext. 3653
E-mail: [email protected]