Strategies of implementation of 242-FZ (transcript)
www.i-teco.ru
Anton Kasimov, consulting group, department of information security
Practical strategies for implementation of Federal Law #242. Rational approach
242-FZ
Federal Law of the Russian Federation No. 242-FZ of July 21, 2014 "On Amendments to Certain Legislative Acts of the Russian Federation regarding the clarification of the processing of personal data in information and telecommunication networks"
Adopted by the State Duma: July 4, 2014
Approved by the Federation Council: July 9, 2014
Signed by the President: July 21, 2014
On December 31, 2014 a law was published postponing the date of entry into force of 242-FZ to September 1, 2015!
Strategy 4. Depersonalization
Guidelines for applying Roskomnadzor Order No. 996 of September 5, 2013 "On approval of requirements and methods for depersonalization of personal data"
Requirements of 242-FZ
In the case of collection of personal data, including via the information and telecommunication network "Internet", the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, amendment) and extraction of personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation, except in the cases specified in paragraphs 2, 3, 4 and 8 of Part 1 of Article 6 of this Federal Law.
Strategy 5. Rejection of operator status by the Russian organizational unit
Operator: a state authority, municipal authority, legal entity or natural person that, alone or jointly with others, organizes and (or) carries out the processing of personal data, and also determines the purposes of processing personal data, the composition of the personal data to be processed, and the actions (operations) performed with personal data.
Strategy 6. Transferring only the database
Strategy 7. Creating a personal data collection system
Article 2 of the Model Law "On Personal Data", adopted in St. Petersburg on 16.10.1999 by Resolution 14-19 at the 14th plenary session of the Interparliamentary Assembly of the CIS Member States:
Collection of personal data: a documented procedure by which the holder of personal data obtains personal data from data subjects.
Strategy 8. Replication of the database
Ranking of strategies (lower total is better; Total = Complexity + Risks)

Strategy                          Complexity  Risks  Total
1. Transfer of ISPDn                  4         0      4
2. Leave as is                        0         5      5
3. Return to paper                    5         0      5
4. Depersonalization                  3         1      4
5. Rejection of operator status       0         3      3
6. Transfer of database               3         3      6
7. ISPDn of collection                2         1      3
8. Database replication               1         4      5

(ISPDn: personal data information system.)
Strategies' chart
(Figure: bar chart per strategy with two series, "Total costs" and "Possible loss"; vertical axis in ₽ from 0 to 35,000,000 ₽ in steps of 5,000,000 ₽.)
Assessment of costs

$$\text{Costs} = \text{One-time costs} + \text{Annual costs} \times \text{Service life in years}$$

$$\text{TCO} = \text{CapEx} + \text{OpEx}$$
Example of costs' calculations

No.      Cost and risk factors                                        Value
Concept 1. Full migration of application
1.1.1.1  Hardware                                                1 300 000 ₽
1.1.1.2  Licenses                                                  650 000 ₽
1.1.1.3  Hosting rent                                               17 333 ₽
1.1.1    Implementation of technical solution (one-time costs)   1 967 333 ₽
1.1.2    Implementation workload (man-days)                               40
1.1.3    Implementation workload, organizational (man-days)                8
1.1.4
1.1      Total for implementation and one-time costs             3 887 333 ₽
1.2.1.1  Hardware                                                  260 000 ₽
1.2.1.2  Licenses                                                  130 000 ₽
1.2.1.3  Hosting rent                                              208 000 ₽
1.2.1    Infrastructure and licenses, annual running costs         598 000 ₽
1.2.2    Annual application management support (man-days)                 10
1.2.3    Annual organizational workload (man-days)                         2
1.2.4
1.2      Total annual running costs                               1 078 000 ₽
1        Total costs (OTC+RTC) for the defined lifecycle period  14 667 333 ₽

Model parameters:
Planned system lifecycle, years: 10
Man rate (per man-day): 40 000 ₽
Number of servers for the system: 2
Average server price: $10 000.00
Renting of 1 rack per month: $2 000.00
Number of servers in the rack: 15
Calculation of risks

$$\text{Risk} = \min\left(\text{Service life} \times P_{\text{П}} \times P_{\text{И}} \times P_{\text{В}};\ 1\right) \times \left(P_{\text{Д}} \times \left(\text{Costs of riskless strategy} + \text{Fine}\right) + P_{\text{СМИ}} \times \text{Reputational consequences}\right)$$

$$\text{Expected damage} = \text{Costs for elimination of noncompliance} + \text{Reputational damage}$$
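The cost model and the risk formula from these slides, carried through in Python as an added example (this is not the I-Teco calculator linked below). It uses the parameters of the example-of-costs slide; the 65 ₽/$ exchange rate, the 20% annual share for hardware and licenses, the $10 000 license price and one month of hosting rent inside one-time costs are assumptions inferred from the slide's figures, and the meanings of P_П, P_И, P_В, P_Д and P_СМИ are not given on the page, so the risk function takes them as plain probabilities.

```python
from dataclasses import dataclass

RUB_PER_USD = 65.0  # assumption: implied by 2 servers x $10 000 = 1 300 000 RUB on the slide


@dataclass
class CostParams:
    """Parameters from the 'Example of costs' calculations' slide (RUB unless noted)."""
    lifecycle_years: int = 10
    man_day_rate: float = 40_000
    servers: int = 2
    server_price_usd: float = 10_000
    rack_rent_usd_month: float = 2_000
    servers_per_rack: int = 15
    license_usd: float = 10_000      # assumption: 650 000 RUB / 65
    annual_share: float = 0.20       # assumption: annual HW/license cost = 20% of purchase
    impl_md: int = 40                # implementation workload, man-days
    impl_org_md: int = 8             # organizational implementation workload, man-days
    support_md: int = 10             # annual application management support, man-days
    org_md: int = 2                  # annual organizational workload, man-days


def rack_share_month(p: CostParams) -> float:
    """Hosting rent for the system's share of one rack for one month, in RUB."""
    return p.servers / p.servers_per_rack * p.rack_rent_usd_month * RUB_PER_USD


def one_time_costs(p: CostParams) -> float:
    """CapEx: hardware, licenses, one month of hosting and implementation man-days."""
    hardware = p.servers * p.server_price_usd * RUB_PER_USD
    licenses = p.license_usd * RUB_PER_USD
    return hardware + licenses + rack_share_month(p) + (p.impl_md + p.impl_org_md) * p.man_day_rate


def annual_costs(p: CostParams) -> float:
    """OpEx per year: maintenance share of HW/licenses, 12 months of hosting, support man-days."""
    hardware = p.annual_share * p.servers * p.server_price_usd * RUB_PER_USD
    licenses = p.annual_share * p.license_usd * RUB_PER_USD
    return hardware + licenses + 12 * rack_share_month(p) + (p.support_md + p.org_md) * p.man_day_rate


def total_costs(p: CostParams) -> float:
    """Costs = One-time costs + Annual costs x Service life in years (TCO = CapEx + OpEx)."""
    return one_time_costs(p) + annual_costs(p) * p.lifecycle_years


def risk(service_life: float, p_p: float, p_i: float, p_v: float, p_d: float,
         riskless_costs: float, fine: float, p_smi: float, reputation: float) -> float:
    """Risk formula from the slide; P_П, P_И, P_В, P_Д, P_СМИ are passed in as plain probabilities."""
    probability = min(service_life * p_p * p_i * p_v, 1.0)   # the MIN(...; 1) cap
    return probability * (p_d * (riskless_costs + fine) + p_smi * reputation)


if __name__ == "__main__":
    p = CostParams()
    print(f"{one_time_costs(p):,.0f} + {annual_costs(p):,.0f} x {p.lifecycle_years} = {total_costs(p):,.0f} RUB")
```

With the slide's parameters the model reproduces the slide's totals of 3 887 333 ₽ one-time, 1 078 000 ₽ per year and 14 667 333 ₽ over 10 years.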
Calculation template
You can find a simple calculator at the following link:
http://1drv.ms/1KueJt0
Thank you for your attention
Department of information security, I-Teco
Anton Kasimov, tel. +7 (495) 777-1095 ext. 3653, e-mail: [email protected]