One of the tasks of the NKTsKI is to help personal data (PD) subjects respond to cyber incidents, noted Andrey Raevsky, a representative of the Center, in his speech. He highlighted the main directions of development of the regulatory framework that the NKTsKI currently adheres to:
Amendments to Federal Law 152 “On Personal Data”, which entered into force on September 1, 2022;
Decree of the President of the Russian Federation No. 250 of May 1, 2022 "On additional measures to ensure information security" and its implementation.
Andrey Raevsky, NKTsKI:
– Article 19 of Federal Law 152 has been supplemented with information on the obligation of personal data operators to interact with the State System for Detection, Prevention and Elimination of Consequences of Computer Attacks (GosSOPKA) through the NKTsKI. Now they are obliged to inform us about cyber incidents that have resulted in illegal data transfer.

A representative of the Center reported that the procedure for interaction between PD operators and the NKTsKI is under development and will be determined by order of the FSB of Russia.
Most likely, a long period of coordination of this document with the Russian Ministry of Justice is expected, he added.
The procedure will contain two options for notifying the regulator:
PD operators enter into an agreement with the FSB or the NKTsKI and transfer information about the cyber incident to them within three hours. This will be confirmed by the incident identifier assigned by the NKTsKI.
Information will be provided via the Roskomnadzor website https://pd.rkn.gov.ru/incidents/form/. Information about the cyber incident from RKN will be sent to the NKTsKI.
It is also planned to grant the Computer Incidents Center the right to request clarifying information about information leaks from PD operators. The response to such a request will most likely have to come to the department within 24 hours, noted Andrey Raevsky.
Liability of the PD operator for failure to transfer information about a leak to GosSOPKA will be introduced, added NKTsKI representative Sergey Korelov. He emphasized that the National Coordination Center for Information Security and the Federal Security Service will definitely find out whether the PD operator reported all the leaks; the agencies have the means to do this.
Presidential Decree No. 250 places responsibility for ensuring information security (IS) on the head of the organization. A special IS department must also be created within the company's structure.
Andrey Raevsky, NKTsKI:
– Also, government resolution No. 1272 was issued on the approval of a standard regulation on the head and such a structural unit. The document states that the head of the company is obliged to carry out measures to detect, respond to and eliminate computer attacks.
Decree No. 250 requires:
determine the transition period of interaction with the NKTsKI on the basis of agreements or regulations;
organize accreditation of GosSOPKA centers;
determine the procedure for monitoring the security of information systems.
The representative of the NKTsKI assured that interaction with GosSOPKA is not a duty, but real help to PD operators.
The order on accreditation of GosSOPKA centers is still being developed. The requirements for applicants for accreditation will be based on previously issued documents, Andrey Raevsky said.
STRENGTHENING RESPONSIBILITY
Deputy Director of the FSTEC of Russia Vitaly Lyutikov spoke about improving legislation to ensure the security of critical information infrastructure (CII).
According to him,