Recommendations for developing a Personal Data Security Threat Model

The personal data security threat model defines the list of relevant (current) threats.

The threat model is developed on the basis of the Threat Modeling Methodology.

An example of a Personal Data Security Threat Model.

The threat model should:

1) Be approved by the Head of the Institution, based on the Report on the results of the internal audit.

The date of acceptance of the Threat Model must come after the internal audit and the acceptance of the internal audit report.

2) Be compiled in accordance with the Methodology for compiling CMU in institutions of the Ministry of Health and Social Development.

3) The Model should list the names of all identified ISPDs (personal data information systems).

4) For each identified ISPD, a section in the Model must be allocated.

5) For each ISPD, its structure must be defined, that is, the characteristics of the processing mode (see Section 4):

Specified personal data security characteristics: typical information system / special information system
Structure of the information system: automated workplace / local information system / distributed information system
Connection of the information system to public networks and / or networks of international information exchange: available / not available
Mode of processing personal data: single-user / multi-user system
Mode of differentiation of user access rights: system with access control / without access control
Location of the technical means of the information system: all technical means are located within the Russian Federation / technical means are partially or wholly located outside the Russian Federation
Additional information: personal data is subject to the requirement of integrity and / or availability

Characteristics are recommended to be filled in as follows:

– Specified security characteristics. All systems of the Institutions are special.

– The structure of the information system can be one of:

Automated workplace, if all PD processing is carried out within one workplace.

Local information system, if all PD processing is carried out within one local area network.

Distributed information system, if PD processing is carried out within a complex of automated workplaces and / or local information systems combined into a single information system by communication means using remote access technology. That is, the ISPD elements are geographically dispersed: for example, the ISPD includes a branch network, and communication between the geographically remote elements is carried out via public networks and / or international exchange channels.

– Connection of the information system to public networks and / or networks of international information exchange. If the ISPD or any of its elements has a connection to the Internet or other networks, regardless of whether this is due to a business need, then the ISPD has a connection.

– Mode of processing personal data. The system is single-user if the employee processing personal data combines the functions of an administrator (performs configuration and support of hardware and software) and an operator. In all other cases the ISPD is multi-user.

– Mode of differentiation of user access rights. If all users of the system (administrators, operators, developers) have the same set of access rights, or log in under a single account and no other accounts are used, then the ISPD has no system for differentiating access rights. In all other cases the ISPD has a system for differentiating access rights.

– Location of the technical means of the information system. All ISPDs of the Institutions are located on the territory of the Russian Federation.

– Additional information. Integrity requirements are imposed on the ISPDs of the Institutions. If the availability requirement must also be met, the corresponding changes must be made.

6) For each ISPD, a list of processed personal data, as well as the composition of the objects of protection, must be determined. The approximate composition of the processed personal data and objects of protection is described in the List of personal data subject to protection.

7) Based on the composition of personal data, a conclusion must be made about the category of personal data being processed (X_PD) (see Section 4).

8) The volume of personal data records (X_PDN) must be determined. In an ISPD, the volume of PD can take the following values:

– 1 – the information system simultaneously processes personal data of more than 100,000 personal data subjects, or personal data of subjects within a constituent entity of the Russian Federation or the Russian Federation as a whole;

– 2 – the information system simultaneously processes personal data of from 1,000 to 100,000 personal data subjects, or personal data of subjects working in a sector of the economy of the Russian Federation or in a public authority, or residing within a municipality;

– 3 – the information system simultaneously processes personal data of fewer than 1,000 personal data subjects, or personal data of subjects within a particular organization.
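As an added worked example (not part of the original recommendations), the following Python module codifies the decision rules of steps 5 and 8 above so that the per-ISPD characteristics table and X_PDN are derived the same way for every ISPD; the IspdFacts field set and the scope labels are assumptions chosen here, not terms from the Methodology.

```python
from dataclasses import dataclass

@dataclass
class IspdFacts:
    """Facts about one ISPD gathered during the internal audit (field set is assumed here)."""
    users: int                   # employees who process PD in this ISPD
    workplaces: int              # workstations on which PD is processed
    sites: int                   # geographically separate locations (each branch counts)
    internet_connected: bool     # any element reaches the Internet or another public network
    admin_is_operator: bool      # the same employee configures the system and operates it
    shared_single_account: bool  # all users share one account or hold identical rights
    subjects: int                # PD subjects processed simultaneously
    scope: str                   # widest subject group: organization | municipality | public_authority | sector | region | federation
    availability_required: bool = False

def system_structure(f: IspdFacts) -> str:
    """Step 5: automated workplace / local / distributed (a branch network is distributed)."""
    if f.sites > 1:
        return "distributed information system"
    if f.workplaces == 1:
        return "automated workplace"
    return "local information system"

def processing_mode(f: IspdFacts) -> str:
    """Step 5: single-user only when one employee is both administrator and operator."""
    return "single-user" if f.users == 1 and f.admin_is_operator else "multi-user"

def access_differentiation(f: IspdFacts) -> str:
    """Step 5: identical rights or a shared account means no access differentiation."""
    return "without access control" if f.shared_single_account else "with access control"

def pd_volume_class(subjects: int, scope: str) -> int:
    """Step 8: X_PDN. The subject count or the breadth of the subject group, whichever is
    wider, decides; the 1,000 and 100,000 boundaries both fall in class 2."""
    if subjects > 100_000 or scope in ("region", "federation"):
        return 1
    if subjects >= 1_000 or scope in ("municipality", "public_authority", "sector"):
        return 2
    return 3

def threat_model_section(f: IspdFacts) -> dict:
    """Rows of the per-ISPD characteristics table, with the recommended defaults filled in."""
    extra = "integrity" + (" and availability" if f.availability_required else "")
    return {
        "specified security characteristics": "special information system",
        "structure": system_structure(f),
        "public network connection": "available" if f.internet_connected else "not available",
        "processing mode": processing_mode(f),
        "access rights differentiation": access_differentiation(f),
        "location of technical means": "within the Russian Federation",
        "additional information": f"PD subject to {extra} requirements",
        "X_PDN": pd_volume_class(f.subjects, f.scope),
    }
```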

9) For each ISPD, the ISPD configuration should be drawn – a schematic relative position of the system elements. The configuration can be drawn in any graphics editor.

The following conventions can be used when compiling a configuration:

– ISPD user group.

– workstation of ISPD users.

– Server, for example, mail, file, proxy server, application server, and others.

– Database server.

– Firewall.

– Public access and/or international exchange network, such as the Internet.

– Direction of information interaction.

An example of the ISPD configuration is shown in Figure 1. It shows the ISPD, the main element of which is the ORACLE database server. ISPD Operators and Developers access the ORACLE DB by logging in under their domain accounts in the Domain domain.

Branch operators also have remote access to the ORACLE database. Remote access is organized through a public network and international exchange – the Internet. Branch operators first log in to their Domain-F domain, connect via the Internet to the Terminal Server, logging in under the main Domain account. Then Branch Operators are authorized in the ORACLE database.

An example of the ISPD configuration is shown in Figure 3.

[Figure 3: example of the ISPD configuration]

10) For each ISPD, the territorial location of the ISPD in relation to the controlled zone should be drawn. The location of the ISPD relative to the controlled area can be drawn in any graphical editor.

The following conventions can be used when compiling a configuration:

– workstation of ISPD users.

– ISPD server.

An example of the location of the ISPD relative to the controlled area is shown in Figure 4.

[Figure 4: location of the ISPD relative to the controlled area]

11) For each ISPD, the structure of PD processing must be described. The processing structure should include the entire sequence of steps for entering PD, processing it, transferring it to other ISPD and other processes. The structure of PD processing can be described both in textual and graphical form.

An example of a description of the ISPD structure:

1) The Registry employee logs in to the domain at his workplace, which runs Windows XP.

2) The employee logs in to the Medialog program.

3) The employee enters data from the patient’s hospital record into the program.

4) Data is stored on MS SQL Server.

12) For each ISPD, user groups involved in the processing of PD must be defined. The list of groups is taken from the Information Security Policy. For all groups, a list of rights and an access level must be defined. All this needs to be reflected in the Access Matrix.

Access Matrix Example:

Group: ISPD administrators
Level of access to PD: have complete information about the system and application software of the ISPD; have complete information about the technical means and configuration of the ISPD; have access to all technical means of information processing and to ISPD data; have the rights to configure and administer the technical means of the ISPD.
Permitted actions: collection, systematization, accumulation, storage, clarification, use, destruction.
Department / staff: Department of Information Technology

Group: Security Administrator
Level of access to PD: has the rights of an ISPD administrator; has complete information about the ISPD; has access to the information security and logging tools and to some of the key elements of the ISPD; has no rights to configure network hardware, other than control (inspection) rights.
Permitted actions: collection, systematization, accumulation, storage, clarification, use, destruction.
Department / staff: Petrov P.P.

Group: ISPD operators with write rights
Level of access to PD: have all the attributes and rights necessary for access to all PD.
Permitted actions: collection, systematization, accumulation, storage, clarification, use, destruction.
Department / staff: Registry Department

Group: ISPD operators with read rights
Level of access to PD: have all the attributes and rights necessary for access to a subset of PD.
Permitted actions: use.
Department / staff: Call center employees

13) For each ISPD, a list of names of employees involved in processing must be determined.

14) For each ISPD, the list of insiders should be supplemented (see Section 1.6. Threat Models) in accordance with the updated list of groups in the Information Security Policy.

15) For each ISPD, the initial level of security must be determined according to the following parameters (for each parameter, the technical and operational characteristics of the ISPD and the resulting security level are recorded):

– by location;

– by connection to public networks;

– by built-in (legal) operations with records of the personal data database;

– by differentiation of access to personal data;

– by the presence of connections to other PD databases of other ISPDs;

– by the level of depersonalization of PD;

– by the volume of PD provided to third-party ISPD users without pre-processing.

16) For each ISPD, the probabilities of realizing threats to the security of personal data should be determined (based on the Guidelines for compiling a threat model section 8.5).

17) For each ISPD, the feasibility of threats to the security of personal data must be determined (based on the Guidelines for compiling a threat model, section 9).

18) For each ISPD, the danger of the implementation of threats to the security of personal data must be determined (based on the Methodological recommendations for compiling a threat model, section 10).

19) For each ISPD, the relevance of threats to the security of personal data should be determined (based on the Guidelines for compiling a threat model, section 11).

20) For each ISPD, the necessary measures to reduce the risk of actual threats should be determined. The list of possible organizational measures is presented in the Action Plan to ensure the protection of PD.

21) For each ISPD, a generalized table of the Threat Model should be compiled (based on the Methodological Recommendations for Compiling a Threat Model – Appendix).

22) Based on the data obtained for each ISPD, a conclusion should be made on the classification of ISPD and the need for certification.

Example Conclusion:

In accordance with the Procedure for classifying personal data information systems approved by the order of the FSTEC of Russia, the Federal Security Service of Russia, the Ministry of Information and Communications of Russia dated February 13, 2008 No. 55/86/20, based on the category and volume of processed personal data – ISPD “AIS Registry” is classified as special ISPD class K3.

Attestation of ISPD “AIS Registry” is not required.

Recommendations for the development of an Action Plan to ensure the protection of PD

The plan of measures to ensure the protection of PD defines the list of measures to ensure security.

An example of an Action Plan to ensure the protection of PD.

The plan must:

1) Be executed in accordance with the internal procedure for the workflow of the Institution.

2) Be approved by the head of the department responsible for ensuring the security regime or a specially authorized employee, based on the Report on the results of the internal audit.

The date of introduction of the Plan must come after the internal audit and the acceptance of the internal audit report.

3) The Plan should clarify the list of measures to ensure the security of PD, taking into account the existing measures. It is not necessary to implement all measures (especially in terms of technical measures, except for the cases described in section 0).

4) The generalized list of measures contains the following (for each ISPD, every measure is assigned a periodicity and a performer / responsible person; one-time measures have a deadline to be filled in):

Measure – Periodicity – Performer / Responsible

ISPD 1

Organizational measures:

– Initial internal audit – once, by 01/01/2010
– Definition of the list of ISPDs – once, by ___
– Definition of the processed PD and the objects of protection – once, by ___
– Determination of the circle of persons involved in the processing of PD – once, by ___
– Determination of the responsibility of the persons involved in the processing – once, by ___
– Determination of the access rights of ISPD users, restricted to those necessary to perform job duties – once, by ___
– Appointment of a person responsible for PD security – once, by ___
– Introduction of the PD protection regime – once, by ___
– Approval of the Information Security Concept – once, by ___
– Approval of the Information Security Policy – once, by ___
– Meeting of the collegial body for the classification of ISPDs – once, by ___
– Classification of all identified ISPDs – once, by ___
– Initial analysis of the relevance of threats to PD security (UBPD) – once, by ___
– Establishment of a controlled zone around the ISPD – once, by ___
– Selection of premises for the installation of ISPD hardware so as to exclude unauthorized access (NSD) by persons not admitted to PD processing – once, by ___
– Organization of the security and access regime for the premises in which the ISPD hardware is installed – once, by ___
– Organization of the procedure for backing up protected information to hard media – once, by ___
– Organization of the procedure for restoring the operability of the technical means, software and databases of the personal data protection system (SZPDn) subsystems – once, by ___
– Enactment of instructions on the procedure for generating, distributing and using passwords – once, by ___
– Organization of informing and training employees on the procedure for processing PD – once, by ___
– Organization of informing and training employees on the introduced PD protection regime – once, by ___
– Development of job descriptions on the procedure for processing PD and maintaining the introduced protection regime – once, by ___
– Development of instructions on working when connected to public networks and / or international exchange networks – once, by ___
– Development of instructions for action in emergency situations – once, by ___
– Development of a regulation on making changes to the standard software of ISPD elements – once, by ___
– Development of a regulation on the procedure for making changes to software of in-house design, or to standard software specially modified by in-house developers or third-party organizations. The regulation should include terms of reference for the change, a technical design, acceptance tests and a commissioning act – once, by ___
– Organization of a register of requests from PD subjects – once, by ___
– Organization of a register of technical means and protection means, and of the documentation for them – once, by ___

Physical measures:

– Organization of guard posts at the entrances to the controlled zone – once, by ___
– Implementation of a technical access control system for the controlled zone and premises (electronic passes, tokens, biometric data, etc.) – once, by ___
– Implementation of a technical access control system for ISPD elements (electronic passes, tokens, biometric data, etc.) – once, by ___
– Implementation of video surveillance – once, by ___
– Installation of doors at the entrances to premises with ISPD hardware – once, by ___
– Installation of locks on the doors of rooms with ISPD hardware – once, by ___
– Installation of blinds on windows – once, by ___
– Installation of bars on the windows of the first and top floors of the building – once, by ___
– Installation of a fire extinguishing system in rooms where ISPD elements are located – once, by ___
– Installation of air conditioning in premises where ISPD hardware is located – once, by ___
– Installation of uninterruptible power supplies for key ISPD elements – once, by ___
– Provision of reserve (duplicate) technical means for key ISPD elements – once, by ___

Technical (hardware and software) measures:

– Implementation of unified storage of logged user actions with PD – once, by ___
– Implementation of a dedicated access control, registration and accounting subsystem (NAME) – once, by ___
– Implementation of anti-virus protection (NAME) – once, by ___
– Implementation of a firewall (NAME) – once, by ___
– Implementation of a security analysis subsystem (NAME) – once, by ___
– Implementation of an intrusion detection subsystem (NAME) – once, by ___
– Implementation of cryptographic protection (NAME) – once, by ___

Control measures:

– Creation of an internal audit log and keeping it up to date – monthly
– Control over compliance with the PD processing mode – weekly
– Control over compliance with the protection regime – daily
– Control over the operation of anti-virus protection – weekly
– Control over compliance with the protection regime when connected to public networks and / or international exchange networks – weekly
– Internal audits to identify changes in the mode of processing and protection of PD – annually
– Control over software updates and the uniformity of software used on all ISPD elements – weekly
– Control of backups – monthly
– Analysis and revision of existing threats to PD security, and forecasting of new, as yet unknown, threats – annually
– Keeping regulatory and organizational documents up to date – monthly
– Control over the development and introduction of changes to software of in-house design, or to standard software specially modified by in-house developers or third-party organizations – monthly

5) If the security measures are refined to account for the specifics of ensuring security in a particular Institution, the corresponding changes should be made to the Plan.
