THE GOVERNMENT OF THE KYRGYZ REPUBLIC

RESOLUTION


dated November 21, 2017 No. 760


On approval of the Requirements for ensuring the security and protection of personal data during their processing in personal data information systems, the implementation of which ensures the established levels of personal data security


In accordance with Article 21 of the Law of the Kyrgyz Republic "On Personal Data" and Articles 10 and 17 of the Constitutional Law of the Kyrgyz Republic "On the Government of the Kyrgyz Republic", the Government of the Kyrgyz Republic

DECIDES:

  1. To approve the Requirements for ensuring the security and protection of personal data during their processing in personal data information systems, the fulfillment of which ensures the established levels of personal data security (hereinafter referred to as the Requirements), according to the Appendix.
  2. The State Committee for Information Technology of the Kyrgyz Republic, in coordination with the State National Security Committee of the Kyrgyz Republic, shall within a week develop and approve:
  - a Model list of threats to the security of personal data when processing personal data in information systems, containing all forms and types of alleged threats;
  - a methodology for determining security threats in personal data information systems;
  - the form of a list of threat types.
  3. Ministries, state committees, administrative departments, other state bodies and local authorities (as agreed) shall within a month:
  - develop and approve industry-specific lists of threats to the security of personal data when processing personal data in information systems operated in the implementation of the relevant activities, taking into account the content of the personal data and the nature and methods of their processing;
  - take comprehensive measures to ensure the implementation of this resolution.

4. To assign control over the execution of this resolution to the Department of Construction, Transport and Communications and the Department of Defense, Law Enforcement and Emergency Situations of the Government Office of the Kyrgyz Republic.

5. This resolution shall enter into force from the date of its official publication.


Prime Minister                                        S. Isakov






Requirements

for ensuring the security and protection of personal data during their processing in personal data information systems, the fulfillment of which ensures the established levels of personal data security

1. General Provisions

1. These Requirements establish the levels of protection of personal data during their processing in information systems, the criteria for threats to the security of personal data included in the list of threats, and the requirements for ensuring the security and protection of personal data during their processing in personal data information systems, the implementation of which ensures the established levels of protection of personal data, in accordance with Article 21 of the Law of the Kyrgyz Republic "On Personal Data".

2. Concepts used in these Requirements are used in the meanings defined by the laws of the Kyrgyz Republic "On Personal Data" and "On Electronic Control".

3. The provisions of these Requirements are mandatory for application by state bodies, local authorities, legal entities with the participation of the state and/or municipalities, as well as organizations financed from the national and local budgets, owners and/or operators of state/municipal information systems, as well as other elements that are part of the state infrastructure of electronic control, in which personal data is processed, as well as by all holders (owners) of personal data arrays.

2. Levels of protection of personal data during its processing in information systems

4. When processing personal data, the following levels of security in information systems are established:

  1. blue;
  2. green;
  3. yellow;
  4. red.

5. The choice of the level of protection of personal data, the provision of which is necessary when processing them in a specific personal data information system, is carried out by the holder (owner) of the personal data array in the following order:

1) the authorized state body for personal data develops and approves a Model list of threats to the security of personal data when processing personal data in information systems (hereinafter referred to as the Model List), containing all forms and types of alleged threats, as well as a methodology for determining security threats in personal data information systems (hereinafter referred to as the Methodology for determining threats);

2) ministries, state committees, administrative departments, other state bodies and local authorities, on the basis of the Model List and the Methodology for determining threats, develop and approve departmental acts, mandatory for execution by subordinate holders (owners) of personal data arrays, on determining the list of threats to the security of personal data when processing personal data in information systems operated in the implementation of the relevant activities, taking into account the content of the personal data and the nature and methods of their processing;

3) the holder (owner) of the personal data array, based on the specific conditions of working with personal data, the value of the protected information and the cost of measures to protect it, as well as taking into account the level of technical development, approves its own list of threats to the security of personal data (hereinafter referred to as the list of threats) in the form approved by the authorized state body for personal data.

The list of threats drawn up by the holder (owner) of the personal data array must include the threats defined in the acts specified in subparagraphs 1 and 2 of this paragraph and may, by decision of the holder (owner) of the personal data array, include other threats as well.

The list of threats is subject to revision by the holder (owner) of the personal data array whenever the composition of the processed personal data or the conditions and types of their processing change;

4) associations, unions and other forms of association of holders (owners) of personal data arrays have the right to determine, by their decisions, additional threats to the security of personal data when processing personal data in information systems used by their members in the implementation of certain types of activities, taking into account the content of the personal data and the nature and methods of their processing, alongside the threats to the security of personal data defined in the departmental acts specified in subparagraph 2 of this paragraph.

3. Security threat criteria and rating of threats

6. Each type of threat to the security of personal data included in the list of threats developed by the holder (owner) of the personal data array is assigned a rating depending on the following criteria, in accordance with the Methodology for determining threats specified in subparagraph 1 of paragraph 5 of these Requirements:

Criteria, score ranges and scores (points):

1. Relevance of the threat to the security of personal data (0-1 points):
   0 - irrelevant;
   1 - relevant.

2. Possible harm to the subject of personal data that may be caused if the threat is realized (0-3 points):
   0 - harm cannot be caused (does not entail losses or moral harm to the subject of personal data);
   1 - minor damage, easily compensated by the holder (minor costs, less than 1000 calculated indicators, for eliminating and compensating the consequences: losses and moral damage caused);
   2 - significant damage that can be compensated by the operator (entails significant costs, more than 1000 calculated indicators, for eliminating/compensating the consequences: losses and moral damage);
   3 - critical damage that cannot be compensated (entails losses and moral damage that cannot be compensated).

3. Volume of the processed personal data exposed to this threat (1-3 points):
   1 - insignificant volume (the information system processes personal data of no more than 10,000 subjects of personal data);
   2 - significant volume (the information system processes personal data of more than 10,000 and up to 100,000 subjects of personal data);
   3 - critical volume (the information system processes personal data of more than 100,000 subjects of personal data).

4. Content of the processed personal data exposed to this threat (1-2 points):
   1 - personal data not belonging to special categories;
   2 - special categories of personal data (in accordance with Part 1 of Article of the Law of the Kyrgyz Republic "On Personal Data"), as well as biometric data (in accordance with Part 3 of Article 5 of the Law of the Kyrgyz Republic "On Biometric Registration of Citizens of the Kyrgyz Republic").

5. Duration of the activity to which the threat applies (0-1 points):
   0 - short-term (no more than two (2) weeks of data processing);
   1 - long-term.

7. The personal data security risk rating is determined as the product of the scores for each of the criteria.

8. The security levels of personal data, depending on the threats to the security of this data, are determined for each information system or group of information systems as follows:

1) "blue" - the presence of threats with a rating of no more than 1 point;

2) "green" - the presence of threats with a rating of 2 points (but no more);

3) "yellow" - the presence of threats with a rating from 3 to 6 points inclusive (but no more);

4) "red" - the presence of threats with a rating of more than 6 points.
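The scoring in paragraphs 6 to 8 is mechanical enough to be worked through in code. The following Python is an added illustration, not part of the resolution: it validates each criterion score against the ranges in paragraph 6, takes the product from paragraph 7, and applies the thresholds of paragraph 8. It assumes (as one reading of "the presence of threats") that an information system's level is set by its highest-rated threat; the threat list is constructed sample data for a hypothetical system.

```python
from dataclasses import dataclass
from math import prod

# Score ranges per criterion, taken from paragraph 6 of the Requirements.
CRITERIA = {
    "relevance": (0, 1),  # 0 irrelevant, 1 relevant
    "harm": (0, 3),       # 0 no harm ... 3 critical, cannot be compensated
    "volume": (1, 3),     # 1 up to 10,000 subjects ... 3 more than 100,000
    "content": (1, 2),    # 1 ordinary data, 2 special categories / biometrics
    "duration": (0, 1),   # 0 short-term (up to two weeks), 1 long-term
}
LEVEL_ORDER = ("blue", "green", "yellow", "red")

@dataclass(frozen=True)
class Threat:
    name: str
    scores: dict  # criterion name -> integer score

def risk_rating(scores: dict) -> int:
    """Paragraph 7: the rating is the product of the criterion scores."""
    if set(scores) != set(CRITERIA):
        raise ValueError(f"expected criteria {sorted(CRITERIA)}, got {sorted(scores)}")
    for name, (lo, hi) in CRITERIA.items():
        s = scores[name]
        if not isinstance(s, int) or not lo <= s <= hi:
            raise ValueError(f"{name}: score {s!r} is outside {lo}-{hi}")
    return prod(scores[name] for name in CRITERIA)

def level_for_rating(rating: int) -> str:
    """Paragraph 8 thresholds applied to a single threat's rating."""
    if rating <= 1:
        return "blue"
    if rating == 2:
        return "green"
    if rating <= 6:
        return "yellow"
    return "red"

def security_level(threats: list) -> str:
    """Level of a system: the worst level among its listed threats (assumption)."""
    if not threats:
        raise ValueError("the list of threats must not be empty")
    return max((level_for_rating(risk_rating(t.scores)) for t in threats),
               key=LEVEL_ORDER.index)

# Constructed sample list of threats for a hypothetical HR information system.
SAMPLE_THREATS = [
    Threat("lost backup medium", dict(relevance=1, harm=2, volume=2, content=1, duration=1)),
    Threat("insider export of biometrics", dict(relevance=1, harm=3, volume=2, content=2, duration=1)),
    Threat("retired threat, no longer relevant", dict(relevance=0, harm=3, volume=3, content=2, duration=1)),
]
```

The three sample threats rate 4 (yellow), 12 (red) and 0 (blue), so the system as a whole falls under the "red" level; a score outside its range raises ValueError rather than silently producing a rating.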

4. Requirements for the protection of personal data by security levels

9. The levels of protection of personal data established by paragraph 8 of these Requirements when processing them in personal data information systems are ensured by the following requirements:

1) for the "blue" security level:

- adoption of a document defining the policy of the holder (owner) of the personal data array in relation to the processing of personal data and bringing the contents of this document to the employees and counterparties of the holder (owner) of the personal data array;

- appointment of the individual (individuals) responsible for ensuring the security of personal data during their processing in information systems and conducting their briefing on the requirements of the Law of the Kyrgyz Republic "On personal data" and these Requirements;

- implementation of internal control over the compliance of personal data processing with the requirements of the Law of the Kyrgyz Republic "On Personal Data", these Requirements and other documents adopted on the processing of personal data;

- inclusion in the employment contracts and job descriptions of employees of the holder (owner) of the personal data array of their duties in relation to the processing of personal data, provisions on strict compliance with the requirements of the Law of the Kyrgyz Republic "On Personal Data", and these Requirements, other documents adopted on the processing of personal data;

- recording each entry of personal data into the data processing system, as well as each change or destruction of such data, indicating the person who entered (changed, destroyed) the data and the date and time of the operation;

- creating, not less than once a day, a backup copy of the current personal data processed in the personal data information system;

2) for the "green" security level - the requirements established for the "blue" security level, and additionally the following requirements:

- designing an information system and measures for its development, taking into account the nature of the personal data processed there and the need to protect it;

- assessment of the effectiveness of the measures taken to ensure the security of personal data before the commissioning of the information system and significant updates (extensions) of the information system carried out by the authorized state body for personal data and/or accredited conformity assessment bodies in the field of ensuring personal data security requirements;

3) for the "yellow" security level - the requirements established for the "green" security level, and additionally the following requirements:

- centralized management of the personal data protection system, including by creating a structural division responsible for the implementation of these Requirements;

- establishment of an access control system for the premises in which the information system is installed, restricting physical access to the technical means of the information system to those individuals who have been granted the appropriate authority;

- maintaining an automatic electronic log that records all operations with personal data, ensuring that it is impossible to make changes to this log retroactively;

- provision of redundancy and high availability of the information system for storing and processing personal data in real time and of the automatic electronic log provided for in paragraph four of this subparagraph;

- the presence of an automatic system for detection and suppression of an unauthorized access to personal data, as well as their accidental destruction or modification;

4) for the "red" security level - the requirements established for the "yellow" security level, and additionally the following requirements:

- using only secure communication channels when transferring personal data and (or) accessing them;

- protection of personal data from leaks through technical channels;

- the use of information security tools and/or information systems that have passed the conformity assessment procedure in accordance with the established procedure in the authorized state body for personal data and/or an accredited conformity assessment body in the field of ensuring personal data security requirements;

- regular (at least once a year) audit of the information systems of the holder (owner) of the personal data array and of the automatic electronic log recording all operations with personal data, conducted by the authorized state body for personal data and/or an accredited conformity assessment body in the field of ensuring personal data security requirements.