2) applied methods and means of authorisation and procedures connected with their management and use;

Transcription

1 Guidelines on the way of developing the instruction specifying the method of managing the computer system used for personal data processing, with particular consideration of the information security requirements. One of the requirements imposed on the controllers, pursuant to 3 paragraph 1, by the Regulation of April 29, 2004, by the Minister of Internal Affairs and Administration as regards personal data processing documentation and technical and organisational conditions which should be fulfilled by devices and computer systems used for personal data processing (Journal of Laws No. 100 item 1024) is to develop an instruction specifying the method of managing the computer system used for personal data processing, hereinafter referred to as the instruction. The developed instruction shall be approved by the controller and adopted for application as a binding document. The procedures and guidelines contained in this instruction shall be provided to persons responsible for their realisation in the organisation in accordance with the assigned rights, scope of duties and liability. For example, the principles and procedures for authorising to personal data processing or the method of keeping record of persons involved in the processing of personal data shall be passed on to persons managing the organisation of data processing, and the method of beginning and ending work, the system usage method or the password change principles to all the persons being its users, the antivirus protection principles and the procedures of making backup copies to persons involved in technical exploitation and keeping system work continuity. The contents of the instruction shall contain general information on the computer system and personal data filing systems which are processed by using these systems, the applied technical solutions, as well as the exploitation procedures and usage principles which were applied to ensure personal data processing security. In case where the controller uses for the processing of data not one but a few computer systems, then relevantly to the similarity of the applied solutions it shall develop one general management instruction or develop separate instructions for each of the applied systems. So, depending on the adopted solution the scope of developed issues will be different in small entities where the personal data are processed by means of one or few computers, and in large entities where function complex local computer networks with a big number of servers and workstations processing the data with the use of many computer systems. In the instruction concerned the computer systems to which this instruction is related, their localisations and the applied methods of access (directly to the computer where the system is 1

2 installed, in local computer network or through telecommunications network, e.g. leased access line, Internet) shall be indicated. This instruction shall cover the issues related to ensuring information security, and in particular the elements enumerated in 5 of the Regulation which include: 1) procedures of granting authorisation to process data and registration of these authorisations in the computer system as well as indication of the person responsible for the aforesaid activities; 2) applied methods and means of authorisation and procedures connected with their management and use; 3) procedures of the beginning, suspension and the end of work by the users of the system; 4) procedures of making backups of the data filing systems and programs and software tools used for the data processing. 5) method, place and period of storage of: a) electronic information media containing personal data, b) backups referred to in point 4, 6) method of the computer system securing against software referred to in paragraph III point 1 of the Appendix to this Regulation; 7) method of implementation of the requirements referred to in 7 paragraph 1 point 4 of the Regulation; 8) procedures of executing the inspection and maintenance of systems and information media used for personal data processing. In order to provide the protection of the data being processed the rules of conduct adequate for each of the applied computer systems shall be indicated in the contents of the instruction in relation to each of the above enumerated points. The general guidelines concerning the issues which shall be included in the instruction in relation to the points enumerated above are presented below. 2

3 1. Procedures of granting authorisation to process data and registration of these authorisations in the computer system as well as indication of the person responsible for the aforesaid activities ( 5 point 1 of the Regulation). In this point the principles of granting an identifier to the user in the computer system, as well as principles of granting or modifying user s authorisation to access the resources of the computer system shall be described. The principles above shall include the operations related to granting users authorisation to work in the computer system from creating user account, through granting and modifying his/her privileges, up to the moment of removing the account from the computer system. The procedure determining the principles of users registration shall unambiguously specify the rules of conduct with privileged users accounts (i.e. users possessing access at the level of computer systems administrators), as well as rules of administering the computer system in emergency cases, for example absence of the administrator. Persons responsible for realisation of the procedures and registering and unregistering users of the computer system shall be indicated in the instruction. 2. Applied methods and means of authorisation and procedures connected with their management and use ( 5 point 2 of the Regulation). In this point the mode of assigning passwords shall be described, i.e. indication whether the passwords of users shall be given in oral or written form and indication of the recommendations regarding the degree of their complexity. Persons responsible for assigning passwords shall also be indicated. This indication may be specified functionally or personally. The recommendation is to avoid giving passwords by third parties or by means of unprotected messages. After having obtained the password the user shall be obliged to immediately change it, unless the system does not enable the performance of such operation. Depending on the used solutions additional information related to passwords shall be given such as requirements concerning their recurrence or requirements regarding the set of characters of which they consist. The information on the required frequency and the password change method shall be also included, e.g. whether password change is forced after specific time by the computer system or whether the user has to remember about it himself/herself. While determining the frequency of password change one has to remember that pursuant to paragraph IV (2) of the Appendix to the Regulation the user s password shall be changed at least every 30 days and shall consist of 3

4 at least 6 characters if the data referred to in Art. 27 of the Act are not processed in the system, or 8 characters if such data are processed (paragraph VII of the Appendix). The passwords shall be kept in the computer system in encrypted form. The method of storing the passwords of users having the rights of computer systems administrators and the method of recording their emergency use shall be indicated. Additionally, in case of using the user s identity verification methods other than the identifier and password, such as microprocessor cards or biometric methods, the guidelines on their application shall be included in the instruction. For microprocessor cards e.g. the method of their personalisation shall be indicated, and for biometric methods the way of downloading biometric data in the process of user s registration in the system and the method of their storage shall be indicated. 3. Procedures of the beginning, suspension and the end of work by the users of the system ( 5 point 3 of the Regulation). In this point consecutive activities which shall be conducted to activate the computer system, and in particular the principles of users conduct when their authentication process (logging into the system) is performed, shall be indicated. The compliance with the principles specified in the instruction shall ensure passwords confidentiality and make unauthorised data processing impossible. The methods of conduct in the situation of stopping work temporarily as a result of leaving workplace or in the circumstances when unauthorised person can inspect the data displayed on the screen shall also be determined. The user shall be instructed that it is necessary to log out of the computer system before switching off the workstation and informed of the activities which shall be done for this purpose. The procedures destined for the system users shall indicate the method of conduct in the situation of suspected violation of system security, e.g. in case of lack of possibility for the user to log into his/her account or in case where physical interference in the processed data or used software or hardware tools is stated. 4. Procedures of making backups of the data filing systems and programs and software tools used for the data processing ( 5 point 4 of the Regulation). In this point the methods and frequency of making backups of the data and backups of the computer system used for the data processing shall be indicated. The following needs to 4

5 be determined: for what data backups will be made, the type of media on which backups will be made and software tools and devices which shall be used for this purpose. In the procedure of making copies the schedule of making backups shall be specified for particular data filing systems with indicating adequate method of making copies (incremental copy, full copy). Part of the instruction regarding making backups in case where the procedures of making these copies are complex may refer to detailed procedures dedicated to particular data filing systems or computer systems. These procedures shall be enclosed to the management instruction. In the procedures specifying the scope and method of making backups the rotation periods and the total time of using particular data media shall be indicated. The procedures of liquidation of media containing data backups after their withdrawal as a result of becoming useless or damaged shall be determined. The procedure of liquidation of media containing personal data shall consider the requirements included in paragraph VI (1) of the Appendix to the Regulation. These requirements order that devices, discs and other electronic information media containing personal data intended to liquidation shall be devoid of those data record, and in the case when it is impossible, the records shall be damaged to make them not readable. 5. Method, place and period of storage of: a) electronic information media containing personal data, b) backups referred to in 5 point 4. In this point of the instruction the method and period of storage of all types of information media (floppy disks, CDs, magnetic tapes) shall be specified. The premises destined for storage of information media, as well as the method of securing these media against unauthorised takeover, readout, copy or destruction shall be also indicated. While developing the recommendations on the method and period of storage of information media one has to consider that pursuant to paragraph IV (4a) of the Appendix to the Regulation backups shall be stored in the premises ensuring security against any unauthorised takeover, change, damage or destruction. The requirements specified in point IV (4b) of the Appendix do the Regulation ordering that backups shall be deleted as soon as their usefulness ceases shall be considered. In case of transferring information media to external entities in order to store them safely, e.g. quite often applied depositing of backups in bank vaults, the procedures of transferring information media to these entities shall be determined and the methods of 5

6 securing the transferred information media against unauthorised takeover during their transport/transfer shall be indicated. 6. Method of the computer system securing against software referred to in paragraph III point 1 of the Appendix to the Regulation ( 5 point 6 of the Regulation). While describing the securing of the computer system against software referred to in paragraph III (1) of the Appendix to the Regulation the areas of the computer system exposed to interference of computer viruses and all types of other malicious software shall be specified. Possible vulnerabilities in the system allowing malicious software to get into the system and the activities which shall be undertaken in order to minimise the possibility of such software being installed shall be indicated. Regardless of indicating the activities preventing from getting into the system of malicious software, also the applied software tools aimed at counteracting the consequences of harmful activity of such software shall be indicated in the instruction. Antivirus software which was installed shall be indicated, the method and frequency of viruses definitions updates shall be specified and the persons responsible for managing this software shall be determined. The procedures of users conduct in a situation of identifying a specific type of threats shall be also presented. The user shall be informed on the activities which he/she shall perform in case where the securing software indicates the existence of a threat. In case where the methods securing against malicious software other than antivirus software are used, they shall be indicated and the procedures related to their use shall be presented. Such methods may include inter alia physical separation of devices enabling readout of data from exchangeable information media of particular workstations (e.g. disconnecting a CD-ROM drive, a floppy drive, etc.) and designating a separate workstation in computer network destined for exchange of data by means of external media. 7. Method of implementation of the requirements referred to in 7 paragraph 1 point 4. Pursuant to 7 paragraph 1 point 4 of the Regulation for each person whose personal data are being processed within the computer system this system should secure keeping records of disclosing information to recipients within the meaning of Art. 7 point 6 of the Act, including information to whom the personal data have been disclosed and the date and the scope of this disclosure, unless the computer system is used for the processing of personal 6

7 data contained in open data filing systems. So it can be concluded that the computer system used for the processing of personal data shall have functionalities which enable keeping records of the information mentioned above. Pursuant to 5 point 7 of the Regulation the method and form of keeping records shall be specified in the instruction. Whereby, special attention shall be paid to the fact that it is not sufficient to keep records of the information referred to in 7 paragraph 1 point 4 of the Regulation in paper form, and thus the instruction cannot provide for such method of realisation of the requirement indicated above, because it would be inconsistent with the definition of the computer system set forth in the Act. It shall be also noted that in case of the processing of personal data not only in one computer system the requirements referred to in 7 paragraph 1 point 4 of the Regulation can be realised in one of these systems or in a separate computer system destined for this purpose. The conclusion is that keeping records of information on disclosures is possible in one system only where the data filing system being processed in two or more systems is related to exactly the same persons. An example of such situation is using the same database by many applications. However, it is not permitted to keep records of the indicated information exclusively in one system of groups of persons whose data are being processed in particular systems are not exactly the same. In the situation where the filing system of persons whose data are being processed in one system differs from the filing system of persons whose data are being processed in the other system and where there is no include relation between these filing systems, it is necessary to keep records of the information on disclosures separately in each system servicing these filing systems or possibly in the system dedicated to keep records of the information referred to in 7 paragraph 1 point Procedures of executing the inspection and maintenance of systems and information media used for personal data processing ( 5 point 8 of the Regulation) In this point the purpose, scope, frequency and procedures of executing the inspection and maintenance of the computer system shall be specified. The entities and persons entitled to execute the inspection and maintenance of the computer system shall be indicated. The procedures of executing maintenance activities of the system, in case where these activities are commissioned to persons not authorised to process the data (e.g. specialists from external companies), shall specify the method of supervising these activities by the controller. In case of handing over the information media containing personal data to be 7

8 repaired the method of deleting personal data from these media shall be determined, before handing them over. The procedures related to repairing the computer software shall consider the requirement specified in paragraph VI (3) of the Appendix to the Regulation which requires that devices, discs and other electronic information media containing personal data intended to be repaired are to be devoid of those data record, thereby to make them not retrievable, or repaired under a supervision of a person who has been authorised by the controller. 8