We inform you that by joint order of the Ministry of Education and Science of the Republic of Tatarstan and the State Institution “Information Technology Center of the Republic of Tatarstan” No. 1156/09/29-o dated May 18, 2009, an action plan was approved for ensuring the information security of personal data information systems in educational institutions of the Republic of Tatarstan.

Based on the specified plan, and in order to bring the personal data information systems of educational institutions of the Republic of Tatarstan into compliance with the requirements of Federal Law of the Russian Federation No. 152-FZ of July 27, 2006 “On Personal Data”, I ask you to organize the following set of measures to protect personal data.

1. Ensure the appointment in subordinate educational institutions of officials responsible for ensuring the security of personal data.

2. In all subordinate institutions, identify the information systems in which personal data are processed, classify them in accordance with the “Procedure for the classification of personal data information systems” (Appendix No. 2), and approve the classification act (Appendix No. 3).

3. Before June 22, 2009, submit information about the personal data information systems of all subordinate educational institutions, using the attached form (Appendix No. 4), to the Ministry of Education and Science of the Republic of Tatarstan.

Attachments:

1. Joint order of the Ministry of Education and Science of the Republic of Tatarstan and the State Institution “Information Technology Center of the Republic of Tatarstan” No. 1156/09/29-o dated May 18, 2009, 1 copy, 3 sheets.

2. Order No. 55/86/20 dated February 13, 2008 “On approval of the Procedure for classifying personal data information systems”, 1 copy, 8 sheets.

3. Example of an order to create a commission, and a classification act, 1 copy, 3 sheets.

4. Form “Information on personal data information systems”, 1 copy, 1 sheet.

On information security measures for personal data information systems in educational institutions of the Republic of Tatarstan

In order to implement the requirements of regulatory documents of the Russian Federation and the Republic of Tatarstan in the field of information security:

1. Approve the attached plan of measures to ensure the information security of personal data information systems in educational institutions of the Republic of Tatarstan.

2. I reserve control over the execution of this order.


Plan of measures to ensure the information security of personal data information systems in educational institutions of the Republic of Tatarstan


| Event name | Due date | Responsible for implementation |
| --- | --- | --- |
| Inventory of information systems processing personal data; classify the IS and approve the classification act | June 2009 | Carry out the inventory in the prescribed form |
| Sending of notifications by educational institutions (personal data operators) to the authorized body for the protection of the rights of personal data subjects | June 2009 | Ministry of Education and Science of the Republic of Tatarstan; educational authorities of the Republic of Tatarstan; educational institutions of the Republic of Tatarstan that have not sent notifications |
| Preparation of a package of standard documents: statement on the protection of personal data; regulations on the information protection unit; job regulations of persons responsible for personal data protection; action plan for personal data protection; plan of internal audits of the state of personal data protection; order on the appointment of persons responsible for PD; logbook for recording control activities; logbook for recording requests from personal data subjects regarding the fulfillment of their legal rights; sample journal (book) for personal income accounting; rules for using information security tools; sample agreement with an employee on responsibility for disclosure of personal data | July 2009 | GU CIT RT, Ministry of Education and Science of the Republic of Tatarstan |
| Survey and identification of several priority groups of educational institutions for subsequent certification of information systems at the expense of the centralized budget of the Republic of Tatarstan | August 2009 | |
| Certification of PD information systems in accordance with clause 8 of this plan | November 2009 | GU CIT RT, Ministry of Education and Science of the RT, educational authorities of the RT, educational institutions of the Republic of Tatarstan |
| Organize and maintain a system for protecting confidential information from unauthorized access in accordance with the established IS class, using security tools certified in the prescribed manner | | Ministry of Education and Science of the Republic of Tatarstan, educational authorities of the Republic of Tatarstan, educational institutions of the Republic of Tatarstan |

Approved by order of the FSTEC of Russia, the FSB of Russia and the Ministry of Information and Communications of Russia No. 55/86/20 dated February 13, 2008

Procedure for conducting the classification of personal data information systems

1. This Procedure determines the classification of personal data information systems, which are a set of personal data contained in databases, as well as information technologies and technical means that allow the processing of such personal data using automation tools (hereinafter referred to as information systems) [1].

2. The classification of information systems is carried out by state bodies, municipal bodies, legal entities and individuals who organize and (or) carry out the processing of personal data, as well as determine the purposes and content of the processing of personal data (hereinafter referred to as the operator) [2].

[1] Paragraph one of clause 1 of the Regulations on ensuring the security of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 17, 2007 No. 781 (Collected Legislation of the Russian Federation, 2007, No. 48, Part II, Art. 6001) (hereinafter referred to as the Regulations).
[2] Paragraph one of clause 6 of the Regulations.

3. The classification of information systems is carried out at the stage of creating information systems or during their operation (for previously commissioned and (or) modernized information systems) in order to establish the methods and means of protecting information necessary to ensure the security of personal data.

4. Carrying out the classification of information systems includes the following steps: collection and analysis of initial data on the information system; assignment of the appropriate class to the information system and its documentation.

5. When classifying an information system, the following initial data are taken into account:

  • category of personal data processed in the information system (XPD);
  • volume of personal data processed, i.e. the number of personal data subjects whose personal data are processed in the information system (XNPD);
  • security characteristics of the personal data processed in the information system, as specified by the operator;
  • structure of the information system;
  • availability of connections of the information system to public communication networks and (or) international information exchange networks;
  • personal data processing mode;
  • mode of delimiting the access rights of users of the information system;
  • location of the technical means of the information system.

6. The following categories of personal data processed in the information system (XPD) are defined:

7. XNPD can take the following values:

  1 - the information system simultaneously processes personal data of more than 100,000 personal data subjects, or personal data of personal data subjects within a constituent entity of the Russian Federation or the Russian Federation as a whole;

  2 - the information system simultaneously processes personal data of 1,000 to 100,000 personal data subjects, or personal data of personal data subjects working in an economic sector of the Russian Federation or in a government agency, or living within a municipality;

  3 - the information system simultaneously processes personal data of fewer than 1,000 personal data subjects, or personal data of personal data subjects within a specific organization.
8. According to the security characteristics of the personal data processed in the information system, as specified by the operator, information systems are divided into typical and special information systems.

Typical information systems are information systems that require only ensuring the confidentiality of personal data.

Special information systems are information systems in which, regardless of the need to ensure the confidentiality of personal data, it is necessary to ensure at least one of the security characteristics of personal data other than confidentiality (security from destruction, modification, blocking, as well as other unauthorized actions).

Special information systems should include:

information systems in which personal data relating to the health status of the subjects of personal data are processed;

information systems that provide for the adoption of decisions, based solely on automated processing of personal data, that give rise to legal consequences for the subject of personal data or otherwise affect his rights and legitimate interests.

9. According to their structure, information systems are divided into:

  • autonomous (not connected to other information systems) complexes of technical and software devices intended for processing personal data (automated workstations);

  • complexes of automated workstations integrated into a single information system by means of communication without the use of remote access technology (local information systems);

  • complexes of automated workstations and (or) local information systems combined into a single information system by means of communication using remote access technology (distributed information systems).

10. Based on the presence of connections to public communication networks and (or) international information exchange networks, information systems are divided into systems with connections and systems without connections.

11. According to the mode of processing personal data in the information system, information systems are divided into single-user and multi-user.

12. Based on the delimitation of user access rights, information systems are divided into systems without delimitation of access rights and systems with delimitation of access rights.

13. Depending on the location of their technical means, information systems are divided into systems all of whose technical means are located within the Russian Federation, and systems whose technical means are partially or entirely located outside the Russian Federation.

14. Based on the results of the analysis of the initial data, a typical information system is assigned one of the following classes:

class 1 (K1) - information systems for which a violation of the specified security characteristics of personal data processed in them can lead to significant negative consequences for the subjects of personal data;

class 2 (K2) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to negative consequences for the subjects of personal data;

class 3 (K3) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to minor negative consequences for the subjects of personal data;

class 4 (K4) - information systems for which violation of the specified security characteristics of personal data processed in them does not lead to negative consequences for the subjects of personal data.

15. The class of a typical information system is determined in accordance with

16. Based on the results of the analysis of the initial data, the class of a special information system is determined on the basis of a model of threats to the security of personal data, in accordance with methodological documents developed under paragraph 2 of Decree of the Government of the Russian Federation No. 781 of November 17, 2007 “On approval of the Regulations on ensuring the security of personal data when processing them in personal data information systems”.

17. If subsystems are identified within an information system, each of which is itself an information system, the information system as a whole is assigned the class corresponding to the highest class of its subsystems.

18. The results of the classification of information systems are formalized by the corresponding act of the operator.

19. The information system class can be revised:

by decision of the operator based on his analysis and assessment of threats to the security of personal data, taking into account the characteristics and (or) changes of a specific information system;

based on the results of measures to monitor compliance with the requirements for ensuring the security of personal data during their processing in the information system.

Standard form

List of personal data information systems (PDIS) in which information security must be ensured

Columns of the form: Property address; ISPD structure; PD processing mode; ISPD class.
Example of filling out the list

Columns of the form: Name of ISPDn (its component part); Name of the object (full and abbreviated); Industry (departmental) affiliation; Facility address; Initial data of ISPD classification (ISPD structure; availability of connections to SSOP and LEB networks (Internet); PD processing mode; user access restrictions; location of ISPDn (its components) within Russia); ISPD class.

Example entry:

Name of ISPDn: Air ticket subscription system of the company "AEROTRANS"

Name of the object and facility address: CJSC "AEROTRANS", Central Air Terminal building, offices No. 1501, 1502, No. 1720 (server), Moscow, Leningradsky Prospekt, 35

ISPD structure: Distributed system

Connections: Connected to the Internet, using SSOP

User access restrictions: with differentiation of access rights

Location within Russia: Subscriber point on the territory of Ukraine (Kyiv, Boryspil airport)

Note: The system has AP at the airports Sheremetyevo, Domodedovo and Vnukovo.

An example of an order to create a commission for ISPD classification

On the classification of personal data information systems

To classify the personal data information systems located in the building ______________, according to the conditions of their functioning from the point of view of information security, for compliance with information security requirements:

1. Appoint a commission consisting of:

Chairman of the commission:

Deputy Head of Educational Institution ***

Members of the commission:

Head of Accounting and Reporting Department ***

Head of HR Policy Department ***

Chief specialist ***
2. Carry out the classification in accordance with the “Procedure for the classification of personal data information systems”, approved by order of the FSTEC of Russia, the FSB of Russia and the Ministry of Information and Communications of Russia dated February 13, 2008.

3. Based on the results of the work, submit for approval the “Act of classification of personal data information systems located in the building of the educational institution”.

4. I reserve control over the execution of this order.

Head of the educational institution ****
Example of an ISPD classification act

ACT No. _/AKl dated ___ ___________ 200_

on the classification of personal data information systems located in the building of the educational institution

Commission consisting of:

Chairman of the commission:

Deputy Head of Educational Institution

Members of the commission:

Head of Accounting and Reporting Department

Head of HR Policy Department

Chief specialist

1. The composition of the personal data information systems is presented in the “List of ISPDs in which information security must be ensured” (Appendix 1).

2. The highest category of personal data processed in the information systems (XPD) is “category _”.

3. The largest volume of personal data processed (XNPD) corresponds to value _.

4. In accordance with the “Procedure for the classification of personal data information systems”, approved by order of the FSTEC of Russia, the FSB of Russia and the Ministry of Information and Communications of Russia dated February 13, 2008, the information system as a whole is assigned class _.
Chairman of the commission:

Deputy Head of the Institution

Members of the commission:

Head of Accounting and Reporting Department

Head of HR Policy Department

Chief specialist

List of personal data information systems (PDIS) in which security must be ensured

Columns of the form: Name of ISPDn (its component part); Name of the object (full and abbreviated); Industry (departmental) affiliation; Property address; Initial data of ISPD classification (ISPD structure; availability of connections to SSOP and LEB networks (Internet); PD processing mode; user access restrictions; location of ISPDn (its components) within Russia); ISPD class.
Information about the personal data information system

Issues covered:

Name of the personal data information system (PDIS) and system developer. Example: “1C Enterprise”, 1C company.

ISPD class. Indicate the ISPDn class in accordance with the classification act.

Goals and status of the ISPD. Indicate why and on what basis it was created (in accordance with the law, to fulfill a contract with an insurance company, on its own initiative, etc.). Example: maintaining personnel and accounting records for employees, created in accordance with the law.

Volume and composition of the ISPDn. Indicate the number of personal data subjects processed in the system and the content of the information (full name, address, tax identification number, nationality, etc.).

ISPDn sources. Indicate the sources from which personal data are obtained (from the citizen, from other educational institutions, from third parties, etc.).

Processing mode and access to the ISPDn. Specify the processing mode (single-user, multi-user), the access procedure (with or without delimitation) and the name of the document regulating access, if any. Example: multi-user, with access control, no regulations.

ISPDn users. Example: internal users (departments, structural units); external users (names of organizations).

Methods of transmitting information to users. Example: on paper, on magnetic media, via secure communication channels, etc.

Operator (Article 3, Clause 2 of Federal Law 152-FZ) or the person entrusted with the processing of PD (Clause 10 of the “Regulations...”). The legal basis for the processing of personal data (who made the decision and by what document it is secured). Indicate the full name (according to the charter) and postal address of the organization, and the documents on the basis of which the institution operates. Example: Ministry of Education and Science of the Republic of Tatarstan; Decree of the President of the Republic of Tatarstan “On the transformation of the Ministry of Education of the Republic of Tatarstan” dated 09.09.2004 No. UP-570; Regulations on the Ministry of Education and Science of the Republic of Tatarstan.

Start date of PD processing.

Storage period. Establish data storage periods for each ISPD, if the duration is not established by law.

Terms or conditions for termination of processing. Establish deadlines for data processing for each ISPD, if the duration is not established by law.

Information on the inclusion of the ISPD in the state register of databases.

Classification of an ISPD is carried out at the stage of its creation or during operation, but always before the personal data protection system (SPPD) is built. In general, all information systems processing personal data are divided into two kinds depending on the security characteristics of the processed data:

Typical information systems: systems where only the confidentiality of the processed personal data is required to be ensured.

Special information systems: systems where at least one security characteristic other than confidentiality (for example, integrity or availability) must be ensured. Special information systems include:

  1. ISPDs processing personal data about the health status of personal data subjects;
  2. ISPDs that make decisions based solely on automated processing of PD, where the decisions made may entail legal consequences for the subject of the personal data or otherwise affect his legal rights and interests.

According to the methodology proposed in the Order, an ISPD is classified depending on the number of subjects whose data are processed and the type of personal data processed.

Depending on the volume of personal data processed in the ISPD (XNPD), the following categories of ISPD are distinguished:

1st category: the information system simultaneously processes personal data of more than 100,000 personal data subjects, or personal data of subjects within a constituent entity of the Russian Federation or the Russian Federation as a whole;

2nd category: the information system simultaneously processes personal data of 1,000 to 100,000 personal data subjects, or personal data of subjects working in an economic sector of the Russian Federation or in a government body, or living within a municipality;

3rd category: the information system simultaneously processes personal data of fewer than 1,000 personal data subjects, or personal data of subjects within a specific organization.

The following categories of personal data processed in the information system (XPD) are defined:

Table 6.1. Definition of an information system class (rows: XPD category; columns: XNPD value)

| XPD \ XNPD | category 3 | category 2 | category 1 |
| --- | --- | --- | --- |
| category 4 | K4 | K4 | K4 |
| category 3 | K3 | K3 | K2 |
| category 2 | K3 | K2 | K1 |
| category 1 | K1 | K1 | K1 |

Let's look at what each ISPD class means separately:

  • class 1 (K1): information systems for which a violation of the specified security characteristics of personal data processed in them can lead to significant negative consequences for the subjects of personal data;
  • class 2 (K2): information systems for which a violation of the specified security characteristics of personal data processed in them may lead to negative consequences for the subjects of personal data;
  • class 3 (K3): information systems for which a violation of the specified security characteristics of personal data processed in them may lead to minor negative consequences for the subjects of personal data;
  • class 4 (K4): information systems for which a violation of the specified security characteristics of personal data processed in them does not lead to negative consequences for the subjects of personal data.

Class 1 is considered the highest. If several subsystems are distinguished within an ISPD, the class of the ISPD as a whole corresponds to the highest class among its component subsystems.

Thus, the higher the ISPD class, the higher the requirements for ensuring the security of personal data.

The procedure for determining the class of special systems differs somewhat from that for typical ones. The class of a special ISPD is determined on the basis of the organization’s own threat model, in accordance with the methodological documents of the FSTEC. Classifying an information system as special can significantly reduce the cost of building a data protection system, since in this case the operator can reasonably select the minimum set of current threats against which personal data must be protected. For example, if the system contains information about a person’s income (for example, 1C), such a system can be classified as special, since the legitimate interests of the person are affected. The same applies to information about disability, race, etc. In practice, classifying an ISPD as special is a rather controversial issue.
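As an added worked example (not part of the original document or of the FSTEC order), the following Python code applies Table 6.1 together with paragraphs 7, 8 and 17 of the Procedure: it derives XNPD from the subject count or territorial scope, looks up the class of a typical system, declines to classify a special system from the table alone, and rolls subsystems up to the highest class. The scope labels and the sample school subsystems are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Table 6.1 of the Procedure: outer key is the personal data category XPD
# (1 = most sensitive .. 4), inner key is the volume value XNPD (3, 2, 1).
CLASS_TABLE = {
    4: {3: "K4", 2: "K4", 1: "K4"},
    3: {3: "K3", 2: "K3", 1: "K2"},
    2: {3: "K3", 2: "K2", 1: "K1"},
    1: {3: "K1", 2: "K1", 1: "K1"},
}
# K1 is the highest (strictest) class; a lower rank means a stricter class.
CLASS_RANK = {"K1": 1, "K2": 2, "K3": 3, "K4": 4}


def xnpd_value(subjects: int, scope: str = "organization") -> int:
    """Paragraph 7: XNPD from the subject count or the territorial scope.

    The scope labels are constructed for this example: 'organization'
    (value 3), 'municipality' or 'sector' (value 2), 'region' for a
    constituent entity of the RF or the RF as a whole (value 1).
    """
    if scope == "region" or subjects > 100_000:
        return 1
    if scope in ("municipality", "sector") or subjects >= 1_000:
        return 2
    return 3


@dataclass
class Subsystem:
    name: str
    xpd: int                 # category of personal data, 1..4
    subjects: int            # number of personal data subjects
    scope: str = "organization"
    special: bool = False    # paragraph 8: integrity/availability also required


def classify_subsystem(s: Subsystem) -> Optional[str]:
    """Paragraphs 14-16: table lookup for a typical system.

    Returns None for a special system: its class comes from the operator's
    threat model under the FSTEC methodology, not from Table 6.1.
    """
    if s.special:
        return None
    if s.xpd not in CLASS_TABLE:
        raise ValueError(f"{s.name}: unknown XPD category {s.xpd}")
    return CLASS_TABLE[s.xpd][xnpd_value(s.subjects, s.scope)]


def classify_system(subsystems: List[Subsystem]) -> Optional[str]:
    """Paragraph 17: the system as a whole takes the highest class of its
    subsystems. None if any subsystem still needs a threat-model assessment."""
    classes = [classify_subsystem(s) for s in subsystems]
    if not classes or any(c is None for c in classes):
        return None
    return min(classes, key=CLASS_RANK.__getitem__)


# Constructed sample: a school's HR/accounting records and its student roster.
SCHOOL_ISPD = [
    Subsystem("HR and accounting records (employees)", xpd=3, subjects=150),
    Subsystem("Student roster", xpd=2, subjects=1_200),
]

if __name__ == "__main__":
    for sub in SCHOOL_ISPD:
        print(f"{sub.name}: {classify_subsystem(sub)}")
    print("ISPD as a whole:", classify_system(SCHOOL_ISPD))  # K2
```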

The ISPD class may be revised.

