Head of Industrial Enterprise Security at Infosecurity a Softline Company Anatoly Sazonov
Posted: Sun Jan 26, 2025 6:42 am
Andrey Arsenyev, Head of Analytics and Special Projects at InfoWatch Group, attributes this to the fact that, as often happens, organizations generally need more time to adapt to a large package of legislative changes than the regulator provides: "While federal executive bodies and large enterprises have every brazil mobile number database opportunity to get on the updated legislative track as soon as possible, it is much more difficult for medium and small businesses. Companies of different levels have especially many questions about building a risk matrix in the event of a personal data leak. Often, you cannot do without experienced consultants. In addition, new requirements lead to a significant increase in the workload of employees responsible for working with personal data, or to the need to introduce additional units into the staffing schedule, and not everyone is ready for this."
The situation is aggravated by the fact that a number of departments have not yet brought the regulatory framework into line with the new requirements. Thus, Alexey Zhukov, Head of the Department of Scientific and Medical Digital Solutions at the Research Institute of Emergency Children's Surgery and Traumatology, noted that, for example, the regulatory framework of the Ministry of Health still does not provide for the creation of information security units in subordinate institutions, despite the fact that the industry directly falls under the requirements of Decree No. 250 of the President of Russia. And in his opinion, exactly the same situation occurs everywhere where the functioning of the main business depends little on the work of information systems. However, as Alexey Zhukov recalled, the regulations of the same Ministry of Health directly prohibit the storage of personal data outside the country.
warns that in general, the issues of cross-border transfer have not yet been worked out, which may cause serious problems for many companies: "Many questions arise regarding the cross-border transfer of personal data - the transfer of PD across the state border of the Russian Federation to a foreign government agency, an individual or legal entity of a foreign state. Some companies have already sent a notification of cross-border transfer, some companies are waiting for the changes to come into force on March 1 and the subsequent law enforcement practice, since the issue of cross-border transfer within business processes is not clearly defined and companies do not want to stop their business processes due to a possible ban on the transfer of PD abroad. There is no dependence on the industry here, all operators are in approximately the same situation."
Alexey Zhukov also called the shortage and low quality of training of information security personnel a serious problem. Out of 10 graduates of educational institutions, only two can actually start working. Also, as Alexey Zhukov emphasized, when training specialists, the main attention is paid to working with technical means to the detriment of familiarization with the regulatory framework and the use of organizational methods. And this specialist is far from alone in his complaints about the education sector. They were expressed at various forums by representatives of both business and regulators.
The situation is aggravated by the fact that a number of departments have not yet brought the regulatory framework into line with the new requirements. Thus, Alexey Zhukov, Head of the Department of Scientific and Medical Digital Solutions at the Research Institute of Emergency Children's Surgery and Traumatology, noted that, for example, the regulatory framework of the Ministry of Health still does not provide for the creation of information security units in subordinate institutions, despite the fact that the industry directly falls under the requirements of Decree No. 250 of the President of Russia. And in his opinion, exactly the same situation occurs everywhere where the functioning of the main business depends little on the work of information systems. However, as Alexey Zhukov recalled, the regulations of the same Ministry of Health directly prohibit the storage of personal data outside the country.
warns that in general, the issues of cross-border transfer have not yet been worked out, which may cause serious problems for many companies: "Many questions arise regarding the cross-border transfer of personal data - the transfer of PD across the state border of the Russian Federation to a foreign government agency, an individual or legal entity of a foreign state. Some companies have already sent a notification of cross-border transfer, some companies are waiting for the changes to come into force on March 1 and the subsequent law enforcement practice, since the issue of cross-border transfer within business processes is not clearly defined and companies do not want to stop their business processes due to a possible ban on the transfer of PD abroad. There is no dependence on the industry here, all operators are in approximately the same situation."
Alexey Zhukov also called the shortage and low quality of training of information security personnel a serious problem. Out of 10 graduates of educational institutions, only two can actually start working. Also, as Alexey Zhukov emphasized, when training specialists, the main attention is paid to working with technical means to the detriment of familiarization with the regulatory framework and the use of organizational methods. And this specialist is far from alone in his complaints about the education sector. They were expressed at various forums by representatives of both business and regulators.