m@ksim.pro

FSTEC Order 21: what it changes in the practical protection of personal data

The Russian market gets a more concrete language for protection measures, security levels, and threat classes. What this means for companies that process personal data.

In 2013 the Federal Service for Technical and Export Control (FSTEC) of Russia approved Order No. 21, which established the composition and content of measures for ensuring the security of personal data when processed in information systems. This is not the first regulatory act in this field, but it differs from previous approaches in the concreteness of its language.

Where earlier requirements were framed in terms of "ensure protection" without specifying how, the new document introduces four security levels and defines a specific set of measures for each. This changes the conversation with the regulator and changes how companies need to design their protection.

For most companies, this means reviewing which security level their information systems fall under and whether the current set of measures is sufficient.

What changed in substance

Before Order 21, the main document for non-government organisations was a set of earlier FSTEC requirements framed largely through the classification of information systems. The classification was rigid and did not always reflect the actual nature of the data being processed or the relevant threats.

The new order introduces the concept of a personal data security level - from UZ-4 (base) to UZ-1 (highest). The level is determined by three parameters: the type of personal data, the number of data subjects whose data is processed, and the type of threats relevant to the system.

This is a more flexible and more realistic approach. A company processing client contact details in a closed system with no internet connection and a company processing medical data in an online service receive different requirements. Logic replaces formal classification.

Security levels in practice

Most small and mid-sized companies processing standard personal data of employees or clients - names, contact details, contract data - fall under UZ-3 or UZ-4 under standard processing conditions. The requirements at these levels are realistic to meet.

UZ-2 and UZ-1 arise when processing special categories of data - medical, biometric, criminal record data - or when processing data for large numbers of subjects in systems with an elevated level of relevant threats.

The key concept here is "relevant threats." The order introduces three threat types: type-one threats relate to undeclared capabilities in system software, type-two to undeclared capabilities in application software, and type-three to threats not connected with undeclared capabilities. For most commercial organisations using standard certified software without specific risks, only type-three threats are relevant - which lowers the required security level.

What companies need to do

The first step is inventory. Understand what personal data the company processes, in which information systems, and what threats are relevant to each. Without this picture it is impossible to correctly determine the security level - which is why mapping data flows must come before any protective measures.

The second step is determining the security level for each system. This must be recorded in documents: a threat and intruder model and a classification act.

The third step is comparing current measures against the requirements of the order for the determined level. The annex to the order contains a list of measures - from organisational ones (policies, regulations, training) to technical ones (access control, audit, virtualisation environment protection, and so on). Some measures are mandatory, others are compensating or supplementary.

The fourth step is closing the gaps. Not everything needs to be done immediately. Prioritising by risk and building a plan is a reasonable approach.

What to pay attention to

Documentation is not a formality. The regulator during an inspection looks not only at technical measures but also at whether the decisions made are recorded. Threat models, classification acts, policies - these are not paper for the sake of paper; they are evidence that the company approaches data protection deliberately.

Certified protection tools. The order contains a requirement to use FSTEC-certified information security tools for certain measures. This affects the selection of specific products and requires checking that certifications are current.

Periodic review. Security level and the set of measures are not a one-time decision. When the nature of processing changes, the list of data expands, or the infrastructure changes, the analysis needs to be repeated.

A few questions for an initial self-assessment:

  1. Has a list of information systems processing personal data been compiled?
  2. Has a security level been determined for each system?
  3. Has a current threat model been developed?
  4. Does the set of technical measures meet the requirements for the determined level?
  5. Is there a designated person responsible for organising personal data protection?

Order 21 is not tightening requirements for the sake of tightening them. It is an attempt to translate requirements from the abstract into the operational. For companies that approach the question honestly, it simplifies work with the regulator and reduces the risk of formal violations while genuinely protecting data.
