The project's client was a subsidiary of one of Russia's largest vertically integrated oil companies. The company independently conducts operational activities in the areas of prospecting, exploration, and field development.
The client's parent company has an Information Security Center (ISC), which develops corporate templates for personal data protection documentation for all subsidiaries. At the client itself, however, information security had historically been handled by a related department that focused on the practical implementation of technical security measures, while the organizational side of personal data processing (purposes, system inventory, regulating documents) had received little attention. Bringing these processes into line with personal data legislation required dedicated attention and priority.
The client therefore decided to engage an integrator, ICL Services, to align its personal data processing with legal requirements.
Key Challenges
- Conduct a pre-project survey and audit of how personal data processing is organized, checking compliance with Russian legislation (Federal Law No. 152-FZ "On Personal Data" and its implementing regulations).
- Classify personal data information systems.
- Develop and submit to the client a survey report with identified discrepancies and recommendations for remediation.
- Develop a set of organizational and administrative documentation (ORD) regulating personal data processing, based on the client's corporate templates and standards.
- Develop an information security threat model and intruder model, drawing on the FSTEC of Russia threat database (BDU).
Our Solution
The project was completed in three key stages.
Pre-project survey
The work began with an in-person visit by an ICL Services expert to the client's headquarters, during which employees from 15-20 departments authorized to process personal data were interviewed. This stage resulted in a detailed survey report identifying and describing the personal data information systems in use, their location and ownership; the actual purposes of personal data processing; and areas for improvement.
Information system classification and documentation development
Based on the collected data, all identified personal data information systems were classified and the required security levels determined. Following this, using the approved corporate templates of the parent company's Information Security Center (ISC), the ICL Services team developed a complete package of organizational and administrative documentation regulating the processing of personal data.
Threat modeling
The final stage involved modeling information security threats. The experts identified the threats relevant to the client's systems and their characteristics, taking into account the specifics of the client's business and industry, and developed an intruder model describing the capabilities of potential attackers.
Results
- The client received a complete set of documentation regulating the processing of personal data in accordance with Russian legislation and the parent company's internal standards.
- The team prepared a detailed report assessing the current level of process maturity and outlining the potential for further information security improvements across various security measures and tools.
- All company information systems processing personal data were classified.
- A threat and intruder model was developed, which served as the basis for determining the requirements for the personal data protection system and the subsequent implementation of technical and organizational security measures.
- The client received a practical basis for minimizing regulatory risk: preparation for potential Roskomnadzor inspections and a lower likelihood of personal data leaks, and consequently a reduced risk of fines and reputational damage.