Digital transformation for chiefs and owners. Volume 3. Cybersecurity - Джимшер Челидзе

Part 1. Why deal with information and cybersecurity?
Chapter 2. On responsibility


Now the head of the organization is responsible for information security (IS), as set out in Decree No. 250 of the President of the Russian Federation V.V. Putin of 01.05.2022. It covers federal executive authorities (federal ministries, services and agencies), the governing bodies of the constituent entities of the Russian Federation, state funds, state corporations and companies (for example, “Rosatom”, “Gazprom”, “Rushydro”, “RZD” and others), strategic and system-forming enterprises, and critical infrastructure facilities.

While on April 20, 2020 the list of system-forming organizations included 646 legal entities, by July 2020 there were already about 1300, and in February 2022 about 1400. You might think: if you are not on that list, why should you care? It is necessary to understand that in our country, if you plan to grow, you will one way or another start working with such organizations. This means that it is better to know the requirements of this document and be prepared. Overall, more than 500,000 organizations will fall under the new decree.

What are organizations recommended to do under this decree?

– Assign personal responsibility for ensuring IS to the head of the organization, while designating a separate Deputy General Director who will have the authority and resources to ensure IS. It is also necessary either to create a structural unit responsible for ensuring IS or to assign these functions to an existing unit.

– Make an inventory of contracts with contractors providing IS services. Such services can now be provided only by companies licensed by FSTEC of Russia to carry out activities for the technical protection of confidential information.

– Additionally, on March 30, 2022, restrictions were imposed on the acquisition of foreign equipment and software by subjects of critical information infrastructure (CII) that make purchases under 223-FZ. From January 1, 2025, organizations are prohibited from using information protection tools produced in unfriendly states, or by organizations under their jurisdiction, directly or indirectly controlled by them, or affiliated with them. As of spring 2023, there are 48 such countries. And even if the company supplying IS equipment is, for example, from China, you still need to check its affiliates.

Looking ahead, I’ll make one guess. Given all the leaks and the importance of this topic for the state, you can expect the introduction of some form of insurance, following the example of the CTP. Each organization may be required to insure against IS risks. How the organization builds its IS function will then influence the size of its premium.
