Information about the implemented requirements for the processing of personal data. LSR Group

27.09.2023

  1. The protection of personal data processed at LSR Group PJSC (hereinafter referred to as the LSR Group) is ensured by the implementation of legal, organizational and technical measures necessary and sufficient to meet the requirements of the legislation in the field of personal data protection.
  2. Legal measures include the following:
    • development of local acts of the LSR Group that implement the requirements of Russian legislation, including the Policy on Personal Data Processing, and its posting on the LSR Group's website;
    • implementation of the requirements for the confidentiality of personal data;
    • implementation of the requirements to ensure that the subject of personal data exercises its rights, including the right to access information;
    • implementation of requirements for the protection of personal data from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions in relation to personal data;
    • implementation of other requirements of the legislation of the Russian Federation;
    • rejection of any methods of processing personal data that do not correspond to the goals predetermined by the LSR Group.
  3. Organizational measures include the following:
    • appointment of the person responsible for the organization of personal data processing;
    • appointment of a person responsible for ensuring the security of personal data in personal data information systems (hereinafter referred to as the PDIS);
    • determination of the list of positions of employees and third parties authorized to process personal data, who have access to personal data;
    • determination of the list of premises where personal data is processed; restriction of the admission of unauthorized persons to the premises of the LSR Group, preventing them from being, without control by the LSR Group employees, in the premises where personal data is being processed and the technical means of processing it are placed;
    • familiarization of the LSR Group employees with the provisions of the legislation of the Russian Federation in the field of personal data, including the requirements for the protection of personal data, and with the local acts of the LSR Group on personal data processing;
    • defining in the work duties and job descriptions of the LSR Group employees the responsibilities for ensuring the security of personal data processing and responsibility for violation of the established procedure;
    • regulation of personal data processing processes;
    • organization of accounting of material carriers of personal data and their storage, ensuring the prevention of theft, substitution, unauthorized copying and destruction;
    • identification of threats to the security of personal data during their processing in the PDIS, and the formation of threat models based on them;
    • placement of technical means for processing personal data within the protected area;
    • definition of the list of PDIS;
    • determining the type of threats to the security of personal data relevant to personal data information systems, taking into account the assessment of possible harm to personal data subjects that may be caused in case of violation of security requirements, determining the level of protection of personal data and implementing requirements for the protection of personal data during their processing in information systems, the implementation of which ensures the established levels of personal data protection.
  4. Technical measures include the following:
    • development of a personal data protection system based on the threat model for the levels of protection of personal data established by the Government of the Russian Federation during their processing in the PDIS;
    • use of information security tools that have passed the conformity assessment procedure to neutralize current threats;
    • assessment of the effectiveness of measures taken to ensure the security of personal data;
    • implementation of a system for delimiting employees' access to information containing personal data processed in the PDIS, and to hardware and software tools for information protection;
    • registration and accounting of the actions that users of the PDIS in which personal data is processed perform on personal data;
    • malware detection (application of antivirus programs) on all nodes of the LSR Group information network that provide the appropriate technical capability;
    • secure internetworking (use of firewalls);
    • use of cryptographic information protection tools when transmitting information over information and telecommunication networks;
    • detection of intrusions into the LSR Group PDIS that violate or create prerequisites for violation of the established requirements for ensuring the security of personal data;
    • regular backup of information and databases containing personal data of personal data subjects;
    • periodic monitoring of user actions and investigation of violations of personal data security requirements;
    • regular checks of the compliance of the personal data protection system, audit of the level of protection of personal data in the LSR Group PDIS, the functioning of information security tools, identification of changes in the processing and protection of personal data.