Personal data protection standard for Yandex Cloud users
Note
This feature is at the Preview stage.
This rule set automates monitoring of Yandex Cloud resources for compliance with Russian Federal Law No. 152-FZ of July 27, 2006 (On Personal Data).
The rules help verify the personal data protection measures defined in FSTEC Order No. 21. A check ID is listed where the CSPM module has an automated check for the requirement; a row with an empty Check IDs column has no corresponding automated check yet.
| Requirement ID | Security standard requirement | Check IDs in the CSPM module |
|---|---|---|
| Identification and authentication of access subjects and access objects (IA) | | |
| IA.1 | Identification and authentication of users who are employees of the operator | |
| IA.4 | Management of authentication means, including their storage, issuance, initialization and blocking, and measures taken when an authentication means is lost and/or compromised | cspm.crypto.secrets-lockbox |
| Management of access by access subjects to access objects (MA) | | |
| MA.2 | Implementation of the required access control methods (discretionary, mandatory, role-based or other), types (read, write, execute or other) and rules | cspm.access.min-privileges |
| MA.3 | Management of information flows between devices, segments of the information system and information systems (filtering, routing, connection control, one-way transmission and other methods) | cspm.network.firewall |
| MA.4 | Separation of powers (roles) of users, administrators and persons responsible for the operation of the information system | cspm.access.min-privileges |
| MA.5 | Granting the minimum necessary rights and privileges to users, administrators and persons responsible for the operation of the information system | cspm.access.min-privileges |
| MA.6 | Limiting the number of unsuccessful attempts to log in to (access) the information system | |
| MA.10 | Blocking an access session to the information system after a defined period of user inactivity or at the user's request | |
| MA.11 | Permitting (or prohibiting) user actions allowed before identification and authentication | |
| MA.13 | Implementation of protected remote access by access subjects to access objects over external information and telecommunication networks | |
| MA.17 | Trusted boot of computing hardware | |
| Software environment restrictions (SER) | | |
| SER.1 | Managing the execution of software components, including defining the components allowed to run, configuring their execution parameters and monitoring their execution | |
| SER.2 | Managing the installation of software components, including defining the components to be installed, configuring their installation parameters and monitoring their installation | |
| SER.3 | Restricting installation and/or launch to authorized software and its components only | cspm.appsec.periodic-scan |
| Security event logging (SEL) | | |
| SEL.1 | Defining the security events to be logged and their retention period | |
| SEL.2 | Defining the scope and content of the information to be logged about security events | |
| SEL.3 | Collecting, recording and storing information about security events for the defined retention period | cspm.o11y.audit-trails |
| SEL.4 | Responding to failures in security event logging, including hardware and software errors, failures of collection mechanisms, and reaching the limit or overflow of storage capacity | |
| SEL.7 | Protection of information about security events | cspm.s3.used-object-lock |
| Virus protection (VP) | | |
| VP.1 | Implementation of anti-virus protection | |
| VP.2 | Updating the malware (virus) signature database | |
| Intrusion detection system (IDS) | | |
| IDS.1 | Intrusion detection | |
| IDS.2 | Updating the decision rule base | |
| Control (analysis) of personal data security (AS) | | |
| AS.1 | Detection and analysis of vulnerabilities in the information system and prompt remediation of newly detected vulnerabilities | cspm.active.ip-vulnerability-scan |
| AS.2 | Control over the installation of software updates, including updates for information protection means | |
| AS.3 | Control over the operability, settings and correct functioning of software and information protection means | |
| AS.4 | Control over the composition of hardware, software and information protection means | |
| AS.5 | Password policy | |
| Integrity of the information system and information (INT) | | |
| INT.1 | Software integrity control, including information protection software | |
| INT.2 | Integrity control of information stored in the information system's databases | cspm.crypto.data.application-encryption |
| INT.3 | Ensuring recoverability of software, including information protection software, in emergencies | cspm.compute.snapshot |
| INT.4 | Detection of and response to unsolicited electronic messages (letters, documents) and other information unrelated to the functioning of the information system (spam protection) | cspm.appsec.use-smartcaptcha |
| INT.6 | Restricting user permissions to enter information into the information system | |
| Availability of personal data (AVL) | | |
| AVL.4 | Periodic backup of information to storage media reserved for backups | |
| AVL.5 | Ensuring that information can be restored from the reserved backup media (backup copies) within a defined time interval | |
| Protection of hardware (PH) / Virtualization environment protection (VEP) | | |
| VEP.1 | Identification and authentication of access subjects and access objects in the virtual infrastructure, including administrators of virtualization means | |
| VEP.2 | Managing access of access subjects to access objects in the virtual infrastructure, including access within virtual machines | |
| VEP.3 | Logging security events in the virtual infrastructure | |
| VEP.4 | Managing (filtering, routing, connection control, one-way transmission) information flows between virtual infrastructure components and across the virtual infrastructure perimeter | |
| VEP.5 | Trusted boot of virtualization servers, virtual machines (containers) and virtualization management servers | |
| VEP.6 | Managing the migration of virtual machines (containers) and the data they process | |
| VEP.7 | Integrity control of the virtual infrastructure and its configuration | |
| VEP.8 | Data backup and redundancy of virtual infrastructure hardware, software and communication channels | |
| VEP.9 | Anti-virus protection in the virtual infrastructure | cspm.appsec.upload-policy |
| VEP.10 | Segmenting the virtual infrastructure for processing of information by an individual user and/or group of users | |
| Protection of the information system, its equipment, communication and data transmission systems (PIS) | | |
| PIS.1 | Segregation of duties for administration of the information system, administration of the information protection system, information processing and other information system functions | |
| PIS.3 | Protection of information against disclosure, modification and injection (input of false information) during transmission (or preparation for transmission) over communication channels that leave the controlled zone | cspm.crypto.certificate-validity |
| PIS.4 | Trusted channel (route) between the administrator or user and the information protection means (the security functions of the information protection means) | |
| PIS.11 | Authenticity of network connections (interaction sessions), including protection against spoofing of network devices and services | cspm.data.storage-https |
| PIS.15 | Protection of archive files, information protection tool settings and software, and other data that must not change during information processing | |
| PIS.17 | Dividing the information system into segments (segmentation) and protecting the perimeters of those segments | |
| Identifying and responding to incidents (IM) | | |
| IM.2 | Incident detection, identification and registration | cspm.o11y.audit-trails |
| IM.6 | Planning and taking measures to prevent the recurrence of incidents | |
| Management of configuration of the information system and the personal data protection system (MC) | | |
| MC.1–MC.4 | Management of configuration of the information system and the personal data protection system | |