The Big Data Association (BDA) has prepared a concept for an industry standard for data protection, Forbes has learned. The concept also includes an independent audit for IT companies to comply with the proposed standard.

Companies proposed the concept of an industry standard for data protection

The association, whose members include Yandex, Sberbank, Gazprombank, VK, Tinkoff Bank, Qiwi, MTS and other large companies, offers “reliable approaches” to data collection and storage. The BDA offers its methods as an alternative to modifications to the Code of Administrative Offenses.

“The more data a company collects, the greater its importance and sensitivity, and the more serious the requirements for the infrastructure and its security,” the BDA says, explaining the principles of its concept.

They add that according to the document, the evaluation of the company to determine compliance with the new standard will be voluntary.

The evaluation criteria proposed in the document include data protection organization and management processes, information protection policies and an action plan to mitigate threats. The assessment will also be affected by how the company detects vulnerabilities, how it responds to emergency situations and whether it trains its staff.

The BDA proposes to conduct such an audit annually. Organizations will also evaluate the degree of information security and the effectiveness of their methods voluntarily during an internal audit.

How is the audit proposed to be conducted?

According to the plan, the personal data operator will create a group of experts in information protection departments. This group, in turn, studies information about the processes and IT infrastructure of the personal data operator. Based on this, a plan is formed to improve the effectiveness of protection. The results of the plan will then be analyzed.

The next step is to validate the audit results. According to the concept, this should happen no later than three months after the conclusions of the expert group. To do this, the industry standard offers specially developed criteria and metrics that allow us to draw a conclusion about the effectiveness of the company’s information security processes.

For each parameter, for example, “Application and software security”, points are awarded. In this case, external audits must be carried out by external companies.

According to a study by Infowatch, more than half of data breaches are the fault of company employees. By 2023, according to Roskomnadzor protocols, Russian courts imposed fines of 3.7 million rubles in leak cases.

In 2022, the head of the Ministry of Digital Development, Maksut Shadayev, proposed imposing turnover fines on companies committing such incidents. In the summer of 2023, a corresponding bill was sent to Russian Prime Minister Mikhail Mishustin.

Author:

Natalia Gormaleva

Source: RB
