13 November 2023

Decree No. 250 on information security: commentary from an information security expert

This material was published in Cyber Media.

The Decree “On Additional Measures to Ensure Information Security of the Russian Federation” was signed in May 2022 and has been in force since the date of its official publication. A year and a half has passed since then, but questions about implementing Decree 250 still concern the public sector and business.

Maxim Ruban, head of information security at the eXpress corporate communications and mobility platform, commented for Cyber Media on the impact of Russian Presidential Decree No. 250 on the domestic information security sector. We publish the full text of the comment.

The document is aimed at assessing the current level of security of CII, strengthening existing measures to protect information, and accrediting centers for monitoring and responding to computer incidents.

1. The document obliges organizations to pay more attention to the issues of ensuring the security of information and critical information infrastructure as a whole.

2. Personnel (structural) changes:

  • a DGD for information security must be appointed and an information security department created;
  • personal responsibility for organizing information security must be assigned to top management.

3. Monitoring computer attacks and responding to computer incidents. Now only accredited organizations can be engaged for such work.

4. Strengthening control over Internet resources, providing for the expansion of the powers of the Russian FSB.

5. Strengthening the fight against cybercrime, providing for the expansion of the powers of law enforcement agencies in the field of information security, including toughening penalties for committing cybercrimes.

Companies primarily see this as additional financial costs for the back office and new responsibility. With the introduction of the practice of assigning personal responsibility to organizational leaders, an active position on and interest in information security issues are increasingly taking shape. The main “flywheel” of these actions is the need to minimize risks to the organization and to oneself. At this point, the budget is reviewed and funds are allocated for information security.

The main problem is how to replace a well-known foreign product with a lesser-known domestic one. In this situation, it is necessary to reconsider the general approach to ensuring information security of the information infrastructure, which requires serious study and large budgets.

There is always a possibility that a set of imported security products will have a negative impact on the compatibility of systems and that they will simply stop functioning. Here you need either to design a new information security subsystem for current systems or to use products with built-in information security tools.

Using domestic software that has built-in security functions and a valid certificate of conformity from FSTEC of Russia is the simplest and least expensive option. Such solutions already have the necessary set for secure information processing and are ready for use. For example, the eXpress communication system today allows you to meet the requirements of regulators, use multi-layer encryption and, when using crypto containers, integrate adjacent corporate systems in the form of Smart Apps.
