
A high-level overview of all Russian cybersecurity legislation (video)


You probably don't like legislation any more than I do 🙂 But it so happened, and I have written about this more than once, that this blog, originally conceived as one about business-oriented information security, at some point turned into a story about what the regulators had in mind when they wrote their regulatory legal acts. Recently I stopped doing this, believing that it is better to return to where IS should be, namely, delivering results for those who pay the salaries of IS employees. But sometimes, of course, it is impossible not to mention our regulatory legal acts (NLAs), especially since their number is growing like mushrooms after rain.

Therefore, I continue to cover the topic with monthly legislative digests (for January there were already about 30 new initiatives) and, when the occasion arises, I give presentations with an emphasis on the business-oriented angle. That is what happened this time as well. I was asked to review the main information security regulations for those who are not ready to read the 800+ articles on my blog or attend my two-day course on information security legislation (especially since I stopped teaching it). The result was an hour-and-a-half presentation in which I answered the following questions at a high level:

  • Can I decide how I protect my data and systems?
    • If I can do it myself, then how? If I can’t myself, then in what areas?
  • Who sets the mandatory requirements for information security?
    • What information security regulators do we have and what are they responsible for?
  • What are the IS requirements?
    • Information, information systems, means of protection, information security processes, organization
  • How to protect PD, CII, GIS, etc.?
  • How to understand what requirements to establish and implement?
    • Categorization and classification
  • What are the key requirements and is it necessary to fulfill them all?
  • How are IS requirements implemented?
    • Means of protection – open source, domestic and foreign
    • On-prem vs outsourcing
  • How and who assesses compliance with IS requirements?
  • What happens if you ignore the requirements?
  • And how does all this fit with effective IS?

So here’s the presentation itself:

The plan, and I talk about this in the video, is to cover individual topics in more detail if necessary. In the comments to this note, you can name the topics you would be interested in hearing a review of.

I will not hide the fact that the presentation was made as part of my official duties, so in a couple of places I mention Positive Technologies, but not much. Therefore, I decided to put the presentation on the blog, although I don’t really like to advertise the employer here (the blog expresses my purely personal position).

The note "A high-level overview of all Russian cybersecurity legislation (video)" was first published on Business without danger.


Source: www.securitylab.ru
