Alexey Dankov, adding the domestic GOST R ISO/IEC 27005-2010 to the above-mentioned standards, believes that in practice the most common and effective method is expert risk assessment based on retrospective analysis and precedent experience and implying the monetization of risks (which makes assessments understandable for business). “For municipal and state structures,” he reminds, “it is important to assess risks taking into account compliance with regulatory requirements. It is useful to use risk management automation tools and damage assessment.”
To assess possible damage from cyber attacks on KVIN, Vyacheslav Logushev suggests focusing on the assessment of cyber threats in relation to those business processes to which KVIN is directly related. The assessment criteria here can be measurable indicators of business operations, such as a change in the cost or quantity of something, taking into account the time that affects both of these indicators. Financial damage in this case consists of a number of parameters: direct losses from disruption of processes, the cost of their restoration, reduction in the value of assets, lost profits, loss of customer loyalty, etc.
If KVIN is related to the type of data to which the requirements of current federal laws apply (personal data, state secrets, commercial secrets, etc.), then those responsible for ensuring the security of KVIN and the penalties for violating it are determined by those same laws.
In less obvious situations, responsibility for the security of KVIN, as Kirill Shchukin believes, lies with (in descending order): the company's management (since it is they who manage the assets and are responsible for their safety, and information has become the most valuable asset in our time); the head of information security (who, as a rule, decides what data should be especially protected and what tools to use for this); the IT director (in terms of fulfilling the requirements for storing, processing and transferring data within the company, and compliance with security requirements from the IT side); and only after them, ordinary employees (who are responsible for compliance with the company's internal regulations and are familiar with the troubles that they may face in the event of incidents with KVIN; it is on these executives that it depends whether employees will decide to violate the regulations or consider the associated risks unacceptable).
Who should be responsible for damages from attacks on KVIN