Distribution of responsibilities: distribution of job responsibilities of employees at different levels, procedure for drawing up and signing orders, guidelines for managers

Every competent leader must be able to correctly distribute responsibilities among his subordinates. Only in this case will the structure entrusted to him (company, department, workshop) work properly and achieve the desired results. This article will discuss in detail the term “distribution of responsibilities”, the principles and practical recommendations associated with it.

General provisions about this term

We need to understand why it is important for managers to be able to distribute responsibilities. It is worth going from the opposite: if the boss cannot competently distribute tasks among his subordinates, everyone will not mind their own business - confusion will arise, which will significantly complicate the work process, and then the common goal (in a good company, subordinates work for the same corporate goal) will not be achieved soon, or will not be achieved at all.

If the boss has correctly assigned responsibilities to employees and each of them clearly knows what he needs to do and what is best left untouched, the desired results will be achieved quite quickly.

Theoretically, if a manager knows how to work with a small team, then he can cope with a large one - there is no difference between assigning responsibilities to 200 people or 20. In practice, everything is different: companies of different sizes have their own characteristics in the distribution of responsibilities.

In small organizations, one employee can cope with several responsibilities at once (combining the position of accountant and financier, for example), because the workload allows this.

In large companies, where a huge amount of information passes through one person, it is better to hire two different people for the positions of financier and accountant. This will increase the efficiency of employees.

As a result, the distribution of powers involves determining not only the scope of powers of certain employees or departments, but also specific descriptions of these tasks. For example, the distribution of responsibilities for labor protection implies that each of the employees working at the enterprise will observe safety precautions in their area: electricians will not repair devices connected to the network, turners will not touch the blade with their hands at full speed. This is the basics.

Nuances in the accounting department

Each type of financial activity assumes that a specific specialist will be involved in it and bear responsibility for it.

In this regard, the accounting department must have the following employees (the given list is not exhaustive):

• chief accountant;
• his deputy;
• payroll accountant;
• cashier;
• auditor;
• fixed assets accountant.

The chief accountant reports directly to the manager. His job responsibilities are to control all financial flows, maintain rationality in the use of company resources, ensure the integrity of the organization's property and develop strategies that will increase income levels.

A person with a higher economic education and more than 10 years of work in accounting can apply for such a position. When the chief accountant goes on vacation or is sick, the performance of his duties falls on the shoulders of the deputy, who not only receives the authority of his immediate superior, but will also be held responsible if he makes a mistake in his work.

The chief accountant cannot simply leave the enterprise without verification. This allows you to avoid placing all the responsibility on a new employee who joins the organization. An employee will be able to resign only after a full check has been carried out and all the results have been compiled, and the director has signed the relevant document, thereby certifying its correctness and legality of preparation.

The remaining specialists perform the same duties in their narrow industry, namely:

• Maintain accounting and records of operations related to business activities. This involves monitoring fixed assets and expenses, monitoring the progress of sales and production, and preventing critical situations in the company that will be associated with financial flows.
• They control the papers that come from production and compare them with the available data.
• Reflect information on transactions performed on the relevant accounting accounts.
• Prepare reports and cost estimates for products that are produced to identify areas where unnecessary costs arise.
• Prepare reports and all necessary documents.

Additionally, the employees of this department create a database in which all financial information is stored. They are responsible for constantly monitoring how the enterprise operates. It is their responsibilities to ensure that the parameters do not go beyond the norm in matters of quantity and quality, as well as compliance with planned indicators.

Distribution example

The distribution of responsibilities concerns employees at different levels. The tasks of the company's management and the executive staff can be (most often they are) completely different. To better understand this, it is worth considering the responsibilities of chain store employees.

What should the CEO of an organization do?

1. Develop a company development plan for the future together, for example, with your partners, if any.
2. Solve issues of attracting additional investments.
3. Manage superiors located in the hierarchical ladder below him.

What are the responsibilities of the Director of Variance?

1. Ensuring competent logistics.
2. Ensuring uninterrupted operation of network facilities in technical terms.
3. Opening of new network objects.
4. Analysis of the performance of individual stores of the organization.

What does a commercial director do?

1. Determines the range of products of the network.
2. Organizes the development of standards for product placement in stores.
3. Seeks deliveries on the most favorable terms. Works with suppliers of products and equipment.
4. Raises sales through advertising campaigns.

The distribution of responsibilities of the administration, that is, the management team, will be discussed in more detail below.

Responsibilities of the financial department:

1. Distribution of financial flows.
2. Maintaining financial records.
3. Working with the tax service.
4. Calculation of the most favorable price level for various categories of goods.

There are also employees who directly work at retail outlets, serve customers and perform their duties, which are described in their job description.

Sample order on distribution of responsibilities

The chief accountant reports to the head of the institution and controls all financial flows, ensuring the rational use of the enterprise's resources.

Naturally, no manager can combine his immediate responsibilities (resolving financial and technical issues) with vigilant control over the activities of his subordinates. However, no one demands this from him.

If the employer needs a position with a certain set of responsibilities, and the employee does not agree to such a change, then the employer has the right to introduce a new position into the staffing table and eliminate the unnecessary one.

Deputy head for administrative and economic activities - management of the logistics and economic support department, organization of transport, operation of the building.

Job description

All responsibilities of employees are specified in the job description. This document should always be used as a guide when performing work tasks, because some instructions from superiors may not correspond to the written provisions.

Such instructions are drawn up on the basis of the state management documentation system, which establishes mandatory requirements for the preparation of documents relating to personnel management and work organization.

The job description also has several other side tasks:

1. Elimination of conflict situations in the team. Thanks to this, the psychological climate in the team improves and the work efficiency of its members increases.
2. Unloading of employees who perform additional duties behind the scenes.
3. Creating a comfortable environment for managers who, thanks to the presence of a job description, know exactly who to ask and for what.
4. Likewise for employees. They will know what and who can charge them.

Contents of the document

What does a standard job description contain:

1. General provisions. This paragraph describes the field of activity in which the specialist in this position will subsequently work. It also contains a list of documents that regulate the performance of the employee’s duties.
2. Functions. This section contains provisions that establish the direction of the employee's activities.
3. Responsibilities. The tasks to be performed by a citizen holding a particular position are described.
4. Rights. Accordingly, the rights that an employee has in a particular job position are described.
5. Responsibility. This subsection of the document describes what threatens an employee if he fails to fulfill the duties assigned to him by the same document or does not exercise the rights granted to him by the job description.

The order on the distribution of responsibilities among the management team is issued by the general director of the organization. In other words, this is how the powers of those who represent the chief manager in various areas are designated. The responsibilities of deputy general directors are distributed.

Is it possible to assign additional responsibilities to an employee and how to do this?

It should be said that in some cases, employees of an organization can leave their autographs about familiarization not directly in the order itself, but in a separate act or statement (this is especially true in large companies with a large number of personnel).

Directing and monitoring the activities of heads of classrooms in equipping them with visual aids, technical aids, and teaching materials.

It is important to take into account that when assigning additional work to an employee, it is necessary to conclude an additional or separate agreement, concluded within the framework of labor legislation. The number and date of this document must be referred to in the first paragraph of the order. If a part-time worker or main employee is not needed, then all the functionality for the vacant position is “distributed” among employees, using the norms of Art. 60.2 Labor Code of the Russian Federation. How many employees will perform the work - one, two or more - is decided by the employer; in any case, the last word remains with him.

The secretary stores such documents of the organization or the person who is authorized to conduct document flow in the organization.

Coordinates and controls the preparation and execution of government contracts, participation in auctions, competitions, quotations on the official website of government procurement in supervised areas of activity.

Participates in the development of plans for current and major repairs of fixed assets (buildings, water supply systems, air ducts and other structures), and in drawing up estimates of business expenses.

This is a professional site for lawyers and personnel officers who resolve labor conflicts. To ensure the quality of materials and protect the copyright of the editors, we are forced to place the best articles in closed access.

Drawing up a job description

The choice of the employee who will be appointed responsible for drawing up the job description depends on the scale of the company, that is, not only on financial turnover, but also on the number of employees employed in it.

However, those who work under a contract do not need to be taken into account. Their responsibilities are already defined in the concluded agreement.

If the company for which this document is being drawn up is large in size and consists of many structural departments, then the head of each department himself draws up instructions for his subordinates. For example, an order on the distribution of labor protection responsibilities is issued by the director responsible for labor protection at the enterprise.

How best to divide a company into departments so that it is more convenient for managers to distribute responsibilities among their employees will be described below.

If the company is small and employs no more than 25 people, then you can entrust the preparation of instructions to a specialist in the personnel department. Thus, the latter’s tasks will include not only maintaining work records and drawing up a staffing table, but also drawing up a document such as a job description.

Methods of distribution by departments

Responsibilities across the various company structures can be distributed according to at least five different principles, described below.

1. The principle of dividing departments based on groups of equal size. This principle is used when distributing responsibilities between employees when the company’s staff consists of employees whose professional skills do not differ, while a strictly defined number of employees is required to perform a particular task.
2. A principle based on the main functions of departments. Perhaps this is the most popular principle used when distributing responsibilities between departments. Departments are formed based on the tasks they have to perform: production tasks, marketing, personnel or financial tasks.
3. Territorial principle. They are used when departments are located in different territories (in different regions, for example).
4. The principle according to which the distribution of responsibilities by the manager between departments is carried out depending on the products produced. This principle of separation of duties is very popular in rapidly growing enterprises that are constantly expanding the range of products they produce. Thanks to it, confusion between departments is eliminated and each of them actually becomes a small enterprise within the company.
5. A principle based on consumer preferences. It is most often used in the service sector, where customers (perhaps even indirectly, but still) play a decisive role in the functioning of the company.

Which principle each manager should apply in his company is an entirely individual matter.

Job profile

In order to correctly distribute the responsibilities of employees, you need to create a so-called profile for each position, which contains information about what the employee holding this position should know and be able to do.

Typically, this profile contains the skills, personal qualities and knowledge that a citizen must have in order to occupy a particular position.

To better understand what we are talking about, it is worth returning to the example of a chain of stores and creating a job profile, for example, for a sales floor consultant in this company.

What should an employee applying for this position know?

1. Basic information about the company itself.
2. Signs that characterize this brand.
3. The range of goods that can be found in the store.
4. Labor responsibilities.
5. Rules for servicing site visitors.

What must an employee applying for the position of sales floor consultant in this chain of stores be able to do?

1. Communicate. If a person cannot correctly connect two words, how can he interact with clients to benefit?
2. Sell. If a consultant on the sales floor doesn't know how to sell, what benefit does he have for the company?
3. Work in a team. As mentioned above, employees in a good company work to achieve one corporate goal, and in this situation, teamwork is indispensable.

Sometimes an employee's profile includes information about what he wants and what he can do. The first is to provide him with some kind of motivation (being able to motivate correctly is another important task of a manager), the second is to determine his potential.

Score sheets

The job profile has a direct bearing on the distribution of job responsibilities, but how do you know if a given candidate is suitable for a particular position? Will he cope with the responsibilities entrusted to him? There are score sheets for this.

With their help, as the name implies, it is checked how well the candidate for the position meets the requirements. Each skill (for example, the ability to sell, communicate, etc.) is assessed on a certain scale from the minimum result to the maximum.

Based on the results, a total score is calculated and the results are sent to employees who make hiring decisions.

Completeness of documents

If we rely on information protection legislation, then there is little mention of what specific documents we should develop, so we have to rely on various indirect hints.

As an example, let’s look at Part 2 of Article 19 of Law No. 152-FZ “On Personal Data”. Regular text will be the text of the law, italics will be the author's notes.

2. Ensuring the security of personal data is achieved, in particular:
1) identifying threats to the security of personal data during their processing in personal data information systems; (requires a threat model)

2) the application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the levels of personal data security established by the Government of the Russian Federation; (organizational measures for the most part are our documents, plus here we are sent to read further by-laws)

3) the use of information security means that have passed the compliance assessment procedure in accordance with the established procedure;

4) assessing the effectiveness of measures taken to ensure the security of personal data before putting into operation the personal data information system;

5) taking into account computer storage media of personal data; (obviously you need some kind of accounting journal and developed rules for recording machine media)

6) detecting facts of unauthorized access to personal data and taking measures; (it is necessary to develop some rules for detecting incidents and eliminating their consequences, it may be necessary to appoint an incident response team)

7) restoration of personal data modified or destroyed due to unauthorized access to it; (requires backup and recovery rules)

establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system; (the development of a data access system can be done based on roles in the system, and the software itself must be able to keep logs of who accessed what data when and when)

9) control over the measures taken to ensure the security of personal data and the level of security of personal data information systems. (we need some kind of plan for periodic monitoring, plus, probably, a journal in which the results of such monitoring will be recorded)

With this example, we wanted to show the difference: how the law is written and what it actually requires of us.
Here we do not see a direct requirement “the operator must develop a threat model,” but this need still follows from the text of 152-FZ, since the fulfillment of any requirement is documented. FSTEC tells us more specifically about the completeness and content of the ORD. In 2014, this regulator released a methodological document “Measures for protecting information in government information systems.” The document is excellent without sarcasm, if you did not understand something about the order of implementation of the measures of the 17th, 21st or other order of the FSTEC (yes, although the document is intended for GIS, the measures of the FSTEC are for the most part the same), refer to this The document may become much clearer.

So, in this document, FSTEC describes in more detail measures to ensure information security and very often you can find the following text:

The rules and procedures for identifying and authenticating users are regulated in organizational and administrative documents on information protection.
(IAF.1) The rules and procedures for managing user accounts are regulated in the information protection operator’s organizational and administrative documents. (UPD.1)

The rules and procedures for managing information flows are regulated in the operator’s organizational and administrative documents on information protection. (UPD.3)

Great, that’s something, but there’s a whole carload of these rules and procedures.
As a result, I had to write down something like this for myself, in which all the requirements from all the documents were written out and notes and marks were made about fulfillment and non-fulfillment.

The main idea of ​​this section is that there is a mountain of requirements in information protection legislation, the fulfillment of many of them must be documented. Whether to make a separate document for each requirement or merge everything into one big “Information Security Policy” is up to everyone to decide. We add everything additional that we need to write down in the documents not because of requirements, but based on practical necessity, without any problems.

By the way, please note that in the table and in the documents themselves, some sections or paragraphs are marked “K1” or “K2+”. This means that a section or paragraph is required only for information systems of class 2 and above or for the first (maximum class). Everything that is not marked is carried out in all state information systems and ISPD.

It is also obvious that, for example, some sections or even entire documents can be abolished if this is required by the structural and functional characteristics of the information system or other initial conditions. For example, we remove the provision on video surveillance if it does not exist. Or we remove all sections related to the protection of virtualization tools, if it is not used.

Our templates are divided into 4 folders:

General

– documents that need to be developed for all systems (as applicable), be it ISPDn, GIS, process control system or CII facility.

GIS only

– documents for state information systems or municipal information systems, here are only unique documents needed for GIS and MIS.

PDn

– documents on the protection of personal data and in compliance with legislation on the protection of personal data. If, for example, we have a GIS in which personal data is processed, then we must make documents from all folders.

CIPF

– documents related to the use of cryptographic means are needed for the implementation of regulatory documents of the FSB; they are developed for all systems in which certified cryptographic means of information protection are used.

Let's take a closer look at the documents, where they came from and what requirements they fulfill.

Are common

01 Order on the appointment of responsible persons and instructions to these persons

This order appoints: the person responsible for organizing the processing of personal data and the security administrator.
The need to appoint the first is due to Article 18.1 of the federal law:

1. The operator is obliged to take measures... Such measures may, in particular, include:
1) appointment by the operator, who is a legal entity, of a person responsible for organizing the processing of personal data;

Security administrator - the need for this comrade is determined, for example, by paragraph 9 of FSTEC order No. 17:

To ensure the protection of information contained in the information system, the operator appoints a structural unit or official (employee) responsible for information protection.

These persons differ in that the “responsible” is more about the paper part, and the “administrator” is more about the technical part.
In order for the person in charge and the administrator to understand their tasks and powers, they are provided with instructions.

02 Order on the appointment of an information security incident response team (ISIT) and instructions for response

The acronym IRIB, although a little funny, is quite official, introduced by GOST R ISO/IEC TO 18044-2007 “Information technology.
Methods and means of ensuring security. Information Security Incident Management". The need for documents is required by a number of regulatory documents. For example, the same article 19 of the law “On Personal Data”. But the response to incidents is disclosed in more detail in the orders of the FSTEC.

FSTEC Order No. 17:
18.2. When identifying and responding to incidents, the following is carried out:

• identifying those responsible for identifying and responding to incidents;
• detection and identification of incidents, including denials of service, failures (reboots) in the operation of hardware, software and information security tools, violations of access control rules, unlawful actions to collect information, introduction of malicious computer programs (viruses) and other events, leading to incidents;
• timely informing those responsible for identifying incidents and responding to them about the occurrence of incidents in the information system by users and administrators;
• incident analysis, including identifying the sources and causes of incidents, as well as assessing their consequences;
• planning and taking measures to eliminate incidents, including restoring the information system and its segments in the event of a denial of service or after failures, eliminating the consequences of violation of access control rules, unlawful actions to collect information, the introduction of malicious computer programs (viruses) and other events leading to incidents;
• planning and taking measures to prevent reoccurrence of incidents.

The same documents cover a number of organizational measures, for example RSB.1 “Definition of security events that are subject to registration and the periods for their storage” and RSB.2 “Definition of the composition and content of information about security events that are subject to registration.” All these things can be specified in the instructions for responding to incidents, so as not to produce separate documents.

03 User manual

The main legal justification for the need for such instructions is all the places in the legislation where it is said about instructing users on information security issues. For example, Part 1 of Article 18.1 of the Law “On Personal Data”:

6) familiarization of the operator’s employees directly involved in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, documents defining the operator’s policy regarding the processing of personal data, local acts on the processing of personal data, and (or) training of these employees.

The indirect need for such a document is the legal formalization of user responsibility for possible information security incidents.
As practice shows, in cases where such instructions do not exist and (or) the user is not familiar with them, the user who violated the information security requirements will most likely not be held accountable. As for the document itself, we decided not to burden users with unnecessary nonsense, to make the document not too difficult to understand and useful not only in relation to information security in the enterprise, but also in information security issues in personal life. For example, they described social engineering methods with examples.

05 Information Security Policy

Probably one of the most voluminous documents from the entire set.
Do you remember above that we wrote about the document “Information Protection Measures in GIS” and about the large number of “rules and procedures” that need to be written down in the ORD? Actually, the “Information Security Policy” is, in fact, a collection of all such rules and procedures. Here, perhaps, it is worth dwelling on the word “Politics”. We are often told that our “Policy” is too focused, but in fact a document with such a name should be more abstract and high-level. Maybe so, but for us, as security specialists, the word “Policy” is primarily associated with a technical background, for example, with domain group policies, which in turn is associated with specific rules and settings.

In fact, what such a document will be called is not important. If you don’t like the word “Policy,” you can rename it to “Information Security Rules and Procedures.” It is not important. The main thing is that these same rules and procedures should already be clearly and specifically spelled out in this document.

Let's go into a little more detail here.

If you open a document and start working with it, you will notice that in some places there are no specific text blanks, but instead there is a dry “Describe”. This is because some things cannot be described in such a way that the text is suitable for at least half of the specific information systems at the same time. For each case, it is better to describe these sections separately. This is why we are still skeptical about various automatic document fillers.

The main text should generally make everything clear; I would like to dwell a little on the appendices.

Application for changes to user lists

Many people think that this procedure for tracking users and their powers in the system is highly bureaucratic, but we have often encountered situations where this approach helped to advance the investigation of information security incidents. For example, it was necessary to establish what powers were initially granted to the user. When requests from the information security policy annex were raised, it turned out that one account had an unauthorized increase in privileges.

In any case, whether to carry out such a user registration procedure or not is up to each operator to decide independently. Here, it’s probably worth immediately making a reservation that explicitly doing exactly as described in our sample information security policy is not required by any legislative act. The document template shows rather the harshest and most depressing option. And then everyone decides for themselves - where to loosen the nuts, and where to tighten them even more.

Regulations on delimitation of access rights and list of persons

Differentiation of user access rights is an obvious measure for any system administrator. Additionally, its necessity is supported by measures from FSTEC orders: UPD.2 “Implementation of the necessary methods (discretionary, mandated, role-based or other method), types (read, write, execute or other type) and access control rules”, UPD.4 “Separation of powers (roles) of users, administrators and persons ensuring the functioning of the information system” and some others.

Since in the overwhelming majority of cases it is optimal to use the role model of access control, the indicated applications to the information security policy are tailored specifically for this case.

List of persons. We are often asked whether it is possible to indicate here not specific people, but positions. This question comes up especially often from representatives of large organizations with a high staff turnover. Our answer is that you can try, but any regulator will tell you about the principle of “personal responsibility” and that the “chief accountant” cannot be punished, but “Marya Ivanovna” can.

List of allowing rules for interaction with external networks

Rules are created mainly in pursuance of measure UPD.3 “Management (filtering, routing, connection control, unidirectional transmission and other management methods) of information flows between devices, information system segments, as well as between information systems.”

Since, as already mentioned, the templates are designed for the most depressing option, here, too, the table is often filled with “white lists”. But any other rules can be entered if the “white lists” are not determined by any special legal requirement. The form of the table is also approximate; you can modify it to suit your vision as you like.

List of approved software

The list is created in pursuance of measure OPS.3 “Installation (installation) of only authorized software and (or) its components.” Accordingly, in order to know what software is allowed in our system, the list must be approved.

Often the list is used to understand whether the user has installed anything unnecessary on his work computer. Although, in a good way, the very possibility of ordinary users installing something themselves should be eliminated.

Next are lists of software and users for remote access. Filled out if there is such access and yes, these are also FSTEC requirements.

Reservation procedure

It’s probably not even necessary to cite FSTEC requirements here. Everyone understands the importance of backups and everyone remembers the saying “there are 2 types of system administrators: those who make backups and those who will make backups.” However, in practice, when auditing information systems, it often happens that administrators say that they definitely make backups, but the questions “what exactly, where exactly and how often are backed up” remain unanswered.

The current table from Appendix 10 to the information security policy will help avoid such situations.

As for backup requirements (although in fact the requirements relate more to restoration), there are also a lot of them. For example, Part 2 of Article 19 of the Federal Law “On Personal Data”:

Ensuring the security of personal data is achieved, in particular:
7) restoration of personal data modified or destroyed due to unauthorized access to it;

Or the requirement from FSTEC:

ODT.4 Periodic backup of information to backup computer storage media

Plan for ensuring the continuity of functioning of the information system
Here we tried to collect a template of various options for emergency situations and options for responding to them. Naturally, this is an approximate list; you can remove what you don’t need and add what you need.

FSTEC requirement, which we partially fulfill with this plan:

ODT.3 Monitoring the trouble-free operation of technical equipment, detecting and localizing operational failures, taking measures to restore failed equipment and testing them

06 Airside Order and Airside Regulations

The need for these documents is due to the requirement of FSTEC: ZTS.2 “Organization of a controlled zone within which stationary technical means that process information, and means of protecting information, as well as means of ensuring operation are permanently located.”
Here we often encounter the misconception that only those premises that are equipped with access control systems, video surveillance, etc. can be considered a controlled zone, but this is not so. A controlled zone is a territory in which unauthorized access to elements of the information system by unauthorized persons is excluded. That is, in essence, it can be a room without video surveillance and access control, but with a single, instructed employee who “watches” and when he leaves the office, kicks out all strangers and locks the office with a key.

07 Security Action Plan…

The action plan can be divided into 2 parts - a list of one-time information security events and a list of periodic events.
Since there are 2 parts, then there are two main goals. We are often asked the following question: “But we are a poor government organization, there are a lot of information security requirements, there is no money to fulfill them, and an audit is coming, what should we do?” Well, if everything is really bad, then at least draw up an action plan. This can show the inspectors that you are aware of what steps you need to take, but for some reason have not yet taken. This is about one-time events.

The second part is periodic activities, this is the fulfillment of a number of requirements for constant internal control of information security. For example, Part 1 of Article 18.1 of the Law “On Personal Data”:

1. The operator is obliged to take measures... Such measures may, in particular, include:
4) implementation of internal control and (or) audit of compliance of the processing of personal data with this Federal Law and the regulatory legal acts adopted in accordance with it, requirements for the protection of personal data, operator’s policy regarding the processing of personal data, local acts of the operator;

08-14 Magazines…

Logs 08-10 are logs for recording storage media. According to FSTEC there are three types of such media:

• hard drives in desktop computers, servers, monoblocks, etc.;
• storage media in various portable devices (laptops, netbooks, tablets, cameras, etc.);
• removable computer media (flash drives, removable HDDs, memory cards).

We really wanted to avoid creating different magazines and make one universal one to take into account all possible information carriers.
But different media types have different parameters. For example, for portable devices, it is necessary to note the possibility of using the device outside the controlled area. As a result, the general magazine turned out to be overloaded, and we decided to make three different ones. Moreover, it often happens that the information system uses only stationary devices, so the need for logs 09 and 10 disappears by itself. The rest of the magazines appeared not out of direct demands, but for indirect reasons. We have a plan of periodic events and inspectors want to see notes about each event held. This is how other magazines appeared.

And the last thing I would like to say about magazines. We considered it important to add instructions for completing it to each magazine. Describe literally for each column what to enter there, sometimes even with examples. This actually saved us from a huge number of identical filling out questions.

GIS only

01 Order of the need to protect information

We are often asked why such an order is needed at all.
The fact is that by the 17th order of the FSTEC, the first measure to formulate requirements for information protection established a certain “decision-making on the need to protect information contained in the information system.” And as we remember, the fulfillment of such requirements must be documented, so an order appeared with which we “make a decision.” Please note that the templates are different for state and municipal information systems.

02-03 Classification order and classification act

Classification of the state information system is a very important stage in the formation of requirements for the information security system.
The number of requirements that we need to fulfill will depend on what class we set. By order we appoint a classification commission, and by act this commission fixes the parameters of the information system and, based on the initial data, assigns the first, second or third security class.

The only thing you need to pay attention to is that if personal data is processed in GIS, then it is also necessary to determine their level of security in the same act.

04 Order to put into effect

In accordance with the 17th order of the FSTEC, a state (or municipal) information system can be put into operation only on the basis of a certificate of compliance with information security requirements.

PDn

01 Regulations on the protection and processing of personal data

The main document on the protection of personal data, where we try to prescribe the maximum aspects of personal data processing required by law. Here we specify whose data, what data and for what purposes we process. Rights and obligations of PD subjects, rights and obligations of PD operator, and so on. In general, the content of this document is largely based on the numerous wishes of inspectors, and not on any specific legal requirements.

02 Rules for processing requests

Chapter 3 of the Law “On Personal Data” is entirely devoted to the rights of the subject of personal data.
The PD subject has the right to write various requests to the PD operator, for example, to clarify what his data is and for what purpose it is being processed, to ask to stop processing his personal data, etc. The law also sets out the maximum time limits within which the PD operator must meet the response. Accordingly, it would be a good idea to have on hand an internal document that regulates the rules and deadlines for considering such requests, as well as containing templates for responses to subjects (both positive and negative). This will greatly simplify the life of the person responsible for organizing the processing of personal data.

03 Order on approval of the list of persons

We need to determine who has access to what personal data. If we have already developed the same document as part of the information security policy regarding access to information systems, then there is no need to duplicate the same thing here. But you need to pay attention to the fact that here, in addition to persons admitted to automated processing of personal data in automated systems, it is also necessary to indicate those who are admitted to non-automated processing of personal data (for example, to paper folders with personal files of employees). Here, just as in information security policy, regulators want to see lists of names.

04 Policy regarding the processing of personal data

Not to be confused with information security policy!
Here one can reasonably ask: “Why do we need another policy?” Part 2 of Article 18.1 of the Federal Law “On Personal Data”:

The operator is obliged to publish
or otherwise
provide unrestricted access
to the document defining its policy regarding the processing of personal data, to information about the implemented requirements for the protection of personal data. An operator collecting personal data using information and telecommunication networks is obliged to publish in the relevant information and telecommunication network a document defining its policy regarding the processing of personal data and information about the implemented requirements for the protection of personal data, as well as provide the possibility of access to the specified document using the appropriate information and telecommunications network.

So, this is a document that must be developed and must be published for everyone to see. But we don’t want to talk too much about the measures taken to protect personal data, so in order to comply with legal requirements, we are creating a separate document, where we describe everything that can be described in the abstract as abstractly as possible.

05-06 Order on determining the level of protection of personal data and the corresponding act

Everything here is the same as with the GIS classification. Important: if we are talking about a GIS with personal data, then these two documents are not needed, since determining the level of PD security is already included in the GIS classification act. We will not dwell on the procedure for determining the level of PD security; much has already been written on this topic.

07 Rules for processing personal data without the use of automation tools

So for some reason, historically, in matters of personal data protection, a lot of attention is paid to this in relation to information systems and often operators forget that there are also requirements for the protection of personal data processed without the use of automation tools.
An entire resolution of the Government of the Russian Federation is devoted to such processing of personal data. The internal document in question is precisely intended to fulfill the requirements of this resolution. The main thing here is to carefully look at which provisions relate to the real situation and which do not. For example, if there is no checkpoint at which the watchman records those entering the territory in a log, then the relevant provisions regarding such logs should be removed.

There is another important point here that needs to be clarified. Many may be confused by the following provisions of the Government resolution discussed here:

1. Processing of personal data contained in the personal data information system or extracted from such a system (hereinafter referred to as personal data) is considered to be carried out without the use of automation tools (non-automated), if such actions with personal data as use, clarification, distribution, destruction of personal data data in relation to each of the subjects of personal data are carried out with the direct participation of a person.
2. The processing of personal data cannot be recognized as carried out using automation tools only on the basis that personal data is contained in the personal data information system or was extracted from it.

It may seem that in many cases the processing of personal data, including in information systems, should be considered non-automated. But this oddity was fixed by introducing the following definition into the Law “On Personal Data”:

4) automated processing
of personal data - processing of personal data
using computer technology
;

Resolution The government cannot contradict Federal law. As a result, non-automated processing of personal data is everything that is outside information systems (mainly paper media).

08 Order on the commission for the destruction of personal data and the form of the act of destruction

The document mostly relates to manual processing, that is, for example, to the destruction of personal files of employees whose storage period has expired. It is better to approve these documents, even if you have not destroyed anything yet, since inspectors often require them.

09 Order on approval of PD storage locations

Another document on manual processing. Here you need to determine the storage locations for the same personal files of employees in paper form and the person responsible for this storage location. The storage location can be a closet, safe, rack, etc.

10 Form of consent of the subject to the processing of his personal data

For cases when it is necessary to obtain written consent from the subjects of personal data. Here, when changing the template, the main thing to remember is that the content of written consent to the processing of personal data is strictly regulated by Part 4 of Article 9 of the Federal Law “On Personal Data”.

11 Regulations on video surveillance

A document that inspectors require if they see video cameras on the premises. It is not regulated by any explicit provisions of the law. The document is simple, we define the goals of video surveillance and other obvious things. The only important thing we have inserted here is a comment from Roskomnadzor representatives that the video image is not biometric PD, otherwise all inspectors have a different opinion on this matter.

12 Form of agreement on non-disclosure of personal data

Signed by our employees authorized to process personal data (both automated and non-automated).

13 Journal of citizens' appeals

Works in conjunction with the rules for considering requests from PD subjects. We register all incoming requests here. Inspectors require a log, even if there has not been a single request.

CIPF

Here are documents that take into account the requirements of the FSB for handling crypto funds. Accordingly, they are not needed if cryptography is not used. Since many of the requirements are quite old and quite strict (one of the governing documents dates back to 2001), we tried to somehow balance the internal documents, so that both you and us, as they say. But our FSB inspectors are the most unpredictable, so these documents are often supplemented and changed.

Skills Assessment Examples

For example, communication skills for a consultant might be assessed as follows:

• 1 point: makes contact difficult, prefers monologue to dialogue, has the same approach to all persons in contact with him;
• 2 points: easily makes contact, often uses dialogue as a form of communication, mostly adapts to the character of the interlocutor;
• 3 points: easily makes contact, uses dialogues to communicate, skillfully masters communication psychology skills.

What does an assessment of sales ability look like:

• 1 point: knowledge about the product and the company represented is limited to the necessary minimum, does not make contact first in the room, feels tension, in difficult situations does not follow the standards prescribed in the instructions, gives initiative in dialogue with the buyer, is not able to work with doubts and objections , which the buyer expresses, easily loses his temper, the sales result for a certain period is below average;
• 2 points: uses knowledge about the product and the company contained in the methodological manual, receives new information in a timely manner, for the most part takes initiative in dialogue with the buyer, initiates communication himself, is active in the room, finds out the needs of clients using questions, actively interacts with the buyer on throughout the entire period of sale of a product or service, does not get lost in a difficult situation, has a professional approach to resolving conflicts, the sales result for a certain period is average;
• 3 points: is well acquainted not only with information about the products of this company, but also with the products of competitors, acquires new knowledge in a timely manner, studies additional literature, takes the initiative when communicating with clients, clarifies in detail the details that the client requires, competently describes those or other products, actively works with the buyer throughout the entire sales period, is good at finding a way out of difficult situations, prevents emerging conflicts, and is a sales leader for a certain period.

Bottom line

To summarize the topic of distribution of powers, it is worth identifying the provisions that are described in this article using theses:

1. Every manager needs to be able to distribute responsibilities among subordinates so that the assigned department or the company as a whole works better and without organizational problems.
2. Each employee must have a strictly defined list of rights, responsibilities and level of responsibility for non-realization of rights and failure to fulfill responsibilities. This list and level are indicated in the job description.
3. The order on the distribution of responsibilities among the management team is issued by the general director. Thus, it is the general manager who generally determines the tasks of each employee. Why? Because he is responsible for distributing responsibilities between deputies.
4. The job description is drawn up either by the head of a department in a large company, or by a personnel officer in a small company. For example, an order on the distribution of labor protection responsibilities is issued by the head of the labor protection department.
5. Departments in the company, for the convenience of distributing powers within them among employees, can be divided according to five principles: equality in the number of groups, functions performed, geographically, depending on the products manufactured, depending on customer preferences.
6. To more conveniently distribute responsibilities between positions, a job profile is compiled, which contains information about what the employee should know and be able to do (sometimes what the employee can do and what the employee wants).
7. All criteria are assessed using a special document - a score sheet, which determines whether a given employee can be assigned this or that duty or not.

Once again, it is worth recalling that the distribution of functional responsibilities is the most important part of organizing the work of not only any department, but also the company as a whole, because it is thanks to the distribution of tasks that each employee clearly understands what is required of him and tries to achieve the goal set for him .

Effective distribution of responsibilities

So, the essence of a leader’s activity is to organize the collaboration of people. In order for it to be coherent and as effective as possible, each employee should be shown from the very beginning his place both on the career ladder and in the organization as a whole (that is, explain official duties and rights, warn about responsibilities).

The provision on the assignment of functions to ensure safe conditions and labor protection between managers and specialists has been implemented for a full-fledged enterprise.

Sometimes in organizations a situation may arise when one employee needs to do not only his own work, but also the work of a temporarily absent colleague. The next day, Glebova was given a notice that changes would be made to her job description in connection with the upcoming closure of the separate division. Glebova expressed her preliminary consent to the changes with a corresponding entry on the notice.

Organize the development and ensure the allocation of financial resources for the implementation of measures to ensure healthy and safe working conditions.

Before signing, the above-mentioned managers must submit draft orders for approval to the head of the legal and personnel sector, Zinevich E.K.

Determining the list of employee responsibilities is the authority of the head of the organization. Letter No. 4412-6 of Rostrud of the Russian Federation dated October 31, 2007 confirms the employer’s right to accept and make changes to the organization’s staffing table and job descriptions of employees.