How to protect the data in a CRM, from the point of view of the law and beyond?

We are planning to create a CRM for printing contracts, keeping the history of customer requests, gathering sales statistics, etc., on the SaaS model.
I read a bunch of articles on Habr about FSTEC and the protection of personal data (PD), but did not understand whether there are specific legal requirements for such a CRM.
Planned:
PHP + MySQL on a CentOS VPS
- SSL certificate. I read somewhere that we need a GOST one, and that it costs from 30 a year, really?))
- access rights within the CRM
- authorization by login and password
- after three unsuccessful password attempts, the next attempt is limited for 15 minutes by the user's IP
- logging of each user's actions
- each organization has its own MySQL DB

Is a notification to Roskomnadzor needed? Do we need to obtain any licenses?
By the way, I have not found anything on the websites of industry systems about protecting information in accordance with the requirements of FSTEC and the FSB, and I did not find it at AmoCRM either. In the end, is it needed or not? And what security measures should be taken into account?
April 3rd 20 at 18:25
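The lockout rule from the plan above (three failed passwords, then a 15-minute block per IP), as an added example that is not part of the original post. The `LoginThrottle` class and its in-memory array are hypothetical; a multi-server SaaS would keep this state in a shared MySQL table.

```php
<?php
declare(strict_types=1);

// Added example: per-IP login throttle (3 failures -> 15-minute lockout).
// Hypothetical class; the array stands in for a shared MySQL table.
final class LoginThrottle
{
    private const MAX_FAILURES = 3;
    private const LOCK_SECONDS = 900; // 15 minutes

    /** @var array<string, array{count:int, lockedUntil:int}> */
    private array $state = [];

    /** Seconds until this IP may try again; 0 means an attempt is allowed. */
    public function retryAfter(string $ip, int $now): int
    {
        $until = $this->state[$ip]['lockedUntil'] ?? 0;
        return max(0, $until - $now);
    }

    /** Record the outcome of a password check that was actually performed. */
    public function record(string $ip, bool $success, int $now): void
    {
        if ($success) {
            unset($this->state[$ip]); // a successful login clears the counter
            return;
        }
        $entry = $this->state[$ip] ?? ['count' => 0, 'lockedUntil' => 0];
        $entry['count']++;
        if ($entry['count'] >= self::MAX_FAILURES) {
            $entry['lockedUntil'] = $now + self::LOCK_SECONDS;
            $entry['count'] = 0; // fresh budget once the lock expires
        }
        $this->state[$ip] = $entry;
    }
}

// Constructed sample run; 203.0.113.7 is a documentation-only address.
$throttle = new LoginThrottle();
$ip = '203.0.113.7';
$now = 1000000;
foreach ([false, false, false, false] as $passwordOk) {
    if ($throttle->retryAfter($ip, $now) === 0) {
        $throttle->record($ip, $passwordOk, $now); // 4th try is never checked
    }
    $now += 10;
}
printf("retry after %d s\n", $throttle->retryAfter($ip, $now));
printf("15 minutes later: %d s\n", $throttle->retryAfter($ip, $now + 900));
```

Counting by IP alone also blocks every user behind a shared NAT address and does not limit guessing spread across many addresses, so a per-account counter is usually kept alongside it.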
2 answers
April 3rd 20 at 18:27
Read FZ 152. For legal entities there are separate points.
That is only about paperwork; from the point of view of technical security there is nothing there. The paperwork we will draw up - Cornelius41 commented on April 3rd 20 at 18:30
@billy_Ondric, are you sure you read it?
Quite clear recommendations are presented there.
Joking aside, you can make a plan with milestones to implement the system in accordance with Federal Law 152 and FSTEC licensing - adrianna.Collier commented on April 3rd 20 at 18:33
@eden, is it expensive?) Well, that is, is licensing necessary? Why don't the popular CRMs write about it? Like, look, we have everything, all according to the law - Cornelius41 commented on April 3rd 20 at 18:36
@billy_Ondric, they do write about it, only in very small print.
My contacts are in my profile; write to me and I will explain. - adrianna.Collier commented on April 3rd 20 at 18:39
@billy_Ondric, don't believe him. He'll cheat you and rip you off. - carli8 commented on April 3rd 20 at 18:42
April 3rd 20 at 18:29
Let's start with the question of who will have access to the CRM: only the author (a program for their own use), only employees of the organization (separately: "only from the company's local network" or "from anywhere in the world"), or third parties.
@Carley.Kund Unauthorized persons - Cornelius41 commented on April 3rd 20 at 18:32
Then you have to comply with all the requirements to the full extent...
Alas, I can't advise any further. - christ commented on April 3rd 20 at 18:35
@Carley.Kund, what do you mean by "all the requirements"? - carli8 commented on April 3rd 20 at 18:38
@adonis_Ritchie25, all the requirements of the law. Including formalizing access to the data officially.
Alas, I'm not very familiar with the topic. - christ commented on April 3rd 20 at 18:41
Maybe this link will help? - carli8 commented on April 3rd 20 at 18:44
