Decree No. 316 / 2014 Coll.

Decree on security measures, cyber security incidents, reactive measures and on the establishment of formal requirements for submissions in the field of cyber security (Cyber Security Decree)

Valid decree, effective from 01.01.2015

316
DECREE
of 15 December 2014
on security measures, cyber security incidents, reactive measures and on the establishment of formal requirements for submissions in the field of cyber security (Cyber Security Decree)

The National Security Authority, pursuant to § 28 (2) of Act No. 181/2014 Coll., on Cyber Security and on amendments to related Acts (the Cyber Security Act) ("the Act"), lays down the following to implement § 6 (a) to (c), § 8 (4), § 13 (4) and § 16 (6) of the Act:

PART ONE

INTRODUCTORY PROVISIONS
§ 1
Subject matter
This Decree sets out the content and structure of the security documentation for a critical information infrastructure information system, a critical information infrastructure communication system or a significant information system; the content of the security measures and the scope of their implementation; the types and categories of cyber security incidents; the formal requirements and the means of reporting a cyber security incident; the details of the notification of the implementation of a reactive measure and its outcome; and the template for the notification of contact details and its form.
§ 2
Definition of terms
For the purposes of this Decree:
(a) information security management system means that part of the management system of the authority and person referred to in § 3 (c) to (e) of the Act which, based on a risk-based approach to the critical information infrastructure information system, the critical information infrastructure communication system or the significant information system, establishes, implements, operates, monitors, reviews, maintains and improves information security;
(b) asset means a primary asset and a supporting asset;
(c) primary asset means information or a service which the critical information infrastructure information system, the critical information infrastructure communication system or the significant information system processes or provides;
(d) supporting asset means a technical asset, and the staff and suppliers involved in the operation, development, management or security of the critical information infrastructure information system, the critical information infrastructure communication system or the significant information system;
(e) technical asset means the technical equipment, means of communication and software of the critical information infrastructure information system, the critical information infrastructure communication system or the significant information system, and the premises in which those systems are located;
(f) risk means the possibility that a threat will exploit a vulnerability of the critical information infrastructure information system, the critical information infrastructure communication system or the significant information system and cause damage to an asset;
(g) risk assessment means the process in which the significance of risks and their acceptable level are determined;
(h) risk management means activities comprising risk assessment, the selection and implementation of risk management measures, the sharing of information on risks, and the monitoring and review of risks;
(i) threat means a potential cause of a cyber security event or cyber security incident which may result in damage to an asset;
(j) vulnerability means a weakness of an asset or of a security measure which may be exploited by one or more threats;
(k) acceptable risk means the risk remaining after the application of security measures, the level of which corresponds to the risk acceptance criteria;
(l) security policy means a set of principles and rules which determine how the protection of assets is ensured by the authority and person referred to in § 3 (c) to (e) of the Act;
(m) guarantor of the asset means the natural person entrusted by the authority or person referred to in § 3 (c) to (e) of the Act with ensuring the development, use and security of the asset;
(n) user means a natural or legal person or a public authority using primary assets;
(o) administrator means the natural person entrusted by the guarantor of the asset with ensuring the management, operation, use, maintenance and security of a technical asset.

PART TWO

SECURITY MEASURES

TITLE I

ORGANISATIONAL MEASURES
§ 3
Information security management system
(1) The authority and person referred to in § 3 (c) and (d) of the Act, within the information security management system, shall
(a) establish, with regard to assets and organisational security, the scope and boundaries of the information security management system in which it identifies the organisational parts and technical elements covered by the information security management system;
(b) manage the risks referred to in Article 4 (1);
(c) establish and approve a security policy in the area of the information security management system, which includes key principles, objectives, security needs, rights and obligations in relation to information security management and, on the basis of security needs and risk assessment results, shall establish a security policy in the other areas referred to in Article 5 and establish appropriate security measures;
(d) monitor the effectiveness of security measures;
(e) evaluate the suitability and effectiveness of the security policy in accordance with Section 5;
(f) ensure that the cyber security audit referred to in Article 15 is carried out at least once a year;
(g) ensure, at least once a year, an evaluation of the effectiveness of the information security management system, which includes an assessment of the state of the information security management system including a review of the risk assessment, an assessment of the results of the checks and cyber security audits carried out, and an assessment of the impact of cyber security incidents on the information security management system;
(h) update the information security management system and the relevant documentation on the basis of the findings of cyber security audits, the results of the evaluation of the effectiveness of the information security management system and in the context of the changes implemented or planned; and
(i) manage the operation and resources of the information security management system, record the activities associated with the information security management system and risk management.
(2) The authority and person referred to in § 3 (e) of the Act, within the information security management system, shall
(a) manage the risks referred to in Article 4 (2);
(b) establish and approve a security policy in the area of the information security management system, which includes the main principles, objectives, security needs, rights and obligations in relation to information security management and, on the basis of the security needs and the results of the risk assessment, shall establish a security policy in other areas referred to in Article 5 and shall establish appropriate security measures; and
(c) update the report on the assessment of assets and risks, the security policy, the risk management plan and the security awareness development plan, at least every three years or in the context of the changes implemented or planned.
§ 4
Risk management
(1) The authority and person referred to in § 3 (c) and (d) of the Act, within risk management, shall
(a) establish a methodology for the identification and assessment of assets and for the identification and assessment of risks, including the setting of risk acceptance criteria;
(b) identify and assess the importance of the assets falling within the scope of the information security management system in accordance with § 8, at least to the extent of Annex 1 to this Decree, and incorporate the outputs into the asset and risk assessment report;
(c) identify the risks, taking into account threats and vulnerabilities, assess the potential impacts on the assets, assess those risks at least to the extent set out in Annex 2 to this Decree, identify and approve acceptable risks, and prepare a report on the assessment of assets and risks;
(d) prepare a declaration of applicability based on security needs and the results of the risk assessment, which shall include an overview of the security measures selected and implemented;
(e) develop and implement a risk management plan containing the objectives and benefits of the security measures for risk management, the identification of the person responsible for enforcing those security measures, the financial, technical, human and information resources required, the dates for their implementation and a description of the links between the identified risks and the relevant security measures; and
(f) take into account in the risk assessment, without undue delay, the reactive and protective measures issued by the National Security Authority ("the Authority") and, where the risk assessment updated for the new vulnerability associated with the implementation of the reactive or protective measure exceeds the established risk acceptance criteria, supplement the risk management plan.
(2) The authority and person referred to in § 3 (e) of the Act, within risk management, shall
(a) establish a methodology for the identification and assessment of assets and for the identification and assessment of risks, including the setting of risk acceptance criteria;
(b) identify and assess the importance of the primary assets falling within the scope of the information security management system in accordance with § 8, at least to the extent of Annex 1 to this Decree, and incorporate the outputs into the asset and risk assessment report;
(c) identify the risks, taking into account threats and vulnerabilities, assess the potential impacts on the primary assets, assess those risks at least to the extent set out in Annex 2 to this Decree, and prepare a report on the assessment of assets and risks;
(d) prepare a declaration of applicability based on security needs and the results of the risk assessment, which shall include an overview of the security measures selected and implemented;
(e) develop and implement a risk management plan containing the objectives and benefits of the security measures for risk management, the identification of the person responsible for enforcing those security measures, the financial, technical, human and information resources required, the dates for their implementation and a description of the links between the identified risks and the relevant security measures; and
(f) take into account in the risk assessment, without undue delay, the reactive and protective measures issued by the Authority and, where the risk assessment updated for the new vulnerability associated with the implementation of the reactive or protective measure exceeds the established risk acceptance criteria, supplement the risk management plan.
(3) Risk management may also be ensured by means other than those provided for in paragraphs 1 and 2, provided that the authority and person referred to in § 3 (c) to (e) of the Act ensure that the measures applied provide the same or a higher level of risk management.
(4) The authority and person referred to in § 3 (c) to (e) of the Act shall, when assessing risks, consider in particular the following threats:
(a) breaches of security policy, the conduct of unauthorised activities, misuse of authorisations by users and administrators;
(b) damage or failure of technical or software equipment;
(c) misuse of the identity of the natural person;
(d) the use of software contrary to licensing conditions;
(e) cyber attack from the communications network;
(f) harmful code (e.g. viruses, spyware, Trojan horses);
(g) deficiencies in the provision of services to critical information infrastructure information system, critical information infrastructure communication system or significant information system;
(h) physical security breach;
(i) interruption of the provision of electronic communications services or of the supply of electricity;
(j) misuse or unauthorised modification of data;
(k) persistent threats; and
(l) theft or damage of an asset.
(5) The authority and person referred to in § 3 (c) to (e) of the Act shall, when assessing risks, consider in particular the following vulnerabilities:
(a) insufficient protection of the outer perimeter;
(b) lack of security awareness of users and administrators;
(c) insufficient maintenance of critical information infrastructure information system, critical information infrastructure communication system or significant information system;
(d) inappropriate setting of access permissions;
(e) insufficient procedures for identifying and detecting negative security phenomena, cyber security events and cyber security incidents;
(f) insufficient monitoring of the activities of users and administrators and failure to detect their inappropriate or defective behaviour; and
(g) insufficient identification of security rules, inaccurate or ambiguous definition of the rights and obligations of users, administrators and security roles.
(6) The authority and person referred to in § 3 (c) and (d) of the Act shall further consider the following threats when assessing risks:
(a) breach of security policy, conduct of unauthorised activities, misuse of authorisations by administrators of critical information infrastructure;
(b) misconduct by staff;
(c) misuse of internal resources, sabotage;
(d) long-term interruption of the provision of electronic communications services, electricity supply or other important services;
(e) lack of staff with the necessary level of expertise;
(f) a targeted cyber attack using social engineering or espionage techniques; and
(g) misuse of removable technical data media.
(7) The authority and person referred to in § 3 (c) and (d) of the Act shall further consider the following vulnerabilities when assessing risks:
(a) insufficient protection of critical information infrastructure resources;
(b) inappropriate security architecture;
(c) lack of independent control; and
(d) failure to detect errors by employees in good time.
§ 5
Security policy
(1) The authority and person referred to in § 3 (c) and (d) of the Act shall establish a security policy in the areas of:
(a) the information security management system;
(b) organisational security;
(c) management of relations with suppliers;
(d) the classification of assets;
(e) human resources security;
(f) operations and communications management;
(g) access management;
(h) secure user behaviour;
(i) backup and recovery;
(j) secure transmission and exchange of information;
(k) management of technical vulnerabilities;
(l) the secure use of mobile devices;
(m) the provision and acquisition of software and information licences;
(n) long-term storage and archiving of information;
(o) the protection of personal data;
(p) physical security;
(q) security of the communication network;
(r) protection against harmful code;
(s) the deployment and use of a tool for the detection of cyber security incidents;
(t) the use and maintenance of a tool for collecting and evaluating cyber security incidents; and
(u) the use of cryptographic protection.
(2) The authority and person referred to in § 3 (e) of the Act shall establish a security policy in the areas of:
(a) the information security management system;
(b) organisational security;
(c) management of relations with suppliers;
(d) the classification of assets;
(e) human resources security;
(f) operations and communications management;
(g) access management;
(h) secure user behaviour;
(i) backup and recovery;
(j) the provision and acquisition of software and information licences;
(k) protection of personal data;
(l) the use of cryptographic protection;
(m) protection against harmful code; and
(n) the deployment and use of a tool for the detection of cyber security incidents.
(3) The authority and person referred to in § 3 (c) to (e) of the Act shall regularly evaluate the effectiveness of the security policy and update it.
§ 6
Organisational security
(1) The authority and person referred to in § 3 (c) to (e) of the Act shall establish an organisation for the management of information security within which it shall designate a committee for the management of cyber security and security roles and their rights and obligations related to the information system of critical information infrastructure, a communication system for critical information infrastructure or a significant information system.
(2) The authority and person referred to in § 3 (c) and (d) of the Act shall establish the following security roles:
(a) a cyber security manager;
(b) a cyber security architect;
(c) a cyber security auditor; and
(d) the guarantor of the asset referred to in § 2 (m).
(3) The authority and person referred to in § 3 (e) of the Act shall establish security roles appropriately in accordance with paragraph 2.
(4) The cyber security manager shall be the person responsible for the information security management system, who is trained for this activity and demonstrates professional competence by at least three years' experience in information security management.
(5) The cyber security architect shall be the person responsible for the design and implementation of security measures, who is trained for this activity and demonstrates professional competence by at least three years' experience in the design of security architecture.
(6) The cyber security auditor shall be the person carrying out cyber security audits, who is trained for this activity and demonstrates professional competence by at least three years' experience in conducting cyber security audits. The cyber security auditor shall perform this role impartially, and the performance of this role shall be separated from the performance of the roles referred to in paragraph 2 (a), (b) or (d).
(7) The Cyber Security Management Committee shall be an organised group composed of persons entrusted with the overall management and development of a critical information infrastructure information system, a critical information infrastructure communication system or a significant information system, or involved significantly in the management and coordination of cyber-security activities of such systems.
(8) The authority and person referred to in § 3 (c) to (e) of the Act will provide training for persons who hold security roles in accordance with the Security Awareness Development Plan referred to in § 9 (1) (b).
§ 7
Setting of security requirements for suppliers
(1) The authority and person referred to in § 3 (c) to (e) of the Act shall establish rules for suppliers which take into account the needs of information security management, and shall apply them to suppliers or other persons involved in the development, operation or security of the critical information infrastructure information system, the critical information infrastructure communication system or the significant information system. The extent to which suppliers are involved in the development, operation or security of the critical information infrastructure information system, the critical information infrastructure communication system or the significant information system may be demonstrated by the authority and person referred to in § 3 (c) to (e) of the Act by a contract which includes a provision on information security.
(2) The authority and person referred to in § 3 (c) and (d) of the Act, in respect of the suppliers referred to in paragraph 1, shall
(a) carry out, before concluding the contract, the risk assessment referred to in Annex 2 to this Decree relating to significant deliveries;
(b) conclude a service level agreement which sets out the methods and levels of implementation of security measures and determines the mutual contractual responsibility for the establishment and control of security measures; and
(c) carry out regular risk assessments and regular checks of the security measures in place for the services provided, and eliminate the deficiencies identified or ensure that they are eliminated in agreement with the supplier.
§ 8
Asset management
(1) The authority and person referred to in § 3 (c) to (e) of the Act, within asset management, shall
(a) identify and register primary assets;
(b) designate the guarantors of the assets responsible for the primary assets; and
(c) assess the importance of primary assets in terms of confidentiality, integrity and availability and classify them into levels at least to the extent specified in Annex 1 to this Decree.
(2) In assessing the importance of primary assets, the following in particular shall be assessed:
(a) the extent and importance of personal data or business secrets;
(b) the scope of the legal obligations or other obligations concerned;
(c) the extent to which internal management and control activities are affected;
(d) damage to public, commercial or economic interests;
(e) potential financial losses;
(f) the extent to which the normal activities of the authority and person referred to in § 3 (c) to (e) of the Act are affected;
(g) the impacts associated with a breach of confidentiality, integrity and availability; and
(h) the impacts on the preservation of good name or the protection of reputation.
(3) The authority and person referred to in § 3 (c) and (d) of the Act shall
(a) identify and register supporting assets;
(b) designate the guarantors of the assets responsible for the supporting assets; and
(c) identify the links between primary and supporting assets and assess the consequences of the dependencies between primary and supporting assets.
(4) The authority and person referred to in § 3 (c) to (e) of the Act shall
(a) establish the rules of protection necessary to secure the individual levels of assets, whereby it
1. identifies ways of distinguishing between the levels of assets;
2. establishes rules for the handling and recording of assets by asset level, including rules for the secure electronic sharing and physical transfer of assets; and
3. establishes the permissible ways of using assets;
(b) establish rules of protection appropriate to the level of the assets; and
(c) identify ways of reliably deleting or destroying technical data media with regard to the level of the assets.
§ 9
Human resources security
(1) The authority and person referred to in § 3 (c) to (e) of the Act, within the management of human resources security, shall
(a) establish a security awareness development plan containing the form, content and scope of the training required, and identify the persons carrying out the individual activities listed in the plan;
(b) ensure, in accordance with the security awareness development plan, the education of users, administrators and persons holding security roles on their responsibilities and on the security policy by means of initial and regular training;
(c) ensure compliance with the security policy by users, administrators and persons holding security roles; and
(d) ensure the return of the assets entrusted and the withdrawal of access authorisations on termination of the contractual relationship with users, administrators or persons holding security roles.
(2) The authority and person referred to in § 3 (c) to (e) of the Act shall keep a summary of the training referred to in paragraph 1, containing the subject matter of the training and a list of the persons who received it.
(3) The authority and person referred to in § 3 (c) and (d) of the Act shall
(a) lay down rules for identifying the persons who will hold security roles, administrator roles or user roles;
(b) evaluate the effectiveness of the security awareness development plan, the training carried out and other activities related to deepening security awareness;


Regulation information

Citation: Decree No. 316/2014 Coll., on security measures, cyber security incidents, reactive measures and on the establishment of formal requirements for submissions in the field of cyber security (Cyber Security Decree)
Regulation type: Decree
Author: -
Collection: Collection of Laws
Date of promulgation: 19.12.2014
Effective from: 01.01.2015
Effective until: -
Status: Valid