Decree No. 378/2006 Coll.
Decree on the procedures of qualified certification service providers, on the requirements for electronic signature tools and on data protection requirements for the creation of electronic marks (Decree on the procedures of qualified certification service providers)
Valid
Decree
Effective from 17.08.2006
378
DECREE
of 19 July 2006
on the procedures of qualified certification service providers, the requirements for electronic signature tools and data protection requirements for the creation of electronic marks (Decree on the procedures of qualified certification service providers)
The Ministry of Informatics (hereinafter "the Ministry") provides, pursuant to Section 20(1), (2), (3) and (5) of Act No. 227/2000 Coll., on electronic signature and amending certain other laws (the Act on electronic signature), as amended by Act No. 517/2002 Coll. and Act No. 440/2004 Coll. (hereinafter "the Act"):
GENERAL PROVISIONS
§ 1 Subject matter
(1) This Decree provides for:
(a) the manner in which the information obligation under Section 6(1)(a) and (f) and Section 6(3) of the Act is fulfilled, the qualification requirements under Section 6(1)(b) of the Act, the requirements for secure systems and secure tools under Section 6(1)(c) and (d) of the Act, the way in which the information and documentation referred to in Section 6(5) and (6) of the Act are kept, and the way in which compliance with those requirements is demonstrated;
(b) the method of ensuring the security of the lists referred to in Section 6a(1)(e) and (f) of the Act, the determination of the date and time referred to in Section 6a(1)(g) of the Act, the nature of the measures provided for in Section 6a(1)(h) of the Act, the manner in which the information obligation under Section 6a(1)(i) of the Act is fulfilled, the method of protecting the data and ensuring their compliance pursuant to Section 6a(2) of the Act, the method of invalidating the certificates referred to in Section 6a(3) and (4) of the Act, and the way in which compliance with those requirements is demonstrated;
(c) the method of ensuring the accuracy of the time when creating a qualified time stamp pursuant to Section 6b(1)(b) of the Act, the way in which the compliance of the data pursuant to Section 6b(1)(c) of the Act is ensured, the details of the measures provided for in Section 6b(1)(d) of the Act, the way in which the information obligation under Section 6b(1)(e) of the Act is fulfilled, and the way in which compliance with those requirements is demonstrated;
(d) the procedures which must be supported by secure-signature-creation devices for the protection of signature-creation data pursuant to Section 17 of the Act, and by electronic-mark-creation devices for the protection of mark-creation data pursuant to Section 17a of the Act, and the way in which compliance with these requirements is demonstrated.
(2) This Decree was notified in accordance with Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on information society services, as amended by Directive 98/48/EC.
§ 2 Definition of certain terms
For the purposes of this Decree:
(a) a superior qualified system certificate means a qualified system certificate which contains the data for the verification of electronic marks corresponding to the electronic-mark-creation data with which the provider marks the qualified certificates, qualified system certificates, lists referred to in Section 6a(1)(f) of the Act and qualified time stamps it issues;
(b) a list of certificates issued means a list which has the particulars laid down in Section 6a(1)(e) of the Act and complies with the requirements of this Decree;
(c) a list of invalidated certificates means a list which has the particulars laid down in Section 6a(1)(f) of the Act and complies with the requirements of this Decree;
(d) security documentation means the set of documents which the provider draws up in accordance with this Decree and which lays down the principles and all procedures applied in the provision of qualified certification services;
(e) a secure cryptographic module means an electronic signature tool which the provider uses for the activities provided for by this Decree and which complies with the requirements of this Decree;
(f) the critical activities of the provider means the receipt of applications for the invalidation of certificates, the invalidation of certificates and the issue of the list of invalidated certificates, or any other activities identified by the provider in the risk analysis as critical activities;
(g) an emergency means an exceptional event which endangers the provision of qualified certification services and is caused mainly by a failure of a trusted system or of technical equipment, or by a factor outside the provider's control;
(h) uncertainty of time data means the possible deviation of the time source from Coordinated Universal Time (UTC), added to the uncertainty of the time measurement.
PROCEDURES OF QUALIFIED CERTIFICATION SERVICE PROVIDERS AND DATA PROTECTION FOR THE CREATION OF ELECTRONIC MARKS
TRANSPORT PROCEDURES
§ 3 Requirements for secure systems
The systems referred to in Section 6(1)(c) and (d) of the Act ("trusted systems") are secure for the procedures they support if the qualified certification service provider ("the provider"):
(a) uses trusted systems and procedures which meet the requirements of the standard for those systems set out in point 1 of Annex 1 to this Decree and the requirements of the Czech technical standards set out in points 2 and 3 of Annex 1 to this Decree; the requirements of these standards and Czech technical standards laid down for trusted systems used for issuing and managing qualified certificates apply mutatis mutandis to trusted systems used for issuing and managing qualified system certificates;
(b) in managing the security of trusted systems, follows the Czech technical standard referred to in point 4 of Annex 1 to this Decree, and has in place and applies an information security management system in accordance with the Czech technical standard referred to in point 5 of Annex 1 to this Decree;
(c) carries out the following activities in premises which are secured in a manner similar to the security areas of the "Confidential" category under special legislation1) and are documented as that legislation requires: the creation of qualified certificates or qualified system certificates, of qualified time stamps and of secure-signature-creation devices, the invalidation of qualified certificates or qualified system certificates, the creation of lists of invalidated certificates, all management of the provider's electronic-mark-creation data and of the corresponding electronic-mark-verification data, the handling of the provider's qualified system certificate, and the recording of events associated with these activities;
(d) has drawn up the security documentation and keeps it up to date;
(e) proceeds in accordance with the principles and procedures set out in the security documentation;
(f) carries out security conformity checks in accordance with this Decree;
(g) carries out audits of the information security management system in accordance with this Decree.
§ 4 Security documentation
(1) Unless otherwise stated, the provider demonstrates compliance with the obligations laid down by the Act and the requirements laid down by this Decree by means of the security documentation.
(2) The security documentation consists of the following documents:
(a) a certification policy for issuing qualified certificates, where the provider provides that service;
(b) a certification policy for issuing qualified system certificates, where the provider provides that service;
(c) a policy for issuing qualified time stamps, where the provider provides that service;
(d) a policy for issuing secure-signature-creation devices, where the provider provides that service;
(e) certification policies for issuing superior qualified system certificates;
(f) user reports for the services referred to in points (a) to (d), where the provider provides those services;
(g) certification implementing directives (certification practice statements) or other implementing directives for the services referred to in points (a) to (e);
(h) an overall security policy;
(i) a system security policy;
(j) a crisis management plan and a recovery plan;
(k) other documents of the provider which are referred to in the documents under (a) to (j) or which contain detailed rules and procedures by which the provider ensures the security of the qualified certification services provided; the security documentation shall make clear which procedures the provider applies to ensure the security of the systems pursuant to Section 6(1)(c) and (d) of the Act.
§ 5 Content of the security documentation
(1) The policies referred to in Section 4(2)(a) to (d) always contain:
(a) the principles applied by the provider in the provision of the qualified certification service;
(b) in the case of the issue of qualified certificates or qualified system certificates, a description of the characteristics of the signature-creation data or mark-creation data and of the corresponding signature-verification data or mark-verification data, whether created by the person requesting the certificate or by the provider, for which the certificate is to be issued; the cryptographic algorithms and their parameters that may be used for such data are published by the Ministry on its official notice board;
(c) in the case of the issue of qualified time stamps:
1. the cryptographic algorithms, and their parameters, which may be used to create the data imprints to be marked with a qualified time stamp;
2. the accuracy of the time in the time stamp relative to Coordinated Universal Time (UTC).
(2) The user report referred to in Section 4(2)(f) contains the provider's identification data and a basic overview of the qualified certification service and its use.
(3) The implementing directive referred to in Section 4(2)(g) always lays down the procedures which the provider applies in the provision of the individual qualified certification services.
(4) The overall security policy referred to in Section 4(2)(h) always sets the objectives and describes the way in which the provider's trusted systems are secured, specifies the principles and rules for the management of security in trusted systems, and determines the powers and responsibilities for the management of security.
(5) The system security policy referred to in Section 4(2)(i) is drawn up on the basis of an analysis of the risks associated with the operation of trusted systems. In the risk analysis the provider identifies the assets of those systems, the threats to them, the vulnerabilities of the systems, the likelihood of the threats occurring, the estimated consequences, and the appropriate security measures.
(6) The system security policy always contains:
(a) the objectives for the protection of information;
(b) the way in which security is ensured;
(c) the powers and responsibilities in the operation of trusted systems;
(d) the rules and procedures specifically defining how information technology and the assets of the information systems are managed and protected, and how information is distributed within trusted systems and between them and other systems linked to them;
(e) the way in which the overall security policy is applied to the operation of trusted systems;
(f) a description of the trusted systems and their internal, external and mutual links;
(g) an assessment of the risk analysis and a description of the security measures referred to in paragraph 5;
(h) the manner in which time data are disseminated within trusted systems, where the provider provides the service of issuing qualified time stamps.
(7) The crisis management plan referred to in Section 4(2)(j) always contains the procedures to be followed in the event of an emergency.
(8) The recovery plan referred to in Section 4(2)(j) contains the strategies for the recovery of trusted systems to be implemented in order to:
(a) maintain the critical activities of the provider within the shortest possible time;
(b) restore the proper functioning of trusted systems.
§ 6 Requirements for drawing up the security documentation
(1) The structure of the certification policy under Section 4(2)(a), (b) and (e) and of the certification implementing directive under Section 4(2)(g) is set out in Annex 2 to this Decree.
(2) Structural items listed in Annex 2 to this Decree which are not used in drawing up the security documentation because the provider does not carry out the activity in question shall be marked as such.
(3) The overall security policy under Section 4(2)(h) and the system security policy under Section 4(2)(i) shall be drawn up in accordance with the requirements of the Czech technical standards set out in points 4 and 6 of Annex 1 to this Decree.
§ 7 Publication of documents
(1) The provider shall publish in full the documents referred to in Section 4(2)(a) to (d) and (f).
(2) The provider may publish the certification implementing directive or other implementing directives under Section 4(2)(g) to the extent that doing so does not jeopardise the security of the services provided.
(3) Publication under paragraphs 1 and 2 means publication in a manner which allows remote access and in the premises where contact with users takes place.
§ 8 Security conformity check
(1) The purpose of the security conformity check referred to in Section 3(f) is to verify that:
(a) the provider operates trusted systems in accordance with the Act and this Decree;
(b) the provider makes changes to trusted systems in accordance with those parts of its security documentation which govern change management.
(2) The subject of the security conformity check is:
(a) all trusted systems of the provider (overall security conformity check); or
(b) the changes referred to in paragraph 1(b) which the provider has made since the previous security conformity check and their impact on the provider's trusted systems, or verification that no such changes have occurred (partial security conformity check).
(3) An overall security conformity check shall be carried out no later than 1 year after the start of the provision of qualified certification services and thereafter at least every 4 years after the previous overall security conformity check, provided that during those 4 years partial security conformity checks were carried out with no more than 1 year between them and the first of them took place within 1 year after the overall security conformity check.
(4) Where partial security conformity checks under paragraph 2(b) are not carried out, overall security conformity checks shall be carried out at intervals of not more than 1 year.
(5) The security conformity check shall be carried out in accordance with the requirements of the Czech technical standard referred to in point 6 of Annex 1 to this Decree.
(6) The provider shall ensure that a security conformity check report is drawn up containing:
(a) the definition of the subject of the security conformity check: for an overall check, all the trusted systems referred to in paragraph 2(a), with an indication of the qualified certification services provided through those systems; for a partial check, the changes referred to in paragraph 2(b) which the provider has made since the previous security conformity check and the qualified certification services provided through the trusted systems affected by those changes;
(b) the unambiguous identification of the documentation which was the subject of the security conformity check;
(c) a description of the course of the security conformity check;
(d) the name, or the name and surname, of the person carrying out the security conformity check; that person may be in an employment relationship with the provider;
(e) a statement of the outcome of the security conformity check, including a statement as to whether the provider operates trusted systems in accordance with paragraph 1.
(7) Where the security conformity check establishes that the provider does not operate trusted systems in accordance with paragraph 1(a) or does not make changes to trusted systems in accordance with paragraph 1(b), a remedy shall be carried out, and its implementation shall be documented and verified during the same security conformity check.
(8) The provider shall send the security conformity check report to the Ministry within 30 days of the completion of the check.
§ 9 Audit of the information security management system
(1) The objective of the audit of the information security management system referred to in Section 3(g) is the objective and independent verification that the provider has in place and applies, in its trusted systems, the information security management system referred to in point 5 of Annex 1 to this Decree.
(2) If the implementation of the information security management system in the provider's trusted systems is certified as compliant with the Czech technical standard referred to in point 5 of Annex 1 to this Decree, the audit of the information security management system is deemed to have been carried out.
(3) The audit of the information security management system shall be carried out in accordance with the requirements of the standard referred to in point 7 of Annex 1 to this Decree; the body carrying out the audit shall be an audit organisation external to and independent of the provider, within the meaning of that standard.
(4) The provider shall provide the body carrying out the audit of the information security management system with the security conformity check report referred to in Section 8(6), if one has already been drawn up, and with the security documentation.
(5) The audit report on the information security management system shall contain:
(a) the definition of the subject of the audit of the information security management system, namely the qualified certification services provided through trusted systems;
(b) the unambiguous identification of the documentation which was audited and which the provider supplied to the body carrying out the audit of the information security management system;
(c) a statement by the body which carried out the audit on its outcome, including a declaration of compliance with the requirements referred to in paragraph 1.
(6) Where the audit of the information security management system establishes that the provider has not implemented and does not apply the information security management system in its trusted systems in accordance with the requirements referred to in paragraph 1, a remedy shall be carried out. The implementation of the remedy shall be documented and verified by an audit.
(7) The provider shall ensure that the statement of the outcome of the audit of the information security management system is published in the user report.
(8) The provider shall ensure that the audit of the information security management system is carried out before the start of the provision of the first qualified certification service and thereafter at least every 2 years.
§ 10 Manner of fulfilling the information obligation
(1) The provider fulfils the information obligation by publishing, in the documents referred to in Section 4(2)(a) to (d) and (f):
(a) if the provider is a legal person, its business name or name, legal form and registered office; if a natural person, the name or names and surname, place of business and identification number, if assigned;
(b) whether it is accredited by the Ministry;
(c) the precise conditions for the use of the qualified certification services, including any restrictions on their use laid down by the provider, and the conditions for complaints and for the resolution of disputes;
(d) an indication of where and how its superior qualified system certificates are available;
(e) how it ensures the provision of information to third parties pursuant to Section 6a(1)(i) of the Act, where it provides the qualified certification service concerned, including the contact details third parties may use when requesting such information and the maximum period which may elapse between the receipt of the request and the provision of the information;
(f) how it ensures the provision of information to third parties pursuant to Section 6b(1)(e) of the Act, where it provides the qualified certification service concerned, including the contact details third parties may use when requesting such information and the maximum period which may elapse between the receipt of the request and the provision of the information.
(2) The qualified system certificates referred to in paragraph 1(d) shall be published in at least two independent ways, at least one of which allows remote access.
(3) Where the provider's accreditation has been withdrawn, the provider shall without delay:
(a) state this in the documents referred to in Section 4(2)(a) to (d) and (f) and publish it in a manner which allows remote access;
(b) publish this in at least one nationally distributed daily newspaper specified in the documents referred to in Section 4(2)(a) to (d) and (f);
(c) communicate this by e-mail to the signatories or designating persons holding valid qualified certificates or qualified system certificates issued by the provider, if they stated an e-mail address in the application for the certificate.
(4) The information referred to in paragraph 3(b) and (c) includes the statement that qualified certificates issued by the provider can no longer be used in accordance with Section 11(1) of the Act and that qualified system certificates issued by the provider can no longer be used in accordance with Section 11(2) of the Act.
§ 11 Qualification requirements
Activities corresponding to the roles defined in the security requirements of the trusted systems standard referred to in point 1 of Annex 1 to this Decree may be carried out only by persons who:
(a) have completed higher education in an accredited Bachelor's or Master's programme and have at least 3 years of experience in information technology, or have completed secondary education and have at least 5 years of experience in information technology, of which at least 1 year in the provision of certification services;
(b) have knowledge of public key infrastructure and information security.
§ 12 Manner of keeping information and documentation and particulars of documents and records
(1) The information and documentation referred to in Section 6(5) and (6) of the Act must be acquired, stored and handled in a way that preserves the demonstrability of their origin, availability, integrity, timeliness and confidentiality.
(2) The provider demonstrates through the security documentation that:
(a) it has identified all types of information and documentation under Section 6(5) and (6) of the Act and the form in which they are kept;
(b) it has designated the location where the information and documentation are stored;
(c) it has laid down procedures for storing the information and documentation and for handling them once stored, so as to ensure the demonstrability of their origin, availability, integrity, timeliness and confidentiality in accordance with the requirements of the Act and this Decree;
(d) it has laid down procedures for storing the information and documentation so that they can be produced within the statutory period following the expiry of the certificate to which they relate;
(e) it has defined the responsibilities of the employees and, where applicable, other natural persons who ensure the retention of the information and documentation in compliance with the procedures referred to in (c);
(f) it has laid down how the information and documentation will be handled after 10 years.
(3) If the provider keeps the information and documentation referred to in Section 6(5) and (6) of the Act beyond 10 years, it shall demonstrate that:
(a) it has fixed the period for which the information and documentation will be kept;
(b) it ensures the storage and handling of the information and documentation mutatis mutandis in accordance with paragraph 2.
§ 13 Nature of the measures against misuse and falsification of certificates
(1) The provider may use its electronic-mark-creation data intended for marking the qualified certificates and qualified system certificates it issues only for marking those certificates and for marking the list of invalidated certificates.
(2) In accordance with the requirements of the trusted systems standard referred to in point 1 of Annex 1 to this Decree, the provider ensures:
(a) the management of the data referred to in paragraph 1 throughout their life cycle;
(b) the management of the electronic-mark-verification data corresponding to the data referred to in paragraph 1 throughout their life cycle;
(c) the creation of qualified certificates and qualified system certificates.
(3) The activities referred to in paragraph 2:
(a) may be carried out only by the natural persons designated for that activity by the provider;
(b) must be carried out in accordance with the procedures laid down in the certification implementing directive;
(c) must be carried out in accordance with the system security policy.
(4) The provider shall destroy the electronic-mark-creation data referred to in paragraph 1 at the end of their life cycle and shall make a record containing:
(a) a description of the method of destruction of the data;
(b) the date of destruction of the data;
(c) the date of the record;
(d) the name, surname and signature of the person designated by the provider to carry out the destruction of the data, where applicable.
(5) For the marking referred to in paragraph 1, the provider shall use a secure cryptographic module.
(6) In the event of misuse of its data referred to in paragraph 1, or where there are reasonable grounds for concern that they have been misused, the provider shall without delay:
(a) invalidate the qualified system certificate issued for those data;
(b) invalidate the certificates which have been marked with those data;
(c) invalidate the certificates which have been marked with electronic-mark-creation data for which a certificate referred to in (b) was issued;
(d) cease using the data referred to in paragraph 1.
(7) If the provider invalidates the qualified system certificate referred to in paragraph 6(a), it shall without delay:
(a) publish information on the invalidation of that certificate, stating the reason for the invalidation, in a manner which allows remote access, in the premises where contact with users takes place, and in at least one nationally distributed daily newspaper specified in the policies referred to in Section 4(2)(a) to (d);
(b) inform the signatories or designating persons holding valid qualified certificates or qualified system certificates issued by the provider of the invalidation of those certificates by e-mail, if they stated an e-mail address in the application for the certificate; this information includes the reason for the invalidation of the provider's superior qualified system certificate;
(c) inform the Ministry of the invalidation of that certificate, stating the reason for the invalidation.
§ 14 Manner of ensuring the security of lists
(1) The list of certificates issued is secure if the integrity of each certificate in that list is guaranteed.
(2) The provider shall mark the lists of invalidated certificates it issues with the electronic-mark-creation data referred to in Section 13(1), using a secure cryptographic module.
§ 15 Method of determining the date and time of issue or invalidation of a certificate
(1) The invalidation data of a certificate in the list of invalidated certificates include the date and time, stated to the hour, minute and second, at which the qualified certificate or qualified system certificate was invalidated, and the date and time of issue of the list of invalidated certificates in which the record of the invalidated certificate is given; the further data are, for a qualified certificate, at least the certificate number under Section 12(1)(g) of the Act and, for a qualified system certificate, at least the certificate number under Section 12a(f) of the Act.
(2) The data referred to in paragraph 1 and the date and time of issue of the certificate are included in the event records referred to in Section 12(2)(b).
(3) The synchronisation of the time of trusted systems with Coordinated Universal Time (UTC) shall comply with the requirements of the trusted systems standard referred to in point 1 of Annex 1 to this Decree.
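As an added illustration (not part of the Decree or of any provider's code), the following Python checks a list of invalidated certificates for the data the paragraph above requires (invalidation date and time to the second, date and time of issue of the list, certificate number) and for the provider's mark on the list. It assumes the list is an X.509 CRL under RFC 5280, a format the Decree itself does not name, uses the `cryptography` package, and works on constructed sample data.

```python
"""Added example, not part of the Decree or any provider's code: check a list
of invalidated certificates against Section 15(1) (invalidation date and time
to the second, date and time of issue of the list, certificate number) and
Section 14(2) (the list is marked with the provider's signing data).
Assumption: the list is an X.509 CRL as defined in RFC 5280, a format the
Decree itself does not name. Requires the `cryptography` package."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def _aware(dt):
    """Older `cryptography` releases return naive UTC datetimes; make them aware."""
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=UTC)


def build_sample_crl(signing_key, issue_time, revocations):
    """Constructed sample list: `revocations` is a list of (serial, revoked_at)."""
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample Provider CA")])
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(issue_time)  # date and time of issue of the list
        .next_update(issue_time + datetime.timedelta(days=1))
    )
    for serial, revoked_at in revocations:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)  # certificate number
            .revocation_date(revoked_at)  # DER encodes this to the second
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(private_key=signing_key, algorithm=hashes.SHA256())


def check_crl(crl_der, provider_public_key):
    """Return a list of findings; an empty list means no deviation was found."""
    crl = x509.load_der_x509_crl(crl_der)
    findings = []

    # Section 14(2): the list must be marked with the provider's own signing data,
    # so it must verify against the verification key the provider published.
    if not crl.is_signature_valid(provider_public_key):
        findings.append("signature does not verify with the provider's published key")

    # Section 15(1): the list carries its own date and time of issue (thisUpdate).
    issued = _aware(getattr(crl, "last_update_utc", None) or crl.last_update)

    # Section 15(1): every record carries the certificate number and the date and
    # time of invalidation. RFC 5280 times are encoded to the second, so a parsed
    # value already has hour, minute and second; what can still go wrong is a
    # record whose invalidation time lies after the issue of the list, which
    # points to an unsynchronised clock (Section 15(3)).
    seen = set()
    for entry in crl:
        serial = entry.serial_number
        revoked_at = _aware(
            getattr(entry, "revocation_date_utc", None) or entry.revocation_date
        )
        if serial <= 0:
            findings.append(f"record with invalid certificate number {serial}")
        if serial in seen:
            findings.append(f"certificate number {serial:#x} listed more than once")
        seen.add(serial)
        if revoked_at > issued:
            findings.append(
                f"certificate {serial:#x}: invalidation time {revoked_at.isoformat()} "
                f"is later than the issue of the list at {issued.isoformat()}"
            )
    return findings


def run_demo():
    """Build a compliant list and one with a clock defect, and also check the
    compliant list against the wrong key; return the three finding lists."""
    key = ec.generate_private_key(ec.SECP256R1())
    issued = datetime.datetime(2006, 8, 17, 12, 0, 5, tzinfo=UTC)  # constructed
    serial = 0x1A2B3C  # constructed certificate number
    good = build_sample_crl(key, issued, [(serial, issued - datetime.timedelta(hours=1))])
    clock_bug = build_sample_crl(
        key, issued, [(serial, issued + datetime.timedelta(minutes=5))]
    )
    good_der = good.public_bytes(serialization.Encoding.DER)
    bad_der = clock_bug.public_bytes(serialization.Encoding.DER)
    other_key = ec.generate_private_key(ec.SECP256R1())
    return (
        check_crl(good_der, key.public_key()),
        check_crl(bad_der, key.public_key()),
        check_crl(good_der, other_key.public_key()),
    )


if __name__ == "__main__":
    for label, findings in zip(("compliant", "clock defect", "wrong key"), run_demo()):
        print(f"{label}: {findings or 'no findings'}")
```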
§ 16 Method of protecting data created for users
Where the provider creates signature-creation data for the signatory, it shall protect those data and ensure their compliance with the requirements of the trusted systems standard referred to in point 1 of Annex 1 to this Decree; the requirements of that standard for the protection of signature-creation data created by the provider for the signatory apply mutatis mutandis to the protection of electronic-mark-creation data where the provider creates them for the designating person.
§ 17 Method of invalidating certificates
When ensuring the invalidation of qualified certificates or qualified system certificates, the provider:
(a) ensures the continuous receipt of applications for the invalidation of qualified certificates or qualified system certificates in at least two independent ways;
Regulation Information
| Citation | Decree No. 378/2006 Coll., on the procedures of qualified certification service providers, on the requirements for electronic signature tools and on data protection requirements for the creation of electronic marks (Decree on the procedures of qualified certification service providers) |
|---|---|
| Regulation Type | Decree |
| Author | - |
| Collection | Collection of Laws |
| Date of Promulgation | 02.08.2006 |
| Effective from | 17.08.2006 |
| Effective until | - |
| Status | Valid |