Decree No. 82 / 2018 Coll.
Ordinance on security measures, cyber security incidents, reactive measures, procedural formalities in the field of cyber security and data destruction (Regulation on cyber security)
Valid
Effective from 28.05.2018
82
DECREE
of 21 May 2018
on security measures, cyber security incidents, reactive measures, procedural formalities in the field of cyber security and data destruction (Regulation on cyber security)
The National Bureau of Cyber and Information Security lays down, pursuant to Article 28 (2) (a) to (d) and (f) of Act No. 181/2014 Coll., on Cyber Security and on amendments to related acts (Cyber Security Act), as amended by Act No. 104/2017 Coll. and Act No. 205/2017 Coll. (hereinafter referred to as "the Act"):
INTRODUCTORY PROVISIONS
Subject matter
This Decree implements the relevant European Union regulation and, for the critical information infrastructure information system, the critical information infrastructure communication system, the significant information system, the basic service information system or the electronic communications system used by a digital service provider (hereinafter referred to as "the information and communication system"), lays down:
(a) the content and structure of the security documentation;
(b) the content and scope of the security measures;
(c) types, categories and assessments of the significance of cyber security incidents;
(d) the formalities and means of reporting a cyber security incident;
(e) particulars of the notification of the implementation of the reactive measure and its outcome;
(f) a model for the notification of contact details and its form; and
(g) the manner in which the data, operational data, information and copies thereof are disposed of.
Definition of terms
For the purposes of this decree:
(a) administrator means a person providing the management, operation, use, maintenance and security of a technical asset;
(b) acceptable risk means a risk which is acceptable to the authority or person obliged to introduce security measures under the Act (hereinafter referred to as "the obliged person") and which does not need to be managed by further security measures;
(c) security policy means a set of principles and rules which determine the way in which asset protection is ensured;
(d) risk assessment means the overall process of identifying, analysing and evaluating risks;
(e) threat means a potential cause of a cyber security event or cyber security incident which may cause damage;
(f) supporting asset means a technical asset, and the staff and suppliers involved in the operation, development, management or security of the information and communication system;
(g) primary asset means information or a service which the information and communication system processes or provides;
(h) risk means the possibility that a threat exploits a vulnerability of an asset and causes damage;
(i) risk management means activities involving risk assessment, the selection and implementation of risk management measures, the sharing of information on risks, and the monitoring and review of risks;
(j) information security management system means the part of the obliged person's management system, based on an approach to the risks of the information and communication system, which provides for the establishment, implementation, operation, monitoring, review, maintenance and improvement of information and data security;
(k) technical asset means the technical equipment, communication means and software of the information and communication system, and the premises in which such systems are located, the failure of which may have an impact on the information and communication system;
(l) user means a natural or legal person or a public authority using assets;
(m) senior management means a person or group of persons managing the obliged person, or the statutory body of the obliged person;
(n) significant supplier means the operator of the information or communication system (hereinafter referred to as "the operator") and anyone entering into a legal relationship with the obliged person that is relevant to the security of the information and communication system;
(o) significant change means a change which has or may have an impact on cyber security and poses a high risk;
(p) vulnerability means a weak point of an asset or a weak point of a security measure which may be exploited by one or more threats.
SECURITY MEASURES
ORGANISATION MEASURES
Information security management system
The obliged person shall, within the information security management system,
(a) establish, taking into account the requirements of the parties concerned and organisational security, the scope of the information security management system in which it identifies the organisational parts and assets covered by the information security management system;
(b) define the objectives of the information security management system;
(c) implement adequate security measures for the defined scope of the information security management system based on the objectives of the information security management system, safety needs and risk assessment;
(d) manage the risks referred to in Article 5;
(e) establish and approve a security policy in the area of the information security management system, which contains guidelines, objectives, security needs, rights and obligations in relation to information security management, and, on the basis of the security needs and the results of the risk assessment, establish a security policy in the other areas referred to in Article 30 and implement adequate security measures;
(f) ensure that the cyber security audit of the information and communication system (hereinafter referred to as "cyber security audit") is carried out in accordance with Article 16;
(g) ensure regular evaluation of the effectiveness of the information security management system, which includes an assessment of the state of the information security management system including a review of the risk assessment, an assessment of the results of the cyber security audits carried out and the impact of cyber security incidents on the information security management system;
(h) identify continuously and subsequently manage significant changes which fall within the scope of the information security management system in accordance with Article 11;
(i) update the information security management system and the relevant documentation on the basis of the findings of cyber security audits, the results of the evaluation of the effectiveness of the information security management system and in the context of significant changes made; and
(j) manage the operation and resources of the information security management system and record the activities associated with the information security management system and with risk management.
Asset management
(1) The obliged person shall, in asset management,
(a) establish a methodology for identifying assets;
(b) establish a methodology for the assessment of assets to at least the extent set out in Annex 1 to this Decree;
(c) identify and register assets;
(d) identify and register asset guarantees;
(e) evaluate and register primary assets in terms of confidentiality, integrity and availability and assign them to the levels referred to in (b);
(f) identify and register links between primary and supporting assets and assess the consequences of the dependencies between primary and supporting assets;
(g) evaluate the supporting assets, taking into account in particular the dependencies referred to in (f);
(h) on the basis of an asset assessment, define and introduce the protection rules necessary to safeguard the different levels of assets;
(i) establish the permissible means of use of assets and the rules on asset handling with regard to asset level, including rules on safe electronic sharing and physical transfer of assets; and
(j) determine, with regard to the level of the assets, how the data, operational data, information and copies thereof or the technical data media are to be disposed of, in accordance with Annex 4 to this Decree.
(2) In assessing the importance of primary assets, the obliged person shall take into account at least:
(a) the extent and importance of personal data, specific categories of personal data or business secrets;
(b) the scope of the legal obligations or other obligations concerned;
(c) the extent to which internal management and control activities are affected;
(d) damage to public, commercial or economic interests and potential financial losses;
(e) the effects on the provision of important services;
(f) the extent of disruption of normal activities;
(g) the effects on the preservation of a reputation or the protection of reputation;
(h) impacts on the safety and health of persons;
(i) impacts on international relations; and
(j) the impact on users of the information and communication system.
Risk management
(1) The obliged person shall, in risk management and following on from Article 4,
(a) establish a methodology for risk assessment, including the setting of criteria for risk acceptance;
(b) identify relevant threats and vulnerabilities with regard to assets, taking into account in particular the categories of threats and vulnerabilities listed in Annex 3 to this Decree;
(c) carry out the risk assessment at regular intervals referred to in paragraph 2 and in the event of significant changes;
(d) when assessing risks, take into account the relevant threats and vulnerability and assess the potential impact on assets; the risks are assessed at least to the extent of Annex 2 to this Decree;
(e) prepare a risk assessment report;
(f) draw up, on the basis of the security needs and the results of the risk assessment, a declaration of applicability containing an overview of the security measures required by this Decree which:
1. have not been applied, including the justification;
2. have been applied, including the manner of their implementation;
(g) develop and implement a risk management plan containing the objectives and benefits of security measures for the management of individual risks, the identification of the person ensuring the enforcement of security measures for risk management, the necessary financial, technical, human and information resources, the deadline for their implementation, the description of the links between the risks and the relevant security measures, and the way in which the security measures are implemented;
(h) take into account in the risk assessment and the risk management plan:
1. significant changes;
2. changes in the scope of the information security management system;
3. the measure under Article 11 of the Law; and
4. cyber security incidents, including those previously addressed; and
(i) implement security measures in accordance with the risk management plan.
(2) The mandatory person referred to in § 3 (c), (d) and (f) of the Act carries out the risk assessment at least once a year and the mandatory person referred to in § 3 (e) of the Act at least every three years.
(3) Risk management may also be ensured in ways other than those provided for in paragraph 1 (d), provided that the obliged person ensures that the measures applied achieve the same or a higher level of the risk management process.
Organisational security
(1) The obliged person shall, with regard to the information security management system,
(a) ensure that the security policy and the objectives of the information security management system established in accordance with Article 3 are compatible with the strategic direction of the obliged person;
(b) ensure the integration of the information security management system into the processes of the obliged entity;
(c) ensure the availability of the resources necessary for the information security management system;
(d) inform employees of the importance of the information security management system and of the importance of achieving compliance with its requirements, and inform all parties concerned thereof;
(e) ensure support to achieve the intended outputs of the information security management system;
(f) lead employees to contribute to the effectiveness of the information security management system and support them in doing so;
(g) promote continuous improvement of the information security management system;
(h) support security actors in promoting cyber security in their areas of responsibility;
(i) ensure that rules are laid down for the identification of administrators and persons representing security roles;
(j) ensure that confidentiality of administrators and persons representing security roles is maintained;
(k) ensure appropriate powers and resources for persons representing security roles, including budgetary means, to fulfil their roles and to perform related tasks; and
(l) ensure testing of continuity plans for activities, recovery and processes associated with the management of cyber security incidents.
(2) The obliged person shall, within the information security management system, determine the composition of the cyber security management committee and its rights and obligations in relation to the information security management system.
(3) The obliged person referred to in § 3 (c), (d) and (f) of the Act shall designate persons to hold the following security roles:
(a) a cyber security manager,
(b) architect of cyber security,
(c) asset guarantor; and
(d) an auditor of cyber security.
(4) The obliged person referred to in Section 3 (e) of the Act shall determine the security roles of cyber security manager and asset guarantor. The other security roles referred to in paragraph 3 shall be determined as appropriate to the scope and needs of the information security management system.
(5) The obliged person referred to in § 3 (c), (d) and (f) of the Act shall ensure that the security roles referred to in paragraph 3 (a) and (b) are substitutable.
(6) The obliged person referred to in Section 3 (e) of the Act shall ensure the substitutability of the security role of cyber security manager.
(7) The cyber security management committee shall be composed of persons with the relevant powers and competence for the overall management and development of the information security management system and of persons significantly involved in the management and coordination of cyber security activities; at least one representative of the senior management and the cyber security manager shall be members. In constituting the cyber security management committee, the obliged person shall take into account the recommendations set out in Annex 6 to this Decree.
Security roles
(1) The cyber security manager
(a) is the security role responsible for the information security management system; its performance may be entrusted to a person who is trained for this activity and demonstrates professional competence by experience in the management of cyber security or information security
1. for at least three years; or
2. for a period of one year, if the person has completed university education;
(b) is responsible for regularly informing the senior management of:
1. the activities arising from the scope of their responsibility; and
2. the state of the information security management system; and
(c) shall not be entrusted with the performance of roles responsible for the operation of the information and communication system.
(2) The cyber security architect is the security role responsible for the design of the implementation of security measures so as to ensure a secure architecture of the information and communication system; its performance may be entrusted to a person who is trained for this activity and demonstrates professional competence by experience in designing the implementation of security measures and ensuring security architecture
(a) for at least three years; or
(b) for a period of one year, if the person has completed university education.
(3) The asset guarantor is the security role responsible for ensuring the development, use and security of the asset.
(4) The cyber security auditor
(a) is the security role responsible for carrying out cyber security audits; its performance may be entrusted to a person who is trained for this activity and demonstrates professional competence by experience in carrying out cyber security audits or audits of information security management systems
1. for at least three years; or
2. for a period of one year, if the person has completed university education;
(b) ensures that the cyber security audit is impartial; and
(c) shall not be responsible for the performance of other security roles.
(5) In determining the persons holding security roles, the mandatory person will take into account the recommendations set out in Annex 6 to this Decree.
Management of suppliers
(1) The obliged person shall
(a) lay down rules for suppliers which take into account the requirements of the information security management system;
(b) keep records of its significant suppliers;
(c) verifiably inform its significant suppliers in writing of their registration referred to in (b);
(d) notify its suppliers of the rules referred to in (a) and require compliance with those rules;
(e) manage the risks associated with suppliers;
(f) in connection with the management of the risks associated with significant suppliers, ensure that contracts concluded with significant suppliers include the relevant areas listed in Annex 7 to this Decree; and
(g) regularly review the performance of contracts with significant suppliers in terms of the information security management system.
(2) The obliged person shall, in relation to significant suppliers,
(a) in the context of the selection procedure and before the conclusion of the contract, carry out an assessment of the risks related to the performance of the subject-matter of the selection procedure, mutatis mutandis, in accordance with Annex 2 to this Decree;
(b) establish, within the framework of contractual relations concluded, the methods and levels of implementation of security measures and determine the content of mutual contractual responsibility for the establishment and control of security measures;
(c) carry out regular risk assessments and periodic checks on the security measures in place for the performance provided through own resources or through a third party; and
(d) ensure that the identified risks and deficiencies are addressed.
(3) The elements of the verifiable information referred to in paragraph 1 (c) are:
(a) identification of the obliged person or operator;
(b) identification of the information and communication system;
(c) identification of a significant supplier;
(d) a statement that the supplier is a significant supplier of the obliged person and, where applicable, that the significant supplier is also an operator; and
(e) the content of the rules referred to in paragraph 1 (a).
(4) The mandatory person referred to in § 3 (c) to (f) of the Act, which is an operator and has been demonstrably informed in accordance with paragraph 1 (c), reports the contact details in the form set out in § 34.
Human resources security
(1) The obliged person shall, in human resources security management,
(a) in the light of the state and needs of the information security management system, establish a security awareness development plan aimed at ensuring adequate education and improvement of security awareness, which shall include the form, content and scope of:
1. the instruction of users, administrators, persons holding security roles and suppliers on their responsibilities and on the security policy; and
2. the necessary theoretical and practical training of users, administrators and security actors;
(b) designate the persons responsible for carrying out the individual activities listed in the plan;
(c) ensure, in accordance with the Security Awareness Development Plan, that users, administrators, persons holding security roles and suppliers are informed of their responsibilities and of the security policy by means of input and regular training;
(d) provide regular training for persons holding security roles in accordance with the Security Awareness Development Plan, based on the current needs of the obliged entity in the field of cyber security;
(e) ensure, in accordance with the Security Awareness Development Plan, regular training and verification of the security awareness of staff in accordance with their job duties;
(f) ensure monitoring of compliance with security policy by users, administrators and persons representing security roles;
(g) in the event of termination of a contractual relationship with administrators and persons holding security roles, ensure that responsibilities are transferred;
(h) assess the effectiveness of the security awareness development plan, of the training and of other activities related to the improvement of security awareness; and
(i) identify rules and procedures for dealing with breaches by users, administrators and persons representing security roles.
(2) The mandatory person shall keep a summary of the training referred to in paragraph 1 containing the subject matter of the training and the list of persons who have received the training.
Operations and communications management
(1) The obliged person shall, in the context of operations and communications management, ensure the secure operation of the information and communication system and lay down operational rules and procedures which include in particular:
(a) the rights and obligations of administrators, users and persons representing security roles;
(b) procedures for system start-up and shutdown, for restart or recovery after a failure, and for handling fault conditions or exceptional events;
(c) procedures for monitoring cyber security incidents and measures to protect access to alerts on such incidents;
(d) rules and procedures for protection against harmful code;
(e) management of technical vulnerabilities;
(f) contact persons responsible for system and technical support;
(g) procedures for managing and approving operational changes;
(h) procedures for monitoring, planning and managing human and technical resources;
(i) rules and procedures for the protection of information and data throughout the life cycle;
(j) rules and procedures for the installation of technical assets;
(k) carrying out regular backups and verifying the usability of the backups made; and
(l) rules and procedures for ensuring the security of network services.
(2) In the context of operations and communications management, the obliged person shall comply with the rules and procedures laid down in accordance with paragraph 1 and shall update those rules and procedures in the light of changes implemented or planned.
(3) The obliged person shall ensure the separation of the development, testing and production environments.
Regulation Information
| Item | Value |
|---|---|
| Citation | Decree No. 82/2018 Coll., on security measures, cyber security incidents, reactive measures, procedural requirements in the field of cyber security and data destruction (Regulation on cyber security) |
| Regulation Type | - |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 28.05.2018 |
| Effective from | 28.05.2018 |
| Effective until | - |
| Status | Valid |