Act 50 of 2013 on the electronic information security of state and local government organisations comes into effect on 1 July 2013. The Act is a long-awaited, complementary regulation with normative force on the protection of the IT systems of state and local government organisations and of the national data assets falling under its scope.

The Act builds on the foundations of several earlier, non-mandatory recommendations (KIB recommendations 25 and 28) and on standards reflecting market best practice (COBIT, ISO 27001). It formulates the general expectation that electronic information systems must, throughout their whole lifecycle, implement and ensure measures that guarantee the confidentiality, availability and integrity of the data and information processed by the systems under the Act's scope, and that the protection of the integrity and availability of the electronic information system itself and of its elements must be closed, full-scale and risk-proportional.

To achieve compliance with these general criteria, organisations are required to define and implement the protective control measures laid down in the specific ruling for logical, physical and administrative protection. The executional ruling referred to as the specific ruling is currently being drafted.
The Act mandates compliance with the following requirements for the organisations affected:
- Electronic information systems must be classified into security classes (on a scale from 1 to 5) according to the risk of compromise to the confidentiality, integrity and availability of the data they handle. The classification must be approved by the head of the organisation, who is also responsible for its regulatory compliance, for risk-proportional protection, and for the completeness and accuracy of the data handled.
- Should the organisation discover a deficiency in the classification of its electronic information system, the action plan for resolving the deficiency must be completed within 90 days of the audit.
- The organisation itself must be classified into a security level on the basis of the preparedness and protection of its electronic information systems, using the criteria defined in the specific ruling.
- If the security level found by the audit is lower than the level required for the organisation, the organisation must, within 90 days of the audit, produce an action plan to reach the higher security level. Where this is required, the organisation must complete the action plan, and thus reach the higher security level, within 2 years. If more than one level must be ascended, 2 years are allowed for each level.
Other requirements assigned to the head of the organisation (IT security policy, IT security strategy, publication of the IT security rulebook, periodic risk assessment, etc.) are defined in Section 11 (1) of the Act.
To comply with the above requirements, the Act sets the following deadlines. The classification of the organisation's already operational electronic information systems, and of the organisation itself, must be completed within 1 year of the Act coming into effect. The data needed to identify the organisation, and the personal identification data of the person responsible for the security of the organisation's electronic information systems, must be supplied to the authority within 60 days of the Act coming into effect. The IT security policy must be supplied to the authority within 90 days of the Act coming into effect. These data are collected for the purpose of compiling an inventory.
The PCP application, developed by PR-AUDIT Ltd, supports the classification of the organisation and of its electronic information systems in compliance with the Act, as well as the quick, effective and substantive completion of the assessments the classification requires. An organisation's security measures depend fundamentally on the data it handles and on the security classification of its infrastructure, so accurately defining the security classes on the basis of the real risk classification of the specific information or infrastructure is of utmost importance.
Functions of the PCP framework (the framework contains the functions required by KIB 28, which is the foundation of the executional ruling):
- Recording data classes in accordance with KIB recommendation 28, using the CIA (confidentiality, integrity, availability) model
- Process assessment and dependency inspection
- Conducting business impact analysis
- Completion of data asset inventory and data classification, assigning data classes to IT systems
- Classification of electronic information systems (on the basis of confidentiality, integrity and availability)
- Testing compliance with the technological requirements of each security level, i.e. determining the actual security level of electronic information systems and their deficiencies
- Completion of action plans to achieve compliance with the required security levels
- Definition of the organisation's required security class: SECURITY CLASS(organisation) = max over i of SECURITY CLASS(electronic information system i), i = 1..n
- Assessment of the factual security level of the organisation
- Completion of action plans for achieving compliance with required security level
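The classification chain listed above (data classes per CIA dimension, system class by the high water mark principle, organisation class as the maximum over its systems, then the gap to the audited level and the 2-years-per-level horizon) can be worked through in a few lines. The following is an added illustration written for this page, not code from the PCP framework or from PR-AUDIT Ltd; the data assets, systems and audited levels are constructed sample values, and the assumption that a system's required security level equals its computed security class is the example's own, since the specific ruling that fixes the level requirements is not yet available.

```python
from dataclasses import dataclass

# Security classes and levels use the Act's 1..5 scale.
MIN_CLASS, MAX_CLASS = 1, 5


@dataclass(frozen=True)
class DataAsset:
    """One entry of the data asset inventory with its C/I/A data classes."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self):
        for value in (self.confidentiality, self.integrity, self.availability):
            if not MIN_CLASS <= value <= MAX_CLASS:
                raise ValueError(f"{self.name}: data class {value} outside {MIN_CLASS}..{MAX_CLASS}")


@dataclass(frozen=True)
class InfoSystem:
    """An electronic information system, the data assets it handles and the
    security level the audit actually found for it (hypothetical field)."""
    name: str
    assets: tuple
    audited_level: int


def system_class(system):
    """High water mark: the class of a system in each CIA dimension is the
    highest class of any data it handles; the overall class is the highest
    of the three dimensions."""
    conf = max(asset.confidentiality for asset in system.assets)
    integ = max(asset.integrity for asset in system.assets)
    avail = max(asset.availability for asset in system.assets)
    return {"C": conf, "I": integ, "A": avail, "overall": max(conf, integ, avail)}


def organisation_class(systems):
    """SECURITY CLASS(organisation) = max over i of SECURITY CLASS(system_i)."""
    return max(system_class(s)["overall"] for s in systems)


def deficient_systems(systems):
    """Systems whose audited level is below their required class (assumed
    equal to the computed class): each needs an action plan within 90 days
    of the audit. Returns (name, required, audited) triples."""
    return [
        (s.name, system_class(s)["overall"], s.audited_level)
        for s in systems
        if s.audited_level < system_class(s)["overall"]
    ]


def action_plan_horizon(required, actual, years_per_level=2):
    """Levels still to be ascended and the total time the Act allows for
    the action plan (2 years per level)."""
    levels = max(0, required - actual)
    return {"levels": levels, "years": levels * years_per_level}


# Constructed sample inventory: two systems, one of them under-protected.
SAMPLE_SYSTEMS = (
    InfoSystem(
        name="citizen-registry",
        assets=(
            DataAsset("personal records", 4, 4, 3),
            DataAsset("public office hours", 1, 2, 2),
        ),
        audited_level=2,
    ),
    InfoSystem(
        name="public-portal",
        assets=(DataAsset("published decrees", 1, 3, 4),),
        audited_level=4,
    ),
)


if __name__ == "__main__":
    for system in SAMPLE_SYSTEMS:
        print(system.name, system_class(system))
    print("organisation class:", organisation_class(SAMPLE_SYSTEMS))
    for name, required, audited in deficient_systems(SAMPLE_SYSTEMS):
        print(name, "needs action plan:", action_plan_horizon(required, audited))
```

Running it shows why the high water mark matters in practice: the registry's single class-4 record set pulls the whole system to class 4 even though most of its data is class 1 or 2, and because the registry is the organisation's highest-classed system, the organisation itself is required at class 4.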
Advantages of the use of the framework:
- Use of the framework significantly facilitates the SUBSTANTIVE conduct of the legally required audits. One difficulty in completing the classification is that large quantities of incoming data must be compared (for example, the system's classification must be derived from the classification of the data handled in the IT system according to the high water mark principle). Querying such correlations is greatly facilitated by the relational database used to organise the data.
- Assessing compliance with technological security levels uses complex matrices which, without software support, demands large amounts of resources
- Review and maintenance can be completed in a resource-conserving manner
- Supplying data to supervisory authorities in systematic, organised and methodologically supported ways.
- PR-AUDIT Ltd is willing to provide full-scale support in conducting assessments and classifications, in implementing the system, in providing training, and in taking on advisory tasks throughout all of these processes.