Legal Framework on Information Security Ministry of Trade, Tourism and Telecommunication Nebojša Vasiljević
Relevant EU Legislation (1) Regulation No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency 32004R0460 Council decision 2004/541/EC of 5 July 2004 on the three stakeholders’ representatives and their alternates to the Management Board of the European Network and Information Security Agency 32004D0541 Council Decision 92/242/EEC of 31 March 1992 in the field of security of information systems(OJ L 123, , p. 19–25) 31992D0242 Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security (OJ C 43, , p. 2–4) 32002G0216(02) Council Resolution of 18 February 2003 on a European approach towards a culture of network and information security (OJ C 48, , p. 1–2) 32003G0228(01) Council Resolution of 22 March 2007 on a Strategy for a Secure Information Society in Europe (OJ C 68, , p. 1–4) 32007G0324(01)
Relevant EU Legislation (2) Commission Communication /* COM/2006/0251 final */A strategy for a Secure Information Society - “Dialogue, partnership and empowerment” Commission Communication Commission Communication on Critical Information Infrastructure Protection -/* COM/2009/0149 final */ "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" Commission Communication on Critical Information Infrastructure Protection ‘Achievements and next steps: towards global cyber- security’* COM/2011/0163 final */ Commission Communication on Critical Information Infrastructure ProtectionCommission Communication on Critical Information Infrastructure Protection Directive 2002/21/EC of the European Parliament and of the Council on a common regulatory framework for electronic communications networks and services (Framework Directive) Directive 2002/21/EC Commission Communication COM(2001) 298 final on Network and Information Security: A proposal for A European Policy Approach 52001DC0298 Commission Communication Regulation (EC) No 1007/2008 of the European Parliament and of the Council of 24 September 2008 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration 32008R1007 Regulation (EC) No 1007/2008 Regulation (EU) No 580/2011 of the European Parliament and of the Council of 8 June 2011 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration 32011R0580 Regulation (EU) No 580/2011 Proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union - COM(2013) 48 final - 7/2/ EN
National Policy Framework Development Strategy for Information Society in the Republic of Serbia by 2020 National Security Strategy of the Republic of Serbia Strategy on Development of Electronic Communications in the Republic of Serbia for period Defense Strategy of the Republic of Serbia Action Plan ( ) on Implementation of the Development Strategy for Information Society in the Republic of Serbia by 2020 Action Plan ( ) on Implementation of the Strategy on Development of Electronic Communications in the Republic of Serbia for period
National Legal Framework Law on Electronic Communications Law on Personal Data Protection Law on Electronic Signature Law on Electronic Document Law on the organization and competences of the state authorities for the fight against cybercrime Criminal Code Criminal Procedure Code Law on Defense The Decision on the determination of large technical systems important for defense Law on Ratification of the Convention on Cybercrime Law on ratification of the CoE Convention on Cybercrime and Law on ratification of its Additional Protocol concerning the criminalization of acts of a racist and xenophobic nature committed through computer system Regulation on Specific Measures for Protection of Classified Information in Information- communications Systems
Institutional Framework Ministry of Trade, Tourism and Telecommunications Ministry of Interior Ministry of Defense Ministry of Public Administration and Local Self-Government Ministry of Justice Administrative Agency for Joint Services of Government Authorities The Academic Network of the Republic of Serbia Regulatory agency for electronic communications and postal service Higher Court in Belgrade Commissioner for Information of Public Importance and Personal Data Protection Special Prosecutor’s Office for Fight Against High-Tech Crime Office of the Council on National Security and Classified Information Protection Intelligence agencies (Security-Information Agency, Military Security Agency and Military Intelligence Agency)
Development Strategy for Information Society in the Republic of Serbia by 2020 INFORMATION SECURITY PRIORITY FIELDS LEGAL AND INSTITUTIONAL FRAMEWORK CRITICAL INFRASTRUCTURE PROTECTION FIGHT AGAINST CYBERCRIME SCIENTIFIC, RESEARCH AND DEVELOPMENT WORK
Improvement of legal and institutional framework The existing legal framework needs to be improved in these matters: Legislation – adopting relevant laws, setting out standards and areas of Information Security, as well as functions of some institutions Institutions – responsible for tasks relating to verification and certification methods, software application, devices and systems, R&D and oversight of the IS standards implementation by state authorities National CERT – Computer Emergency Response Team
Activities relating to adoption of Law on Information Security An interdepartmental work group has been set up Its task is to draft Law on Information Security Defining a national authority responsible for regulating Information Security area, its activities and competences Setting out standards and procedures at the national level and determine role of other state authorities Establishing CERT at national level.
Legal institutional framework CERT (1) Currently there is no estabilished national CERT in Serbia. There are many institutions which have departments which tasks are connected to CERT functions: Administrative Agency for Joint Service of Government Authorities – the main datacenter, network backbone and Internet gateway for State Authorities are managed by AAJS, which has department which performs the tasks of managing security risks in information-communication systems of public administration bodies, protecting the public administration network and data, cooperation and coordination related to information security; Institution`s ICT departments – many institutions have their own ICT departments, datacenters and/or computer network (for example: Ministry of Defense, Ministry of Foreign Affairs, Ministry of Finance, National Tax Agency, Ministry of Interior, Ministry of Justice, Security Information Agency etc.)
Legal institutional framework CERT (2) The Academic Network of the Republic of Serbia (AMRES) performs the CERT activities for the educational and scientific-research institutions in the Republic of Serbia. AMRES CERT team has been listed in TERENA “Trusted Introducer” Service since May AMRES team has a status of listed team, which provides basic information about the team itself as well as shows endorsement of the team by the TI community. AMRES-CERT team members participated in the TERENA’s TRANSITS-I and TRANSITS-II trainings in 2012 which are held with the financial support of ENISA and gained relevant knowledge to work in the efficient CERT environment.
Legal institutional framework Obligations of operators Obligations of operators in accordance with the Law on Electronic Communications: At the request of the regulatory body (RATEL), the operator shall supply all necessary data and information of relevance for ensuring the protection of personal data and privacy of users, and assessment of security and integrity of electronic communications networks and services, including the implementation of policies on security, continuity of work and data protection Operators are obligated to implement the adequate technical and organizational security measures In case of a particular risk related to violation of the security and integrity of public communication networks and services, the operator should inform subscribers of such risks and, in case the risk lies outside the scope of measures to be taken by the operator, of possible means of protection and costs related to the implementation of these measures
Legal institutional framework Obligations of operators Ariticle 125. of Law on Electronic Communications: operator shall inform Regulatory agency for electronic communications and postal service (RATEL) of any violations of security and integrity of public communications networks and services, that significantly affected their operation, and particularly on violations that caused infringement of the personal data protection or privacy of subscribers or users RATEL shall be authorized to inform the public on the infringement of security and integrity or to require from the operator to do it himself, when it assesses that publication of such information is in the public interest.
Fight against cybercrime Criminal Code In the Criminal Code are included criminal offences against information systems: damaging computer data and programs (art. 298) computer sabotage (art. 299) creating and introducing computer viruses (art. 300) computer fraud (art. 301) unauthorized access (art. 302) preventing or restricting access to a public computer network (art. 303) unauthorized use of a computer (art. 304) Making, purchasing and giving for use tools for committing criminal offences against security of computer data (art.304 a) child pornography (art. 185) grooming (art. 185b) criminal offences against intellectual property (art. 198 to 202)
Fight against cybercrime Institutional framework Ministry of Interior - Department for Cyber Crime Higher Court in Belgrade Special Prosecutor’s Office for Fight Against High-Tech Crime
Critical Infrastructure Protection (1) Critical Information Infrastructure Protection is covered by different strategies and laws. Development Strategy for Information Society: It is necessary to develop and improve protection from assaults that arise from the use of information technologies on critical infrastructure systems, in addition to the ICT systems themselves, it could be also the other infrastructure systems that are managed by relying on ICTs, such as the electrical and energetic system The National Security Strategy: identifies risks from cyber crime emphasizes importance of building ICT security system through a system of national security emphasizes capacity building, education, timely collection and sharing of data and information, coordination of security services and strengthen their organizational, human and material resources
Critical Infrastructure Protection (2) Law on Defense: defines that large technical systems in telecommunications and information technology are required to comply with the defense requirements of the country The Decision on the determination of large technical systems important for defense: defines large telecommunication systems important for defense purpose Liaison officer in European Defense Agency and programs regarding Cyber security and Critical information infrastructure protection
Scientific, Research & Development Work Development Strategy for Information Society in the Republic of Serbia by 2020: The dynamic changes linked to the challenges in the area of information safety, which leads to the necessity to constantly introduce new protection methods and measures in this area The necessity to follow the latest achievements in the area of information safety internationally, through the international cooperation Cryptographic techniques are the basis for establishing information safety and the weaknesses of these techniques are directly violating the information safety mechanisms. The safety levels of cryptographic techniques is, as a rule, wearing off with the passage of time due to the constant progress made in the methods for compromising practically all the cryptographic techniques. This is why it is important to constantly maintain research and development of new cryptographic techniques, as well as to constantly re-examine the existing ones.
International cooperation SEENSA workgroup On the second conference of Southeastern Europe National Security Authorities, it is established the cyber defense thematic workgroup SEENSA It is defined that the goal of workgroup is to form common concept of cyber defense and to product relevant documents with the instructions for regulating the cyber defense area Serbian NSA participated on the third conference about information security and cybernetic defense “ISCD 2013” in Hungary
International cooperation Serbia is a member of ITU and IMPACT AMRES CERT team has been listed in TERENA “Trusted Introducer” Service since May 2011
Thank you for your attention