The Information Security Act: a Challenge to the IT Industry (panel)
Mr. sc. Aleksandar Klaić, dipl. ing., Ured Vijeća za nacionalnu sigurnost (UVNS)
Dr. sc. Miroslav Mađarić, dipl. ing., INA Industrija nafte d.d.
Stanko Cerin, S&T Group d.d.
The Information Security Act – a challenge to the Information Technology Industry
Mr. sc. Aleksandar Klaić, dipl. ing., Ured Vijeća za nacionalnu sigurnost (UVNS)
Information Security Act (NN 79/2007)
o The Act focuses on the classified and unclassified data of the state administration
o Main directions in which the Act operates:
  o Direct
    o State bodies in the broader sense: national standards, central state bodies for information security
  o Indirect
    o Business entities: cooperation with state bodies, international classified work (EU, NATO)
  o Strategic
    o The information society as a whole: National CERT, national standardization
Meaning of the new Croatian legislation – information security context
o Information Security Act (07/2007):
  o Nation-wide regulation framework: security policy (Government Regulation, NSA and NCSA Ordinances, Guidelines, …)
  o Nation-wide institutional framework (NSA/DSA umbrella body and technical NCSA/SAA/NDA body as state authorities, National CERT as public authority, CIS P&I bodies, CISO/LISO)
  o The final aim is to cover in an appropriate way all three pillars of authority (executive, parliament and judiciary) and both national and local government
o Data Secrecy Act (07/2007):
  o Contemporary definitions of the classified and unclassified data domains
  o Fundamental principles of data security for a nation-wide approach (need-to-know, PSC, data owner, four-grade damage-based classification, …)
Information Security Act
o Principles of data protection with a view to the development of the information society in Croatia:
o Comprehensive information security regulation framework for sub-Acts (Government Regulations, NSA and NCSA Ordinances, Guidelines, …)
o Responsible bodies and a prescribed time period for the regulation to enter into force
o Five security areas (Personnel, Physical, Industrial Security, INFOSEC, Security of Information) coordinated at national level with a view to complying with NATO/EU security policy
o Main national authorities: NSA, NCSA (Security Sector)
o Establishment of the National CERT (Public, Academic Sector)
o Defined roles of: SAA, NDA, DSA, CIS P&I, CISO/LISO
o Interrelations among the national authorities that have defined roles
Conceptual Issues Addressed by the Information Security Act
o Data Owner and Infrastructure Owner
o Interoperability issue
  o Organizational
  o Semantic
  o Technical
o Information security concepts and requirements in the foundation of the information society
o Standardization of the ICT and information security field
  o ISO/IEC and Croatian National Standards from 2006
o UNCLASSIFIED and RESTRICTED infrastructure versus public and Internet infrastructure
  o NRoI – NATO
  o s-TESTA – EU
  o HITRONET – Croatia
Information Security – Process View
Information Security - Organizational View
Information Security - Regulation View
Information Security in INA d.d. Dr. sc. Miroslav Mađarić, dipl. ing. INA Industrija nafte d.d.
The ZoIS (Information Security Act) and INA
This Act primarily does NOT apply to INA, d.d., but only in the part concerning:
o "Legal and natural persons who gain access to or handle classified and unclassified data."
o E.g.: the role in commodity and war reserves, the country's defence preparations, exploration results (subsurface and reserves), …
o But:
  o There is no obstacle to applying the ZoIS in INA as internal regulation
  o We particularly expect benefit from the Regulation on measures and the associated standards.
  o It is aligned with our projects.
Evolution of the view on information security
Gartner CIO survey, information security rankings:
  Business priorities (outcome): 7, 2, 1
  Technology priorities (tools): 2, 1, n.a.
Explanation: 3-5 years ago severe security breaches happened … in between, IT fixed them through governance and tools … thus business no longer has it in focus … but IT has to take care of everyday operation by using tools.
INA major information security activities
o Last severe security crisis: mid (“Blaster”)
o Security incidents: 2Q2007: Q2007: 905
o Start of ISOP (Information Security Outsourcing Project), June 2007 (King, S&T) … covering all three main areas: Confidentiality, Integrity, Accessibility, according to ISO
Stanko Cerin, CISA, CISM, CBCP S&T Grupa d.o.o.