Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication

 
Legal Framework on Information Security
Ministry of Trade, Tourism and Telecommunication
Nebojša Vasiljević
Relevant EU Legislation (1)

Regulation No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency [32004R0460]
Council Decision 2004/541/EC of 5 July 2004 on the three stakeholders’ representatives and their alternates to the Management Board of the European Network and Information Security Agency [32004D0541]
Council Decision 92/242/EEC of 31 March 1992 in the field of security of information systems (OJ L 123, 8.5.1992, p. 19–25) [31992D0242]
Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security (OJ C 43, 16.2.2002, p. 2–4) [32002G0216(02)]
Council Resolution of 18 February 2003 on a European approach towards a culture of network and information security (OJ C 48, 28.2.2003, p. 1–2) [32003G0228(01)]
Council Resolution of 22 March 2007 on a Strategy for a Secure Information Society in Europe (OJ C 68, 24.3.2007, p. 1–4) [32007G0324(01)]
 
Relevant EU Legislation (2)

Commission Communication (COM/2006/0251 final): A strategy for a Secure Information Society – “Dialogue, partnership and empowerment”
Commission Communication on Critical Information Infrastructure Protection (COM/2009/0149 final): "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience"
Commission Communication on Critical Information Infrastructure Protection (COM/2011/0163 final): ‘Achievements and next steps: towards global cyber-security’
Directive 2002/21/EC of the European Parliament and of the Council on a common regulatory framework for electronic communications networks and services (Framework Directive)
Commission Communication COM(2001) 298 final on Network and Information Security: A proposal for A European Policy Approach [52001DC0298]
Regulation (EC) No 1007/2008 of the European Parliament and of the Council of 24 September 2008 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration [32008R1007]
Regulation (EU) No 580/2011 of the European Parliament and of the Council of 8 June 2011 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration [32011R0580]
Proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union (COM(2013) 48 final, 7/2/2013, EN)
 
National Policy Framework

Development Strategy for Information Society in the Republic of Serbia by 2020
National Security Strategy of the Republic of Serbia
Strategy on Development of Electronic Communications in the Republic of Serbia for the period 2010-2020
Defense Strategy of the Republic of Serbia
Action Plan (2013-2014) on Implementation of the Development Strategy for Information Society in the Republic of Serbia by 2020
Action Plan (2013-2014) on Implementation of the Strategy on Development of Electronic Communications in the Republic of Serbia for the period 2010-2020
 
National Legal Framework

Law on Electronic Communications
Law on Personal Data Protection
Law on Electronic Signature
Law on Electronic Document
Law on the organization and competences of the state authorities for the fight against cybercrime
Criminal Code
Criminal Procedure Code
Law on Defense
The Decision on the determination of large technical systems important for defense
Law on Ratification of the Convention on Cybercrime
Law on ratification of the CoE Convention on Cybercrime and Law on ratification of its Additional Protocol concerning the criminalization of acts of a racist and xenophobic nature committed through computer systems
Regulation on Specific Measures for Protection of Classified Information in Information-Communications Systems
 
Institutional Framework

Ministry of Trade, Tourism and Telecommunications
Ministry of Interior
Ministry of Defense
Ministry of Public Administration and Local Self-Government
Ministry of Justice
Administrative Agency for Joint Services of Government Authorities
The Academic Network of the Republic of Serbia
Regulatory agency for electronic communications and postal service
Higher Court in Belgrade
Commissioner for Information of Public Importance and Personal Data Protection
Special Prosecutor’s Office for Fight Against High-Tech Crime
Office of the Council on National Security and Classified Information Protection
Intelligence agencies (Security-Information Agency, Military Security Agency and Military Intelligence Agency)
 
    
Development Strategy for Information Society in the Republic of Serbia by 2020

Information security priority fields:
Legal and institutional framework
Critical infrastructure protection
Fight against cybercrime
Scientific, research and development work
 
Improvement of legal and institutional framework

The existing legal framework needs to be improved in these matters:
Legislation: adopting relevant laws, setting out standards and areas of Information Security, as well as the functions of some institutions
Institutions: responsible for tasks relating to verification and certification methods, software applications, devices and systems, R&D, and oversight of the implementation of IS standards by state authorities
National CERT (Computer Emergency Response Team)
 
Activities relating to adoption of the Law on Information Security

An interdepartmental working group has been set up. Its task is to draft the Law on Information Security:
Defining a national authority responsible for regulating the Information Security area, its activities and competences
Setting out standards and procedures at the national level and determining the role of other state authorities
Establishing a CERT at the national level
 
Legal institutional framework: CERT (1)

Currently there is no established national CERT in Serbia. There are many institutions with departments whose tasks are connected to CERT functions:
Administrative Agency for Joint Services of Government Authorities (AAJS): the main datacenter, network backbone and Internet gateway for State Authorities are managed by AAJS, which has a department that performs the tasks of managing security risks in the information-communication systems of public administration bodies, protecting the public administration network and data, and cooperation and coordination related to information security;
Institutions’ ICT departments: many institutions have their own ICT departments, datacenters and/or computer networks (for example: Ministry of Defense, Ministry of Foreign Affairs, Ministry of Finance, National Tax Agency, Ministry of Interior, Ministry of Justice, Security Information Agency, etc.)
 
 
Legal institutional framework: CERT (2)

The Academic Network of the Republic of Serbia (AMRES) performs the CERT activities for the educational and scientific-research institutions in the Republic of Serbia.
The AMRES CERT team has been listed in the TERENA “Trusted Introducer” Service since May 2011.
The AMRES team has the status of a listed team, which provides basic information about the team itself and shows endorsement of the team by the TI community.
AMRES-CERT team members participated in TERENA’s TRANSITS-I and TRANSITS-II trainings in 2012, which were held with the financial support of ENISA, and gained relevant knowledge for working in an efficient CERT environment.
 
Legal institutional framework: Obligations of operators

Obligations of operators in accordance with the Law on Electronic Communications:
At the request of the regulatory body (RATEL), the operator shall supply all necessary data and information of relevance for ensuring the protection of personal data and privacy of users, and for the assessment of the security and integrity of electronic communications networks and services, including the implementation of policies on security, continuity of work and data protection
Operators are obligated to implement adequate technical and organizational security measures
In case of a particular risk of violation of the security and integrity of public communication networks and services, the operator should inform subscribers of such risks and, where the risk lies outside the scope of measures to be taken by the operator, of possible means of protection and the costs related to implementing these measures
 
Legal institutional framework: Obligations of operators

Article 125 of the Law on Electronic Communications: the operator shall inform the Regulatory agency for electronic communications and postal service (RATEL) of any violations of the security and integrity of public communications networks and services that significantly affected their operation, and particularly of violations that caused an infringement of the personal data protection or privacy of subscribers or users.
RATEL shall be authorized to inform the public of the infringement of security and integrity, or to require the operator to do so itself, when it assesses that publication of such information is in the public interest.
 
Fight against cybercrime: Criminal Code

The Criminal Code includes the following criminal offences against information systems:
damaging computer data and programs (art. 298)
computer sabotage (art. 299)
creating and introducing computer viruses (art. 300)
computer fraud (art. 301)
unauthorized access (art. 302)
preventing or restricting access to a public computer network (art. 303)
unauthorized use of a computer (art. 304)
making, purchasing and giving for use tools for committing criminal offences against the security of computer data (art. 304a)
child pornography (art. 185)
grooming (art. 185b)
criminal offences against intellectual property (art. 198 to 202)
 
Fight against cybercrime
Institutional framework
 
Ministry of Interior - Department for Cyber Crime
 
Higher Court in Belgrade
 
Special Prosecutor’s Office for Fight Against High-Tech Crime
 
Critical Infrastructure Protection (1)

Critical Information Infrastructure Protection is covered by different strategies and laws.
Development Strategy for Information Society:
It is necessary to develop and improve protection against attacks that arise from the use of information technologies against critical infrastructure systems; besides the ICT systems themselves, these may also be other infrastructure systems that are managed by relying on ICTs, such as the electrical and energy system
The National Security Strategy:
identifies risks from cyber crime
emphasizes the importance of building an ICT security system within the national security system
emphasizes capacity building, education, timely collection and sharing of data and information, coordination of security services and strengthening of their organizational, human and material resources
 
Critical Infrastructure Protection (2)

Law on Defense:
defines that large technical systems in telecommunications and information technology are required to comply with the defense requirements of the country

The Decision on the determination of large technical systems important for defense:
defines large telecommunication systems important for defense purposes

Liaison officer at the European Defense Agency and programs regarding cyber security and critical information infrastructure protection
 
Scientific, Research & Development Work

Development Strategy for Information Society in the Republic of Serbia by 2020:
The dynamic changes linked to the challenges in the area of information security lead to the need to constantly introduce new protection methods and measures in this area
The need to follow the latest international achievements in the area of information security, through international cooperation
Cryptographic techniques are the basis for establishing information security, and weaknesses in these techniques directly undermine information security mechanisms. The security level of cryptographic techniques, as a rule, erodes with the passage of time due to the constant progress made in methods for compromising practically all cryptographic techniques. This is why it is important to constantly maintain research and development of new cryptographic techniques, as well as to constantly re-examine the existing ones.
 
International cooperation: SEENSA workgroup

At the second conference of the Southeastern Europe National Security Authorities, the SEENSA cyber defense thematic workgroup was established.
The goal of the workgroup is to form a common concept of cyber defense and to produce relevant documents with instructions for regulating the cyber defense area.
The Serbian NSA participated in the third conference on information security and cyber defense, “ISCD 2013”, in Hungary.
 
International cooperation

Serbia is a member of ITU and IMPACT
The AMRES CERT team has been listed in the TERENA “Trusted Introducer” Service since May 2011
 
Thank you for your attention
The legal framework on information security in the Ministry of Trade, Tourism, and Telecommunication, outlined by Nebojša Vasiljević, includes relevant EU legislation such as Regulation No. 460/2004 and Council decisions on network and information security. The EU legislation covers various aspects of information security, including critical infrastructure protection, a common regulatory framework for electronic communications, and measures to ensure a high level of network security across the Union. The framework emphasizes collaboration, dialogue, partnership, and empowerment to enhance preparedness, security, and resilience against cyber threats.


Uploaded on Sep 09, 2024 | 1 Views


