316/2014 Sb.
DECREE
of 15 November 2004. December 2014
on safety measures, cyber security incidents,
reactive measures and the determination of the requirements for filing in the field
Cyber Security (Decree on Cyber Security)
The National Security Bureau determined in accordance with § 28 para. 2 of law No 181/2014
Coll., on cyber security and amending related laws (the law on the
Cyber Security), (hereinafter referred to as the "Act") to implement paragraph 6 (a). and)
to c), § 8 para. 4, § 13 para. 4 and § 16 para. 6 of the Act.
PART THE FIRST
INTRODUCTORY PROVISIONS
§ 1
The subject of the edit
This Decree lays down the content and structure of the safety documentation
for information system critical information infrastructure, communication
the system of critical information infrastructure or significant information
system, the content of the security arrangements, the extent of their establishment, types and
categories of cyber security incidents, essentials and method
Cyber security incident reporting requirements, notice of
implementation of reactive measures and its result and notification pattern
contact information and its form.
§ 2
Definition of terms
In this Ordinance means
and information security management system) part of the authority and the control system
the persons referred to in paragraph 3 (b). (c) to (e)) of the Act) based on access to
risks information system critical information infrastructure,
communication of critical information infrastructure or
significant information system, which provides for the establishment of the method,
the implementation, operation, monitoring, reviewing, maintaining and improving
information security,
(b) the primary asset and asset) supporting an asset
(c)) the primary asset of information or a service that processes or
the information system provides the critical information infrastructure,
communication system critical information infrastructure or significant
information system,
(d) technical support asset an asset), employees and vendors
involved in the operation, development, administration, or security information
critical information infrastructure system, communication system
critical information infrastructure or significant information
the system,
e) technical asset technical equipment, means of communication and
software information system critical information
infrastructure, communication of critical information
infrastructure or significant information system and objects, in
These systems are located,
(f)), that a certain risk option threat exploits the vulnerability of information
critical information infrastructure system, communication system
critical information infrastructure or significant information system
and causes damage to assets,
g) risk assessment process that is determined by the significance of the risks and
their acceptable level,
h) risk management activities involving risk assessment, selection and implementation
measures for risk management, sharing of information on risk and monitoring and
a review of the risks,
even the threat of a potential cause of cyber) security incident
or cyber security incident that results can be
damage to assets,
j) vulnerabilities vulnerability of an asset or security measure that
can be used in one or more threats,
to an acceptable risk the risk remaining) after application of safety
the measure, whose level corresponds to the criteria for the acceptability of the risks
l) safety policy of the set of principles and rules, which determine the way of
ensure the protection of the assets of the authority and a person referred to in paragraph 3 (b). c) to (e))
the law,
m) the guarantor assets of a natural person authorized by the authority or a person referred to
in paragraph 3 (b). (c)) to (e)) of the Act to ensure the development, use and safety
assets,
n) by natural or legal person or a public authority,
which uses the primary assets,
a natural person, the designated administrator) the guarantor assets to ensure
the management, operation, use, maintenance and safety of technical assets.
PART TWO
SECURITY MEASURES
TITLE I OF THE
ORGANISATIONAL MEASURES
§ 3
Information security management system
(1) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the act within the system
information security management
and) determined with regard to the assets and organizational safety and range
the boundaries of the information security management system, which will determine which
organisational components and technical elements of the safety management system
the information relates to,
b) manages risk pursuant to § 4 paragraph 2. 1,
(c)) creates and approves the security policy in the field of management system
information security, which contains the main principles, objectives, security
needs, rights and obligations in relation to the management of information security and
based on security needs, and the results of the risk assessment provides
security policy in other areas according to § 5, and put in place appropriate
security measures
(d)) to monitor the effectiveness of security measures
(e)) evaluates the appropriateness and effectiveness of the security policy under section 5,
(f) implementation of the audit) to ensure cyber security under section 15,
at least once a year,
(g) evaluate the effectiveness of the system) to ensure information security management,
that includes assessing the State of information security management system
including the revision of the risk assessment, the assessment of the results of checks carried out, and
Cyber security audits and impact of cyber security
incidents on the information security management system, and at least once
per year,
h) updates the information security management system and the
documentation on the basis of the findings of the audits, cyber security,
the results of the evaluation of the effectiveness of the information security management system and in
relation with implemented or planned changes and
I) controls the operation and information security management system of the source,
records the activities associated with information security management systems, and
risk management.
(2) the Authority and a person referred to in paragraph 3 (b). e) of the Act in the context of the management system
information security
and manage the risks), pursuant to section 4, paragraph 4. 2,
(b)) creates and approves the security policy in the field of management system
information security, which contains the main principles, objectives, security
needs, rights and obligations in relation to the management of information security and
based on security needs, and the results of the risk assessment provides
security policy in other areas according to § 5, and put in place appropriate
the safety measures and
(c)) performs an update report on the evaluation of assets and security risks
policy, risk management plan, and the plan for the development of safety awareness,
and at least once every three years, or in connection with, or
the planned changes.
§ 4
Risk management
(1) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act in the course of proceedings
risks
and methodology) identification and evaluation of assets and for
identification and assessment of risks including the establishment of criteria for the
the acceptability of the risks
(b) identifies and evaluates the importance of) assets which belong to the scope of the
the information security management system, pursuant to section 8, within the scope of Annex No. 1
This Decree shall introduce to the outputs and reports on the evaluation of the assets and
risks,
c) identifies the risk, take into account the threats and vulnerabilities,
assess the potential impact on the assets, assesses these risks at a minimum, to the extent
in accordance with Annex 2 to this Decree, establish and approve acceptable risks and
processes the message on the evaluation of the assets and risks,
d) processes based on security needs, and the results of the risk assessment
statement of applicability, which provides an overview of selected and
established security measures,
e) processes and establish a risk management plan that includes objectives and benefits
security measures for the management of risks, identification of the person providing
the enforcement of security measures for risk management, the necessary
financial, technical, human and information resources, the introduction of the term
and a description of the links between the risk and the relevant safety measures and
f) without undue delay, taking into account the reactive and protective measures issued by the
The National Security Office (hereinafter referred to as "the authority") in risk assessment and in
If the risk assessment updated about new vulnerabilities associated
with the realization of reactive or of a safeguard measure exceeds the established
criteria for the acceptability of the risks, make risk management plan.
(2) the Authority and a person referred to in paragraph 3 (b). e) of the Act in the context of risk management
and methodology) identification and evaluation of assets and for
identification and assessment of risks including the establishment of criteria for the
the acceptability of the risks
(b) identifies and evaluates the importance of) the primary assets that belong to the
the scope of the information security management system, in accordance with § 8 in at least
the scope of annex 1 to this notice, and to report on the implementation of the outputs
evaluation of the assets and risks,
c) identifies the risk, take into account the threats and vulnerabilities,
assess the potential impact on the primary assets, assesses these risks at a minimum,
to the extent referred to in annex 2 to this Decree, and processes the message about
evaluation of the assets and risks,
d) processes based on security needs, and the results of the risk assessment
statement of applicability, which provides an overview of selected and
established security measures,
e) processes and establish a risk management plan that includes objectives and benefits
security measures for the management of risks, identification of the person providing
the enforcement of security measures for risk management, the necessary
financial, technical, human and information resources, the dates of their
introduction and description of the links between the identified risks and the relevant
security measures and
f) without undue delay, taking into account the reactive and protective measures issued by the
Authority in risk assessment and in the case that the risk assessment updated
about new vulnerabilities associated with reactive or implementation
the measure exceeds the specified criteria for the acceptability of the risks, make up
risk management plan.
(3) risk management can be accomplished in other ways than as
provided for in paragraphs 1 and 2, where the authority and a person referred to in paragraph 3 (b).
(c)) to (e)) of the Act shall ensure that the measures to ensure the same or uses
a higher level of risk management.
(4) the Authority and a person referred to in paragraph 3 (b). c) to (e)) of the Act when evaluating the
considering in particular the risks these threats
and a violation of security policy) perform unauthorized activities,
abuse of privileges by users and administrators,
(b) damage or technical failure) or software,
(c) misuse of identity of a natural person),
d) use the software in violation of the license terms,
e) Cyber attack from a communications network
f) malicious code (such as viruses, spyware, Trojans)
g) shortcomings in the provision of services of the information system critical
information infrastructure, critical information communication system
infrastructure or significant information system,
h) breach physical security,
I) interruption of the provision of electronic communications services or supplies
electric power,
j) misuse or unauthorized modification of data,
to permanently acting and threats)
l) theft or damage to assets.
(5) the Authority and a person referred to in paragraph 3 (b). c) to (e)) of the Act when evaluating the
considering, in particular, the risk of vulnerability
and lack of protection outside the perimeter),
(b) insufficient security user awareness) and administrators,
c) inadequate maintenance information system critical information
infrastructure, communication of critical information
infrastructure or significant information system,
d) inappropriate setting access permissions,
(e) inadequate procedures for identifying) and detection of negative
security events, cyber security events and
Cyber security incidents,
(f) insufficient monitoring user activity) and administrators and
inability to reveal their inappropriate or objectionable behaviors and
(g) establishment of safety rules) inadequate, inaccurate, or
ambiguous definition of the rights and obligations of users, administrators, and
security roles.
(6) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act when evaluating the
the risks of further considering these threats
and a violation of security policy) perform unauthorized activities,
abuse of privilege by the administrators critical information
infrastructure,
b) misconduct on the part of employees,
(c) misuse of the internal resources) sabotage,
d interruption) long-term provision of electronic communications services,
the supply of electricity or other important services,
(e)) with the necessary professional staff shortages, levels
f) targeted cyber attack using social engineering, the use of
espionage techniques and
g) misuse of removable technical data media.
(7) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act when evaluating the
Furthermore, considering the risk of these vulnerabilities
and resource protection) insufficient critical information infrastructure,
b) inappropriate security architecture,
(c) the insufficient level of independent review) and
(d)) the inability of early detection of misconduct on the part of employees.
§ 5
Security policy
(1) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act provides for
security policy in the areas of
and information security management system),
(b) organizational, safety)
(c)), supplier relationship management,
(d) the classification of the assets)
e) safety of human resources,
f) traffic management and communications
g) access control,
h) secure user behaviour,
I) backup and recovery,
j) safe transmission and exchange of information,
to the management of the technical vulnerabilities)
l) safe use of mobile devices,
m) the provision and acquisition of licenses of software and information,
n) long-term storage and archiving information
o) privacy policy
p) physical security,
q) safety communications network
r) protection against malicious code,
s) deployment and use tools for the detection of cyber
security events,
t) use and maintenance of tools for the collection and evaluation of cyber
security events and
for) the use of cryptographic protection.
(2) the Authority and a person referred to in paragraph 3 (b). e) of the Act provides for the safety
policy in the areas of
and information security management system),
(b) organizational, safety)
(c)), supplier management,
(d) the classification of the assets)
e) safety of human resources,
f) traffic management and communications
g) access control,
h) secure user behaviour,
I) backup and recovery,
(j)) the provision of licences and the acquisition of software and information,
to) privacy policy,
l) the use of cryptographic protection,
m) protection against malicious code and
n) deployment and use of tools to detect Cyber
security events.
(3) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act on a regular basis
evaluate the effectiveness of the security policies, and updates it.
§ 6
Organizational security
(1) the Authority and a person referred to in paragraph 3 (b). (c) to (e))) the law shall establish the Organization
information security management, in the framework of the Management Committee which will determine the
Cyber-Security and security roles, and the rights and
obligations related to information system critical information
infrastructure, critical information communication system
infrastructure or significant information system.
(2) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act specifies security
the role of the
and) Cyber Security Manager,
b) Cyber Security Architect,
c) auditor and cyber security
(d)) the guarantor assets under section 2 (b). m).
(3) the Authority and a person referred to in paragraph 3 (b). (e) safety) determine the role
mutatis mutandis pursuant to paragraph 2.
(4) Cyber Security Manager is the person responsible for the system
information security management, which is trained for this activity and
Demonstrates competence in managing information security practice after
for at least three years.
(5) Cyber Security Architect is a person providing the design and
implementing security measures for this activity
trained and demonstrated competence in the design practice
security architecture for at least three years.
(6) the Auditor of a cyber-security is the person performing the audit
Cyber Security, which is trained for this activity and to demonstrate
the competence of the practice with the implementation of cyber security audits
for at least three years. Cyber security auditor performs
its role as an impartial and perform its role is separate from the performance of roles
referred to in paragraph 2 (a). a), b) or (d)).
(7) the Committee for the management of cyber security is an organized group
formed by persons who are responsible for the overall management and development of
information system critical information infrastructure, communication
of critical information infrastructure or significant information
system, or significantly involved in the management and coordination of activities
associated with cyber security of these systems.
(8) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act shall ensure that the technical
training of persons who hold a security role in line with the plan
the development of safety awareness in accordance with § 9 para. 1 (b). (b)).
§ 7
The determination of safety requirements for contractors
(1) the Authority and a person referred to in paragraph 3 (b). (c) to (e))) the law shall establish rules
for the vendor, which take into account the needs of information security management,
and taking into account the suppliers or other persons involved in the
development, operation, or to ensure the security of the information system
critical information infrastructure, critical communication system
the information infrastructure or significant information system. Range
the involvement of suppliers in the development, operation, or ensure the safety of
information system critical information infrastructure, communication
of critical information infrastructure or significant information
System proven documents the authority and a person referred to in paragraph 3 (b). (c))
to (e)) of the Treaty, which includes provisions on security
information.
(2) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act for suppliers
referred to in paragraph 1 on
a) before concluding the contract risk assessment carried out in accordance with Annex 2 to the
This Decree, which are connected with essential supplies,
(b)) enters into a service level agreement, which sets out the ways and levels
implementation of security measures, and determine mutual contractual relationship
responsibility for the implementation and control of the security measures, and
(c)) shall carry out periodic risk assessments and regular checks established
security measures for the services provided and the deficiencies found
Removes or in agreement with the supplier ensures their elimination.
§ 8
Asset management
(1) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act, in proceedings
the assets of the
and) identifies and records the primary assets,
(b)) specifies the guarantors of assets, who are responsible for the primary assets, and
(c) assesses the importance of the primary asset) in terms of confidentiality, integrity,
and availability, and assigns them to the individual levels at least in the range
According to annex 1 to this notice.
(2) in assessing the importance of the primary assets need to be particularly
to assess the
and the scope and importance of) personal data or business secrets
(b) the scope of the relevant legal obligations) or other obligations,
(c) the extent of the distortion of internal) management and control activities,
(d)), commercial or public damage economic interests,
e) possible financial loss,
f) extent of the distortion of the normal activities of the authority and a person referred to in paragraph 3 (b).
c) to (e)) of the Act,
g) impacts related to breaches of confidentiality, integrity, and availability and
h) impacts on maintaining the good name or reputation protection.
(3) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the law on
and identifies and records subsidiary) asset,
(b)) specifies the guarantors of assets, who are responsible for supporting assets, and
(c)) shall determine the links between primary and supporting assets and evaluate the consequences of the
dependencies between primary and supporting assets.
(4) the Authority and a person referred to in paragraph 3 (b). c) to (e)) of the law on
and) lays down rules of protection required for each level of security
assets by
1. determine the ways of distinguishing different levels of assets,
2. establishes rules for handling and recording of assets by level
assets, including rules for the safe electronic sharing and physical
transfer of assets and
3. lay down permissible methods of use of assets,
(b) the corresponding protection rules) establish the level of assets and
c) modalities for reliable deletion or destruction of the technical means of delivery
data with regard to the level of assets.
§ 9
Human resources safety
(1) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act, in proceedings
human resources security
and security development plan) provides for awareness, that contains the form,
the content and scope of the necessary training and determine the persons carrying out the implementation
each of the activities that are listed in the schedule,
(b)) in accordance with the development plan will ensure safety awareness lessons
users, administrators and persons holding a security role on the
their obligations, and security policy in the form of the input and
regular training,
(c)) shall ensure compliance with the security policy on the part of
users, administrators and persons holding a security role and
(d) the return of the entrusted assets) and removing access permissions
upon termination of the contractual relationship with users, Admins or people
zastávajícími security role.
(2) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act shall keep training
in accordance with paragraph 1, that contain overviews the subject of training and a list of
persons who have undergone training.
(3) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the law on
and lays down the rules for the determination of) person who will act as a safety
role, the role of administrators or users,
b) evaluate the effectiveness of the development plan of safety awareness, carried out
training and other activities connected with the deepening of the safety
awareness,
(c)) shall determine the rules and procedures to deal with cases of violations of the established
safety rules by users, administrators and people
holding a security role and
(d) a change of access privileges) when you change the status of the users,
Administrators or persons holding a security role.
§ 10
Traffic management and communications
(1) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act, in proceedings
traffic and communications by technical instruments referred to in section 21 to 23 of the
detects cyber security events, regularly evaluates the
the information obtained and the deficiencies observed reacts in accordance with § 13.
(2) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act, in proceedings
traffic and communications also ensures the safe operation of the information
critical information infrastructure system, communication system
critical information infrastructure and major information system.
To this end, establish operational rules and procedures.
(3) the operating rules and procedures of the authority and of the persons referred to in paragraph 3 (b). (c)), and
(d)) of the Act contain
and) the rights and obligations of persons holding a security role
Administrators and users,
(b)) the procedures for starting and stopping the running of the system to reboot or
restore the operation of the system after a failure and for the treatment of error conditions or
extraordinary phenomena,
(c)) the procedures for monitoring of cyber security incidents and for
protect access to the records of these activities,
d) connection to the contact person to whom they are intended as an aid in
unexpected system or solution to a technical problem,
e) management procedures and approval of operational changes and
f) the procedures for monitoring, planning and management capacity of human and
technical resources.
(4) the traffic control authority and a person referred to in paragraph 3 (b). (c) to (e)) of the Act)
consists in regular backups and verification of the applicability of
made backups.
(5) the traffic control authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act
lies in the
and Development Department), test and production environment,
(b) reactive measures) issued by that authority and the person
referred to in paragraph 3 (b). (c)), and (d)) of the Act
1. assess the expected impacts of reactive measures on information system
critical information infrastructure or communication system critical
information infrastructure and established security measures
evaluates the possible negative effects and without undue delay, notify the
The Office and the
2. provides a way to quickly perform a reactive measures that
minimizes possible negative effects, and shall determine the timetable for its implementation.
(6) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act in the course of proceedings
communications
and) ensures the security and integrity of communications networks and security
communication services under section 17,
(b)) shall determine the rules and procedures for the protection of information that is transmitted
communications networks,
(c)) performs the Exchange and transfer of information on the basis of the rules laid down
the legislation, while ensuring the security of information and this
documents and rules
(d)) with respect to the classification of the assets is performed by the Exchange and transfer of information
on the basis of written agreements, which includes a provision on the
of information security.
§ 11
Access control and secure user behavior
(1) the Authority and a person referred to in paragraph 3 (b). (c) to (e)) of the Act) on the basis of
operational and security needs and controls access to the information system
critical information infrastructure, critical to the communications system
information infrastructure and significant information system and allocate
unique identifier for each user.
(2) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act shall take the measures
which is used to ensure data protection, which are used for
log on users and administrators of the information system critical
information infrastructure, critical information communication system
infrastructure and significant information system pursuant to section 18 and 19, and
that prevents the misuse of these data by any unauthorized person.
(3) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act later in the
access control
and a separate accessor applications shall be assigned) identifier,
(b) restrict the allocation of administrative privileges),
(c)) allocates and removes the access privileges in accordance with the policy
access control,
(d) carry out regular review) set access permissions
including the distribution of individual users in groups or
rolls,
e) uses a tool for verifying the identity of users, pursuant to section 18 and
a tool for managing access permissions according to § 19 and
(f) introduce security measures necessary) for safe use
mobile devices, or even the security measures associated with the use of
technical devices, which the authority and a person referred to in paragraph 3 (b). (c)), and (d))
the law does not have.
§ 12
The acquisition, development and maintenance
(1) the Authority and a person referred to in paragraph 3 (b). c) to (e)) of the Act provides for
safety requirements for the information system critical changes
information infrastructure, critical information communication system
infrastructure or significant information system associated with their
through the acquisition, development and maintenance of the project and include them in the acquisition, development and
maintenance of the system.
(2) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the law on
and identifies, assesses and) controls the risks associated with the acquisition, development
and maintenance of critical information infrastructure information system or
communication of critical information infrastructure; for the procedures
risk assessment and management methodology pursuant to § 4 paragraph 2. 1 (b). and) apply
Similarly,
(b)) ensure the security of the development environment and ensure the protection of
used test data and
(c)) performs security testing of changes to the information system critical
information or communication system critical infrastructure
information infrastructure before their introduction into service.
section 13 of the
Coping with cyber security events and incidents
Authority and a person referred to in paragraph 3 (b). (c) to (e)) of the Act) to manage the
Cyber-events and incidents
and) shall take the necessary measures to ensure the reporting of cyber
security events in the information system of critical information
infrastructure, communication of critical information
infrastructure and significant information system from users,
Administrators and persons holding a security role, and of the notifications
keep records
(b)) prepares the environment for the evaluation of reported Cyber-
security incidents and cyber security events
detected technical instruments under section 21 to 23, carried their
evaluation and identifies cyber security incidents,
c) classification of cyber security incidents, accepts
measures for averting and mitigating the impact of cyber security
the incident, cyber security incident reporting is performed by
According to § 32 and shall ensure the collection of reliable supporting documents required for the analysis of
Cyber security incident,
(d) investigate and determine the cause) cyber security incident,
shall assess the effectiveness of security incidents and cyber solutions on
based on the evaluation sets out the necessary safety measures to prevent
the repetition of the solution to cyber security incidents and
e) documents the management of cyber security incidents.
§ 14
Business continuity management
(1) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act, in proceedings
the continuity of the activities provides for
and the rights and obligations of guarantors) assets, the administrators and the people
holding a security role
(b)) the objectives of business continuity management in the form of specifying
1. the minimum standards of service that is acceptable for
the use, operation and management of the information system critical information
infrastructure, communication of critical information
infrastructure or significant information system,
2. recovery time running, during which, after the cyber security
the incident renewed a minimum level of service provided by the information
critical information infrastructure system, communication system
critical information infrastructure or significant information
system, and
3. time to restore data as of a term to which data will be restored after
Cyber security incident, and
c) business continuity management strategy, which includes the fulfillment of the objectives of the
referred to in subparagraph (b)).
(2) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the law on
and evaluates and documents the) potential impact of cyber security
incidents and assess the possible risks related to threats to the continuity of the
activities,
(b)) provides updates and regularly tests plans for continuity of operations
critical information infrastructure information system and communication
of critical information infrastructure,
c) measures to increase the resilience of the implements of information system
critical information infrastructure and communication system critical
information infrastructure against cyber incidents
and uses a tool for ensuring the levels of availability pursuant to section 26 and
(d)) shall be established and updated procedures for the implementation of the measures issued by the authority
pursuant to section 13 and 14 of the law, which will take into account
1. the results of the risk assessment the implementation of measures,
2. status of the concerned security measures and
3. evaluation of possible negative impacts on the operation and safety
critical information infrastructure information system or
communication of critical information infrastructure.
§ 15
Review and audit of critical information infrastructure and significant
information systems
(1) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act under the control of
and audit of critical information infrastructure and important information
systems (hereinafter referred to as "cyber-security audit")
and) assess the consistency of security measures with the law,
the internal regulations, other regulations and contractual obligations relating
to critical information infrastructure information system,
communication of critical information infrastructure and significant
information system and identify measures for its enforcement and
(b)) performs regular checks and documents the compliance with safety
policy and the results of these checks shall take into account in the development plan.
safety awareness and risk management plan.
(2) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act provides
Cyber security audit by a person with professional qualifications
According to § 6 paragraph 1. 6, to evaluate the accuracy and effectiveness of the
security measures.
(3) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act for the
critical information infrastructure information system and communication
the system performs checks on critical information infrastructure
the vulnerability of the technical means through automated tools, and
their expert evaluation and responds to the identified vulnerabilities.
TITLE II
TECHNICAL MEASURES
section 16 of the
Physical security
(1) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the act within the physical
safety
and) shall take the necessary measures to prevent unauthorized entry into the
defined space where information are processed and placed
technical information system critical information assets
infrastructure, communication of critical information
infrastructure or significant information system,
(b)) shall take the necessary measures to prevent corruption and interference in the
defined space where information is kept and placed technical
assets information system critical information infrastructure,
communication of critical information infrastructure or
significant information system, and
c) damage, theft or misappropriation of assets or discontinuation of
the provision of services of the information system critical information
infrastructure, communication of critical information
infrastructure or significant information system.
(2) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act further claims
physical safety
and protection) to ensure that at the level of objects and
(b)) to ensure protection in the context of objects by providing increased safety
defined space in which are located the technical assets
critical information infrastructure information system or
communication of critical information infrastructure.
(3) the means of physical safety are particularly
mechanical barrier devices),
(b) the electrical security alarm device),
c) restrictive effect of the fires, resources
(d) the restrictive effect of the expressions) means natural events
e) systems for controlling access,
f) camera systems
g) devices to provide protection against power supply failures
power supply and
h) equipment to ensure optimal operating conditions.
§ 17
A tool for the protection of the integrity of communication networks
(1) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act for the protection of
the integrity of the external interface communication network which is not under the control of
the authority or person, and the internal communications network, which is under the administration of the
the authority or person, shall establish
secure access management) between the external and internal networks
(b) in particular, the segmentation using demilitarizovaných) zones as special
the type of network that is used to increase the security of the applications available from the
external networks and to prevent direct communication with the internal network, external network
c) cryptographic devices (section 25) for remote access, remote
Administration or access through wireless technologies and
d) measures for the removal or blocking of the data transmitted,
do not match the requirements for the protection of the integrity of the communications network.
(2) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act also uses
tools for the protection of the integrity of the internal communications network that ensures
its segmentation.
section 18
A tool for verifying the identity of users
(1) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act uses the tools
to verify the identity of users and administrators of the information system
critical information infrastructure, critical communication system
information infrastructure and major information system.
(2) a tool for verifying the identity of users and administrators ensures
Verify the identity of users and administrators before the start of their
activities in the information system critical information infrastructure,
communication of critical information infrastructure and significant
the information system.
(3) a tool for user authentication, which uses the authentication
only with a password, ensures
and) a minimum password length of eight characters,
(b)) the minimum password complexity, so that the password will contain at least 3 of the
the following four requirements
1. at least one capital letter,
2. at least one lower case letter,
3. at least one digit, or
4. at least one special character different from the requirements referred to in points
1 to 3,
(c) the maximum period for the compulsory) Exchange password not exceeding one hundred days;
This requirement is not required for standalone application identifiers.
(4) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the law on
and) uses for identity verification tool that
1. avoid the use of previously used passwords again and will not allow more
password changes one user within a specified period, which shall be
at least 24 hours, and
2. performs a re-authentication identity after a specified period of inactivity and
(b)) uses a tool for verifying the identity of the administrators. In the case that
This tool uses password authentication, ensure that the enforcement of the minimum
password length of fifteen characters in compliance with the requirements under paragraph 3 (b).
(b)), and (c)).
(5) a tool for verifying the identity of users may be provided also by other
ways than those laid down in paragraphs 3 to 5, if the authority and the
the person referred to in paragraph 3 (b). (c)) to (e)) of the Act shall ensure that used
measures to ensure the same or higher level of password strength.
§ 19
A tool for managing access permissions
(1) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act uses the tool
for the management of access privileges, which shall ensure the control permission
and) for access to individual applications and data, and
(b)) to read data, write data, and to change permissions.
(2) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act also uses
a tool for managing access permissions, which records the use of the
access privileges in accordance with the security needs and results
the risk assessment.
section 20
Tool to protect against malicious code
Authority and a person referred to in paragraph 3 (b). (c) to (e))) risk management act
associated with the action of malicious code protection tool uses
information system critical information infrastructure, communication
of critical information infrastructure and major information
the system from malicious code that ensures a constant verification and control
and communication between the internal network) and external networks
b) servers and shared data storage and
c) workstations,
by regular and effective tools for the protection of
against malicious code, its definition and signature.
section 21
Tool for recording the activities of critical information infrastructure and
major information systems, their users and administrators
(1) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act uses the tool
the activities of the information system for the recording of critical information
infrastructure, communication of critical information
infrastructure and significant information system, which ensures
and) collect information on the operational and security activities, in particular the type
the activity, the date and time, the identification of technical assets, that the activities of the
recorded, the identification of the originator, and the place of the activity and the success or
failure activity and
(b) the protection of the information received from) the unauthorized reading or changing.
(2) the Authority and a person referred to in paragraph 3 (b). c) to (e)) of the law further by using
tools for recording the activity of an information system critical
information infrastructure, critical information communication system
infrastructure and significant information system records the
and) login and logout users and administrators,
(b)) activity of Admins,
(c)) to change the activities of access privileges,
(d)) the non-activities due to lack of access permissions and
Another unsuccessful user activity,
(e) the start and end of the activities) of technical asset information system
critical information infrastructure, critical communication system
information infrastructure and significant information system,
f) automatic warning or error messages technical assets
g) approaches to the records of the activities, attempts to manipulate records of
activities and changes settings for recording activities and tools
h) the use of identification and authentication mechanisms, including changes to the information,
that is used to log on.
(3) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the records of activities
recorded in accordance with paragraph 2 shall keep for at least three months.
(4) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act provides at least
once every 24 hours to synchronize the system time of single
technical assets belonging to the information system critical information
infrastructure, communication of critical information
infrastructure or significant information system.
section 22
A tool for the detection of cyber security events
(1) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act uses the tool
for the detection of cyber security events, based on the
set security needs and the results of risk assessment and that
ensure the verification, inspection and, where necessary, blocking the communication between the
internal communication networks and external networks.
(2) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act also uses
tool for the detection of cyber security events, which
ensure the verification, inspection and, where necessary, blocking communication
and) within the internal communications network and
b) servers belonging to the information system of critical information
infrastructure and critical information communication system
infrastructure.
Article 23 of the
A tool for collection and evaluation of cyber security events
(1) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act uses the tool
for the collection and continuous evaluation of cyber security incidents,
that in accordance with the security needs and the results of the risk assessment
shall ensure
and) integrated collection and evaluation of cyber security
events from the information system critical information infrastructure and
communication of critical information infrastructure,
(b) provision of information for the specified) the security role of the detected
Cyber-security incidents in the information system critical
the information infrastructure or critical information communication system
infrastructure and
(c) continuous evaluation of the cyber-security) events with
the objective identification of cyber security incidents, including
early warning intended for security roles.
(2) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act shall ensure that the
a) regular updating of setting rules for the evaluation of
Cyber security events and early warning, to be
constrained instances of incorrect evaluation of the events or cases
false warnings, and
b) use of the information, that are ready for collection and tool
evaluation of cyber security incidents, for optimal
setting the security measures of the information system critical
information infrastructure and critical information communication system
infrastructure.
section 24
Application security
(1) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act is performed by
security vulnerability tests applications that are accessible from the
external networks, and prior to their commissioning and after every major
change the security mechanisms.
(2) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act later in the
application security will ensure continuous protection
and) applications and information available from external network from unauthorized
the activities carried out by the negation of the activities, or kompromitací
unauthorised modification and
(b) the transaction prior to nedokončením), incorrect routing,
an unauthorized change of the transmitted data content, kompromitací,
unauthorised duplicating or repeat.
§ 25
Cryptographic products
(1) the Authority and a person referred to in paragraph 3 (b). (c) to (e)) of the Act)
and for the use of cryptographic protection) provides
1. level of protection with regard to the type and strength of the cryptographic algorithm, and
2. the rules of cryptographic protection of information in transit over the
communications networks or when stored on mobile devices or
removable data carriers and technical
(b)) in accordance with the security needs and the results of the risk assessment
uses cryptographic resources that ensure the protection of the confidentiality and
the integrity of the transmitted or stored data and supporting identification
person for the work performed.
(2) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the law on
and) provides for use of the cryptographic resources management system
keys, which ensure the generation, distribution, storage, archiving,
change, destruction, control and audit of the keys, and
(b)) uses resistant cryptographic algorithms, and cryptographic keys; in
the case of non-compliance with the minimum requirements on cryptographic algorithms
referred to in annex 3 to this Decree controls the risks associated with this
non-compliance.
section 26
A tool for ensuring the levels of availability
(1) the Authority and a person referred to in paragraph 3 (b). c) to (e)) of the Act in accordance with the
security needs and the results of the risk assessment tool
the level of assurance of the availability of information.
(2) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act uses the tool
to provide the level of access to information, which will ensure
and information system) the availability of critical information infrastructure and
communication of critical information infrastructure to meet the
the objectives of the business continuity management,
(b)) the resilience of the critical information infrastructure information system and
communication of critical information infrastructure to
Cyber security incidents, which could reduce the
availability, and
c) backing up important technical asset information system
critical information infrastructure and communication system critical
the information infrastructure
1. using the redundancy in the design of the solution and
2. provision of replacement of technical assets in the specified time.
section 27 of the
Industrial safety and control systems
Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act for the safety
industrial and management systems, which are information system
critical information infrastructure or critical system communication
the information infrastructure or are their parts, used tools,
to ensure
and physical access restrictions) to the network and the device of industrial and
control systems,
(b) restrictions on linking and remote) access to the network of industrial and
control systems,
(c) the protection of the individual technical assets) industrial and control
systems before using the known vulnerabilities and
d) relaunching of industrial and management systems after the Cyber
the security incident.
TITLE III
SAFETY DOCUMENTATION
section 28
Safety documentation
(1) the Authority and a person referred to in paragraph 3 (b). (c)), and (d)) of the Act is kept and updated
Security documentation that contains
According to the security policy) § 5 para. 1,
(b)) messages from cyber security audit in accordance with § 3 (1). 1 (b). (f)),
(c)) messages from information security management system of the examination under section 3
paragraph. 1 (b). (g)),
d) methodology for the identification and evaluation of assets and for the identification and
risk assessment,
e) report on the assets and risks,
f) Declaration of applicability,
g) risk management plan,
(h) security awareness development plan) pursuant to § 9 para. 1 (b). and)
I) coping with cyber security incidents under section 13 (a).
(e)),
j) business continuity management strategy pursuant to § 14 para. 1 (b). (c)), and
for an overview of the legislation), internal rules and other regulations and
contractual obligations in accordance with § 15 para. 1 (b). and).
(2) the Authority and a person referred to in paragraph 3 (b). e) of the Act is kept and updated
Security documentation that contains
According to the security policy) § 5 para. 2,
(b)) a methodology for identifying and evaluating assets and for the identification and
the risk assessment pursuant to section 4, paragraph 4. 2 (a). and)
c) report on the assets and risks pursuant to § 4 paragraph 2. 2 (a). (b)), and (c)),
(d) statement of applicability) pursuant to § 4 paragraph 2. 2 (a). (d)),
e) risk management plan pursuant to § 4 paragraph 2. 2 (a). (e)),
(f) the development of safety awareness) the plan referred to in § 9 para. 1 (b). and)
(g) the management of cyber security incidents), pursuant to section 13 (a).
(e)),
h) business continuity management strategy pursuant to § 14 para. 1 (b). (c)), and
I) an overview of the laws, internal rules and other regulations and
contractual obligations in accordance with § 15 para. 1 (b). and).
(3) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act leads security
documentation so that records of the performed activities are complete,
legible, readily identifiable and to make them easy to find.
The measures necessary for the identification, storage, protection, retrieval, time
the validity and the arrangement of the records of the performed activities documented.
(4) the recommended structure of the safety documentation provided for in
Annex No 4 to this notice.
section 29
Proof of certification
Authority and a person referred to in paragraph 3 (b). c) to (e)) of the Act, the information
critical information infrastructure system, communication system critical
the information infrastructure or significant information system is completely
included in the scope of the information security management system, which was
certified according to the relevant technical standards ^ 1) accredited
by the certifying authority and documents containing
description of the scope of the system) and information security management,
(b)) statement by the policy and objectives of information security management,
(c) a description of the methods used) risk assessment and risk assessment report,
(d) statement of applicability),
e) information security management system certificate meeting the requirements of
the relevant technical standards dealing with safety information ^ 1)
(f) a record of the review system) information security management including
related inputs and outputs of the review and
g) message from the audits carried out by the certifying authority including relevant
rectifying the identified records of disagreements with the relevant standard;
meets the requirements for the introduction of safety measures according to the law and
of this order.
PART THREE
CYBER SECURITY INCIDENT
section 30
Types of cyber security incidents
(1) according to the causes of cyber security incidents are divided into
the following types of
and a cyber security incident caused by) Cyber attack
or other events leading to the penetration of the system or to limit the
availability of the services,
(b) a cyber security incident caused by) malicious code
(c) cyber security incident caused) by overcoming the technical
measures,
(d) a cyber security incident caused by) a violation of organizational
measures,
(e) a cyber security incident) associated with the manifestation of the permanently
Active threats and
(f)) other cyber security incidents caused by Cyber
attack.
(2) the impact of cyber security incidents are divided into
the following types of
and a cyber security incident causing), violation of the confidentiality of
assets,
(b) a cyber security incident causing), violation of the integrity of
assets,
(c) cyber security incident), causing disruption to the availability of
assets, or
(d) a cyber security incident) causing a combination of impact
referred to in points (a) to (c)).)
section 31
Categories of cyber security incidents
(1) for the purposes of the management of cyber security incidents to the
According to the consequences and negative manifestations of cyber security
incidents are divided into the following categories
and) category III-a very serious cyber security incident,
which directly and significantly impair the safety of the services provided
or assets. His solution requires the immediate intervention of the operator, with the
all available means must be prevented from spreading
Cyber security incident, including minimizing incurred and
the potential damages.
(b) category II)-serious cyber security incident
which is a breach of the security of the provided services or assets. His
the solution requires the immediate intervention of the operator that must be suitable
resources prevented further spread of cyber incident, including
minimizing damages.
c) category I-less serious cyber security incident
which occurs to a less significant breach of security provided by
services or assets. His solution requires the intervention of an operator that must
be limited by appropriate means and other dissemination of cyber
security incident, including minimizing damages.
(2) the Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act in the categorisation of
each of cyber security incidents referred to in paragraph 1
take into account the
and the assets concerned) the importance of the information system of critical information
infrastructure, communication of critical information
infrastructure or significant information system,
b) impacts on the service provided critical information system
information infrastructure, critical information communication system
infrastructure or significant information system,
c) impacts on the services provided by other information systems are critical
information infrastructure, communication systems, critical information
infrastructure or significant information systems and
(d) the estimated damages and other) impacts.
§ 32
Form and requirements for reporting cyber security incidents
(1) the Authority and a person referred to in paragraph 3 (b). (c) to (e))) law reports
Cyber security incident
and) in electronic form through
1. the electronic form published on the website of the
The Office,
2. e-mail at the e-mail address of the authority designated to receive the message
Cyber security incidents, published on the Internet
the website of the Office,
3. a data message to the data box office, or
4. through the specified data interface, whose description is published
on the website of the Office, or
(b)) in paper format to the address of the National Center of cyber
safety, published on the website of the Office.
(2) the Report shall be sent in paper form only in cases where you cannot
use any of the methods referred to in paragraph 1 (b). and).
(3) the details to report cyber security incidents are
listed in annex 5 to this Decree.
PART FOUR
REACTIVE MEASURES AND CONTACT DETAILS
§ 33
Reactive measures
Authority and a person referred to in paragraph 3 (b). (c)) to (e)) of the Act shall notify the implementation
reactive action and its result on the form of which a specimen is given
in annex 6 to this Ordinance.
§ 34
Contact details
Authority and a person referred to in section 3 of the Act to announce the contact details of the
a form of which a specimen is given in annex 7 to this Decree. Authority and the
the person referred to in paragraph 3 (b). (c) to (e)) of the Act) to announce the contact details
in the form specified in § 32 para. 1 (b). and).
PART FIVE
The EFFECTIVENESS of the
§ 35
This Decree shall enter into force on 1 January 2000. January 2015.
Director:
Ing. He returned in r.
Annex 1
The evaluation and the level of importance of the assets
For the evaluation of the importance of the assets are used for four
levels. The authority or person referred to in paragraph 3 (b). c) to (e)) of the Act may
to use a different number of levels for the evaluation of the importance of assets than what
It is listed in this annex, shall comply with the clear links between the it
used reviews the importance of assets and scales and levels
for the evaluation of the importance of the assets, which are listed in that annex.
In the case of the use of three levels of evaluation of the importance of the assets is permitted
Merge either levels low and medium, or levels high and critical.
Scale for assessment of confidentiality
+------------------------------------------------------------------------+
| Level | Description | Protection |
|----------+--------------------------------+----------------------------|
| Low | Assets are publicly accessible | Requires no |
| | or was intended for publication | the protection. |
| | (e.g. on the basis of Act No. | |
| | 106/1999 Coll. on free | |
| | access to information, in | |
| | as amended). | |
| | Violation of the confidentiality of assets | |
| | does not affect the legitimate interests of | |
| | authority and of the persons referred to in | |
| | § 3 (b). c) to (e)) of the Act. | |
|----------+--------------------------------+----------------------------|
| Central | Assets are not publicly | For the protection of confidentiality |
| | accessible and forms of know-how | used equipment |
| | authority and of the persons referred to in | for access control. |
| | § 3 (b). c) to (e)) of the Act, | |
| | protection of assets is not required | |
| | any legislation | |
| | or the contractual specifications. | |
|----------+--------------------------------+----------------------------|
| High | Assets are not publicly | For the protection of confidentiality |
| | accessible, and their protection is | the funds are being used, |
| | required by the legislation | to ensure the management and |
| | in other regulations or contractual | recording access. |
| | arrangements (e.g., business | External information transfers |
| | the secret according to law | communication networks are |
| | No. 89/2012 Coll., the civil | protected by |
| | code, personal data according to | cryptographic |
| | Act No. 101/2000 Coll. | resources. |
| | on the protection of personal data, in | |
| | as amended). | |
|----------+--------------------------------+----------------------------|
| Critical | Assets are not publicly | For the protection of confidentiality is |
| | accessible and require | required registration of persons |
| | extra level of protection above | which of the assets |
| | beyond previous category | have acceded, and methods |
| | (e.g. protection preventing strategic business | |
| | the secret, sensitive, personal | misuse of the assets from the side |
| | data). | the administrators. Traffic |
| | | information are protected |
| | | by using the cryptographic |
| | | resources. |
+------------------------------------------------------------------------+
The scale for the evaluation of the integrity of the
+------------------------------------------------------------------------+
| Level | Description | Protection |
|----------+--------------------------------+----------------------------|
| Low | Asset does not require protection from | Requires no |
| | in terms of integrity. Distortion | the protection. |
| | the integrity of the asset does not jeopardise | |
| | the legitimate interests of the institution and persons | |
| | referred to in § 3 (b). c) to (e)) | |
| | the law. | |
|----------+--------------------------------+----------------------------|
| Central | An asset may require protection | For the protection of integrity are |
| | in terms of integrity. Distortion | used standard |
| | the integrity of assets can lead to | tools (e.g. restrictions |
| | damage to the legitimate interests of the | access rights for |
| | authority and of the persons referred to in | write). |
| | § 3 (b). c) to (e)) of the Act and | |
| | may show minor | |
| | impacts on primary assets. | |
|----------+--------------------------------+----------------------------|
| High | Asset requires protection from | For the protection of integrity are |
| | in terms of integrity. Distortion | used special |
| | the integrity of assets leads | the resources that permit |
| | damage to the legitimate interests of | track the history |
| | authority and of the persons referred to in | changes and |
| | § 3 (b). (c) to (e)) of the Act) | record the identity of a person |
| | with substantial impact on | implementing the change. Protection |
| | primary assets. | integrity of information |
| | | transmitted outside |
| | | communications networks is |
| | | provided by |
| | | cryptographic |
| | | resources. |
|----------+--------------------------------+----------------------------|
| Critical | Asset requires protection from | For the protection of integrity are |
| | in terms of integrity. Distortion | used special |
| | integrity leads to very serious | unique resources |
| | damage to the legitimate interests of the | identification of the person |
| | authority and of the persons referred to in | implementing change (eg. |
| | § 3 (b). c) to (e)) of the Act with the | using technology |
| | straight and very serious effects | a digital signature). |
| | the primary assets. | |
+------------------------------------------------------------------------+
The scale for the assessment of the availability of
+------------------------------------------------------------------------+
| Level | Description | Protection |
|----------+--------------------------------+----------------------------|
| Low | Disruption to the availability of assets | To protect availability |
| | It is not important, and in the case of | sufficient regular |
| | failure is normally tolerated | backup. |
| | a longer period for | |
| | axle (approx. 1 week). | |
|----------+--------------------------------+----------------------------|
| Central | The availability of the assets would be violation | Availability protection |
| | should not exceed the period | are used by common |
| | the day's work, a longer term | backup methods and |
| | failure leads to a possible | renewal. |
| | a threat to the interests of the authority and of the persons | |
| | referred to in § 3 (b). c) to (e)) | |
| | the law. | |
|----------+--------------------------------+----------------------------|
| High | The availability of the assets would be violation | Availability protection |
| | should not exceed a period of | are used by backup |
| | hours. Any failure is | systems and recovery |
| | need to be addressed without delay, | provision of services may |
| | because it leads to direct | be subject to intervention |
| | a threat to the interests of the authority and of the persons | servicing or replacing |
| | referred to in § 3 (b). c) to (e)) | technical assets. |
| | the law. Assets are considered | |
| | as very important. | |
|----------+--------------------------------+----------------------------|
| Critical | Disruption to the availability of assets | Availability protection |
| | It is not permissible, and even short term | are used by backup |
| | unavailability (in the order of several systems and restore | |
| | minutes) leads to a serious threat | the provision of services is |
| | the interests of the authority and of the persons referred to in | short-and long-term |
| | § 3 (b). c) to (e)) of the Act. | automated. |
| | Assets are considered as | |
| | critical. | |
+------------------------------------------------------------------------+
Annex 2
The risk assessment
The risk assessment is expressed as a function, which affects impact,
threat and vulnerability.
For risk assessment, in particular, this function can be used
risk = threat x vulnerability x impact.
Unambiguous identification function to determine the risks is an essential part of
the methodology for the identification and evaluation of risks.
+------------------------------------------------------------------------+
| Scale for impact assessment |
|----------+-------------------------------------------------------------+
| Level | Popis |
|----------+-------------------------------------------------------------+
| Low | The impact is within a limited time period and of a minor nature and not |
| | be catastrophic. |
| | |
| | The extent of damage does not exceed |
| | |
| | and 10 injured persons) with subsequent hospitalizations for |
| | longer than 24 hours or |
| | |
| | (b)) financial or material losses to 5 000 000 Czk or |
| | |
| | (c) the impact on the public) is a large constraint ' |
| | necessary services or other serious interference |
| | everyday life affecting a maximum of 250 persons. |
|----------+-------------------------------------------------------------|
| Central | The impact is limited and in a limited period of time. |
| | |
| | The extent of damage ranges |
| | |
| | and the dead) to 10 or 11 to 100 people with subsequent |
| | hospital admissions for more than 24 hours, or |
| | |
| | b) financial or material loss from 5 000 000 € to |
| | 50 000 000 $ or |
| | |
| | (c) the impact on the public) is a large constraint ' |
| | necessary services or other serious interference |
| | everyday life affecting from 251 to 2 500 people. |
|----------+-------------------------------------------------------------|
| High | The impact is limited, but the permanent or catastrophic. |
| | |
| | The extent of damage ranges |
| | |
| | and) from 11 to 100 dead or from 101 to 1 000 persons |
| | with subsequent hospitalizations for a period longer than 24 hours |
| | nebo |
| | |
| | b) financial or material loss from 50 000 000 $ to |
| | 500 000 000 $ or |
| | |
| | (c) the impact on the public) is a large constraint ' |
| | necessary services or other serious interference |
| | everyday life affecting from 25 000 to 2 501 |
| | persons. |
|----------+-------------------------------------------------------------|
| Critical | Impact is an area range, permanent and catastrophic. |
| | |
| | The extent of damage ranges |
| | |
| | 101 and more) dead, and 1 001 and more people with subsequent |
| | hospital admissions for more than 24 hours, or |
| | |
| | b) financial or material losses exceeding 500 000 000 |
| | $ Or |
| | |
| | (c) the impact on the public) is a large constraint ' |
| | necessary services or other serious interference |
| | everyday life affecting more than 25 000 people. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Scale for assessing threats |
|------------------------------------------------------------------------|
| Level | Popis |
|----------+-------------------------------------------------------------|
| Low | The threat does not exist or is improbable. Estimated |
| | realization of the threat is not more frequent than once per 5 years. |
|----------+-------------------------------------------------------------|
| Central | The threat is remote to the probable. |
| | The expected realization of the threat is in the range from 1 year to 5 |
| | years of age. |
|----------+-------------------------------------------------------------|
| High | The threat is likely to very likely. |
| | The expected realization of the threat is in the range from 1 month to |
| | 1 year. |
|----------+-------------------------------------------------------------|
| Critical | The threat is very likely to more or less certain. |
| | The expected realization of the threat is more frequent than once per |
| | month. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| The scale for rating vulnerabilities |
|------------------------------------------------------------------------|
| Level | Popis |
|----------+-------------------------------------------------------------|
| Low | The vulnerability does not exist or is an abuse of the vulnerability of a little |
| | likely. There are high-quality security measures |
| | that are able to timely detect possible weaknesses or |
| | any attempts to overcome measures. |
+------------------------------------------------------------------------+
| Central | The vulnerability is improbable to probable. |
| | There are high-quality security measures whose effectiveness |
| | is checked regularly. The ability of security |
| | measures in time to detect possible weaknesses or potential |
| | attempts to overcome measures is limited. Are not known |
| | any successful attempts to overcome security measures. |
+------------------------------------------------------------------------+
| High | The vulnerability is likely to very likely. |
| | Security measures exist, but their effectiveness |
| | It does not cover all necessary aspects and is not regularly |
| | checked. There are known minor successful attempts to overcome |
| | security measures. |
+------------------------------------------------------------------------+
| Critical | The vulnerability is very unlikely to occur until after more or less |
| | some abuse. The security measures are not implemented |
| | or is considerably limited their effectiveness. Controls |
| | the effectiveness of security measures. Are known successful |
| | attempts to overcome security measures. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Scale for risk assessment |
|------------------------------------------------------------------------|
| Level | Popis |
|----------+-------------------------------------------------------------|
| Low | The risk is considered acceptable. |
+------------------------------------------------------------------------+
| Central | The risk may be reduced or demanding measures |
| | in the case of higher performance measures, the risk is acceptable. |
+------------------------------------------------------------------------+
| High | The risk is not acceptable and must be launched |
| | systematic steps to eliminate it. |
+------------------------------------------------------------------------+
| Critical | The risk is unacceptable and must be immediately launched |
| | steps to delete it. |
+------------------------------------------------------------------------+
In the event that the authority or person referred to in paragraph 3 (b). (c) to (e)) of the Act)
uses a method for identifying and assessing risk, which does not distinguish
the evaluation of threats and vulnerabilities, it is possible to scale for the evaluation of
threats and vulnerabilities to merge. Merge scales should not lead to
loss of ability to distinguish rates of threats and vulnerabilities. For this
the purpose can be used, for example, a comment that clearly expressed how the level of
threat and vulnerability level. Similarly, the true authority or
the person referred to in paragraph 3 (b). c) to (e)) of the Act, which uses a different number of
the levels for the impact assessment of threats, vulnerabilities and risks.
Annex 3
Minimum requirements for cryptographic algorithms
(1) the symmetric algorithms
and current and block ciphers) to protect the confidentiality and integrity of
1. Advanced Encryption Standard (AES) using the key length 128, 192 and
256-bit Triple Data Encryption Standard (3DES) with the use of key lengths
168 bits, only with a load restricted use of the key with less than 10 GB,
gradually move the AES.
2. The Triple Data Encryption Standard (3DES) with the use of key lengths 112
bits limited use only load the keys are smaller than 10 MB, gradually
Navigate to the AES. Recommended that you use a unique key for each
message.
3. Blowfish, using the minimum key length 128 bits, limited use
just load the keys are smaller than 10 GB.
4. Kasumi using 128-bit key lengths, limited use only
loads the key with less than 10 GB.
5. the Twofish using key lengths up to 256 bits, 128.
6. the Serpent with the use of key length 128, 192, 256 bits.
7. Camellia using key length 128, 192 and 256 bits.
8. SNOW 2.0, SNOW 3 g using key length 128, 256 bits.
(b) protection of the encryption Modes) the integrity of the
1. the CCM,
2. the EAX,
3. the OCB,
4. Composite type schemas "Encrypt-then-MAC".
Note:
Schemes of "Encrypt-then-MAC", must be used to encrypt only
referred to the encryption modes and to calculate MAC only these modes for the protection
integrity.
c) encryption Modes
1. CTR,
2. The ÖFB,
3. the CBC,
4. the CFB,
Note:
CBC and CFB modes must be used with a random, for an attacker to
nepředpověditelným initialization vector when using mode for OFB
the key is not to repeat the initialization vector value, when you use the
CTR mode for a given key must not retry counter value, in the case of
the use of CBC mode encryption without integrity protection is needed to verify
resistance to attack on CBC padding mode.
(d) to protect the integrity of the fashion)
1. The HMAC,
2. CBC-MAC-X 9.19, limited use only with a load less than 109 MAC
3. the CBC-MAC-EMAC,
4. the CMAC.
(2) the asymmetric algorithms
and digital signature technology)
1. The Digital Signature Algorithm (DSA) with the use of key lengths of 2048 bits and
more, the length of the parameter of the cyclic subgroups 224 bits, and more.
2. Elliptic Curve Digital Signature Algorithm (EC-DSA) with the use of the length
224-bit keys, and more.
3. The Rivest-Shamir-Adleman Probablistic Signature Scheme (RSA-PSS)
using a key length of 2048 bits or more.
(b)) For the agreements on the key processes and encryption keys
1. Diffie-Hellman (DH) with the use of key lengths of 2048 bits or more, the length of the
parameter of the cyclic subgroups 224 bits, and more.
2. Elliptic Curve Diffie-Hellman (ECDH) using the 224-bit key lengths
and more.
3. Elliptic Curve Integrated Encryption System-Key Encapculation
Mechanism (ECIES-KEM) using the 256-bit key lengths and more.
4. a Provably Secure Elliptic Curve Key-Encapculation Mechanism
(IPSEC FILTERS-KEM) using the 256-bit key lengths and more.
5. Encapculation Asymmetric Ciphers and Key Mechanism (ACE-KEM)
using the 256-bit key lengths and more.
Rivest, Shamir, and Adleman 6-Optimal Asymmetric Encryption Pedding
(RSA-OAEP) with the use of key lengths of 2048 and more.
Rivest, Shamir, and Adleman 7-Key Encapculation Mechanism (RSA-KEM)
use of key lengths of 2048 and more.
(3) the functions of the hash algorithms
and SHA-2)
1. SHA-224,
2. SHA-256,
3. SHA-384,
4. SHA-512,
5. SHA-512/224,
6. SHA-512/256.
b) SHA-3
1. SHA3-224,
2. the SHA3-256,
3. the SHA3-384,
4. the SHA3-512,
5. SHAKE-128,
6. SHAKE-256.
(c)) the other hash functions
1. Whirlpool,
2. the RIPEMD-160,
3. SHA 1 with limited use.
Note # 1:
SHA-1 is not to be used for the new generation of digital signatures,
time stamps, any other applications that require non-collision of SHA-1.
Note # 2:
The SHA-1 may be used only for verifying existing digital
signatures and time stamps, generation and HMAC-SHA1 authentication, the function for
deriving keys and pseudorandom generators.
Annex 4
The structure of the safety documentation
This annex contains the recommended content security documentation.
The proposed structure of each document includes topics that
each of the documents referred to in this Decree shall cover the
the structure of the documents are not binding and it is up to the authority or person referred to in
§ 3 (b). c) to (e)) of the Act, what approach to the formation of safety
documentation of it. Permissible is i change the names of individual documents
or integrating multiple topics into one document.
(I).
The structure of the security policy
(1) the policy of information security management *
[§ 5 para. 1), § 5 para. 2 (a). and)]
and principles and objectives), the needs of information security management.
(b)) the extent and boundaries of information security management system.
(c)) the rules and procedures for the management of the documentation.
d) rules and procedures for the management of resources and operation management system
of information security.
e) rules and procedures for conducting audits of cyber security.
f) rules and procedures for the review of the safety management system
information.
g) rules and procedures for corrective action and improvement of management system
of information security.
(2) the organizational Security Policy **
[§ 5 para. 1 (b)), § 5 para. 2 (a). (b))]
and specify the security roles and) their rights and obligations,
1. the rights and duties of the Manager of cyber security,
2. the rights and duties of the architect, cyber security,
3. rights and obligations of the auditor of cyber security,
4. rights and obligations of the guarantor assets
5. the rights and obligations of the Committee for the management of cyber security.
(b)) Department requests the performance of activities of individual security
roles.
(3) the vendor management policy **
[§ 5 para. 1 (b) (c)), § 5 para. 2 (a). (c))]
and) the rules and principles for the selection of suppliers.
(b)) the rules for the risk assessment of suppliers.
(c)) the details to service level agreements and the arrangements and levels of realization
security measures and the determination of the mutual contractual liability.
(d) the rules for the implementation of the control) the introduction of security measures.
(e) the arrangements for evaluating the suppliers).
(4) asset classification Policy **
[§ 5 para. 1 (c) (d)), § 5 para. 2 (a). (d))]
and the identification, evaluation and) evidence of primary assets
1. the determination and registration of individual primary assets including the determination of their
the guarantor,
2. evaluation of the importance of the primary assets in terms of confidentiality,
integrity and availability.
(b)) and review the evidence supporting assets
1. the determination and registration of individual support assets including the determination of their
the guarantor,
2. determine the links between primary and supporting assets.
(c) the rules on the protection of the individual levels) of assets
1. ways of distinguishing different levels of assets,
2. the rules for handling and recording assets according to asset levels,
3. permissible uses of the assets.
(d) reliable) ways of erasing or destroying the technical data media.
(5) safety policy human resources **
[§ 5 para. 1 (b), (e)), § 5 para. 2 (a). (e))]
and safety awareness development) rules and ways of its reviews
1. methods and forms of instruction of the users
2. the ways and forms of instruction of supervisors of assets,
3. methods and forms of instruction of administrators,
4. the methods and forms of instruction of persons holding other security
role.
b) safety training of new employees.
(c)) the rules for the solution of breaches of security policy system
information security management.
(d)) the rules for termination of the employment relationship or change jobs.
1. return of the entrusted assets and remove rights on termination of employment
the relationship,
2. change the access permissions when you change jobs.
(6) traffic management, and Communications Policy **
[§ 5 para. 1 (b), (f)), § 5 para. 2 (a). (f))]
a) powers and responsibilities associated with safe operation.
(b)) the procedures for safe operation.
(c)) the requirements and standards for safe operation.
d) management of the technical vulnerabilities.
e) rules and limitations for cyber security audits and
Security tests.
(7) the access control Policy **
[§ 5 para. 1 (b) (g)), § 5 para. 2 (a). g)]
and the principle of the minimum permissions)/need to know (need to know).
b) access control requirements.
(c)) access control life cycle.
(d)) to control privileged permissions.
e) access control for emergency situations.
f) regular review of access privileges, including the distribution of
each user in the access groups.
(8) the policy of safe conduct of users *
[§ 5 para. 1 (b), (h)), § 5 para. 2 (a). h)]
and rules for safe management) with assets.
(b)) the safe use of a passphrase.
(c)) the safe use of electronic mail and internet access.
d) secure remote access.
e) safe behavior on social networks.
f) Safety in relation to mobile devices.
(9) backup and Recovery Policy **
[§ 5 para. 1 (b) (i)), § 5 para. 2 (a). I)]
and) requirements for backup and recovery.
(b)) rules, and backup procedures.
(c) the rules of safe storage of backups).
d) rules and procedures for recovery.
(e)) the rules and procedures of testing backup and recovery.
(10) the policy of safe transmission and exchange of information **
[§ 5 para. 1 (b) (j))]
and) the rules and procedures for the protection of the transmitted information.
(b)) ways of protecting electronic information exchange.
(c) the rules for the use of) cryptographic protection.
(11) the technical vulnerability management policy **
[§ 5 para. 1 (b))]
and) rules to limit the installation of software,
(b)) the rules and procedures of adjustments to program packages, search
(c)) the rules and procedures of software fixes, testing
d) rules and procedures for deploying software patches.
(12) the policy of the safe use of mobile devices *
[§ 5 para. 1 (b). l)]
and) the rules and procedures for the safe use of mobile devices.
(b)) the rules and procedures to ensure the safety of the devices, which the authority
and the person referred to in paragraph 3 (b). (c)), and (d)) of the Act does not have.
(13) the policy on the provision and acquisition of software and licenses
information *
[§ 5 para. 1 (b). m), § 5 para. 2 (a). (j))]
and) the rules and procedures of software deployment and its evidence.
b) rules and procedures for monitoring compliance with the license terms.
(14) the politics of long-term storage and archiving information
[§ 5 para. 1 (b). n)]
and) rules and procedures for archiving documents and records.
(b)) the protection of archived documents and records.
c) policy regarding access to archived documents and records.
(15) the privacy policy *
[§ 5 para. 1 (b)), § 5 para. 2 (a). k)]
and characteristics of the processing of personal data).
(b) a description of the adopted and carried out) organizational protection measures
of personal data.
(c) a description of the adopted and carried out) technical measures for the protection of
of personal data.
(16) the physical safety Policy **
[§ 5 para. 1 (b), p)]
a) rules for the protection of objects.
(b) the rules for the control of entry) people.
c) rules for the protection of the device.
d) intrusion detection physical safety.
(17) Communicaton network security policy **
[§ 5 para. 1 (b). q)]
and) the rules and procedures for ensuring the security of the network.
(b)) to determine the rights and obligations for the safe operation of the network.
(c)) the rules and procedures for the management of the approaches within the network.
d) rules and procedures for the protection of remote access to the network.
e) rules and procedures for network monitoring and evaluation of operational
records.
(18) the policy of protection against malicious code *
[§ 5 para. 1 (b) r), § 5 para. 2 (a). m)]
and) the rules and procedures for the protection of communications between internal and external
networks.
b) rules and procedures for the protection of servers and shared data storage.
(c)) the rules and procedures for the protection of workstations.
(19) the deployment and use of Policy tools for the detection of cyber
security events **
[§ 5 para. 1 (b)) § 5 para. 2 (a). n)]
and) the rules and procedures of the deployment tools for the detection of cyber
security events.
b) operational procedures for the evaluation of and respond to a detected
Cyber security incident.
(c)) the rules and procedures to optimize detection tools
Cyber security events.
(20) the use and maintenance of the Policy tools for the collection and evaluation of
Cyber security events **
[§ 5 para. 1 (a) t)]
and) the rules and procedures for the registration and evaluation of cyber
security events.
b) rules and procedures for periodic updates rules for evaluation
Cyber security events.
(c)) the rules and procedures for the optimal settings of the security features
tools for the collection and evaluation of cyber security incidents.
(21) the policy of safe use cryptographic protection **
[§ 5 para. 1 (b)) § 5 para. 2 (a). l)]
and) the level of protection with regard to the type and strength of the cryptographic algorithm.
(b) the cryptographic information protection Rules)
1. when in transit over communication networks,
2. when stored on mobile devices or removable technical carrier
data,
(c) key management System).
II.
The structure of the additional documentation
(1) the report of the audit of the cyber security **
[§ 28 para. 1 (b))]
and) cyber security audit objectives.
(b)) the subject of cyber security audit.
c) audit criteria of cyber security.
(d) Identify the auditing team) and people who are Cyber-audit
safety participated.
(e)), the date and place where the activities are carried out during the audit of cyber
safety.
(f) the findings of the audit) Cyber Security.
g) cyber security audit findings.
(2) the report from the review of the information security management system **
[section 28 (1) (b) (c))]
and the evaluation of measures from the previous) review management system
information security,
(b) the Identification of changes and circumstances) that may have an effect on the steering system
of information security.
c) feedback on the performance of information security management
1. nonconformance and corrective measures
2. the results of monitoring and measurement,
3. the results of the audit,
4. Security objectives,
(d)) the results of the risk evaluation and risk management plan status.
(e) the identification of options for) continuous improvement.
(d) the necessary decision) a recommendation determining measures and people
ensuring the performance of individual activities.
(3) the methodology for the identification and evaluation of assets and for the identification and
risk assessment *
[§ 28 para. 1 (b), (d)), § 28 para. 2 (a). (b))]
and determine the scale for rating) of primary assets
1. determine the scale for rating the level of confidentiality of the asset,
2. determine the scale for the evaluation of asset integrity levels,
3. determine the scale for evaluation of the level of availability of the assets.
(b) determine the scale for) risk assessment
1. determine the scale for rating the level of impact,
2. determine the scale for evaluation of the level of threat,
3. determine the scale for rating the level of vulnerability,
4. determine the scale for the evaluation of risk levels
a) methods and approaches for the management of risks.
(b) approval of acceptable risk) ways.
(4) the report on the evaluation of assets and risk **
[section 28 (1) (b), (e)), § 28 para. 2 (a). (c))]
and an overview of the primary asset)
1. identification and description of primary assets,
2. determination of the guarantors of the primary assets,
3. evaluation of primary assets in terms of confidentiality, integrity, and
availability.
(b) an overview of the supporting assets) (does not apply to the institutions and persons referred to in § 3
(a). e) of the Act)
1. identification and description of the supporting assets
2. determination of the guarantors of the supporting assets
3. determine the links between primary and supporting assets
(c) Identification and assessment of risks)
1. assessment of the possible impact on the assets,
2. evaluation of existing threats
3. evaluation of existing vulnerabilities, evaluation of existing
measures,
4. determination of the level of risk, compared with the criteria for this level
the acceptability of the risks
5. the determination and approval of acceptable risks.
(d)) risk management
1. the proposal for the method of risk management,
2. the draft measures and their implementation.
(5) statement of applicability of
[§ 28 para. 1 (b), (f)), § 28 para. 2 (a). (d))]
and an overview of selected security measures), including the rationale for their
selection and their ties to the identified risks.
(b)) for an overview of established security measures.
(6) risk management Plan **
[section 28 (1) (b), (g)), § 28 para. 2 (a). (e))]
and) content and objectives selected security measures for the management of risks.
(b)), the necessary resources for each of the security measures for the management of
risks.
(c) Persons providing individual) safety measures for the management of
risks.
(d) the introduction of individual Terms) of the security measures for the management of
risks.
(e) the arrangements for evaluating the success of the introduction of the) individual security
measures for the management of risks.
(7) the development plan for security awareness
[§ 28 para. 1 (b), (h)), § 28 para. 2 (a). (f))]
and the content and terms) educate users.
(b) the Content and timing of the lessons learned) the guarantors of assets (does not apply to the institutions and persons
referred to in § 3 (b). e) of the Act).
(c) the Content and timing of the lessons), administrators (does not apply to the institutions and persons
referred to in § 3 (b). (c)), and (d)) of the Act).
(d) dates of the lessons) content and other persons holding security
role.
e) content and terms the lessons of new employees.
f) forms and methods of evaluation of the plan.
(8) the management of cyber security incidents **
[section 28 (1) (b) (i)), § 28 para. 2 (a). g)]
and) define categories, cyber security incident.
b) rules and procedures for the registration and management of the various categories of
Cyber security incidents.
(c)) the rules and procedures of cyber-management system testing
security incidents.
d) rules and procedures for the evaluation of cyber security
incidents and for improving cyber security.
(9) business continuity management Strategy **
[section 28 (1) (b) (j)), § 28 para. 2 (a). h)]
and) the rights and obligations of interested parties.
(b)) the objectives of business continuity management
1. the minimum level of services provided,
2. the duration of the restore operation,
3. restore point.
(c) the business continuity management) strategy for fulfilling the objectives of continuity.
(d) the arrangements for evaluating the impact of cyber) security incidents on
the continuity and the assessment of the risks involved.
(e) the determination of the content and the necessary) plans of continuity.
(f) procedures for the implementation of the measures) issued by the national security
by the authority.
(10) an overview of generally binding legal regulations, the internal regulations and
other regulations and contractual commitments
[section 28 (1) (a). to), § 28 para. 2 (a). I)]
and) overview of generally binding legal regulations.
(b) an overview of the internal rules) and other regulations.
(c)) for an overview of contractual obligations.
Note:
* Expected confidentiality document is medium according to the scale
listed in annex 1: assessment and asset level.
** Expected confidentiality is a high level document according to the scale
listed in annex 1: assessment and asset level.
Annex 5
Cyber security incident report form
Annex 6
Notification form on the implementation of reactive measures and its result
Annex 7
Reporting form for contact information
1) ISO/IEC 27001:2013 or ČSN ISO/IEC 27001:2014
