Decree On Cyber Security

Original Language Title: vyhláška o kybernetické bezpečnosti

Read the untranslated law here: https://portal.gov.cz/app/zakony/download?idBiblio=83170&nr=316~2F2014~20Sb.&ft=txt

316/2014 Sb.



DECREE

of 15 December 2014

on security measures, cyber security incidents, reactive measures and on the determination of requirements for filings in the field of cyber security (Decree on Cyber Security)

The National Security Authority determines, pursuant to § 28(2) of Act No. 181/2014 Coll., on cyber security and on amendments to related acts (the Act on Cyber Security) (hereinafter referred to as the "Act"), in order to implement § 6(a) to (c), § 8(4), § 13(4) and § 16(6) of the Act:



PART ONE

INTRODUCTORY PROVISIONS

§ 1

Subject matter

This Decree lays down the content and structure of the security documentation for an information system of critical information infrastructure, a communication system of critical information infrastructure or a significant information system, the content of security measures and the extent of their introduction, the types and categories of cyber security incidents, the requirements and manner of reporting a cyber security incident, the requirements of the notification of the implementation of a reactive measure and its result, and the template and form of the notification of contact details.



§ 2

Definition of terms

For the purposes of this Decree,

a) information security management system means the part of the management and control system of the authority or person referred to in § 3(c) to (e) of the Act which, based on a risk-based approach to the information system of critical information infrastructure, the communication system of critical information infrastructure or the significant information system, determines the manner of establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security,

b) asset means a primary asset and a supporting asset,

c) primary asset means information or a service which the information system of critical information infrastructure, the communication system of critical information infrastructure or the significant information system processes or provides,

d) supporting asset means a technical asset, and the employees and suppliers involved in the operation, development, administration or security of the information system of critical information infrastructure, the communication system of critical information infrastructure or the significant information system,

e) technical asset means the technical equipment, communication means and software of the information system of critical information infrastructure, the communication system of critical information infrastructure or the significant information system, and the premises in which these systems are located,

f) risk means the possibility that a particular threat exploits a vulnerability of the information system of critical information infrastructure, the communication system of critical information infrastructure or the significant information system and causes damage to assets,

g) risk assessment means the process by which the significance of risks and their acceptable level are determined,

h) risk management means the activities comprising risk assessment, the selection and implementation of risk management measures, the sharing of information on risks, and the monitoring and review of risks,

i) threat means a potential cause of a cyber security event or cyber security incident which may result in damage to assets,

j) vulnerability means a weakness of an asset or of a security measure which can be exploited by one or more threats,

k) acceptable risk means the risk remaining after the application of security measures whose level corresponds to the risk acceptance criteria,

l) security policy means the set of principles and rules which determine the manner of ensuring the protection of the assets of the authority or person referred to in § 3(c) to (e) of the Act,

m) asset guarantor means a natural person authorised by the authority or person referred to in § 3(c) to (e) of the Act to ensure the development, use and security of an asset,

n) user means a natural or legal person or a public authority which uses primary assets,

o) administrator means a natural person designated by the asset guarantor to ensure the management, operation, use, maintenance and security of a technical asset.



PART TWO



SECURITY MEASURES



TITLE I

ORGANISATIONAL MEASURES

§ 3

Information security management system

(1) The authority and person referred to in § 3(c) and (d) of the Act, within the information security management system,

a) determine, with regard to the assets and to organisational security, the scope and boundaries of the information security management system, which specify which organisational units and technical elements the information security management system applies to,

b) manage risks pursuant to § 4(1),

c) create and approve a security policy in the area of the information security management system, which contains the main principles, objectives, security needs, rights and obligations in relation to information security management, and, on the basis of security needs and the results of the risk assessment, establish security policies in the other areas pursuant to § 5 and introduce appropriate security measures,

d) monitor the effectiveness of the security measures,

e) evaluate the appropriateness and effectiveness of the security policy pursuant to § 5,

f) ensure that a cyber security audit pursuant to § 15 is carried out at least once a year,

g) ensure that the effectiveness of the information security management system is evaluated at least once a year; this evaluation includes an assessment of the state of the information security management system, including a revision of the risk assessment, an assessment of the results of the checks and cyber security audits carried out, and an assessment of the impact of cyber security incidents on the information security management system,

h) update the information security management system and the related documentation on the basis of the findings of cyber security audits, the results of the evaluation of the effectiveness of the information security management system, and in connection with implemented or planned changes, and

i) manage the operation and resources of the information security management system and record the activities associated with the information security management system and with risk management.

(2) The authority and person referred to in § 3(e) of the Act, within the information security management system,

a) manage risks pursuant to § 4(2),

b) create and approve a security policy in the area of the information security management system, which contains the main principles, objectives, security needs, rights and obligations in relation to information security management, and, on the basis of security needs and the results of the risk assessment, establish security policies in the other areas pursuant to § 5 and introduce appropriate security measures, and

c) update the report on the assessment of assets and risks, the security policy, the risk management plan and the security awareness development plan at least once every three years or in connection with implemented or planned changes.



§ 4

Risk management

(1) The authority and person referred to in § 3(c) and (d) of the Act, in the course of risk management,

a) establish a methodology for the identification and assessment of assets and for the identification and assessment of risks, including the establishment of risk acceptance criteria,

b) identify and assess the importance of the assets which fall within the scope of the information security management system pursuant to § 8, at least to the extent of Annex 1 to this Decree, and record the outputs in the report on the assessment of assets and risks,

c) identify risks, taking into account threats and vulnerabilities, assess the possible impacts on assets, assess these risks at least to the extent of Annex 2 to this Decree, determine and approve the acceptable risks, and draw up the report on the assessment of assets and risks,

d) draw up, on the basis of security needs and the results of the risk assessment, a statement of applicability which contains an overview of the selected and introduced security measures,

e) draw up and implement a risk management plan which contains the objectives and benefits of the security measures for risk management, the designation of the person ensuring the enforcement of the security measures for risk management, the necessary financial, technical, human and information resources, the time limit for their introduction, and a description of the links between the risks and the relevant security measures, and

f) take into account without undue delay, in the risk assessment, the reactive and protective measures issued by the National Security Authority (hereinafter referred to as "the Authority") and, if the risk assessment updated with regard to new vulnerabilities associated with the implementation of a reactive or protective measure exceeds the established risk acceptance criteria, supplement the risk management plan.

(2) The authority and person referred to in § 3(e) of the Act, in the course of risk management,

a) establish a methodology for the identification and assessment of assets and for the identification and assessment of risks, including the establishment of risk acceptance criteria,

b) identify and assess the importance of the primary assets which fall within the scope of the information security management system pursuant to § 8, at least to the extent of Annex 1 to this Decree, and record the outputs in the report on the assessment of assets and risks,

c) identify risks, taking into account threats and vulnerabilities, assess the possible impacts on the primary assets, assess these risks at least to the extent of Annex 2 to this Decree, and draw up the report on the assessment of assets and risks,

d) draw up, on the basis of security needs and the results of the risk assessment, a statement of applicability which contains an overview of the selected and introduced security measures,

e) draw up and implement a risk management plan which contains the objectives and benefits of the security measures for risk management, the designation of the person ensuring the enforcement of the security measures for risk management, the necessary financial, technical, human and information resources, the dates of their introduction, and a description of the links between the identified risks and the relevant security measures, and

f) take into account without undue delay, in the risk assessment, the reactive and protective measures issued by the Authority and, if the risk assessment updated with regard to new vulnerabilities associated with the implementation of a reactive or protective measure exceeds the established risk acceptance criteria, supplement the risk management plan.

(3) Risk management may be carried out in a manner other than that provided for in paragraphs 1 and 2, provided that the authority and person referred to in § 3(c) to (e) of the Act ensure that the measures used provide the same or a higher level of risk management.

(4) The authority and person referred to in § 3(c) to (e) of the Act, when assessing risks, consider in particular the following threats:

a) breach of the security policy, performance of unauthorised activities, misuse of privileges by users and administrators,

b) damage to or failure of technical equipment or software,

c) misuse of the identity of a natural person,

d) use of software in breach of licence terms,

e) cyber attack from a communications network,

f) malicious code (for example viruses, spyware, Trojan horses),

g) shortcomings in the provision of the services of the information system of critical information infrastructure, the communication system of critical information infrastructure or the significant information system,

h) breach of physical security,

i) interruption of the provision of electronic communications services or of the supply of electricity,

j) misuse or unauthorised modification of data,

k) permanently acting threats, and

l) theft of or damage to assets.

(5) The authority and person referred to in § 3(c) to (e) of the Act, when assessing risks, consider in particular the following vulnerabilities:

a) insufficient protection of the external perimeter,

b) insufficient security awareness of users and administrators,

c) insufficient maintenance of the information system of critical information infrastructure, the communication system of critical information infrastructure or the significant information system,

d) inappropriate setting of access privileges,

e) insufficient procedures for identifying and detecting negative security phenomena, cyber security events and cyber security incidents,

f) insufficient monitoring of the activity of users and administrators and the inability to detect their inappropriate or improper behaviour, and

g) insufficiently established security rules, and inaccurate or ambiguous definition of the rights and obligations of users, administrators and security roles.

(6) The authority and person referred to in § 3(c) and (d) of the Act, when assessing risks, further consider the following threats:

a) breach of the security policy, performance of unauthorised activities, misuse of privileges by administrators of critical information infrastructure,

b) misconduct on the part of employees,

c) misuse of internal resources, sabotage,

d) long-term interruption of the provision of electronic communications services, of the supply of electricity or of other important services,

e) shortage of employees with the necessary professional level,

f) targeted cyber attack using social engineering, use of espionage techniques, and

g) misuse of removable technical data media.

(7) The authority and person referred to in § 3(c) and (d) of the Act, when assessing risks, further consider the following vulnerabilities:

a) insufficient protection of critical information infrastructure resources,

b) inappropriate security architecture,

c) insufficient level of independent review, and

d) inability to detect misconduct on the part of employees at an early stage.



§ 5

Security policy

(1) The authority and person referred to in § 3(c) and (d) of the Act establish a security policy in the areas of

a) the information security management system,

b) organisational security,

c) supplier relationship management,

d) asset classification,

e) human resources security,

f) operations and communications management,

g) access control,

h) secure user behaviour,

i) backup and recovery,

j) secure transmission and exchange of information,

k) technical vulnerability management,

l) secure use of mobile devices,

m) provision and acquisition of licences for software and information,

n) long-term storage and archiving of information,

o) personal data protection,

p) physical security,

q) communications network security,

r) protection against malicious code,

s) deployment and use of tools for detecting cyber security events,

t) use and maintenance of tools for collecting and evaluating cyber security events, and

u) use of cryptographic protection.

(2) The authority and person referred to in § 3(e) of the Act establish a security policy in the areas of

a) the information security management system,

b) organisational security,

c) supplier management,

d) asset classification,

e) human resources security,

f) operations and communications management,

g) access control,

h) secure user behaviour,

i) backup and recovery,

j) provision and acquisition of licences for software and information,

k) personal data protection,

l) use of cryptographic protection,

m) protection against malicious code, and

n) deployment and use of tools for detecting cyber security events.

(3) The authority and person referred to in § 3(c) to (e) of the Act regularly evaluate the effectiveness of the security policy and update it.



§ 6

Organisational security

(1) The authority and person referred to in § 3(c) to (e) of the Act establish the organisation of information security management, within which they determine a committee for cyber security management and the security roles, together with the rights and obligations related to the information system of critical information infrastructure, the communication system of critical information infrastructure or the significant information system.

(2) The authority and person referred to in § 3(c) and (d) of the Act determine the security roles of

a) cyber security manager,

b) cyber security architect,

c) cyber security auditor, and

d) asset guarantor pursuant to § 2(m).

(3) The authority and person referred to in § 3(e) of the Act determine the security roles mutatis mutandis pursuant to paragraph 2.

(4) The cyber security manager is the person responsible for the information security management system who is trained for this activity and demonstrates professional competence by practice in information security management of at least three years.

(5) The cyber security architect is the person ensuring the design and implementation of security measures who is trained for this activity and demonstrates professional competence by practice in the design of security architecture of at least three years.

(6) The cyber security auditor is the person carrying out cyber security audits who is trained for this activity and demonstrates professional competence by practice in carrying out cyber security audits of at least three years. The cyber security auditor performs the role impartially, and its performance is separate from the performance of the roles referred to in paragraph 2(a), (b) or (d).

(7) The committee for cyber security management is an organised group made up of persons who are responsible for the overall management and development of the information system of critical information infrastructure, the communication system of critical information infrastructure or the significant information system, or who are significantly involved in the management and coordination of activities associated with the cyber security of these systems.

(8) The authority and person referred to in § 3(c) to (e) of the Act ensure the professional training of persons holding security roles in accordance with the security awareness development plan pursuant to § 9(1)(b).



§ 7

Determination of security requirements for suppliers

(1) The authority and person referred to in § 3(c) to (e) of the Act establish rules for suppliers which take into account the needs of information security management, and apply them to suppliers or other persons involved in the development, operation or securing of the information system of critical information infrastructure, the communication system of critical information infrastructure or the significant information system. The extent of the involvement of suppliers in the development, operation or securing of the information system of critical information infrastructure, the communication system of critical information infrastructure or the significant information system is demonstrably documented by the authority and person referred to in § 3(c) to (e) of the Act in a contract which contains provisions on information security.

(2) The authority and person referred to in § 3(c) and (d) of the Act, in respect of the suppliers referred to in paragraph 1,

a) carry out, before concluding the contract, a risk assessment pursuant to Annex 2 to this Decree in relation to significant supplies,

b) conclude a service level agreement which sets out the manner and level of implementation of the security measures and determines the mutual contractual responsibility for the implementation and control of the security measures, and

c) carry out regular risk assessments and regular checks of the security measures introduced for the services provided, and remove the deficiencies found or, in agreement with the supplier, ensure their removal.



§ 8

Asset management

(1) The authority and person referred to in § 3(c) to (e) of the Act, in the course of asset management,

a) identify and record the primary assets,

b) determine the asset guarantors who are responsible for the primary assets, and

c) assess the importance of the primary assets in terms of confidentiality, integrity and availability and classify them into individual levels at least to the extent of Annex 1 to this Decree.

(2) When assessing the importance of the primary assets, the following in particular are assessed:

a) the scope and importance of personal data or trade secrets,

b) the scope of the affected legal or other obligations,

c) the extent of disruption of internal management and control activities,

d) damage to public, commercial or economic interests,

e) possible financial losses,

f) the extent of disruption of the normal activities of the authority and person referred to in § 3(c) to (e) of the Act,

g) the impacts associated with a breach of confidentiality, integrity and availability, and

h) the impacts on the preservation of good name or the protection of reputation.

(3) The authority and person referred to in § 3(c) and (d) of the Act further

a) identify and record the supporting assets,

b) determine the asset guarantors who are responsible for the supporting assets, and

c) determine the links between the primary and supporting assets and assess the consequences of the dependencies between the primary and supporting assets.

(4) The authority and person referred to in § 3(c) to (e) of the Act further

a) establish the rules of protection required for each level of assets by

1. determining the methods of distinguishing the individual levels of assets,

2. establishing rules for the handling and recording of assets according to the level of the assets, including rules for the secure electronic sharing and physical transfer of assets, and

3. establishing the permissible methods of use of assets,

b) introduce protection rules corresponding to the level of the assets, and

c) determine the methods of reliable deletion or destruction of technical data media with regard to the level of the assets.



§ 9

Human resources security

(1) The authority and person referred to in § 3(c) to (e) of the Act, in the course of human resources security,

a) establish a security awareness development plan which contains the form, content and scope of the necessary training and determines the persons carrying out the individual activities listed in the plan,

b) in accordance with the security awareness development plan, ensure that users, administrators and persons holding security roles are instructed about their obligations and about the security policy in the form of initial and regular training,

c) ensure the control of compliance with the security policy by users, administrators and persons holding security roles, and

d) ensure the return of entrusted assets and the removal of access privileges upon termination of the contractual relationship with users, administrators or persons holding security roles.

(2) The authority and person referred to in § 3(c) to (e) of the Act keep records of the training pursuant to paragraph 1 which contain an overview of the subject of the training and a list of the persons who have undergone the training.

(3) The authority and person referred to in § 3(c) and (d) of the Act further

a) establish rules for determining the persons who will hold a security role, the role of administrator or the role of user,

b) evaluate the effectiveness of the security awareness development plan, of the training carried out and of other activities connected with deepening security awareness,

c) determine the rules and procedures for dealing with cases of breach of the established security rules by users, administrators and persons holding security roles, and

d) ensure that access privileges are changed upon a change of the status of users, administrators or persons holding security roles.



§ 10

Operations and communications management

(1) The authority and person referred to in § 3(c) to (e) of the Act, in the course of operations and communications management, detect cyber security events by means of the technical tools referred to in §§ 21 to 23, regularly evaluate the information obtained and react to the deficiencies found in accordance with § 13.

(2) The authority and person referred to in § 3(c) to (e) of the Act, in the course of operations and communications management, further ensure the secure operation of the information system of critical information infrastructure, the communication system of critical information infrastructure and the significant information system. For this purpose they establish operating rules and procedures.

(3) The operating rules and procedures of the authority and person referred to in § 3(c) and (d) of the Act contain

a) the rights and obligations of persons holding security roles, of administrators and of users,

b) the procedures for starting and stopping the operation of the system, for restarting or restoring the operation of the system after a failure, and for handling error states or extraordinary phenomena,

c) the procedures for monitoring cyber security incidents and for protecting access to the records of these activities,

d) contact details of the contact persons who provide assistance in the event of unexpected behaviour of the system or in resolving a technical problem,

e) the procedures for managing and approving operational changes, and

f) the procedures for monitoring, planning and managing the capacity of human and technical resources.

(4) Operations management of the authority and person referred to in § 3(c) to (e) of the Act consists in regular backups and in verification of the usability of the backups made.

(5) Operations management of the authority and person referred to in § 3(c) and (d) of the Act further consists in

a) the separation of the development, test and production environments, and

b) in the case of reactive measures issued by the Authority, the authority and person referred to in § 3(c) and (d) of the Act

1. assessing the expected impacts of the reactive measure on the information system of critical information infrastructure or the communication system of critical information infrastructure and on the security measures introduced, evaluating the possible negative effects, and notifying the Authority without undue delay, and

2. determining the manner of rapid implementation of the reactive measure which minimises the possible negative effects, and determining the timetable for its implementation.

(6) The authority and person referred to in § 3(c) and (d) of the Act, in the course of communications management,

a) ensure the security and integrity of communications networks and the security of communication services pursuant to § 17,

b) determine the rules and procedures for the protection of information transmitted over communications networks,

c) carry out the exchange and transfer of information on the basis of the rules laid down by legislation, while ensuring the security of the information, and document these rules, and

d) with regard to the classification of the assets, carry out the exchange and transfer of information on the basis of written agreements which contain provisions on information security.



§ 11

Access control and secure user behaviour

(1) The authority and person referred to in § 3(c) to (e) of the Act, on the basis of operational and security needs, control access to the information system of critical information infrastructure, the communication system of critical information infrastructure and the significant information system, and allocate a unique identifier to each user.

(2) The authority and person referred to in § 3(c) to (e) of the Act take measures which serve to protect the data used for logging in of users and administrators of the information system of critical information infrastructure, the communication system of critical information infrastructure and the significant information system pursuant to §§ 18 and 19, and which prevent the misuse of these data by an unauthorised person.

(3) The authority and person referred to in § 3(c) and (d) of the Act, in the course of access control, further

a) assign a separate identifier to applications which access the system,

b) restrict the allocation of administrative privileges,

c) allocate and remove access privileges in accordance with the access control policy,

d) carry out regular reviews of the access privileges set, including the assignment of individual users to groups or roles,

e) use a tool for verifying the identity of users pursuant to § 18 and a tool for managing access privileges pursuant to § 19, and

f) introduce the security measures necessary for the secure use of mobile devices, or also the security measures associated with the use of technical devices which are not under the administration of the authority and person referred to in § 3(c) and (d) of the Act.



§ 12

Acquisition, development and maintenance

(1) The authority and person referred to in § 3(c) to (e) of the Act establish security requirements for changes to the information system of critical information infrastructure, the communication system of critical information infrastructure or the significant information system associated with their acquisition, development and maintenance, and include them in the project for the acquisition, development and maintenance of the system.

(2) The authority and person referred to in § 3(c) and (d) of the Act further

a) identify, assess and manage the risks associated with the acquisition, development and maintenance of the information system of critical information infrastructure or the communication system of critical information infrastructure; the risk assessment procedures and the risk management methodology pursuant to § 4(1)(a) apply mutatis mutandis,

b) ensure the security of the development environment and ensure the protection of the test data used, and

c) carry out security testing of changes to the information system of critical information infrastructure or the communication system of critical information infrastructure before they are put into operation.



§ 13

Handling of cyber security events and incidents

The authority and person referred to in § 3(c) to (e) of the Act, in order to handle cyber security events and incidents,

a) take the necessary measures to ensure that cyber security events in the information system of critical information infrastructure, the communication system of critical information infrastructure and the significant information system are reported by users, administrators and persons holding security roles, and keep records of the reports,

b) prepare the environment for the evaluation of reported cyber security events and of cyber security events detected by the technical tools pursuant to §§ 21 to 23, carry out their evaluation and identify cyber security incidents,

c) classify cyber security incidents, take measures to avert and mitigate the impact of a cyber security incident, report cyber security incidents pursuant to § 32, and ensure the collection of reliable supporting documents needed for the analysis of the cyber security incident,

d) investigate and determine the causes of the cyber security incident, assess the effectiveness of the handling of the cyber security incident and, on the basis of the assessment, determine the necessary security measures to prevent a recurrence of the handled cyber security incident, and

e) document the handling of cyber security incidents.



§ 14

Business continuity management

(1) The authority and the person referred to in § 3 (c) to (e) of the Act, within business continuity management, lay down

a) the rights and obligations of asset guarantors, administrators and persons holding a security role,

b) the business continuity management objectives, in the form of a specification of

1. the minimum level of service that is acceptable for the use, operation and management of the information system of the critical information infrastructure, the communication system of the critical information infrastructure or the significant information system,

2. the recovery time objective, i.e. the period within which the minimum level of service provided by the information system of the critical information infrastructure, the communication system of the critical information infrastructure or the significant information system is restored after a cyber security incident, and

3. the recovery point objective, i.e. the point in time to which data will be restored after a cyber security incident, and

c) the business continuity management strategy, which includes the fulfilment of the objectives referred to in (b).

(2) The authority and the person referred to in § 3 (c) and (d) of the Act

a) evaluate and document the potential impacts of cyber security incidents and assess the possible risks related to threats to business continuity,

b) lay down, update and regularly test the business continuity plans of the information system of the critical information infrastructure and the communication system of the critical information infrastructure,

c) implement measures to increase the resilience of the information system of the critical information infrastructure and the communication system of the critical information infrastructure to cyber security incidents, and use a tool for ensuring the level of availability pursuant to § 26, and

d) lay down and update procedures for implementing the measures issued by the Office pursuant to § 13 and 14 of the Act, which take into account

1. the results of the risk assessment of implementing the measures,

2. the state of the security measures concerned, and

3. an evaluation of the possible negative impacts on the operation and security of the information system of the critical information infrastructure or the communication system of the critical information infrastructure.



§ 15

Review and audit of the critical information infrastructure and significant information systems

(1) The authority and the person referred to in § 3 (c) to (e) of the Act, within the review and audit of the critical information infrastructure and significant information systems (hereinafter "cyber security audit"),

a) assess the compliance of the security measures with the legislation, internal regulations, other regulations and contractual obligations relating to the information system of the critical information infrastructure, the communication system of the critical information infrastructure and the significant information system, and lay down measures to enforce it, and

b) perform and document regular checks of compliance with the security policy, and take the results of these checks into account in the security awareness development plan and the risk management plan.

(2) The authority and the person referred to in § 3 (c) and (d) of the Act have the cyber security audit performed by a person with professional qualifications pursuant to § 6 (6), in order to evaluate the correctness and effectiveness of the security measures.

(3) The authority and the person referred to in § 3 (c) and (d) of the Act, for the information system of the critical information infrastructure and the communication system of the critical information infrastructure, perform vulnerability checks of the technical assets by means of automated tools and an expert evaluation of their results, and respond to the identified vulnerabilities.



TITLE II



TECHNICAL MEASURES



§ 16

Physical security

(1) The authority and the person referred to in § 3 (c) to (e) of the Act, within physical security,

a) take the necessary measures to prevent unauthorised entry into the defined premises where information is processed and the technical assets of the information system of the critical information infrastructure, the communication system of the critical information infrastructure or the significant information system are located,

b) take the necessary measures to prevent damage and interference in the defined premises where information is stored and the technical assets of the information system of the critical information infrastructure, the communication system of the critical information infrastructure or the significant information system are located, and

c) prevent damage, theft or misuse of assets or the interruption of the provision of services of the information system of the critical information infrastructure, the communication system of the critical information infrastructure or the significant information system.

(2) The authority and the person referred to in § 3 (c) and (d) of the Act further, within physical security,

a) ensure protection at the level of buildings, and

b) ensure protection within buildings by providing increased security of the defined premises in which the technical assets of the information system of the critical information infrastructure or the communication system of the critical information infrastructure are located.

(3) Means of physical security are in particular

a) mechanical barrier means,

b) electrical security alarm systems,

c) means limiting the effects of fire,

d) means limiting the effects of natural events,

e) access control systems,

f) camera systems,

g) devices providing protection against power supply failure, and

h) equipment ensuring optimal operating conditions.



§ 17

Tool for protecting the integrity of communication networks

(1) The authority and the person referred to in § 3 (c) to (e) of the Act, in order to protect the integrity of the external interface of the communication network that is not under the control of the authority or person, and of the internal communication network that is under the administration of the authority or person, lay down

a) secure access management between the external and internal networks,

b) segmentation, in particular using demilitarised zones as a special type of network used to increase the security of applications accessible from external networks and to prevent direct communication between the internal network and external networks,

c) cryptographic means (§ 25) for remote access, remote administration or access via wireless technologies, and

d) measures for removing or blocking transmitted data that do not meet the requirements for protecting the integrity of the communication network.

(2) The authority and the person referred to in § 3 (c) and (d) of the Act also use a tool for protecting the integrity of the internal communication network that ensures its segmentation.



§ 18

Tool for verifying the identity of users

(1) The authority and the person referred to in § 3 (c) to (e) of the Act use tools for verifying the identity of users and administrators of the information system of the critical information infrastructure, the communication system of the critical information infrastructure and the significant information system.

(2) The tool for verifying the identity of users and administrators ensures that the identity of users and administrators is verified before they begin their activities in the information system of the critical information infrastructure, the communication system of the critical information infrastructure and the significant information system.

(3) A tool for verifying the identity of users that uses authentication by password only ensures

a) a minimum password length of eight characters,

b) a minimum password complexity such that the password meets at least 3 of the following four requirements

1. at least one upper-case letter,

2. at least one lower-case letter,

3. at least one digit, or

4. at least one special character other than those referred to in points 1 to 3,

c) a maximum period for the mandatory password change not exceeding one hundred days; this requirement does not apply to standalone application identifiers.

(4) The authority and the person referred to in § 3 (c) and (d) of the Act

a) use a tool for verifying identity that

1. prevents the re-use of previously used passwords and does not allow more than one password change by the same user within a specified period, which must be at least 24 hours, and

2. performs re-verification of identity after a specified period of inactivity, and

b) use a tool for verifying the identity of administrators. Where this tool uses password authentication, it ensures the enforcement of a minimum password length of fifteen characters while complying with the requirements under paragraph 3 (b) and (c).

(5) The verification of the identity of users may also be ensured by other means than those laid down in paragraphs 3 to 5, provided that the authority and the person referred to in § 3 (c) to (e) of the Act ensure that the measures used provide the same or a higher level of password strength.
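The password rules in § 18 (3) and (4) are concrete enough to be enforced mechanically. The following is an added example, not part of the Decree and not an official implementation: it checks a candidate password against the length and three-of-four complexity rules (8 characters for users, 15 for administrators), blocks re-use of earlier passwords via a salted PBKDF2 digest history, refuses a second change within 24 hours and flags passwords older than 100 days. Class and function names, the in-memory history store and the constructed sample values are this example's own assumptions.

```python
"""Password-policy checks modelled on § 18 (3) and (4) of Decree 316/2014 Sb.
Added example code; names, storage layout and sample data are assumptions."""
from __future__ import annotations

import hashlib
import os
from datetime import datetime, timedelta

MIN_LEN_USER = 8                             # § 18 (3) (a)
MIN_LEN_ADMIN = 15                           # § 18 (4) (b)
MIN_CLASSES = 3                              # § 18 (3) (b): 3 of 4 classes
MAX_AGE = timedelta(days=100)                # § 18 (3) (c)
MIN_CHANGE_INTERVAL = timedelta(hours=24)    # § 18 (4) (a) point 1


def character_classes(pw: str) -> int:
    """Count how many of the four § 18 (3) (b) character classes pw contains."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),   # "special": none of the above
    ])


def complexity_errors(pw: str, admin: bool = False) -> list[str]:
    """Return the list of § 18 length/complexity rules the password violates."""
    errors = []
    min_len = MIN_LEN_ADMIN if admin else MIN_LEN_USER
    if len(pw) < min_len:
        errors.append(f"shorter than {min_len} characters")
    if character_classes(pw) < MIN_CLASSES:
        errors.append("fewer than 3 of 4 character classes")
    return errors


class PasswordHistory:
    """Per-user record of earlier password digests and the last change time.

    Only salted PBKDF2 digests are kept, never the passwords themselves.
    (Assumed in-memory store; a real deployment would persist this.)
    """

    def __init__(self, salt: bytes | None = None):
        self.salt = salt if salt is not None else os.urandom(16)
        self.digests: set[bytes] = set()
        self.last_change: datetime | None = None

    def _digest(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

    def seen_before(self, pw: str) -> bool:
        return self._digest(pw) in self.digests

    def record(self, pw: str, when: datetime) -> None:
        self.digests.add(self._digest(pw))
        self.last_change = when


def change_password(history: PasswordHistory, new_pw: str,
                    now: datetime, admin: bool = False) -> list[str]:
    """Apply all § 18 checks; record the change only when every check passes."""
    errors = complexity_errors(new_pw, admin)
    if history.seen_before(new_pw):
        errors.append("previously used password")          # § 18 (4) (a) 1
    if history.last_change is not None and \
            now - history.last_change < MIN_CHANGE_INTERVAL:
        errors.append("changed less than 24 hours ago")     # § 18 (4) (a) 1
    if not errors:
        history.record(new_pw, now)
    return errors


def password_expired(history: PasswordHistory, now: datetime) -> bool:
    """True when the mandatory 100-day change period (§ 18 (3) (c)) has elapsed."""
    return history.last_change is None or now - history.last_change > MAX_AGE


if __name__ == "__main__":
    h = PasswordHistory(salt=b"constructed-salt")
    t0 = datetime(2015, 1, 1, 9, 0)
    print(change_password(h, "Correct-Horse-1", t0))                         # []
    print(change_password(h, "Another-Pass-22", t0 + timedelta(hours=1)))    # too soon
    print(change_password(h, "Correct-Horse-1", t0 + timedelta(days=2)))     # re-use
    print(password_expired(h, t0 + timedelta(days=101)))                     # True
```

The digest history deliberately hashes with a per-user salt so that the stored set cannot be used to compare passwords across users; the interval check treats the 24 hours of § 18 (4) (a) as a minimum spacing between successful changes, which is the reading that also prevents cycling through the history to get back to an old password.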



§ 19

Tool for managing access permissions

(1) The authority and the person referred to in § 3 (c) to (e) of the Act use a tool for managing access permissions, which ensures the management of permissions

a) for access to individual applications and data, and

b) for reading data, writing data and changing permissions.

(2) The authority and the person referred to in § 3 (c) and (d) of the Act also use a tool for managing access permissions that records the use of access permissions in accordance with the security needs and the results of the risk assessment.



§ 20

Tool for protection against malicious code

The authority and the person referred to in § 3 (c) to (e) of the Act, in order to manage the risks associated with the action of malicious code, use a tool for protecting the information system of the critical information infrastructure, the communication system of the critical information infrastructure and the significant information system against malicious code, which ensures continuous verification and control of

a) communication between the internal network and external networks,

b) servers and shared data storage, and

c) workstations,

by means of regular and effective updates of the tool for protection against malicious code, its definitions and signatures.



§ 21

Tool for recording the activities of the critical information infrastructure and significant information systems, their users and administrators

(1) The authority and the person referred to in § 3 (c) to (e) of the Act use a tool for recording the activities of the information system of the critical information infrastructure, the communication system of the critical information infrastructure and the significant information system, which ensures

a) the collection of information on operational and security activities, in particular the type of activity, the date and time, the identification of the technical asset on which the activity was recorded, the identification of the originator and the place of the activity, and the success or failure of the activity, and

b) the protection of the collected information against unauthorised reading or modification.

(2) The authority and the person referred to in § 3 (c) to (e) of the Act further, using the tool for recording the activities of the information system of the critical information infrastructure, the communication system of the critical information infrastructure and the significant information system, record

a) logins and logouts of users and administrators,

b) activities performed by administrators,

c) activities leading to changes of access permissions,

d) activities not performed because of insufficient access permissions, and other unsuccessful user activities,

e) the start and end of activities of the technical assets of the information system of the critical information infrastructure, the communication system of the critical information infrastructure and the significant information system,

f) automatic warning or error messages of technical assets,

g) access to the activity records, attempts to manipulate the activity records, and changes to the settings of the activity recording tools, and

h) the use of identification and authentication mechanisms, including changes to the information used for logging in.

(3) The authority and the person referred to in § 3 (c) and (d) of the Act retain the activity records recorded pursuant to paragraph 2 for at least three months.

(4) The authority and the person referred to in § 3 (c) to (e) of the Act ensure, at least once every 24 hours, the synchronisation of the system time of the individual technical assets belonging to the information system of the critical information infrastructure, the communication system of the critical information infrastructure or the significant information system.
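A practitioner receiving records from many systems will want to verify that each one actually carries the items § 21 (1) (a) requires and belongs to one of the activity classes § 21 (2) lists, and to know the earliest date a record may be discarded under the three-month minimum of § 21 (3). The following is an added example, not part of the Decree: it parses constructed JSON log lines, reports missing fields and unknown activity types, and computes the retention deadline in calendar months. The field names, the activity labels and the sample lines are this example's own convention, not anything the Decree prescribes.

```python
"""Completeness checks for activity records under § 21 of Decree 316/2014 Sb.
Added example code; field names, activity labels and sample lines are assumed."""
from __future__ import annotations

import calendar
import json
from datetime import datetime

# § 21 (1) (a): items every record must carry (labels are this example's own).
REQUIRED_FIELDS = ("activity", "time", "asset", "originator", "place", "outcome")

# § 21 (2) (a) to (h): activity classes that must be recorded (labels assumed).
RECORDED_ACTIVITIES = {
    "login", "logout",                                        # (a)
    "admin_action",                                           # (b)
    "permission_change",                                      # (c)
    "access_denied", "user_failure",                          # (d)
    "asset_start", "asset_stop",                              # (e)
    "asset_warning", "asset_error",                           # (f)
    "log_access", "log_tamper_attempt", "log_config_change",  # (g)
    "credential_change", "auth_mechanism_use",                # (h)
}

RETENTION_MONTHS = 3   # § 21 (3): keep records for at least three months


def record_problems(rec: dict) -> list[str]:
    """List every way a parsed record falls short of § 21 (1) (a) and (2)."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in rec]
    if "activity" in rec and rec["activity"] not in RECORDED_ACTIVITIES:
        problems.append(f"unknown activity: {rec['activity']}")
    if "outcome" in rec and rec["outcome"] not in ("success", "failure"):
        problems.append(f"outcome must be success/failure: {rec['outcome']}")
    if "time" in rec:
        try:
            datetime.fromisoformat(rec["time"])
        except (TypeError, ValueError):
            problems.append(f"unparseable time: {rec['time']!r}")
    return problems


def retention_until(recorded_at: datetime) -> datetime:
    """Earliest moment the record may be discarded: recorded_at + 3 calendar
    months, clamping the day so that e.g. 30 Nov 2015 -> 29 Feb 2016."""
    month_index = recorded_at.month - 1 + RETENTION_MONTHS
    year = recorded_at.year + month_index // 12
    month = month_index % 12 + 1
    day = min(recorded_at.day, calendar.monthrange(year, month)[1])
    return recorded_at.replace(year=year, month=month, day=day)


def audit_lines(lines: list[str]) -> dict:
    """Parse JSON log lines; return counts plus per-line problems and deadlines."""
    valid, invalid, deadlines = 0, {}, {}
    for idx, line in enumerate(lines):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            invalid[idx] = [f"not JSON: {exc.msg}"]
            continue
        problems = record_problems(rec)
        if problems:
            invalid[idx] = problems
        else:
            valid += 1
            deadlines[idx] = retention_until(datetime.fromisoformat(rec["time"]))
    return {"valid": valid, "invalid": invalid, "retention_until": deadlines}


# Constructed sample lines (not real log data).
SAMPLE_LINES = [
    '{"activity": "login", "time": "2015-11-30T08:15:00", "asset": "srv-01",'
    ' "originator": "alice", "place": "10.0.0.12", "outcome": "success"}',
    '{"activity": "file_read", "time": "2015-11-30T08:16:00", "asset": "srv-01",'
    ' "originator": "alice", "outcome": "success"}',
    '{"activity": "admin_action", "time": "2015-11-30T09:00:00", "asset": "fw-02",'
    ' "originator": "bob", "place": "console", "outcome": "failure"}',
]

if __name__ == "__main__":
    print(audit_lines(SAMPLE_LINES))
```

The retention helper returns the earliest permitted deletion date rather than a boolean so that the caller can schedule purges; anything the Decree says must be kept longer (for example evidence collected under § 13 (c)) is outside this check.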



§ 22

Tool for detecting cyber security events

(1) The authority and the person referred to in § 3 (c) to (e) of the Act use a tool for detecting cyber security events which, based on the defined security needs and the results of the risk assessment, ensures the verification, inspection and, where necessary, blocking of communication between the internal communication network and external networks.

(2) The authority and the person referred to in § 3 (c) and (d) of the Act also use a tool for detecting cyber security events which ensures the verification, inspection and, where necessary, blocking of communication

a) within the internal communication network, and

b) of the servers belonging to the information system of the critical information infrastructure and the communication system of the critical information infrastructure.



§ 23

Tool for collecting and evaluating cyber security events

(1) The authority and the person referred to in § 3 (c) and (d) of the Act use a tool for collecting and continuously evaluating cyber security events which, in accordance with the security needs and the results of the risk assessment, ensures

a) integrated collection and evaluation of cyber security events from the information system of the critical information infrastructure and the communication system of the critical information infrastructure,

b) the provision of information to the designated security roles on cyber security incidents detected in the information system of the critical information infrastructure or the communication system of the critical information infrastructure, and

c) continuous evaluation of cyber security events with the aim of identifying cyber security incidents, including early warning intended for the security roles.

(2) The authority and the person referred to in § 3 (c) and (d) of the Act ensure

a) regular updating of the rules configured for evaluating cyber security events and for early warning, so as to limit cases of incorrect evaluation of events or false warnings, and

b) the use of the information prepared by the tool for collecting and evaluating cyber security events for the optimal configuration of the security measures of the information system of the critical information infrastructure and the communication system of the critical information infrastructure.



§ 24

Application security

(1) The authority and the person referred to in § 3 (c) to (e) of the Act perform security vulnerability tests of applications accessible from external networks, before they are put into operation and after every major change to their security mechanisms.

(2) The authority and the person referred to in § 3 (c) and (d) of the Act further, within application security, ensure the continuous protection of

a) applications and information accessible from external networks against unauthorised activities, repudiation of performed activities, compromise or unauthorised modification, and

b) transactions against their non-completion, incorrect routing, unauthorised modification of the transmitted data content, compromise, unauthorised duplication or replay.



§ 25

Cryptographic means

(1) The authority and the person referred to in § 3 (c) to (e) of the Act

a) lay down, for the use of cryptographic protection,

1. the level of protection with regard to the type and strength of the cryptographic algorithm, and

2. the rules for the cryptographic protection of information in transit over communication networks or when stored on mobile devices or removable technical data carriers, and

b) in accordance with the security needs and the results of the risk assessment, use cryptographic means which ensure the protection of the confidentiality and integrity of transmitted or stored data and support the identification of the person performing an activity.

(2) The authority and the person referred to in § 3 (c) and (d) of the Act

a) lay down, for the use of cryptographic means, a key management system which ensures the generation, distribution, storage, archiving, change, destruction, control and audit of keys, and

b) use resistant cryptographic algorithms and cryptographic keys; in the case of non-compliance with the minimum requirements on cryptographic algorithms laid down in Annex 3 to this Decree, manage the risks associated with this non-compliance.



§ 26

Tool for ensuring the level of availability

(1) The authority and the person referred to in § 3 (c) to (e) of the Act, in accordance with the security needs and the results of the risk assessment, use a tool for ensuring the level of availability of information.

(2) The authority and the person referred to in § 3 (c) and (d) of the Act use a tool for ensuring the level of availability of information, which ensures

a) the availability of the information system of the critical information infrastructure and the communication system of the critical information infrastructure so as to meet the business continuity management objectives,

b) the resilience of the information system of the critical information infrastructure and the communication system of the critical information infrastructure to cyber security incidents that could reduce their availability, and

c) the backup of the important technical assets of the information system of the critical information infrastructure and the communication system of the critical information infrastructure

1. by using redundancy in the design of the solution, and

2. by ensuring the replacement of technical assets within a specified time.



§ 27

Security of industrial and control systems

The authority and the person referred to in § 3 (c) and (d) of the Act, for the security of industrial and control systems that are the information system of the critical information infrastructure or the communication system of the critical information infrastructure, or are parts of them, use tools ensuring

a) restriction of physical access to the network and devices of the industrial and control systems,

b) restriction of interconnection with, and remote access to, the network of the industrial and control systems,

c) protection of the individual technical assets of the industrial and control systems against the exploitation of known vulnerabilities, and

d) restoration of the operation of the industrial and control systems after a cyber security incident.



TITLE III



SECURITY DOCUMENTATION



§ 28

Security documentation

(1) The authority and the person referred to in § 3 (c) and (d) of the Act keep and update security documentation that contains

a) the security policy pursuant to § 5 (1),

b) the reports from the cyber security audit pursuant to § 3 (1) (f),

c) the reports from the review of the information security management system pursuant to § 3 (1) (g),

d) the methodology for identifying and evaluating assets and for identifying and assessing risks,

e) the report on assets and risks,

f) the statement of applicability,

g) the risk management plan,

h) the security awareness development plan pursuant to § 9 (1) (a),

i) the handling of cyber security incidents pursuant to § 13 (e),

j) the business continuity management strategy pursuant to § 14 (1) (c), and

k) the overview of legislation, internal regulations and other regulations and contractual obligations pursuant to § 15 (1) (a).

(2) The authority and the person referred to in § 3 (e) of the Act keep and update security documentation that contains

a) the security policy pursuant to § 5 (2),

b) the methodology for identifying and evaluating assets and for identifying and assessing risks pursuant to § 4 (2) (a),

c) the report on assets and risks pursuant to § 4 (2) (b) and (c),

d) the statement of applicability pursuant to § 4 (2) (d),

e) the risk management plan pursuant to § 4 (2) (e),

f) the security awareness development plan pursuant to § 9 (1) (a),

g) the handling of cyber security incidents pursuant to § 13 (e),

h) the business continuity management strategy pursuant to § 14 (1) (c), and

i) the overview of legislation, internal regulations and other regulations and contractual obligations pursuant to § 15 (1) (a).

(3) The authority and the person referred to in § 3 (c) to (e) of the Act keep the security documentation so that the records of the activities performed are complete, legible, readily identifiable and easy to retrieve. The measures necessary for the identification, storage, protection, retrieval, period of validity and arrangement of the records of the activities performed are documented.

(4) The recommended structure of the security documentation is laid down in Annex 4 to this Decree.



§ 29

Proof of certification

The authority and the person referred to in § 3 (c) to (e) of the Act whose information system of the critical information infrastructure, communication system of the critical information infrastructure or significant information system is fully included in the scope of an information security management system that has been certified according to the relevant technical standard^1) by an accredited certification body, and who document

a) a description of the scope of the information security management system,

b) a statement of the information security management policy and objectives,

c) a description of the risk assessment method used and the risk assessment report,

d) the statement of applicability,

e) the information security management system certificate meeting the requirements of the relevant technical standard on information security^1),

f) the record of the review of the information security management system, including the related inputs and outputs of the review, and

g) the reports from the audits performed by the certification body, including the relevant records of the correction of identified non-conformities with the relevant standard;

meet the requirements for the introduction of security measures pursuant to the Act and this Decree.



PART THREE



CYBER SECURITY INCIDENT



§ 30

Types of cyber security incidents

(1) According to their cause, cyber security incidents are divided into the following types

a) a cyber security incident caused by a cyber attack or another event leading to penetration of the system or to limitation of the availability of services,

b) a cyber security incident caused by malicious code,

c) a cyber security incident caused by the overcoming of technical measures,

d) a cyber security incident caused by a violation of organisational measures,

e) a cyber security incident associated with the manifestation of permanently active (persistent) threats, and

f) other cyber security incidents caused by a cyber attack.

(2) According to their impact, cyber security incidents are divided into the following types

a) a cyber security incident causing a breach of the confidentiality of assets,

b) a cyber security incident causing a breach of the integrity of assets,

c) a cyber security incident causing a breach of the availability of assets, or

d) a cyber security incident causing a combination of the impacts referred to in (a) to (c).



§ 31

Categories of cyber security incidents

(1) For the purposes of handling cyber security incidents, cyber security incidents are divided, according to their consequences and negative manifestations, into the following categories

a) Category III: a very serious cyber security incident, in which the security of the provided services or assets is directly and significantly impaired. Its handling requires the immediate intervention of the operating personnel, who must use all available means to prevent the further spread of the cyber security incident, including minimising the damage incurred and the potential damage.

b) Category II: a serious cyber security incident, in which the security of the provided services or assets is breached. Its handling requires the immediate intervention of the operating personnel, who must use appropriate means to prevent the further spread of the cyber security incident, including minimising the damage incurred.

c) Category I: a less serious cyber security incident, in which a less significant breach of the security of the provided services or assets occurs. Its handling requires the intervention of the operating personnel, who must use appropriate means to limit the further spread of the cyber security incident, including minimising the damage incurred.

(2) The authority and the person referred to in § 3 (c) to (e) of the Act, when categorising each cyber security incident pursuant to paragraph 1, take into account

a) the importance of the affected assets of the information system of the critical information infrastructure, the communication system of the critical information infrastructure or the significant information system,

b) the impacts on the services provided by the information system of the critical information infrastructure, the communication system of the critical information infrastructure or the significant information system,

c) the impacts on the services provided by other information systems of the critical information infrastructure, communication systems of the critical information infrastructure or significant information systems, and

d) the estimated damage and other impacts.



§ 32

Form and requirements of the report of a cyber security incident

(1) The authority and the person referred to in § 3 (c) to (e) of the Act report a cyber security incident

a) in electronic form, via

1. the electronic form published on the website of the Office,

2. e-mail to the e-mail address of the Office designated for receiving reports of cyber security incidents, published on the website of the Office,

3. a data message to the data box of the Office, or

4. the designated data interface, whose description is published on the website of the Office, or

b) in paper form, to the address of the National Cyber Security Centre published on the website of the Office.

(2) The report is sent in paper form only in cases where none of the methods referred to in paragraph 1 (a) can be used.

(3) The requirements of the report of a cyber security incident are laid down in Annex 5 to this Decree.



PART FOUR



REACTIVE MEASURES AND CONTACT DETAILS



§ 33

Reactive measures

The authority and the person referred to in § 3 (c) to (e) of the Act notify the implementation of a reactive measure and its result on the form whose specimen is given in Annex 6 to this Decree.



§ 34

Contact details

The authority and the person referred to in § 3 of the Act notify their contact details on the form whose specimen is given in Annex 7 to this Decree. The authority and the person referred to in § 3 (c) to (e) of the Act notify their contact details in the form laid down in § 32 (1) (a).



PART FIVE



ENTRY INTO FORCE

§ 35

This Decree enters into force on 1 January 2015.

Director:

Ing. Navrátil v. r.



Annex 1



Evaluation and levels of importance of assets

Four levels are used for evaluating the importance of assets. The authority or person referred to in § 3 (c) to (e) of the Act may use a different number of levels for evaluating the importance of assets than is laid down in this Annex, provided that a clear correspondence is maintained between the evaluation of asset importance it uses and the scales and levels for evaluating the importance of assets laid down in this Annex.

Where three levels of asset importance evaluation are used, it is permitted to merge either the levels low and medium, or the levels high and critical.



Scale for assessing confidentiality

+----------+------------------------------------------------------+-----------------------------------------------+
| Level    | Description                                          | Protection                                    |
|----------+------------------------------------------------------+-----------------------------------------------|
| Low      | Assets are publicly accessible or were intended for  | No protection is required.                    |
|          | publication (e.g. under Act No. 106/1999 Coll., on   |                                               |
|          | free access to information, as amended). A breach of |                                               |
|          | the confidentiality of the assets does not threaten  |                                               |
|          | the legitimate interests of the authority and the    |                                               |
|          | persons referred to in § 3 (c) to (e) of the Act.    |                                               |
|----------+------------------------------------------------------+-----------------------------------------------|
| Medium   | Assets are not publicly accessible and form the      | Access control means are used to protect      |
|          | know-how of the authority and the persons referred   | confidentiality.                              |
|          | to in § 3 (c) to (e) of the Act; protection of the   |                                               |
|          | assets is not required by any legislation or         |                                               |
|          | contractual arrangement.                             |                                               |
|----------+------------------------------------------------------+-----------------------------------------------|
| High     | Assets are not publicly accessible and their         | Means ensuring the management and recording   |
|          | protection is required by legislation, other         | of access are used to protect confidentiality.|
|          | regulations or contractual arrangements (e.g. trade  | Transfers of information over external        |
|          | secrets under Act No. 89/2012 Coll., the Civil Code; | communication networks are protected by       |
|          | personal data under Act No. 101/2000 Coll., on the   | cryptographic means.                          |
|          | protection of personal data, as amended).            |                                               |
|----------+------------------------------------------------------+-----------------------------------------------|
| Critical | Assets are not publicly accessible and require a     | Protection of confidentiality requires the    |
|          | level of protection beyond that of the previous      | registration of the persons who have accessed |
|          | category (e.g. strategic trade secrets, sensitive    | the assets and methods preventing misuse of   |
|          | personal data).                                      | the assets by administrators. Transfers of    |
|          |                                                      | information are protected by cryptographic    |
|          |                                                      | means.                                        |
+----------+------------------------------------------------------+-----------------------------------------------+



Scale for the assessment of integrity

Low
Description: The asset does not require protection in terms of integrity. A breach of the integrity of the asset does not jeopardise the legitimate interests of the authority or person referred to in § 3 (c) to (e) of the Act.
Protection: No protection is required.

Medium
Description: The asset may require protection in terms of integrity. A breach of the integrity of the asset may lead to damage to the legitimate interests of the authority or person referred to in § 3 (c) to (e) of the Act and may have minor impacts on primary assets.
Protection: Standard tools (e.g. restriction of write access rights) are used to protect integrity.

High
Description: The asset requires protection in terms of integrity. A breach of the integrity of the asset leads to damage to the legitimate interests of the authority or person referred to in § 3 (c) to (e) of the Act, with substantial impact on primary assets.
Protection: Special means are used that allow the history of changes to be tracked and that record the identity of the person making the change. The integrity of information transmitted outside the organisation over communication networks is ensured by cryptographic means.

Critical
Description: The asset requires protection in terms of integrity. A breach of integrity leads to very serious damage to the legitimate interests of the authority or person referred to in § 3 (c) to (e) of the Act, with direct and very serious effects on primary assets.
Protection: Special means are used that unambiguously identify the person making the change (e.g. digital signature technology).



Scale for the assessment of availability

Low
Description: Disruption of the availability of the asset is not important and, in the event of a failure, a longer period for restoration (approx. 1 week) is normally tolerated.
Protection: Regular backup is sufficient to protect availability.

Medium
Description: Disruption of the availability of the asset should not exceed one working day; a longer failure leads to a possible threat to the interests of the authority or person referred to in § 3 (c) to (e) of the Act.
Protection: Common backup and recovery methods are used to protect availability.

High
Description: Disruption of the availability of the asset should not exceed a period of hours. Any failure must be addressed without delay, because it leads to a direct threat to the interests of the authority or person referred to in § 3 (c) to (e) of the Act. The assets are considered very important.
Protection: Backup systems are used to protect availability; restoration of service provision may require intervention by service personnel or replacement of technical assets.

Critical
Description: Disruption of the availability of the asset is not permissible, and even short-term unavailability (of the order of several minutes) leads to a serious threat to the interests of the authority or person referred to in § 3 (c) to (e) of the Act. The assets are considered critical.
Protection: Backup systems are used to protect availability; restoration of service provision is short-term and automated.



Annex 2

Risk assessment

Risk is expressed as a function of impact, threat and vulnerability.

In particular, the following function can be used for risk assessment:

risk = threat x vulnerability x impact.

An unambiguous definition of the function used to determine risk is an essential part of the methodology for identifying and evaluating risks.



Scale for impact assessment

Low: The impact is limited in time, minor in nature and not catastrophic. The extent of damage does not exceed
a) 10 injured persons with subsequent hospitalisation for longer than 24 hours, or
b) financial or material loss of up to CZK 5 000 000, or
c) an impact on the public consisting of a major restriction of necessary services or other serious interference with everyday life affecting at most 250 persons.

Medium: The impact is limited in extent and in time. The extent of damage ranges over
a) up to 10 dead, or 11 to 100 persons with subsequent hospitalisation for longer than 24 hours, or
b) financial or material loss from CZK 5 000 000 to CZK 50 000 000, or
c) an impact on the public consisting of a major restriction of necessary services or other serious interference with everyday life affecting 251 to 2 500 persons.

High: The impact is limited in extent but permanent or catastrophic. The extent of damage ranges over
a) 11 to 100 dead, or 101 to 1 000 persons with subsequent hospitalisation for longer than 24 hours, or
b) financial or material loss from CZK 50 000 000 to CZK 500 000 000, or
c) an impact on the public consisting of a major restriction of necessary services or other serious interference with everyday life affecting 2 501 to 25 000 persons.

Critical: The impact is extensive, permanent and catastrophic. The extent of damage ranges over
a) 101 or more dead, or 1 001 or more persons with subsequent hospitalisation for longer than 24 hours, or
b) financial or material loss exceeding CZK 500 000 000, or
c) an impact on the public consisting of a major restriction of necessary services or other serious interference with everyday life affecting more than 25 000 persons.



Scale for threat assessment

Low: The threat does not exist or is improbable. The expected realisation of the threat is not more frequent than once per 5 years.

Medium: The threat is improbable to probable. The expected realisation of the threat is in the range from once per year to once per 5 years.

High: The threat is probable to very probable. The expected realisation of the threat is in the range from once per month to once per year.

Critical: The threat is very probable to more or less certain. The expected realisation of the threat is more frequent than once per month.



Scale for vulnerability assessment

Low: The vulnerability does not exist, or exploitation of the vulnerability is unlikely. High-quality security measures are in place that are able to detect possible weaknesses or attempts to overcome the measures in time.

Medium: Exploitation of the vulnerability is unlikely to probable. High-quality security measures are in place and their effectiveness is checked regularly. The ability of the security measures to detect possible weaknesses or attempts to overcome them in time is limited. No successful attempts to overcome the security measures are known.

High: Exploitation of the vulnerability is probable to very probable. Security measures are in place, but their effectiveness does not cover all necessary aspects and is not checked regularly. Minor successful attempts to overcome the security measures are known.

Critical: Exploitation of the vulnerability is very probable to more or less certain. Security measures are not implemented or their effectiveness is considerably limited. Checks of the effectiveness of the security measures are not carried out. Successful attempts to overcome the security measures are known.



Scale for risk assessment

Low: The risk is considered acceptable.

Medium: The risk may be reduced by less demanding measures or, where the measures would be more demanding, the risk is acceptable.

High: The risk is not acceptable and systematic steps to eliminate it must be launched.

Critical: The risk is unacceptable and steps to eliminate it must be launched immediately.



If the authority or person referred to in § 3 (c) to (e) of the Act uses a method for identifying and evaluating risks that does not distinguish between the evaluation of threats and the evaluation of vulnerabilities, the scales for evaluating threats and vulnerabilities may be merged. Merging the scales must not lead to a loss of the ability to distinguish the levels of threat and vulnerability; for this purpose, for example, a comment can be used that clearly expresses how the threat level and the vulnerability level are reflected. The same applies to an authority or person referred to in § 3 (c) to (e) of the Act that uses a different number of levels for evaluating impact, threat, vulnerability and risk.
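A worked rating using the Annex 2 scales, added here as an example that is not part of the Decree: it derives the impact level from the casualty, financial-loss and affected-persons criteria of the impact scale, the threat level from the expected interval between realisations of the threat, and combines the three factors with the product function given above. The Annex does not say how the numeric product maps onto the four risk levels and does not define how many days a "month" or "year" is; the thresholds in `RISK_THRESHOLDS`, the day counts `MONTH_DAYS` and `YEAR_DAYS`, the reading of each boundary value as the upper bound of the lower level, and the function names are assumptions of this example.

```python
from enum import IntEnum


class Level(IntEnum):
    """The four levels used by every Annex 2 scale, ordered so that a larger
    value is worse; the product function multiplies these ordinals."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


def impact_level(dead=0, hospitalised=0, loss_czk=0, affected_persons=0):
    """Rate a scenario on the Annex 2 impact scale.

    The three criteria of the scale are rated independently and the worst one
    decides: a) deaths and persons hospitalised for more than 24 hours,
    b) financial or material loss in CZK, c) persons affected by a major
    restriction of necessary services. Each boundary value is read as the
    upper bound of the lower level (an assumption of this example).
    """
    # a) casualties: the Low level mentions only hospitalisations, so a single
    # death already puts the scenario at Medium.
    if dead >= 101 or hospitalised >= 1001:
        casualties = Level.CRITICAL
    elif dead >= 11 or hospitalised >= 101:
        casualties = Level.HIGH
    elif dead >= 1 or hospitalised >= 11:
        casualties = Level.MEDIUM
    else:
        casualties = Level.LOW

    # b) financial or material loss
    if loss_czk > 500_000_000:
        loss = Level.CRITICAL
    elif loss_czk > 50_000_000:
        loss = Level.HIGH
    elif loss_czk > 5_000_000:
        loss = Level.MEDIUM
    else:
        loss = Level.LOW

    # c) impact on the public
    if affected_persons > 25_000:
        public = Level.CRITICAL
    elif affected_persons > 2_500:
        public = Level.HIGH
    elif affected_persons > 250:
        public = Level.MEDIUM
    else:
        public = Level.LOW

    return max(casualties, loss, public)


# Day counts assumed by this example for "month" and "year" in the threat scale.
MONTH_DAYS = 30
YEAR_DAYS = 365


def threat_level(expected_interval_days):
    """Rate a threat by the expected interval between its realisations."""
    if expected_interval_days >= 5 * YEAR_DAYS:   # once per 5 years or rarer
        return Level.LOW
    if expected_interval_days >= YEAR_DAYS:       # between 1 year and 5 years
        return Level.MEDIUM
    if expected_interval_days >= MONTH_DAYS:      # between 1 month and 1 year
        return Level.HIGH
    return Level.CRITICAL                         # more often than monthly


# Assumed mapping of the product (1..64) onto the risk scale; the Decree leaves
# this to the organisation's own methodology.
RISK_THRESHOLDS = ((4, Level.LOW), (12, Level.MEDIUM), (27, Level.HIGH))


def risk_level(threat, vulnerability, impact):
    """risk = threat x vulnerability x impact, mapped onto the risk scale."""
    product = int(threat) * int(vulnerability) * int(impact)
    for upper, level in RISK_THRESHOLDS:
        if product <= upper:
            return level
    return Level.CRITICAL


def rate_scenario(expected_interval_days, vulnerability, **impact_inputs):
    """Rate one scenario end to end; returns the three factors and the result."""
    threat = threat_level(expected_interval_days)
    impact = impact_level(**impact_inputs)
    return {
        "threat": threat,
        "vulnerability": Level(vulnerability),
        "impact": impact,
        "risk": risk_level(threat, vulnerability, impact),
    }


if __name__ == "__main__":
    # Constructed scenario: a threat expected roughly every quarter, weak
    # controls (High vulnerability), CZK 8 million loss and 300 people
    # deprived of a necessary service. Rates as High risk (3 x 3 x 2 = 18).
    print(rate_scenario(90, Level.HIGH, loss_czk=8_000_000, affected_persons=300))
```

Because the worst criterion decides the impact level, a scenario with a small financial loss but many affected persons rates as high as its public impact alone would; the same rule applies when threat and vulnerability are merged into one factor as the Annex permits, in which case the merged level replaces the two separate ordinals in the product.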



Annex 3

Minimum requirements for cryptographic algorithms

(1) Symmetric algorithms

a) Stream and block ciphers for the protection of confidentiality and integrity

1. Advanced Encryption Standard (AES) with key lengths of 128, 192 and 256 bits. Triple Data Encryption Standard (3DES) with a key length of 168 bits, restricted use only with a key load of less than 10 GB; migrate gradually to AES.

2. Triple Data Encryption Standard (3DES) with a key length of 112 bits, restricted use only with a key load of less than 10 MB; migrate gradually to AES. It is recommended to use a unique key for each message.

3. Blowfish with a minimum key length of 128 bits, restricted use only with a key load of less than 10 GB.

4. Kasumi with a key length of 128 bits, restricted use only with a key load of less than 10 GB.

5. Twofish with key lengths of 128 to 256 bits.

6. Serpent with key lengths of 128, 192 and 256 bits.

7. Camellia with key lengths of 128, 192 and 256 bits.

8. SNOW 2.0 and SNOW 3G with key lengths of 128 and 256 bits.

b) Encryption modes with integrity protection

1. CCM,

2. EAX,

3. OCB,

4. composite schemes of the "Encrypt-then-MAC" type.

Note:

In "Encrypt-then-MAC" schemes, only the encryption modes listed below may be used for encryption, and only the integrity protection modes listed below may be used to compute the MAC.

c) Encryption modes

1. CTR,

2. OFB,

3. CBC,

4. CFB.

Note:

CBC and CFB modes must be used with a random initialization vector that is unpredictable to an attacker; in OFB mode the initialization vector value must not be repeated for a given key; in CTR mode the counter value must not be repeated for a given key; where CBC mode is used without integrity protection, resistance to padding attacks on CBC mode must be verified.

d) Integrity protection modes

1. HMAC,

2. CBC-MAC-X9.19, restricted use only with a load of fewer than 10^9 MACs,

3. CBC-MAC-EMAC,

4. CMAC.
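A usage guard that enforces the conditions stated in (1)(a), (1)(c) and (1)(d) above, added here as an example that is not part of the Decree and is not the API of any cipher library: it tracks one symmetric key, hands out random IVs for CBC and CFB, refuses a repeated IV under OFB, refuses overlapping counter ranges under CTR, refuses CBC without either a listed integrity mode or a recorded padding-attack resistance check, and retires the key once the stated data-volume or MAC-count limit would be reached. It performs no encryption itself; the application asks it to authorise each operation before calling its cipher library. The class and function names, the decimal reading of GB and MB, and the representation of the padding-attack check as a constructor flag are assumptions of this example.

```python
import secrets

# Decimal units are an assumption of this example; the Annex states "10 GB"
# and "10 MB" without defining them.
GB = 10**9
MB = 10**6

# Data-volume limits per key from Annex 3 (1)(a). Algorithms the Annex lists
# without a limit (AES, Twofish, Serpent, Camellia, SNOW) are absent here and
# receive no volume check.
KEY_LOAD_LIMITS = {
    "3DES-168": 10 * GB,
    "3DES-112": 10 * MB,
    "Blowfish": 10 * GB,
    "Kasumi": 10 * GB,
}
# MAC-count limit from Annex 3 (1)(d).
MAC_COUNT_LIMITS = {"CBC-MAC-X9.19": 10**9}

ENCRYPTION_MODES = {"CTR", "OFB", "CBC", "CFB"}                      # (1)(c)
INTEGRITY_MODES = {"HMAC", "CBC-MAC-X9.19", "CBC-MAC-EMAC", "CMAC"}  # (1)(d)


class CryptoPolicyError(Exception):
    """An operation would violate one of the Annex 3 usage conditions."""


class KeyUsageGuard:
    """Usage accounting for one symmetric key (assumed class, not a library API)."""

    def __init__(self, algorithm, mode, block_size=16, integrity_mode=None,
                 padding_oracle_tested=False):
        if mode not in ENCRYPTION_MODES:
            raise CryptoPolicyError(f"{mode} is not a listed encryption mode")
        if integrity_mode is not None and integrity_mode not in INTEGRITY_MODES:
            raise CryptoPolicyError(f"{integrity_mode} is not a listed integrity mode")
        # Note to (1)(c): CBC without integrity protection only after resistance
        # to padding attacks has been verified (recorded here as a flag).
        if mode == "CBC" and integrity_mode is None and not padding_oracle_tested:
            raise CryptoPolicyError("CBC without integrity protection requires a "
                                    "verified resistance to padding attacks")
        self.algorithm = algorithm
        self.mode = mode
        self.block_size = block_size
        self.integrity_mode = integrity_mode
        self.bytes_used = 0
        self.macs_issued = 0
        self._issued_ivs = set()   # IVs produced by fresh_iv()
        self._used_ivs = set()     # IVs already consumed under this key
        self._ctr_ranges = []      # (start, end) counter intervals consumed

    def fresh_iv(self):
        """Random, attacker-unpredictable IV as CBC and CFB require."""
        iv = secrets.token_bytes(self.block_size)
        self._issued_ivs.add(iv)
        return iv

    def _counter_range(self, counter_block, nbytes):
        """Counter blocks [start, end) that a CTR message of nbytes consumes."""
        start = int.from_bytes(counter_block, "big")
        nblocks = max(1, -(-nbytes // self.block_size))  # ceiling division
        end = start + nblocks
        if end > 2 ** (8 * self.block_size):
            raise CryptoPolicyError("CTR counter would wrap around")
        for s, e in self._ctr_ranges:
            if start < e and s < end:
                raise CryptoPolicyError("CTR counter value reused under this key")
        return start, end

    def authorize_encrypt(self, iv, nbytes):
        """Return True if encrypting nbytes with this IV/counter is allowed."""
        if len(iv) != self.block_size:
            raise CryptoPolicyError("IV/counter must be exactly one cipher block")
        limit = KEY_LOAD_LIMITS.get(self.algorithm)
        if limit is not None and self.bytes_used + nbytes >= limit:
            raise CryptoPolicyError(f"{self.algorithm}: key load limit reached, rotate the key")
        if self.mode in ("CBC", "CFB") and iv not in self._issued_ivs:
            raise CryptoPolicyError(f"{self.mode}: IV must come from fresh_iv()")
        if self.mode == "CTR":
            self._ctr_ranges.append(self._counter_range(iv, nbytes))
        elif iv in self._used_ivs:
            raise CryptoPolicyError(f"{self.mode}: IV reused under this key")
        self._used_ivs.add(iv)
        self.bytes_used += nbytes
        return True

    def authorize_mac(self):
        """Return True if one more MAC may be computed under this key."""
        limit = MAC_COUNT_LIMITS.get(self.integrity_mode)
        if limit is not None and self.macs_issued + 1 >= limit:
            raise CryptoPolicyError(f"{self.integrity_mode}: MAC count limit reached")
        self.macs_issued += 1
        return True


def violates(operation, *args, **kwargs):
    """True if the guard refuses the operation; handy for policy self-checks."""
    try:
        operation(*args, **kwargs)
    except CryptoPolicyError:
        return True
    return False
```

The guard treats the CTR counter as a range rather than a single value because a long message consumes many consecutive counter blocks; two messages whose initial counters differ can still overlap, which is the repetition the note to (1)(c) forbids. A refusal on the key load limit is the signal to generate a new key, which is also why the 3DES entries recommend a unique key per message.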



(2) Asymmetric algorithms

a) Digital signature technology

1. Digital Signature Algorithm (DSA) with a key length of 2048 bits or more and a cyclic subgroup parameter length of 224 bits or more.

2. Elliptic Curve Digital Signature Algorithm (EC-DSA) with a key length of 224 bits or more.

3. Rivest-Shamir-Adleman Probabilistic Signature Scheme (RSA-PSS) with a key length of 2048 bits or more.

b) Key agreement processes and key encryption

1. Diffie-Hellman (DH) with a key length of 2048 bits or more and a cyclic subgroup parameter length of 224 bits or more.

2. Elliptic Curve Diffie-Hellman (ECDH) with a key length of 224 bits or more.

3. Elliptic Curve Integrated Encryption Scheme - Key Encapsulation Mechanism (ECIES-KEM) with a key length of 256 bits or more.

4. Provably Secure Elliptic Curve Key Encapsulation Mechanism (PSEC-KEM) with a key length of 256 bits or more.

5. Asymmetric Cipher and Key Encapsulation Mechanism (ACE-KEM) with a key length of 256 bits or more.

6. Rivest-Shamir-Adleman Optimal Asymmetric Encryption Padding (RSA-OAEP) with a key length of 2048 bits or more.

7. Rivest-Shamir-Adleman Key Encapsulation Mechanism (RSA-KEM) with a key length of 2048 bits or more.



(3) Hash functions

a) SHA-2

1. SHA-224,

2. SHA-256,

3. SHA-384,

4. SHA-512,

5. SHA-512/224,

6. SHA-512/256.

b) SHA-3

1. SHA3-224,

2. SHA3-256,

3. SHA3-384,

4. SHA3-512,

5. SHAKE-128,

6. SHAKE-256.

c) Other hash functions

1. Whirlpool,

2. RIPEMD-160,

3. SHA-1 with restricted use.

Note 1:

SHA-1 must not be used for generating new digital signatures or time stamps, or in any other application that requires collision resistance of SHA-1.

Note 2:

SHA-1 may be used only for verifying existing digital signatures and time stamps, for generating and verifying HMAC-SHA1, in key derivation functions and in pseudorandom generators.



Annex 4

Structure of the security documentation

This Annex contains the recommended content of the security documentation. The proposed structure of each document lists the topics that the respective document referred to in this Decree should cover. The structure of the documents is not binding, and it is up to the authority or person referred to in § 3 (c) to (e) of the Act how it approaches the creation of its security documentation. It is also permissible to change the names of the individual documents or to combine several topics into one document.



I.

Structure of the security policy

(1) Information security management policy *

[§ 5 para. 1 (a), § 5 para. 2 (a)]

a) Principles, objectives and needs of information security management.

b) Scope and boundaries of the information security management system.

c) Rules and procedures for documentation management.

d) Rules and procedures for resource management and for the operation of the information security management system.

e) Rules and procedures for conducting cyber security audits.

f) Rules and procedures for reviewing the information security management system.

g) Rules and procedures for corrective action and improvement of the information security management system.

(2) Organisational security policy **

[§ 5 para. 1 (b), § 5 para. 2 (b)]

a) Definition of security roles and their rights and obligations:

1. rights and obligations of the cyber security manager,

2. rights and obligations of the cyber security architect,

3. rights and obligations of the cyber security auditor,

4. rights and obligations of asset guarantors,

5. rights and obligations of the cyber security management committee.

b) Determination of the requirements for the performance of the activities of the individual security roles.

(3) Supplier management policy **

[§ 5 para. 1 (c), § 5 para. 2 (c)]

a) Rules and principles for selecting suppliers.

b) Rules for assessing supplier risk.

c) Requirements for service level agreements, for the arrangements and the level of implementation of security measures, and the determination of mutual contractual liability.

d) Rules for checking the implementation of security measures.

e) Methods of evaluating suppliers.

(4) Asset classification policy **

[§ 5 para. 1 (d), § 5 para. 2 (d)]

a) Identification, evaluation and registration of primary assets:

1. determination and registration of the individual primary assets, including determination of their guarantors,

2. evaluation of the importance of primary assets in terms of confidentiality, integrity and availability.

b) Identification and registration of supporting assets:

1. determination and registration of the individual supporting assets, including determination of their guarantors,

2. determination of the links between primary and supporting assets.

c) Rules for the protection of the individual levels of assets:

1. ways of distinguishing the individual levels of assets,

2. rules for handling and registering assets according to asset level,

3. permissible uses of assets.

d) Reliable ways of erasing or destroying technical data carriers.



(5) Human resources security policy **

[§ 5 para. 1 (e), § 5 para. 2 (e)]

a) Rules for developing security awareness and ways of reviewing it:

1. methods and forms of instructing users,

2. methods and forms of instructing asset guarantors,

3. methods and forms of instructing administrators,

4. methods and forms of instructing persons holding other security roles.

b) Security training of new employees.

c) Rules for handling breaches of the security policy of the information security management system.

d) Rules for the termination of employment or change of position:

1. return of entrusted assets and removal of rights on termination of employment,

2. change of access rights on change of position.

(6) Operations and communications management policy **

[§ 5 para. 1 (f), § 5 para. 2 (f)]

a) Powers and responsibilities associated with secure operation.

b) Procedures for secure operation.

c) Requirements and standards for secure operation.

d) Management of technical vulnerabilities.

e) Rules and restrictions for cyber security audits and security testing.

(7) Access control policy **

[§ 5 para. 1 (g), § 5 para. 2 (g)]

a) The principle of least privilege and need to know.

b) Access control requirements.

c) Access control life cycle.

d) Control of privileged permissions.

e) Access control for emergency situations.

f) Regular review of access rights, including the assignment of individual users to access groups.

(8) Policy on secure user behaviour *

[§ 5 para. 1 (h), § 5 para. 2 (h)]

a) Rules for secure handling of assets.

b) Secure use of passwords.

c) Secure use of electronic mail and internet access.

d) Secure remote access.

e) Secure behaviour on social networks.

f) Security in relation to mobile devices.

(9) Backup and recovery policy **

[§ 5 para. 1 (i), § 5 para. 2 (i)]

a) Backup and recovery requirements.

b) Backup rules and procedures.

c) Rules for the secure storage of backups.

d) Recovery rules and procedures.

e) Rules and procedures for testing backup and recovery.



(10) Policy on secure transfer and exchange of information **

[§ 5 para. 1 (j)]

a) Rules and procedures for protecting transmitted information.

b) Ways of protecting electronic information exchange.

c) Rules for the use of cryptographic protection.

(11) Technical vulnerability management policy **

[§ 5 para. 1 (k)]

a) Rules restricting the installation of software,

b) rules and procedures for searching for software patches,

c) rules and procedures for testing software patches,

d) rules and procedures for deploying software patches.

(12) Policy on the secure use of mobile devices *

[§ 5 para. 1 (l)]

a) Rules and procedures for the secure use of mobile devices.

b) Rules and procedures for securing devices that the authority or person referred to in § 3 (c) and (d) of the Act does not own.

(13) Policy on the provision and acquisition of software and information licences *

[§ 5 para. 1 (m), § 5 para. 2 (j)]

a) Rules and procedures for software deployment and its registration.

b) Rules and procedures for monitoring compliance with licence terms.

(14) Policy on long-term storage and archiving of information

[§ 5 para. 1 (n)]

a) Rules and procedures for archiving documents and records.

b) Protection of archived documents and records.

c) Rules for access to archived documents and records.

(15) Personal data protection policy *

[§ 5 para. 1 (o), § 5 para. 2 (k)]

a) Characteristics of the processing of personal data.

b) Description of the adopted and implemented organisational measures for the protection of personal data.

c) Description of the adopted and implemented technical measures for the protection of personal data.



(16) Physical security policy **

[§ 5 para. 1 (p)]

a) Rules for the protection of premises.

b) Rules for controlling the entry of persons.

c) Rules for the protection of equipment.

d) Detection of physical security breaches.

(17) Communication network security policy **

[§ 5 para. 1 (q)]

a) Rules and procedures for ensuring network security.

b) Determination of rights and obligations for the secure operation of the network.

c) Rules and procedures for managing access within the network.

d) Rules and procedures for protecting remote access to the network.

e) Rules and procedures for network monitoring and evaluation of operational records.

(18) Policy on protection against malicious code *

[§ 5 para. 1 (r), § 5 para. 2 (m)]

a) Rules and procedures for protecting communication between internal and external networks.

b) Rules and procedures for protecting servers and shared data storage.

c) Rules and procedures for protecting workstations.

(19) Policy on the deployment and use of tools for detecting cyber security events **

[§ 5 para. 1 (s), § 5 para. 2 (n)]

a) Rules and procedures for deploying tools for detecting cyber security events.

b) Operational procedures for evaluating and responding to a detected cyber security incident.

c) Rules and procedures for optimising tools for detecting cyber security events.

(20) Policy on the use and maintenance of tools for collecting and evaluating cyber security events **

[§ 5 para. 1 (t)]

a) Rules and procedures for recording and evaluating cyber security events.

b) Rules and procedures for regularly updating the rules for evaluating cyber security events.

c) Rules and procedures for the optimal configuration of the security functions of tools for collecting and evaluating cyber security incidents.

(21) Policy on the secure use of cryptographic protection **

[§ 5 para. 1 (u), § 5 para. 2 (l)]

a) Level of protection with regard to the type and strength of the cryptographic algorithm.

b) Rules for the cryptographic protection of information:

1. in transit over communication networks,

2. when stored on mobile devices or removable technical data carriers.

c) Key management system.



II.

Structure of the additional documentation

(1) Cyber security audit report **

[§ 28 para. 1 (b)]

a) Objectives of the cyber security audit.

b) Subject of the cyber security audit.

c) Cyber security audit criteria.

d) Identification of the audit team and of the persons who took part in the cyber security audit.

e) Date and place where the cyber security audit activities were carried out.

f) Cyber security audit findings.

g) Cyber security audit conclusions.

(2) Report from the review of the information security management system **

[§ 28 para. 1 (c)]

a) Evaluation of the measures from the previous review of the information security management system,

b) identification of changes and circumstances that may affect the information security management system,

c) feedback on the performance of information security management:

1. nonconformities and corrective measures,

2. results of monitoring and measurement,

3. audit results,

4. security objectives,

d) results of the risk evaluation and the status of the risk management plan,

e) identification of opportunities for continuous improvement,

f) necessary decisions, recommended measures and the persons responsible for the individual activities.

(3) Methodology for identifying and evaluating assets and for identifying and evaluating risks *

[§ 28 para. 1 (d), § 28 para. 2 (b)]

a) Determination of the scales for evaluating primary assets:

1. scale for rating the level of confidentiality of assets,

2. scale for rating the level of integrity of assets,

3. scale for rating the level of availability of assets.

b) Determination of the scales for evaluating risks:

1. scale for rating the level of impact,

2. scale for rating the level of threat,

3. scale for rating the level of vulnerability,

4. scale for rating the level of risk.

c) Methods and approaches to risk management.

d) Ways of approving acceptable risks.



(4) the report on the evaluation of assets and risk **



[section 28 (1) (b), (e)), § 28 para. 2 (a). (c))]



and an overview of the primary asset)



1. identification and description of primary assets,



2. determination of the guarantors of the primary assets,



3. evaluation of primary assets in terms of confidentiality, integrity, and

availability.



(b) an overview of the supporting assets) (does not apply to the institutions and persons referred to in § 3

(a). e) of the Act)



1. identification and description of the supporting assets



2. determination of the guarantors of the supporting assets



3. determine the links between primary and supporting assets



(c) Identification and assessment of risks)



1. assessment of the possible impact on the assets,



2. evaluation of existing threats



3. evaluation of existing vulnerabilities, evaluation of existing

measures,



4. determination of the level of risk, compared with the criteria for this level

the acceptability of the risks



5. the determination and approval of acceptable risks.



(d)) risk management



1. the proposal for the method of risk management,



2. the draft measures and their implementation.



(5) statement of applicability of



[§ 28 para. 1 (b), (f)), § 28 para. 2 (a). (d))]



and an overview of selected security measures), including the rationale for their

selection and their ties to the identified risks.



(b)) for an overview of established security measures.



(6) risk management Plan **



[section 28 (1) (b), (g)), § 28 para. 2 (a). (e))]



and) content and objectives selected security measures for the management of risks.



(b)), the necessary resources for each of the security measures for the management of

risks.



c) persons responsible for the individual security measures for risk management.



d) deadlines for introducing the individual security measures for risk management.



e) method of evaluating the success of introducing the individual security measures for risk management.



(7) Security awareness development plan



[§ 28 para. 1 (h), § 28 para. 2 (f)]



a) content and schedule of user training.



b) content and schedule of training for asset guarantors (does not apply to the authorities and persons referred to in § 3 (e) of the Act).



c) content and schedule of training for administrators (does not apply to the authorities and persons referred to in § 3 (c) and (d) of the Act).



d) content and schedule of training for other persons holding a security role.



e) content and schedule of training for new employees.



f) form and method of evaluating the plan.



(8) Management of cyber security incidents **



[§ 28 para. 1 (i), § 28 para. 2 (g)]



a) definition of the categories of cyber security incidents.



b) rules and procedures for recording and handling the individual categories of cyber security incidents.



c) rules and procedures for testing the cyber security incident management system.



d) rules and procedures for evaluating cyber security incidents and for improving cyber security.



(9) Business continuity management strategy **




[§ 28 para. 1 (j), § 28 para. 2 (h)]



a) rights and obligations of the parties concerned.



b) objectives of business continuity management



1. the minimum level of services provided,



2. the time within which operation is to be restored (recovery time),



3. the point to which data are to be restored (recovery point).



c) business continuity management strategy for meeting the continuity objectives.



d) method of assessing the impact of cyber security incidents on continuity and of assessing the related risks.



e) determination of the necessary continuity plans and their content.



f) procedures for implementing measures issued by the National Security Bureau.



(10) Overview of generally binding legal regulations, internal regulations and other regulations, and contractual obligations



[§ 28 para. 1 (k), § 28 para. 2 (i)]



a) overview of generally binding legal regulations.



b) overview of internal regulations and other regulations.



c) overview of contractual obligations.



Note:



* The expected confidentiality level of the document is medium according to the scale given in Annex 1: Assessment and level of assets.



** The expected confidentiality level of the document is high according to the scale given in Annex 1: Assessment and level of assets.



Annex 5



Cyber security incident report form



Annex 6



Notification form on the implementation of reactive measures and its result



Annex 7



Reporting form for contact information



1) ISO/IEC 27001:2013 or ČSN ISO/IEC 27001:2014