Procedures by Which the Compliance of Information and Communication Technology Systems with the Minimum Security Requirements Is Ensured

Original Language Title: Kārtība, kādā tiek nodrošināta informācijas un komunikācijas tehnoloģiju sistēmu atbilstība minimālajām drošības prasībām

Read the untranslated law here: https://www.vestnesis.lv/op/2015/149.7


Cabinet of Ministers Regulation No. 442 of 28 July 2015 (Minutes No. 36, § 63)

Procedures by Which the Compliance of Information and Communication Technology Systems with the Minimum Security Requirements Is Ensured

Issued pursuant to Section 8, Paragraph five of the Information Technology Security Law and Section 4, Paragraph two of the State Information Systems Law

I. General Provisions

1. These Regulations determine:
1.1. the minimum security requirements for the information and communication technologies of State and local government institutions, and the procedures by which State and local government institutions (hereinafter referred to as the institutions) ensure that the information and communication technology systems in their possession or under their control comply with the minimum requirements;
1.2. the general security requirements for State information systems.

2. These Regulations do not apply to information and communication technology systems in which State secrets, classified information of the North Atlantic Treaty Organisation (NATO), the European Union or foreign institutions, or information for official use is processed or stored, nor to critical infrastructure information systems.

3. These Regulations apply to information and communication technology systems, including State information systems (hereinafter referred to as the systems), that are in the testing phase, as well as to systems that have been put into operation. In the other stages of a system's life cycle (planning, design, development), adequate protection of the information in the system shall be ensured.

4. In respect of State information systems, the duties that these Regulations assign to the person responsible for information technology security management are performed by the security manager of the State information system.

5. System security measures are implemented in order to:
5.1. ensure the availability of information (access to information within a defined period after a request);
5.2. ensure the integrity of information (preservation of information complete and unaltered);
5.3. ensure the confidentiality of information (disclosure of information only to those persons who are authorised to receive and use it);
5.4. protect information resources (files, including those containing information stored in the system and processed by system users, as well as the documentation of the system);
5.5. protect technical resources (computers, software, media, network equipment and other technical equipment that ensures the operation of the system);
5.6. identify system-specific security threats (intentional (deliberate) or negligent actions or events that can cause the modification, damage or destruction of the system's information or technical resources, or their access by parties that have not been authorised, or that can impede or prevent access to the system's information resources);
5.7. assess system security risks;
5.8. detect system security incidents;
5.9. restore the system after a system security incident.

6. Systems are divided into two categories: basic security systems and enhanced security systems.

7. In order to classify a system as a basic security system or an enhanced security system, the person responsible for information technology security management (hereinafter referred to as the responsible person) evaluates it according to the following methodology:
7.1. evaluate the acceptable level of the risks referred to in Sub-paragraph 13.5 of these Regulations and assign the appropriate security classes (availability, integrity and confidentiality):
7.1.1. if an unplanned interruption of the service provided by the system during working time may exceed 24 hours (in total) per month, the system is assigned availability class C;
7.1.2. if an unplanned interruption of the service provided by the system during working time may not exceed 24 hours (in total) per month but may exceed four hours (in total) per month, the system is assigned availability class B;
7.1.3. if an unplanned interruption of the service provided by the system during working time may not exceed four hours (in total) per month, the system is assigned availability class A;
7.1.4. if threats to the integrity of the data stored in the system do not endanger the functions of the institution, the system is assigned integrity class C;
7.1.5. if threats to the integrity of individual data stored in the system endanger the provision of the institution's basic functions, the system is assigned integrity class B;
7.1.6. if threats to the integrity of the data stored in the system endanger the provision of the institution's basic functions, or threats to the integrity of individual data stored in the system can endanger the national interests and values of Latvia or cause a disaster, the system is assigned integrity class A;
7.1.7. if the system contains only publicly available information, or unauthorised disclosure or leakage of the system's information does not endanger the institution, the system is assigned confidentiality class C;
7.1.8. if the system processes restricted-access information, excluding sensitive personal data, or the only consequence of unauthorised disclosure or leakage of the system's information is possible damage to the reputation of the institution, other institutions or the Republic of Latvia, the system is assigned confidentiality class B;
7.1.9. if the system processes sensitive personal data, or unauthorised disclosure or leakage of the system's information can cause consequences more serious than damage to the reputation of the institution, other institutions or the Republic of Latvia, the system is assigned confidentiality class A;
7.2. if the system is assigned three security classes B, or at least one security class A, the system is considered an enhanced security system;
7.3. in other cases the system is considered a basic security system.

8. Each institution draws up the following documents for each system and ensures the monitoring and control of compliance with their requirements:
8.1. system security policy;
8.2. system security rules;
8.3. system terms of use;
8.4. system security risk management plan;
8.5. system recovery plan.

9. The requirements referred to in Sub-paragraphs 8.2, 8.3, 8.4 and 8.5 of these Regulations do not apply to basic security systems.

10. The documents referred to in Paragraph 8 of these Regulations are approved by the head of the institution. The institution reviews all documents referred to in Paragraph 8 at least once a year, as well as in the following cases:
10.1. if changes that may affect system security are made;
10.2. if new or changed system security risks are identified;
10.3. if a sudden increase in system security incidents or a significant system security incident has occurred;
10.4. if changes in the institution's organisational structure affect the organisation of system security management;
10.5. if the laws and regulations governing the operation of the system are amended.

11. If an institution possesses or controls more than one system, it may draw up each of the documents referred to in Paragraph 8 of these Regulations as a single document covering several or all of the systems in its possession or under its control, indicating the specific requirements of each system where necessary.

12. The compliance of system security measures with the requirements referred to in Paragraph 5 of these Regulations is assessed on the basis of the results of a system security check. If significant deficiencies are found during the check, the institution takes the measures laid down in the Information Technology Security Law.
II. System Security Policy and Procurement Requirements

13. The system security policy includes:
13.1. the objectives and guidelines of the system security policy;
13.2. a description and analysis of the system in the field of security;
13.3. the principles for organising system security management;
13.4. the compliance of system security with laws, regulations and standards;
13.5. the system security principles, the acceptable level of system security risk (availability, integrity and confidentiality risks) according to the methodology referred to in Paragraph 7 of these Regulations, and other system security criteria (for example, system uptime, the conditions for system restoration, and the conditions under which daily procedures are replaced by crisis management procedures).

14. The institution ensures that the information referred to in Sub-paragraph 8.4 of these Regulations is available on the system.

15. In developing the system security policy, the institution provides that:
15.1. system users who perform system administration tasks use special user accounts (hereinafter referred to as system administrator accounts) that are not used in everyday activities;
15.2. each user account is associated with a specific natural person. If the system uses accounts that cannot be associated with a specific natural person (hereinafter referred to as system accounts), the system incorporates technical means that prevent users from using system accounts;
15.3. if the system does not use multi-factor authentication in which at least one attribute is not static in nature (for example, a code calculator or a single-use text message code) together with at least one other attribute, system users are required to use a password;
15.4. a system user's password is at least nine characters long and contains at least one uppercase Latin letter, one lowercase Latin letter, one digit and one special character;
15.5. system user passwords may not be stored or transmitted electronically in unencrypted form, including during the user authentication process, except in the case referred to in Sub-paragraph 15.7 of these Regulations;
15.6. a system user's password is not displayed in full when the user enters it;
15.7. a system user password sent over a public data communication network in unencrypted form is used only once and is valid for no longer than 72 hours after it is sent;
15.8. the system does not permit functionality that allows a system user to save the password so that it need not be entered at subsequent logins;
15.9. equipment, including the infrastructure equipment that supports the operation of the system, does not use default passwords (set by the manufacturer or distributor);
15.10. an audit trail of the system (hereinafter referred to as system records) is kept and stored for at least six months after the entry is made;
15.11. any access to the system is traceable to a specific system user account or internet protocol (IP) address;
15.12. all available software updates are installed on the system after a prior assessment of their necessity;
15.13. all end-user equipment in the possession of the institution that is used in everyday work to connect to the system has anti-virus functionality;
15.14. system functionality is performed with the minimum possible privileges.

16. The system security policy may also lay down security requirements stricter than those laid down in these Regulations, without prejudice to other laws and regulations.

17. Before an institution establishes a new system or begins procurement of its development, it develops and approves the system security policy and ensures that the policy is complied with during system development.

18. The institution ensures that intrusion tests are carried out before a new system is put into operation. Intrusion tests are carried out by a legal person or by institution staff who have not participated in the development of the system.

19. The institution ensures that the system security check referred to in Paragraph 12 of these Regulations is carried out at least once a year in the form of a documentation security check.

20. If the institution concludes an outsourcing contract with a service provider for the maintenance of a system, it monitors the performance of the contract and includes in the contract security requirements not lower than those laid down in these Regulations. The contract specifies:
20.1. a description of the outsourcing to be received;
20.2. precise requirements for the volume and quality of the outsourcing;
20.3. the rights and obligations of the institution and the outsourcing provider, including:
20.3.1. the right of the institution to continuously monitor the quality of the outsourcing provided;
20.3.2. the right of the institution to give the outsourcing provider binding instructions related to providing the outsourcing in good faith, with high quality, in a timely manner and in accordance with laws and regulations;
20.3.3. the right of the institution to submit a reasoned written request to the outsourcing provider to terminate the contract immediately if the institution finds that the outsourcing provider does not comply with the requirements specified in the contract regarding the volume or quality of the outsourcing;
20.3.4. the obligation of the outsourcing provider to give the institution the opportunity to continuously monitor the quality of the outsourcing provided.

21. If the institution begins procurement of improvements to an existing system, it ensures that appropriate security requirements are included in the procurement specification.

22. If the institution begins procurement of the development of a new system, it includes in the procurement specification requirements that:
22.1. determine the period of system maintenance and support (including the remediation of security deficiencies);
22.2. require the source code of the computer program and the right to use it to be transferred to the institution no later than at the end of the period referred to in Sub-paragraph 22.1 of these Regulations, as well as after each change or improvement made to it;
22.3. ensure that after the period referred to in Sub-paragraph 22.1 of these Regulations the operation of the system can be continued with the minimum software necessary for its functioning (for example, operating system, database management system, interpreter).

23. When procuring the development of a new system or improvements to an existing system, the institution includes in the procurement specification a prohibition on contractually restricting the rights laid down in Section 29, Paragraph one of the Copyright Law.
III. Requirements for Enhanced Security Systems

24. In developing the system security policy for an enhanced security system, the requirements referred to in Paragraph 15 of these Regulations are taken into account and, in addition, it is provided that:
24.1. each system user is required to change the password no later than every 90 days, but changing the password more than twice within 24 hours is prohibited;
24.2. a system user's password must be chosen so that it does not coincide with any of the user's five previous passwords;
24.3. after five consecutive incorrect login attempts, the system user account (except a system administrator account) is blocked immediately;
24.4. a system administrator account may be used to access the system from equipment outside the institution's premises, or from equipment not in the institution's possession, only with multi-factor authentication;
24.5. physical access to the premises that ensure the operation of the system is permitted only to persons authorised by the institution;
24.6. system records are generated and stored for at least 18 months after the entry is made, and the system records or copies of them are stored separately from the system;
24.7. system records are generated so that the recorded time matches the actual time of the event in Coordinated Universal Time (UTC) to within one second;
24.8. the content of system records is monitored and systematically analysed in order to detect incidents;
24.9. error messages visible to system users contain only the minimum information necessary for the user to resolve the error, alone or with the assistance of support staff;
24.10. the data flow between the system and its users, as well as between the system and other systems, is controlled, for example by means of a firewall;
24.11. network services that are not used in the operation of the system are disabled;
24.12. the development and testing of the system may not harm the integrity of the data stored in the system;
24.13. deployment of the system on resources provided by an outsourcing provider is permitted only if the service provider is a legal person registered in a Member State of the European Union or the European Economic Area and the information stored in the system is located only in the European Union or the European Economic Area.

25. The system security rules determine:
25.1. the procedures for creating, supplementing, changing, processing, transmitting, storing, restoring and destroying system information resources;
25.2. the procedures for accounting for and controlling the system's information and technical resources;
25.3. the procedures by which access to system information and technical resources is ensured;
25.4. the procedures for creating and storing backup copies of information resources, as well as the procedures for checking that system information resources can be restored from the backup copies;
25.5. the procedures for using, handling, storing and disposing of media;
25.6. the procedures for using and storing the information or data required to access system information and technical resources;
25.7. the requirements for protecting system information resources that are implemented by means of software features (for example, identification of the system user and verification of the user's authorisation to perform the relevant activities in the system, and protection of the system's information resources from intentional or accidental damage or destruction);
25.8. the requirements for protecting system technical resources against physical security threats to the system (for example, fire, flooding, voltage surges or drops in the power supply network, theft of system technical resources, or air humidity or temperature outside the operating requirements);
25.9. the procedures for responding to identified system security risks;
25.10. the procedures for detecting and handling system security incidents;
25.11. the procedures under which the system operates if its information or technical resources are not fully available;
25.12. the procedures for changing the system's technical resources;
25.13. the procedures for training the institution's staff and verifying their knowledge in the field of system security.

26. The system terms of use include:
26.1. the rights, obligations, restrictions and responsibilities of system users;
26.2. the procedures for registering and deregistering system users;
26.3. the procedures for using the system;
26.4. the procedures for supporting system users.

27. The system security risk management plan includes:
27.1. the methodology of the risk analysis to be carried out;
27.2. the system security risk analysis;
27.3. the system security risk mitigation measures, their deadlines, funding and the persons responsible for their implementation.

28. In implementing the system security risk management plan, the acceptable level of system security risk is ensured.

29. The system security risk management plan is developed and updated on the basis of the system security risk analysis.

30. The system security risk analysis includes:
30.1. a list of security risks, an assessment of their likelihood and a list of the indicators of their occurrence;
30.2. an assessment of the potential losses or damage to the institution, the data subjects of the system and system users if a system security incident occurs;
30.3. an assessment of system security risks;
30.4. a list of system security risk mitigation measures and of the means to be used;
30.5. an assessment of the cost-effectiveness of system security risk mitigation measures.

31. System security risks are analysed whenever changes that affect system security are planned.

32. The institution ensures that the resources spent on system security risk mitigation measures are commensurate with the potential losses or damage that a system security incident could cause to the institution, the data subjects and system users.

33. The system recovery plan includes:
33.1. the measures for restoring system information and technical resources after a system security incident;
33.2. the procedures for system restoration in the event of an incident;
33.3. the procedures for notifying the persons responsible for participating in system restoration activities, and their operating instructions;
33.4. the training, exercise and test plan for the persons responsible.

34. For enhanced security systems accessible through a public data communication network, the institution ensures that the system security check referred to in Paragraph 12 of these Regulations is carried out at least once every two years by ordering an external documentation security audit and intrusion tests. The procurement of these services is organised centrally by the Ministry of Defence.

35. When ordering an external security check of an enhanced security system, the institution ensures that the legal person carrying out the audit is registered in a NATO, European Union or European Economic Area Member State, that its employees involved in the security audit are citizens of a NATO, European Union or European Economic Area state or non-citizens of the Republic of Latvia, and that the legal person processes the information obtained during the audit only in NATO, European Union or European Economic Area countries.

36. An outsourcing contract for the maintenance of an enhanced security system may be concluded only with a legal person registered in a NATO, European Union or European Economic Area Member State, or with a natural person who is a citizen of a NATO, European Union or European Economic Area state or a non-citizen of the Republic of Latvia.
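The password requirements of Sub-paragraph 15.4 and Sub-paragraphs 24.1 to 24.3 above, worked through as an account state machine (an added example, not part of the regulation or of any institution's code; the special-character set, the PBKDF2 parameters, the reading of "Latin letter" as ASCII and the use of Unix seconds for time are assumptions):

```python
"""Password-policy state machine for Sub-paragraphs 15.4 and 24.1-24.3 of
Regulation No. 442. Added example, not part of the regulation; the special
character set and the PBKDF2 parameters are assumptions. Times are Unix seconds."""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

DAY = 86_400
MIN_LENGTH = 9                       # 15.4: at least nine characters
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")  # assumed "special symbols"
HISTORY_DEPTH = 5                    # 24.2: differ from the five previous passwords
MAX_AGE = 90 * DAY                   # 24.1: change no later than every 90 days
MAX_CHANGES_PER_DAY = 2              # 24.1: at most two changes within 24 hours
LOCKOUT_FAILURES = 5                 # 24.3: five consecutive failures block the account

def complexity_errors(password: str) -> list:
    """Return the 15.4 requirements the password fails (empty list if compliant).
    'Latin letter' is read as ASCII A-Z / a-z, so Latvian diacritics do not count."""
    checks = {
        "length": len(password) >= MIN_LENGTH,
        "uppercase": any("A" <= c <= "Z" for c in password),
        "lowercase": any("a" <= c <= "z" for c in password),
        "digit": any("0" <= c <= "9" for c in password),
        "special": any(c in SPECIALS for c in password),
    }
    return [name for name, ok in checks.items() if not ok]

def _digest(password: str, salt: bytes) -> bytes:
    # One salt per account keeps history entries comparable; iteration count is assumed.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

@dataclass
class Account:
    """One user account with the state the enhanced-security rules require."""
    is_admin: bool = False
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    history: list = field(default_factory=list)        # password digests, newest last
    change_times: list = field(default_factory=list)   # Unix seconds of each change
    failed_logins: int = 0
    blocked: bool = False

    def set_password(self, new: str, now: float) -> list:
        """Apply 15.4, the 24.1 frequency limit and 24.2; return violated rules or []."""
        errors = complexity_errors(new)
        digest = _digest(new, self.salt)
        if any(hmac.compare_digest(digest, old) for old in self.history[-HISTORY_DEPTH:]):
            errors.append("reused")
        if sum(now - t < DAY for t in self.change_times) >= MAX_CHANGES_PER_DAY:
            errors.append("too_frequent")
        if not errors:
            self.history.append(digest)
            self.change_times.append(now)
        return errors

    def must_change(self, now: float) -> bool:
        """24.1: the password expires 90 days after it was last set."""
        return not self.change_times or now - self.change_times[-1] >= MAX_AGE

    def login(self, password: str, now: float) -> str:
        """Return 'ok', 'expired', 'blocked' or 'denied', enforcing the 24.3 lockout."""
        if self.blocked:
            return "blocked"
        if self.history and hmac.compare_digest(_digest(password, self.salt), self.history[-1]):
            self.failed_logins = 0
            return "expired" if self.must_change(now) else "ok"
        self.failed_logins += 1
        if self.failed_logins >= LOCKOUT_FAILURES and not self.is_admin:
            self.blocked = True            # 24.3 exempts administrator accounts
        return "denied"
```

An expired password still authenticates but returns "expired", so the caller can force a change before granting access; the 24.1 frequency limit counts the initial password as a change.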
IV. Closing Provisions

37. Cabinet Regulation No. 765 of 11 October 2005, General Security Requirements for State Information Systems (Latvijas Vēstnesis, 2005, No. 164; 2008, No. 195; 2009, No. 85; 2010, No. 150; 2011, No. 19), is repealed.

38. Institutions approve the documents referred to in Paragraph 8 of these Regulations by 1 January 2017. Documents drawn up before these Regulations enter into force remain in force in respect of the information systems insofar as they are not inconsistent with these Regulations.

39. In respect of basic security systems put into operation by the institution before 1 January 2017, Paragraph 15 of these Regulations applies from 1 January 2021.

40. In respect of enhanced security systems put into operation by the institution before 1 January 2017, Paragraphs 15 and 24 of these Regulations apply from 1 January 2018.

41. If, by the date of application of Paragraphs 15 and 24 specified in Paragraphs 39 and 40 of these Regulations respectively, a system does not meet the minimum security requirements, its operation is stopped within one year after the relevant date of application, provided that the functions of the system are, where necessary, taken over by the same or another institution.

Prime Minister, Minister for Transport Anrijs Matīss

Minister for Defence Raimonds Bergmanis