Read the untranslated law here: https://www.vestnesis.lv/op/2015/149.7
II. System security policy and procurement requirements

13. The system security policy includes:
13.1. the objectives and guidelines of the system security policy;
13.2. a description and analysis of the system in the field of security;
13.3. the principles for organizing system security management;
13.4. the compliance of system security with regulations and standards;
13.5. the system safety principles, the acceptable level of system security risk (availability, integrity and confidentiality risks) according to the methodology referred to in paragraph 7 of these rules, and other system security criteria (for example, system uptime, system restore, the conditions under which the daily procedures are replaced by crisis management procedures).

14. The institution shall ensure that the information referred to in paragraph 8.4 of these rules is available on the system.

15. When developing the system security policy, the institution provides that:
15.1. system users who perform system administration work use special user accounts (hereinafter referred to as system administrator accounts) that are not used in everyday activities;
15.2. each user account is associated with a particular individual. If the system uses an account that cannot be associated with a particular natural person (hereinafter referred to as a system account), the system should incorporate technical means which prevent users from using the system account;
15.3. if the system does not use multifactor authentication in which one attribute is not static in nature (for example, a code calculator or a single-use text message code) together with at least one other attribute, system users must be required to use a password;
15.4. a system user's password is not less than nine characters long and contains at least one uppercase Latin letter, lowercase Latin letters, numbers and special symbols;
15.5. system user passwords are prohibited from being stored and transmitted electronically in unencrypted form, including during the user authentication process, except in the case referred to in paragraph 15.7 of these rules;
15.6. a system user's password is not fully displayed when the user enters it;
15.7. a system user password that is sent over a public data communication network in unencrypted form is used once and is valid for a period of not more than 72 hours after it is sent;
15.8. the system is not allowed to have functionality that allows the system user to save a password so that it does not have to be entered on subsequent connections;
15.9. equipment, including infrastructure equipment that supports the functioning of the system, does not use default (manufacturer- or dealer-installed) passwords;
15.10. audit trails are created for the system (hereinafter referred to as system notes) and stored for at least six months after the entry is made;
15.11. any access to the system is traceable to a specific system user account or internet protocol (IP) address;
15.12. all available software updates must be installed on the system after a prior assessment of the need for them;
15.13. all end-user equipment in the institution's possession that is used day to day to connect to the system should include antivirus functionality;
15.14. system functionality is accomplished with the minimum possible rights.

16. The system security policy may also provide for stricter safety requirements than those laid down in these regulations, without prejudice to other laws and regulations.

17. Before the institution sets up a new system or starts procurement for the development of a new system, it develops and approves the system security policy and ensures that it is complied with during system development.

18. The institution shall ensure that intrusion tests have been carried out before a new system is put into operation. Intrusion tests shall be carried out by a legal entity or by institution staff who have not participated in the development of the system.

19. The institution shall ensure that the system security check referred to in paragraph 12 of these rules is carried out at least once a year in accordance with the documentation requirements of the security check.

20. If the institution concludes an outsourcing contract with a service provider for the maintenance of a system, it monitors the performance of the contract, and the contract shall include security requirements that are not lower than those mentioned in these rules. The contract states:
20.1. a description of the outsourcing to be received;
20.2. the exact requirements for the amount and quality of the outsourcing;
20.3. the rights and responsibilities of the institution and the outsourcing provider, including:
20.3.1. for the institution, to continuously monitor the quality of the provision of outsourcing;
20.3.2. the right of the institution to give the outsourcing provider optional executable instructions related to the good-faith, high-quality and timely performance of the outsourcing in accordance with the relevant laws and regulations;
20.3.3. the right of the institution to submit to the outsourcing provider a reasoned written request to immediately terminate the outsourcing contract if the institution finds that the outsourcing provider does not comply with the requirements specified in the outsourcing contract with regard to the outsourcing or its quality;
20.3.4. the obligation of the outsourcing provider to ensure that the institution has the opportunity to continuously monitor the quality of the provision of outsourcing.

21. If the institution starts procurement for improvements to an existing system, it ensures that the appropriate security requirements are included in the procurement specification.

22. If the institution starts procurement for the development of a new system, it includes requirements in the procurement specification to:
22.1. determine the period of system maintenance and support (including security failures);
22.2. transfer the computer program source code and its use to the institution not later than the end of the period referred to in paragraph 22.1 of these rules, as well as after each change or improvement made to it;
22.3. in the period referred to in paragraph 22.1 of these rules, continue the operation of the system with later versions of the minimum software necessary for its functioning (e.g., operating system, database management system, interpreter).

23. When procuring the development of a new system or improvements to an existing system, the institution shall include in the procurement specification a prohibition on limiting by contract the rights laid down in the first paragraph of Article 29 of the Copyright Act.
IV. Closing questions

37. Cabinet of Ministers Regulation No 765 of 11 October 2005, "National information system general safety requirements" (Latvian journal, 2005, No 164; 2008, No 195; 2009, No 85; 2010, No 150; 2011, No 19), is declared unenforceable.

38. The authorities shall approve the documents referred to in paragraph 8 of these rules by 1 January 2017. Documents drawn up with respect to information systems before the entry into force of these regulations shall remain in force insofar as they are not inconsistent with these rules.

39. With respect to basic safety systems that have been put into use by the institution by 1 January 2017, paragraph 15 of these rules shall apply from 1 January 2021.

40. With regard to increased safety systems that have been put into use by the institution by 1 January 2017, paragraphs 15 and 24 of these rules shall apply from 1 January 2018.

41. If, by the date of application specified in paragraphs 38 and 39 of these rules respectively, a system does not meet the minimum security requirements referred to in paragraphs 15 and 24, its operation shall be stopped within a year after the relevant date of application referred to in paragraph 1, provided that the system's functions are, if necessary, taken over by the same or another institution.

Prime Minister - Minister of Traffic Anrijs Matīss
Defense Minister Raimonds Bergmanis