Cabinet of Ministers Regulations No. 765
Riga, 11 October 2005 (No. 58, § 28)
General security requirements for national information systems
Issued under Article 4, second paragraph, of the national information systems law
1. These rules establish the general security requirements for national information systems.
2. The security of a national information system (hereinafter, the system) is provided by a set of measures that are implemented to:
2.1. ensure that the system performs the functions established for it under the legislation;
2.2. ensure the accessibility of information (access to information within a certain period after the enquiry);
2.3. ensure the integrity of the information (complete and unaltered preservation of information);
2.4. ensure confidentiality of the information (transmission of information only to those individuals who are authorized to receive and use it);
2.5. protect information resources (software, files (including those that contain the information stored in the system and available for system users to process) and system documentation);
2.6. protect technical resources (computers, media, network equipment and other technical equipment that ensures the operation of the system);
2.7. determine system security threats (an intentional (deliberate) or reckless action or event that can lead to system information or technical resources being changed, damaged, destroyed or coming into the possession of persons who have not been authorised, or as a result of which access to system information resources may be impeded or impossible);
2.8. assess system security risk (the possibility that, should a security risk materialise, system information or technical resources can be changed, damaged, destroyed or come into the possession of a person who is not authorised, or access to system information resources could be disturbed or impossible);
2.9. detect system security incidents (an intentional (deliberate) or reckless action or event that has caused system information or technical resources to be changed, damaged, destroyed or to come into the possession of persons who have not been authorised, or as a result of which access to system information resources is hindered or impossible);
2.10. restore the system after a system security incident.
3. The administrator shall ensure:
3.1. system security policy development and implementation;
3.2. development of internal system security rules;
3.4. system security risk management plan and its implementation;
3.5. system recovery plan development and execution;
3.6. training in the field of system security.
4. The administrator shall appoint a system security manager. The system security manager organizes and conducts system security measures pursuant to the requirements laid down in these provisions.
5. The system security policy includes:
5.1. system security policy objectives and guidelines;
5.2. system description and analysis in the field of security;
5.3. the safety management system of the organisation;
5.4. system security compliance with regulations and standards;
5.5. system security principles and criteria (for example, system uptime, system restore, acceptable level of system security risk, system security incident detection time, permissible unsuccessful access attempts).
6. Internal system security rules determine:
6.1. the creation, supplementing, change, processing, transmission, storage, recovery and destruction of system information resources;
6.2. system information and technical resources and control arrangements;
6.3. procedures by which access to system information and technical resources is guaranteed;
6.4. procedures for making and storing backup copies of system information resources, as well as procedures for checking whether system information resources can be restored from a backup copy;
6.5. media use, handling, storage and disposal procedures;
6.6. the arrangements for the use and storage of the information or data that are required to access system information and technical resources;
6.7. requirements for the protection of system information resources that are implemented via software features (such as recognition of the system user and verification of his authority for the relevant activities within the system, and protecting the system's information resources from intentional or accidental damage or destruction);
6.8. requirements for the protection of system technical resources against physical system security threats (such as fire, flood, surges or voltage drops in the power supply network, theft of system technical resources, or air humidity or temperature that does not comply with the operating provisions);
6.9. the order in which the observed system security risk approach;
6.10. the procedures for the detection and administration of system security incidents;
6.11. the order in which the system works if the information or technical resources are not available in full;
6.12. the order in which changes are made to the system technical resources;
6.13. the arrangements for training the responsible employees and verifying their knowledge in the field of system security.
7.2. system user registration and cancellation procedures;
7.3. using the system;
7.4. user support system.
8. The system security risk management plan includes:
8.1. system security and system security risk assessments;
8.2. system security risk mitigation measures, deadlines, funding and the person responsible for implementation.
9. In implementing the system security risk management plan, an acceptable level of system security risk shall be ensured.
10. The system security risk management plan is developed and updated on the basis of the system security risk analysis.
11. The system security risk analysis includes:
11.1. a listing of system security threats, an assessment of their likelihood and the signs of their onset;
11.2. system security risk assessment;
11.3. a list of system security risk mitigation measures and the features to be used;
11.4. an assessment of the potential loss or damage to the system administrator, system data subjects and system users if a system security incident happens;
11.5. an assessment of the cost-effectiveness of system security risk mitigation measures.
12. If changes to the system that affect system security are planned, system security risks are analysed in a timely manner.
13. System security risks are analysed following the Latvian standard LVS ISO/IEC 17799:2002 "Information technology. Code of practice for information security management".
14. The resources a system administrator devotes to system security risk mitigation measures should be commensurate with the possible loss or damage that the system administrator, system data subjects and system users may suffer from a system security incident.
15. The system recovery plan includes:
15.1. measures for recovering system information and technical resources after a system security incident;
15.2. the procedure for carrying out system restore measures;
15.3. operating instructions for the persons in charge who participate in system restore activities;
15.4. the plan for training, practice and testing of the persons in charge.
16. System security measures are determined in accordance with the laws and regulations governing the circulation and storage of electronic documents.
17. Compliance of the security measures with the requirements referred to in paragraph 2 of these rules shall be assessed on the basis of system security checks (audit). The System Manager provides a system security inspection (audit) at least once a year.
18. The documents referred to in paragraphs 5, 6, 7, 8 and 15 of these rules are approved by the system administrator. The system administrator reviews them and, if necessary, updates them at least once a year, as well as in the following cases:
18.1. if changes can affect system security;
18.2. if there are changes in the organisational structure of the management of the safety management system of the organisation;
18.3. if the legislation governing the operation of the system has been amended;
18.4. if system security threats have changed or new ones have been detected;
18.5. if the number of system security incidents has increased or a significant system security incident has occurred.
19. If the system, in accordance with the data protection act, is recognized as a personal data processing system, the requirements determined in these rules shall be ensured insofar as this does not conflict with the legislation on the mandatory technical and organisational requirements for the protection of personal data processing systems.
20. If the system is used to circulate information that, in accordance with the law "On State Secrets", is recognized as a State secret object, the System Manager ensures the requirements determined in these rules, insofar as this does not conflict with the legislation on the protection of State secret objects.
21. If the system is used to circulate information that, in accordance with the freedom of information act, is considered to be information for service needs, the System Manager ensures the requirements set out in these rules, insofar as this does not conflict with the laws on the protection of information for service needs.
22. The system administrator implements system security measures according to the State budget.
23. The implementation of these rules is monitored by the Secretariat of the Special Task Minister for Electronic Government Affairs.
Prime Minister A. Halloween
Special Task Minister for Electronic Government Affairs J. Rare
Editorial note: the rules shall enter into force on 15 October 2005.