Information System Security Rules

Original Language Title: Informācijas sistēmu drošības noteikumi

Cabinet of Ministers of the Republic of Latvia, Regulation No 106 of 21 March 2000 (Riga; Minutes No 13, § 4)
Information System Security Rules
Issued pursuant to Section 14, Paragraph three, of the Cabinet of Ministers Structure Law

I. General provisions

1. The terms used in these rules:
1.1. audit trail: a record in which data on specific events in the information system are registered;
1.2. physical protection: protection of technical resources against physical hazards (for example fire, flood, surges or drops of voltage in the power supply network, theft of technical resources, humidity or air temperature not conforming to the operating rules);
1.3. information resources: the part of the information system that comprises system programs, system files, application programs and data files (those that contain the information stored in the system, as well as the information processed by the system and available to its users);
1.4. holder of information resources: the person who manages the information resources of the information system on behalf of the organisation;
1.5. information system: a system for the input, storage and processing of data which provides users with access to the data or information stored in it;
1.6. information system risk: an intentional or negligent action or inaction, or a possible event, that may cause the deletion or corruption of information, information resources or technical resources, or the acquisition of information by parties that are not authorised to receive it;
1.7. information system security: ensuring the availability (a user of the information system can access the information within the period specified for his request), integrity (the information is stored completely and unchanged) and confidentiality (the information is received only by authorised persons) of the information in the information system;
1.8. information system user: a person who has access to the information stored in the information system or who receives the services of the information system;
1.9. information system organisation: a State or municipal institution, public organisation or undertaking (company) which owns or possesses information resources and technical resources;
1.10. logical protection: protection of data or information resources by software products that identify the information system user, check his authorisation for the relevant activities in the information system, and protect the information from intentional or accidental alteration or deletion;
1.11. password: a string of text characters, a copy of which is held in the information system and which the user presents as proof of identity;
1.12. technical resources: the part of the information system that comprises computers, computer network equipment and other technical equipment;
1.13. holder of technical resources: the person who manages the technical resources of the information system on behalf of the organisation;
1.14. firewall: a complex of software and hardware that links a local area network with external networks while providing logical protection of the information system in the local network.
2. These rules set out the legal, technical and organisational requirements for information system security that are to be observed by the information system organisation, its head, the holders of information resources and technical resources, information system users and other persons responsible for information system security.
3. These rules apply to information systems:
3.1. whose holder is a public institution established by an act of Parliament or of the Cabinet of Ministers;
3.2. which store and process information in accordance with international agreements, laws and Cabinet regulations;
3.3. whose information system organisation is financed wholly or partly from State or local government funds.
4. Methodological guidance for the implementation of the requirements laid down in these rules is provided by the Ministry of Transport.
II. Classification of information

5. The person who transfers information into the information system (hereinafter, the originator of the information) determines whether the information needs to be assigned a value degree referred to in paragraph 9 or a confidentiality degree referred to in paragraph 10 of these rules and, if so, which degree.
6. Information to which neither a value degree nor a confidentiality degree has been assigned is not classified information.
7. The value degree of information is assigned according to the damage that could be caused to the originator of the information or to the information system organisation if the integrity or availability of the information is not ensured.
8. The confidentiality degree of information is assigned according to the damage that could be caused to the originator of the information or to the information system organisation if the confidentiality of the information is not ensured.
9. Information may be assigned one of the following value degrees:
9.1. high risk;
9.2. medium risk.
10. Information may be assigned one of the following confidentiality degrees:
10.1. top secret;
10.2. secret;
10.3. confidential.
11. Information whose confidentiality is protected by law is assigned a confidentiality degree in accordance with paragraph 10 of these rules.
III. Risk analysis

12. A risk analysis is needed in order to assess:
12.1. the likelihood that the risks to the information system will materialise;
12.2. the potential damage to the originator of the information or to the information system organisation if information system security is not ensured.
13. The risk analysis is carried out in accordance with the risk analysis methodology approved by the Cabinet of Ministers. In the risk analysis:
13.1. the potential risks to the information system, including those that may be caused by the information resources, the technical resources and the information system users themselves, are identified, and the likelihood of these risks is assessed;
13.2. the potential damage that could be caused to the originator of the information or to the information system organisation if an information system risk materialises is assessed;
13.3. the means for preventing information system risks are identified;
13.4. it is evaluated whether, with the existing information system security measures, the information system risks and the possible damage are acceptable from the point of view of information system security;
13.5. the information system security measures are assessed.
14. A risk analysis is required for each new project related to information resources and technical resources.
15. A risk analysis is required when changes are made to the information system that may affect its security.
IV. Administration of information resources and technical resources

16. The information system organisation develops internal information system security rules and designates a person responsible for information system security.
17. The head of the information system organisation designates in writing the holder of information resources and the holder of technical resources, or assumes the relevant duties himself.
18. The head of the information system organisation provides the holder of information resources and the holder of technical resources with the resources required for information system security measures.
19. The holder of information resources:
19.1. jointly with the holder of technical resources and (where possible) with the originator of the information, carries out the risk analysis related to the information resources;
19.2. ensures logical protection measures;
19.3. ensures the audit trail of the information system, as well as its preservation and the review of its records in accordance with the internal information system security rules;
19.4. determines the procedure by which information system users are granted the right to access and work with information resources, and organises control over the use of the resources;
19.5. ensures the backing up and storage of information resources, as well as their restoration if the functioning of the information system has been hampered or made impossible by a failure of the technical resources or for other reasons.
20. The holder of technical resources:
20.1. ensures physical protection measures;
20.2. participates in the risk analysis by determining the information system risks related to the technical resources and assessing their likelihood;
20.3. ensures that the technical resources are restored if they are damaged.
21. The holder of information resources and the holder of technical resources set out in writing the employees' responsibilities for information system security and provide for the training of employees and the testing of their knowledge of the information resources and technical resources.
V. Protection of information resources and technical resources

22. When choosing information system security tools and measures, the confidentiality degree and value degree of the information shall be taken into account.
23. Information and data required for access to information with a confidentiality degree stored in the information system are assigned the same confidentiality degree as that information.
24. A computer that contains information with the top secret degree must not be connected to external networks or to a local area network from which external networks can be reached.
25. Information with the top secret degree is not transmitted over external networks.

26. If a local area network contains computers holding information with the top secret or secret degree, the cables of the local area network must not cross territory that lacks physical protection adequate to the information system risks, and the network hardware must be located in premises with physical protection adequate to the information system risks.
27. Premises containing computers with top secret, secret or high risk information are provided with physical protection adequate to the information system risks.
28. Information with the top secret or secret degree is stored in encrypted form throughout its storage.
29. Information with the high risk or medium risk degree is protected by cryptographic means throughout its storage.
30. If computers containing information with a confidentiality degree or value degree are connected to a local area network, the local area network may be connected to external networks only through a firewall (except in the cases referred to in paragraph 24 of these rules), ensuring logical protection of the local network adequate to the information system risks.
31. Computers that perform firewall functions are used only for that purpose.
32. Electronic mail (including attached files) is checked for computer viruses. Computers that are connected to external networks without a firewall are equipped with anti-virus software that checks all electronic mail (including attached files).
33. Information with the secret or confidential degree is transmitted over external networks only in encrypted form.
34. Information with the high risk or medium risk degree is transmitted over external networks with cryptographic protection.
35. If a computer is connected to an external network and is not protected by a firewall, it is prohibited to encrypt or decrypt secret or high risk information on it, and the cryptographic keys for encrypting and decrypting such information may not be held on the media of that computer.
36. If an information system user is permitted to access information with a confidentiality degree or value degree from an external network, the user is authenticated using cryptographic methods. If authentication of the user fails several times in succession, the user's access to the information system is blocked.
37. Media containing information with a confidentiality degree or value degree must not be left in places where physical protection adequate to the information system risks is not ensured.
38. Portable data media containing information with a confidentiality degree or value degree are marked with the highest confidentiality degree and value degree assigned to the information on them.
39. The head of the information system organisation designates the persons responsible for each computer used in the information system.
40. If a computer contains information with a confidentiality degree or value degree, an information system user who interrupts his work leaves the computer in a state in which work can be resumed only after user authentication.
41. Every information system user is assigned a unique user code, except for persons who only receive the services of the information system.
42. A password is known only to the information system user (except for the first password, which the user receives when assigned the unique user code).
43. The audit trail is protected by logical protection means.
44. The audit trail automatically records the successful and unsuccessful attempts of information system users to access the information system, together with the unique user code and the date and time of each access attempt.
45. If the information system maintains a publicly accessible server, it must be ensured that persons not authorised to do so cannot use it to access the local area network of the information system or information with a confidentiality degree or value degree.
VI. Backing up and storage of information resources

46. The procedures for making and storing backup copies of information resources are determined by the internal information system security rules.
47. The holder of information resources regularly checks that data and software can be restored from the backup copies of the information resources.
48. The checks referred to in paragraph 47 of these rules are carried out with technical equipment that is not part of the information system.
49. Backup copies of information resources are stored in at least two geographically different locations that provide storage in accordance with the media storage arrangements laid down by the information system organisation and that are chosen so that an exceptional circumstance (fire, flood or another exceptional circumstance) practically cannot damage all backup copies of the information resources at once.
VII. Requirements for the content of the internal information system security rules

50. The internal information system security rules contain guidance on which information, by its content, is assigned a value degree or confidentiality degree, where the originator of the information is the information system organisation itself.
51. The internal information system security rules determine:
51.1. the conditions for password length and composition (the minimum password length is eight characters);
51.2. the conditions for the information system user's password, as well as the period after which the password is replaced;
51.3. how an information system user acts when his password or cryptographic key has come into the possession of another person, and the responsibility for inappropriate use and storage of passwords and cryptographic keys (information system users are notified of this when assigned a unique user code);
51.4. the number of failed authentication attempts (for example, an incorrect password) after which the access to the information system of the user who has been assigned the unique user code is blocked;
51.5. the procedure for cancelling a password or cryptographic key when the information system user reports that the password or cryptographic key has come into the possession of another person.
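As an added illustration (not part of Regulation No 106 and not any government's code), the following Python module implements the access control requirements of paragraphs 36, 41, 42, 44 and 51 of these rules: a unique user code per account, a minimum password length of eight characters, blocking of access after a number of consecutive failed authentication attempts, and an audit trail recording every successful and unsuccessful access attempt with the user code, date and time. The class and function names, the three-attempt limit and the sample accounts are assumptions made for this example.

```python
# Added example, not from Regulation No 106; names and limits are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac
import secrets

MIN_PASSWORD_LENGTH = 8   # paragraph 51.1: at least eight characters
MAX_FAILED_ATTEMPTS = 3   # paragraph 51.4: limit set by the internal rules (assumed here)

@dataclass
class Account:
    user_code: str           # unique user code, paragraph 41
    salt: bytes
    digest: bytes            # only a derived hash of the password is stored, never the password
    failed_attempts: int = 0
    blocked: bool = False

@dataclass
class AccessControl:
    accounts: dict = field(default_factory=dict)
    audit_trail: list = field(default_factory=list)   # paragraph 44 records

    @staticmethod
    def _derive(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_code: str, password: str) -> bool:
        """Create an account; refuses a duplicate user code or a short password."""
        if user_code in self.accounts or len(password) < MIN_PASSWORD_LENGTH:
            return False
        salt = secrets.token_bytes(16)
        self.accounts[user_code] = Account(user_code, salt, self._derive(salt, password))
        return True

    def _log(self, user_code: str, success: bool) -> None:
        # paragraph 44: user code, date and time, and outcome of the attempt
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_trail.append((user_code, stamp, success))

    def authenticate(self, user_code: str, password: str) -> bool:
        """Check a password; block the account after MAX_FAILED_ATTEMPTS failures in a row."""
        acct = self.accounts.get(user_code)
        if acct is None or acct.blocked:
            self._log(user_code, False)   # unknown and blocked users are logged too
            return False
        ok = hmac.compare_digest(acct.digest, self._derive(acct.salt, password))
        if ok:
            acct.failed_attempts = 0      # a success resets the consecutive count
        else:
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.blocked = True       # paragraph 36: access is blocked
        self._log(user_code, ok)
        return ok
```

The audit trail is kept in memory only; under paragraph 43 a real deployment would write it to storage protected by logical protection means and retain it for the period set in the internal rules (paragraph 58).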
52. The internal information system security rules determine the procedure for using information with a confidentiality degree or value degree, and provide that media containing such information may not be removed from the premises of the information system organisation without the prior written permission of its head.
53. The internal information system security rules provide that the originator of the information determines the persons who may receive information with a confidentiality degree.
54. The internal information system security rules include the requirements for physical protection and determine:
54.1. the measures to be taken to protect technical resources in exceptional circumstances (for example, fire or flood);
54.2. the means by which the temperature and humidity of the premises in which the technical resources are located are kept within the limits set by the technical regulations of the supplier of the technical resources;
54.3. the technical resources that are provided with equipment which maintains their availability for a specified time if the power supply network fails or voltage is lost, together with the main characteristics of that equipment, in particular the length of time for which it can sustain the relevant technical resources;
54.4. the means by which the technical resources are protected against intentional damage and theft;
54.5. the procedures for the storage and destruction of media.
55. The internal information system security rules provide for an information system recovery plan.
56. The internal information system security rules determine how the passwords required for the operation and maintenance of the information system are stored.
57. The internal information system security rules determine the procedure by which the employees of the information system organisation:
57.1. use the work computers in their possession;
57.2. use personal computers in the information system of the organisation;
57.3. use computers of the information system owned by the organisation at home;
57.4. use electronic mail.
58. The internal information system security rules determine the retention period of the audit trail and the frequency with which its records are reviewed and evaluated.
59. The internal information system security rules determine the procedure for making changes to information resources and technical resources, including the procedures by which:
59.1. the impact of these changes on information system security is analysed and evaluated;
59.2. the changes are recorded in the information system;
59.3. backup copies of the information resources are made before the changes.
60. The internal information system security rules determine the procedures for the prevention, detection and removal of malicious software (for example, computer viruses) in the information system.
61. The internal information system security rules determine the procedures for making and storing backup copies of information resources and specify:
61.1. the media on which backup copies of the information resources are made;
61.2. the logical and physical protection required;
61.3. the cases in which the information in backup copies of the information resources must be encrypted;
61.4. the frequency with which the information is copied;
61.5. the media rotation scheme and the monitoring of its observance;
61.6. the locations where backup copies of the information resources are stored.
VIII. Closing provisions

62. These rules enter into force on 1 July 2000.
63. Information that was transferred into the information system before the entry into force of these rules is classified by 1 January 2001 by a commission established by the head of the information system organisation, (where possible) together with the originator of the information concerned.
64. The information system organisation:
64.1. establishes the internal information system security rules by 1 July 2001;
64.2. introduces the necessary physical protection by 1 January 2002;
64.3. introduces the necessary logical protection means by 1 January 2002.
65. State and local government institutions that own information systems implement the measures provided for in these rules within their annual budget.

Prime Minister A. Šķēle
Minister of Transport A. Gorbunovs