Cabinet of Ministers Regulations No. 100 in 2011 (February 1. 7. § 18) information technology security critical infrastructure planning and implementation procedures Issued pursuant to the information technology Security Act 3 the third subparagraph of article i. General questions 1. determine information technology critical infrastructure (hereinafter referred to as critical infrastructure) security planning and implementation procedures.
2. identify the critical infrastructures and defines critical infrastructure and regulatory law.
II. Critical infrastructure security planning procedures of the constitutional protection Office 3 informs critical infrastructure owner or legal possessor of it information technology into the critical infrastructure as a whole.
4. Critical infrastructure owner or legal possessor shall be assigned for the security of critical infrastructure responsible person. On the security of critical infrastructure may not be the responsible person: 4.1 not of age or is not a Latvian citizen;
4.2. What is penalized for intentional criminal offence;
4.3. What is convicted for an intentional criminal offence, freeing from punishment;
4.4. What is called a criminally liable for intentional criminal offence, except where criminal proceedings against them terminated on a reabilitējoš basis;
4.5. What is recognized as incapacitated in accordance with the procedure prescribed by law;
4.6. which are or have been the USSR, Latvian SSR or foreign State security service or non-employee, agent, or conspiratorial apartment resident holder;
4.7. What is or has been with the law of the Republic of Latvia Supreme Council decisions or rulings of the court banned organization member (member) after the banning of such organizations;
4.8 which has a diagnosed mental disorders or alcohol, narcotic, psychotropic or toxic substance dependence;
4.9. in accordance with the national safety authorities or the national police information belong to the organised crime groups, the unarmed or armed formations, as well as to non-governmental organisations or associations of non-governmental organisations that launched action (legal) prior to the registration or continue to function after it has been suspended or terminated by the Court ruling.
5. The constitutional protection office shall examine and approve the security of critical infrastructure responsible for compliance with this provision in paragraph 4.
6. The constitutional protection Office can verify the operation of critical infrastructure-related employees who have access to significant critical infrastructure information or technological equipment, and evaluate information regarding a person's criminal record for an intentional criminal offence and the facts that give a basis to doubt its ability to save the limited availability and the classified information. Based on the results, the constitutional protection Office provides guidance critical infrastructure owner or legal possessor.
7. On the security of critical infrastructure responsible person: 7.1 planning critical infrastructure security measures;
7.2. in cooperation with the constitutional protection Bureau and the information technology security incident prevention institution (hereinafter security incident prevention body) provides the critical infrastructure of the current risk assessment and management.
III. Critical infrastructure security arrangements implementation modalities 8. Critical infrastructure owner or legal possessor of critical infrastructure security measures regulatory document or documents (hereinafter referred to as the document security measures) develop, on the basis of this rule 7.2. risks identified in, and subject to security incident prevention institutions and constitutional protection Office's recommendations. At the request of the Office for the protection of the Constitution in the critical infrastructure owner or legal possessor shall submit the constitutional protection Office security measures.
9. where critical infrastructure owner or legal possessor is registered in the financial and capital market for critical infrastructure is defined in the national information system, or to the relevant critical infrastructure are subject to other specific requirements for information technology security, documents the development of security measures according to the relevant industry regulatory requirements, based on this rule 7.2. risks identified in, and subject to security incident prevention institutions and constitutional protection Office's recommendations.
10. Critical infrastructure owner or legal possessor shall develop and document security measures they shall include the following information: 10.1 General information on critical infrastructure – the name of the owner or legal possessor, critical infrastructure location (address), the purpose of the document;
10.2. the Department that supports the implementation of security measures;
10.3. critical infrastructure;
10.4. critical infrastructure systems detailed technical description and scheme;
10.5. current risk management plan;
10.6. procedures are provided in the response to the information technology security incidents and other types of injury or offences that endanger the functioning of critical infrastructure;
10.7. critical infrastructure renewal plan.
11. The constitutional protection Office provides guidance critical infrastructure owner or legal possessor for elimination of the deficiencies found, as well as send the recommendations to the national regulatory authorities to monitor critical infrastructure concerned owner or legal possessor.
12. Critical infrastructure owner or legal possessor of critical infrastructure security provides a way to manage this rule 7.2. risks identified in the subparagraph.
13. in order to ensure a smooth exchange of information on information technology security incidents, security incident prevention institutions and critical infrastructure owner or legal possessor may agree on a technological solution that automatically collect and transmit the relevant information.
14. in order to determine the relevant critical infrastructure vulnerabilities and security risks, security incident prevention institution may make critical infrastructure checks when trying to implement critical infrastructure risks logical parts (hereinafter examination).
15. Checking out from the environment, which is the critical infrastructure of the owner or legal possessor of the property or possession, using the information that is the owner of this critical infrastructure or legal possessor's possession.
16. During the examination of the information and only to the extent that is necessary to identify the risks manageable.
17. Security incident prevention body checks may be carried out at the request of the Office for the protection of the Constitution. The request must state the reason for the requested examination.
18. Security incident prevention institution no later than 48 hours before the start of the inspection, to be informed in writing of the examination time, and duration of critical infrastructure owner or legal possessor, as well as the constitutional protection Office.
19. The checks are carried out so that they do not cause irreparable damage to critical infrastructure.
20. the detailed results of the verification, security incident prevention institution shall without delay forward to the relevant critical infrastructure owner or legal possessor and the constitutional protection Office, including appropriate recommendations.
21. Security incident prevention authority collects information on the inspections carried out, including their workers, inspection, a summary of the results and recommendations. All information associated with the checks is restricted access, and security incident prevention institution provides protection of this information.
22. During the test the information security incident prevention institution may be stored for no longer than three months after the completion of inspection, ensuring its adequate protection.
23. security incident prevention institutions with critical infrastructure owners or the consent of the legal possessor of the information collected during the inspection may collect and use information about current technology to inform the public of the risks.
24. During the test the identified risks are managed in accordance with the provisions referred to in point 7.2 of the specifications.
25. The constitutional protection office and security incident prevention institution not less than once every six months to inform the national information technology security tips on current threats to critical infrastructure.
Prime Minister v. dombrovsky traffic Minister Augul by U.