Key Benefits:
Law of changes to the Security Act (decrease of the number of trust authorities mv.) |
| Date | LO-2016-08-12-78 |
| Ministry of | Ministry of Defense |
| Last modified | |
| Published | |
| Istrontrecation | King decides |
| Changing | LAW-1998-03-20-10 |
| Announcement | 12.08.2016 at 14.00 |
| Card title | Change law to the Security Act |
In law 20. March 1998 # 10 whether preventive security service is made the following changes :
Section 2 fourth to eighth joints shall obey :
Section 29 a applies to all acquisitions to critical infrastructure. The king can give regulation on identification of critical infrastructure and about information to court subjects that own or control critical infrastructure.
The law applies to the courts with the special rules that follow the regulations of security clearance and authority in and in the co-chair of the sentencing law and the sentencing process law. The king can determine further particular rules.
The provisions given in and in the co-state of the Law Six on Labor Security do not apply to the government's members and judges of the Supreme Court.
The law does not apply to Parliament, the National Assembly, the Parliament of Parliament for the administration and other organs of the Parliament.
The law applies to Svalbard and Jan Mayen in the extent that the King decides.
Section 3 first clause new # 21 to sound :
| 21. | Critical infrastructure ; facilities and systems that are necessary to maintain society's basic needs and functions. |
New Section 5 a should sound :
Section 5 a. Varslashing equal and authority to grasp at risk of security throttling businessA business that gets knowledge of a planned or ongoing activity that could result in an insignificant risk of security of security being established or implemented should notify the parent ministry about this. If the notification of the whistleblower business is not subject to any ministry, the notice shall be given to the Ministry of Defense. Notification of duty applies without the hurdle of the legislator. At the processing of notice after the first and second period, it should be obtained advisory statements from relevant organs with competency within the applicable craft area.
The King of State Council can grasp the necessary ordinance to prevent a planned or ongoing activity as mentioned in the first period of first period. Such an ordinance can be covered without regard to the limitations of the Management Act Section 35, and regardless of whether the activity is permitted after other law or other ordinance. Attaches after the first period are particularly compultive basis after the forced consummation Act 13.
The King of State Council can give regulation on the notification of notification in the first clause and about which passes can be taken after other clauses.
Section 9 first clause letter e and f shall obey
| e) | drive a national response function for serious data attacks against critical infrastructure and a national warning system for digital infrastructure, |
| f) | provide information, advice and guidance to enterprises. |
In chapter 3, new Section 10 is to be sound :
Section 10 a. Treatment of personal informationWhen required to perform the tasks after Section 9 first clause letter e, the National Security Authority can process personal information in the form of
| a) | metadata of IKT traffic to and from enterprises related to the national warning system for digital infrastructure |
| b) | information that is necessary to analyze triggered alarms in the notification system |
| c) | IP addresses received from national and international cooperation partners |
| d) | logs and infected hardware, following the consent of a business where this is necessary in connection with assistance to the handling of severe data attacks. |
In other cases than mentioned in the first clause, personal information can also be resolved when this is strictly necessary to protect the tasks after Section 9 first clause letter e, and the treatment following a concrete assessment seems as both necessary and proportional in relation to the procedure it represents in the privacy of the privacy.
The king can give regulation on the National Security Intelligence Processing of personal information.
New Section 13 to sound :
Section 13 a. Safety-wise monitoring of approved information systemsThe individual business should continuously monitor an approved information system for security throttling events against the information system or information in the system, preferably when using automated system monitoring. Security relevant events should be registered.
Information exchanged between systems, across authorization sets or to portable storage media, is to be registered and stored.
Several businesses associated with the same information system can be agreement that one of the businesses should be able to monitor and registration after the first and second clause on behalf of the responsible business.
Information recorded after the first and second clause is to be filed for five years. Such information is to be used exclusively for dealing with security throttling events.
The individual business shall impose that authorized users of information systems that are monitored in accordance with this provision shall obtain information about the purpose of the treatment, whether or not the measures committed, whether the information will be issued and optionally if who is the recipient.
The king can give regulation on
| a) | what types of data can or should be registered and stored |
| b) | who should have access to registered and stored data |
| c) | how access is to be granted |
| d) | exception from storage time in five years. |
Section 23 should sound :
SECTION 23. Authorities responsible and trust authorityThe authority can be given if the authority responsible does not have information that makes it questionable if the person safety is to be trusted. The authority is given normal by the enterprise leader. The authority shall not be given until there is a message of security clearance, with the exception of the cases described in Section 19 third clause, and an authorization call has been prevented. National security authority is giving closer rules about authorization and about who is the authority responsible.
The king outpoints a trust authority for the defense sector and one for the civilian sector. The king can designate other trust authorities when honest reasons speak for it. The intelligence and security services are clearing their own personnel.
Section 28 first clause second period should sound :
The king gives regulation on the validity of the validity time of vendor clearances.
The Chapter 7 headline should sound :
In chapter 7, new Section 29 is supposed to sound :
Section 29 a. Varslations alike and the authority to grasp the acquisition of acquisitions to critical infrastructureBy acquisitions to critical infrastructure, a risk assessment should be taken. In assessment, it shall be taken to whether the acquisition implies an insignificant risk of safety of security being established or implemented against or by the use of the infrastructure. Duty to conduct a risk assessment does not apply if it seems obvious that the acquisition may not involve any such risk.
A business that owns or reigns over critical infrastructure shall notify the parent ministry if a risk assessment as mentioned in the first clause concludes that the acquisition may involve a no insignificant risk of security throttling business is established or implemented. The business of which is not subject to any ministry shall notify the Ministry of Defense. Notification of duty applies without the hurdle of the legislator. Duty does not apply if the business itself commits risk-taking measures that remove the risk, or make it negligible.
A ministry that receives notice after other clauses should overtake an advisory statement from relevant organs about the delivery of the liver's risk potential, and vendor's security reliability.
If an acquisition to critical infrastructure may result in an insignificant risk that security struting business is established or implemented, the King in the State Council can grasp that the acquisition should be denied implemented, or that it is set terms for the review. This is also applicable if it has already been reached agreement on the acquisition. If it does not be covered after the first period, the ministry shall inform the business of this. Attaches after the first period are particularly compultive basis after the forced consummation Act 13.
The King of State Council can give regulation on acquisitions to critical infrastructure.
The law applies from the time the King decides. The king can decide that the different regulations are going to be three in effect at different times.
