
Regulations On Security Management

Original Language Title: Forskrift om sikkerhetsadministrasjon


Date: FOR-2001-06-29-723
Ministry: Ministry of Defence
Published: 2001, booklet 8
Entry into force: 01.07.2001
Last amended: FOR-2012-06-22-580
Amends: FOR-1998-12-11-1193, FOR-1994-12-16-1110, FOR-1972-03-17-3352, FOR-1972-03-17-8580, FOR-1975-06-06-8583, FOR-1983-11-04-8584, FOR-1986-02-14-351
Applies to: Norway
Legal basis: LAW-1998-03-20-10 section 5
Announced: 29.06.2001
Short title: Regulations on security management

Chapter overview:
Chapter 1. General provisions (§§ 1-1 to 1-2)
Chapter 2. Responsibilities and organisation (§§ 2-1 to 2-6)
Chapter 3. Guidance, expertise and instructions (§§ 3-1 to 3-5)
Chapter 4. Risk management and security auditing (§§ 4-1 to 4-4)
Chapter 5. Reaction to security-threatening events (§§ 5-1 to 5-8)
Chapter 6. Entry into force and amendments (§§ 6-1 to 6-2)

Legal authority: Laid down by Royal Decree of 29 June 2001 pursuant to the Act of 20 March 1998 No. 10 relating to protective security services (the Security Act) section 5 fifth paragraph. Promoted by the Ministry of Defence.
Amendments: amended by regulation of 22 June 2012 No. 580.

Chapter 1. General provisions

§ 1-1. Purpose and scope
These regulations have the same purpose and scope as the Security Act.
The regulations apply to the individual enterprise's security management within and across the subject areas of information security, personnel security and security-classified procurement.
The regulations apply to security management intended to counter security-threatening activities such as espionage, sabotage and acts of terrorism. The individual enterprise's security management shall be coordinated with, and seen in the context of, measures to counter other intentional events, such as ordinary profit-motivated crime and vandalism, and unintentional events, such as natural disasters and accidents.
NSM may issue further provisions on security management in connection with the handling of ATOMAL information.

§ 1-2. Definitions
In these regulations, the following terms mean:
1. Security management: internal control through the implementation of systematic measures to ensure that the enterprise's tasks are planned, organised, performed and reviewed in accordance with the requirements laid down in or pursuant to the Security Act.
2. Security-threatening event: security-threatening activity, compromise of information requiring protection (skjermingsverdig informasjon), and serious security breaches.
3. Compromise: loss or suspected loss of confidentiality, integrity or availability of information requiring protection, including undesired disposal, modification or destruction.
4. Security breach: violation of provisions on security measures laid down in the Security Act or in regulations to the Security Act.
5. Subject areas: information security, personnel security and security-classified procurement. Information security within the individual enterprise comprises, among other things, document security, information system security, physical security and administrative crypto security.

Chapter 2. Responsibilities and organisation

§ 2-1. The responsibility of the head of the enterprise
The head of the enterprise has overall responsibility for the protective security service within his or her area of responsibility and authority, including subordinate enterprises.
The head of the enterprise is obliged to allocate the resources necessary to ensure the security service.

§ 2-2. The superior's responsibility
Safeguarding and control of security shall be integrated into the enterprise's other activities. Every superior in the enterprise is responsible for security within his or her area of responsibility and authority. The superior's responsibility also applies where the performance of security tasks is left to private suppliers or other enterprises.
Every superior shall ensure that subordinates conduct themselves in a way that contributes to safeguarding security. The superior shall provide ongoing guidance to subordinates. If a subordinate is considered not to be security-fit, the superior shall inform the authorisation authority.

§ 2-3. The individual's responsibility
Permanent and temporary employees, as well as hired personnel, shall in their work or assignment for the enterprise contribute to an effective security service.
Personnel shall:
1. comply with the security requirements in the Security Act with regulations,
2. comply with the instructions for the practical implementation of the enterprise's security service,
3. know the enterprise's security organisation,
4. know the principles of risk management,
5. point out errors and deficiencies in the enterprise's security service, and
6. promptly report security-threatening events to their immediate superior, the head of the enterprise or the manager responsible for authorisation.

§ 2-4. Distribution of tasks
The head of the enterprise shall, as far as possible, introduce a distribution of tasks and responsibilities that reduces the possibility of individuals undermining security in the enterprise. Executive and controlling tasks in the security service shall be distributed among different personnel in the enterprise.

§ 2-5. The enterprise's security organisation
The head of the enterprise shall designate a security manager with a deputy, and a sufficient number of persons in relation to the enterprise's security needs and subject areas, to form part of the enterprise's security organisation. If the enterprise holds crypto material, a crypto security organisation shall be established in accordance with the regulations on information security. If the enterprise has information systems that handle classified information, a data security organisation shall be established in accordance with the regulations on information security.
The security manager and the other members of the security organisation shall coordinate, advise on and control the security for which the superiors and the individual are responsible. The security organisation shall be able to handle general and interdisciplinary security issues.
The security manager's tasks may be performed by a person who performs security tasks within one of the subject areas, or by a person who is independent of the subject areas. The security manager shall be a Norwegian citizen unless NSM agrees otherwise. The security manager shall have direct access to the head of the enterprise in important security matters. The crypto security manager and the person responsible for exercising the authorisation authority shall have direct access independently of the security manager, unless the security manager personally handles these tasks. The head of the enterprise may decide that those responsible for other subject areas shall also have such access.

§ 2-6. Coordination
For larger projects or procurements involving classified information, a project security manager shall be appointed.
The party making a procurement is the superior responsible for security vis-à-vis the supplier. This does not limit the supplier's responsibility for its own security. § 2-4 third paragraph of the regulations on security-classified procurement regulates the overriding responsibility for a private enterprise that is a supplier to two or more public enterprises.
If two or more enterprises are connected to a common information system, responsibility for the security of the information system rests with the common superior enterprise or the enterprise it designates, or with the enterprise designated in a written agreement entered into between the enterprises. The agreement shall state which security classification level the information system is approved for, and which interconnections with other information systems are permitted.

Chapter 3. Guidance, expertise and instructions

§ 3-1. Guidance
The head of the enterprise shall ensure that security is integrated into all of the enterprise's activities and that personnel regularly receive guidance. The head shall emphasise motivation and awareness of the need for security, including the principles of risk management.
The enterprise shall ensure that personnel have access to, and have read and understood, the security regulations relevant to the individual's duties.

§ 3-2. Expertise
Personnel at all levels of an enterprise shall, before being assigned to duties involving information requiring protection, have sufficient expertise in the security service adapted to the individual's tasks.
The enterprise shall ensure that its own personnel have completed basic training in security.
The enterprise shall keep track of the security competence of its personnel in general, and of the personnel in its own security organisation in particular. The enterprise shall establish routines that ensure that sufficient expertise in the security service is developed and maintained.

§ 3-3. The basic document for security
An enterprise holding information requiring protection shall have an updated basic document for security. The basic document shall identify the basic assumptions for the enterprise's handling of information requiring protection, including:
1. the security organisation and its authority,
2. the security zoning of the enterprise's physical areas, and where classified information may be processed and stored, stating the highest classification level,
3. which information systems, including crypto systems, handle classified information, stating which classification level each system is approved for and in which physical areas the individual system is located,
4. an overview of the communication of classified information established internally in the enterprise and with other enterprises,
5. who needs access to which types of information requiring protection and to its information systems, and
6. plans, instructions and other documentation for the security service.

§ 3-4. Instructions for routines and procedures
The enterprise shall prepare written instructions for routines and procedures within the relevant subject areas. The instructions shall be adapted to the size and complexity of the enterprise, including the enterprise's security-classified information and the associated information systems and management systems.

The enterprise shall have up-to-date lists of security measures that may be implemented if the risk increases, for example in an emergency, crisis or war. The need to strengthen the security organisation shall be taken into account. If the enterprise has a separate emergency organisation, the relationship between it and the security organisation shall be clarified. The emergency organisation and the security measures shall be documented in a contingency plan, and the plan shall be exercised regularly and at least once a year.

§ 3-5. Job descriptions and work instructions
Powers, duties and competence requirements in the security service shall be described in the job description or work instructions for the position in question.

Chapter 4. Risk management and security auditing

§ 4-1. Risk management
An enterprise holding information requiring protection shall exercise risk management by determining and implementing security measures on the basis of a risk assessment.

§ 4-2. Risk assessment
The provisions on security measures in the Security Act with regulations are minimum requirements. These requirements are based on a general risk assessment in relation to the security classification levels and the general security threat at the national level.
The individual enterprise shall carry out continuous risk assessments on the basis of the basic document for security. The risk assessment shall take into account local conditions of importance to security in order to:
1. uncover the need for measures beyond the minimum requirements in the Security Act with regulations,
2. uncover redundant and unnecessarily overlapping security measures, and
3. find more cost-effective measures that can replace existing measures.

Each employee and contracted person who comes into contact with information requiring protection shall perform a risk assessment when carrying out activities that may be of significance for security.
NSM may order an enterprise to prepare a written risk assessment where there are particular reasons for this, and may decide which assessment method shall be used.

§ 4-3. Security measures
The enterprise shall ensure the implementation and correction of security measures on the basis of the risk assessment carried out pursuant to § 4-2 second paragraph.

§ 4-4. Security audit and management's evaluation
The enterprise shall carry out security audits to verify that the security measures that are imposed or decided have in fact been implemented and serve their purpose. Deviations uncovered by the security audit shall be presented to the head of the enterprise for clarification of the actions to be taken.
The head of the enterprise shall at least once a year evaluate the overall security condition of the enterprise. The results of the security audit shall be used as one of the bases for the evaluation.
The results of the security audit and management's evaluation shall be documented.

Chapter 5. Reaction to security-threatening events

§ 5-1. Action in the event of security-threatening events
In the event of a security-threatening event, the enterprise where the event occurred shall:
1. investigate the circumstances of the event, secure any evidence, and review the relevant procedures and systems,
2. take immediate action to limit damage,
3. if necessary, implement temporary or permanent security measures to prevent recurrence, and
4. consider reactions against responsible persons.

§ 5-2. Damage assessment
In the event of compromise of information classified CONFIDENTIAL or higher, the enterprise that produced the information shall prepare a damage assessment. The damage assessment shall identify the measures that can limit the damage, and shall be addressed to affected enterprises and others who can contribute to the damage-limiting measures. In the journal or other register where the information is recorded, it shall be noted that the compromise has occurred, with reference to the reports in the case. A copy of the damage assessment shall be sent to NSM.

§ 5-3. Security breaches in cases of necessity and self-defence
A security breach may be committed without criminal liability if the conditions for necessity or self-defence in the Penal Code section 47 or section 48 are met. The matter shall be reported in accordance with § 5-4 to § 5-6.

§ 5-4. Internal reporting
Security-threatening events shall be reported as soon as possible to the head of the enterprise.
Reported security-threatening events shall be recorded. The register and its reports shall be kept for at least five years.

§ 5-5. Reporting between enterprises
An enterprise that detects a compromise shall report to the enterprise that produced the information and to other enterprises for which this is of importance. The report shall account for the possible cause of the compromise and what has been done to prevent recurrence. If the matter is to be reported to NSM, a copy of the reports to NSM is used when reporting to other enterprises.

§ 5-6. Reporting to NSM
An enterprise shall as soon as possible submit a preliminary report to NSM if it detects:
1. security-threatening events, or
2. security breaches concerning information classified by a foreign state or an international organisation.

The enterprise shall submit a supplementary report to NSM when new important information emerges about a previously reported matter.
The enterprise shall submit a final report to NSM when the case is considered closed. The report shall contain a summary of all information obtained and investigations carried out, and describe the measures implemented or planned to limit the possibility of recurrence.
NSM shall, in accordance with applicable security agreements, determine whether the matter should be reported on to the foreign state or international organisation.
NSM may grant exemptions from the reporting obligation in the first paragraph.

§ 5-7. Reporting to the police
In the event of security-threatening events, the enterprise shall consider whether to inform the police or file a report with the police. Where a police report is filed, NSM shall be notified.

§ 5-8. Special provisions for crypto security
In the event of security-threatening events that affect crypto security, § 7-41 to § 7-45 of the regulations on information security apply instead of these regulations.

Chapter 6. Entry into force and amendments

§ 6-1. Amendments to other regulations and instructions
From the time the Security Act enters into force, the following changes are made to other regulations and instructions:
6. The following regulations are repealed:
- Instructions for the handling of documents which must be protected for security reasons (the Security Instructions). Laid down by Royal Decree of 17 March 1972 No. 8580.
- The Chief of Defence's supplementary provisions to the Security Instructions. Laid down by the Chief of Defence, April 1989.
- Directive for the protection of electronically stored information classified under the Security Instructions or the Protection Instructions (the Data Protection Directive). Laid down by the Chief of Defence 28 January 1998.
- Directive for the assessment of the TEMPEST threat and determination of TEMPEST countermeasures for electronic equipment that processes information classified under the Security Instructions or the Protection Instructions (the TEMPEST Directive). Laid down by the Chief of Defence 20 September 1994.
- Directive for the crypto service in the State administration (the Crypto Directive). Issued by the Defence High Command (undated).
- Directive for the classification and management of CCI material (the CCI Directive). Issued by the Defence High Command 1 July 1998.
- Rules for the control and use of national crypto algorithms and circuits, and the control and use of equipment in which the circuits are included (the NSK Directive). Issued by the Defence High Command 15 March 1996.
- Directive for the monitoring service in the Armed Forces. Laid down by the Chief of Defence 12 May 1980.
- Directive for the TSU service in the Armed Forces. Laid down by the Chief of Defence 1 January 1980.
- Regulations of 6 June 1975 No. 8583 on security control of foreign nationals intended for service in the civil part of the State administration.
- Regulations on the personnel security service and the personnel control service within the civil administration. Laid down by Crown Prince Regent's Decree of 4 November 1983 No. 8584.
- Directive for the personnel security service in the Armed Forces. Laid down by the Ministry of Defence, February 1990.
- Supplementary provisions to the directive for the personnel security service in the Armed Forces. Laid down by the Chief of Defence 12 July 1990.
- The Chief of Defence's provisions for security management and control of conscript crews. Issued by the Chief of Defence 30 March 1995.
- The security service in industry. Security directive for administrative bodies in the procurement of goods and services. Laid down by the Ministry of Defence, November 1989.
- The security service in industry. Security regulations for suppliers of goods and services to government agencies. Laid down by the Ministry of Defence, November 1989.
- The Chief of Defence's main guidelines for the security service. Issued by the Defence High Command 20 January 1994.

§ 6-2. Entry into force
These regulations enter into force on 1 July 2001.