Legal Framework on Information Security Ministry of Trade, Tourism and Telecommunication Nebojša Vasiljević

Post on 25-Dec-2015

Page 1: Legal Framework on Information Security Ministry of Trade, Tourism and Telecommunication Nebojša Vasiljević

Legal Framework on Information Security

Ministry of Trade, Tourism and Telecommunication
Nebojša Vasiljević

Page 2: Relevant EU Legislation (1)

• Regulation No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency 32004R0460

• Council decision 2004/541/EC of 5 July 2004 on the three stakeholders’ representatives and their alternates to the Management Board of the European Network and Information Security Agency 32004D0541

• Council Decision 92/242/EEC of 31 March 1992 in the field of security of information systems (OJ L 123, 8.5.1992, p. 19–25) 31992D0242

• Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security (OJ C 43, 16.2.2002, p. 2–4) 32002G0216(02)

• Council Resolution of 18 February 2003 on a European approach towards a culture of network and information security (OJ C 48, 28.2.2003, p. 1–2) 32003G0228(01)

• Council Resolution of 22 March 2007 on a Strategy for a Secure Information Society in Europe (OJ C 68, 24.3.2007, p. 1–4) 32007G0324(01)

Page 3: Relevant EU Legislation (2)

• Commission Communication COM/2006/0251 final: A strategy for a Secure Information Society - “Dialogue, partnership and empowerment”

• Commission Communication on Critical Information Infrastructure Protection COM/2009/0149 final: "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience"

• Commission Communication on Critical Information Infrastructure Protection COM/2011/0163 final: ‘Achievements and next steps: towards global cyber-security’

• Directive 2002/21/EC of the European Parliament and of the Council on a common regulatory framework for electronic communications networks and services (Framework Directive)

• Commission Communication COM(2001) 298 final on Network and Information Security: A proposal for A European Policy Approach 52001DC0298

• Regulation (EC) No 1007/2008 of the European Parliament and of the Council of 24 September 2008 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration 32008R1007

• Regulation (EU) No 580/2011 of the European Parliament and of the Council of 8 June 2011 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration 32011R0580

• Proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union - COM(2013) 48 final - 7/2/2013 - EN

Page 4: National Policy Framework

• Development Strategy for Information Society in the Republic of Serbia by 2020

• National Security Strategy of the Republic of Serbia

• Strategy on Development of Electronic Communications in the Republic of Serbia for the period 2010-2020

• Defense Strategy of the Republic of Serbia

• Action Plan (2013-2014) on Implementation of the Development Strategy for Information Society in the Republic of Serbia by 2020

• Action Plan (2013-2014) on Implementation of the Strategy on Development of Electronic Communications in the Republic of Serbia for the period 2010-2020

Page 5: National Legal Framework

• Law on Electronic Communications

• Law on Personal Data Protection

• Law on Electronic Signature

• Law on Electronic Document

• Law on the organization and competences of the state authorities for the fight against cybercrime

• Criminal Code

• Criminal Procedure Code

• Law on Defense

• The Decision on the determination of large technical systems important for defense

• Law on Ratification of the Convention on Cybercrime

• Law on ratification of the CoE Convention on Cybercrime and Law on ratification of its Additional Protocol concerning the criminalization of acts of a racist and xenophobic nature committed through computer systems

• Regulation on Specific Measures for Protection of Classified Information in Information-communications Systems

Page 6: Institutional Framework

• Ministry of Trade, Tourism and Telecommunications

• Ministry of Interior

• Ministry of Defense

• Ministry of Public Administration and Local Self-Government

• Ministry of Justice

• Administrative Agency for Joint Services of Government Authorities

• The Academic Network of the Republic of Serbia

• Regulatory agency for electronic communications and postal service

• Higher Court in Belgrade

• Commissioner for Information of Public Importance and Personal Data Protection

• Special Prosecutor’s Office for Fight Against High-Tech Crime

• Office of the Council on National Security and Classified Information Protection

• Intelligence agencies (Security-Information Agency, Military Security Agency and Military Intelligence Agency)

Page 7: Development Strategy for Information Society in the Republic of Serbia by 2020

Information security priority fields (diagram on the slide):

• Legal and institutional framework

• Critical infrastructure protection

• Fight against cybercrime

• Scientific, research and development work

Page 8: Improvement of legal and institutional framework

• The existing legal framework needs to be improved in these matters:

• Legislation – adopting relevant laws, setting out standards and areas of Information Security, as well as functions of some institutions

• Institutions – responsible for tasks relating to verification and certification methods, software application, devices and systems, R&D and oversight of the IS standards implementation by state authorities

• National CERT – Computer Emergency Response Team

Page 9: Activities relating to adoption of the Law on Information Security

• An interdepartmental work group has been set up

• Its task is to draft the Law on Information Security:

• Defining a national authority responsible for regulating the Information Security area, its activities and competences

• Setting out standards and procedures at the national level and determining the role of other state authorities

• Establishing a CERT at the national level.

Page 10: Legal institutional framework: CERT (1)

• Currently there is no established national CERT in Serbia.

• There are many institutions which have departments whose tasks are connected to CERT functions:

• Administrative Agency for Joint Services of Government Authorities (AAJS) – the main datacenter, network backbone and Internet gateway for state authorities are managed by AAJS, which has a department that performs the tasks of managing security risks in information-communication systems of public administration bodies, protecting the public administration network and data, and cooperation and coordination related to information security;

• Institutions' ICT departments – many institutions have their own ICT departments, datacenters and/or computer networks (for example: Ministry of Defense, Ministry of Foreign Affairs, Ministry of Finance, National Tax Agency, Ministry of Interior, Ministry of Justice, Security Information Agency etc.)

Page 11: Legal institutional framework: CERT (2)

• The Academic Network of the Republic of Serbia (AMRES) performs the CERT activities for the educational and scientific-research institutions in the Republic of Serbia.

• AMRES CERT team has been listed in TERENA “Trusted Introducer” Service since May 2011.

• AMRES team has a status of listed team, which provides basic information about the team itself as well as shows endorsement of the team by the TI community.

• AMRES-CERT team members participated in TERENA’s TRANSITS-I and TRANSITS-II trainings in 2012, which are held with the financial support of ENISA, and gained relevant knowledge to work in an efficient CERT environment.

Page 12: Legal institutional framework: Obligations of operators

• Obligations of operators in accordance with the Law on Electronic Communications:

• At the request of the regulatory body (RATEL), the operator shall supply all necessary data and information of relevance for ensuring the protection of personal data and privacy of users, and for the assessment of security and integrity of electronic communications networks and services, including the implementation of policies on security, continuity of work and data protection

• Operators are obligated to implement the adequate technical and organizational security measures

• In case of a particular risk related to violation of the security and integrity of public communication networks and services, the operator should inform subscribers of such risks and, in case the risk lies outside the scope of measures to be taken by the operator, of possible means of protection and costs related to the implementation of these measures

Page 13: Legal institutional framework: Obligations of operators

• Article 125 of the Law on Electronic Communications: the operator shall inform the Regulatory agency for electronic communications and postal service (RATEL) of any violations of security and integrity of public communications networks and services that significantly affected their operation, and particularly of violations that caused infringement of the personal data protection or privacy of subscribers or users

• RATEL shall be authorized to inform the public on the infringement of security and integrity or to require from the operator to do it himself, when it assesses that publication of such information is in the public interest.

Page 14: Fight against cybercrime: Criminal Code

• The Criminal Code includes the following criminal offences against information systems:

• damaging computer data and programs (art. 298)

• computer sabotage (art. 299)

• creating and introducing computer viruses (art. 300)

• computer fraud (art. 301)

• unauthorized access (art. 302)

• preventing or restricting access to a public computer network (art. 303)

• unauthorized use of a computer (art. 304)

• making, purchasing and giving for use tools for committing criminal offences against security of computer data (art. 304a)

• child pornography (art. 185)

• grooming (art. 185b)

• criminal offences against intellectual property (art. 198 to 202)

Page 15: Fight against cybercrime: Institutional framework

• Ministry of Interior - Department for Cyber Crime

• Higher Court in Belgrade

• Special Prosecutor’s Office for Fight Against High-Tech Crime

Page 16: Critical Infrastructure Protection (1)

• Critical Information Infrastructure Protection is covered by different strategies and laws.

• Development Strategy for Information Society:

• It is necessary to develop and improve protection from assaults that arise from the use of information technologies on critical infrastructure systems; in addition to the ICT systems themselves, these can also be other infrastructure systems that are managed by relying on ICTs, such as the electrical and energy system

• The National Security Strategy:

• identifies risks from cyber crime

• emphasizes the importance of building an ICT security system through the system of national security

• emphasizes capacity building, education, timely collection and sharing of data and information, coordination of security services and strengthening their organizational, human and material resources

Page 17: Critical Infrastructure Protection (2)

• Law on Defense:

• defines that large technical systems in telecommunications and information technology are required to comply with the defense requirements of the country

• The Decision on the determination of large technical systems important for defense:

• defines large telecommunication systems important for defense purposes

• Liaison officer in European Defense Agency and programs regarding Cyber security and Critical information infrastructure protection

Page 18: Scientific, Research & Development Work

• Development Strategy for Information Society in the Republic of Serbia by 2020:

• The dynamic changes linked to the challenges in the area of information safety lead to the necessity of constantly introducing new protection methods and measures in this area

• The necessity to follow the latest achievements in the area of information safety internationally, through the international cooperation

• Cryptographic techniques are the basis for establishing information safety, and weaknesses in these techniques directly undermine the information safety mechanisms. The safety level of cryptographic techniques, as a rule, wears off with the passage of time due to the constant progress made in the methods for compromising practically all cryptographic techniques. This is why it is important to constantly maintain research and development of new cryptographic techniques, as well as to constantly re-examine the existing ones.

Page 19: International cooperation: SEENSA workgroup

• At the second conference of the Southeastern Europe National Security Authorities (SEENSA), a cyber defense thematic workgroup was established

• The goal of the workgroup is defined as forming a common concept of cyber defense and producing relevant documents with instructions for regulating the cyber defense area

• The Serbian NSA participated in the third conference on information security and cyber defense, “ISCD 2013”, in Hungary

Page 20: International cooperation

• Serbia is a member of ITU and IMPACT

• AMRES CERT team has been listed in TERENA “Trusted Introducer” Service since May 2011

Page 21: Thank you for your attention