The Information Security Act: a challenge to the IT industry (panel)
Mr. sc. Aleksandar Klaić, dipl. ing., Ured Vijeća za nacionalnu sigurnost (UVNS)
Dr. sc. Miroslav Mađarić, dipl. ing., INA Industrija nafte d.d.
Stanko Cerin, S&T Group d.d.
The Information Security Act – a challenge to the Information Technology Industry
Mr. sc. Aleksandar Klaić, dipl. ing., Ured Vijeća za nacionalnu sigurnost (UVNS)
Information Security Act (NN 79/2007)
• The Act focuses on the classified and unclassified data of the state administration
• Fundamental directions in which the Act operates:
  o Direct: state bodies in the broader sense - national standards, central state bodies for information security
  o Indirect: business entities - cooperation with state bodies, international classified business (EU, NATO)
  o Strategic: the information society as a whole - National CERT, national standardization
Meaning of the new Croatian legislation - information security context
• Information Security Act (07/2007):
  o Nation-wide regulation framework - security policy (Government Regulation, NSA and NCSA Ordinances, Guidelines, …)
  o Nation-wide institutional framework (NSA/DSA umbrella body and technical NCSA/SAA/NDA body as state authorities, and National CERT as public authority, CIS P&I bodies, CISO/LISO)
  o The final aim is to cover in an appropriate way all 3 pillars of authority (executive, parliament and judiciary) and both national and local government
• Data Secrecy Act (07/2007):
  o Contemporary definitions of the classified and unclassified data domains
  o Fundamental principles of data security for a nation-wide approach (need-to-know, PSC, data owner, 4-grade damage-based classification, …)
Information Security Act
• Principles of data protection with a view to the development of the information society in Croatia:
  o Comprehensive information security regulation framework for sub-Acts (Government Regulations, NSA and NCSA Ordinances, Guidelines, …)
  o Responsible bodies and a prescribed period of time for the regulation to enter into force
  o 5 security areas (Personnel, Physical, Industrial Security, INFOSEC, Security of Information) coordinated at national level with a view to complying with NATO/EU security policy
  o Main national authorities: NSA, NCSA (Security Sector)
  o Establishment of National CERT (Public, Academic Sector)
  o Defined roles of: SAA, NDA, DSA, CIS P&I, CISO/LISO
  o Interrelation among the national authorities that have defined roles
Conceptual Issues Addressed by the Information Security Act
• Data Owner and Infrastructure Owner
• Interoperability issue
  o Organizational
  o Semantic
  o Technical
• Information security concepts and requirements in the foundation of the information society
• Standardization of the ICT and information security field
  o ISO/IEC 17799 and 27001 - Croatian National Standards from 2006
• UNCLASSIFIED and RESTRICTED infrastructure versus public and Internet infrastructure
  o NRoI - NATO
  o s-TESTA - EU
  o HITRONET - Croatia
Information Security – Process View
Information Security - Organizational View
Information Security - Regulation View
Information Security in INA d.d.
Dr. sc. Miroslav Mađarić, dipl. ing., INA Industrija nafte d.d.
The ISA (ZoIS) and INA
This Act primarily does NOT apply to INA, d.d., but only in the part concerning:
• "Legal and natural persons who gain access to or handle classified and unclassified data."
  o E.g.: its role in commodity and wartime reserves, the country's defence preparations, research results (subsurface and reserves), …
• But:
  o There is no obstacle to applying the ISA within INA as internal regulation
  o We particularly expect benefit from the Regulation on measures and the associated standards
  o Aligned with our projects
Evolution of the view of information security
Gartner CIO survey, Information Security rankings (rank by year):

                                  2006   2005   2004
  Business priorities (outcome)      7      2      1
  Technology priorities (tools)      2      1   n.a.

Explanation: 3-5 years ago severe security breaches happened … in between, IT fixed them through governance and tools … thus business no longer has it in focus … but IT has to take care of everyday operation by using tools.
INA major information security activities
• Last severe security crisis: mid 2003 ("Blaster")
• Security incidents:
  • 2Q2007: 2.131
  • 3Q2007: 905
• Start of ISOP (Information Security Outsourcing Project) June 2007 (King, S&T)
• … covering all three main areas:
  • Confidentiality
  • Integrity
  • Accessibility
• According to ISO 27001.
Stanko Cerin, CISA, CISM, CBCP
S&T Grupa d.o.o.