Zakon o informacijskoj sigurnostiizazov informatičkoj industriji (panel)

Mr. sc. Aleksandar Klaić, dipl. ing.Ured Vijeća za nacionalnu sigurnost (UVNS)Dr. sc. Miroslav Mađarić, dipl. ing.INA Industrija nafte d.d.Stanko CerinS&T Group d.d.

The Information Security Act – a challenge to the Information Technology Industry

Mr. sc. Aleksandar Klaić, dipl. ing.Ured Vijeća za nacionalnu sigurnost (UVNS)

Zakon o informacijskoj sigurnosti (NN 79/2007)

o U fokusu Zakona su klasificirani i neklasificirani podaci državne uprave

o Temeljni smjerovi djelovanja Zakona:oDirektnioDržavna tijela u širem smislu - nacionalni standardi,

središnja državna tijela za informacijsku sigurnosto IndirektnioPoslovni subjekti – suradnja s državnim tijelima,

međunarodni klasificirani poslovi (EU, NATO)o StrateškioInformacijsko društvo u cjelini - Nacionalni CERT,

nacionalna normizacija

Meaning of the new Croatian legislation – information security contexto Information Security Act (07/2007):

o Nation-wide regulation framework - security policy (Government Regulation, NSA and NCSA Ordinances, Guidelines, …)

o Nation-wide institutional framework (NSA/DSA umbrella body and technical NCSA/SAA/NDA body as state authorities, and National CERT as public authority, CIS P&I bodies, CISO/LISO)

o The final aim is to cover in appropriate way all 3 pillars of authorities (executive, parliament and judiciary) and both national and local government

o Data Secrecy Act (07/2007):o Contemporary definitions of classified and unclassified data domainso Fundamental principles of data security for Nation-wide approach

(need-to-know, PSC, data owner, 4 grade damage based classification, …)

Information Security Acto Principles of data protection with a view of development of

information society in Croatia:o Comprehensive information security regulation framework for sub-

Acts (Government Regulations, NSA and NCSA Ordinances, Guidelines, …)

o Responsible bodies and prescribed period of time for regulation to enter into force

o 5 security areas (Personnel, Physical, Industrial Security, INFOSEC, Security of Information) coordinated at national level with a view to comply to NATO/EU security policy

o Main national authorities: NSA, NCSA (Security Sector)o Establishment of National CERT (Public, Academic Sector)o Defined Roles of: SAA, NDA, DSA, CIS P&I, CISO/LISOo Interrelation among national authorities that have defined roles

Conceptual Issues Addressed by the Information Security Acto Data Owner and Infrastructure Ownero Interoperability issue

o Organizationalo Semantico Technical

o Information security concepts and requirements in the foundation of information society

o Standardization of ICT and information security fieldo ISO/IEC 17799 and 27001 - Croatian National Standards from 2006

o UNCLASSIFIED and RESTRICTED infrastructure versus public and Internet infrastructureo NRoI – NATOo s-TESTA - EUo HITRONET – Croatia

Information Security – Process View

Information Security - Organizational View

Information Security - Regulation View

Information Security in INA d.d.

Dr. sc. Miroslav Mađarić, dipl. ing.INA Industrija nafte d.d.

ZoIS i INA

Ovaj zakon se primarno NE odnosi na INA, d.d., već samo u dijelu:

o “Pravne i fizičke osobe koje ostvaruju pristup ili postupaju s klasificiranim i neklasificiranim podacima.”o Npr: uloga u robnim i ratnim rezervama, obrambenim pripremama

zemlje, rezultati istraživanja (podzemlje i zalihe), …o Ali:

o Nema zapreke primjeni ZoIS u INI kao interne regulacijeo Naročito očekujemo korist od Uredbe za mjere i pripadne standarde.o Usklađeno s našim projektima.

Razvoj pogleda na informacijsku sigurnost

Gartner CIO survey Information Security rankings:

2006 2005 2004

Business priorities (outcome) 7 2 1

Technology priorities (tools) 2 1 n.a.

Explanation: 3-5 yrs ago severe security breaches happened … in between IT fixed them through governance and tools … thus business has it in focus no more … but IT has to take care about everyday operation by using tools.

INA major information security activities• Last severe security crisis: mid 2003. (“Blaster”)• Security incidents:

• 2Q2007: 2.131 • 3Q2007: 905

• Start of ISOP (Information Security Outsourcing Project) June 2007 (King, S&T)

• … covering all three main areas:• Confidentiality• Integrity• Accessibility

• According to ISO 27001.

Stanko Cerin, CISA, CISM, CBCPS&T Grupa d.o.o.

Aleksandar.Klaic@uvns.vlada.hraklaic@hi.t-com.hr