INFORMATION SECURTITY POLICY IN PUBLIC SECTOR IN SLOVENIA

Transcription

1 MINISTRY OF PUBLIC ADMINISTATION REPUBLIC OF SLOVENIA e: Tržaška cesta 21, 1000 Ljubljana t: , f: INFORMATION SECURTITY POLICY IN PUBLIC SECTOR IN SLOVENIA Damijan Marinšek, M.Sc. secretary 1

2 Agenda The purpose of the policy Legal History Current state Policies Action plan 2

3 The purpose of the policy One common security policy in public sector Preserve and maintain: Integrity Confidentiality Availability of the information and the data across the public sector Promote a culture of security among all participants Raise awareness about the risk to information systems and networks 3

4 Legal The Personal Data Protection Act (ZVOP, Personal Data Protection Act - Official consolidated text, Official gazette. No. 94/2007) Decree on Administrative Operations (Official Gazette of the Republic of Slovenia, No. 20/2005, 106/2005, 30/2006, 86/2006, 32/2007, 31/2008) Electronic Commerce and Electronic Signature Act - Official consolidated text, Official gazette. No. 98/2004) Decree on Conditions for Electronic Commerce and Electronic Signing, Official gazette. No. 77/2000) Decree on Documentary and Archival Material Custody, Official gazette. No. 86/2006, Classified Information Act, Official gazette. No. 50/06) Decree on the Protection of Classified Information in Communication- Information Systems, Official gazette. No. 48/2007) Public Administration Act (Official Gazette of the Republic of Slovenia, No. 113/2005, 48/2009)ZDU-1-UPB4, ZDU-1E) 4

5 Standards, best practice ISO/IEC , ISO/IEC ISO/IEC , ITIL 5

6 History from OECD questionnaire: Decree on Administrative Operations pays special attention also to the information security and requires the preparation of the security policy and set-up of the information security system. For that purpose the former Government Centre for IT has prepared guidelines Handbook for the preparation of the information security policy. In the period the Government Centre for IT prepared several security policies according to the standard BSI After the reorganisation of the government in 2005 the Ministry of Public Administration (MPA) took over the responsibilities of the Government Centre for IT. MPA is now renovating current policies in order to make them contemporary and compliant with current standards (ISO ) as well as with good practices from the field. MPA is also renovating the policies in order to set the common policy for the whole public administration. MPA is also preparing new strategy SRITES which will amongst other address the information security, the interchange of data from authentic sources (registers) based on the national interoperability framework, and which will accelerate the use of electronic public services. Local policies Bottom up approach 6

7 Current state Governmental group for information security policy lead by MPA (2008) Weekly meetings One document to go Reconciliation Governmental procedure 7

8 Policies concept, roles and responsibilities 8

9 Policies on physical security proper use of information systems document, process and media management outsourcing management of production environment development and change management of applications compliance with the policy 9

10 Physical security Proper security mechanisms on entry control to the building and secure areas Entry logs Secure areas Inventory of assets Equipment safety Fire safety 10

11 Proper use of information systems Use of electronic equipment and information systems ( , internet etc.) Antivirus, mobile and malicious code Data encryption Management of user and administrative rights Roles and responsibilities The need to know Clear desk and screen policy Data safekeeping 11

12 Document, process and media management Document and media handling Back-up Archiving 12

13 Outsourcing Public procurement Specifications of information systems Contracts Tenders Copyrights Data safekeeping 13

14 Management of production environment SLA s (24/7, 16/5) Network and system access Network and system security Log files (management) Capacity management Redundancy Services 14

15 Development and change management of applications Development Test Production Change release 15

16 Compliance with the policy Tasks for the group to monitor the PDCA of the ISMS Reports for the management compliance with the law, standards 16

17 Action plan governmental approval by the end of 2009 consolidation of local policies with new common public sector policy risk assessment methodology and tool for public sector, risk assessment SIGOV- CERT incident management awareness rising security officers 17