
The Information Security Act: a challenge to the IT industry (panel)

The Information Security Act: a challenge to the IT industry (panel). Mr. sc. Aleksandar Klaić, dipl. ing., Ured Vijeća za nacionalnu sigurnost (UVNS, Office of the National Security Council); Dr. sc. Miroslav Mađarić, dipl. ing., INA Industrija nafte d.d.; Stanko Cerin, S&T Group d.d.


Presentation Transcript


  1. The Information Security Act: a challenge to the IT industry (panel)
     Mr. sc. Aleksandar Klaić, dipl. ing., Ured Vijeća za nacionalnu sigurnost (UVNS)
     Dr. sc. Miroslav Mađarić, dipl. ing., INA Industrija nafte d.d.
     Stanko Cerin, S&T Group d.d.

  2. The Information Security Act – a challenge to the Information Technology Industry
     Mr. sc. Aleksandar Klaić, dipl. ing., Ured Vijeća za nacionalnu sigurnost (UVNS)

  3. The Information Security Act (NN 79/2007)
     • The Act focuses on the classified and unclassified data of the state administration
     • Basic directions in which the Act operates:
       • Direct: state bodies in the broader sense - national standards, central state bodies for information security
       • Indirect: business entities - cooperation with state bodies, international classified business (EU, NATO)
       • Strategic: the information society as a whole - National CERT, national standardization

  4. Meaning of the new Croatian legislation – information security context
     • Information Security Act (07/2007):
       • Nation-wide regulation framework - security policy (Government Regulation, NSA and NCSA Ordinances, Guidelines, …)
       • Nation-wide institutional framework (NSA/DSA umbrella body and technical NCSA/SAA/NDA body as state authorities, National CERT as a public authority, CIS P&I bodies, CISO/LISO)
       • The final aim is to cover, in an appropriate way, all 3 pillars of authority (executive, parliament and judiciary) and both national and local government
     • Data Secrecy Act (07/2007):
       • Contemporary definitions of the classified and unclassified data domains
       • Fundamental principles of data security for a nation-wide approach (need-to-know, PSC, data owner, 4-grade damage-based classification, …)

  5. Information Security Act
     • Principles of data protection with a view to the development of the information society in Croatia:
       • Comprehensive information security regulation framework for sub-Acts (Government Regulations, NSA and NCSA Ordinances, Guidelines, …)
       • Responsible bodies and a prescribed period of time for the regulation to enter into force
       • 5 security areas (Personnel, Physical, Industrial Security, INFOSEC, Security of Information) coordinated at the national level with a view to complying with NATO/EU security policy
       • Main national authorities: NSA, NCSA (Security Sector)
       • Establishment of the National CERT (Public, Academic Sector)
       • Defined roles of: SAA, NDA, DSA, CIS P&I, CISO/LISO
       • Interrelation among the national authorities that have defined roles

  6. Conceptual Issues Addressed by the Information Security Act
     • Data Owner and Infrastructure Owner
     • Interoperability issue
       • Organizational
       • Semantic
       • Technical
     • Information security concepts and requirements in the foundation of the information society
     • Standardization of the ICT and information security field
       • ISO/IEC 17799 and 27001 - Croatian National Standards from 2006
     • UNCLASSIFIED and RESTRICTED infrastructure versus public and Internet infrastructure
       • NRoI – NATO
       • s-TESTA - EU
       • HITRONET – Croatia

  7. Information Security – Process View

  8. Information Security - Organizational View

  9. Information Security - Regulation View

  10. Information Security in INA d.d.
      Dr. sc. Miroslav Mađarić, dipl. ing., INA Industrija nafte d.d.

  11. ZoIS and INA
      This Act primarily does NOT apply to INA, d.d., but only in the part concerning:
      • "Legal and natural persons who gain access to or handle classified and unclassified data."
      • E.g.: INA's role in commodity and war reserves, the country's defence preparations, exploration results (subsurface and reserves), …
      • But:
        • There is no obstacle to applying ZoIS within INA as internal regulation
        • We particularly expect benefit from the Regulation on measures and the associated standards.
        • Aligned with our projects.

  12. Evolution of the view of information security
      Gartner CIO survey, Information Security rankings. Explanation:
      • 3-5 years ago severe security breaches happened
      • … in between, IT fixed them through governance and tools
      • … thus business no longer has it in focus
      • … but IT has to take care of everyday operation by using tools.

  13. INA major information security activities
      • Last severe security crisis: mid 2003 ("Blaster")
      • Security incidents:
        • 2Q2007: 2.131
        • 3Q2007: 905
      • Start of ISOP (Information Security Outsourcing Project) June 2007 (King, S&T)
      • … covering all three main areas:
        • Confidentiality
        • Integrity
        • Accessibility (availability)
      • According to ISO 27001.

  14. Stanko Cerin, CISA, CISM, CBCP
      S&T Grupa d.o.o.

  15. Aleksandar.Klaic@uvns.vlada.hr
      aklaic@hi.t-com.hr
