2. Principles of legal regulation of IT security

 Principle definition a fundamental truth or proposition that serves as the foundation for a system of belief or behavior or for a chain of reasoning. 

  1. Principles of IT security law 

  • IT security Law 

  • GDPR 

  • National cybersecurity strategies 

  1. Key cyber security principles 

When applying legal provisions which regulate cyber security, consideration shall be taken of these principles. These principles shall be inter aligned and coordinated; neither of them shall be given priority or prevalence. 

  1. Non-discrimination 

Non-discrimination of cyber space, which means that the provisions of legislation are applied and benefits are stored both in physical and cyber space equally; 

  1. Management of cyber security risk 

Management of cyber security risk, which means that the applicable cybersecurity measures must ensure that regularly assessed risks of cyber security entities are captured; 

  1. Proportionality of cyber security 

Proportionality of cyber security, which means that legal, organizational and technical cyber security measures, which are applied, shall not restrict the activities of cyber security entities in cyber space more than required; 

  1. Supremacy of public interest 

Supremacy of public interest, which means that the applicable cyber security measures shall first guarantee the protection of public interest, however, shall not, in principle, infringe on consumer rights or limit their freedom in cyber space proportionally; 

  1. Standardization and technological neutrality 

Standardization and technological neutrality, which means that when implementing cyber security measures, cyber security entities shall be encouraged to follow the national, the EU and other international communications and information systems’ cyber security standards and specification, without demanding to apply any specific type of technology and without giving it the priority; 

  1. Subsidiarity 

Subsidiarity, which means that cyber security entities, which operate information systems and use them for the provision of services, are responsible for cyber security of information systems as well as for services which are provided using such systems. 

In the areas which fall within the exclusive competence of cyber security entities, the authorities which develop and implement cyber security policy shall take measures solely when cyber security of the communications and information systems and services provided using such systems cannot be ensured by cyber security entities which manage such systems and use them for the provision of services. 

  1. Principles of Data Protection 

  • Article 5 of the General Data Protection Regulation (GDPR) sets out key principles which lie at the heart of the general data protection regime. 

  • These key principles are set out right at the beginning of the GDPR and they both directly and indirectly influence the other rules and obligations found throughout the legislation. 

  • Therefore, compliance with these fundamental principles of data protection is the first step for controllers in ensuring that they fulfil their obligations under the GDPR. 

  1. Article 5 of GDPR 

  1. Lawfulness, fairness, and transparency 

  • Any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data concerning them are collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed. 

  • The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. 

  1. Purpose Limitation 

  • Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. However, further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes (in accordance with Article 89(1) GDPR) is not considered to be incompatible with the initial purposes. 

  1. Data Minimisation 

  • Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum (see also the principle of ‘Storage Limitation’ below). 

  1. Accuracy 

  • Controllers must ensure that personal data are accurate and, where necessary, kept up to date; taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In particular, controllers should accurately record information they collect or receive and the source of that information. 

  1. Storage Limitation 

  • Personal data should only be kept in a form which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. 

  1. Integrity and Confidentiality 

  • Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorized or unlawful access to or use of personal data and the equipment used for the processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. 

  1. Accountability 

  • Finally, the controller is responsible for, and must be able to demonstrate, their compliance with all the above-named Principles of Data Protection. Controllers must take responsibility for their processing of personal data and how they comply with the GDPR and be able to demonstrate (through appropriate records and measures) their compliance, in particular to the DPC. 

  1. Cyber security policy in Lithuania 

  • Cyber security policy is developed, its implementation is organized, controlled and coordinated by the Ministry of National Defense (Krašto Apsaugos Ministerija, liet.) of the Republic of Lithuania. 

  • The National Cyber Security Centre (Nacionalinis Kibernetinio Saugumo Centras, liet. https://www.nksc.lt/) takes part in the development of cyber security policy to the extent to which legal regulation of activities of cyber security entities has to be established for the performance of functions laid down in this law. 

  • Cyber security policy is implemented by the National Cyber Security Centre, the State Data Protection Inspectorate (Valstybinė Duomenų Apsaugos Inspekcija), the Lithuanian Police and other authorities the functions of which are related to cyber security. 

  1. Powers of the Government (2.6.1), Ministry of National Defence (2.6.2), Cyber Security Council (2.6.3), National Cyber Security Centre (2.6.4), State Data Protection Inspectorate (2.6.5) and Police (2.6.6) in the field of cyber security 

  1. The Government 

  1. Ministry of National Defence 

  • Coordinates the preparation of the National Cyber Security Strategy, submits it to the Government for approval; 

  • submits to the Government organizational and technical cyber security requirements imposed on cyber security entities for approval; 

  • submits the National Cyber Incident Management Plan to the Government for approval; 

  • submits the methodology for identification of critical information infrastructure to the Government for approval; 

  • submits the list of critical information infrastructure and its managers to the Government for approval; 

  • approves a typical plan for cyber incident management in critical information infrastructures; 

  • approves a cyber defense plan for critical information infrastructures; 

  • establishes the procedure for responding to cyber incidents, which occur in communications and information systems of cyber security entities, by the National Cyber Security Centre; 

  • approves the plan on implementation of technical cyber security measures, establishes the procedure for their implementation and management in information resources and in critical information infrastructure; 

  • participates in cyber security crisis management; 

  • establishes Cyber Security Information Network and approves its regulations; 

  • approves the Regulation of the Cyber Security Council and composition. 

  1. Cyber Security Council 

The Cyber Security Council is a permanent collegial independent advisory body which analyses the situation of cyber security assurance in the Republic of Lithuania and puts forward proposals to institutions which develop and implement cyber security policy, cyber security entities, research and educational institutions and business entities which engage in activities in the field of information technology (hereinafter referred to as the “Cyber Security Actors”) with regard to improvement of the situation of cyber security assurance. 

  1. National Cyber Security Centre 

National Cyber Security Centre (NCSC) under the Ministry of National Defence is the main Lithuanian cyber security institution, responsible for unified management of cyber incidents, monitoring and control of the implementation of cyber security requirements, accreditation of information resources. 

  1. State Data Protection Inspectorate 

The State Data Protection Inspectorate implements the cyber security policy in the field of protection of personal data and fulfils the tasks established by the supervisory authority in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1). 

  1. Police 

When implementing the prevention of cyber incidents which possibly have constituent elements of criminal offences and when conducting their investigation, the Police: 

  • collects, analyses and summarizes information about cyber incidents which possibly have constituent elements of criminal offences. 

  • establishes the procedure for the provision of information by cyber security entities to the police which is required to prevent and investigate cyber incidents which might have constituent elements of criminal offences. 

  • has the right [without a court sanction] to order the provider of public communications networks and/or public digital communications service providers<…> 

  • to limit the provision of public communications networks and/or public electronic communications services<…> 

  • to preserve information related to the services provided by them which might help detect the type of communications service used<…> 

  1. General duties of cyber security entities 

  • Are responsible for cyber security of communications and information service they manage and of services they provide, ensure their compliance with the organizational and technical cyber security requirements imposed on cyber security entities. 

  • conduct risk assessment and implement technical and organizational cyber security measures based on the latest technology developments proportionate to the identified risk; 

  • notify the National Cyber Security Centre of cyber incidents which occur in communications and information systems controlled and/or managed by them. 

  • provide the Police with information required for the prevention and investigation of infringements of the law. 

  • assign a competent person or department responsible for the organization and assurance of cyber security 

  1. Critical information infrastructure 

Managers of critical information infrastructure have additional detail requirements. 

  1. Inter-institutional cooperation in managing and investigating cyber incidents 

  • NCSC and the Police consult each other and cooperate in investigating cyber incidents, exchange information related to investigation of cyber incidents which is required to perform the functions of these authorities which fall under their competence. When required, investigation of cyber incidents might be reported to other entities of criminal intelligence and/or intelligence institutions. 

  • NCSC and the State Data Protection Inspectorate cooperate in investigating cyber incidents related to personal data and/or privacy protection violations, exchange information which is necessary for the fulfilment of functions established by legal acts in relation to investigation of cyber incidents which infringe on personal data and/or privacy protection. 

  • The procedure of inter-institutional cooperation in managing and investigating cyber incidents shall be established in the National Cyber Incident Management Plan. 

Comments

Post a Comment

Popular posts from this blog

STRESS, BURNOUT, AND SECURITY FATIGUE IN CYBERSECURITY: A HUMAN FACTORS PROBLEM

Image
Received: January 2022 |Accepted: April 2022 | Published: July 2022 Please cite this paper as: Nobles, C. (2022) Stress, burnout and security fatigue in cybersecurity: A human factors problem, Holistica Journal of Business and Public Administration, Vol. 13, Iss. 1, pp. 49-72 Abstract Stress, burnout, and security fatigue continue as slight destroyers of strong cybersecurity and significant human factors concerns. The persistence of these human performance issues is concerning given the lack of mitigation and integration of human factors practitioners to mitigate these adverse risk circumstances. Security fatigue is not a new phenomenon but the evolving nature of cybersecurity results in various sub-categories of security fatigue; thus, making it a difficult problem to solve. Stress and burnout are major causes of short tenures in senior roles for security executives. Business decision-makers lack the expertise to explore the negative influences of stress, burnout, and security fatigue...
Read more

ITSM - All topics

Image
1         Introduction, main principals and definitions / Attacks against information systems 1.1      Introduction ·          Information security vs Information safety ·          Life spheres, influenced by information security: o    Finance and commerce; o    Government; o    Military; o    Private life. ·          Reasons of importance increase. 1.2      Information Security Definition CIA Triad: ·          Confidentiality - preventing the disclosure of information to unauthorized individuals or systems. ·          Integrity - maintaining and assuring the accuracy and consistency of data over its entire life-cycle. ·     ...
Read more

Adaptive Knowledge Assessment Method For Cybersecurity Specialists Evaluating Under Stressful And Emotional Situations

Introduction: The Need For Adaptive Knowledge Assessment In Cybersecurity In the rapidly evolving field of cybersecurity, it is crucial to ensure that professionals possess the necessary knowledge and skills to protect critical information systems. Traditionally, knowledge assessment methods have focused on evaluating individuals' theoretical understanding of cybersecurity principles through standardized tests or practical exercises. However, these approaches often fail to capture the real-world challenges faced by cybersecurity specialists when operating under stressful and emotional situations. [ 0 ,  1 ,  2 ] As cyber threats become increasingly sophisticated and frequent, it is essential to develop an adaptive knowledge assessment method that accurately reflects the dynamic nature of this domain. Such an assessment approach would not only evaluate technical expertise but also measure individuals' ability to make sound decisions while under pressure or in emotionally c...
Read more