Development of governance and the level of information and cyber security in the public administration (VS) sub-sector - Industrial Property Office of the Slovak Republic
Recipient
Industrial Property Office of the Slovak Republic, Švermova 43, 974 04 Banská Bystrica
Project code
311071BNQ3
Project name
Development of governance and the level of information and cyber security in the public administration (VS) sub-sector - Industrial Property Office of the Slovak Republic
Project location
Industrial Property Office of the Slovak Republic, Švermova 43, 974 04 Banská Bystrica, Slovak Republic
Amount of the granted non-repayable financial contribution (NFP)
EUR 120 888,00
Effective date of the NFP contract
08. 06. 2022
Contract
Brief description of the project
The Industrial Property Office of the Slovak Republic (hereinafter referred to as "IPO SR") is an operator of a basic service (this includes the IPO SR website as well as all IPO SR information systems registered in the Central Meta-Information System of Public Administration) registered in the register of operators of basic services of the NSA. The main purpose of the project is to extend the competences of the IPO SR in the field of information and cyber security. The reason for implementing the project is to ensure compliance with Act No. 69/2018 Coll. on cyber security and Act No. 95/2019 Coll. on information technologies of public administration. Within the framework of the project, the IPO SR plans to implement cyber security governance processes, conduct a risk and impact analysis, develop an information and cyber security strategy, including a roadmap for the implementation of the proposed measures, ensure the process of a formal decision on risk management, and implement a tool for recording information assets, categorising IS and networks, and managing identified risks and incidents.
The following activities will be carried out under the project:
1. Analyse the current state of information security (IB) and cyber security (KyB) management and its compliance with the requirements of the legislation, in particular the Cyber Security Act No. 69/2018 (ZoKB) and related decrees, especially Decree No. 362/2018, which establishes the content of security measures, the content and structure of security documentation and the scope of general security measures, information and cyber security analysis, as well as the Law on Information Technology in Public Administration No. 95/2019 (ZoITVS) and the related Decree No. 179/2020, which establishes the method of categorisation and content of security measures for information technology in public administration.
2. Conduct a thorough risk analysis and impact analysis (AR/BIA), including:
   - identification of assets and assessment of their criticality,
   - classification of assets and categorisation of IS and networks,
   - identification of threats and attack vectors,
   - analysis of potential impacts,
   - identification of risks based on threat probabilities and potential impacts,
   - identification of existing measures and residual risks,
   - design of measures.
3. Based on the risk analysis, develop an information and cyber security strategy, including a roadmap for the implementation of the proposed measures.
4. Ensure the process of a formal decision on risk management (acceptance of risks or adoption of adequate measures to reduce or eliminate them) by the management of the SRSG.
5. Establish the required internal documents, directives and operational documentation for the relevant information security (IB) and cyber security (KyB) management areas:
   - Cyber Security Strategy,
   - Security Policy,
   - Information Security Management Directive,
   - Information Classification and Categorisation of Networks and Information Systems,
   - Risk Analysis and Impact Analysis (AR/BIA) Performance Directive,
   - Directive on the secure operation of IS and networks,
   - Directive on monitoring and handling of cyber security incidents,
   - BCM Policy (for all information systems of the IPO SR), including a recovery strategy and a draft pre-populated template for the BCP and DRP,
   - Secure Software Development Life Cycle (SSDLC) guidelines for the secure development and maintenance of applications and IS, and draft security requirements for applications by classification level,
   - Security design of all relevant information systems of the IPO SR for which it is required by the legislation in force.
6. Introduce into the environment of the IPO SR a client tool (module) provided by MIRRI from the CMRKB project for the registration of information assets, their classification, categorisation of IS and networks and management of identified risks and incidents.
The expected benefits after the implementation of the project are:
- enhancement of information and cyber security capabilities in the IPO SR,
- ensuring compliance with the ITMS Act and the Cyber Security Act,
- deployment of a software tool for recording information assets and risks, and for monitoring and managing security incidents,
- once the project is implemented, the process will be in place and carried out by internal staff, in particular the Cyber Security Manager.
Information on the Operational Programme Integrated Infrastructure 2014-2020 can be found at www.opii.gov.sk
Hyperlink to the website of the Managing Authority: www.mindop.sk
Hyperlink to the website of the Central Coordination Body: www.eufondy.sk