Organizations in the private and public sector can conduct an audit of information and cyber security management (an assessment of the adequacy of organizational and technical measures) in order to assess the protection of processed information and personal data and their compliance with the requirements of the legislative acts of the Republic of Lithuania that regulate the security of electronic information and cyber security.
The audit of information and cyber security management may include Vulnerability Assessment, Information Technology Security Compliance Assessment (hereinafter – Compliance Assessment) and Information Systems Information Security Risk Assessment (hereinafter – Risk Assessment) services.
Vulnerability Assessment helps to assess external network vulnerabilities according to the black box methodology, web application vulnerabilities, and internal network vulnerabilities according to the white box methodology. Identified vulnerabilities are verified through penetration testing. Vulnerability assessment and penetration testing are performed using a methodology compatible with the OWASP v4 and OSSTMM v3 methodologies.
Compliance Assessment services, performed in accordance with the requirements of the legal acts of the Republic of Lithuania that regulate information and cyber security and with the requirements of the international standards ISO/IEC 27001 and ISO/IEC 27002 (hereinafter – ISO 27001 and ISO 27002), help to properly assess the organization's current level of information and cyber security management. According to the information technology security compliance assessment methodology approved by Resolution No. V-941 of the Minister of National Defense of the Republic of Lithuania of 4 December 2020, a Compliance Assessment must be organized and performed at least once a year.
Risk Assessment helps to identify gaps and threats, to identify, analyze and evaluate risks, and to prepare appropriate measures to manage them.
Organizations that manage state information resources or critical information infrastructure must submit Risk Assessment and Compliance Assessment reports to the National Cyber Security Center. Failure to comply with this requirement, or failure to comply with it in a timely manner, will result in a warning or a fine for the heads of legal entities or other responsible persons.
A lack of appropriate technical and organizational measures may be considered an infringement of the provisions of the General Data Protection Regulation (GDPR), in which case administrative fines may be imposed of up to 2–4% of the previous financial year's total annual global turnover, or up to 10,000,000–20,000,000 euros.
- We collect evidence and information
- We organize and conduct interviews with persons responsible for processes (process owners)
- We identify the RPO (recovery point objective) and RTO (recovery time objective) of information systems
- We conduct a vulnerability assessment and penetration testing
- We evaluate organizational and technical measures
- We perform a compliance assessment
- We perform a risk assessment
- We prepare recommendations to eliminate non-compliant security gaps and to manage risks
- A technological vulnerability assessment was performed. A vulnerability assessment report was prepared with a list of technological vulnerabilities (security gaps) and recommendations for their elimination.
- Compliance was assessed. Compliance with the information and cyber security requirements established in the legal acts of the Republic of Lithuania was evaluated. A compliance assessment report was prepared detailing the non-compliances identified during the compliance assessment and recommendations for their elimination.
- Compliance was assessed. Compliance with the ISO 27001 and ISO 27002 requirements was evaluated. An ISO 27001 and ISO 27002 compliance assessment report was prepared detailing the non-compliances identified during the compliance assessment and recommendations for their elimination.
- A risk assessment was performed. A risk register, a risk assessment report and a plan of risk management measures were prepared.
- Identified and eliminated vulnerabilities (security gaps)
- Identified and eliminated non-compliances with the requirements of the legislation of the Republic of Lithuania and the standards ISO 27001 and ISO 27002
- Risks have been identified and assessed, and measures have been prepared to manage them
- Ensured compliance with the requirements of the legal acts of the Republic of Lithuania and standards of ISO 27001 and ISO 27002
- Compliance Assessment Project Implemented in the State Tax Inspectorate
- Compliance Assessment Services for Government Information Resources and Communications and Information Systems Managed and Managed
- National Health Insurance Fund User Identity and Rights Management and User Registration and Control System Implementation Project
- Independent ESPBI IS (Electronic Health Services and Collaboration Infrastructure Information System) Security Audit Project of SE Center of Registers
- Compliance assessment
- ISO 27001 and 27002 compliance assessment
- Risk assessment (service description is being prepared)
- General Data Protection Regulation (GDPR)
- Cyber Security Law of the Republic of Lithuania
- Resolution No. 716 of the Government of the Republic of Lithuania “On the Approval of the Description of the Guidelines for the Determination of the General Electronic Information Security Requirements, the Description of the Guidelines for the Content of Security Documents, and of the State Information Systems, Registers and Other Information Systems Classification and Electronic Information
- Resolution No. 818 of the Government of the Republic of Lithuania of 13 August 2018 “On the Implementation of the Republic of Lithuania Law on Cybersecurity”
- The Code of Administrative Offences of the Republic of Lithuania