Information security risk assessment service
Service
Entities that control and/or process state information resources must organize and perform a risk assessment at least once a year, or after significant organizational or systemic changes, in accordance with the procedure established by legal acts.
Providers of public communications networks and/or public electronic communications services, providers of electronic information hosting services and providers of digital services must organize and carry out a risk assessment in accordance with the procedure established by law at least every two years, or after significant organizational or systemic changes.
Entities must submit the risk assessment to the National Cyber Security Center; failure to comply with this requirement, or to comply with it in a timely manner, will result in a warning or a fine for the heads of legal entities or other responsible persons.
Private entities that hold information systems and IT infrastructure can identify information and cyber security gaps and threats through a risk assessment and prepare a plan of information security management measures to address them appropriately.
Data controllers and processors must implement appropriate technical and organizational measures to ensure an appropriate level of security in accordance with the requirements of the EU General Data Protection Regulation (GDPR). An information security risk assessment helps to select the most suitable technical and organizational measures. Infringements of the GDPR may result in administrative fines of up to 2–4% of the total annual worldwide turnover of the preceding financial year, or up to EUR 10 000 000 to EUR 20 000 000.
Process
- We gather evidence and information
- We assess evidence and information
- We prepare a list of information resources
- We assess the impact of information resources on the confidentiality, integrity, availability and legality of the use of personal data
- We identify and evaluate the RPO (Recovery Point Objective, the tolerable amount of data loss) and the RTO (Recovery Time Objective, the target service recovery time interval)
- We identify, analyze, and assess information security risks
- We identify and evaluate organizational and technical measures for information security and cyber security and their adequacy
- We prepare a plan of risk management measures for managing unacceptable risks
The result
- List of information resources and impact assessment: a list of information resources has been prepared, and an assessment of the impact of information resources on the confidentiality, integrity and availability of information has been carried out
- RPO and RTO indicators: RPO and RTO indicators for information resources have been identified and evaluated
- Risk register: information security risks and threats (security gaps) have been identified, analyzed and assessed; the levels of risk and their acceptability to the organization have been determined; and organizational and technical measures and their adequacy have been identified and assessed
- Risk assessment report: an information security risk assessment report has been prepared describing the risk assessment methodology and the results of the risk assessment
- Plan of risk management measures: a plan of risk management measures to reduce the level of unacceptable risks has been prepared, together with priorities and a timetable for implementation
- An appropriate report has been prepared for upload to ARSIS
Benefits
- Identified and assessed information security and cyber security gaps, threats and risks affecting the organization’s vulnerability and business continuity
- A plan of risk management measures, with priorities for the measures and a timetable for their implementation, has been prepared for managing unacceptable risks
- The assessment is submitted to the National Cyber Security Center and uploaded to ARSIS
- Compliance with the requirements of the legal acts of the Republic of Lithuania is ensured
- Preparation for organizational resilience and business continuity
Customer reviews
- A Compliance Assessment Project Has Been Implemented in the State Tax Inspectorate
- Compliance Assessment Services for Managed and Processed Government Information Resources and Communications and Information Systems
- National Health Insurance Fund User Identity and Rights Management and User Registration and Control System Implementation Project
- Independent Electronic Health Services and Collaboration Infrastructure Information System (ESPBI IS) Security Audit Project of SE Center of Registers
Links
- The Law of Cyber Security of the Republic of Lithuania
- Resolution No. 716 of the Government of the Republic of Lithuania “On the Approval of the Description of General Electronic Information Security Requirements, the Description of Guidelines for the Content of Security Documents, and the Description of Guidelines for the Classification of State Information Systems, Registers and Other Information Systems and of Electronic Information”
- Resolution No. 818 of the Government of the Republic of Lithuania of 13 August 2018 “On the Implementation of the Republic of Lithuania Law on Cybersecurity”
- The Code of Administrative Offences of the Republic of Lithuania
- General Data Protection Regulation (GDPR)
Contact person
Ernestas Lipnickas
Mobile: +370 (605) 44 444
Email: ernestas.lipnickas@adwisery.eu