Services of Chief Information Security and Cyber Security Officer
Entities that control and manage state information resources or critical information infrastructure must have an information security officer, appointed in accordance with the procedure established by legal acts, whose main functions are:
- to establish and regularly update the electronic information and cyber security management policy;
- to perform risk and compliance assessments;
- to manage information security and cyber incidents;
- to implement measures to ensure the protection of personal data;
- to organize and carry out employee training;
- to test business continuity management and recovery plans;
- to perform other functions specified in the legislation.
The functions of an organization’s information security officer may be outsourced to a service provider.
Private entities with information systems and IT infrastructure should have a cyber security officer that organizes the management of information security, cyber security, and personal data protection.
The National Cyber Security Center report notes that audited entities often have only formal paper-based information and cyber security processes that are not properly organized and managed, and that the staff assigned to these functions do not have the necessary qualifications and experience.
The decisions adopted by the State Data Protection Inspectorate state that some data controllers and data processors do not manage personal data properly in accordance with the requirements of the General Data Protection Regulation (GDPR) and do not have sufficient technical and organizational measures in place.
A lack of sufficient technical and organizational measures may be considered an infringement of the provisions of the GDPR, in which case administrative fines of up to 2–4% of the total annual worldwide turnover of the preceding financial year, or up to EUR 10 000 000 to EUR 20 000 000, may be imposed.
- We assess the current situation of information and cyber security and personal data protection
- We prepare the documentation regulating the information and cyber security policy and its implementation
- We perform a risk assessment
- We perform a compliance assessment
- We organize cyber security training and social engineering testing, and advise employees
- We organize tests / exercises of business continuity management and recovery plans
- We coordinate the management of information security and cyber incidents, personal data breaches
- We coordinate the control of vulnerability management, software updates, information security management of third-party services and other processes
- We help to ensure the implementation and control of the organizational and technical cyber security requirements established in the legal acts of the Republic of Lithuania
- The cyber security policy and its implementation documents have been prepared, agreed with the National Cyber Security Center, and are periodically updated
- Compliance assessment is performed at regular intervals. Compliance with the organizational and technical cyber security requirements established in the legal acts of the Republic of Lithuania has been assessed. A compliance assessment report has been prepared detailing the non-compliances identified during the assessment, and actions have been prepared to eliminate them
- Risk assessment is performed at regular intervals. A list of information resources has been prepared. The impact of information resources on the confidentiality, integrity and availability of information has been assessed, and RPO (Recovery Point Objective) and RTO (Recovery Time Objective) indicators for information resources have been identified and evaluated. Information security risks and threats (security gaps) have been identified, analyzed, and assessed; the levels of risk and the level of acceptability to the organization have been determined; and organizational and technical measures and their adequacy have been identified and assessed. An information security risk assessment report and a risk management plan have been prepared to manage unacceptable risks
- Testing of business continuity management and recovery plans is organized. Exercises are organized, and the organization’s ability to ensure business continuity and restore information systems and IT infrastructure is assessed in practice
- Cyber security training and social engineering testing are provided, and assistance and advice are provided to employees
- Cyber incident management is ensured. Cyber incidents are managed in accordance with the procedures of the National Cyber Incident Management Plan
- Cooperation between the responsible employees and departments of the organization in the field of information security, cyber security and protection of personal data is implemented
- Control of vulnerability management, software updates, information security management of third-party services and other processes is ensured
- Continuous management of the organization’s information and cyber security is ensured
- Information and cyber security risks are regularly assessed, and measures are implemented to manage them
- The qualifications of employees in the field of information and cyber security, and their resistance to social engineering, are raised and maintained
- Business continuity and recovery are ensured
- The activities of responsible personnel and departments, as well as information security and cyber incident management, are coordinated
- Compliance with the requirements of the legislation of the Republic of Lithuania and the GDPR is ensured
- A Compliance Assessment Project Has Been Implemented in the State Tax Inspectorate
- Compliance Assessment Services for Managed Government Information Resources and Communications and Information Systems
- National Health Insurance Fund User Identity and Rights Management and User Registration and Control System Implementation Project
- Independent Security Audit Project of ESPBI IS (Electronic Health Services and Collaboration Infrastructure Information System) of the SE Center of Registers
- The Law on Cyber Security of the Republic of Lithuania
- Resolution No. 716 of the Government of the Republic of Lithuania “On the Approval of the Description of General Electronic Information Security Requirements, the Description of Guidelines for the Content of Security Documents, and the Description of Guidelines for the Classification of State Information Systems, Registers and Other Information Systems and of Electronic Information”
- Resolution No. V-941 of the Minister of National Defense of the Republic of Lithuania of 4 December 2020 “On the Approval of the Description of Technical Electronic Information Security Requirements for State Registers (Cadastres), Departmental Registers, State Information Systems and Other Information Systems and the Methodology for Conformity Assessment of Information Technology Security”
- Resolution No. 818 of the Government of the Republic of Lithuania of 13 August 2018 “On the Implementation of the Law on Cyber Security of the Republic of Lithuania”
- The Code of Administrative Offences of the Republic of Lithuania
- General Data Protection Regulation (GDPR)
- National Cyber Security Center Report
- State Data Protection Inspectorate