Information and Cyber Security Management

Services of Chief Information Security and Cyber Security Officer

Service

Entities that control and manage state information resources or critical information infrastructure must appoint an information security officer in accordance with the procedure established by legal acts. The officer's main functions are:

  • to establish and regularly update the electronic information and cyber security management policy;
  • to perform risk and compliance assessments;
  • to manage information security and cyber incidents;
  • to implement measures ensuring the protection of personal data;
  • to organize and carry out employee training;
  • to test business continuity management and recovery plans;
  • to perform other functions specified in the legislation.

The functions of an organization's information security officer may be outsourced to a service provider.

Private entities that operate information systems and IT infrastructure should have a cyber security officer who organizes the management of information security, cyber security and personal data protection.

The National Cyber Security Center report notes that audited entities often have only formal, paper-based information and cyber security processes that are not properly organized or managed, and that the staff assigned to these functions lack the necessary qualifications and experience.

Decisions adopted by the State Data Protection Inspectorate state that some data controllers and data processors do not manage personal data in accordance with the requirements of the General Data Protection Regulation (GDPR) and lack sufficient technical and organizational measures.

A lack of sufficient technical and organizational measures may constitute an infringement of the GDPR, in which case administrative fines may be imposed of up to EUR 10 000 000 or 2% of the total worldwide annual turnover of the preceding financial year, or, for the more serious categories of infringement, up to EUR 20 000 000 or 4% of that turnover, whichever amount is higher.

Process

  • We assess the current state of information and cyber security and personal data protection
  • We prepare the information and cyber security policy and the documents that implement it
  • We perform a risk assessment
  • We perform a compliance assessment
  • We organize cyber security training and social engineering testing, and advise employees
  • We organize tests and exercises of business continuity management and recovery plans
  • We coordinate the management of information security and cyber incidents and of personal data breaches
  • We coordinate the control of vulnerability management, software updates, information security management of third-party services and other processes
  • We help ensure that the organizational and technical cyber security requirements established in the legal acts of the Republic of Lithuania are implemented and controlled

The result

  • The cyber security policy and its implementation documents have been prepared, agreed with the National Cyber Security Center, and are periodically updated
  • Compliance assessment is performed at regular intervals. Compliance with the organizational and technical cyber security requirements established in the legal acts of the Republic of Lithuania is assessed, and a compliance assessment report details the non-conformities identified and the actions planned to eliminate them
  • Risk assessment is performed at regular intervals. A list of information resources is prepared; the impact of each resource on the confidentiality, integrity and availability of information is assessed, and RPO (Recovery Point Objective) and RTO (Recovery Time Objective) indicators are identified and evaluated for each resource. Information security risks and threats (security gaps) are identified, analyzed and assessed; the level of each risk and its acceptability to the organization are determined; and the organizational and technical measures in place and their adequacy are identified and assessed. An information security risk assessment report and a risk management plan for unacceptable risks are prepared
  • Testing of business continuity management and recovery plans is organized. Exercises are held, and the organization's ability to ensure business continuity and to restore information systems and IT infrastructure is assessed in practice
  • Cyber security training and social engineering testing are provided, and employees receive assistance and advice
  • Cyber incident management is ensured. Cyber incidents are managed in accordance with the procedures of the National Cyber Incident Management Plan
  • Cooperation between the responsible employees and departments of the organization in the fields of information security, cyber security and personal data protection is established
  • Control of vulnerability management, software updates, information security management of third-party services and other processes is ensured

Benefits

  • Continuous management of the organization's information and cyber security is ensured
  • Information and cyber security risks are regularly assessed, and measures to manage them are implemented
  • Employees' qualifications in information and cyber security, and their resistance to social engineering, are raised and maintained
  • Business continuity and recovery are ensured
  • The activities of responsible personnel and departments, and information security and cyber incident management, are coordinated
  • Compliance with the requirements of the legislation of the Republic of Lithuania and the GDPR is ensured

Contact person

Ernestas Lipnickas
Mobile: +370 (605) 44 444
Email: ernestas.lipnickas@adwisery.eu