Valstybės Kontrolė

National Audit Office of the Republic of Lithuania

Cyber Security Assurance

2022 LT2022cyberSecurity
ABOUT SCALE
  • Due to the increasing digitization of services and processes, the COVID-19 pandemic, and geopolitical challenges and tensions, the threat of cyber and hybrid attacks is growing, and their social and economic impact is increasing.
  • According to the data of the National Cyber Security Center, 11 659 cyber incidents were registered in the last three years: 3 241 in 2019, 4 330 in 2020, and 4 088 in 2021. Appropriations of 9,7 million EUR were planned for measures to strengthen cyber security in that period.
COMPLIANCE FOCUS
  • Cyber Security Law
  • Law on Strategic Management
  • National Cybersecurity Strategy
PERFORMANCE ASPECT
  • thoroughness of risk assessment
  • to management system
  • strategic goals and objectives implementation
  • performance evaluation indicators

Because national cyber security risks have not been identified, no national cyber security risk management plan has been drawn up, and acceptable national cyber security risks and their tolerance limits have not been determined. As a result, there is no coordinated risk management process at the national level that would ensure the necessary protection, prevention and response measures and the utilization of capabilities.

Every fourth cyber security entity (26 percent, 55 out of 212) does not have a cyber incident management plan (procedure), nor has a typical cyber incident management plan, which should serve as an example for cyber security entities, been approved.

Monitoring and control of the implementation of the National Cybersecurity Strategy is focused on continuous reporting on the progress achieved, but in 2019-2021 the strategy implementation results were not reviewed annually: from 2021, after the Law on Strategic Management came into force, the Ministry of National Defence did not collect and systematize information about the results of the implementation of the National Cybersecurity Strategy. The executors of the Strategy did not monitor all measures and evaluation criteria.

Institutions that manage and investigate cyber incidents (…) do not in all cases exchange information about cyber incidents that are relevant to them according to the nature of their activities, so these institutions do not create the preconditions to quickly recognize different types of cyber incidents and transfer the information to the competent authorities so that the latter can act in a timely manner. The prevention of criminal acts or violations, cyber security entities and society may suffer as a result.

National cyber security exercises are held every year, cyber security trainings are organized, and consultations and methodological recommendations are provided. The majority of cyber security entities (73 percent, or 101 out of 138 participants in the exercises, and 72 percent, or 73 out of 102 training participants) evaluate them positively, but the involvement of cyber security entities in exercises and training is insufficient: in the last three years (2019-2021), as many as 35 percent (74 of 212) of the subjects never participated in exercises, and 52 percent (110 out of 212) never participated in training.

The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of publicly available report of the author Supreme Audit Institutions (SAI). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the author SAIs (linked).