KRI audits

Security audits have been included in our offer for a long time. The service is addressed to both private enterprises and public institutions. In every organization, an increasingly extensive sphere of internal activities and those related to contacts with clients takes place with the use of IT systems.

For public institutions, many services are available to provide services to citizens through electronic media. Applications, certificates, extracts from registers, tax declarations can be submitted via internet applications without visiting offices. These possibilities are a great help, but at the same time they endanger the systems available on the Internet and the data stored in them.

We would like to draw your attention to the audits of compliance with the National Interoperability Framework (KRI) performed by our company, i.e. information security management audits in public entities.

In May 2012, the Regulation of the Council of Ministers of April 12, 2012 on the National Interoperability Framework entered into force, concerning the minimum requirements for public registers and the exchange of information in electronic form, as well as minimum requirements for ICT systems.

The Regulation in question is an implementing act to The Act of February 17, 2005 on computerization of the activities of entities performing public tasks.

It imposes requirements on public administration units as to the annual IT infrastructure security audit. It concerns in particular:

Art. 2. 1. Subject to sec. 2-4, the provisions of the Act shall apply to those performing public tasks specified by the Acts: 1) government administration bodies, state control and law protection bodies, courts, organizational units of the prosecutor's office, as well as local government units and their bodies, 2) budgetary and local government units budgetary establishments, 3) earmarked funds, 4) independent public health care establishments and companies performing medical activities within the meaning of the provisions on medical activity, 5) the Social Insurance Institution, the Agricultural Social Insurance Fund, 6) the National Health Fund, 7) state or local government persons legal entities created on the basis of separate acts in order to perform public tasks - hereinafter referred to as "public entities". 2. The provision of Art. 13 sec. 2 point 1 shall also apply to the entity to which the public entity has entrusted or commissioned the performance of a public task, if due to the © Kancelaria Sejmu s. 3/28 2015-05-12 implementation of this task there is an obligation to provide information to or from non-administrative entities governmental.

Source: Journal of Laws 2005 No.64 item. 565 ACT of February 17, 2005 on computerization of activities of entities performing public tasks.

We will now focus on the provision concerning the minimum requirements for ICT systems. It includes 13 checkpoints:

1. Provision of updating internal regulations with regard to the changing environment;
2. Keeping the inventory of hardware and software used for information processing up-to-date, including their type and configuration;
3. Conducting periodic analyzes of the risk of losing the integrity, availability or confidentiality of information and taking actions to minimize this risk, according to the results of the analysis;
4. Taking actions to ensure that people involved in the information processing process have appropriate rights and participate in this process to an extent adequate to their tasks and obligations aimed at ensuring information security;
5. Immediate change of powers in the event of a change in the tasks of the persons referred to in point 4;
6. Providing training for people involved in the information processing process, with particular emphasis on such issues as:
   a) information security threats,
   b) consequences of breach of information security rules, including legal liability,
   c) application of measures ensuring information security, including devices and software minimizing the risk of human error;
7. Ensuring protection of processed information against theft, unauthorized access, damage or
   disturbances, by:
   a) monitoring access to information,
   b) activities aimed at detecting unauthorized activities related to information processing,
   c) providing measures to prevent unauthorized access at the level of operating systems, network services and applications;
8. Establishing basic rules to guarantee safe work in mobile computing and working remotely;
9. Securing information in a way that prevents its disclosure, modification, deletion or by an unauthorized person
   destruction;
10. Including in service contracts signed with third parties provisions that guarantee the appropriate level
    information security;
11. Establishing information handling rules ensuring minimization of the risk of information theft
    and information processing means, including mobile devices;
12. Ensuring an appropriate level of security in ICT systems, consisting in particular in:
    a) care for software updates,
    b) minimizing the risk of information loss as a result of a failure,
    c) protection against errors, loss, unauthorized modification,
    d) using cryptographic mechanisms in a manner adequate to the threats or requirements of a legal provision,
    e) ensuring the security of system files,
    f) reduction of risks resulting from the use of published technical vulnerabilities of ICT systems,
    g) immediately taking actions after noticing undisclosed vulnerabilities of ICT systems to
    the possibility of a security breach,
    h) control of compliance of ICT systems with the relevant ones
    security standards and policies;
13. Immediate reporting of information security breach incidents in a predetermined and predetermined manner, enabling quick corrective action.

Meeting the above requirements does not guarantee full safety. Remember that security is not a state, it is a process. The level of threats is constantly growing and we are not able to fully take care of every detail of our infrastructure or the carelessness of our employees. The solution is periodic security audits, preferably external, carried out by high-class specialists who are certified by industry organizations in the field of security.

Our company is a member of ISSA Polska - Association for the Security of Information Systems. Our specialists have conducted several dozen security audits also in local government units. We have a certificate Certified Ethical Hacker (CEH) awarded by the International Council of Electronic Commerce Consultants (EC-Council).