Pursuant to Article 6a of the Law on Information Security (“Official Gazette of RS”, No. 6/2016, 94/2017 and 77/2019), operators of ICT systems of special importance are obliged to:
- enter the ICT system of special importance that they manage in the records of operators of ICT systems of special importance.
- take measures to protect ICT systems of special importance.
- adopt an act on the security of the ICT system.
- check the compliance of the applied measures for the protection of the ICT system with the act on the security of the ICT system at least once a year.
- regulate the relationship with third parties in a way that ensures that measures for the protection of that ICT system are undertaken in accordance with the law, if they entrust activities related to the ICT system of special importance to third parties.
- submit notifications on incidents that significantly endanger the information security of the ICT system.
- provide accurate statistics on incidents in the ICT system.
The ICT System Security Act covers all protection measures provided by the Law on Information Security, the Decree on Detailed Content of the ICT System Security Act of Special Importance, Manner of Verification and Content of ICT System Security Verification Report of Special Importance and the Decree on Detailed Regulation of ICT System Protection Measures of special importance.
When drafting the Act, it is necessary to define the actual state of the security system and harmonize the current state with the recommendations and standards provided by the Law and Regulations. It is recommended that the obligatory members of the working group that will work on the drafting of the Act be lawyers and technical persons, system administrators.
It is important to point out that the Security Act is a document that is highly subject to change, and its provisions need to be regularly reviewed and checked, all to create the most advanced level of security and build awareness among employees and those responsible about the importance of ICT information security.
The objectives of the ICT System Security Act are:
- determining the manner and procedure for achieving and maintaining an adequate level of system security.
- preventing and mitigating the consequences of an incident that compromises the security of information.
- raising awareness among employees about the importance of information security, risks and protection measures when using ICT systems.
- prescribing the powers and responsibilities of employees regarding the security and resources of the ICT system.
- overall improvement of information security and verification of compliance with the application of protection measures.