Procedures for the Planning and Implementation of Security Measures for the Critical Infrastructure of Information Technologies

Issued pursuant to
Section 3, Paragraph three
of the Law On the Security of Information Technologies

I. General Provisions

1. This Regulation prescribes the procedures for the planning and implementation of security measures for the critical infrastructure of information technologies (hereinafter - critical infrastructure).

2. The critical infrastructure shall be surveyed and determined in accordance with the procedures laid down in the laws and regulations governing critical infrastructure.

II. Procedures for the Planning of Security Measures for the Critical Infrastructure

3. The Constitution Protection Bureau shall inform the owner or legal possessor of the critical infrastructure regarding inclusion of its information technologies in the aggregate of the critical infrastructure.

4. The owner or legal possessor of the critical infrastructure shall appoint a person responsible for the security of the critical infrastructure. The following person may not be responsible for the security of the critical infrastructure:

4.1. who is not of legal age or is not a citizen of Latvia;

4.2. who has been punished for an intentional criminal offence;

4.3. who has been punished for an intentional criminal offence, releasing from a punishment;

4.4. who has been held criminally liable of committing an intentional criminal offence, except the case if criminal proceedings against the person have been terminated on the grounds of exoneration;

4.5. who has been found as lacking capacity to act in accordance with the procedures laid down in law;

4.6. who is or has been a staff employee or non-staff employee of the security service of the U.S.S.R., Latvian S.S.R. or a foreign state, or an agent, resident or safe-house keeper thereof;

4.7. who is or has been a participant (member) of an organisation prohibited by the laws of the Republic of Latvia, decisions of the Supreme Council or court rulings, following the prohibition of these organisations;

4.8. who has been diagnosed as having mental disorders or addiction to alcohol, narcotic, psychotropic or toxic substances;

4.9. who, in accordance with the information at the disposal of the State security authority or the State Police, belongs to groups of organised crime, unlawful militarised or armed formations, as well as to non-governmental organisations or associations of non-governmental organisations that have commenced activities (legal) prior to the registration thereof or continue to operate after suspension or termination of the activities thereof by a court adjudication.

5. The Constitution Protection Bureau shall examine and approve the conformity of the person responsible for the security of the critical infrastructure with the requirements referred to in Paragraph 4 of this Regulation.

6. The Constitution Protection Bureau may examine the employees related to ensuring the operation of the critical infrastructure who have access to significant information or technological equipment of the critical infrastructure, and assess information in relation to the criminal record of a person for an intentional criminal offence and facts providing the grounds to doubt his or her ability to preserve restricted access and classified information. On the basis of results of the examination the Constitution Protection Bureau shall provide recommendations to the owner or legal possessor of the critical infrastructure.

7. The person responsible for the security of the critical infrastructure shall:

7.1. plan security measures of the critical infrastructure;

7.2. in co-operation with the Constitution Protection Bureau and the Information Technologies Security Incidents Response Institution (hereinafter - Security Incidents Response Institution) ensure assessment and management of the current risks of the critical infrastructure.

III. Procedures for the Implementation of Security Measures for the Critical Infrastructure

8. The owner or legal possessor of the critical infrastructure shall draw up a document or documents governing the security measures of the critical infrastructure (hereinafter - documents of security measures) on the basis of the risks identified in Sub-paragraph 7.2 of this Regulation and conforming to the recommendations of the Security Incidents Response Institution and the Constitution Protection Bureau. Upon request of the Constitution Protection Bureau the owner or legal possessor of the critical infrastructure shall submit documents of security measures to the Constitution Protection Bureau.

9. If the owner or legal possessor of the critical infrastructure is a participant of the financial and capital market registered in Latvia or if a State information system for the critical infrastructure is determined, or if other special requirements in the field of security of information technologies apply to the relevant critical infrastructure, documents of security measures shall be drawn up in accordance with the requirements governing the relevant sector on the basis of the risks identified in Sub-paragraph 7.2 of this Regulation and conforming to the recommendations of the Security Incidents Response Institution and the Constitution Protection Bureau.

10. The owner or legal possessor of the critical infrastructure shall draw up documents of security measures and include the following information therein:

10.1. general information regarding the critical infrastructure - the name, owner or legal possessor, location (address) of the critical infrastructure, purpose of the document;

10.2. the unit that ensures the implementation of security measures;

10.3. the tasks of the critical infrastructure;

10.4. a detailed technical description and scheme of the critical infrastructure system;

10.5. the plan for the management of current risks;

10.6. the procedures by which response to security incidents of information technologies and damages and offences of other types, which endanger the operation of the critical infrastructure, is ensured;

10.7. the plan for restoring the operation of the critical infrastructure.

11. The Constitution Protection Bureau shall provide recommendations to the owner or legal possessor of the critical infrastructure for elimination of the detected deficiencies, as well as send recommendations to the State administrative institutions which supervise the owner or legal possessor of the relevant critical infrastructure.

12. The owner or legal possessor of the critical infrastructure shall ensure the security of the critical infrastructure in such a way that the risks identified in Sub-paragraph 7.2 of this Regulation are managed.

13. In order to ensure more expedient exchange of information regarding security incidents of information technologies, the Security Incidents Response Institution and the owner or legal possessor of the critical infrastructure may agree upon a technological solution that automatically compiles and forwards the relevant information.

14. In order to determine the vulnerability and security risks of the relevant critical infrastructure, the Security Incidents Response Institution may perform inspections of the critical infrastructure, attempting to implement the risks in the logical parts of the critical infrastructure (hereinafter - inspections).

15. Inspections shall be performed from the environment which is not in the ownership or possession of the owner or legal possessor of the critical infrastructure, using information which is at the disposal of the owner or legal possessor of such critical infrastructure.

16. Only such information and in such extent shall be obtained during inspection, which is necessary for identification of the risks to be managed.

17. The Security Incidents Response Institution may perform inspections upon request of the Constitution Protection Bureau. A reason for the inspection requested must be indicated in the request.

18. The Security Incidents Response Institution shall, not later than 48 hours prior to commencing an inspection, shall inform the owner or legal possessor of the critical infrastructure, as well as the Constitution Protection Bureau in writing regarding the time and duration of the inspection.

19. Inspections shall be performed in such a way that they do not cause irreversible damage to the critical infrastructure.

20. The Security Incidents Response Institution shall send detailed results of inspection to the relevant owner or legal possessor of the critical infrastructure and the Constitution Protection Bureau without delay, providing also corresponding recommendations.

21. The Security Incidents Response Institution shall compile information regarding inspections performed, indicating the performers thereof, the time of inspections, a summary of the results and the recommendations provided. All information related to inspections shall be restricted access information, and the Security Incidents Response Institution shall ensure the protection of such information.

22. The Security Incidents Response Institution may store the information obtained during an inspection for not more than three months after completion of the inspection, ensuring corresponding protection thereof.

23. The Security Incidents Response Institution may compile and use the information obtained during an inspection with the consent of the owner or legal possessor of the critical infrastructure in order to inform the public regarding prevention of the current risks of information technologies.

24. The risks identified during an inspection shall be managed in accordance with the requirements laid down in Sub-paragraph 7.2 of this Regulation.

25. The Constitution Protection Bureau and the Security Incidents Response Institution shall inform the National Information Technologies Security Council regarding the current threats to the critical infrastructure not less than once every six months.

Prime Minister V. Dombrovskis

Minister for Transport U. Augulis

Translation © 2014 Valsts valodas centrs (State Language Centre)