Laws and regulations governing cybersecurity

A security policy is a set of policies and rules that determine how to ensure the protection of assets.

By default, a security policy rests on the fact that the designated entities are obliged, with regard to the information security management system, to:

a) establish a security policy and maintain security documentation covering the following policy areas:[1]

• information security management system,
• asset management,
• organisational security,
• supplier management,
• security of human resources,
• traffic and communication management,
• access control,
• safe user behaviour,
• backup and recovery and long-term storage,
• secure transmission and exchange of information,
• management of technical vulnerabilities,
• safe use of mobile devices,
• acquisitions, development and maintenance,
• protection of personal data,
• physical security,
• security of the communication network,
• protection against malicious code,
• deployment and use of a tool for detection of cybersecurity events,
• secure use of cryptographic protection,
• change management,
• cybersecurity incident management,
• business continuity management.

The content of the security documentation is also specified. It must include:

• cybersecurity audit report,
• report on the review of the information security management system,
• methodology for asset identification and evaluation and for risk assessment,
• asset and risk assessment report,
• declaration of applicability,
• risk management plan,
• security awareness development plan,
• records of changes,
• reported contact details,
• an overview of generally binding legal regulations, internal regulations and other regulations and contractual obligations,
• other recommended documentation (e.g. infrastructure topology, overview of network devices).

b) regularly review the security policy and security documentation,

c) ensure that the security policy and security documentation are up to date.

The security policy and security documentation must be:

• available in printed or electronic form,
• communicated as part of an obligor,
• reasonably available to the parties concerned,
• managed,
• protected in terms of confidentiality, integrity and availability,
• maintained in such a way that the information contained therein is complete, legible, easily identifiable and easily searchable.