Due diligence – KSC

03 May 2021
Ryszard Kluska

Does anyone still remember it today?

The Act on the National Cybersecurity System imposes requirements on operators of key services and on digital service providers.
What are these requirements, which the Act describes rather sparingly?
In the case of key services, the requirements are currently defined only in the Act itself. The draft executive regulations to the Act point to the requirements and guidelines of ISO/IEC 27001 and ISO 22301; however, until they are adopted, they should not be treated as binding requirements.
What does the Act itself say about how to ensure the security and continuity of key services?

Today, an example concerning risk assessment. Art. 8, point 1: conducting systematic assessment and management of the risk of an incident.

Reading the requirement of the Act literally, is it enough to write “Low risk” on a sheet of A4 paper, perhaps even “No vulnerability”, or the sentence “due to the lack of risk factors for an incident, no risks have been identified for this area”?
After all, the Act does not define how this risk is to be managed. It does not explicitly state that we should define an impact level and a probability level for the identified risks. Even less are we obliged to verify, during the risk assessment, the criteria used to recognise the likelihood of an incident.
Perhaps, however, we should exercise due diligence and conduct a risk assessment of the information systems used to provide a key service (referred to in Art. 8) in accordance with the best practices in the world? We wrote earlier, in the explanations to the Act, that cybersecurity around the world is managed using the ISO/IEC 27001, ISA99 and NIST standards.
Why, then, should we not fulfil the requirements of the Act at a proper level while exercising this due diligence, a concept we tend to forget more and more often?
A diligent risk assessment consists of:
  • identification (name, description, ownership) of the systems being assessed,
  • selecting for assessment all systems that affect the service, at a level of detail that allows an effective security assessment,
  • defining (if not yet defined) the system assessment criteria, that is, what a secure system means for us, one with a low probability of a threat,
  • identification and assessment of weaknesses, i.e. unmet criteria, that may contribute to an incident,
  • risk assessment, meaning determining its level by comparing the criticality with the assessment of weaknesses, and identifying corrective actions,
  • with the obligatory designation of the risk owner, as well as agreeing the action with them,
  • approval of the action by top management,
  • monitoring the implementation of the action so that it is effectively carried out.
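The steps above can be written down as a minimal risk register, which also shows why an A4 sheet saying “Low risk” is not an assessment: the level has to follow from explicit criteria, criticality and unmet criteria, and every entry must carry an owner and an approval. The code below is an added example written for this article, not code from the original post or from any of the cited standards. The criteria, the 1..3 scales, the scoring matrix and the sample systems (`SCADA-1`, `intranet-wiki`) are all constructed assumptions; an organisation would substitute its own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed assessment criteria (an assumption for this example): what a
# "secure system" means for us. Every unmet criterion becomes a weakness.
CRITERIA: Dict[str, str] = {
    "mfa_on_admin": "administrative access requires multi-factor authentication",
    "patched_90d": "critical patches are applied within 90 days",
    "backups_tested": "backups exist and a restore was tested within a year",
    "segmented": "the system is separated from the office network",
    "logs_central": "security logs are forwarded to central monitoring",
}


@dataclass
class System:
    name: str
    description: str
    owner: str
    criticality: int               # impact on the key service: 1 (low) .. 3 (high)
    criteria_met: Dict[str, bool]  # criterion id -> fulfilled?


@dataclass
class RiskEntry:
    system: str
    weaknesses: List[str]
    likelihood: int                # 1..3
    impact: int                    # 1..3
    level: str                     # "low" | "medium" | "high"
    risk_owner: str
    action: str
    approved_by: Optional[str] = None
    status: str = "open"           # open -> approved -> in progress -> closed


def likelihood(n_unmet: int, n_total: int) -> int:
    """Map the share of unmet criteria to a 1..3 likelihood (constructed scale)."""
    if n_total == 0:
        raise ValueError("no assessment criteria defined")
    share = n_unmet / n_total
    if share == 0:
        return 1
    return 2 if share <= 0.4 else 3


def risk_level(likelihood: int, impact: int) -> str:
    """3x3 matrix: likelihood x impact gives a score of 1..9 (constructed thresholds)."""
    score = likelihood * impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(system: System, criteria: Dict[str, str] = CRITERIA) -> RiskEntry:
    """Produce one register entry: weaknesses, level, owner and proposed action."""
    # Conservative choice: a criterion that was never checked counts as unmet.
    weaknesses = [cid for cid in criteria if not system.criteria_met.get(cid, False)]
    lik = likelihood(len(weaknesses), len(criteria))
    level = risk_level(lik, system.criticality)
    action = ("no action beyond periodic re-assessment" if not weaknesses
              else "fix: " + "; ".join(criteria[w] for w in weaknesses))
    return RiskEntry(system.name, weaknesses, lik, system.criticality, level,
                     system.owner, action)


def approve(entry: RiskEntry, manager: str) -> RiskEntry:
    """Record top-management approval of the agreed action."""
    entry.approved_by = manager
    entry.status = "approved"
    return entry


def unapproved(register: List[RiskEntry]) -> List[str]:
    """Systems whose action has no management approval yet (monitoring input)."""
    return [e.system for e in register if e.approved_by is None]


def build_register(systems: List[System], criteria: Dict[str, str] = CRITERIA) -> List[RiskEntry]:
    return [assess(s, criteria) for s in systems]


# Constructed sample inventory (not real systems).
SYSTEMS = [
    System("SCADA-1", "control system for the water treatment line", "ops-manager", 3,
           {"mfa_on_admin": False, "patched_90d": False, "backups_tested": True,
            "segmented": False, "logs_central": True}),
    System("intranet-wiki", "internal documentation", "it-lead", 1,
           {cid: True for cid in CRITERIA}),
]

if __name__ == "__main__":
    for e in build_register(SYSTEMS):
        print(f"{e.system}: {e.level} (L{e.likelihood} x I{e.impact}), "
              f"owner={e.risk_owner}, action={e.action}")
```

Run as-is, `SCADA-1` comes out high (three of five criteria unmet on a criticality-3 system) and `intranet-wiki` low; both remain listed by `unapproved()` until `approve()` records who signed the action off, which is the hook for the monitoring step. Treating an unchecked criterion as unmet is deliberate: it stops an incomplete assessment from silently producing a low level.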

Certainly, such a description of risk assessment will not be found in the Act. We can find it in the norms and standards often quoted on the website cyberustawa.pl. We can also find it in the results of risk assessments carried out by many government agencies in countries where cybersecurity is actually managed.

Should we therefore exercise due diligence and carry out risk assessments in steps that are consistent with the standards?

Or should we just fill out an A4 sheet or a simple spreadsheet and declare victory? What do you think?

