Due diligence – KSC

03 May 2021
Ryszard Kluska

Does anyone still remember it today?

The National Cybersecurity System Act sets requirements for operators of key services and digital service providers.
What are these requirements, which the Act describes rather sparingly?
In the case of key services, the requirements are currently defined only in the Act itself. The draft executive regulations to the Act point to the requirements and guidelines of ISO/IEC 27001 and ISO 22301; however, until those regulations are adopted, they should not be treated as requirements.
What does the Act itself say about how to ensure the security and continuity of key services?

Today, an example concerning risk estimation: Art. 8 point 1, conducting systematic incident risk assessment and management.

When reading the requirement of the act literally, should one write on an A4 sheet of paper “Low risk”, maybe even “No susceptibility”, or the sentence “due to the lack of risk factors for an incident, no risks are identified for this area”?
After all, the act does not define how to manage this risk. It does not explicitly state that we should define the effect level and the probability level for the identified risks. Even more so, we are not obliged to verify the criteria for recognising the likelihood of an incident risk during the risk assessment.
Perhaps, however, we should exercise due diligence and conduct a risk assessment for the information systems used to provide a key service (referred to in Art. 8) in accordance with the best practices in the world? We wrote earlier in the explanations to the act that cybersecurity around the world is managed using the ISO/IEC 27001, ISA99 and NIST standards.
Why, then, should we not fulfil the requirements of the act at the proper level while observing this due diligence? A concept that we tend to forget more and more often.
A diligent risk assessment consists of:
  • identification (name, description, ownership) of the systems being assessed,
  • designation for evaluation of all systems affecting the service, with a level of detail that allows an effective security assessment,
  • defining (if not yet defined) the system assessment criteria – that is, what a safe system means for us, one with a low probability of a threat,
  • identification and assessment of weaknesses – unfulfilled criteria – that may contribute to an incident,
  • risk assessment – determining its level by comparing criticality with the weakness assessment, and identifying corrective actions,
  • with the obligatory indication of the owner of the risk, and agreeing the action with that owner,
  • approval of the action by top management,
  • monitoring the implementation of the action so that it is actually carried out.
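As an added illustration (example code written for this page, not part of the original post, the Act or any KSC regulation), here is a small risk register in Python that walks through the steps listed above. The assessment criteria, the three-by-three impact-by-likelihood matrix, the rule that derives likelihood from the number of unmet criteria, and the sample systems are all constructed assumptions; an organisation would substitute its own criteria and scales. The point of the example is the diligence check at the end: a risk with no agreed corrective action, no approval by top management, or no monitored implementation is reported as a gap rather than silently counted as "assessed".

```python
from dataclasses import dataclass

# Assessment criteria: what "a safe system" means for us. Constructed
# examples; a real organisation defines its own (e.g. from ISO/IEC 27001).
CRITERIA = {
    "mfa_admin": "Administrative access requires multi-factor authentication",
    "patched": "Security patches are applied within the agreed window",
    "backups_tested": "Backups exist and restoration has been tested",
    "logs_monitored": "Security logs are collected and reviewed",
}


@dataclass
class System:
    """Step 1: identification of the assessed system (name, description, owner)."""
    name: str
    description: str
    owner: str
    impact: int            # effect level if the system fails, 1 (low) to 3 (high)
    criteria_met: dict     # criterion id -> True if fulfilled


@dataclass
class Risk:
    """One entry in the risk register."""
    system: str
    weakness: str          # the unfulfilled criterion that may contribute to an incident
    impact: int
    likelihood: int
    level: str
    owner: str             # risk owner, inherited from the system owner
    action: str = ""       # corrective action agreed with the owner
    approved_by: str = ""  # top-management approval of the action
    status: str = "open"   # open / in_progress / closed


def risk_level(impact: int, likelihood: int) -> str:
    """Assumed 3x3 risk matrix: product of impact and likelihood, each on a 1-3 scale."""
    score = impact * likelihood
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def identify_weaknesses(system: System) -> list:
    """Step 4: weaknesses are the criteria the system does not fulfil."""
    return [c for c in CRITERIA if not system.criteria_met.get(c, False)]


def likelihood_from_weaknesses(count: int) -> int:
    """Assumed heuristic: more unmet criteria means a likelier incident (capped at 3)."""
    return max(1, min(3, count))


def assess(systems: list) -> list:
    """Step 5: build the register, one risk per (system, weakness), with its level."""
    risks = []
    for s in systems:
        weaknesses = identify_weaknesses(s)
        likelihood = likelihood_from_weaknesses(len(weaknesses))
        for w in weaknesses:
            risks.append(Risk(s.name, CRITERIA[w], s.impact, likelihood,
                              risk_level(s.impact, likelihood), s.owner))
    return risks


def diligence_gaps(risks: list) -> list:
    """Steps 6-8: every risk needs an agreed action, management approval and
    monitored implementation; anything missing is reported as a gap."""
    gaps = []
    for r in risks:
        where = f"{r.system} / {r.weakness}"
        if not r.action:
            gaps.append(f"{where}: no corrective action agreed with owner {r.owner}")
        elif not r.approved_by:
            gaps.append(f"{where}: action not approved by top management")
        elif r.status == "open":
            gaps.append(f"{where}: approved action has not started being implemented")
    return gaps


# Constructed sample inventory (not real systems).
SAMPLE_SYSTEMS = [
    System("Billing platform", "Invoices customers of the key service", "Head of Billing", 3,
           {"mfa_admin": True, "patched": False, "backups_tested": True, "logs_monitored": False}),
    System("Intranet wiki", "Internal documentation", "IT Manager", 1,
           {"mfa_admin": True, "patched": True, "backups_tested": True, "logs_monitored": True}),
    System("Customer portal", "Self-service web front end", "Head of Digital", 2,
           {"mfa_admin": False, "patched": True, "backups_tested": True, "logs_monitored": True}),
]

if __name__ == "__main__":
    register = assess(SAMPLE_SYSTEMS)
    for r in register:
        print(f"[{r.level:6}] {r.system}: {r.weakness} (owner: {r.owner})")
    # Suppose the owner has agreed one action and top management has approved it.
    register[0].action = "Enforce a monthly patch window"
    register[0].approved_by = "Management board"
    register[0].status = "in_progress"
    for gap in diligence_gaps(register):
        print("GAP:", gap)
```

Run as a script, it prints the three identified risks and then the two that still lack an agreed action; the register is only "diligent" once `diligence_gaps` returns an empty list.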

Certainly, such a description of the risk assessment will not be found in the act. It can be found in the norms and standards often quoted on the website cyberustawa.pl. It can also be found in the results of risk assessments carried out by many government agencies of countries where cybersecurity is managed.

Should we therefore exercise due diligence and carry out risk assessments in steps that are consistent with the standards?

Or just fill out an A4 sheet or a simple spreadsheet and declare victory? What do you think?


See also

01 Mar
“Control” is the highest form of trust – why is it worth auditing your processors?

On February 28 this year, information about an administrative fine appeared on the UODO website. It was imposed on Fortum Marketing and Sales Polska. The President of UODO imposed an administrative fine in the amount of PLN 4,911,732.

21 Feb

From 21:00 on February 21 to 23:59 on March 4, the CHARLIE-CRP alert level applies throughout the country.