ISSN 1452-6662
More than 180 basic and consolidated texts of regulations of the Republic of Serbia translated into English.
Group: COMPANIES, BUSINESS
Edition: LAW ON INFORMATION SECURITY
Published in the Službeni glasnik RS, Nos. 6/16 of 28 January 2016, 94/17 of 19 October 2017 and 77/19 of 31 October 2019
Section: I. BASIC PROVISIONS

Amendments - The text includes amendments

  • Scope of Regulation
     Article 1

    This Law shall regulate protection measures against security risks in information and communication systems, liability of legal entities in the management and use of information and communication systems, and define competent authorities for the implementation of protection measures, coordination between protection factors and monitoring of proper application of the prescribed protection measures.

  • Meaning of Specific Terms
     Article 2

    For the purpose of this Law, specific terms shall have the following meanings:

    1) information and communication system (ICT system) shall mean a technological and organisational unit that includes:

         (1) electronic communications networks within the meaning of the law regulating electronic communications;

         (2) devices or groups of interconnected devices, such that automated data processing is carried out within the devices or within at least one of the group devices using a computer program;

         (3) data that is maintained, kept, processed, searched or transmitted by means referred to in sub-items (1) and (2) of this item for the purpose of operation, use, protection or maintenance of the means mentioned;

         (4) organisational structure through which the ICT system is managed;

         (5) all types of system and application software and software development tools.

    2) ICT system operator shall mean a legal entity, republic authority or organisational unit of the republic authority that uses the ICT system in performing its activity, i.e. duties falling within the scope of its competence;

    3) information security shall mean a set of measures that enable the protection of the information being handled through the ICT system from unauthorised access, as well as the protection of integrity, availability, authenticity and non-repudiation of such information, in order for the system to function as foreseen, where foreseen and under the control of authorised persons;

    4) secrecy shall mean a property indicating that information is not available to unauthorised persons;

    5) integrity shall mean the preservation of original contents and completeness of information;

    6) availability shall mean a property indicating that information is available and usable at the request of authorised persons whenever they need it;

    7) authenticity shall mean a property indicating that it is possible to verify and confirm that the information was created or sent by the person declared to have performed the operation concerned;

    8) non-repudiation shall mean the ability to prove that a particular operation was carried out or that a particular event occurred, so that it cannot be denied at a later stage;

    9) risk shall mean the possibility of violating information security, i.e. possibility of violating secrecy, integrity, availability, authenticity or non-repudiation of information, or possibility of violating proper functioning of the ICT system;

    10) risk management shall mean a systematic set of measures that includes planning, organising and directing activities in order to ensure that risks remain within prescribed and acceptable frameworks;

    11) incident shall mean each and every event having an actual, adverse effect on the security of network and information systems;

    11a) unique system for the reception of incident notifications shall mean the information system into which data are entered on incidents in ICT systems of special importance that may have a significant effect on the disruption of information security;

    12) ICT system protection measures shall mean technical and organisational measures for managing the ICT system security risks;

    13) classified information shall mean any information that is determined and classified with a certain degree of secrecy in accordance with the regulations on information secrecy;

    14) ICT system dealing with classified information shall mean the ICT system that is determined for dealing with classified information in accordance with the law;

    15) republic authority shall be a state authority, authority of the autonomous province, or a body of the local self-government unit, an organization and other legal entity or natural persons entrusted with the discharge of public powers;

    16) security service shall mean a security service within the meaning of the law regulating the foundations of the Republic of Serbia's security and intelligence system;

    17) independent ICT system operators shall mean the ministry in charge of defence affairs, ministry in charge of internal affairs, ministry in charge of foreign affairs and security services;

    18) compromising electromagnetic radiation (CEMR) shall mean unintentional electromagnetic emissions when transmitting, processing or storing information, the receipt and analysis of which can disclose the contents of such information;

    19) cryptosecurity shall mean an information security component encompassing cryptoprotection, management of cryptomaterials and development of cryptoprotection methods;

    20) cryptoprotection shall mean the application of methods, measures and procedures for the purpose of transforming data into a form that makes them inaccessible to unauthorised persons for a certain period of time or permanently;

    21) cryptographic product shall mean a software or device by which cryptoprotection is carried out;

    22) cryptomaterials shall mean cryptographic products, data, technical documentation of cryptographic products, as well as appropriate cryptographic keys;

    23) security zone shall mean a space or room where classified information is processed and stored in accordance with the regulations on information secrecy;

    24) information assets shall include the data located in files and databases, program code, configuration of hardware components, technical and user documentation, records of the use of hardware components, data from the files and databases and implementation of procedures, if such are maintained, in-house general acts, procedures, and the like;

    25) information society services shall be the services as set forth by the law governing electronic trade;

    26) information society service provider shall be the legal entity being the service provider as defined by the law governing electronic trade.

  • Principles
     Article 3

    When planning and implementing the ICT system protection measures, the following principles shall be observed:

    1) principle of risk management - selection of measures and level of their implementation shall be based on risk assessment, need for risk prevention and elimination of the consequences of the risk realised, including all types of extraordinary circumstances;

    2) principle of comprehensive protection - measures shall be implemented at all organisational, physical, technical and technological levels, as well as during the ICT system's entire life cycle;

    3) principle of expertise and good practice - measures shall be implemented in accordance with professional and scientific knowledge and experience in the field of information security;

    4) principle of awareness and competence - all the persons who effectively or potentially affect information security by their actions should be aware of the risk and possess the appropriate knowledge and skills.