41. Bosnia and Herzegovina 49.35

41st National Cyber Security Index
135th Global Cybersecurity Index
83rd ICT Development Index
97th Networked Readiness Index
Population 3.5 million
Area (km2) 51.2 thousand
GDP per capita ($) 13.4 thousand
NCSI update: 9 Oct 2018
Data source: Public data collection

Version 9 Oct 2018

GENERAL CYBER SECURITY INDICATORS
BASELINE CYBER SECURITY INDICATORS
  • 5. Protection of digital services 4/5 80%
    • 5.1. Cyber security responsibility for digital service providers 0/1
      Requirements
      Criteria

      According to legislation, digital service providers (except micro and small enterprises): (1) must manage cyber/ICT risks or (2) must implement established cyber/information security requirements.

      Accepted references

      Legal act

      Evidence
    • 5.2. Cyber security standard for the public sector 1/1
      Requirements
      Criteria

      Public sector digital service providers must implement (1) cyber/ICT security requirements (defined by legislation) or (2) a widely recognised security standard.

      Accepted references

      Legal act

      Evidence

      Law on Information Security

      Article 1. This law defines the information security provided by the application of measures and standards of information security.

      Article 2. (1) The provisions of this law apply to:
      a) the republican authorities,
      b) local self-government units,
      v) legal entities that exercise public authority and
      g) other legal and physical persons that access or handle data in electronic form of republic authorities, local self-government units and legal entities that exercise public authority.


      Rules on Information Security Standards 

      Article 1
      This Rulebook sets out minimum standards of information security that provide basic data protection at the physical, technical and organizational level.
      Article 2
      The standards referred to in Article 1 of this Ordinance shall apply to republican authorities, local self-government units, legal entities that exercise public authority and other legal and natural persons who gain access or act in electronic form in the republican authorities, local self-government units and legal entities who exercise public authority.

    • 5.3. Competent supervisory authority 3/3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise public and private digital service providers regarding the implementation of cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence

      Law on Information Security (*This is about public digital service providers)

      Article 13
      (1) The Ministry of Science and Technology shall supervise the application of this law, and expert supervision shall be carried out by the Agency.
      (2) In order to exercise supervision, the authorities and other legal entities and individuals referred to in Article 2, paragraph 1 of this Law shall be obliged to enable the responsible person of the administrative and professional supervision authority access to space, computer equipment and devices, and without delay, or provide the necessary information and documentation regarding the subject of supervision.


      Also found this department of the Agency for the Information Security but was not sure if it would be relevant for any of the indicators:

      4) Information Security Department - Security Information Security Department (hereinafter: OIB) performs security incident prevention, protection of computer applications and public information and communication infrastructure, electronic data owned by the Government and other administrative bodies, as well as cryptanalysis and cryptographic protection, electronic monitoring and counter-observation, certification and accreditation of security electronic mechanisms.

  • 6. Protection of essential services 0/6 0%
    • 6.1. Operators of essential services are identified 0/1
      Requirements
      Criteria

      There is a legal act that allows operators of essential services to be identified.

      Accepted references

      Legal act

      Evidence
    • 6.2. Cyber security requirements for operators of essential services 0/1
      Requirements
      Criteria

      According to the legislation, operators of essential services must manage cyber/ICT risks.

      Accepted references

      Legal act

      Evidence
    • 6.3. Competent supervisory authority 0/3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise operators of essential services, regarding cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence
    • 6.4. Regular monitoring of security measures 0/1
      Requirements
      Criteria

      Operators of essential services must regularly (at least once every 3 years) provide evidence of the effective implementation of cyber/information security policies (e.g. audit result, documentation, specific report).

      Accepted references

      Legal act

      Evidence
  • 7. E-identification and trust services 6/9 67%
  • 8. Protection of personal data 4/4 100%
INCIDENT AND CRISIS MANAGEMENT INDICATORS