77. Ecuador 32.47

77th National Cyber Security Index
65th Global Cybersecurity Index
97th ICT Development Index
82nd Networked Readiness Index
Population 16.5 million
Area (km²) 276.8 thousand
GDP per capita ($) 11.8 thousand
NCSI update: 26 Nov 2018
Data source: Public data collection

Version 26 Nov 2018

GENERAL CYBER SECURITY INDICATORS
BASELINE CYBER SECURITY INDICATORS
  • 5. Protection of digital services 1/5 20%
    • 5.1. Cyber security responsibility for digital service providers 0/1
      Requirements
      Criteria

      According to legislation, digital service providers (except micro and small enterprises): (1) must manage cyber/ICT risks or (2) must implement established cyber/information security requirements.

      Accepted references

      Legal act

      Evidence
    • 5.2. Cyber security standard for the public sector 1/1
      Requirements
      Criteria

      Public sector digital service providers must implement (1) cyber/ICT security requirements (defined by legislation) or (2) a widely recognised security standard.

      Accepted references

      Legal act

      Evidence

      Ministerial Agreement 166, of 2013, Government's Information Security Scheme.

      Art. 1.- Provide to the entities of the Central, Institutional and Public Administration that depend on the Executive Function the mandatory Ecuadorian Technical Standards NTE INEN-ISO/IEC 27000 for Information Security Management.
      Art. 2.- The entities of the Public Administration will implement in a term of eighteen (18) months the Government Information Security Scheme (EGSI), which is attached to this agreement as Annex 1, with the exception of the provisions or standards set as priorities in said scheme, which will be implemented in (6) months from the issuance of this Agreement.

    • 5.3. Competent supervisory authority 0/3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise public and private digital service providers regarding the implementation of cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence
  • 6. Protection of essential services 0/6 0%
    • 6.1. Operators of essential services are identified 0/1
      Requirements
      Criteria

      There is a legal act that allows operators of essential services to be identified.

      Accepted references

      Legal act

      Evidence
    • 6.2. Cyber security requirements for operators of essential services 0/1
      Requirements
      Criteria

      According to the legislation, operators of essential services must manage cyber/ICT risks.

      Accepted references

      Legal act

      Evidence
    • 6.3. Competent supervisory authority 0/3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise operators of essential services, regarding cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence
    • 6.4. Regular monitoring of security measures 0/1
      Requirements
      Criteria

      Operators of essential services must regularly (at least once every 3 years) provide evidence of the effective implementation of cyber/information security policies (e.g. audit result, documentation, specific report).

      Accepted references

      Legal act

      Evidence
  • 7. E-identification and trust services 6/9 67%
    • 7.1. Unique persistent identifier 1/1
      Requirements
      Criteria

      The government provides a unique persistent identifier to all citizens, residents, and legal entities. For example, the identifier remains the same after document expiration and name change.

      Accepted references

      Legal act

      Evidence

      Art. 29.- Unique Identification Number.- The live birth will be assigned a Unique Identification Number (NUI) related to a biometric element of the person, in such a way that it allows individualizing the person from birth, guaranteeing the unique identity, so it is the obligation of the State through the public body in charge of health, public and private health facilities, and the General Directorate of Civil Registry, Identification and Certification, to make birth registrations immediately within the establishment of health and without the request of the interested party.
      The Unique Identification Number (NUI) will link all public and private services without the need for the issuance of the identity card and will be mandatory in the different documents or public and private registers.


      Unique Registry of Taxpayers (RUC) Number

    • 7.2. Requirements for cryptosystems 0/1
      Requirements
      Criteria

      Requirements for cryptosystems in the field of trust services are regulated.

      Accepted references

      Legal act

      Evidence
    • 7.3. Electronic identification 0/1
      Requirements
      Criteria

      Electronic identification is regulated.

      Accepted references

      Legal act

      Evidence
    • 7.4. Electronic signature 1/1
      Requirements
      Criteria

      E-signature is regulated.

      Accepted references

      Legal act

      Evidence

      Law N. 2002-67, on Electronic Commerce, Electronic Signatures and Data Messages

      Articles 13 – 28


      Executive Decree 3496, of 2002 General Regulations for the Law on Electronic Commerce, Electronic Signatures and Data Messages (subsequently modified by Executive Decree 908, of 2005, Executive Decree 1356, of 2008, and Executive Decree 867, of 2011)

    • 7.5. Timestamping 1/1
      Requirements
      Criteria

      Timestamping is regulated.

      Accepted references

      Legal act

      Evidence

      Law N. 2002-67, on Electronic Commerce, Electronic Signatures and Data Messages

      General Dispositions (pages 24 - 27): Definition of Timestamping (Sellado de Tiempo)

      Definition: Electronic notation electronically signed and added to a data message with at least the date, the time and identity of the person making the entry.

      Second.- The accredited information certification entities may provide time-stamping services. This service must be accredited technically by the National Telecommunications Council.


      Executive Decree 3496, of 2002 General Regulations for the Law on Electronic Commerce, Electronic Signatures and Data Messages (subsequently modified by Executive Decree 908, of 2005, Executive Decree 1356, of 2008, and Executive Decree 867, of 2011)

      Article 23: Timestamp - For the provision of time stamping services, the data message must be sent through the certifying entity or a third party duly registered in the CONAT / A to provide this service. The time stamp shall only establish, for the pertinent legal purposes, the exact time and date in which the data message was received by the certifying entity or the third party registered by the CONAT / A; and the exact date and time in which said data message was delivered to the recipient.
      For legal purposes, the time stamp service will be provided taking as reference the time zone of the Ecuadorian continental territory. The provision of time stamping services will be carried out under free competition and contracting. The parties involved in the contracting of this type of service may determine the conditions that regulate their relationship.

    • 7.6. Electronic registered delivery service 0/1
      Requirements
      Criteria

      Electronic registered delivery service between state entities, citizens and private sector entities is regulated. The service provides legally binding data exchange and guarantees the confidentiality and integrity of information.

      Accepted references

      Legal act

      Evidence
    • 7.7. Competent supervisory authority 3/3
      Requirements
      Criteria

      There is an authority responsible for the supervision of qualified trust service providers.

      Accepted references

      Official website or legal act

      Evidence

      National Telecommunications Council (CONATEL)

      >Superintendence of Telecommunications (non-existent entity)<

      Law N. 2002-67, on Electronic Commerce, Electronic Signatures and Data Messages

      Article 37: CONATEL is the agency for regulation, authorization and registration of accredited certification bodies

      Articles 38 – 39: The Superintendence of Telecommunications is the control agency of accredited certification bodies.

  • 8. Protection of personal data 0/4 0%
INCIDENT AND CRISIS MANAGEMENT INDICATORS

CONTRIBUTORS

Radu Serrano
Intern at eGA