20. Georgia 64.94

20th National Cyber Security Index
8th Global Cybersecurity Index
74th ICT Development Index
58th Networked Readiness Index
Population 3.7 million
Area (km2) 69.7 thousand
GDP per capita ($) 10.6 thousand
NCSI Update: 21 Nov 2017
Data source: Government officials

Version 21 Nov 2017

GENERAL CYBER SECURITY INDICATORS
  • 1. Cyber security policy development 7/7 100%
    • 1.1. Cyber security policy unit 3/3
      Requirements
      Criteria

      A central government entity (ministry or equivalent) has a specialised official or unit responsible for national cyber security policy development.

      Accepted references

      Official website or legal act

      Evidence

      page 2 - The Cyber Security Strategy has been developed by the Permanent Inter-agency Commission under the auspices of the National Security Council tasked to coordinate drafting national security strategic documents


      page 67, Art 3.8.2 b. - Since the beginning of 2011 Data Exchange Agency (DEA) was actively participating in the process of developing national strategy for cyber security of Georgia. The process was going on within the framework of working group established by the National Security Council.

    • 1.2. Cyber security policy coordination format 2/2
      Requirements
      Criteria

      The central government has a committee, council, working group, etc. for national-level cyber security policy coordination.

      Accepted references

      Official website or legal act

      Evidence

      The Office of the State Security and Crisis Management Council constitutes the national-level cyber security coordination format. The National Security Concept of Georgia and the Law of Georgia on National Security Policy Planning and Coordination stipulate cyber security as a part of national security. The process of planning the national security policy is coordinated by the National Security Council and the State Security and Crisis Management Council. The council is an advisory board for the Prime Minister of Georgia and is directly subordinated to him. Accordingly, the Prime Minister is the head of the Council. The council is composed of the following permanent members: Secretary of the Council, Minister of Internal Affairs, Minister of Defence, Minister of Foreign Affairs and Minister of Finance.



      Law of Georgia on National Security Policy Planning and Coordination, Art. 19

    • 1.3. Cyber security strategy 1/1
      Requirements
      Criteria

      The central government has established a national-level cyber security strategy or other equivalent document.

      Accepted references

      Valid official document

    • 1.4. Cyber security strategy implementation plan 1/1
      Requirements
      Criteria

      The central government has established an implementation plan to the national-level cyber security strategy or other equivalent document.

      Accepted references

      Valid official document or its enforcement act

      Evidence

      The Action Plan of the National Cyber Security Strategy for the years 2017-2018 has been approved by the Government of Georgia. The Action Plan includes activities, timeframe, responsible and supporting agencies, source of funding and performance indicators for the implementation of the National Cyber Security Strategy. According to the Action Plan, Georgia will continue to study the best practices of developed countries and initiate new legislative acts and bylaws to ensure information security. In addition, Georgia will deepen institutional coordination and initiate public awareness activities and educational programs in the cyber security field. Further training of staff and technical personnel to make them familiar with international standards of information security will be high on the agenda. The state will deepen cooperation with international organizations, actively participate in international activities, conferences, seminars and workshops, and support educational initiatives on a regional basis, as well as initiate bilateral and multilateral cooperation with international organizations working in the cybersecurity field.

  • 2. Cyber threat analysis and information 5/5 100%
    • 2.1. Cyber threats analysis unit 3/3
      Requirements
      Criteria

      A central government entity has a national-level unit that is specialised in national strategic cyber threat situation analysis.

      Accepted references

      Official website or legal act

      Evidence

      Law of Georgia on Information Security, Art 8. The State Security and Crisis Management Council performs the functions of the national-level cyber threats analysis unit. The relevant functions of the State Security and Crisis Management Council are provided by law as follows: “Council identifies and assesses internal and external threats and develop appropriate measures to prevent those threats.” In addition, according to the law on the Establishment of “Legal Entity of Public Law under the Ministry of Justice of Georgia - Data Exchange Agency”, one of the main functions of DEA is the identification of risks related to information security. CERT.GOV.GE, the national and government Computer Emergency Response Team within DEA, is responsible for the management and analysis of cyber incidents against information security in the cyberspace of Georgia.

    • 2.2. Public cyber threat reports are published annually 1/1
      Requirements
      Criteria

      The public part of the national cyber threat situation analysis is published at least once a year.

      Accepted references

      Official public report

      Evidence

      Since 2012, the Data Exchange Agency has annually published its activity reports, which contain information about identified cyber incidents, their numbers and categories, vectors and targets of threats, and implemented measures to combat them. The DEA Annual Report of 2015 is provided as a reference (in Georgian).

    • 2.3. Cyber safety and security website 1/1
      Requirements
      Criteria

      Public authorities provide at least one cyber safety and security website for cyber security and ICT professionals, and regular users.

      Accepted references

      Website

  • 3. Education and professional development 2/9 22%
  • 4. Contribution to global cyber security 3/6 50%
    • 4.1. Convention on Cybercrime 1/1
      Requirements
      Criteria

      The country has ratified the Convention on Cybercrime.

      Accepted references

      Official website of the convention

    • 4.2. Representation in international cooperation formats 1/1
      Requirements
      Criteria

      The government is regularly represented in a cooperation format that is dedicated to international cyber security (e.g. FIRST).

      Accepted references

      Official website of the cooperation format

      Evidence

      GUAM (Georgia, Ukraine, Azerbaijan, Moldova), SELEC (SouthEast European Law Enforcement Center)



      MN CD E&T – Multinational Cyber Defence Education and Training Programme.

    • 4.3. International cyber security organisation hosted by the country 0/3
      Requirements
      Criteria

      A regional or international cyber security organisation is hosted by the country.

      Accepted references

      Organisation’s official website

      Evidence
    • 4.4. Cyber security capacity building for other countries 1/1
      Requirements
      Criteria

      The country has (co-)financed or (co-)organised at least one capacity building project for another country in the last 3 years.

      Accepted references

      Official website or project document

      Evidence

      Since 2012, representatives of DEA have participated as invited experts and trainers, and have co-organised and co-financed some international trainings in information and cyber security. On January 20-21, 2014, trainings were also held for Moldavian specialists in the field of information and cyber security. The trainings were held by NATO’s Program – The Science of Peace and Security.


      On February 9-10, 2016, DEA representatives were invited to administer training sessions. Trainings were held for Azerbaijani specialists of corresponding profiles, and the learning objectives covered information and cyber security issues, including Cyber Security Mechanisms, Security of Websites and Portals, Securing Network Monitoring, Cryptography, and Discovering, Registration, Analysis, and Prevention of Cyber Incidents, etc.


      In 2015, DEA held two regional workshops on Cyber Security. The first regional workshop, within the NATO program "Science for Peace and Security" (SPS), was dedicated to identifying improved means of cybersecurity and providing cyber defense in South Caucasus and Black Sea countries. The event was organized by DEA, which brought together more than 50 representatives from 18 countries to participate in the workshop. The workshop was attended by cyber security experts from NATO member countries, as well as various international organizations and cyber and information security agencies from Georgia, working in all departments, who discussed institutional capacity development tools in the cyber defense field, the neutralization of malware programs and cyber threats, modern methods, and enhancing cooperation in this direction.

BASELINE CYBER SECURITY INDICATORS
  • 5. Protection of digital services 0/5 0%
    • 5.1. Cyber security responsibility for digital service providers 0/1
      Requirements
      Criteria

      According to legislation, digital service providers (except micro and small enterprises): (1) must manage cyber/ICT risks or (2) must implement established cyber/information security requirements.

      Accepted references

      Legal act

      Evidence
    • 5.2. Cyber security standard for the public sector 0/1
      Requirements
      Criteria

      Public sector digital service providers must implement (1) cyber/ICT security requirements (defined by legislation) or (2) a widely recognised security standard.

      Accepted references

      Legal act

      Evidence
    • 5.3. Competent supervisory authority 0/3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise public and private digital service providers regarding the implementation of cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence
  • 6. Protection of essential services 6/6 100%
    • 6.1. Operators of essential services are identified 1/1
      Requirements
      Criteria

      There is a legal act that allows operators of essential services to be identified.

      Accepted references

      Legal act

      Evidence

       

      Resolution of Government №312 of Georgia on Approval of the list of critical infrastructure system subjects


      Resolution of Government №567 of Georgia on Approval of the list of critical infrastructure system subjects in the sphere of defence

    • 6.2. Cyber security requirements for operators of essential services 1/1
      Requirements
      Criteria

      According to the legislation, operators of essential services must manage cyber/ICT risks.

      Accepted references

      Legal act

    • 6.3. Competent supervisory authority 3/3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise operators of essential services, regarding cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence

      Chapter II, Art 4: DEA (CERT.GOV.GE, Information Security and Policy Division) is a specialized entity authorized to strengthen the cyber security of critical information infrastructure (CII) subjects. The unit has the responsibility to develop adequate security measures for CII, and to coordinate and supervise the implementation of CII-specific security measures.

    • 6.4. Regular monitoring of security measures 1/1
      Requirements
      Criteria

      Operators of essential services must regularly (at least once every 3 years) provide evidence of the effective implementation of cyber/information security policies (e.g. audit result, documentation, specific report).

      Accepted references

      Legal act

      Evidence

      Chapter II, Art 4: 3. Critical information system subject shall communicate information security policy adopted in compliance with par. 1 of this Article to the Data Exchange Agency for review. The Data Exchange Agency shall be also notified of any changes to information security policies. The Data Exchange Agency conducts general analysis of submitted documents and present recommendations for remedying shortcomings identified.

  • 7. E-identification and trust services 7/9 78%
    • 7.1. Unique persistent identifier 1/1
      Requirements
      Criteria

      The government provides a unique persistent identifier to all citizens, residents, and legal entities. For example, the identifier remains the same after document expiration and name change.

      Accepted references

      Legal act

      Evidence

      Art 1


       

      Art 12: Both citizens and businesses are uniquely identified in Georgia. The personal number is a unique identification number of a person that shall not be changed. The appropriate authority – Public Service Development Agency shall assign a personal identity number to a person during: a) Birth registration; b) Acquisition of citizenship of Georgia. Identification number of a legal person is a unique number assigned to a legal person when being registered in the business registry, one unique number is assigned to a business entity, used for tax and state registration purposes at the same time. An identification number of a legal person is permanent and shall not be changed. Number of digits in legal person’s identification number is different based on the organizational form of the business (sole entrepreneur physical person or corporate company).

    • 7.2. Requirements for cryptosystems 0/1
      Requirements
      Criteria

      Requirements for cryptosystems in the field of trust services are regulated.

      Accepted references

      Legal act

      Evidence
    • 7.3. Electronic identification 1/1
      Requirements
      Criteria

      Electronic identification is regulated.

      Accepted references

      Legal act

    • 7.4. Electronic signature 1/1
      Requirements
      Criteria

      E-signature is regulated.

      Accepted references

      Legal act

      Evidence

      The Law of Georgia on Electronic Signature and Electronic Documents was enacted on March 14, 2008 and established a legal framework for electronic documents and the use of electronic signatures, but did not apply to electronic trust services. A new law on Electronic Document and Electronic Trust Services, which substitutes the existing law on e-signatures, was enacted on April 21, 2017. The new law replaced the old regulation and sets legal grounds for the application of electronic documents and electronic trust services, such as qualified electronic signature and seal, timestamp, qualified preservation service for qualified electronic signatures, etc. The new law fully complies with Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.

    • 7.5. Timestamping 1/1
      Requirements
      Criteria

      Timestamping is regulated.

      Accepted references

      Legal act

    • 7.6. Electronic registered delivery service 0/1
      Requirements
      Criteria

      Electronic registered delivery service between state entities, citizens and private sector entities is regulated. The service provides legally binding data exchange and guarantees the confidentiality and integrity of information.

      Accepted references

      Legal act

      Evidence
    • 7.7. Competent supervisory authority 3/3
      Requirements
      Criteria

      There is an authority responsible for the supervision of qualified trust service providers.

      Accepted references

      Official website or legal act

      Evidence

      The Law on "Electronic Document and Electronic Trust Services" vests all control and supervision of trust service providers in DEA (Art. 11).

  • 8. Protection of personal data 4/4 100%
INCIDENT AND CRISIS MANAGEMENT INDICATORS

CONTRIBUTORS

Natalia Goderdzishvili
Data Exchange Authority