14. Poland 70.13

14th National Cyber Security Index
33rd Global Cybersecurity Index
49th ICT Development Index
42nd Networked Readiness Index
Population 38.4 million
Area (km²) 312.7 thousand
GDP per capita ($) 31.4 thousand
NCSI Update Data source
17 Jul 2018 Government officials
24 May 2017 Cooperation partner

Version 17 Jul 2018

GENERAL CYBER SECURITY INDICATORS
  • 1. Cyber security policy development 7/7 100%
    • 1.1. Cyber security policy unit 3/3
      Requirements
      Criteria

      A central government entity (ministry or equivalent) has a specialised official or unit responsible for national cyber security policy development.

      Accepted references

      Official website or legal act

      Evidence

      According to the Law of 4 September 1997 of government administration division (Official Journal from 2018, item 1090), the division of computerization has covered the field of cybersecurity since December 2015, so the department of cybersecurity was established within the Ministry of Digital Affairs.

      Art. 12a The division of computerization covers:

      (...)

      10) cybersecurity.


      The ordinance of the Prime Minister establishes the structure of the Ministry of Digital Affairs, with the department of cybersecurity within it.

    • 1.2. Cyber security policy coordination format 2/2
      Requirements
      Criteria

      The central government has a committee, council, working group, etc. for national-level cyber security policy coordination.

      Accepted references

      Official website or legal act

      Evidence

      The Directive on security of network and information systems (the NIS Directive) was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. Member States of the European Union, including Poland, have 21 months to transpose the Directive into their national laws and 6 months more to identify operators of essential services. A proposal of law on the national cybersecurity system, transposing the NIS Directive, is currently being processed by the Parliament. According to art. 62 of the proposal, the Government Plenipotentiary for Cyber Security shall be responsible for coordinating the implementation of cybersecurity tasks in the Republic of Poland at the national level. The Government Plenipotentiary, in the rank of secretary of state or undersecretary of state, will be appointed and dismissed by the Prime Minister. The Plenipotentiary's tasks will include analysis and assessment of the functioning of the national cyber security system, based on aggregated data and indicators developed with the participation of state administration bodies, competent authorities and CSIRT teams, as well as supervision of the risk management process of the national cyber security system, using aggregated data and indicators developed with the participation of competent authorities and CSIRT teams. The mechanism of the Cybersecurity Strategy of the Republic of Poland will be used in the implementation of this process.

    • 1.3. Cyber security strategy 1/1
      Requirements
      Criteria

      The central government has established a national-level cyber security strategy or other equivalent document.

      Accepted references

      Valid official document

      Evidence

      The competences related to security of cyberspace are divided between the institutions that pursue their tasks regarding cyber resilience, the prevention of cybercrime and cyberdefence. As a result, there are three main documents that relate to cyber security:

      1) National Framework of Cybersecurity Policy of the Republic of Poland for 2017-2022

      2) The National Security Strategy of the Republic of Poland,

      3) The Doctrine of Cybersecurity of the Republic of Poland.



    • 1.4. Cyber security strategy implementation plan 1/1
      Requirements
      Criteria

      The central government has established an implementation plan to the national-level cyber security strategy or other equivalent document.

      Accepted references

      Valid official document or its enforcement act

      Evidence

      According to point 9 of the National Framework of Cybersecurity Policy, within six months of its adoption, the coordinator, in cooperation with members of the Council of Ministers, heads of central offices and the Director of the Government Centre for Security, will develop an Action Plan for the implementation of the National Framework of Cybersecurity Policy. When developing the Plan, the above-mentioned bodies shall take into account in their activities the issues of cybersecurity in accordance with their statutory competence. The action plan has been adopted.

  • 2. Cyber threat analysis and information 4/5 80%
    • 2.1. Cyber threats analysis unit 3/3
      Requirements
      Criteria

      A central government entity has a national-level unit that is specialised in national strategic cyber threat situation analysis.

      Accepted references

      Official website or legal act

      Evidence

      It should be emphasized that in Poland there is no single computer security incident response team, but many CERTs dealing with broadly defined ICT security issues. The governmental CERT.GOV.PL operates within the structures of the Internal Security Agency; there are also teams set up by the telecommunications and energy sectors, including ORANGE CERT and PSE CERT, as well as CERT Polska, which functions within the framework of the Research and Academic Computer Network (NASK).
      CERT POLSKA
      The Polish Minister of Digital Affairs is responsible for supervision of NASK as the research institute and operator of the data transmission network under which CERT Polska functions. CERT Polska is the first Computer Emergency Response Team established in Poland. Thanks to its dynamic activity since 1996 in the community of response teams, it has become a recognizable and experienced entity in the field of computer security. From the beginning of the team's existence, its core business has been the handling of security incidents and cooperation with similar units around the world, in operational as well as research and implementation activities. Since 1998, CERT Polska has been a member of the international forum of response teams, FIRST, and since 2000 it has belonged to the working group of European response teams, TERENA TF-CSIRT, and the Trusted Introducer operating under it. In 2005, at the initiative of CERT Polska, the forum of Polish abuse teams, Abuse FORUM, was established, while in 2010 CERT Polska joined the Anti-Phishing Working Group, an association gathering companies and institutions actively fighting cybercrime. CERT Polska is a so-called "last chance CSIRT", which means that everyone can report an incident. Until now, reporting incidents was not mandatory, but the new proposal on the national cybersecurity system, already discussed in Parliament, provides for CERT Polska to be one of the 3 national-level CSIRTs.


      Established on 1 February 2008 within the structure of the Internal Security Agency, the Governmental Computer Security Incident Response Team (CERT.GOV.PL) ensures and develops the capability of public administration units and Critical Infrastructure operators to protect themselves against cyber threats, in particular attacks against infrastructure involving IT systems and networks, the destruction or disruption of which may considerably threaten the lives and health of people, the existence of national heritage and the environment, or lead to considerable financial loss or disturb the operations of public authorities or critical infrastructure operators. The new tasks were introduced in 2016 by the amendments to the Act on Internal Security Agency and Intelligence Agency.

    • 2.2. Public cyber threat reports are published annually 1/1
      Requirements
      Criteria

      The public part of the national cyber threat situation analysis is published at least once a year.

      Accepted references

      Official public report

    • 2.3. Cyber safety and security website 0/1
      Requirements
      Criteria

      Public authorities provide at least one cyber safety and security website for cyber security and ICT professionals, and regular users.

      Accepted references

      Website

      Evidence
  • 3. Education and professional development 5/9 56%
    • 3.1. Cyber safety competencies in primary or secondary education 1/1
      Requirements
      Criteria

      Primary or secondary education curricula include cyber safety / computer safety competences.

      Accepted references

      Official curriculum or official report

      Evidence

      In 2017, issues within the field of cybersecurity education were introduced to the Polish education system.
      1. Changes were introduced to the Act of 14 December 2016 on Educational Law (Journal of Laws of 11 January 2017). New provisions were introduced in Art. 1 (items 21 and 22) about dissemination of knowledge about threats, including in cyberspace, and development of ICT skills. These provisions are as follows:
      Art. 1. The education system ensures in particular:
      21) dissemination of knowledge about safety among children and adolescents and shaping appropriate attitudes towards threats, including those related to the use of information and communication technologies, and emergency situations;
      22) developing students' skills in efficient use of information and communication technologies;
      These provisions must be taken into account in the planning and implementation of activities by all entities operating under the education system in Poland.
      2. In addition, issues related to education in the area of the use of new technologies, critical understanding and security in cyberspace have been formulated in the new core curriculum of general education for both primary and secondary schools.
      The new core curriculum of IT classes and computer science extends safety and compliance provisions. They refer to respecting the privacy of information, data protection, intellectual property rights and safe movement in cyberspace.
      The implementation of the core curriculum is the responsibility of every teacher.
      The new core curriculum for primary schools is in force from the school year 2017/2018. However, for secondary schools it will apply from the school year 2018/2019.
      The Minister of National Education, defining the directions of the implementation of the state's education policy in the 2017/2018 school year, identified security on the internet and responsible use of social media as one of the priorities. It is also planned to prepare tutorials for teachers on the implementation of the content of the new core curriculum of IT classes and computer science, including in the field of information security. Materials will be developed by the Center for Education Development in 2018.
      At the request of the Ministry of National Education, recommendations were also prepared: "Safe school, threats and recommended preventive actions in the field of physical and digital security". The material was provided to educational institutions and published on the website https://bezpiecznaszkola.men.gov.pl/bezpieczna-szkola-zagrozenia-and-albane-dzialania-profilaktyczne-w-zakresie-bezpieczenstwa-fizycznego-i-cyfrowy-uczniow/ in September 2017.

    • 3.2. Bachelor’s level cyber security programme 0/2
      Requirements
      Criteria

      There is at least one cyber security / electronic information security focused programme at Bachelor’s or equivalent level.

      Accepted references

      Accredited study programme

      Evidence
    • 3.3. Master’s level cyber security programme 2/2
      Requirements
      Criteria

      There is at least one cyber security / electronic information security focused programme at Master’s or equivalent level.

      Accepted references

      Accredited study programme

    • 3.4. PhD level cyber security programme 0/2
      Requirements
      Criteria

      There is at least one cyber security / electronic information security focused programme at PhD or equivalent level.

      Accepted references

      Accredited study programme

      Evidence
    • 3.5. Cyber security professional association 2/2
      Requirements
      Criteria

      There is a professional association of cyber/electronic information security specialists, managers or auditors.

      Accepted references

      Website

  • 4. Contribution to global cyber security 2/6 33%
BASELINE CYBER SECURITY INDICATORS
INCIDENT AND CRISIS MANAGEMENT INDICATORS

CONTRIBUTORS

Joanna Świątkowska
The Kosciuszko Institute