NCSI FULFILMENT PERCENTAGE
Version 3 Dec 2019
GENERAL CYBER SECURITY INDICATORS
-
1. Cyber security policy development 7/7 100%
-
1.1. Cyber security policy unit 3/3
Requirements
Criteria: A central government entity (ministry or equivalent) has a specialised official or unit responsible for national cyber security policy development.
Accepted references: Official website or legal act
Evidence
According to Article 4 of the Law on Information Security (Web link 1) and Article 8.5 of the Law on Ministries (Web link 2), the Ministry of Trade, Tourism and Telecommunications is the competent body for cyber security in Serbia ("The state administration body responsible for the security of the ICT system is the ministry responsible for information security (hereinafter: the competent authority)."). This Ministry has established the Sector for Information Society and Information Security. Within this sector are the Unit for regulation, analysis and planning in the Information Society Field and the Unit for Information Security and e-Commerce. This sector has prepared regulations (laws, bylaws) in the cyber security area, as well as the Cyber Security Strategy.
https://www.paragraf.rs/propisi/zakon_o_ministarstvima.html
http://mtt.gov.rs/download/Informator%20o%20radu(3).pdf
Information on the Ministry's organizational units and their tasks is available on pages 5 and 37 of the Ministry Informator.
-
1.2. Cyber security policy coordination format 2/2
Requirements
Criteria: The central government has a committee, council, working group, etc. for national-level cyber security policy coordination.
Accepted references: Official website or legal act
Evidence
The Government of Serbia has the Coordination Body for Cyber Security Affairs, which consists of representatives of the relevant state bodies in this area. The tasks of this body are defined by Article 2 of the Decision on Establishing (Web Link 1).
-
1.3. Cyber security strategy 1/1
Requirements
Criteria: The central government has established a national-level cyber security strategy or other equivalent document.
Accepted references: Valid official document
Evidence
http://mtt.gov.rs/download/3/strategijarazvoja%20ib.pdf
The Strategy of Information Security Development in the Republic of Serbia for the period 2017-2020
-
1.4. Cyber security strategy implementation plan 1/1
Requirements
Criteria: The central government has established an implementation plan to the national-level cyber security strategy or other equivalent document.
Accepted references: Valid official document or its enforcement act
Evidence
2018 and 2019 Action Plan for Implementation of the Information Security Development Strategy in the Republic of Serbia
-
-
2. Cyber threat analysis and information 1/5 20%
-
2.1. Cyber threats analysis unit 0/3
Requirements
Criteria: A central government entity has a national-level unit that is specialised in national strategic cyber threat situation analysis.
Accepted references: Official website or legal act
Evidence
-
2.2. Public cyber threat reports are published annually 0/1
Requirements
Criteria: The public part of the national cyber threat situation analysis is published at least once a year.
Accepted references: Official public report
Evidence
-
2.3. Cyber safety and security website 1/1
Requirements
Criteria: Public authorities provide at least one cyber safety and security website for cyber security and ICT professionals, and regular users.
Accepted references: Website
Evidence
https://www.pametnoibezbedno.gov.rs/
The Ministry of Trade, Tourism and Telecommunications administers the website "Safe&Smart", where information on cyber security matters can be found. The aim of this initiative is to educate and raise awareness about the necessity of fast, correct and targeted involvement of citizens, the education system and the economy in contemporary digital currents. The platform launches educational and promotional projects that should contribute to the development of digital literacy, digital competences and digital security culture among all citizens of Serbia.
Also, on the website of National CERT there are notifications and recommendations regarding cyber security.
-
-
3. Education and professional development 5/9 56%
-
3.1. Cyber safety competencies in primary or secondary education 1/1
Requirements
Criteria: Primary or secondary education curricula include cyber safety / computer safety competences.
Accepted references: Official curriculum or official report
Evidence
Cyber security lectures are included in Informatics and computing curricula for elementary schools (digital literacy area) (p.181 of PDF document).
-
3.2. Bachelor’s level cyber security programme 0/2
Requirements
Criteria: There is at least one cyber security / electronic information security focused programme at Bachelor’s or equivalent level.
Accepted references: Accredited study programme
Evidence
-
3.3. Master’s level cyber security programme 2/2
Requirements
Criteria: There is at least one cyber security / electronic information security focused programme at Master’s or equivalent level.
Accepted references: Accredited study programme
Evidence
http://www.metropolitan.ac.rs/en/master-studies/information-security/
There are accredited information security study programmes and courses in the Republic of Serbia. For example, there is an information security module in the master studies at University "Metropolitan" Belgrade.
There is also an information security course in the accredited master programme of the Faculty of Transport and Traffic Engineering in Belgrade.
-
3.4. PhD level cyber security programme 0/2
Requirements
Criteria: There is at least one cyber security / electronic information security focused programme at PhD or equivalent level.
Accepted references: Accredited study programme
Evidence
-
3.5. Cyber security professional association 2/2
Requirements
Criteria: There is a professional association of cyber/electronic information security specialists, managers or auditors.
Accepted references: Website
Evidence
https://www.isaca.org/membership/local-chapter-information/pages/chapteroverview.aspx?chapterid=236
The main goal of the DIBS Society is to raise the level of information security in the Republic of Serbia by continuously monitoring and assessing the state of information security, as well as actively participating in the creation of the National Strategy and Legislation in the domain of work. The society has formed a group of enthusiasts from various structures of our society who practically and at the academic level gravitate in the areas of information security.
eSafety is a non-profit association formed in February 2016. It is made up of IT security professionals who are gathered around the general vision and intention to raise the significance, role and awareness of information security, as well as knowledge of high-tech crime.
-
-
4. Contribution to global cyber security 2/6 33%
-
4.1. Convention on Cybercrime 1/1
Requirements
Criteria: The country has ratified the Convention on Cybercrime.
Accepted references: Official website of the convention
Evidence
https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures?p_auth=zrS8ISMY
Republic of Serbia has signed and ratified the Convention on Cybercrime.
The Republic of Serbia has adopted the Law on ratifying the Convention on Cybercrime (Web link 2, Official Gazette of the Republic of Serbia, No. 19/2009, pages 3-20) and the Law on ratifying the Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (Official Gazette of the Republic of Serbia, No. 19/2009, pages 40-45).
-
4.2. Representation in international cooperation formats 1/1
Requirements
Criteria: The government is regularly represented in a cooperation format that is dedicated to international cyber security (e.g. FIRST).
Accepted references: Official website of the cooperation format
Evidence
https://www.trusted-introducer.org/directory/country_LICSA.html
Serbian CERT teams are listed on Trusted Introducer List and they are available for international cooperation.
https://www.osce.org/secretariat/cyber-ict-security
Serbia participates in the OSCE Informal Working Group formed by Decision 1039 of the OSCE Permanent Council on the development of confidence-building measures to reduce the risks of conflict stemming from the use of information and communication technologies.
-
4.3. International cyber security organisation hosted by the country 0/3
Requirements
Criteria: A regional or international cyber security organisation is hosted by the country.
Accepted references: Organisation’s official website
Evidence
-
4.4. Cyber security capacity building for other countries 0/1
Requirements
Criteria: The country has (co-)financed or (co-)organised at least one capacity building project for another country in the last 3 years.
Accepted references: Official website or project document
Evidence
-
BASELINE CYBER SECURITY INDICATORS
-
5. Protection of digital services 5/5 100%
-
5.1. Cyber security responsibility for digital service providers 1/1
Requirements
Criteria: According to legislation, digital service providers (except micro and small enterprises): (1) must manage cyber/ICT risks or (2) must implement established cyber/information security requirements.
Accepted references: Legal act
Evidence
http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/skupstina/zakon/2016/6/5/reg
By the amendments of The Law on Information security, information society service providers (digital service providers) are recognized as ICT systems of particular importance in the Republic of Serbia (Article 6). In accordance with the Law, they are obliged to take protection measures of their ICT system, to adopt policy on security of ICT system, take system audits every year and report incidents that significantly disrupt information security of their system.
-
5.2. Cyber security standard for the public sector 1/1
Requirements
Criteria: Public sector digital service providers must implement (1) cyber/ICT security requirements (defined by legislation) or (2) a widely recognised security standard.
Accepted references: Legal act
Evidence
According to Article 6 of Law on Information Security, public sector bodies are determined as operators of ICT systems of particular importance. Public sector bodies are obliged to conduct protection measures of their ICT systems (Article 7), to adopt Act on Information Security of their ICT systems (Article 8) and to report incidents which significantly endanger their ICT systems (Article 11).
-
5.3. Competent supervisory authority 3/3
Requirements
Criteria: The government has a competent authority in the field of cyber/information security that has the power to supervise public and private digital service providers regarding the implementation of cyber/information security requirements.
Accepted references: Official website or legal act
Evidence
By the amendments of The Law on Information security, information society service providers (digital service providers) are recognized as ICT systems of particular importance in the Republic of Serbia (Article 6). In accordance with the Article 28 of the Law, competent ministry takes supervision over ICT systems of particular importance.
-
-
6. Protection of essential services 6/6 100%
-
6.1. Operators of essential services are identified 1/1
Requirements
Criteria: There is a legal act that allows to identify operators of essential services.
Accepted references: Legal act
Evidence
According to Article 6 of the Law on Information Security (Web link 1), operators of particular importance are: 1) public sector bodies, 2) entities which use ICT systems processing particularly sensitive personal data, 3) operators of ICT systems in areas of public interest (operators of essential services). Article 6 defines the areas of public interest.
The list of services is closely defined by the Government Regulation on determining the List of activities in areas of public interest in which ICT systems of particular importance are used.
-
6.2. Cyber security requirements for operators of essential services 1/1
Requirements
Criteria: According to the legislation, operators of essential services must manage cyber/ICT risks.
Accepted references: Legal act
Evidence
Under Articles 7 and 8 of the Law on Information Security, the operators of ICT systems of particular interest (including operators of essential services) are obliged to take protection measures in order to prevent incidents in their ICT systems, and operators of ICT systems of particular importance have to conduct a security audit.
Protection measures are regulated by Government Regulation on ICT systems of particular importance protection measures.
Security of ICT system, audit methods and report content are closely regulated by Government regulation.
-
6.3. Competent supervisory authority 3/3
Requirements
Criteria: The government has a competent authority in the field of cyber/information security that has the power to supervise operators of essential services, regarding cyber/information security requirements.
Accepted references: Official website or legal act
Evidence
Articles 28-29: the competent ministry for information security (which is now the Ministry of Trade, Tourism and Telecommunications) conducts inspection of operators of ICT systems of particular importance (including operators of essential services).
-
6.4. Regular monitoring of security measures 1/1
Requirements
Criteria: Operators of essential services must regularly (at least once every 3 years) provide evidence of the effective implementation of cyber/information security policies (e.g. audit result, documentation, specific report).
Accepted references: Legal act
Evidence
Operators of ICT systems have to conduct security audit of their ICT systems at least once per year and to make a report on that audit (Article 8, Web link 1).
-
-
7. E-identification and trust services 9/9 100%
-
7.1. Unique persistent identifier 1/1
Requirements
Criteria: The government provides a unique persistent identifier to all citizens, residents, and legal entities. For example, the identifier remains the same after document expiration and name change.
Accepted references: Legal act
Evidence
Citizens of the Republic of Serbia have a unique identification number, which is the citizen's individual and unrepeatable identification data (Article 1; Law on the unique registration number of citizens).
Companies in Serbia have an identification number which is given by Statistical Office of Serbia (Article 4).
-
7.2. Requirements for cryptosystems 1/1
Requirements
Criteria: Requirements for cryptosystems in the field of trust services are regulated.
Accepted references: Legal act
Evidence
Article 4 refers to ETSI TS 119 312 „Electronic Signatures and Infrastructures (ESI) – Cryptographic Suites”.
-
7.3. Electronic identification 1/1
Requirements
Criteria: Electronic identification is regulated.
Accepted references: Legal act
Evidence
Electronic identification in Serbia is regulated by the Law on Electronic Document, Electronic Identification and Trust Services in Electronic Business (Web Link 1, Articles 17-24) and by the Regulation on detailed conditions for electronic identification schemes for each level of assurance (Web link 2).
http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/vlada/uredba/2018/60/1/reg
-
7.4. Electronic signature 1/1
Requirements
Criteria: E-signature is regulated.
Accepted references: Legal act
Evidence
Electronic signature/seal in Serbia is regulated by Law on Electronic Document, Electronic Identification and Trust Services in Electronic Business (Web Link 1, Article 42-51), and by Regulation on conditions for trust services providing (Web link 2) and by Rulebook on conditions for qualified electronic certificates (Web link 3). Also, there is Rulebook on conditions for qualified creation signature/seal devices (link: http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/ministarstva/pravilnik/2018/34/4/reg)
http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/vlada/uredba/2018/37/2/reg
-
7.5. Timestamping 1/1
Requirements
Criteria: Timestamping is regulated.
Accepted references: Legal act
Evidence
Timestamping is regulated by Law on Electronic Document, Electronic Identification and Trust Services in Electronic Business (Articles 52-53).
Rules on the issuance of a time stamp
-
7.6. Electronic registered delivery service 1/1
Requirements
Criteria: Electronic registered delivery service between state entities, citizens and private sector entities is regulated. The service provides legally binding data exchange and guarantees the confidentiality and integrity of information.
Accepted references: Legal act
Evidence
Electronic registered delivery is regulated by the Law on Electronic Document, Electronic Identification and Trust Services in Electronic Business (Article 15, Articles 54-55). Article 54 requires service providers to fulfil technical and security requirements which guarantee the confidentiality and integrity of information. The legal effect of the registered delivery service in administrative procedures is regulated by Article 55.
-
7.7. Competent supervisory authority 3/3
Requirements
Criteria: There is an authority responsible for the supervision of qualified trust service providers.
Accepted references: Official website or legal act
Evidence
The ministry competent for information society (Ministry of Trade, Tourism and Telecommunications) is the authority responsible for the supervision of qualified trust service providers (Article 28).
-
-
8. Protection of personal data 4/4 100%
-
8.1. Personal data protection legislation 1/1
Requirements
Criteria: There is a legal act for personal data protection.
Accepted references: Legal act
Evidence
Law on personal data protection
-
8.2. Personal data protection authority 3/3
Requirements
Criteria: There is an independent public supervisory authority that is responsible for personal data protection.
Accepted references: Official website or legal act
Evidence
The Commissioner for Information of Public Importance and Personal Data Protection (Web link 2) carries out the duties of personal data protection as an autonomous public authority that exercises its powers independently (Web Link 1, Article 1 paragraph 3).
-
INCIDENT AND CRISIS MANAGEMENT INDICATORS
-
9. Cyber incidents response 6/6 100%
-
9.1. Cyber incidents response unit 3/3
Requirements
Criteria: The government has a unit (CSIRT, CERT, CIRT, etc.) that is specialised in national-level cyber incident detection and response.
Accepted references: Official website or legal act
Evidence
Law on Information Security (Web Link 1, Article 14-16) determined RATEL (Regulatory Agency for Electronic Communications, Web link 2) as National CERT.
-
9.2. Reporting responsibility 1/1
Requirements
Criteria: Digital service providers and operators of essential services have an obligation to notify appointed government authorities of cyber security incidents.
Accepted references: Legal act
Evidence
Operators of particular interest are obliged to notify competent authorities on cyber security incidents which significantly disrupt security of their ICT systems (Article 11).
Procedures of incident notifications, list, types and significance of incidents are regulated by Government act.
-
9.3. Single point of contact for international coordination 2/2
Requirements
Criteria: The government has designated a single point of contact for international cyber security coordination.
Accepted references: Official website or legal act
Evidence
http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/skupstina/zakon/2016/6/5/reg
In accordance with the Article 15 of the Law on Information Security, the National CERT is the authorized point of contact for the cooperation with the similar organizations in other countries.
-
-
10. Cyber crisis management 3/5 60%
-
10.1. Cyber crisis management plan 0/1
Requirements
Criteria: The government has established a crisis management plan for large-scale cyber incidents.
Accepted references: Legal act
Evidence
-
10.2. National-level cyber crisis management exercise 2/2
Requirements
Criteria: The government has conducted a national-level cyber crisis management exercise or a crisis management exercise with a cyber component in the last 3 years.
Accepted references: Exercise document/website or press release
Evidence
https://www.osce.org/secretariat/351176
Representatives of Serbian state bodies participated in a tabletop exercise in Serbia on protecting critical energy infrastructure from cyber-related terrorist attacks, which was organized by the OSCE in October 2017 (Web link 1).
-
10.3. Participation in international cyber crisis exercises 1/1
Requirements
Criteria: The country's team has participated in an international cyber crisis management exercise in the last 3 years.
Accepted references: Exercise document/website or press release
Evidence
http://brilliancesecuritymagazine.com/by-staff-reporter/cyber-exercise-between-european-certs/
SecOps Europe 2018: International Exercise and Conference on Security Operations.
https://www.secops-europe.com/
Technical cyber security exercise for national CERTs. The national CERTs from Europe will be given identical environments that operate critical infrastructure. Their role is to defend the infrastructure from the attacking red team. Visual effects and scoreboards will be placed all around the venue so visitors can keep an eye on the developments of the attacks and the defences while they are visiting the conference. Serbia was represented by Unicom Telecom, security services provider with its UniCERT team.
-
10.4. Operational support of volunteers in cyber crises 0/1
Requirements
Criteria: The procedures for using volunteers in the field of cyber security are established by legislation.
Accepted references: Legal act
Evidence
-
-
11. Fight against cybercrime 9/9 100%
-
11.1. Cybercrimes are criminalised 1/1
Requirements
Criteria: Cybercrimes are defined by legislation.
Accepted references: Legal act
Evidence
https://www.mpravde.gov.rs/files/CRIMINAL%20CODE%20SERBIA.doc
Cybercrimes are regulated by the Criminal Code (Articles 298-304a, Article 185b, Articles 198-204).
-
11.2. Cybercrime unit 3/3
Requirements
Criteria: There is a government entity with a specific function of combatting cybercrime.
Accepted references: Official website or legal act
Evidence
http://arhiva.mup.gov.rs/cms_lat/UKP.nsf/sbpok.h?OpenPage
Cybercrime Department is a unit which is part of Ministry of Interior - Service for Organized Crime (Web link 1) and it has a specific function of combatting cybercrime (Web link 2, Article 9).
Also, the Special Prosecutor's Office for Cybercrime (Web Link 3) is the competent authority for cybercrime processing (Web link 2, Article 4).
-
11.3. Digital forensics unit 3/3
Requirements
Criteria: There is a government entity with a specific function of digital forensics.
Accepted references: Official website or legal act
Evidence
Digital forensics is performed by the Section for providing and analysis of electronic evidences and electronic forensics within Ministry of Interior, Service for Combating Organized Crime (Web link 1, page 13, paragraph 2).
-
11.4. 24/7 contact point for international cybercrime 2/2
Requirements
Criteria: The government has designated an international 24/7 contact point for cybercrimes.
Accepted references: Official website or legal act
Evidence
- Cybercrime Department, Service for Combating Organized Crime, Ministry of Interior
- Special Prosecutor's Office for High-tech Crime of Serbia
-
-
12. Military cyber operations 3/6 50%
-
12.1. Cyber operations unit 0/3
Requirements
Criteria: Military forces have a unit (cyber command, etc.) that is specialised in planning and conducting cyber operations.
Accepted references: Official website or legal act
Evidence
-
12.2. Cyber operations exercise 2/2
Requirements
Criteria: Military forces have conducted a cyber operations exercise or an exercise with a cyber operations component in the country in the last 3 years.
Accepted references: Exercise document/website or press release
Evidence
http://www.vs.rs/en/news/BA5E2A5D062D11EAAC980050568F5424/multinational-exercise-cyber-tesla-2019
The Serbian Armed Forces have conducted the "Cyber Tesla" cyber operations exercise every year.
http://www.mod.gov.rs/eng/12657/pocela-multinacionalna-vezba-sajber-tesla-2018-12657
http://www.mod.gov.rs/eng/11525/ministar-vulin-na-vezbi-sajber-tesla-2017-11525
-
12.3. Participation in international cyber exercises 1/1
Requirements
Criteria: The country's military team has participated in an international cyber operations exercise in the last 3 years.
Accepted references: Exercise document/website or press release
Evidence
http://www.vs.rs/en/news/BA5E2A5D062D11EAAC980050568F5424/multinational-exercise-cyber-tesla-2019
The "Cyber Tesla" exercise is conducted every year with the National Guard of Ohio (USA).
http://www.mod.gov.rs/eng/12657/pocela-multinacionalna-vezba-sajber-tesla-2018-12657
http://www.mod.gov.rs/eng/11525/ministar-vulin-na-vezbi-sajber-tesla-2017-11525
-
CONTRIBUTORS
Ministry of Trade, Tourism and Telecommunications
