Slovakia (SK)

The latest cyber security strategy for Slovakia covers the years 2015-2020: Cyber Security Concept of the Slovak Republic

The strategic goal of cyber security in the Slovak Republic is to achieve an open, secure, and protected national cyber space, i.e. to build trust in the reliability and security of critical information and communication infrastructure, and certainty that it will perform its functions and serve national interests even in the event of cyber attacks. The objectives are:

Obj. 1 - Protection of national cyber space is a system operating conceptually, in a coordinated manner, efficiently, effectively, and on a legal basis.

Obj. 2 - Security awareness of all components of society is systematically increasing.

Obj. 3 - The private and academic sectors as well as civil society actively participate in the formulation and implementation of the policy of the Slovak Republic in the area of cyber security.

Obj. 4 - Efficient collaboration is provided for both at national and international levels.

Obj. 5 - The adopted measures are adequate and respect the protection of privacy and basic human rights and freedoms.

The strategy defines 7 measures:

Measure 1: Building an institutional framework for cyber security administration.
Measure 2: Creating and adopting a legal framework for cyber security.
Measure 3: Defining and applying basic mechanisms for securing the administration of cyberspace.
Measure 4: Supporting, preparing, and introducing a system of education in the area of cyber security.
Measure 5: Defining and applying a risk control culture and a system of communication between the stakeholders.
Measure 6: Active international collaboration.
Measure 7: Supporting science and research in the area of cyber security.

 

NATIONAL CYBER SECURITY STRATEGY - NIS CAPACITIES

Year of adoption

2015 covering the years 2015-2020; 2009 covering the period 2008-2013

Updates and revisions

Cyber Security Concept of the Slovak Republic is based on an extensive review of the current state of play on cyber security in the Slovak Republic. 

The new strategy covers operational cyber security capabilities and cyber incident management; military cyber defence; and cyber aspects of crisis prevention and crisis management. It also offers a summary of the national information society setting and e-government initiatives as well as the national cyber security strategy objectives in order to clarify the context for the organisational approach in a particular nation.

The initial strategy was entitled Reports on the Performance of Tasks of the National Information Security Strategy of the Slovak Republic and Tasks of the Action Plan for 2008 to 2013.

Implementation and monitoring

Implementation of the strategy is defined at government level. 

Annual reports have been compiled since 2010 to monitor progress towards defined goals. The 2010 report highlights the need to significantly improve response capacities and overall awareness. The 2013 report underscores the importance of defining a new legal framework in view of the European Directive on network and information security (NISD), while the 2014 report underlines the importance of standardised procedures and control mechanisms, risk management, as well as increased security awareness and skills. 

Operational Capacity building

The 2015-2020 strategy sets out the plans for national capacity building at various levels. The plan is to create a formal platform for collaboration on a national level, ensuring the participation of representatives of the corporate and academic sectors with recommendations and/or opinions on the development and continuous improvement of the cyber security system of the Slovak Republic.

  • Central state administration body for cyber security - National Security Authority.
  • National Incident Resolution Unit - CERT/CSIRT - systematically monitors the status of security and adherence to security standards in public administration information systems in liaison with central government; responsible for coordinated incident resolution and/or coordinated responses to cyber attacks; issues early warnings and shares updates on the threat landscape; provides specialised training on incident resolution units and on cyber security; conducts international collaboration within its scope; builds wide public awareness of online risks and organises campaigns on network and information security; and incident resolution.
  • Sector oriented authority - national policies and co-operation with other sector oriented authorities; ensures greater levels of awareness and coordinates collaboration at all levels of cyber control. 
  • Additional CERT/CSIRT capabilities (government) - monitors state of cyber security and compliance with standards; executes immediate warnings and early notification of cyber threats; provides professional training courses and co-operates with other incident resolution units.

Current capacities are delivered through existing computer security incident response (CSIRT)/computer emergency response (CERT) teams.

CSIRT.SK (Slovak and English) was established by the Ministry of Finance to ensure an adequate level of protection of the national IT infrastructure and critical infrastructures.

Its activities include handling security incidents and their consequences and subsequent recovery in co-operation with the owners and operators of NIKI, telecom operators, internet service providers (ISPs) and other state authorities (e.g. police, investigators, courts) involved in building and expanding public knowledge in selected areas of information security.

It also actively co-operates with international organisations and represents Slovakia in the field of information security at the international level. It is a member of FIRST, an international forum for CERTs/CSIRTs. 

 

Legal conditions

Creating a formal legal regulation for the cyber security control system is the highest priority in the 2015-2020 strategy for substantially increasing protection in cyberspace. The legal basis is intended to be an institutional, regulatory and methodical framework, including specialised institutions and terminology through the adoption of a Cyber Security Act.

The Cyber Security Act will define the powers and competences of public authorities and the duties of organisations using ICT in cyberspace. It will establish binding terminology and standards on cyber security and will provide guidance on the practical application of the Act and standards across different industry sectors.

Business & Public Private partnerships

The 2015-2020 strategy provides for co-operation and partnerships at national and international levels of all relevant entities from public, private and academic sectors and the civil society.

The new strategy also places emphasis on developing an internal market with cyber security products and services, especially using grants, EU funds and support for newly emerging projects or start-ups, as well as support for research, development and innovation of industrial and technological sources of cyber security. In addition, the strategy includes systematic informing and a complex education system in the cyber security area.

Risk assessment 

The 2015-2020 strategy highlights the importance of establishing a high culture of risk control, information exchange between private and public sectors and increasing capacities of actors, based on an evaluation made in 2014. 

Determination and Application of Risk Management Culture and Communication System Between Stakeholders - setting up control and executive structures with clearly defined powers and competences; introducing relevant methodologies and standards; implementing relevant supporting information, communication and control systems as well as secure systems: exchange of information, early warning and coordinated reaction.

Date of last WISER analysis July 2017 (complete update)

 

Compliance with the GDPR and NIS Directive: Report a cyber incident

Report a cyber incident to national CSIRT/CERT


CSIRT.SK
Guidelines on reporting a cyber incident can be found at www.csirt.gov.sk/incident-report-86c.html

Best practices

Slovakia has recognised the importance of defining a legal framework in line with European legislation, particularly the NIS Directive, as well as of risk management. However, specific measures still need defining and implementing, which raises some doubts about readiness levels for both the NIS Directive and the GDPR when it comes into force in May 2018.

CSIRT.SK provides timely updates on the national cyber threat landscape.

Guidance and Updates

The National Security Authority coordinates, monitors, controls and evaluates the execution of tasks in the area of cyber security at a national level.

CSIRT.SK is accredited by Trusted Introducer, which gathers mostly European CERT/CSIRT teams and represents a platform for exchange of knowledge and experience in handling computer security incidents.

CSIRT.SK publishes monthly reports that show the different types of attacks that have occurred in a pie chart. It also provides regular updates on cyber attacks, such as ransomware.

Other national entities are also involved in monitoring: Sanet (Slovak academic Network, member of TERENA), ISACA Slovak Chapter, ITAS (IT Association of Slovakia), Sasib (Slovak Association for Information Security).

Slovakia is also a part of the Central and Eastern European Networking Association (CEENet), where co-operation has evolved into computer network security. 

Languages: Slovak and English. The CSIRT.SK website is in both Slovak and English.
Date of last WISER analysis July 2017 (complete revision)

 
