Regulation for the attestation of cyber security auditors

The Order of the Secretary General of the Government (OSGG) no. 559/2021 approving the Regulation for the attestation and verification of cyber security auditors was published in the Official Gazette no. 387 of April 14, 2021.

Through this order, specific rules for the attestation and verification of cyber security auditors entered into force. These are the specialists referred to in the cyber security law known as the NIS Law (Law no. 362/2018).

 

Specifically, operators of essential services and digital service providers (transport companies, utility providers and medical units, among others) must periodically engage these specialists to audit their networks and information systems, as one of their cyber security obligations under the NIS Law.

 

It is important to note that the law mainly targets transport companies (air, rail, road or water), hospitals and medical clinics, energy suppliers (natural gas, electricity), drinking water suppliers, and banks. These types of companies are legally obliged to take security measures, such as auditing, to prevent cyber attacks that could seriously affect the business environment and the population.

 

Thus, according to Order 559/2021, cyber security auditors may be certified natural persons (Romanian citizens, or citizens of another member state of the European Union or the European Economic Area) or legal entities with certified staff, who meet the requirements of this regulation and wish to carry out an activity consisting of the systematic evaluation of all policies, procedures and protection measures implemented in networks and information systems, in order to identify dysfunctions and vulnerabilities and to propose solutions to remedy them. They may exercise this activity in Romania independently or as employees of legal entities.

 

We emphasize that the regulation does not apply to the institutions of the defence, public order and national security system, to the field of critical infrastructure protection, or to cyber infrastructures that carry classified information.

 

 

Competent authority at national level:

 

For the issuance, revocation or renewal of the certificates of cyber security auditors who may audit the networks and information systems that support essential services or provide digital services, the National Cyber Security Incident Response Center (CERT-RO) is the competent authority at national level, in accordance with art. 15 para. (1) in conjunction with art. 20 letter p) of the NIS Law.

 

The competent authority at national level organizes and manages the attestation and verification process of the cyber security auditors.

 

CERT-RO, as the competent authority at national level, ensures:

a) maintaining and permanently updating the National Register of cyber security auditors;

b) granting, extending, suspending or withdrawing the certificates of cyber security auditors;

c) security risk assessment regarding security auditors and the audit activities performed on networks and information systems, together with the COSC institutions;

d) participation in the training/specialization of candidates seeking certification as cyber security auditors, both through the topics it elaborates and in the examination/evaluation commissions;

e) verification, following notifications or ex officio, that certified cyber security auditors fulfil the legal obligations incumbent on them.

 

 

Thus, the auditors’ certificates are issued, renewed or revoked by the National Cyber Security Incident Response Center (CERT-RO).

 

The attestation can be general, special or common, depending on the activities that the natural or legal person applying to CERT-RO will be entitled to carry out.

 

The certificate is issued upon request, following the detailed process set out in the order; applicants must prove experience in the cyber security field and hold certain professional certifications.

 

 

Cyber security auditors:

 

As mentioned above, a cyber security auditor is any natural person or legal entity that performs, on the territory of Romania, security audits of the networks and information systems that support essential services or provide digital services, in order to identify dysfunctions and vulnerabilities and to propose solutions to remedy them.

 

The cyber security auditor carries out this activity individually or within an audit team and performs at least one of the security audit activities described in art. 5 para. (1) of Order 559/2021.

 

Cyber security auditors are certified by CERT-RO, and their records are kept in the National Register of cyber security auditors.

 

The quality of cyber security auditor is proven by the valid auditor certificate issued by the competent authority at national level for the security of networks and information systems.

 

The cyber security auditor certificate is nominal, non-transferable and is valid for 3 years from the date of issue.

 

The model of the certificate is provided in annex no. 1.

 

 

NATIONAL CENTER FOR RESPONSE TO CYBER SECURITY INCIDENTS – CERT-RO COMPETENT AUTHORITY AT NATIONAL LEVEL FOR THE SECURITY OF COMPUTER NETWORKS AND SYSTEMS

 

CERTIFICATE

FOR CYBER SECURITY AUDITOR

Series/No. ……./…………….. of ……./……………../20……

 

In application of the provisions of art. 20 letter p) of Law no. 362/2018 on ensuring a high common level of security of networks and information systems, with subsequent amendments and completions, based on the provisions of art. 11 of the Regulation for the attestation and verification of cyber security auditors, approved by the Order of the Secretary General of the Government no. 559/2021, and based on the final evaluation report no. ……………. of ……./……/20……, drawn up by the competent authority at national level for the security of networks and information systems (ANSRSI),

……………………………………………………………………………………………………………………………………,

(name of the legal entity / name and surname)

with headquarters/domicile in …………………………………………………………….., county ……………………………………………., UID/CNP …………………………………….., RC/CI series/no. …………………………………., is certified as:

CYBER SECURITY AUDITOR

Registered in the National Register of Cyber Security Auditors under IDASC ………………

Period of validity: ………/………/20…….-……../……./20……..

TYPE OF CERTIFICATE: |_| general / |_| special / |_| common

Restrictions on the performance of special audit activities: |_| No / |_| Yes

Special audit activities the holder is qualified for: Source code audit [AS3] |_| No / |_| Yes; Penetration audit [AS4] |_| No / |_| Yes

 

General Manager, CERT-RO,

……………………………………………………….

(first name and last name, signature and stamp)


Manager, CERT-RO/ANSRSI,

……………………………………………………….

(first name and last name, signature)

The security audit activities covered by this regulation are:

a) architecture audit [AS1] – consists in verifying that the security measures related to the choice, positioning and implementation of hardware/software devices in the networks and information systems conform to the minimum security requirements and the internal policies of the economic operator. The audit may be extended to interconnections with third-party networks, including the Internet;

b) configuration audit [AS2] – consists in verifying that security measures are implemented in accordance with the state of the art, the minimum security requirements and the security policies regarding the configuration of the hardware/software components of the networks and information systems. These components may be, in particular, network equipment, operating systems (server or workstation), applications or security products;

c) source code audit [AS3] – consists in the total or partial analysis of the source code, or of the compilation conditions, of an application in order to discover vulnerabilities arising from inappropriate programming practices or logic errors that could affect the security of the networks and information systems;

d) penetration audit or penetration testing [AS4] – consists in identifying vulnerabilities in networks and information systems and verifying whether they can be exploited, as well as the impact of their exploitation on the network, under the real conditions of a cyber attack. The activity can be carried out either from outside the network (in particular from the Internet or from the interconnected network of a third party) or from inside the network, and must be performed in complementarity with the other audit activities, to improve their effectiveness or to demonstrate that the discovered vulnerabilities are in fact exploitable;

e) organizational security audit [AS5] – consists in auditing the organization's logical and physical security and seeks to ensure that the security policies and procedures defined by the economic operator (operator of essential services or digital service provider):

(i) comply with the security needs of the audited economic operator, the technological level and the standards in force;

(ii) correctly complement the technical measures implemented;

(iii) are effectively put into practice.

The cyber security auditor must also ensure that the physical aspects of the security of networks and information systems are adequately covered. This activity must be performed in complementarity with the other audit activities in order to improve their effectiveness;

f) industrial control systems audit [AS6] – consists in evaluating the security level of an industrial control system and its associated control devices. The assessment involves applying the audit activities from letters a) to e) of this article.

 

Security audit activities are divided into:

a) special activities: [AS3] and [AS4];

b) common activities: [AS1], [AS2] and [AS5];

c) mixed activities: [AS6].

Mixed activities include both special and common activities; the audit of industrial control systems therefore involves carrying out all the activities, both special and common.

For each audit activity, the cyber security auditor delivers an audit report containing recommendations.

National Register of Cyber Security Auditors:

 

CERT-RO constitutes, at the level of the competent authority at national level, the National Register of cyber security auditors, which is constantly maintained and updated.

 

The Register is kept in electronic format, organized according to the attestation types presented in art. 6 para. (2) (general, special or common), and includes data and information on the cyber security auditors subject to attestation, revocation or suspension of the cyber security auditor certificate.

 

In order to inform operators of essential services, digital service providers and the regulatory and administrative authorities of the sectors and subsectors, the competent authority at national level draws up, permanently updates and publishes on its website, on the basis of the National Register of Cyber Security Auditors, the list of cyber security auditors.

 

The issuance, revocation and renewal of cybersecurity auditor certificates are recorded by the competent authority at national level in its own records / databases.

 

Legal basis:

OSGG 559/2021 on the approval of the Regulation for the attestation and verification of cyber security auditors;

Law no. 362/2018 on ensuring a high common level of security of networks and information systems (the NIS Law).