- Kateřina Kubíková
With the new Cyber Security Act, companies will have to deal with the mandatory roll-out of new security roles. What are these roles and what will their responsibilities be?
Security roles in the higher and lower regime
The new Cyber Security Act is due to be effective at the beginning of next year, 2025, and companies and organisations that will be regulated under the regime of higher obligation will have to roll out these roles: cybersecurity manager, cybersecurity architect, cybersecurity auditor and asset guarantors. Senior management will have to designate these individuals. This is specified for the regime of higher obligation in draft Section 14(1)(a)(3) of the Cyber Security Act. The obligation is an organisational measure. The security roles will then be further detailed in the Decree on security measures of the regulated service provider in the regime of higher obligation.
If your company self-identifies that it meets the criteria of the regime of lower obligation, it must have a so-called cybersecurity officer and asset guarantors. This is based on the definition of security roles for the regime of lower obligation in draft Section 14(2)(a), (c) and (e) of the Cyber Security Act and also on the Decree on security measures of a regulated service provider in the lower regime. Under the lower regime, the asset guarantor is not explicitly mentioned as a mandatory security role. However, in the context of asset management, it is indispensable and therefore companies should not forget about it even in this regime.
Each of these security roles must meet the requirements set out in the Decree and it is recommended that the Annex to the Decree, which further elaborates on these roles, is followed. It is up to the discretion of each company whether to implement the roles internally or to outsource the roles, as it may well be that there is no one in the company who meets the criteria. In any case, it is recommended that the persons in charge of the role fulfil the criteria that will be set out in the annexes to the decrees to the new Cybersecurity Act. Read more about the individual roles below.
Cyber Security Manager
According to the new cyber law, the cyber security manager is a critical security role. It is a person who will be responsible for compliance with the rules of information security sharing, is trained for this activity and demonstrates professional competence by work experience (at least 1 year) or by studying at university.
Their task is to be responsible for the overall state of cyber security. The person should have a good overview of the company and a comprehensive knowledge not only of the ICT area but also of the overall operations, in order to support business continuity (BCP, DRP). Furthermore, he/she should be able to manage risks and interpret the results of risk management to top management.
A cyber security manager may not be delegated roles responsible for the operation of the regulated service or be responsible for the operation of the company's information and communication system. The necessary authority, accountability and budget must be in place to properly perform this role.
In general, we can summarize that the cyber security manager:
- plans and implements security measures,
- is responsible for the state of security documentation,
- is responsible for informing top management about the information security management system,
- monitors the effectiveness and appropriateness of security measures,
- coordinates the asset and risk management process,
- coordinates the management of security incidents, and
- submits a risk management plan and a statement of applicability to the Cybersecurity Management Committee.
In practice, the role of the cyber security manager can be illustrated with change management.
The first stage of the process is to create a change request. The objective of this phase is to define the detailed scope of services and/or other resources that are the content of the request. Subsequently, the cyber security manager, in collaboration with the cyber security architect or the asset guarantor and the initiator of the request, will review the potential impact of the change on the information and cyber security of the organisation. The cyber security manager thus plays a key role in change management, including the decision on whether to perform penetration testing of significant changes, and in developing the testing plan for a significant change, where the cyber security manager works with the guarantor of the asset affected by the change or with the vendor.
Cyber Security Architect
The design and implementation of security measures is the task of the cybersecurity architect. The architect is responsible for the design of the secure architecture of the regulated service (e.g. from infrastructure to application-level security) and its implementation in practice. There may be multiple architects in an organisation who specialise in different areas.
The cybersecurity architect should have experience in security measures and should also have at least one year of experience in the field. At the same time, the architect cannot be the person responsible for the operation of the company's information and communication systems.
The role of the cyber security architect carries in particular the following rights and obligations. The architect:
- is responsible for the conceptual management of the security architecture in the field of cyber security,
- inspects, evaluates and tests the functionality of the security measures in place,
- develops test procedures and appropriate acceptance criteria for implementing changes,
- defines security requirements at the architectural level for the design, development, testing and implementation of new information and communication systems and for the modification of existing ones,
- is responsible for ensuring the design for the implementation of security measures,
- reviews proposed security, corrective and reactive measures,
- communicates, collaborates and provides assistance to ISMS security roles in the design and implementation of rules and security measures,
- issues opinions on security measures, and
- analyses the ISMS architecture and its individual components, including their interrelationships, and is responsible for the creation and maintenance of the process-organisational and application model of the information security architecture.
Cyber Security Auditor
The cyber security auditor is responsible for conducting cybersecurity audits. Their role is to assess the compliance of implemented security measures with requirements, provide independent feedback on the effectiveness of the information security system, and prepare conclusions and documentation of results.
The auditor must be familiar with the relevant legislation, processes and internal audit procedures of the company. To perform this role it is required to demonstrate competence and have a minimum of one year's experience. The cyber security auditor must not be assigned to roles responsible for the operation of a regulated service or be responsible for the operation of information and communication systems.
The role of the cyber security auditor is separate from other security roles and is not compatible with roles responsible for the operation of information systems. The cybersecurity auditor:
- is responsible for conducting an impartial cybersecurity audit,
- shall not be a permanent member of the Cybersecurity Management Committee, but shall be entitled to attend meetings of the Cybersecurity Management Committee and to request minutes of meetings,
- assesses the compliance of implemented security measures in the company with best practice, legal regulations, internal management acts, other regulations and contractual obligations related to the company's ISMS,
- reviews the technical compliance of cyber security measures and makes recommendations to ensure compliance with legislative requirements.
The Asset Guarantor
The asset guarantor ensures that a company's assets are protected against various threats such as cyber-attacks, phishing, loss, theft or damage to assets or physical security breaches, in particular by defining security requirements.
This security role is responsible for ensuring the development, use and security of the asset. The Asset Guarantor typically works with other company departments such as IT, legal and management to ensure effective asset protection and compliance with relevant regulatory requirements.
The asset guarantor role cannot be outsourced. Ideally, this role should be delegated to an internal person who is "in charge" of the company's assets. A company typically has multiple assets and therefore multiple guarantors. This is because asset guarantors are determined based on their job title and on the process and expertise related to the asset. For asset management purposes, the asset guarantor must be able to evaluate the asset on the basis of the potential impacts.
The asset guarantor:
- is responsible for ensuring the development, use and security of the asset,
- provides assistance to the cyber security manager in analysing risks and impacts for the asset,
- determines the value of the asset in terms of confidentiality, integrity and availability,
- establishes general security requirements and concepts (e.g. required recovery times, asset access matrix or other requirements for safe use, operation and development) for the asset based on the classification,
- approves proposed security rules and measures addressing security requirements for the asset, and
- informs the cyber security manager of any changes to the asset that may or do affect the value of the asset.
The Person Responsible for Cyber Security
In the regime of lower obligation the roles of cyber security manager, cyber security architect and cyber security auditor do not exist. However, companies are required to designate a person responsible for cyber security. This role is part of the companies' obligations under the minimum cybersecurity assurance regime; it is not a separate obligation as in the case of the higher regime.
The person in this role must complete training without undue delay, which will have both theoretical and practical components, and must demonstrate competence in cyber security.
The person responsible for cyber security maintains current security policies, carries out information security control activities and provides methodological guidance, and is thus responsible for the implementation of security measures. This role then, among other things, submits the security awareness development plan to the company's management for approval. This plan is then evaluated.