Summary of the Information Security Requirements and Data Protection Measures of the State Data Governance Information System of the State Data Agency
General provisions
Information is an asset strategically important for the activities of the State Data Agency (hereinafter referred to as the “Agency”), so its loss, illegal disclosure, damage or interruption of information processing may cause serious disruptions to the Agency’s activities. In view of this, the Agency has high requirements for information security.
The Summary of the Information Security Requirements and Data Protection Measures of the Agency’s State Data Governance Information System (SDG IS) is a document describing the main information security provisions, information security and management principles to ensure the security of the information managed by the Agency.
The Summary is intended for the Agency’s civil servants and employees working under employment contracts, suppliers of goods and services necessary for the functioning of SDG IS, and other interested parties.
Information Security Management System
The Agency’s information security requirements shall be ensured and managed through the consistent planning, implementation, evaluation and improvement of the Information Security Management System (ISMS). The Agency’s Information Security Management System is certified to LST EN ISO/IEC 27001:2017. The certificate confirms that the Agency’s information security policy is effective, that information security principles are implemented and that information systems are used properly.
The objective of the Agency’s ISMS is to protect all verbal, written and electronic information received, sent, created, managed and used by the Agency from potential threats, whether external, internal, intentional or accidental, that could affect the Agency’s operations and image.
The Agency continuously improves the effectiveness of ISMS by conducting comprehensive annual risk assessments, by organising internal audits of ISMS, by identifying and eliminating non-compliances, by carrying out corrective actions on ISMS, and by discussing information security issues in meetings.
Implementation of information security requirements
The Agency’s information security policy applies to all of the Agency’s business processes and covers verbal and written information, information systems, computer networks, physical environment, civil servants and employees working under employment contracts, other persons who lawfully manage the SDG IS information or provide other IT services to the Agency.
Information security in the Agency is based on:
- the principle of confidentiality – the Agency shall ensure that data are accessible only to the intended users;
- the principle of integrity – the Agency shall ensure that data have not been altered in an unauthorised way during storage or transmission;
- the principle of availability – the Agency shall ensure that the data are received within a reasonable period of time.
As the electronic information contained in SDG IS constitutes important information resources of the State, the electronic information managed in SDG IS is classified as electronic information of critical importance.
At the Agency, data protection is governed by the following security documents approved by the Director General of the Agency:
- The SDG IS Data Security Regulations;
- The rules for the secure management of electronic information in SDG IS, including the SDG IS end-user commitment on protection of data and proprietary information;
- The rules for the SDG IS user administration;
- The SDG IS Continuity Management Plan;
- The SDG IS Cyber Incident Management Plan;
- the Agency’s ISMS Manual;
- other internal legal acts governing information security, cyber security and the protection of personal data within the Agency.
All employees and trainees of the Agency shall sign the SDG IS end-user commitment on protection of data and proprietary information.
Information security training shall be regularly organized for the Agency’s employees.
The SDG IS users shall have the obligation:
- To comply with the organisational and technical cyber security requirements applicable to cyber security entities and with the requirements of this Summary;
- To use the SDG IS electronic information only to perform work functions;
- To ensure the confidentiality and integrity of the SDG IS electronic information used and managed by them, and to ensure that their actions do not disturb the availability of the SDG IS electronic information;
- Upon finishing the work or leaving the workplace, take measures to prevent unauthorized persons from accessing the SDG IS electronic information.
In case of any malfunction or security incident in SDG IS, the users are obliged to immediately report it to the Agency’s Helpdesk by email [email protected] or by phone +370 652 85456, and to the person responsible for the contract (if the relationship is based on a contract between the Agency and a third party). In the event of a malfunction of the Data Management Platform subsystem, additional notification shall be provided to the staff responsible for the maintenance of the Platform by email [email protected].
In order to protect information and personal data from unauthorised disclosure or destruction, in case of suspicions of a user’s actions and in order to minimise potential damage, the Agency shall have the right to monitor the user’s actions without prior notice to the user, and to restrict the user’s rights to use SDG IS.
The right of the SDG IS user to work with specific SDG IS electronic information shall be suspended immediately in case of his/her removal from work, a pre-trial investigation of his/her activities, etc.
Each SDG IS user shall be granted only such access to data as is necessary for the performance of his/her tasks.
All personal data shall be encrypted or depersonalised.
Only legal software shall be used and only authorised persons may install or remove it. The use of software on the computers of the SDG IS users that is not related to their direct activities and functions is prohibited.
The Agency has a permit regime system in place to control access to the Agency’s premises.
In order to ensure the safety of the Agency’s employees, visitors, buildings (premises) and their assets, as well as the data managed by the Agency, video surveillance is carried out in the Agency.
All computers have a login password. A password-protected screen saver shall be activated automatically after 15 minutes when an SDG IS user leaves the workplace.
The SDG IS users must use all physical security measures to protect their computers from theft or damage.
The workplaces of the SDG IS users are subject to a “clean desk” policy, thus the SDG IS users must comply with the following requirements:
- A password-protected screen saver shall be turned on when leaving the workplace even for a short time;
- After finishing the work, the programme windows shall be closed and the computer shall be switched off;
- The SDG IS users who work remotely may leave their computers turned on with a password-protected screen saver;
- After finishing the work, the documents and data media containing confidential data or restricted information shall not be left on the table but shall be placed in drawers, cabinets or shelves;
- The SDG IS user’s desktop, including computer desktops, shall not be used to store documents and files containing confidential data or restricted information.
The SDG IS user passwords shall meet the following requirements:
- The password must consist of letters, numbers and special characters. The password must be at least 8 characters long;
- Passwords shall not use personal information and shall not be linked to the names, surnames, personal identification numbers, dates of birth or other similar easily guessable information related to the employee or his/her family members;
- The SDG IS user passwords must be kept secret. They may not be disclosed to other employees or to third parties;
- If an SDG IS user enters an incorrect password 3 times in a row, the SDG IS user account shall be locked for at least 15 minutes;
- The password must be changed at least every 60 days.
In the case of the SDG IS Data Management Platform Subsystem, a two-factor authentication mechanism is mandatory for all users.
It is forbidden to keep the written passwords near the computer or in any other place and form accessible to other persons.
The use of the IDs and passwords of other persons is strictly prohibited. Each SDG IS user shall be responsible for the actions of another person if his/her ID and password were used due to the fault of the SDG IS user.
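The password and account-lockout rules above are stated as policy; the following is an added illustration (not part of the Summary and not the Agency's own code) of how an application enforcing SDG IS access could check them at password-change and login time. The function and class names, the violation codes, and the injected clock are assumptions made for the example; the thresholds (8 characters, three failed attempts, 15-minute lockout, 60-day maximum age) are taken from the Summary. The personal-information check works on substrings the caller supplies (names, birth date fragments, identification numbers), since the policy forbids passwords linked to such data.

```python
import re

# Thresholds taken from the Summary's password requirements.
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 3
LOCKOUT_SECONDS = 15 * 60
MAX_PASSWORD_AGE_SECONDS = 60 * 24 * 60 * 60


def password_policy_violations(password, personal_info=()):
    """Return a list of violation codes; an empty list means the password is acceptable.

    personal_info is an iterable of strings that must not appear in the password
    (e.g. first name, surname, birth year, personal identification number).
    Matching is case-insensitive and ignores fragments shorter than 3 characters,
    which would otherwise produce spurious hits on single letters or digits.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if not re.search(r"[A-Za-z]", password):
        violations.append("no_letter")
    if not re.search(r"[0-9]", password):
        violations.append("no_digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no_special_character")
    lowered = password.lower()
    for item in personal_info:
        fragment = str(item).strip().lower()
        if len(fragment) >= 3 and fragment in lowered:
            violations.append("contains_personal_info")
            break
    return violations


def password_expired(last_changed, now):
    """True when the password is older than the 60-day maximum (timestamps in seconds)."""
    return (now - last_changed) > MAX_PASSWORD_AGE_SECONDS


class LockoutTracker:
    """Per-user failed-attempt counter implementing '3 failures -> locked for 15 minutes'.

    The clock is injectable (assumption for testability); production code would
    pass time.time. State is kept in memory here; a real deployment would persist it.
    """

    def __init__(self, now):
        self._now = now
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> timestamp when the lock expires

    def is_locked(self, user):
        return self._now() < self._locked_until.get(user, 0)

    def record_failure(self, user):
        """Count a failed login; on the third consecutive failure start the lockout."""
        count = self._failures.get(user, 0) + 1
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_until[user] = self._now() + LOCKOUT_SECONDS
            self._failures[user] = 0  # counter restarts once the lock expires
        else:
            self._failures[user] = count

    def record_success(self, user):
        """A successful login clears the consecutive-failure counter."""
        self._failures.pop(user, None)

    def attempt_login(self, user, password_correct):
        """Return 'locked', 'ok' or 'denied'; a locked account is refused even with the right password."""
        if self.is_locked(user):
            return "locked"
        if password_correct:
            self.record_success(user)
            return "ok"
        self.record_failure(user)
        return "denied"


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    print(password_policy_violations("Vilnius#2024", personal_info=["Jonas", "Jonaitis", "1985"]))
    print(password_policy_violations("jonas1985", personal_info=["Jonas", "Jonaitis", "1985"]))
```

The lockout counter is reset when the lock is applied, so that after the lock expires a user starts again from zero failures rather than being re-locked on the next single mistake; whether that is the desired behaviour is an implementation choice the Summary leaves open, which is why it is a parameterised class rather than a fixed rule.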
The persons responsible for the performance of the contract must communicate this Summary to the supplier.
Suppliers must ensure compliance with the minimum organisational and technical cyber security requirements for cyber security entities set out in the Description of Organisational and Technical Cyber Security Requirements for Cyber Security Entities approved by Resolution No. 818 of 13 August 2018 of the Government of the Republic of Lithuania “On Implementation of the Law on Cyber Security of the Republic of Lithuania”, as well as the LST EN ISO/IEC 27001:2017 standard and other legal and normative acts, and must comply with the requirements of the Law on Cyber Security, the Description of Technical Requirements for the Electronic Information Security of the State Registers (Cadastres), Departmental Registers, State Information Systems and Other Information Systems, approved by Order No. V-941 of 4 December 2020 of the Minister of National Defence of the Republic of Lithuania. Suppliers shall comply with all these obligations and requirements insofar as they relate to the services provided, including, but not limited to, compliance with organisational and technical cyber security requirements and responsibilities for cyber security, timely and compliant handling of cyber incidents and disruptions, and compliance with cyber security measures set out in legal acts.
The requirements for suppliers are laid down in advance in data or service contracts.
The services provided by suppliers are monitored and supervised in accordance with the contractual arrangements.
The SDG IS administrators shall grant the supplier only such access to the SDG IS software, technical and other resources as is necessary to perform the SDG IS development, modernisation and/or maintenance and other information technology services, and only to the extent necessary for the provision of the services provided for in the contracts.
Information shall be transmitted over electronic communication networks using only an encrypted communication channel.
Upon expiry of the contract with the provider, the SDG IS administrators shall immediately cancel the access to the SDG IS resources granted to that provider.
Last updated: 13-12-2023