COUNTRY: CYPRUS
Cyprus adopted a national cybersecurity strategy in
2013. It includes a commitment to update key elements
of the legal framework for cybersecurity. Cyprus also
is working toward the establishment of a national
computer emergency response team (CERT), which is
QUESTION
expected to be operational in 2015. The country has also
taken an interest in sector-specific approaches to the
management of cybersecurity, with a potential focus on
the energy and financial services sectors.
RESPONSE EXPLANATORY TEXT
LEGAL FOUNDATIONS
1. Is there a national cybersecurity
strategy in place?
4
2. What year was the national
cybersecurity strategy adopted?
2013
3. Is there a critical infrastructure
protection (CIP) strategy or plan in
place?
6
The Cybersecurity Strategy of Cyprus was adopted in February 2013. As of August
2014, however, the contents of the strategy have not been made available to the
public.
Cyprus does not have a critical infrastructure protection strategy or plan in place.
The critical infrastructure protection in general is under the responsibility of the
Ministry of Interior and Civil Defence. <www.moi.gov.cy> Critical information
infrastructure protection is under the responsibility of the Office of the Commissioner
of Electronic Communications and Postal Regulation (OCECPR). <www.ocecpr.org.
sy> The work under the critical information infrastructure protection project is in
progress as of August 2014.
The academic sector, particularly the KIOS Research Centre for Intelligent System
and Networks <www.kios.ucy.ac.cy> at the University of Cyprus, has published
numerous research papers on Cypriot critical infrastructure.
4. Is there legislation/policy that
requires the establishment of a
written information security plan?
6
There is no legislation or policy in place in Cyprus that requires the establishment of
a written information security plan.
Cyprus classifies sensitive information against a four-tiered classification system,
however, there is no legislation or policy requiring the classification of particular data.
5. Is there legislation/policy that
requires an inventory of “systems”
and the classification of data?
6. Is there legislation/policy that
requires security practices/
requirements to be mapped
to risk levels?
6
Cyprus does not map specific security practices or requirements to risk levels.
7. Is there legislation/policy that
requires (at least) an annual
cybersecurity audit?
6
There is no legislation or policy in place in Cyprus that requires (at least) an annual
cybersecurity audit.
8. Is there legislation/policy that
requires a public report on
cybersecurity capacity for the
government?
6
There is no legislation or policy in place in Cyprus that requires a public report on
cybersecurity capacity for the government.
9. Is there legislation/policy that
requires each agency to have a
chief information officer (CIO) or
chief security officer (CSO)?
6
There is no legislation or policy in place in Cyprus that requires each agency to have
a chief information officer or chief security officer.
10. Is there legislation/policy that
requires mandatory reporting of
cybersecurity incidents?
4
Cyprus has passed the Subsidiary Administrative Act Number 371/2013 that requires
mandatory reporting of cybersecurity incidents.
11. Does legislation/policy include an
appropriate definition for “critical
infrastructure protection” (CIP)?
6
Cypriot legislation does not have an appropriate definition for “critical infrastructure
protection”.
EU Cybersecurity Dashboard
The introduction of such a policy may occur in light of action in the Cybersecurity
Strategy of Cyprus to introduce a national security policy.
www.bsa.org/EUcybersecurity
|
1