25 Feb, 2021

Information and Communication Security Guidelines of Practice

More than 7 months have passed since the publication of the "Information and Communication Security Guide" by the Presidency's Digital Transformation Office. Institutions within the scope should be in the phase of implementing the measures as of February.

Which Institutions Does It Cover?

The scope of the guide is specified as: “It covers institutions and organizations within the government organization and businesses that provide critical infrastructure services, which have an IT unit or receive data processing services from third parties within the framework of contracts.” The Digital Transformation Office details the scope as follows: the Circular covers all public institutions and organizations, and enterprises providing public services in the critical infrastructure sectors of "Electronic Communication", "Energy", "Water Management", "Transportation", "Banking and Finance" and "Health".

What Needs to be Done?

Determination of Criticality of Assets

Institutions covered by the guide are expected to group the information assets they own within the first 6 months, using the “Annex C.1: Asset Group Critical Rating Questionnaire”, as follows.

If the survey result is less than 18: 1st Degree Asset.
If the survey result is between 18 and 28: 2nd Degree Asset.
If the survey result is higher than 28: 3rd Degree Asset.

Gap Analysis

After the asset groups are determined, the measures currently applied to the assets are compared with the measures specified in the guide, and a gap analysis is expected to be made on the "Annex-C.3: Current Situation and Gap Analysis" form specified in the guide. The Current Situation and Gap Analysis must be done within 6 months from July 2020.

Guideline Implementation Roadmap

The measures to be implemented according to the results of the gap analysis are expected to be planned with “Annex C.4: Guideline Implementation Roadmap Determination Form”.

Implementation of Measures

After the measures to be implemented are determined, the following periods have been given:
⦁ 18 months from July 2020 for the implementation of measures with a criticality rating of 1
⦁ 21 months from July 2020 for the implementation of measures with a criticality rating of 2
⦁ 24 months from July 2020 for the implementation of measures with a criticality rating of 3

After the measures are implemented, project progress reports are expected to be prepared periodically.

Information and Communication Security Internal Audit

After the measures are implemented, an annual Information and Communication Security Internal Audit should be conducted and the audit reports should be submitted to the Presidency Digital Transformation Office.

Time is running out

Implementing the guide involves comprehensive and time-consuming measures, and for institutions that have not yet taken action, the risk of missing the deadline increases with each passing day.

 

