On August 17, the Official Gazette published Decree No. 27 of the Ministry General Secretariat of the Presidency, which establishes technical standards for information security and cybersecurity in accordance with Law No. 21,180 on Digital Transformation of the State. The standard seeks to define the standards and technical guidelines that the bodies of the State Administration must comply with to guarantee the confidentiality, integrity and availability of information, as well as the security of the IT infrastructure that supports administrative procedures on electronic platforms.
Among the key aspects of this standard are:
Initial diagnosis: Each organ of the State Administration must perform an initial diagnosis of the cybersecurity status of its electronic platforms, following the technical guidelines mentioned in the standard.
Information security and cybersecurity policy: Each agency is required to develop a policy approved by the Senior Service Chief. This policy must establish general guidelines on information security and cybersecurity, ensuring the protection of software, hardware, systems and data components.
Technical guide: To facilitate the implementation of the standard, the Digital Government Division of the Ministry General Secretariat of the Presidency will issue one or more technical guides that will establish the detailed operational aspects and processes.
These technical guides will focus on the following points:
– Identification function: the activities and processes needed to properly identify and manage information security and cybersecurity risks will be described. This will cover the context of the State Administration body, governance, information asset management, risk management and relationships with cloud service providers.
– Protection function: This will detail the processes and activities to ensure security measures in the provision of services, including management of servers, networks, authentication, access control and data security.
– Detection function: The processes and actions to detect security incidents, including event analysis to identify anomalies, continuous security monitoring and the establishment of detection processes will be described.
– Response function: The processes and activities required to take technical and organizational measures once a security incident has been detected shall be detailed. This will include planning, communication, analysis, mitigation and improvements to the response.
– Recovery function: Processes and actions to maintain recovery plans and restore capabilities affected by security incidents shall be described.
The implementation of the standard will follow the gradual plan established in Decree with Force of Law No. 1 of 2020, which contemplates a preparation phase for state agencies from 2022 to 2023, and extends towards full implementation during the years 2026 and 2027.
The standard must be reviewed and updated at least every two years, incorporating lessons learned and good practices.
The importance of a constant review of internal cybersecurity systems, practices and data protection policies lies not only in the prevention of possible cyber-attacks, but also in safeguarding against criminal liability established in Law No. 20,393 on Criminal Liability of Legal Entities for computer and related crimes.