Requirements for closed electronic information systems

An electronic information system is closed if:

1. The information system provides closed, comprehensive, continuous and risk-proportionate protection of the confidentiality, integrity and availability of all data it handles, and ensures the integrity and availability of the elements of the information system (see Act L of 2013, hereinafter IBTV, Section 1 point 15), with the following interpretations:

  • closed protection: protection that accounts for all potential threats (IBTV Section 1 point 48);
  • comprehensive protection: protection that covers every element of the information system (IBTV Section 1 point 44);
  • continuous protection: protection that keeps operating without interruption under changing conditions and circumstances (IBTV Section 1 point 21);
  • risk-proportionate protection: protection of the information system where the cost of protection is proportionate to the financial damage the threats could cause (IBTV Section 1 point 31).

A detailed description of the common standards that satisfy these requirements can be found in Annexes 3 and 4 of the information-security-related Regulation No 41/2015 (VII. 15.) of the Ministry of Interior.

2. Besides the general protection requirements described above, the following must be ensured throughout the complete life cycle of the information system's operation:

  • general users (human and programmed entities) and privileged users (those granted special rights, e.g. system administrators) may access the protected information, and the elements of the system that handle it, only according to their strictly regulated roles, which also specify the activities these entities may initiate; only the defined privileged users may grant access to others, according to their regulated roles and in a well-monitored manner;
  • with the aid of appropriate technical and procedural solutions, the system monitors every change to the protected information and ensures that not even the general and privileged users with access to the information can delete or modify the logs or other records that allow activities to be monitored;
  • all external interfaces of the information system are regulated and controlled;
  • the regulations and procedures guarantee that the system's security level is maintained continuously (system updates, operation, etc.).
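The first two requirements above (role-bound access and a log that not even privileged users can alter unnoticed), as an added illustration that is not part of the regulation: a constructed role table gates every action, each attempt is recorded whether allowed or refused, and the log is hash-chained so that a later edit or deletion of an entry is detectable. The roles, users and records are hypothetical.

```python
import hashlib
import json
# Constructed role table (hypothetical, not from the Act): the actions
# each role may initiate on protected records.
ROLES = {"reader": {"read"}, "editor": {"read", "update"},
         "admin": {"read", "update", "grant"}}
GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained log: each entry commits to the previous
    entry's hash, so editing or deleting an entry breaks the chain."""

    def __init__(self):
        self.entries = []

    def append(self, user, role, action, target, allowed):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"user": user, "role": role, "action": action,
                "target": target, "allowed": allowed, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def head(self):
        # Anchor this value outside the system (e.g. with an independent
        # auditor): the chain alone cannot detect truncation of the tail.
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """-1 if intact; otherwise the index of the first broken entry, or
        len(entries) when the chain is intact but the head does not match."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return -1

def act(store, log, user, role, action, target, value=None):
    """Enforce the role table and log every attempt, refused ones included."""
    allowed = action in ROLES.get(role, set())
    log.append(user, role, action, target, allowed)
    if allowed and action == "update":
        store[target] = value
    return allowed
```

Chaining detects edits and deletions inside the log; removal of the newest entries is only caught when the head hash has been recorded somewhere the system's own users cannot change it.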