You are on page 1of 30

Human Rights Alert (NGO)

Joseph Zernik, PhD "


PO Box 33407, Tel Aviv, Israel 6133301 ",33407 "
Fax: 077-3179186 Email: joseph.zernik@hra-ngo.org

[]
September06,2017

NameUnknown,HeadoftheNationalCyberSecurityAuthority
PrimeMinister'sOffice
Bybyemail:team@cert.gov.il

RE:StandardsandregulationinCyberSecurity
Yourresponsewithin45daysiskindlyrequestedpursuanttotheAdministrative
ProcedureReformAct(1958).
DearNameUnknown:
AttachedpleasefindmyAugust30,2017inquirywithDrEviatarMatania,Headof
theNationalCyberBureau,andtheSeptember05,2017responsebyhisoffice,which
referredmetoyou.
TheHebrewNationalCyberSecurityAuthorityHebrewwebpage[1]inpartstates,
theAuthorityguidescriticalstateinfrastructureentities.(TheEnglishwebpage[2]
ismateriallydifferentonthispoint.)Therefore,Iaddtomyattachedinquirythe
followingquestions:
1. Whatisthelegalfoundation,ifany,fortheNationalCyberSecurityAuthoritys
guidingauthority,relativetocriticalstateinfrastructureentities?
2. IstheNationalCyberSecurityAuthorityauthorizedtoguideandcertifythe
CentralElectionCommitteerelativetoitsITsystems?
3. IstheNationalCyberSecurityAuthorityauthorizedtoguideandcertifythe
KnessetrelativetoitsITsystems?
4. IstheNationalCyberSecurityAuthorityauthorizedtoguideandcertifythe
Courtsand/ortheAdministrationofCourts,relativetotheirITsystems?
5. IstheNationalCyberSecurityAuthorityauthorizedtoguideandcertifythe
executivebranchministriesITsystems,suchasMinistryofJusticeandPrison
Service,relativetotheirITsystems?

1
https://www.gov.il/he/Departments/national_cyber_security_authority
2guidanceforallcivilianentitiesaswellasallcriticalinfrastructuresintheIsraeli
economy
NationalCyberSecurityAuthoritywebpage
https://www.gov.il/en/Departments/national_cyber_security_authority

1/3
Truly,

JosephZernik,PhD
)HumanRightsAlert(NGO

CC:ShinBetHeadNadavArgaman,Widedistribution
Attachments:
A.MyAugust30,2017inquirywithDrEviatarMatnia
1)Undated:StandardsandRegulationinCyberSecurity
2)August30,2017FOIArequest,filedwiththeCentralElectionCommittee
B.NationalCyberBureauSeptember05,2017response
_________________________________________________________________________
062017,

,

"team@cert.gov.il:

:
(,
)




45,



.1958
,
30,2017,
06,2017,.
[1]"
",:
.1,,
""?
.2
?
.3
?
.4
/?
.5
,,?
,

'

2/3
HumanRightsAlertNGO

:",
:
.302017,
(1":"
(2292017
.052017,

3/3
Human Rights Alert (NGO)
Joseph Zernik, PhD "
PO Box 33407, Tel Aviv, Israel 6133301 ",33407 "
Fax: 077-3179186 Email: joseph.zernik@hra-ngo.org

[]
August30,2017

EviatarMatania,PhD,HeadoftheNationalCyberBureau
PrimeMinister'sOffice
Bybyemail:sigalM@pmo.gov.il,reuta@pmo.gov.il,ArielC@pmo.gov.il

RE:StandardsandregulationinCyberSecurity
Yourresponsewithin45daysiskindlyrequestedpursuanttotheAdministrative
ProcedureReformAct(1958).
DearDrMatania:
AninternetpublicationbytheNationalAuthorityforCyberSecurityhasbeen
recentlybroughttomyattention.Itstitleis:StandardsandRegulationinCyber
Security(attached).Therecordisnotmarkedasaspokespersonspublication,it
failstospelloutthenameandauthorityofitsauthor,isunsigned,undated,andfails
toshowanyreferencenumber.
Obviously,acentralproblemincybersecurityofgovernmentinIsraelisthe
proliferationofinternetpublicationsbyvariousgovernmentauthorities,whichare
notvalidauthorizedrecords,butmerelydrafts(calledbymediafabrications).
Therefore,Ihereinrequestclarificationregardingtheabovereferenceddocument:
a)Thenameandauthorityofitsauthor.
b)Thenameandauthorityoftheperson,whoapproveditsonlinepublication.
Therecordconcludesbystating:TheAdministrationandProfessionalTraining
DivisionoftheNationalAuthorityforCyberDefense[sicjz]isnowworkingon
definingtheprofessionsandbuildingaprogramfortraininganddocumentationof
suchprofessionsintheIsraelimarket.Inthiscontext,IattachaFreedomof
Informationrequest,whichwasfiledwiththeCentralElectionCommittee,requesting
documentationofcomplianceoftheCommitteesITsystemswithexisting,effectual
InformationSecurityStandards.
Therefore,Ihereinrequestclarificationregardingtheabovereferenceddocument:
c)WilltheNationalAuthorityforCyberDefenseactasstatedintheabove
referenceddocumentonlyrelativetotheIsraelimarket,oralsorelativeto
governmentauthorities?
Truly,

JosephZernik,PhD
HumanRightsAlert(NGO)

2/1
CC:ShinBetHeadNadavArgaman,Widedistribution
Attachments:1)Undated:StandardsandRegulationinCyberSecurity
2)August30,2017FOIArequest,filedwiththeCentralElectionCommittee
_________________________________________________________________________
302017,

,

"sigalM@pmo.gov.il,reuta@pmo.gov.il,ArielC@pmo.gov.il:

:
(,
)




45,



.1958
,
" ",
"")(.,
,,,
.
,
,,
"")"(.
,":
(.
(.
":
][
.,,
,,
,.
,":
(""""",
.
,

'
HumanRightsAlertNGO

:",
(1:":"
(2292017

2/2
"
-1-


, , . ,
, , ,
.

" ,

. .

, ,
:

.1 ,

.
. ,
, ,
.

.

- .1.1

.2017
, ,

. 1.0 .2017

, 1995

( 3-5) . ,
, .

( ) , 7809"2017-

36 ," 1981-
( ) 7809 ,
"
-2-

. , (")


, ," .1981- 357
" " , 361 " " 355 "
"

- ,
() ," .1981- 2016 " "
,
.

27000 )International Organization for Standardization( ISO


" )International Electro-technical Commission( IEC-
- , .

' .

.1.2

ISO/IEC 27000

( ISO ") ( IEC- -)


,
45 - . . ISO
-27001 -ISO 27002
.ISO 27001

SOX

( )2002
. 404 ,
. " .
"
-3-

PCI-DSS

. ,
, , .
, .

CSA

Cloud Security Alliance


"" , 25 -
"" , )(Security, Trust and Assurance Registry
STAR "" .CCM

NIST

,The National Institute of Standards and Technology ()


.
NIST Special Publication 800-53 -
NIST Special Publication 800-30 .

ITIL

Information Technology Infrastructure Library ,


( )IT ,
. ITIL - OGC ,
.ITSMF

CobIT

Control Objectives for Information and Related Technologies


. ,
" ISACA , ,
.
"
-4-

" " ,
" HIPAA-HHS DHS-CYBERSCURITY
GDPR

)(The EU General Data Protection Regulation

.2 ,

( Common Criteria -" 15408


)ISO
.

.


.

.3 , ( )

.

.

:
.
(') . ,
"
:

, ,
'
, , , '.
"
-5-

, '.

, " , ( ).
.

, SANS , ICS2 Microsoft ,Cisco


.


.
"
-6-

'

" / #

, ISO/IEC 2701 1
0
" ISO/IEC 27000 ( 27000 27010: - ISO/IEC
,)family - 27XXX
2012
.
Information technology
Security techniques
, , Information security
- management for inter-sector
-.
and inter-organizational
communications
, ,
- ,
. ,

,
.

ISO/IEC 2701 2
, 4
, 27014:
Information technology
2013
()communicate Security techniques
. Governance of information
security
.

ISO/IEC 2703 3
, 2
27032:
, :
2012
Information technology
- ; Security techniques
- ; Guidelines for Cybersecurity

- ( ;)internet security

- (.)CIIP


( .)Cyberspace
:

- ;

-
;
"
-7-

" / #

-
;

-
;

-
.

ISO/IEC - 2703 4
. - : 3
27033-
1
1: 2009
[ Information technology --
, Security techniques --
,/
Network security: Overview
,
and concepts
(.])communication links


, .

,
( )administrators
/
, ,

.
,
.
, :

-
,
;

-

,

;

-
,
,
""
(
" )27033

,
.

,
" 27033"
" .
"
-8-

" / #

, ISO/IEC - 2703 5
. 27033- - : 3

2: 2012 2

Information technology --
Security techniques --
Network security : Guidelines
for the design and
implementation of network
security

, ISO/IEC - 2703 6
27033- - : 3
. , ,
, 3: 2010 3

( )mitigate Information technology --
. , Security techniques --
" 27033 Network security: Reference
4 5- - ISO/IEC networking scenarios --
,27033-6 Threats, design techniques
.
and control issues

/

/
,
" 27033 .2
(
" 27033 45-
- )ISO/IEC 27033-6
,
/ /
/ .

,

.

ISO/IEC - 2703 7
( , 27033- - : 3
,
) , 4: 2014 4
()Gateways
,:
Information technology --
)
; Security techniques --
Network security : Securing
) communications between
networks using security
"
-9-

" / #

; gateways
)

;

) ,,

.

, ISO/IEC - 2703 8
27033- - : 3

5: 2013 5
( )VPN
. )(VPNs

Information technology --
Security techniques --
Network security : Securing
communications across
networks using Virtual Private
)Networks (VPNs

ISO/IEC 2703 9
27034- : 4
.
1: 2011 1
Information technology
, , , Security techniques
.
Application
Overview and :security
( ,)in-house concepts

.

ISO/IEC 2703 10

27034- : 4
.
2: 2015 2
Information technology --
Security techniques --
Application security :
Organization normative
framework

ISO/IEC 2703 11
27039: , 9 IDPS
( IDPS intrusion
2015
.)detection and prevention systems ()IDPS
,
. Information technology
Security techniques
"
- 10 -

" / #

Selection, deployment and


operations of intrusion
detection and prevention
)systems (IDPS

ISO/IEC 2704 12
27040: 0
( ,)risk mitigation
2015 Information technology
()consistent
, , Security techniques
. Storage security


()communication links
.


,
,


( )lifetime
.


,

, ( )acquirers
,

( )managers ( )administrators

,

.


,
.


.
,

. ,
-
( )practices
.

ISO/IEC 2703 13
"
- 11 -

" / #

" .27036 27036- 6


1: 2014 :
1
( supplier Information technology
.)relationships Security techniques
Information security for
" .27036 supplier relationships:

Overview and concepts
.

ISO/IEC 2703 14
, , , ,, 27036- 6
. :
2: 2014 2
Information technology
, , Security techniques
,
,-- Information security for
. supplier relationships:
Requirements

, , .

,

,
. ,
, , ,
, .

, ISO/IEC 2703 15
27036- 6
( ,)ICT :
3: 2013 3
:

)
( physically Information technology
)dispersed- Security techniques
;ICT- Information security for
supplier relationships:
) ICT- Guidelines for information
and communication
,ICT- technology supply chain

security
.
(

"
- 12 -

" / #

( )IT);

)

, " 15288
" ,12207
,
" .27002



.ICT
" 27031 .

ISO/IEC - 2703 16
. 27037: - ,, 7
, ,
2012
( )digital evidence
( .)evidential value
Information technology
Security techniques
, Guidelines for identification,
. collection, acquisition, and
/ preservation of digital
, evidence
:

-
,,
- ,
;

- ,
( ,)PDA (,)PED
;

- ;

- ()
( );

- ;

- TCP / IP
;

-
.

:1
"
- 13 -

" / #

:2
.
,
,
.

ISO/IEC 2701 17
27017: 7
,:
2015
- " 27002
" ;27002
Information technology
-
Security techniques Code
.
of practice for information
security controls based on
. ISO/IEC 27002 for cloud
services

, ISO/IEC 2701 18
, 27018: 8
( ,)PII ( )PII
2014
"
29100 .

Information technology
" ,27002 Security techniques Code


of practice for protection of
( ,)PII
( ) personally identifiable
. information (PII) in public
clouds acting as PII

processors
,
,
,
,
.

ISO/IEC 2910 19
29100: 0
- ;
2011 Information technology
- ( )actors Security techniques

Privacy framework
(;)PII

- ;
"
- 14 -

" / #

-
.


, , , ,,
,
,

(.)PII

ISO/IEC 1804 20
" " - 15408 18045: 5 (
" . Common Criteria
2008
)ISO/IEC 15408
Information technology
" ,15408 Security techniques

Methodology for IT security
" .15408
evaluation

, IEC/TS 6244 21
62443- :, 3 SCADA /
( .)IACS
1-1: 1.1

" .62443 2009 Industrial communication
networks - Network and
:system security

. Terminology, concepts and
models
.


.
,


.



.
( SCADA
)
, :

) ;

) ;

) ;

) .

.
"
- 15 -

" / #

SCADA
.


( )IACS ,

,
. , :

)
,
( ,)DCSs
( ,)PLCs
( ,)RTUs ,
,SCADA ,
()custody
( . ,


( ,)SIS

).

) -
,
, ,
,
( ,)process historians ,
, ,
,
.

) , : ,
, , ,

,,
,
, ,
.

IEC 6244 22
()CSMS : 3
()IACS 62443-
. 2.1
2-1:
2010
Industrial communication
. networks Network and
Establishing :system security
an industrial automation and
,
, , control system security

"
- 16 -

" / #

. program



.



.
.

:

,

.

, , IEC 6244 23
: 3
( )IACS 62443- IACS
2.3
2-3:
. Security for industrial
2010
automation and control
( )format
Patch management :systems

in the IACS environment
,


,
.


( ,)OSs
.

.

.
,
( ,)bugs ,
, .

IEC 6244 24
IACS : 3
( )integration 62443-
IACS 2.4
(.)Automation Solution 2-4:
2015
Security for industrial
automation and control
"
- 17 -

" / #

IACS . Security program :systems


requirements for IACS service
providers

IEC 6244 25
, : 3
( )mitigation 62443-
3.1
3-1:

2009 Industrial communication
()IACS
networks Network and
. Security :system security
- technologies for industrial
,
automation and control
,
systems
,

, ,

.


( ,)IACS
,
, ,
.
,
, :

( , .
( data historian
)servers (,
, ,),
(,)DCSs
(,)PLCs

( ,)SCADA

, , .


( )IT
( )links

.
, , :
, , ,,
,
(,)fieldbus systems
,
\ ,
( ,)RTUs
"
- 18 -

" / #


.
. , ,
,
,
, , ,,
, ,
,

,
, ,
.
,
,
( )broadly applied ,
, :

. ;
. , , ;
; .
. ;
.;
; .
; .
. .
,

,
.


, ,

.
:

.
, ,\
;
. ;
; .
.

(;)IACS
. ;
; .
. .

,

( ,)IACS

,
.
"
- 19 -

" / #

( )SRs IEC 6244 26


, : 3
( )FRs " 62443-
3.3
62443 ,1.1 3-3:
. Industrial communication
2013
networks Network and
" 62443 ,1.1 System :system security
(:)FRs security requirements and
security levels
) (,)IAC

) (,)UC

) (,)SI

) (,)DC

) (,)RDF

) ( ,)TRE

) (.)RA


( )SLs ( SL-C ,
) .
.

NIST SP 8003 27
800- 0 800
. , Guide for Conducting Risk NIST
, 30:
Assessments
2012
/

. ,

( , ,
, ,
)

.

,

( ,
)
.

NIST SP 8006 28
800- 1

. 61: Computer Security Incident
"
- 20 -

" / #

2012 Handling Guide


, ,
, .


.

NIST SP 8008 29
(,)malware 800- 3
( )mitigate
83:
. 2013
, Guide to Malware Incident
( )real-world Prevention and Handling for
Desktops and Laptops
.
()data points
.



.
" , 80061
.

ISO/IEC : 2476 30
24760- 0
, :
1: 2011
, 1
. Information technology
Security techniques A
(.)identity information framework for identity
management: Terminology
and concepts

ISO/IEC : 2476 31
24760- 0
:
2: 2015 2
( identity
,)information
Information technology
. Security techniques A

framework for identity
.
management: Reference
architecture and
requirements

ISO/IEC 2914 32
"
- 21 -

" / #

( )vulnerabilities 29147: 7
. 2014
( )vendor Information technology
Security techniques
. : Vulnerability disclosure

) ()vendors


,

) ()vendors


,

)
( )vendor
,

)
.
"
- 22 -

'

NICCS US National Initiative for Cybersecurity Careers and Studies

GIAC Global Information Assurance Certification

IACRB The Information Assurance Certification Review Board

ISACA Information Systems Audit and Control Association

ISC2 International Information System Security Certification Consortium

ECCouncil
Human Rights Alert (NGO)
Joseph Zernik, PhD "
PO Box 33407, Tel Aviv, Israel 6133301 ",33407 "
Fax: 077-3179186 Email: joseph.zernik@hra-ngo.org

[]
August29,2017

AttorneyAleadNaveh
CentralElectionCommitteeFOIAOffice
Jerusalem
Email: hofeshmeida@knesset.gov.il , eladn@knesset.gov.il
Fax: 02-5669855

RE:FreedomofInformationRequestregardingITsystemsoftheCentralElection
CommitteecompliancewithIsraeliStandardIS27001InformationTechnologies
securitytechniques
DearAttorneyNaveh:
PleaseacceptinstantFreedomofInformationRequest.Pleaseconfirmreceiptbyreturn
email,includingadulydesignatedFOIArequestnumber.
I.Requester
Name:JosephZernik
ID:
Address:POBox33407,TelAviv,Israel
Fax:0773179186
II.RequestedInformation
Instantrequestpertainstowrittendocumentationoftherequestedinformationinrecords,
whichareheldbytheCentralElectionCommittee,orspecificreferencestoofficial
publications(e.g.StateRegistry)oftherequestedinformation.
A.CompliancewithIsraeliStandardIS27001InformationTechnologies
Anysigned,lawfullymaderecord,whichdocumentscertificationofcompliancewithIsraeli
StandardIS27001InformationTechnologies:SecurityTechniquessystemsfor
administrationofinformationsecurity.
ThelatestversionoftheStandardwaspublishedonMarch06,2014intheStateRegistry
(YalkutHaPirsumim)6766:InstantStandarddetailstherequirementsforestablishing,
implementation,maintenanceandongoingupgradeofsystemforadministrationof
informationsecurityinthecontextofanorganization...
III,Payment:
a.RequestfeeinthesumofNIS20.00waspaid,ReferenceNo91898602.

Truly,

JosephZernik,PhD
HumanRightsAlert(NGO)

1/2
292017,

"



hofeshmeida@knesset.gov.il
",eladn@knesset.gov.il:
025669855:

:
.27001.

",
.",
.
.I
:
"053625596 :
:",33407"6133301
"joseph.zernik@hrango.org :
0773179186 :
:
.II
)(
,)(
.
..27001.
,.27001.
:.
676606:2014,
"",,
)"(...
III:
20",.91898602
,

'
HumanRightsAlertNGO

2/2