Results of the GOVCERT.NL Project
GOVCERT.NL legal products
The applicability of the aforementioned laws and legislation has been translated into a number of legal products which ensure that GOVCERT.NL both operates and provides its services in a careful manner.
Cooperation agreements in the GOVCERT.NL programme agreement
The fact that the general act on administrative law is applicable to GOVCERT.NL was determined by the tasks and capacities of the party responsible for GOVCERT.NL. Agreements on the responsibility, tasks and capacities of clients and GOVCERT.NL are incorporated in the GOVCERT.NL programme agreement. For a CERT which is not classified as a government CERT, agreements on responsibility and the distribution of tasks and capacities, depending on the legal form, will be specified, for example in the statutes or in a document known as a cooperation agreement.
Standard terms and conditions of GOVCERT.NL
The 'GOVCERT.NL Standard Terms and Conditions' provide an interpretation of the framework conditions arising from the liability laws of the civil code and the general principles of appropriate government. The standard terms and conditions and their formal acceptance by the participating organisations also play a role in the control of the liability risks undertaken by GOVCERT.NL in the provision of its services. In the standard terms and conditions, for example, the conditions and tariffs under which the services from GOVCERT.NL will be provided are clearly stated, together with the level of liability each party has to bear and what the rights and obligations of the parties are with regard to the services provided by GOVCERT.NL.
The standard terms and conditions also show that GOVCERT.NL does not act in violation of the instructions concerning marketing activities carried out by organisations within the government.
Model agreements
In addition to the 'GOVCERT.NL standard terms and conditions', GOVCERT.NL also provides tailored services. The general terms and conditions contained in the 'GOVCERT.NL standard terms and conditions' always remain the starting point for these services. Often, additional agreements are better laid down in a service agreement covering the services to be carried out and the definition of the rights and obligations of the parties concerned. This service agreement may contain the following, for example:
- The subject of the agreement, clearly defined;
- Specific mention that the way the results of the services from GOVCERT.NL are used is the responsibility of the participant;
- What the costs are for the service;
- That employees of GOVCERT.NL are entitled to access the workplace and/or computer system of the participating organisation.
In the event that the services are tailored and provided in return for payment, GOVCERT.NL must keep the 'Market and Government' question in mind at all times. This question concerns the fact that a government organisation may offer market activities at cost price under certain conditions. For more information on the Market and Government question, see also paragraph 7.3.2.
With regard to setting up (inter)national cooperation agreements, these can often be completed with a Non-Disclosure Agreement (NDA). A model NDA can be adapted to fit a new cooperation, especially with regard to the subject of the cooperation. For international cooperation agreements, the applicable law is often a controversial issue. If no agreement is reached by the parties on the applicable law, the matter can be brought before international arbitration. In that case, in the event of a violation of the confidentiality agreement, the ruling will be made according to the rules of international private law.
Security policy
The heart of the Government Information Security Regulation (VIR) is that the parties responsible for holding information within a government organisation ensure the creation of a balanced package of measures for information security. This package of measures must be tailored to the activities and vulnerabilities of GOVCERT.NL as an organisation. The Information Security Code can be used to interpret this set of security measures, which together provide an adequate level of security. The areas for consideration specified in the Code, such as the management of business media, security requirements regarding staff, physical security, access security and the management of forms of communication, together form an overall picture that the parties responsible should use as a guide when providing adequate information security. The measures and procedures which arise from the areas for consideration together form the basis for good information security. Alongside these general security measures, it is also recommended that the security policy should take into account the directive on security of personal data from the board for the protection of personal data. This directive provides instructions for those responsible for processing the data regarding taking 'appropriate technical and organisational measures' to secure personal information against any form of illegal processing.
The GOVCERT.NL security policy has resulted in procedures and measures which ensure that the danger that internal employees, the participating organisations and (any possible) externally sourced service providers may pose to the information security of GOVCERT.NL is managed, and that GOVCERT.NL is entitled to suspend its services in the event that a participating organisation does not take suitable security measures.
It should be noted that a good security policy and appropriate organisational and technical security measures are also of great importance for the control of liability risks. The organisational and technical security measures make it possible to determine whether GOVCERT.NL has acted with due care. This exact level of care has an effect on liability risks.
It is true that government organisations are obliged to adhere to the laws and legislation in the field of security. This results in the strong recommendation that all CERTs should ensure that security risks are identified, and that the security measures to be taken on the basis of this risk analysis are integrated into work processes. For more information on security policy, see also the chapter on processes.
Information exchange policy
A carefully set up information exchange process also makes an important contribution to the control of liability risks such as those which can arise from general liability law and the general principles of appropriate government. A carefully set up information exchange process firstly involves tailoring the information exchange to the tasks and capacities of GOVCERT.NL. It is then important that it is clear which sources of information can be distinguished for GOVCERT.NL, which parties may share in the information received by GOVCERT.NL from the various sources, and how the information received should be qualified. By then linking a method for its use to the qualified information, the unlawful disclosure of information can be avoided. The careful setting up of an information exchange procedure does not apply specifically to a government CERT. Each CERT will have to set up a clear information exchange procedure to ensure a careful exchange of information. Information is always exchanged more frequently between organisations when the parties trust each other. The setting up of an information exchange procedure and the associated classification of the categories of information make a significant contribution to the creation of this trust.
Privacy policy
The personal data protection act (Wbp) demands the lawful use of personal data. The privacy policy states how GOVCERT.NL uses personal data. It makes clear the aims on the basis of which GOVCERT.NL can process personal data, what data can be processed, what the underlying principles for the processing of the data are, whether the personal data will be provided to third parties and how any unsolicited personal data received is handled. For the alerting service, the GOVCERT.NL privacy policy is translated into a privacy statement regarding the services provided by the alerting service. The privacy statement is available on the alerting service website.
Procedure for dealing with WOB requests
On the basis of the Act to Promote Open Government (WOB), any person may request information stored in documents and sent to a government body with regard to a government matter [1]. Since various parties are involved with GOVCERT.NL, it is recommended that it is clarified in advance who is to deal with a WOB request which regards the services of GOVCERT.NL. The 'Procedure for dealing with WOB requests' makes an estimate of what WOB requests GOVCERT.NL can reasonably expect on the basis of the services it provides. It also states that WOB requests received by GOVCERT.NL should be dealt with by the Minister of Internal Affairs and Administrative Modernisation. In view of the fact that the WOB requests may have consequences for the constituency of GOVCERT.NL, these WOB requests should be dealt with in consultation with the participating organisations concerned.
[1] A government matter is a matter which concerns the policy of a government body. This also includes its preparation and implementation. Within this framework, for GOVCERT.NL this could be a decision on whether or not to send a specific ICT related security incident received by GOVCERT.NL to the participating organisations.
'Implementation regulations for post handling and archive management' from the ICTU Foundation
The Archive act is a framework law which imposes an obligation on government bodies to make and maintain their archive documents in a good, ordered and accessible state. In view of the confidentiality of the services provided by GOVCERT.NL and the confidential nature of the information that GOVCERT.NL receives, it is recommended that the incoming post and the items to be archived are handled separately from the central post and archive system of the ICTU.