Ethiopian Federal Laws
COUNCIL OF MINISTERS REGULATION TO PROVIDE FOR EXECUTION OF INFORMATION NETWORK SECURITY AGENCY RE-ESTABLISHMENT
This Regulation is issued by the Council of Ministers pursuant to Article 5 and Article 35 of the Definition of Powers and Duties of the Executive Organs of the Federal Democratic Republic of Ethiopia Proclamation No. 691/2010 (as amended by Proclamation No. 803/2013) and Article 11(1) of Information Network Security Agency Re-establishment Proclamation No. 808/2013.
PART ONE GENERAL
1. Short Title
This Regulation may be cited as the "Information Network Security Agency Re-establishment Proclamation Execution Council of Ministers Regulation No.320/2014".
2. Definitions
In this Regulation unless the context otherwise requires:
- "Proclamation" means the Information Network Security Agency Re-establishment Proclamation No. 808/2013;
- definitions provided for under Article 2 of the Proclamation shall be applicable;
- "Agency" means the Information Network Security Agency;
- "membership registration" means a registration for membership at different security institutions and associations through agreement to obtain various services via website subscription;
- "cyber operation" means a technique that is used to exploit cyber intelligence and digital forensic evidence, curb cyber activities that threaten national security and citizen's safety or defend the state sovereignty from an attack by cyber and electromagnetic technologies;
- "Director General" means the Director General of the Agency.
PART TWO AGENCY'S DATA, AUDIT AND EVALUATION
3. Confidential Data
Notwithstanding the provisions stipulated under other laws, the Director General:
- shall restrict the disclosure of employees' profile, certain financial accounts, tools, working procedures, outputs, strategic and planning documents to any body by designating them as top secrets;
- when he believes it is vital for national security, security of the Agency, its core competencies and its employees' wellbeing, may categorize, through directive, the Agency's working places, tangible and intangible assets information and other geographic indicators information as top secret or confidential and determine to whom and when it shall be accessible.
4. Financial and Performance Audit
- Notwithstanding the provisions stipulated under Article 3 of this Regulation, the Director General may issue a directive, upon approval by the Prime Minister, that entails total or partial restriction of the Auditor General or his representative to audit the Agency's assets. The Prime Minister shall order the amendment of the directive periodically by assessing the secrecy of the data.
- The internal auditor of the Agency shall inspect, in accordance with the directive issued by the Director General, the assets, documents and other necessary data stipulated under Article 3 of this Regulation; conduct financial and performance auditing.
- The audit report prepared by the internal auditor in accordance with sub-article (2) of this Article shall be submitted only to the Director General.
5. Security Auditing
- The Agency shall design and notify in a reasonable time to the organization subject to audit about the standards, criteria, working procedures, security auditor's rule of engagement and audit report presentation system, while it conducts security vulnerability audit to ensure the security of information and computer-based critical infrastructures.
- The Director General shall periodically determine the schedule of security audit of organizations subject to audit by considering their national significance and strategic importance.
- Without prejudice to their right to seek clarification on the report of security audit, the organizations subject to audit are duty bound to accept the recommendations and to take the necessary measure.
- The Agency shall provide the necessary technical and other supports to the organization subject to audit to capacitate them to carry out security audit by themselves.
6. Information Technology Security
- Prior to the implementation of vital national critical information infrastructures, information management systems and geospatial information associated projects and related procurements being made, the Agency shall ensure:
- the intended project or the procurement process fulfills the security criteria;
- the satisfaction of the security criteria that the goods, services or systems produced as input for the project or the availability of standard risk management process within the manufacturers or service providers;
- that the product, service or system meet the necessary criterion prior to making use of it;
- that the implementation and configuration process is carried out in accordance with the security criterion;
- the continuity of post implementation security procedure and risk management process;
- For the application of sub-article (1) of this Article, the concerned institutions shall cooperate and notify to the Agency their project implementation plan and related procurements.
7. Security Assessment and Evaluation
- The Agency shall carry out the functions specified under Article 5 (1) of this Regulation in accordance with national security and national information security standards, in a manner that encourages science, innovation opportunities, technological advancement, mutual benefit and by using organized laboratories.
- The Agency shall ensure the availability of sufficient infrastructure, technology, work process and necessary professionals that enables it to carry out the functions stipulated under Article 5 (1) of this Regulation.
8. Export and Import of Products and Security Technologies
- The Agency shall, in order to ensure the security of information and computer based infrastructure, issue standards and criterion regarding information security technologies that can be imported for domestic use and that can be exported and, cause implementation of same in coordination with concerned bodies.
- The Director General, with notification to the concerned body, may restrict the inspection of the Agency's product or other related documents to be exported or imported, when he believes that the inspection and other related process may endanger national security by exposing the confidentiality of the information technology or other related products or documents.
- Without prejudice to sub-article (2) of this Article, the Director General may issue a directive that prohibits the exportation of certain domestically produced or customized information and cyber security technologies, cryptographic or electromagnetic technologies based on their significance for national security.
9. Cyber Operation
- Without prejudice to the powers and duties assigned to other relevant organs in other laws, the Agency shall lead and coordinate national cyber operation.
- Cyber operation may be carried out at any time:
- to collect cyber information and digital forensic evidence;
- to prevent cyber and electromagnetic attack targeting the national sovereignty; or
- when it is appropriate to prevent cyber action that threatens the national security or citizen's security.
- Upon the prior notification of the time and other relevant information to the requesting body, the Agency shall carry out cyber operation:
- with the instruction of federal government or by the request of regional governments;
- by the order of the court upon request by the Attorney General or the head of the concerned prosecution institution; or
- by its own motion.
- The Agency shall ensure the confidentiality of information obtained in the cyber operation process otherwise than in the hand of the requesting body.
- The Agency shall design a system to execute and enforce national cyber operation functions.
10. Digital Forensic
Without prejudice to the provisions of Article 9 of this Regulation, the Agency shall:
- carry out digital forensic investigation in cooperation with relevant investigating bodies pursuant to Article 6 (8) of the Proclamation and by the order of a Court;
- provide the necessary assistance to justice organs to setup and build up their own capability regarding digital forensic investigation.
11. Intelligence
- The Agency may provide information, among the information obtained pursuant to Article 6 (14) of the Proclamation or Article 9 (3) of this Regulation, to investigative bodies if it finds that the information is appropriate to initiate investigation or present evidences or information upon court order or request of public prosecutor; provided, however, that the Agency shall not be compelled to reveal the sources and the means by which such information or evidence has been obtained.
- The Director General shall issue a directive regarding intelligence collection, storage and transmission as well as the rule of engagement and code of ethics to intelligence officers.
12. Computer Emergency Responding Center
The Agency shall issue a directive to determine the relation of the critical institutions with the National Computer Emergency Responding Center, the method and systems of reporting various attacks and the coordination thereof.
13. Standard
- The Agency shall have the power to issue standards that ensure the security of information and computer based critical infrastructure and to monitor their implementation.
- The security standards issued in accordance with sub-article (1) of this Article shall include a provision that clearly states whether or not a certain standard is compulsory.
PART THREE PROJECT ADMINISTRATION, PAYMENT AND SPECIAL PROCUREMENT
14. Project Administration
- The Agency shall have its own charts of account for projects.
- The Agency may not domestically compete in bids for the provision of products, services or to take projects.
- Government institutions shall cover whole project costs that the Agency undertakes to perform and, when necessary they may pay the entire project cost in advance.
- Notwithstanding the provisions stipulated in other regulation, directive or customary practices, public enterprises may effect payment of the project cost wholly or partially in advance.
- For the application of sub-article (3) of this Article, the Ministry of Finance and Economic Development may issue a guarantee letter on behalf of the Agency.
- The Agency may not be required to provide a guarantee for contract performance or advance payment.
15. Commensurate Fee
The Agency shall:
- supply to the public, without any fee, products and services specified under Article 18 (2) of this Regulation;
- require government institutions to cover the entire cost of the project or products and services for which it provides;
- require critical private infrastructures or public enterprises to pay the entire cost of the project or products and services, for which it provides, with minimum profit margin as compared to the normal market price;
- determine payment for the service and products that it provides for foreign institutions by taking into account government diplomatic directions and other objectives.
- The Agency may procure services and products, when it believes that it may be a source of security threat and directly related to information and cyber security, from single supplier or through restricted tendering.
- Notwithstanding sub-article (1) of this Article, the Agency shall:
- directly procure from single supplier intelligence analysis and reports as well as security training services;
- make direct payment for membership of information and cyber security institutions.
- The Director General shall issue a directive that enables protection of the public interest and ensures accountability with respect to direct procurements provided for under sub-article (1) and (2) of this Article.
PART FOUR MISCELLANEOUS PROVISIONS
17. Integration and Cooperation
The Agency shall:
- cooperate with various internal security organs, law enforcement and other relevant institutions in a manner that assists accomplishment of the objectives of its establishment and promote mutual benefits;
- interact with relevant foreign government institutions, security institutions and associations in a manner that ensures the protection of the national interest of the country and respect to the principles of sovereign relation.
18. Social Obligation and Responsibility
The Agency:
- shall discharge its social responsibilities through participation in man-made or natural disaster recoveries, rebuilding works and other social affairs to the extent its capacity permits;
- shall design various programs that create public awareness in relation to information and cyber security; provide antivirus and other similar products and services;
- shall take appropriate measures, to the extent possible, to prevent harm occurring to its employees and the environment in relation to radiation emitting x-ray technologies it makes use of;
- may build residence or camps in all its stations in order to fulfill its responsibility laid down by law and for the security of its employees; the details to be determined by directive.
19. Obligations of Employees
- Employees engaged in the activities specified under Articles 4 to 10 of this Regulation shall be subject to disciplinary measures if they contravene rules of engagement and code of ethics.
- The disciplinary measures taken pursuant to sub-article (1) of this Article may not relieve from civil or criminal liabilities.
20. Duty to Cooperate
All concerned bodies shall have the obligation to cooperate with the Agency for the implementation of this Regulation.
21. Inapplicable Laws
No regulation or directive may, as far as they are inconsistent with this Regulation, be applicable with respect to matters covered in this Regulation.
22. Power to Issue Directives
The Agency may issue directives necessary for the implementation of this Regulation.
23. Effective Date
This Regulation shall enter into force on the date of publication in the Federal Negarit Gazette.
Done at Addis Ababa, this 22nd day of October, 2006.
HAILEMARIAM DESSALEGN
PRIME MINISTER OF THE FEDERAL DEMOCRATIC REPUBLIC OF ETHIOPIA