Argentine Public Sector Entities are Subject to New Minimum Security Requirements

A new Administrative Decision of the National Cybersecurity Division of the Ministry of Public Innovation seeks to impose a series of minimum information security requirements on the National Public Sector.

September 7, 2021
The National Cybersecurity Division of the Ministry of Public Innovation handed down Administrative Decision No. 641/2021 establishing general and minimum guidelines for National Public Sector entities —specifically those included in subsection a) of Article 8 of Law No. 24,156 and third parties that contract with them— to protect information assets against internal or external risks and preserve their confidentiality, integrity and availability.

Under the new guidelines, and having assessed potential risks, organizations are required to develop an Information Security Policy compatible with their primary responsibilities and competencies. That policy must be:

• Approved by the entity’s highest authorities or head.

• Notified and communicated to all personnel and third parties, when applicable.

• Complied with by all agents and officials.

• Reviewed and potentially updated with a periodicity not exceeding 12 months.

• Used as a basis for establishing a set of regulations, procedures and guidelines in accordance with the processes carried out in the organization, its technological platform and other available resources.

• Reported to the National Cybersecurity Division once approved.

Likewise, entities must approve their Security Policies within a maximum period of 90 days from the entry into force of the Decision and must establish the terms of compliance with each of the “MINIMUM INFORMATION SECURITY REQUIREMENTS FOR THE NATIONAL PUBLIC SECTOR BODIES” included in ANNEX I of the Decision.

Those Minimum Requirements include adopting a systemic perspective to protect their information assets, which implies the following duties:

• Assigning information security responsibilities to the competent area.

• Carrying out and implementing awareness measures for the safe and responsible use of information assets, including periodic training to all agents and officials.

• Establishing information security requirements, including clearance levels per position.

• Protecting the confidentiality, integrity, authenticity and non-repudiation of the entity's information using encryption techniques when storing and transmitting data.

• Rendering all minutes or commitments on information security mandatory for all employees.

• Requiring agents and officials to sign non-disclosure agreements at the entity’s discretion.

• Taking disciplinary measures in the event of security policy breaches.

Should breaches occur, entities are required to adopt the necessary measures to prevent, detect, manage, resolve and report incidents that may affect their information assets as follows:

• Identify weaknesses in the organization's information management processes so as to adopt measures that prevent the occurrence of security breaches.

• Document, approve and properly communicate security breach management procedures, per functional area, at the entity’s discretion.

• Adopt a clear prioritization and escalation strategy, which includes informing affected areas, authorities and technical areas.

• Instruct agents to prevent, detect and report security breaches, in accordance with their corresponding responsibilities.

• Notify the National Cybersecurity Division of the occurrence of security breaches within 48 hours of their detection.

• Collect the necessary evidence to adopt subsequent administrative or judicial measures, if applicable, safeguarding the chain of custody.

• Publicly report any security breach that has affected information assets and compromised third party information and/or personal data.