Compatibility of the eAuditor system with the KRI

Check out KRI’s standards for information systems

National Interoperability Framework (KRI) standards.

The KRI regulation sets requirements for information systems, specifying:

  • specification of data formats and communication and encryption protocols to be used,
  • ways to ensure security in the exchange of information,
  • technical standards to ensure the exchange of information involving public entities,
  • taking into account cross-border exchange,
  • ways to ensure access to information resources of public entities.

Scope of KRI requirements – eAuditor information system

This is a set of technical and informational factors that enable information systems to carry out public tasks. They are regulated in the Decree of the Council of Ministers issued under Article 18 of the above-mentioned Law. Below is the range of requirements for information systems that the eAuditor system meets:


Design, implementation and operation of ICT systems

  • ICT systems used by entities carrying out public tasks are designed, implemented and operated taking into account their functionality, reliability, usability, efficiency, portability and maintainability, using norms and the standards and methodologies recognized in professional practice.
  • Management of the services provided by information and communication systems is aimed at providing these services at the declared level of availability and is carried out on the basis of documented procedures.
  • The requirements of paragraphs 1 and 2 shall be considered fulfilled if the design, implementation, operation, monitoring, review, maintenance and improvement of the management of the service of the entity performing the public task are carried out taking into account the Polish Standards: PN-ISO/IEC 20000-1 and PN-ISO/IEC 20000-2.

Enabling data exchange with other ICT systems

  • ICT systems used by entities performing public tasks shall be equipped with hardware components or software enabling data exchange with other ICT systems using communication and encryption protocols specified in applicable regulations, norms, standards or recommendations established by a national standardization body or a European Union standardization body.
  • If there are no regulations, norms or standards referred to in paragraph 1 in a given case, internationally recognized standards shall be applied.
  • Information on the availability of descriptions of the standards referred to in paragraph (2) shall be published by the minister responsible for informatization in the Public Information Bulletin.

Character encoding standards

  • Character encoding in documents sent from, or received by, the information and communication systems of entities performing public tasks, including information such systems exchange with other systems by teletransmission where the exchange takes the form of character data, shall conform to Unicode UTF-8 as defined by ISO/IEC 10646, as amended, or a standard replacing it.
  • In justified cases, character encoding according to Unicode UTF-16, as specified by the standard referred to in paragraph 1, is allowed.
  • The use of the encoding referred to in paragraph 2 shall not adversely affect cooperation with information and communication systems using the encoding specified in paragraph 1.

Formats for providing information resources and receiving electronic data

  • ICT systems of entities performing public tasks shall make information resources available in at least one of the data formats specified in Annex No. 2 to the Regulation.
  • Unless otherwise specified in specific provisions or published in the interoperability repository of XML schemas or other templates, entities performing public tasks shall allow the reception of electronic documents used to handle matters within their scope of action in the data formats specified in Annexes No. 2 and 3 to the Regulation.

Presentation of information resources

  • In the information and communication system of an entity performing public tasks for presentation of information resources, it must be ensured that the system meets the requirements of the Web Content Accessibility Guidelines (WCAG 2.0), including level AA, as specified in Annex No. 4 to the Regulation.

Information security management system

  • Information security management is implemented in particular by ensuring that the management of the public entity has the conditions to implement and enforce the following:
  • Update internal regulations as the environment they relate to changes.
  • Maintain an up-to-date inventory of information processing hardware and software, covering their type and configuration.
  • Take measures to ensure that persons involved in information processing hold the appropriate authorizations and participate in the process to the extent appropriate to their tasks and responsibilities, so as to ensure information security.
  • Immediately change those authorizations if the tasks of the persons referred to in point 4 change.
  • Provide training for persons involved in the information processing process, with particular attention to:
    – information security risks,
    – the consequences of information security violations, including legal liability,
    – the use of measures that ensure information security, including devices and software that minimize the risk of human error.
  • Protect processed information from theft, unauthorized access, damage or interference, by:
    – monitoring access to information,
    – activities aimed at detecting unauthorized information processing,
    – measures preventing unauthorized access at the level of operating systems, network services and applications.
  • Establish basic rules for safe work in mobile processing and remote work.
  • Secure information in a way that prevents unauthorized disclosure, modification, deletion or destruction.
  • Include provisions in service contracts signed with third parties that guarantee an adequate level of information security.
  • Establish rules for handling information that minimize the risk of theft of information and of information processing equipment, including mobile devices.
  • Ensure an adequate level of security in ICT systems, consisting in particular of:
    – keeping software up to date,
    – minimizing the risk of losing information as a result of failures,
    – protection against errors, loss and unauthorized modification,
    – use of cryptographic mechanisms in a manner adequate to the threats or to the requirements of the law,
    – ensuring the security of system files,
    – reducing the risk arising from exploitation of published technical vulnerabilities of ICT systems,
    – promptly taking action upon noticing previously undisclosed vulnerabilities of ICT systems that could lead to a security breach,
    – monitoring compliance of ICT systems with the relevant security standards and policies.
  • Promptly report information security incidents in a specific, predetermined manner that enables prompt corrective action.

Electronic records in system logs (logs)

  • Accountability in ICT systems is subject to reliable documentation in the form of electronic records in system logs (logs).
  • It is mandatory to record in system logs the actions of users or system objects involving access to the system with administrative privileges and changes to system configuration, including security configuration.
  • In addition to the information listed in paragraph 2, the actions of users or system objects may be recorded, as well as other events related to the operation of the system in the form of:
    – actions of users without administrative privileges,
    – system events that are not critical to the operation of the system,
    – events and parameters of the environment in which the ICT system is operated.
  • Information in system logs is stored from the date of recording, for the period indicated in separate regulations, and in the absence of separate regulations for two years.
  • Records of system logs may be stored on external computer data carriers in conditions that ensure information security. In justified cases, system logs may be kept on a paper medium.

2023-12-12T10:10:13+01:00