49
2018
Computer Misuse and Cybercrimes
No. 5
class of information infrastructure or any part thereof, as a
critical information infrastructure, in line with a critical
infrastructure framework issue directives to regulate —
(a) the classification of data held by the critical
information infrastructure;
(b) the protection of, the storing of and archiving of
data held by the critical information infrastructure;
(c) cyber security incident management by the critical
information infrastructure;
(d) disaster contingency and recovery measures,
which must be put in place by the critical
information infrastructure;
(e) minimum physical and technical security measures
that must be implemented in order to protect the
critical information infrastructure;
(f) the period within which the owner, or person in
control of a critical information infrastructure must
comply with the directives; and
(g) any other relevant matter which is necessary or
expedient in order to promote cyber security in
respect of the critical information infrastructure.
10. (1) The Committee shall within reasonable time
and in consultation with the owner or a person in control of
an identified critical information infrastructure, submit to
the National Security Council its recommendations of
entities to be gazetted as critical information
infrastructures.
(2) The Committee shall, after the gazettement under
subsection (1), in consultation with a person that owns or
operates the critical information infrastructure—
(a) conduct an assessment of the threats,
vulnerabilities, risks, and probability of a cyberattack across all critical infrastructure sectors;
(b) determine the harm to the economy that would
result from damage or unauthorized access to
critical infrastructure;
(c) measure the overall preparedness of each sector
against damage or unauthorized access to critical
infrastructure including the effectiveness of market
Protection of
critical
information
infrastructure.