SENSITIVE S.I OF C.I

Declaration of Sensitive Information Systems (SIS) of Critical Infrastructure

The Cybersecurity Law 05-20 stipulates, particularly in Article 17, that the head of each vital infrastructure (VI) establishes the list of its sensitive information systems and transmits it to the national authority. Decree No. 2-21-406 of 4 Hija 1442 (July 15, 2021), regarding the implementation of Law No. 05-20 on cybersecurity, specifies in Articles 10 and 11 that each entity and vital infrastructure classifies its information systems based on an analysis of the impacts of incidents that could compromise the confidentiality, availability, or integrity of its informational assets. The level of impact of these incidents must reflect the importance of the consequences, which could result in the entity or VI being unable to:

  •   fulfill its missions ;
  •   Preserve life, health, or well-being of individuals ;
  •   Comply with laws, regulations, and contractual obligations ;
  •   Preserve its brand image and that of the State ;
  •   Maintain and reinforce the trust of citizens and partners in the services offered, or by the ability of said IIV to affect the operation of third-party entities reliant on its services.

This analysis is conducted according to the impact analysis scale set out in the aforementioned decree. According to Article 12 of the aforementioned decree, systems of information belonging to "CLASS A" or "CLASS B" are deemed sensitive information systems (SIS). Once the list of SIS is established, the entity or IIV's responsible party must complete the attached form for each SIS and transmit it securely(*) to the DGSSI. It is important to note that the list of vital importance infrastructures, the list of SIS, and the declaration forms are kept confidential. Furthermore, and in accordance with the aforementioned decree, each entity or vital importance infrastructure reviews the classification of its information systems at least once every three (03) years and whenever necessary.


(*)  Declaration forms can be submitted to the DGSSI by postal mail or electronically.

  • - In the case of postal mail, the forms must be placed in a sealed envelope clearly marked "CONFIDENTIAL" and sent to the address of the Minister Delegate to the Head of Government responsible for National Defense Administration.
  • - In the case of electronic submission, it is imperative to send the forms along with the cover letter to the email address declaration_SIS@dgssi.gov.ma. This submission must be encrypted with the public key published below.

HOMOLOGATION OF SENSITIVE INFORMATION SYSTEMS (SIS) OF VITAL IMPORTANCE INFRASTRUCTURES (VIIs)

The Law No. 05-20 on cybersecurity stipulates in Article 19 that any sensitive information system (SIS) of a vital importance infrastructure (VII) must undergo security certification before being put into operation.

This certification process aims to inform the managers of the VIIs about the risks associated with the operation of their sensitive information systems. It is a process that leads to a decision made by the manager of the VII. This decision constitutes a formal act by which they:

  •   Certifies their understanding of the information system and the technical, organizational, or legal security measures implemented;
  •   Accepts the remaining risks, known as residual risks.

The procedure to follow for approving a sensitive information system of a vital infrastructure, as well as the form and content of the approval decision, are detailed in the SIS approval guide.

 

To report any criminal digital content, including threats to the security of individuals and groups, praise or incitement of terrorism, and violations of the rights and freedoms of children, please use the following platform : www.e-blagh.ma

DGSSI2024 All rights reserved