Categorization of critical information infrastructure facilities (CIIS)
mdtech PROVIDES CATEGORIZATION OF CRITICAL INFORMATION INFRASTRUCTURE (CII) OBJECTS FOR BUSINESS AND GOVERNMENT ORGANIZATIONS
CII categorization is a mandatory requirement for entities operating in energy, transport, communications, healthcare, the banking sector, and other strategic industries in Uzbekistan.
According to the Law of the Republic of Uzbekistan "On Cybersecurity" (ZRU-764), failure to comply with protection requirements for critical objects entails administrative liability and poses risks to national security. Correctly determining the significance category allows for the construction of an adequate defense system and the successful passing of audits by the regulator — the Cybersecurity Center.
Regulatory Documents in Uzbekistan:
- Law of the Republic of Uzbekistan No. ZRU-764 dated April 15, 2022, "On Cybersecurity".
- Resolutions of the Cabinet of Ministers of the Republic of Uzbekistan and regulations of the Cybersecurity Center.
Who Must Undergo the Categorization?
Categorization is mandatory for all organizations (government and private) whose information systems support operations in the following sectors:
- Banking and Finance
- Energy and Fuel/Energy Complex
- Healthcare
- Transport and Logistics
- Telecommunications and Communication
- Public Administration
- Defense and Chemical Industry
Categorization Stages with mdtech:
- Audit and Data Collection: Analyzing IT infrastructure and defining a list of potential CII objects.
- Significance Assessment: Threat analysis and calculation of significance criteria according to national methodologies.
- Documentation Preparation: Drafting the Act of Categorization and a package of organizational and regulatory documents.
- Submission and Support: Submitting documents to the Cybersecurity Center and providing consultancy support during the review process.