CNJ establishes Cybersecurity Committee
Ordinance No. 242, of November 10, 2020
The National Council of Justice established the Cybersecurity Committee of the Judiciary through Ordinance No. 242, of November 10, 2020. Official response to the growing number of incidents recorded in recent days. In addition to the hacker attack on the STJ that encrypted and blocked access to that Court’s data, there was also disclosure by the TJ-SC regarding the e-mail invasion of magistrates and servers, and the TJ-RS reported the tampering of the petition page and posting a criticism of justice.
The Committee will be coordinated by a representative appointed by the CNJ and formed by technical experts with knowledge in the cybersecurity area, appointed by the STF, STJ, TSE, TST, CJF, STM, State Courts of Justice, in addition to the CNJ itself. There is the possibility of inviting other professionals from public bodies or the private sector to subsidize the work.
The Ordinance emphasizes, among the Committee’s purposes, the guarantee of cyber security of the digital ecosystem of the Brazilian Judiciary; establishment of objectives, principles and guidelines in line with the recommendations contained in technical standards on information security and risk management in this area. In addition, it will be up to the Committee to propose revisions and updates to the cyber security rules approved by the CNJ and to monitor their implementation in all courts.
It was determined, with the objective of tackling cyber crimes in the sphere of the Judiciary, that the Committee presents in the coming months protocols for prevention, crisis management and investigation. Likewise, the Cybersecurity and Information Strategy of the Judiciary should be developed, for which mandatory minimum content has been stipulated.
The document will need to include, among other elements: cyber security, culture and education policies, identity and access management, and encryption of sensitive data; minimum standards of risk management, protection of ICT assets, resilience and continuity of ICT services in cases of incidents and unavailability; requirements that ensure digital trust; forecasts of compliance with the LGPD and for monitoring compliance with security requirements established by external and internal auditing; guidelines for RD&I in the cybersecurity area.
Finally, the Committee will have to propose a rule that provides for the creation, activation and effective functioning of the CNJ’s Cyber Security Incident Treatment Center, which will function as an official channel for orchestrating and publicizing preventive and corrective actions, in chances of threats or cyber attacks. The Center will consist of one representative and one alternate from each Court of the Federation.
By: Wilson Sales Belchior