Colombia: MICT announces update to the Information Security and Privacy Model
On October 4, 2024, the Ministry of Information and Communications Technologies (MICT) announced the updated design of the Information Security and Privacy Model (MSPI), a tool to establish the necessary guidelines for public entities to implement effective digital security management. The MICT stated that the MSPI will ensure that public entities are prepared to face digital threats, manage risks, and maintain the continuity of public services.
Goals and guidelines within the draft MSPI
The draft MSPI outlines several goals, including to:
- provide entities with clear implementation mechanisms, guidelines, and instruments that enable them to adopt and implement the MSPI more easily;
- contribute to the development and implementation of the digital security strategy of entities; and
- establish security procedures that allow entities to appropriate the security enabler in the Digital Government policy.
The MICT stated that the draft MSPI defines the guidelines for implementing the digital security strategy and aims to formalize within entities an Information Security Management System. The draft MSPI includes five phases to allow entities to properly manage and maintain the security and privacy of their information assets:
- diagnosis – identify the current state of the entity with respect to the adoption of the MSPI;
- planning – determine the information security and privacy needs and objectives, taking into account the process map, size, and internal and external context;
- operation – implementation of controls that will reduce the impact or probability of occurrence of the risks identified in the planning stage;
- performance evaluation – evaluation of the status of the adoption of the model, through audits and indicators established in the planning; and
- continuous improvement – procedures established to identify deviations in the rules defined in the model and actions necessary for their solution and non-repetition.
Several definitions are provided, including 'information asset,' 'threats,' 'computer emergency response team,' 'incident,' 'public information,' and 'habeas data law.'
Public comments will be received until October 14, 2024, by email to [email protected] or through the online form on the press release.
You can read the press release and draft MSPI for comment here.