Post on 28-Dec-2015
Introduction
• Peter De Witte
• Information Security Officer for the IT Department
• Advisor for
– Software Development
– Infrastructure
Introduction SVB
• SVB Sociale Verzekeringsbank
• 15 different national insurance schemes.
• Child Benefits, AOW Pensions, Anw Survivor Benefits
• 100 years +
• 5 Million Clients
• € 35 Billion on a yearly basis.
How can SVB assure adequate levels of security and gain customers' trust, while maximizing quality and effectiveness of citizen service?
25 May 2012
Security, Trust, Quality & Effectiveness
• Awareness
• Provide a secure IT
• Proper use of available channels
• Adequate response to incidents
Employee Awareness
• Code of Conduct
• Security Guidelines
• Classification of information
• Incident response
• Organisation of Information Security
Provide a secure IT
• NEN-ISO/IEC 27002:2007 nl (BS27002)
• CMMi
• ITIL
• OWASP
• Security testing
• Standard for web applications provided by Logius in cooperation with NCSC
3 Security levels for DIGID:
1. Basis: login code (username + password)
2. Middle: login code + text message on a mobile phone
3. High: electronic identifier (not yet implemented)
Response to incidents: Case Diginotar
• Diginotar: certificates were no longer trusted
• DIGID was affected directly, SVB indirectly
• If customers wanted to login, they received a warning of an unsafe certificate
Case Diginotar: response SVB (short term)
• Form an internal crisis team
• Inventory of SVB certificates
• Link up with other sister organisations and Ministry of the Interior and Kingdom Relations
• Communication to the customer, if necessary
Case Diginotar: response SVB (long term)
• Back-up CA
• Investigation of the Dutch Safety Board
• Cooperate with Logius and sister organisations to develop and implement new standards framework for users of DIGID
• Start of expert center initiated by public service providers
Responses from external parties
SUWI:
“the SVB has a technical and organizational infrastructure of such a standard, that such an incident can be adequately addressed. Apparently the citizens understood where the problems were and have enough confidence in the SVB web service to continue its use.”
Dutch Safety Board (still unofficial):
Indication towards a positive reaction
National Ombudsman:
Positive reaction towards how SVB deals with customers and customer data
Future
• Keep our own security up to date
• Proactive towards new developments, like cloud.
• Cooperation with external parties