DIGIT Directorate-General for Informatics

ISO 27k security standards

What does it mean for ECI?

29 November 2012

Legal base

• Regulation (EU) No 211/2011 of the European Parliament and of the Council of 16 February 2011 on the citizens' initiative

• Commission Implementing Regulation (EU) No 1179/2011 of 17 November 2011 laying down technical specifications for online collection systems pursuant to Regulation (EU) No 211/2011 of the European Parliament and of the Council on the citizens' initiative

(EU) No 211/2011

Article 6 Online collection systems

1. Where statements of support are collected online, the data obtained through the online collection system shall be stored in the territory of a Member State.

The online collection system shall be certified in accordance with paragraph 3 in the Member State in which the data collected through the online collection system will be stored.

(EU) No 211/2011 (ctd.)

Article 6 Online collection systems

4. Online collection systems shall have adequate security and technical features in place in order to ensure that:
a) only natural persons may submit a statement of support form online;
b) the data provided online are securely collected and stored;
c) the system can generate statements of support in a form complying with the models set out in Annex III.

(EU) No 1179/2011

Provides technical specifications to address Article 6(4) of REGULATION (EU) No 211/2011.

(a) and (c) are addressed by the Online Collection Software provided by the European Commission (Section 1 and 3 of the annex)

(b) is addressed in section 2 of the annex, which details requirements that:
• have to be addressed by the Organisers
• are addressed by the Online Collection Software provided by the European Commission
• have to be addressed by the hosting infrastructure

(EU) No 1179/2011 (ctd.)

Section 2 of the annex provides technical specifications for the following domains:

• Information assurance standards (→ Organisers)
• Functional requirements (→ OCS)
• Application level security (→ OCS + hosting infrastructure)
• Database security and data integrity (→ OCS + hosting infrastructure)
• Infrastructure security (→ hosting infrastructure)
• Organiser client security (→ Organisers)

July 18th

EC as hosting provider … only?

The main objective was to:
• provide a suitable hosting infrastructure (compliant with 1179/2011 section 2 requirements)

However, it quickly appeared that EC could also help:
• in drafting documents required by 2.1 and 2.2
• in fulfilling Organiser client security requirements (Live-DVD)

Information assurance standards

2.1. Organisers provide documentation showing that they fulfil the requirements of standard ISO/IEC 27001, short of adoption. For that purpose, they have:
a) performed a full risk assessment, …;
b) designed and implemented measures for treating risks …;
c) identified the residual risks in writing;
d) provided the organisational means to receive feedback on new threats and security improvements.

Information assurance standards (ctd)

2.2. Organisers choose security controls based on the risk analysis in 2.1(a) from the following standards:
1) ISO/IEC 27002; or
2) the Information Security Forum's 'Standard of Good Practice'
to address the following issues:
a) risk assessments (ISO/IEC 27005 or another specific and suitable risk assessment methodology are recommended);
b) physical and environmental security;
c) human resources security;
d) communications and operations management;
e) …

ISO 27000 security standards

• ISO 27001 formally specifies a management system that is intended to bring information security under explicit management control
• ISO 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS)

ISO27002 domains

Diagram: the ISO 27002 control domains (operational layer) arranged around the ISMS core.

ISMS core:
• Information Security Policy
• Risk Assessment
• ISMS Policy
• Statement of applicability

Operational ISO 27002 domains:
• Information Security Policy
• Information security organization
• Access control
• Compliance
• Physical and environmental security
• Communications and operations management
• Information security incident management
• Business continuity management
• Personnel security
• Asset classification and control
• Systems development and maintenance

ISO27001 ISMS

Diagram: the ISO 27001 ISMS Plan-Do-Check-Act cycle.

PLAN:
• Perform a gap analysis
• Define / review the security perimeter
• Perform risk assessment
• Obtain approval
• Formulate risk treatment plan
• Update information security policy
• Risk management
• Prepare a Statement of Applicability

DO:
• Implement the risk treatment plan and selected controls
• Implement training and awareness programs

CHECK:
• Perform Information Security audits
• Measure effectiveness

ECI Documentation package

To fulfil the above requirements, EC agreed with the Luxembourgish Authorities to build the following security documentation package:
1. the Security Scope
2. the Business Impact Analysis (BIA)
3. the Risk Assessment Report (RAR)
4. the Risk Treatment Plan (including Residual Risks) (RTP)
5. the Statement of Applicability (SoA)

ECI Documentation package (ctd)

EC also built guidance documents to help the Organisers draft their part of the security documentation, i.e.:

1. Organiser Risk Assessment Guidance
2. Organiser Risk Treatment Plan Guidance
3. Organiser Statement of Applicability Guidance

The guidance documents have been drafted to be reusable as much as possible and thus to minimize the Organisers' documentation effort.

Organiser client security

2.20. Organiser client security

For the sake of end-to-end security, the organisers take necessary measures to secure their client application/device that they use to manage and access the online collection system, such as:

2.20.1. Users run non-maintenance tasks (such as office automation) with the lowest set of privileges that they require to run.
2.20.2. When relevant updates and patches of the OS, any installed applications, or anti-malware become public, then such updates or patches are installed expediently.

And finally …

Q&A

