Session 5 – Data safety / security

Slides:

Advertisements

Similar presentations

Eurostat T HE E UROPEAN PROCESS OF ENHANCING ACCESS TO E UROSTAT DATA A LEKSANDRA B UJNOWSKA E UROSTAT.

Advertisements

Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Farm Business and Farm Household Survey Data Customized Data Summaries from ARMS for Statistical Analysis Philip Friend USDA ‘s Economic Research Service.

EUropean Best Information through Regional Outcomes in Diabetes Privacy and Disease Registries Technical Aspects Peter Beck JOANNEUM RESEARCH, Austria.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

1 Privacy issues on pan-European White Pages service 4rd TF-LSD Meeting Amsterdam, Peter Gietz

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter.

European Statistical Law – in preparation Kirsten Wismer & Lars Thygesen.

Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.

Top 10 Privacy Risks in Web Applications Method, results and some countermeasures 29 May 2015 Florian Stahl (Project Leader) Sponsored by.

Database Administration COMSATS INSTITUTE OF INFORMATION TECHNOLOGY, VEHARI.

Europe's work in progress: quality of mHealth Pēteris Zilgalvis, J.D., Head of Unit, Health and Well-Being, DG CONNECT Voka Health Community 29 September.

Monitoring public satisfaction through user satisfaction surveys Committee for the Coordination of Statistical Activities Helsinki 6-7 May 2010 Steve.

Eurostat ESTP course on International Trade in Goods Statistics April 2013 Point 2 of the agenda Legal framework for EU trade statistics.

State of e-Authentication in Higher Education August 20, 2004.

E-Authentication in Higher Education April 23, 2007.

Data Governance 101. Agenda  Purpose  Presentation (Elijah J. Bell) Data Governance Data Policy Security Privacy Contracts  FERPA—The Law  Q & A.

The Geographic Information System of the European Commission (GISCO) By Albrecht Wirthmann, GISCO, Eurostat ESPON.

Compliance August 18, Agenda Outline Status Draft of Answers.

1 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Making Privacy Operational International Security, Trust.

Status: Item 6 – WISE developments and Implementation Plan WG D Reporting 21 March 2006.

Privacy Audit and Privacy Seal Barbara Körffer & Dr. Thomas Probst Independent Centre for Privacy Protection Independent Centre for Privacy ProtectionSchleswig-Holstein.

Eurostat Sharing data validation services Item 5.1 of the agenda.

Protection of Personal Information Act An Analysis on the impact.

Methodology of the European Commission’s project “Mapping study (phase II): Mapping of Broadband Services in Europe - SMART 2014/0016” Christiane Lehmann,

European Commission’s project “Mapping of Broadband Services in Europe” IETF 96 Meeting, Berlin.

1 1 European Central Bank Frankfurt, 21 September 2009 The new European supervisory architecture.

October 2014 HYBRIS ARCHITECTURE & TECHNOLOGY 01 OVERVIEW.

Session 4 – Data collection

Principles Identified - UK DfT -

Session 10 – Summary and Closing remarks

Introduction for the Implementation of Software Configuration Management I thought I knew it all !

Session 2 – Objective of workshop and status quo of project

INSPIRE and the role of Spatial Data Interest Communities (SDIC)

Mirjana Boshnjak Skopje, 20 to 22 September 2017

Session 9 – Data exploitation and publication

Working at a Small-to-Medium Business or ISP – Chapter 8

GDPR (General Data Protection Regulation)

THE NEW GENERAL DATA PROTECTION REGULATION: A EUROPEAN OR A GLOBAL STANDARD? Bart van der Sloot Senior Researcher Tilburg Institute for Law, Technology,

Data Protection: EU & International

Secure Software Confidentiality Integrity Data Security Authentication

Obligations of Educational Agencies: Parents’ Bill of Rights

Session 11 Other Assurance Services

Session 7 – Data aggregation and visualisation

Author: Mathew Chandler

Nettest An implementation of BEREC’s recommendations

IS4680 Security Auditing for Compliance

Amendment to the NUTS Regulation Oliver Heiden Eurostat.E4

Communication and Information Resource Centre Administrator

IS4680 Security Auditing for Compliance

MIG-T meeting, 19th April 2016, Ispra End-user applications

Responses to recent challenges in official statistics Renewed Institutional Frameworks and adoption of good statistical practice Pieter Everaers Director.

The activity of Art. 29. Working Party György Halmos

Ag.no.15.1 and 15.3 Dissemination of A65 data

Tools & Approaches for Ongoing Privacy Compliance

NUTS Agenda: 5.1; Document 9

Ag.no Dissemination of A64 data

Online Data Collection: Ethics

Ag.no.6.1 Dissemination of A64

By Daniel RASE, Eurostat

Integrated Statistical Systems

Designing IIS Security (IIS – Internet Information Service)

Reportnet 3.0 Database Feasibility Study – Approach

The GISCO Progress Report Nov – Feb By Albrecht Wirthmann

The new EDAMIS and its security

4.1 What is WISE compatible

WISE and INSPIRE By Albrecht Wirthmann, GISCO, Eurostat

Presentation transcript:

Session 5 – Data safety / security

Agenda Data safety / security EC + TUV 15:30 – 16:30 Presentation of data safety and security mechanisms (e.g. Memorandum of Understanding) Contractor TÜV Rheinland Ms. Lehmann and Mr. Hafner Questions and Answers on the Memorandum of Understanding EC, DG CNECT, Unit R4 „Compliance“ Mr. Schauer, Deputy Head of Unit, and Mr. Chirila Survey and discussion All

Presentation of data safety and security instruments and mechanisms Outlined in Memorandum of Understanding Data safety Security of European Commission architecture And server within this architecture Security of Mapping application Data security

MoU: Transparency about data suppliers’ specific collection approach Data collection / processing Submission: Agreement on data storage and aggregation for the purpose of the development of the platform No delivery of personal data containing IP addresses etc. Aggregation, integration into platform: Project methodology and standards for data aggregation are approved by project initiator EC (Steering Committee) Project owner recognizes validation procedure applied by data supplier in each initiative Transparency: Disclaimer / pop-up on website displays meta data to provide full picture on each initiative’s approach to avoid misinterpretation

MoU: Data privacy and confidentiality Personal data: Confidentiality: Privacy / confidentiality of information and its use only for statistical purposes ensured No collection of raw data sets containing IP addresses Personal data processed pursuant to Regulation (EC) 45/2001 of the European Parliament and of the Council Data suppliers have right to access and rectify personal data Confidentiality is ensured by both project owner and data suppliers especially with regard to data related to ISPs – no disclosure to not authorized third parties Binding confidentiality during lifetime of project and five years after

MoU: Degree of publication is decided by data supplier Data visualisation / publication (i) All data categories (QoS 1, QoS 2, QoS 3) Names of Internet Service Providers Public Restricted NUTS 3 1km INSPIRE grid 500m INSPIRE grid 250m INSPIRE grid 50m INSPIRE grid Address level Other level [to be explicitly named] Selection of options for data publication:

MoU: Degree of publication is decided by data supplier Data visualisation / publication (ii) Displayed spatial resolution: Data is visualised on public portal on NUTS 3 level (current EUROSTAT version 2013). In expert portal, higher level of resolution is possible (but only on address or grid level), if agreed between project owner and data supplier Open access: Publication in line with European Commission‘s open data policy of public sector information National open access regulation is respected Many data sets already accessible – platform as „directory“ to each open data set

MoU: Data suppliers have control of delivered data Right of access and rectification Limited access: Project owner has access to data collected Data suppliers have access to their own data sets and partial access to other data suppliers’ data sets according to explicit approval in each respective MoU Access differentiates between public version and expert version of the mapping application Other institutions of the EU and of the EEA will have partial access to aggregated, anonymous data sets Rectification: Right to review / rectify all data, if outdated or incorrect Explanatory note outlining reasons for update of data needs to be provided to contractor by data supplier

MoU: Withdraw consent to use their information at any time Right of withdrawal Withdrawal: Data suppliers are entitled to withdraw consent to use their information Deletion: Explanatory note outlining reasons needs to be provided to contractor by data supplier Deletion only in justified cases for aggregated data that is published on the mapping application

Measures related to server architecture and application configuration assure data security Standards: European and other international standards, guidelines and good practices are respected Measures: Limited group of administrators / web designers authorised to access database and mapping platform Configuration, installation of programs, tools and services to prevent unauthorised access Storage: Data sets coded and stored in a system independent from application server Public version: all users Expert version: authorised persons (scope to be agreed) Access:

Main platform security measures European Commission IT infrastructure Reverse Proxy Hardware Firewall SSL/TLS for encryption Application container / Server Only encrypted Server communication allowed (SSL/TLS, SSH) Operating System Measurements (eg. SELinux, IDS, IPS, … ) Role based Access Control System Monitoring

Summary of application security measurements Communication between application and server continuously encrypted (SSL/TLS) Data validation through Input validation, filtering Session management Best security practice software configuration Role based management Avoidance of privilege escalation Password policies Application monitoring