SISAI STATISTICAL INFORMATION SYSTEMS ARCHITECTURE AND INTEGRATION

SISAI STATISTICAL INFORMATION SYSTEMS ARCHITECTURE AND INTEGRATION WORKING GROUP, 3rd MEETING, 13-14 MAY 2013, ITEM 1.7: ESS Security Survey

ESS Security Survey ESTAT LISO – B0

Objectives
- Answer the challenges presented to SISAI on 12-13/6/2012
- Improve the efficiency of the statistical production chain
- Need to increase IT security in order to build trust between ESS partners
- Rationalisation of EU IT development
- Implementation of the vision (COM 404/2009) and the ESS Joint Strategy
- Fight against cyber-criminality

Actions and progress since 2012
- Finalise the MS consultation and get feedback on the initiative: initiative well received and supported by all MS
- Visits to some NSIs to understand their infrastructure: under preparation
- Present a draft action plan to ITDG: ITDG agreed on the creation of a one-year WG on Security, with scope on security frameworks showing clear examples
- Organise an "Enterprise Architecture Security Workshop" at the end of 2012: done on 13-14/12/2012; all information is on the CROS portal; mandate and action plan discussed
- Possible pilot project with a few MS to exchange secure messages on CCN (Common Communication Network of DG TAXUD): under ESS.VIP.ESDEN

Conclusions of the TF
- Understand the national conditions (infrastructure, security rules) allowing ESS partners to be connected to one or another secure network
- Be aware of the policies applied in the other ESS members, their compatibilities and consistencies
- Objective: speak a common security language
  - first analysis of the different security frameworks (survey)
  - survey analysis until June
  - results circulated to the group at the end of June
  - submission to ITDG and DIME
  - recommendations for the creation of the common security language in September
- A strategic document on the implementation of the common ESS security framework to be submitted to the ESSC at the end of 2013

Survey content
Context:
- Any IT security framework published
- Shared infrastructure with other administrations
- Centralised NSI
- Network between offices
- Who is in charge of producing official statistics
Confidential info:
- Data centre operation
- Remote access facilities and technologies used
- Team dealing with confidentiality
- Conditions for exchanging confidential information with other NSIs

Data protection:
- Rules and needs for confidentiality
- Security included in the objectives of the organisation
- Maturity level of the security guidelines
- At which GSBPM stage data protection is applied
Implementation:
- Risk analysis and methodology
- Application of information security in project management
- Technology safeguards used
- Data privacy safeguards
- Information security safeguards
- Network used for connection with EU services
- Preferred network connection

Governance:
- Who manages IT security
- Support from national offices or agencies
- Security officer in place
Audit:
- Responsible body
- Incident management, number and cause of incidents
- Periodicity and date of the last audit
Resources:
- IT security team
- Person in charge
- Spending on security

Survey Results (1)
34 answers from 30 countries:
- 24 EU MS (missing AT, EL, IE)
- 6 EFTA and candidate countries
Other security frameworks reported:
- Decree on Information Security in Central Government (1)
- DS484:2005, to be replaced by ISO 27001
- CESG / Security Policy Framework guidance
- ISO 27000
- Customised German BSI Grundschutz standards 100-1, 100-2, 100-3, 100-4 (BSI: Federal Office for Information Security; the baseline protection standards are compatible with ISO 27001/2) (4)
- Spanish National Security Framework, correlated with ISO 27002
- ISKE, based on the German IT Baseline Protection Manual and the ISO 27001 and ISO 27002 recommendations

Survey Results (2)

Data Centre
Other types of data centre management reported:
- Commercial data centre managed by NSI personnel
- Data centre run by an IT provider
- Own data centre with partial cooperation with the central government data centre
- Own data centre maintained in collaboration with a service provider
- Own data centre with NSI IT personnel, plus 10% non-NSI IT personnel supervised by internal IT personnel
- Central IT service provider at ministry level (2)

Conditions for exchanging confidential info with other MS
- Adoption of a legal framework: 17
- Agreement on confidential data usage / contract with technical conditions: 7
- Same conditions as national rules: 6
- Data encryption: 5
- Secure connection such as sTESTA / common secure IT infrastructure: 3
- Not possible due to national rules
- Do not know: 2
- To be discussed
- Limited list of users / authentication
- Anonymisation: 1
- Compliance with IT security principles (CIA: confidentiality, integrity, availability)

Team dealing with confidentiality (rules, access)
- No dedicated team: 11
- Unknown: 3
- 1 person (DPO): 1
- 2 people
- 3 people
- 3.5 people: IT security
- 4 people
- 4 people: 1 (disclosure control) + 3 (IT security)
- 4.5 people: legal and methodology
- 6 people
- 7 people
- 8 people
- 8 people: 3 (methodology) + 5 (microdata access)
- 9 people: 2
- 13 people: confidential data WG
- 15 people
- 15 people, half time on confidentiality
- 17 people: 12 (confidentiality) + 5 (dissemination)
- 20 people: IT (4), security committee (9), data privacy (7)

Data Protection
At which GSBPM stage is data protection applied?
- At all stages: 14
- 2 Design: 3
- 2.5 Design of methodology: 1
- 3 Build
- 4 Collection: 9
- 5 Process: 7
- 6 Analyse
- 6.4 Disclosure control: 4
- 7 Disseminate
- 8 Archive
Needs for confidentiality (legal basis):
- Constitution: 9
- Law: 20
- Act: 14
- Self-made rules: 22

Security Implementation
Involvement of security in projects:
- Analysis and design phase: 16
- As-needed basis: 9
- Implementation phase: 8
- Inception phase
Technology safeguards:
- Automated account provisioning/deprovisioning: 8
- Identity management: 27
- Encryption of laptops/mobile devices: 19
- Malicious code detection: 32
- Intrusion detection: 26
- Malware detection: 33
- Patch management
- Log management: 22
- Dedicated isolated network for confidential data management: 14
- Firewall: 4

Implementation (2)
Data privacy safeguards:
- Privacy policy revised annually: 17
- Inventory of location of personal data and jurisdiction: 20
- Incident response process: 23
- Require third parties to comply with privacy policies: 21
- Malware/virus detection: 33
- Encryption: 25
- Confidentiality commitment for employees
- Restricted access to statistical database
Process safeguards:
- Information security strategy: 24
- Security baselines/standards for external partners: 22
- Identity management
- BCP / recovery strategy: 23
- Employee security awareness training
- Penetration testing
- Threat and vulnerability assessment: 17

Implementation (3)
Secure connections with EU services: which kind of access would you prefer?
- I do not know: 1
- No opinion: 2
- Secured access for statistical purposes
- sTESTA: 4
- To be discussed
- VPN

Governance
Other IT security management levels:
- Separate office / other IT department: 2
- At government level: 4

Audit

IT Security Resources