ESS Security and Secure exchange of information Expert Group (E4SEG)
DIME/ITDG Item 8
ESS Security Assurance
Pascal Jacques, ESTAT B2 Local Security Officer
ESS IT Security Framework and assurance mechanism
- State of play of the implementation of the ESS IT security framework and of the ESS IT security assurance mechanism, as presented to the November ESSC.
- From the ESSC document of 17 November 2016: "Further work might be needed to harmonise practices in terms of data classification and controls, and organise the exchange of information on incidents in accordance with ISO27010:2015. These aspects, as well as legal and technical issues of repeated non-compliance, responsibilities and actions in case of breach of confidentiality will be discussed further by the ITDG at its next meeting in February 2017."
Approach to non-compliance with the ESS IT security framework
- Eurostat will provide all necessary means (financial and technical support) to ensure that all ESS members are compliant with the ESS IT security framework by the end of 2019.
- The central certification body will assess the compliance of ESS members based on:
  - results of recent audits carried out internally and transmitted securely;
  - additional information requested where elements are found to be missing;
  - on-site visit(s) to assess some controls physically and to access information which cannot be transferred due to legal or physical constraints;
  - ex-post evaluation of the pre-audit and the on-site visit(s).
Ranking of findings by the certification body
- Observations: information on minor concerns or potential future issues that the ESS member would be well advised to consider.
- Minor non-compliance: more significant concerns that the organisation has to address at some point as a condition of the certificate being granted. The organisation does not follow the ESS IT security framework in some way, but this is not considered to be a significant weakness.
- Observations and minor non-compliances are to be resolved on a self-reporting basis.
Ranking of findings by the certification body (continued)
- Major non-compliances: significant issues in the implementation of the ESS IT security framework; the certificate cannot be awarded until they are resolved.
- The central certification service has to identify the missing information and the security gaps, and to propose mitigation actions to be implemented by the ESS member.
- The certification is suspended until the ESS member has applied the requested mitigation actions.
Major non-compliance, case 1
- Some controls are not fulfilled. The certification service has issued remedial actions.
- A roadmap of corrective actions has been proposed and agreed between the ESS member and the central certification service.
- The ESS member agrees to implement them within the deadlines.
- The ESS member goes through the certification process again.
Major non-compliance, case 2
- Some controls are not fulfilled. The certification service has issued remedial actions.
- The ESS member DOES NOT agree to implement them within the deadlines, for technical or financial reasons.
- Compensating controls (alternative controls) can be used to reduce the risk. In this case, an exception should be created for this member and this control, and endorsed by the ITDG. The country can then go through the certification process again on the basis of the new framework.
- ESTAT can support the member financially or physically (support mission) for a short duration in order to solve the problems and pass the certification again.
Major non-compliance, case 3
- Some controls are not fulfilled. The certification service has issued remedial actions.
- The ESS member DOES NOT agree at all to implement them within the requested deadlines.
- The ESS member is therefore not a trustworthy partner in the network. Sanctions could then apply:
  - Technical: based on the advice of the ITDG, the ESSC could decide not to send data to the non-compliant ESS member and ask it to delete any data already transmitted. The ESS member is however still obliged to transmit its microdata to the network.
Progress of work
- Central certification service: call for tender closed; evaluation finished. The contract should be awarded and signed before the end of March 2017, and the action should start around May 2017. The central certification service should contact the MS in June and start certification activities according to the agenda.
- Organisation of workshops in 2017, 2018 and 2019.
- Capacity building grants: call for proposals closed; evaluation finished; contracts should be signed; ESS members informed.
Certification roadmap
- Certifications:
  - 3 countries in 2017: EE: October 2017??, IT: November 2017, NL: ??
  - 15 countries in 2018: BE, BG, DE, EL, FI (NSI+ONA), HR, HU, LT, LU, LV, PT, SE, SK, SI
  - 12 countries in 2019: AT, CZ, CY, DK, ES, FR, IE, MT, PL, RO, UK (NSI+ONA)
- Potential "re-certifications" in 2018 and 2019.
- Reports to the February ESSCs in 2018, 2019 and 2020.
Organisation of workshops in 2017, 2018 and 2019
- 1st workshop, on information classification (September 2017):
  - harmonise practices in terms of data classification and controls;
  - propose guidelines for data classification and develop lookup tables for already existing classifications;
  - one delegate per ESS member invited.
- 2nd workshop, on incident management and on putting in place a structure for exchanging security incidents within the ESS (June 2018):
  - rapid exchange of information regarding any incident compromising the security of the information exchanged and of the systems dealing with it.
- 3rd workshop, on ESS guidelines for harmonised security policies and harmonised rules for staff recruitment policies (June 2019).
Capacity building grants
- ESTAT to provide support to MS:
  - to improve their IT security level;
  - to ensure compliance with the ESS IT Security Entry Pack.
- Mono-beneficiary grants, organised in 3 steps:
  - First group of ESS members to be supported in 2017: grants launched in September 2016; 10 countries supported (DE, EL, HR, IT, LT, LU, NL, PL, SI, SK) for an amount of 1.245 M€.
  - Second group of ESS members to be supported in 2018: grants to be launched in May 2017, deadline 09/17.
  - Third group of ESS members to be supported in 2019.
Additional supporting measures (1)
- Certification preparatory visits: Eurostat to provide on-demand support and advice to ESS members on issues related to the implementation of the ESS IT security framework in their specific environment.
- Use of capacity building grants:
  - to help increase the maturity level of security;
  - but also to help correct gaps identified during the certification process.
Additional supporting measures (2)
- Proposal to the ITDG: extend the membership of the existing ESS IT Expert Group to ensure that all ESS members are represented in the discussions regarding security assurance and can express their views and concerns.
- Use the ESS IT Expert Group as an advisory body to the ITDG regarding the validation of compensating controls in the 'exception' procedure.
Certification preparatory visits
- Discuss with MS the implementation of the ESS IT security framework in relation to their local IT specificities.
- Focus on the mandatory exchange of information in relation to ITGS and national implementations.
- Identify security gaps and improvement actions before certification.
Certification preparatory visits
- To come: PL: 1-2/3/17, SK: 21-22/3/17, HU: 29-30/3/17, LV: 11-12/5/17, BG: 31-1/6/17, LT: 14-15/6/17, HR: 28-29/6/17, IT: 5-6/7/17, CZ: 12-13/7/17
- Completed: MT: 23-24/8/16, SE: 20-21/9/16, EL: 27-28/9/16, CY: 8-9/11/16, LU: 1-2/12/16, IE: 5-6/12/16, AT: 20-21/12/16, EE: 18-19/1/17
Next steps
- Gather feedback from DIME/ITDG members on the proposed mechanism and on non-compliance issues with remedial actions.
- Draft guidelines following the DIME/ITDG opinions within the ESS IT security TF.
- Continue discussions with, and security visits to, ESS members in order to improve overall IT security maturity in the ESS.
- Invite all MS to participate in the next TF meeting in June in Porto.
- Continue and finalise the preparation of MS for certification and pre-check their readiness for the process.
- Organise the workshop on data classification in September.
- Pilot the certification process with the first 3 ESS members in 2017.
- Ensure consistency of treatment between MS regarding certification.