EU’s Information Security Expectations Aleksandar Klaić Office of the National Security Council – Croatian National Security Authority (NSA)

2 Session parts
1. Introduction – Information Space
2. Information Security Requirements
3. Conclusion

3 Part 1
1. Introduction – Information Space

4 Single European Information Space
“i2010: European Information Society 2010” – five-year strategy
– European Commission, COM(2005) 229 final, Brussels
– Growth & employment strategy
– Priorities: Single European Information Space, Innovation and Investment, Inclusive European Information Society
– Single European Information Space: affordable & secure high-bandwidth communications, rich & diverse content and digital services

5 Foundations of the Information Space

6 Information Domains
Traditional information domains like:
– Classified information domain (secrecy, legal persons – Government/military; confidential)
– Unclassified information domain (privacy, legal persons; sensitive but not classified)
– Personal information domain (privacy, physical persons)
– Public information domain (disclosure is not welcome but would not cause any adverse impact)
Contemporary democratic concepts like:
– Freedom of information
– Open & transparent Government (e-Government)
Information Society paradigm

7 Information Society
Paradigm that arose at the turn of the 20th & 21st centuries
– (wide) national & society oriented
– Private Government & public ICT infrastructure (CERTs)
“Successor” of the e-Government paradigm
– (narrow) government & technically oriented
– Primarily private Government ICT infrastructure
Connection with information security
– Standardization of ICT and IS fields: CEN (ISSS), CENELEC, ETSI, ISO
– IS in the foundation of the information society: COM(2006)251 final – A Strategy for a Secure Information Society
– Prioritized interoperability issue: technical, semantic, and organizational level; IDABC (Interoperable pan-European eGov services)

8 Part 2
2. Information Security Requirements – legislation and policy requirements

9 Information Security Requirements
Explicit requirements (legislative)
– General legislative requirements, e.g. Personal Data Protection Act
– Specific legislative requirements, e.g. Code on Corporate Governance, Sarbanes-Oxley Act
– Accession/membership program requirements, e.g. EU e-Signatures Directive 1999/93/EC
Implicit requirements (policy)
– Security Agreement – security policy, e.g. EU Council’s Security Regulations 2001/264/EC
– Community programs, e.g. i2010, COM(2005) 229 final
– Sectoral requirements, e.g. Basel II (finance sector)

10 Legislation Puzzle

11 EU Reference legislation (eur-lex.europa.eu)
– Council Decision 92/242/EEC in the area of security of information
– Council Resolution on a common approach and specific actions in the area of network and information security (OJ 2002/C 43/02, 28 January 2002)
– Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
– Telecommunications Data Protection Directive 97/66/EC
– Directive 2002/58/EC on Privacy and Electronic Communications
– Data Retention Directive 2006/24/EC
– Commission Communication to counter spam (COM(2004)28)
– Council Resolution 2000/C 293/02 on the organization and management of the Internet
– EU Parliament and Council Decision 854/2005/EC on promoting safer use of the Internet; Decision 1151/2003/EC on combating illegal and harmful content on global networks
– Safer Internet plus Programme (europa.eu.int/saferinternet)
– ISO :2001, ISO :2001, ISO/IEC 17799:2005, ISO/IEC 27001:2005, ISO/IEC 13335-x; European testing framework for Electronic Records Management Systems (ERM)
– Agreement Between the Republic of Croatia and the European Union on Security Procedures for the Exchange of Classified Information, 9/2006, 18 October 2006
– Memorandum of Understanding between the European Community and the Republic of Croatia on the participation of the Republic of Croatia in the Community program on the interoperable delivery of pan-European e-Government services to public administrations, businesses and citizens (IDABC), 2/2007, 28 February 2007

12 Information Security Definition
General:
– Information security is characterized as the preservation of confidentiality, integrity, and availability of information, and it is achieved by implementing a suitable set of controls.
Information Society:
– Information security is not a right in itself; it is an instrument to exercise and enjoy other basic rights like the right to confidentiality, personal data protection, or trade secrets.

13 Security Policy Requirements
Information criteria:
– Security (Confidentiality, Integrity, Availability)
– Fiduciary (Compliance, Reliability)
– Quality (Effectiveness, Efficiency)
Confidentiality: Secrecy / Privacy
– Classified (Secrecy): 4-grade damage-based classification system: Top Secret, Secret, Confidential (national levels); Restricted (institutional level)
– Unclassified (Privacy): Personal data

14 Security Agreement
Security procedures for the exchange of classified information
Bilateral between two countries:
– Mutual trust in security policies (no assessment)
– The level of protection of foreign data is equal to or higher than that of national data
Bilateral between a country and an international organization like the EU or NATO:
– Minimal security requirements – baseline standards
– Assessment-based trust: legislation, organization, procedures
– Designated Security Authority – National Security Authority (NSA)

15 EU’s Inf. Security Organization
Council of the EU
– General Secretariat Security/Infosec Offices
– Judiciary body (national)
– MS ministers
– Policy making
– Inspections of Accession Countries
European Commission
– Security Directorate Departments
– Agency ENISA
– Executive body
– EU institution
– Policy implementation
– Cooperation with national (MS) authorities

16 Harmonization based on Sec. Agr.
Security policy – key document:
– Council Decision, 19 March 2001, adopting the Council’s security regulations (2001/264/EC)
– Commission Decision, 29 November 2001, amending its internal Rules of Procedure (2001/844/EC)
Security organization:
– National Security Authority (NSA) – central coordinating institution
– Infosec Authority (IA or NCSA) – auxiliary specialized institution
– Planning and Implementation Authority (PIA) – auxiliary specialized institution
– CISO/LISO – Central/Local Inf. Sec. Officers
Security areas:
– Personnel Security, Physical Security, Security of Information, INFOSEC (Information System Security), Industrial Security
Baseline standards

17 Baseline Standards
Information security standards that shall be applied in each member state
Why not a risk assessment/management process?
– Baseline procedures are the result of risk assessment/management at the highest org. level: periodic changes of security policy and implementing directives
– Org. concept follows the model of a central/HQ organization with subsidiaries that usually lack field expertise and/or senior management resources
– Recommendation for a national risk management process: different environments (legislation, culture, tradition)
Old-fashioned way, but successful in an extremely heterogeneous environment such as the government sector

18 Security Policy Development

19 Information Infrastructure Approach
EU Security Policy (2001):
– Classified infrastructure (isolated, air-gap): “Top Secret”, “Secret”, “Confidential”
– Protected private infrastructure: “Restricted”, (non-classified); TESTA network (IDABC)
– Public infrastructure: GW connectivity w/ protected private infrastructure; portal Your Europe
EU Inf. Society (2010)
NATO Security Policy (2006):
– Classified infrastructure (isolated, air-gap): “Top Secret”, “Secret”, “Confidential”
– Unclassified infrastructure: Unclassified, (“Restricted”)
– Public infrastructure: GW connectivity w/ unclassified infrastructure
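The three infrastructures of the EU 2001 policy on slide 19 and the “equal or higher protection” rule of a bilateral security agreement on slide 14, written out as placement and transfer checks. This is an added example, not material from the presentation: the zone names are my own labels for the slide’s infrastructures, and the partner markings P-LOW/P-MID/P-HIGH with their grades are constructed.

```python
from enum import IntEnum

class Level(IntEnum):
    """Damage-based grades from slide 13, lowest first."""
    UNCLASSIFIED = 0   # privacy domain: personal / sensitive-but-unclassified data
    RESTRICTED = 1     # institutional level
    CONFIDENTIAL = 2   # national levels from here up
    SECRET = 3
    TOP_SECRET = 4

# Highest level each infrastructure of the EU 2001 policy (slide 19) carries.
# Zone names are my own labels for the slide's three infrastructures.
ZONE_CEILING = {
    "public": Level.UNCLASSIFIED,            # portal "Your Europe"
    "protected_private": Level.RESTRICTED,   # TESTA network (IDABC)
    "classified": Level.TOP_SECRET,          # isolated, air-gapped
}

# The only inter-zone link on the slide: a gateway between public and
# protected private. The classified infrastructure is not linked at all.
GATEWAY_LINKS = {frozenset({"public", "protected_private"})}

def placement_zone(level: Level) -> str:
    """Least-protected zone whose ceiling still dominates the item's level."""
    fits = [z for z, ceiling in ZONE_CEILING.items() if level <= ceiling]
    return min(fits, key=ZONE_CEILING.__getitem__)

def transfer_allowed(src: str, dst: str, level: Level) -> bool:
    """An item may move src -> dst only into a zone accredited for its level,
    and only over a gateway link (or within a single zone)."""
    if level > ZONE_CEILING[dst]:
        return False
    return src == dst or frozenset({src, dst}) in GATEWAY_LINKS

# Bilateral rule from slide 14: foreign data receives protection equal to or
# higher than national data. Constructed partner scheme: the damage grade the
# partner attaches to each of its markings, and what the agreement maps it to.
PARTNER_DAMAGE = {"P-LOW": Level.RESTRICTED, "P-MID": Level.CONFIDENTIAL,
                  "P-HIGH": Level.SECRET}
PARTNER_TO_NATIONAL = {"P-LOW": Level.RESTRICTED, "P-MID": Level.SECRET,
                       "P-HIGH": Level.SECRET}

def agreement_consistent(damage: dict, mapping: dict) -> bool:
    """Every partner marking must land on a national level at least as high
    as the damage grade the partner assigns to it (never a downgrade)."""
    return all(mapping[m] >= damage[m] for m in damage)

def zone_for_foreign(marking: str) -> str:
    """Where received partner data may be placed under the agreement."""
    return placement_zone(PARTNER_TO_NATIONAL[marking])
```

The checks reject a Restricted item flowing from the protected private zone to the public one, and any link-based flow into the air-gapped classified zone, which is what the slide's gateway layout implies.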

20 Plan–Do–Check–Act Process

21 ENISA
European Network and Information Security Agency, established 10 March 2004 (2004/460/EC)
“Connects” all phases of the PDCA process and all participants in the information society
Primarily security awareness responsibility
Expert analysis in the field of:
– Risk management, security technologies and policies, …
Coordination of:
– EU bodies and MS
– Industry and international organizations
– CERTs in EU

22 Other Initiatives
Focus on Small and Medium Enterprises (SMEs)
– ENISA: Information Package for SMEs (RM/RA), February 2007
EU Regulatory Framework for electronic communications networks and services
– Review of the EU Regulatory Framework for el. communications networks and services, June 2006, COM(2006)334 final: breaches of security – notifications, keep users informed; authorization of national authorities – specific security measures that implement Commission recommendations or decisions; network integrity – to modernize provisions
– Based on A Strategy for a Secure Information Society, May 2006, COM(2006)251 final (i2010)
European Programme for Critical Infrastructure Protection (EPCIP)
– CI sectors (Energy, ICT, Water, Food, …)
– All-hazards approach, terrorism priority
– Green Paper on EPCIP, COM(2005)576 final, November 2005

23 Part 3
3. Conclusion

24 Conclusion
The EU has a complex regulation framework in the field of information security
Information security requirements:
– Traditional scope of the security policy
– Contemporary demands of the information society
Very similar security policy strategies – EU & NATO (and generally Member States)
Private Protected or Unclassified (+ “Restricted”) infrastructure:
– Similar approaches in MSs, EU (even NATO) based on society factors
– More and more focused on international information security standards, like the area of personal data protection

25 Questions? Thank you!