DIGIT Directorate-General for Informatics

ISO 27k security standards: What does it mean for ECI?
29 November 2012
Legal base

Regulation (EU) No 211/2011 of the European Parliament and of the Council of 16 February 2011 on the citizens' initiative

Commission Implementing Regulation (EU) No 1179/2011 of 17 November 2011 laying down technical specifications for online collection systems pursuant to Regulation (EU) No 211/2011 of the European Parliament and of the Council on the citizens' initiative
(EU) No 211/2011

Article 6 Online collection systems

1. Where statements of support are collected online, the data obtained through the online collection system shall be stored in the territory of a Member State. The online collection system shall be certified in accordance with paragraph 3 in the Member State in which the data collected through the online collection system will be stored.
(EU) No 211/2011 (ctd.)

Article 6 Online collection systems

4. Online collection systems shall have adequate security and technical features in place in order to ensure that:
a) only natural persons may submit a statement of support form online;
b) the data provided online are securely collected and stored;
c) the system can generate statements of support in a form complying with the models set out in Annex III.
(EU) No 1179/2011

Provides technical specifications to address Article 6(4) of Regulation (EU) No 211/2011.

(a) and (c) are addressed by the Online Collection Software (OCS) provided by the European Commission (Sections 1 and 3 of the annex).

(b) is addressed in Section 2 of the annex, which details requirements which:
- have to be addressed by the Organisers;
- are addressed by the Online Collection Software provided by the European Commission;
- have to be addressed by the hosting infrastructure.
(EU) No 1179/2011 (ctd.)

Section 2 of the annex provides technical specifications for the following domains:
- Information assurance standards (→ Organisers)
- Functional requirements (→ OCS)
- Application level security (→ OCS + hosting infrastructure)
- Database security and data integrity (→ OCS + hosting infrastructure)
- Infrastructure security (→ hosting infrastructure)
- Organiser client security (→ Organisers)
July, 18th
EC as hosting provider … only?

The main objective was to provide a suitable hosting infrastructure (compliant with the 1179/2011 Section 2 requirements).

However, it quickly appeared that the EC could also help:
- in drafting the documents required by 2.1 and 2.2;
- in fulfilling the Organiser client security requirements (Live-DVD).
Information assurance standards

Organisers provide documentation showing that they fulfil the requirements of standard ISO/IEC 27001, short of adoption. For that purpose, they have:
a) performed a full risk assessment, …;
b) designed and implemented measures for treating risks …;
c) identified the residual risks in writing;
d) provided the organisational means to receive feedback on new threats and security improvements.
Information assurance standards (ctd.)

Organisers choose security controls based on the risk analysis in 2.1(a) from the following standards:
1) ISO/IEC 27002; or
2) the Information Security Forum's 'Standard of Good Practice'
to address the following issues:
a) risk assessments (ISO/IEC or another specific and suitable risk assessment methodology are recommended);
b) physical and environmental security;
c) human resources security;
d) communications and operations management;
e) …
ISO security standards

ISO 27001 formally specifies a management system that is intended to bring information security under explicit management control.

ISO 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS).
ISO 27002 domains
ISO 27001 ISMS
ECI Documentation package

To fulfil the above requirements, the EC agreed with the Luxembourgish Authorities to build the following security documentation package:
1. the Security Scope
2. the Business Impact Analysis (BIA)
3. the Risk Assessment Report (RAR)
4. the Risk Treatment Plan, including Residual Risks (RTP)
5. the Statement of Applicability (SoA)
ECI Documentation package (ctd.)

The EC also built guidance documents to help the Organisers draft their part of the security documentation, i.e.:
1. Organiser Risk Assessment Guidance
2. Organiser Risk Treatment Plan Guidance
3. Organiser Statement of Applicability Guidance

The guidance documents have been drafted to be as reusable as possible, and thus to minimise the Organisers' documentation effort.
Organiser client security

For the sake of end-to-end security, the organisers take the necessary measures to secure the client application/device that they use to manage and access the online collection system, such as:
- Users run non-maintenance tasks (such as office automation) with the lowest set of privileges that they require to run.
- When relevant updates and patches of the OS, any installed applications, or anti-malware become public, such updates or patches are installed expediently.
And finally …
Q&A