
Page 1: EU’s Information Security Expectations

Aleksandar Klaić
Office of the National Security Council – Croatian National Security Authority (NSA)

Page 2: Session parts

1. Introduction – Information Space
2. Information Security Requirements
3. Conclusion

Page 3: Part 1 – Introduction – Information Space

Page 4: Single European Information Space

• “i2010: European Information Society 2010” – five-year strategy
  – European Commission, COM(2005) 229 final, Brussels 1.6.2005
  – Growth & employment strategy
  – Priorities:
    • Single European Information Space, Innovation and Investment, Inclusive European Information Society
  – Single European Information Space:
    • affordable & secure high bandwidth communications
    • rich & diverse content and digital services

Page 5: Information Space

[Figure: Foundations of the Information Space – timeline 1970–2010 on a Public–Secret axis, showing Classified Data, Unclassified Data, Personal Data, Freedom of Information, e-Government and Information Society.]

Page 6: Information Domains

• Traditional information domains like:
  – Classified information domain (secrecy, legal persons – Government/military; confidential)
  – Unclassified information domain (privacy, legal persons; sensitive but not classified)
  – Personal information domain (privacy, physical persons)
  – Public information domain (disclosure is not welcome but would not cause any adverse impact)
• Contemporary democratic concepts like:
  – Freedom of information
  – Open & transparent Government (e-Government)
• Information Society paradigm

Page 7: Information Society

• Paradigm that arose at the turn of the 20th & 21st centuries
  – (wide) national & society oriented
  – Private Government & public ICT infrastructure (CERTs)
• “Successor” of the e-Government paradigm
  – (narrow) government & technically oriented
  – Primarily private Government ICT infrastructure
• Connection with information security
  – Standardization of ICT and IS fields
    • CEN (ISSS), CENELEC, ETSI, ISO
  – IS in the foundation of the information society
    • COM(2006)251 final – A Strategy for a Secure Information Society
  – Prioritized interoperability issue
    • technical, semantic, and organizational level
    • IDABC (Interoperable pan-European eGov services)

Page 8: Part 2 – Information Security Requirements – legislation and policy requirements

Page 9: Information Security Requirements

• Explicit requirements (legislative)
  – General legislative requirements
    • e.g. Personal Data Protection Act
  – Specific legislative requirements
    • e.g. Code on Corporate Governance, Sarbanes-Oxley Act
  – Accession/membership program requirements
    • e.g. EU e-signatures Directive 1999/93/EC
• Implicit requirements (policy)
  – Security Agreement – Security policy
    • e.g. EU Council’s Security Regulations 2001/264/EC
  – Community Programs
    • e.g. i2010 – COM(2005) 229 final
  – Sectoral requirements
    • e.g. Basel II (finance sector)

Page 10: Legislation Puzzle

Page 11: EU Reference legislation

• eur-lex.europa.eu
  – Council Decision 92/242/EEC in the area of security of information
  – Council Resolution on a common approach and specific actions in the area of network and information security (OJ 2002/C 43/02, 28 January 2002)
  – Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
  – Telecommunications Data Protection Directive 97/66/EC
  – Directive 2002/58/EC on Privacy and Electronic Communications
  – Data Retention Directive 2006/24/EC
  – Commission Communication to counter spam (COM (2004)28)
  – Council Resolution 2000/C 293/02 on the organization and management of the Internet
  – EU Parliament and Council Decision 854/2005/EC on promoting safer use of the Internet, Decision 1151/2003/EC on combating illegal and harmful content on global networks
  – Safer Internet plus Programme (europa.eu.int/saferinternet)
• www.iso.org
  – ISO 15489-1:2001, ISO 15489-2:2001, ISO/IEC 17799:2005, ISO/IEC 27001:2005, ISO/IEC 13335-x
• www.cornwell.co.uk/moreq.html
  – European testing framework for Electronic Records Management System (ERM)
• www.nn.hr
  – Agreement Between the Republic of Croatia and the European Union on Security Procedures for the Exchange of Classified Information, 9/2006, 18 October 2006
  – Memorandum of Understanding between the European Community and the Republic of Croatia on the participation of the Republic of Croatia in the Community program on the interoperable delivery of pan-European e-Government services to public administrations, businesses and citizens (IDABC), 2/2007, 28 February 2007

Page 12: Information Security Definition

• General:
  – Information security is characterized as the preservation of confidentiality, integrity, and availability of information, and it is achieved by implementing a suitable set of controls.
• Information Society:
  – Information security is not a right in itself; it is an instrument to exercise and enjoy other basic rights like the right to confidentiality, personal data protection, or trade secrets.

Page 13: Security Policy requirements

• Information Criteria:
  – Security (Confidentiality, Integrity, Availability)
  – Fiduciary (Compliance, Reliability)
  – Quality (Effectiveness, Efficiency)
• Confidentiality:
  – Secrecy --------------- Privacy
  – Classified (Secrecy):
    • 4-grade, damage-based classification system
    • Top Secret, Secret, Confidential (national levels)
    • Restricted (institutional level)
  – Unclassified (Privacy):
    • Personal data

Page 14: Security Agreement

• Security procedures for the exchange of classified information
• Bilateral between two countries
  – Mutual trust in security policies (no assessment)
  – The level of protection of foreign data is equal to or higher than that of national data
• Bilateral between a country and an international organization like the EU or NATO
  – Minimal Security Requirements – Baseline standards
  – Assessment-based trust
    • Legislation, organization, procedures
    • Designated Security Authority – National Security Authority (NSA)

Page 15: EU’s Inf. Security Organization

• Council of the EU
  – General Secretariat
    • Security/Infosec Offices
  – Judiciary body (national)
  – MS ministers
  – Policy making
  – Inspections of Accession Countries
• European Commission
  – Security Directorate
    • Departments
  – Agency ENISA
  – Executive body
  – EU institution
  – Policy implementation
  – Cooperation with national (MS) authorities

Page 16: Harmonization based on Sec. Agr.

• Security policy – key document
  – Council Decision, 19 March 2001, adopting the Council’s security regulations (2001/264/EC)
  – Commission Decision, 29 November 2001, amending its internal Rules of Procedure (2001/844/EC)
• Security organization:
  – National Security Authority (NSA) – central coordinating institution
  – Infosec Authority (IA or NCSA) – auxiliary specialized institution
  – Planning and Implementation Authority (PIA) – auxiliary specialized institution
  – CISO/LISO – Central/Local Inf. Sec. Officers
• Security Areas:
  – Personnel Security, Physical Security, Security of Information, INFOSEC (Information System Security), Industrial Security
• Baseline standards

Page 17: Baseline Standards

• Information security standards that shall be applied in each member state
• Why not a risk assessment/management process?
  – Baseline procedures are the result of risk assessment/management at the highest organizational level:
    • Periodic changes of security policy and implementing directives
  – The organizational concept follows the model of a central/HQ organization with subsidiaries that usually:
    • lack field expertise and/or senior management resources
  – Recommendation for a national risk management process:
    • Different environments (legislation, culture, tradition)
• Old-fashioned way, but successful in an extremely heterogeneous environment such as the government sector

Page 18: Security Policy Development

Page 19: Information Infrastructure Approach

EU Security Policy (2001):
• Classified infrastructure (isolated, air-gap)
  – “Top Secret“, “Secret”, “Confidential”
• Protected Private infrastructure
  – “Restricted”, (non-classified)
  – TESTA Network (IDABC)
• Public infrastructure
  – GW connectivity w/protected private infrastructure
  – Portal Your Europe http://ec.europa.eu/youreurope/

EU Inf. Society (2010)

NATO Security Policy (2006):
• Classified infrastructure (isolated, air-gap)
  – “Top Secret“, “Secret”, “Confidential”
• Unclassified infrastructure
  – Unclassified, (“Restricted”)
• Public infrastructure
  – GW connectivity w/unclassified infrastructure

Page 20: Plan–Do–Check–Act Process

Page 21: ENISA

• European Network and Information Security Agency, established 10 March 2004 (2004/460/EC)
• “Connects” all phases of the PDCA process and all participants in the information society
• Primarily Security Awareness responsibility
• Expert Analysis in the field of:
  – Risk Management, Security Technologies and Policies, …
• Coordination of:
  – EU bodies and MS
  – Industry and International Organizations
  – CERTs in the EU

Page 22: Other Initiatives

• Focus on Small and Medium Enterprises (SMEs)
  – ENISA: Information Package for SMEs (RM/RA), February 2007
  – http://www.enisa.europa.eu
• EU Regulatory Framework for electronic communications networks and services
  – Review of the EU Regulatory Framework for electronic communications networks and services, June 2006, COM(2006)334 final
    • Breaches of security – notifications, keep users informed
    • Authorization of national authorities – specific security measures that implement Commission recommendations or decisions
    • Network integrity – to modernize provisions
  – Based on A Strategy for a Secure Information Society, May 2006, COM(2006)251 final (i2010)
• European Program for Critical Infrastructure Protection (EPCIP)
  – CI Sectors (Energy, ICT, Water, Food, …)
  – All-hazards approach, terrorism priority
  – Green Paper on EPCIP, COM(2005)576 final, November 2005

Page 23: Part 3 – Conclusion

Page 24: Conclusion

• The EU has a complex regulation framework in the field of information security
• Information security requirements:
  – Traditional scope of the security policy
  – Contemporary demands of the information society
• Very similar security policy strategies – EU & NATO (and generally Member States)
• Private Protected or Unclassified (+ “Restricted”) Infrastructure:
  – Similar approaches in MSs, EU (even NATO), based on society factors
  – More and more focused on international information security standards, such as in the area of personal data protection

Page 25: Questions?

THANK YOU !!!