PiTuKri - the Finnish criteria for assessment of information … · 2020 – 2025 – 2030 – 2040?
Division of information security responsibilities in Finland
The security of communications connections and services is the responsibility of the Ministry of Transport and Communications.
The Ministry of Finance is responsible for the steering and development of the state's information security.
The Foreign Ministry is responsible for international information security obligations.
Information classification 2020->
TL IV (restricted)
TL III (confidential)
TL II (secret)
TL I (top secret)
Salassa pidettävä (~classified)
Information classification 2020 -> aggregation of information
TL IV (restricted)
TL III (confidential)
TL II (secret)
TL I (top secret)
Salassa pidettävä (~classified)
A national information security authority, whose duties consist of:
• Collecting information on information security violations and threats;
• Informing about information security related matters and the performance of communication networks and services;
• Solving information security violations and threats against networks, communications and value-added services;
• Steering and supervision of telecommunications operators' information security management and preparedness;
• Information assurance matters related to the handling of classified information in electronic communications;
• Supervising the responsibilities related to the confidentiality of electronic communications.
The National Cyber Security Centre (NCSC-FI)
Security services of the NCSC-FI
Situational awareness and network coordination
Detection and assistance
Other authoritative services
Assessments and accreditations
Accreditation of information systems
For governmental organisations' information systems that are related to fulfilling international information security obligations.
For the systems of companies that participate in international competitive bidding and need accreditation from a National Communications Security Authority.
Assessments and accreditations of cryptographic products
For products intended to be used in protecting national or international classified information.
Assessment services
For the information systems under the command of the authority or systems planned to be procured for such use.
For information systems under the command of the authority based on the request from the Ministry of Finance.
Finnish Communications Regulatory Authority's security assessment and accreditation services support the proactive and preventive security work and actions.
Information security advisory service
The purpose of the information security advisory service is to guarantee awareness of cyber threats and possible resolutions in the operational environment within the organisations.
The focus and the scope of the support is determined in cooperation with the client case-by-case.
NCSC-FI serves public administration and organisations critical to the security of supply by providing advice on information security related matters.
NCSC-FI and the cloud
Both the government and actors within the critical infrastructure have expressed great need for cloud services
Cost benefits
Scalability
Packaged products and services
Versatile outsourcing options
NCSC-FI works proactively to avoid common security challenges of the cloud
Based on Risk Management
Perfectly secure (cloud) services do not exist, residual risk remains always
Secure cloud == a service, where the residual risk is proportionate to the use case and protected information
A cloud system with weak security might suffice for some use cases, others may require hardened systems or national cloud systems. Cloud may not be an option at all for some use cases
Security Needs to Be Measurable
What is secure enough?
How reliable are the protections against
Common risks
Technology specific risks
Use-case specific risks
Measuring these effectively requires the use of a framework, i.e. a criteria
Evaluating the Applicability of Criteria through Use Cases
A use case describes how a target group uses the criteria to achieve a goal.
Example: the use case of the Finnish national audit criteria Katakri 2015
An assessment by a security authority, with the goal of gaining assurance of the ability of the target to protect classified information
Need for a criteria tailored for cloud systems
Common risks, cloud risks, use cases
Avoiding misunderstandings
2020 – 2025 – 2030 – 2040?
Foresight on future technologies and phenomena at Traficom
Studies emerging phenomena in the digital society
Helps authorities and corporations in preparing for the future
Provides data to support decision making, proposals for the management, as well as tangible solutions
Myriad Work Themes
Promoting secure technology development (e.g. IoT and cloud services)
5G security
https://5gcyberhack.fi/
Digitalisation of traffic
Future financial services
Open data
Satellite services and technologies
Secure Cloud Services
Needs of citizens and small businesses
Coming later
Needs of authorities
Criteria to Assess the Information Security of Cloud Services (PiTuKri)
Goals
Improve protection of non-public information of the authorities, when data is being handled in cloud based environments
Tool for evaluating security of cloud based services
Support authorities’ risk management work
Support the implementation and make the guidelines of public sector cloud use by Ministry of Finance more tangible
Fulfilling National Needs Efficiently
National needs of Finland
Data classification, legislation changes
Must work for various kinds of organizations
Risk based, different ways to fulfill requirements
Use of and compatibility to pre-existing frameworks
BSI C5, CSA/CCM, ISO 27001, ISO 27017, Katakri 2015, guidelines/criteria of international communities of authorities
Finding balance between not too specific and not too generic
Wishes on Detailed Checklists...
"A detailed checklist for cloud service X using service model Y for service Z"
E.g. 6 services * 3 models = 18 criteria
Add 5 most common SaaS services per cloud, 18 + 5 * 6 = 48 criteria
Add data on cloud specific functionalities -> 100+ criteria (and more each year)
Add criteria for different service components, development, deployment, maintenance, ...
... with Broad Applicability
"A high-level criteria that can be used with different services and use cases"
Applicability for various needs
Requires more competence from the users of the criteria
Risks faced by cloud services separated by
Service model (IaaS, PaaS, SaaS, ...)
Implementation model (private cloud, public, combination, ...)
Service provider (authority or company within Finland, EU/EEC, other)
Physical location of data including management (FI, EU/EEC, other)
...and by type of protected information
Security classification (restricted, confidential, ...) and data owner/type
Personal information (GDPR boogeyman)
Effect of large amounts of above information available in one place
Information/service availability for preparedness reasons
Who is the adversary?
Structure
10 sections
Section 1, framework conditions
Determines whether it's possible to continue evaluation based on risks, i.e. is cloud even an option for this use case and what kind of general conditions are needed
Sections 2-10, collections of controls that reduce the risks associated with cloud based services in the areas of
Security management (administrative)
Physical security
Information assurance
Finding balance between simple to follow explicit criteria vs. more generic criteria, and categorization of requirements
Section 1, Framework conditions
Columns: data type | service type | physical location | CSP | additional information
Public | No limitations | No limitations | No limitations | The focus of assessing the applicability of security measures is on securing sufficient integrity and availability.
Classified ("Salassa pidettävä") | No limitations | No limitations | No limitations | If the information does not contain personal data.
Personal data | No limitations | Areas enabled in compliance with the regulations | No limitations | The service entity must meet the requirements of the specific legislation that governs the protection of personal data (including GDPR).
TL IV | No limitations | Finland | National | Foreign authorities shall not have direct or indirect access to the information. The restrictions concerning the physical location also cover administration, backup and maintenance. Security clearance for the CSP.
Aggregate of classified data (TL III) | Private/community | Finland | National | Similarly to above. Need to know emphasized. Detection of mass queries of data.
Aggregate of TL IV (TL III) | Private/community | Finland | National | Similarly to above.
Preparedness | No limitations | Finland | National | The information must be accessible even under exceptional circumstances. The management of the information must be possible entirely within national borders.
TL III / II | Private/community | Finland | National | Foreign authorities shall not have direct or indirect access to the information. The restrictions concerning the physical location also cover administration, backup and maintenance. Security clearance for the CSP. Additional requirements from Katakri.
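The Section 1 screening described by the table, as an added example that is not part of the PiTuKri criteria or its evaluation tool: a use case that mixes data types must satisfy every matching row, and aggregating TL IV or classified data raises the requirement level to TL III. The labels "FI"/"EU/EEC"/"other", "public"/"private"/"community" and "national"/"foreign" are constructed, and reading "areas enabled in compliance with the regulations" as FI and EU/EEC is an assumption.

```python
"""Screen a proposed cloud use case against the Section 1 framework conditions."""
from typing import Iterable, NamedTuple

ANY = None  # "No limitations" in the table

# data type -> (service types, physical locations, CSP types, additional conditions)
RULES = {
    "public": (ANY, ANY, ANY, ["focus on sufficient integrity and availability"]),
    "classified": (ANY, ANY, ANY, []),  # this row applies only without personal data
    # "areas enabled in compliance with the regulations" is assumed here to mean FI and EU/EEC
    "personal data": (ANY, {"FI", "EU/EEC"}, ANY,
                      ["personal data legislation, including GDPR"]),
    "TL IV": (ANY, {"FI"}, {"national"},
              ["no direct or indirect foreign-authority access",
               "location limits also cover administration, backup and maintenance",
               "security clearance for the CSP"]),
    "preparedness": (ANY, {"FI"}, {"national"},
                     ["accessible even under exceptional circumstances",
                      "management possible entirely within national borders"]),
}
RULES["TL III"] = ({"private", "community"}, {"FI"}, {"national"},
                   RULES["TL IV"][3] + ["additional requirements from Katakri"])
RULES["TL II"] = RULES["TL III"]

class Screening(NamedTuple):
    cloud_possible: bool
    effective_types: frozenset
    blockers: tuple    # (data type, dimension, offending value) triples
    conditions: tuple  # additional requirements the use case must carry

def screen_use_case(data_types: Iterable[str], service_type: str, location: str,
                    csp: str, aggregated: bool = False) -> Screening:
    """A use case mixing data types must satisfy every matching row at once."""
    effective = set(data_types)
    conditions: list = []
    # Aggregating TL IV or classified data raises the requirement level to TL III.
    if aggregated and effective & {"TL IV", "classified"}:
        effective.add("TL III")
        conditions += ["need to know emphasized", "detection of mass queries of data"]
    blockers = []
    for dtype in sorted(effective):
        services, locations, csps, extra = RULES[dtype]
        for dim, allowed, value in (("service type", services, service_type),
                                    ("physical location", locations, location),
                                    ("CSP", csps, csp)):
            if allowed is not None and value not in allowed:
                blockers.append((dtype, dim, value))
        conditions += [c for c in extra if c not in conditions]
    return Screening(not blockers, frozenset(effective), tuple(blockers), tuple(conditions))
```

An empty `blockers` tuple means the use case may proceed to the Section 2-10 controls under the listed `conditions`; a non-empty one names the dimension that rules cloud out for that data type.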
Built to support various types of cloud services and usage scenarios
Evaluating security of cloud based services
Cloud service provider’s own information security work
Genericity, can be applied to different scenarios
Service model (IaaS, ...)
Specifics of the cloud service provider
Specifics of the application/service
Risk-based Appropriate Use
Risk assessment
Each authority is responsible for the security of their information systems
Ensuring coverage and reliability of evaluation
Risk based handling of evaluation findings
Appropriate use
Interpretation of the criteria based on requirements for the specific use case
Some weaknesses may be compensated with controls on another level (platform vs. application controls)
Pick and choose!
National data classification as a driver
Contents based on international and national public frameworks
BSI C5, CSA/CCM, ISO 27001 & 27017, Katakri 2015
The required protections and controls are strongly linked to the nature and classification of the data
This was already a common practice in the interpretation of requirements
Other certifications can support compliance efforts
Evidence for the compliance can sometimes be supported by other frameworks and certifications
Cross-comparison tables coming later
Case-by-case decision on applicability of previous evaluations
Level of information assurance required
But
Different frameworks and certifications measure dissimilar things
E.g. hard compliance against minimal requirements set by an information owner vs. risk-based certification within the scope of an information security management system
Variance in certification scope
Different requirements on the assurance in the protection of classified data
Verification methods vary greatly in granularity and depth
Continuous development
Version 1.0 published in Finnish in May 2019
Swedish and English versions are being translated, publication fall 2019
Development continues
Collecting feedback and requests
Update to be expected Q4/2019 or early 2020
Support tools and extra information
Evaluation tool (May 2019)
Cross-comparison (fall 2019)
Use case examples (fall 2019)
Feedback welcome! ncsa (at) traficom (dot) fi