Rome, September 25th 2007 Security and Certification in the Public Sector – Claudio Manganelli
Security and Certification in the Public Sector
Ing. Claudio Manganelli, Member of the CNIPA board
Centro Nazionale per l’Informatica nella Pubblica Amministrazione
National Center for IT in Public Sector (CNIPA)
Main tasks:
- Give formal advice to the central Administration on projects concerning Information and Communication (mandatory by law)
- Foster the use of new technologies enabling innovation
- Contribute to the definition of standards and technical rules, with special care for security, interoperability, openness and performance
- Coordinate the development of training courses
Moreover, CNIPA:
- contributes to the definition of the Government IT policy
- carries out key projects in order to enable public sector innovation (e.g. SPC)
CNIPA guidelines on security (book n. 23)
- Guidelines for ICT security within the public sector
- National Plan for Information and Communication Security within Public Administration
- ICT Security Organization Model for the public sector
The guidelines were developed by a task force composed of experts from:
- National Committee on ICT Security in the Public Sector
- Communication Ministry
- CNIPA
Contents of Security Plan and Organization Model
- The National Plan indicates strategies and national initiatives for information security
- The Organization Model outlines the suitable organization for implementing the National Plan in the public sector
Certification in the Security National Plan
- The National Plan outlines the strategy for security certification within the public sector
- Issues addressed:
  - Process certification (ISO/IEC 27001)
  - Product/system certification (ISO/IEC 15408)
  - Personnel certification
Products and systems certification strategy
- Certification strongly recommended for:
  - processes involved in citizen safety
  - homeland security
  - applications where a security breach may cause social problems (e.g. digital signature)
- Certification recommended for applications where a security breach may cause huge economic losses
- Currently certification is mandatory only for digital signature
Guidelines for the certification in the public sector
- CNIPA and OCSI have started a joint workshop aimed at defining the criteria for adopting certified products, systems and services in the public sector
- Issues addressed so far:
  - criteria for taking certification requirements into account in products, systems and services
  - rules and policies for introducing certification requirements in calls for tenders
  - the role of public administration as sponsor of the certification process
The security survey
- Every year CNIPA carries out a survey on the security level of central public administrations, by means of an online questionnaire
- The answers are analyzed and reported by CNIPA
- Results are then summarized by scoring 4 Key Performance Indicators:
  - Logical security
  - Infrastructure security
  - Security of services
  - Organization for security
Certification in the security survey
Q: Is security certification taken into account for products and services acquisition?
A: yes 61%; no 33%; n.a. 6%
Figures refer to 2006