Presentation is loading. Please wait.

Presentation is loading. Please wait.

SISAI STATISTICAL INFORMATION SYSTEMS ARCHITECTURE AND INTEGRATION

Published byBernd Graf Modified over 5 years ago

Similar presentations

Presentation on theme: "SISAI STATISTICAL INFORMATION SYSTEMS ARCHITECTURE AND INTEGRATION"— Presentation transcript:

1 SISAI STATISTICAL INFORMATION SYSTEMS ARCHITECTURE AND INTEGRATION
WORKING GROUP 3rdMEETING MAY 2013 ITEM 1.7 ESS Security Survey

2 ESS Security Survey ESTAT LISO – B0

3 Objectives Answer to challenges presented to SISAI 12-13/6/2012
Improve statistical production chain efficiency Needs to increase IT security in order to build trust between ESS partners Rationalisation of EU IT Development Implementation of the vision COM 404/2009 and the ESS Joint Strategy Fight against Cyber-criminality

4 Actions and progress since 2012
Finalise the MS consultation and get feedback on the initiative Initiative well received and supported by all MS Visits to some NSIs to understand their infrastructure Under preparation Present a draft action plan to ITDG ITDG agreed on the creation of a one year WG on Security with scope on Security Frameworks showing clear examples. Organise an « Enterprise Architecture Security Workshop » end of 2012 Done on 13-14/12/2012. All information on CROS portal. Mandate and action plan discussed. Possible pilot project with a few MS to exchange secure messages on CCN (Common Communication Network of DG TAXUD) Under ESS.VIP.ESDEN

5 Conclusions of the TF Understand the national conditions (infrastructure, security rules) allowing ESS partners to be connected to one or another secure network Be aware of the policies applied in the other ESS members their compatibilties and consistencies: Objective: Speak a common security language first analysis of the different security frameworks (survey) survey analysis until June results circulated to the group end of June submission to ITDG and DIME. recommendations for the creation on the common security language in September. A strategic document on the implementation of the common ESS security framework submitted to ESSC end 2013

6 Survey content Context Confidential info
Any IT published Security Framework Shared infrastructure with other administrations Centralised NSI Network between offices Who is in charge of producing official statistics Confidential info Data centre operation Remote access facilities and used technologies Team dealing with confidentiality Conditions for exchanging confidential information with other NSIs

7 Data Protection Implementation Rules and needs for confidentiality
Security included in the objectives of the organisation Maturity level of the security guidelines When is data protection applied in GSBPM Implementation Risk analysis and methodology Application of information security in project management Technology safeguards used Data Privacy safeguards Information Security Safeguards Network used for connection with EU services Preferred network connection

8 Governance Audit Ressources Who manages IT security
Support from National Offices or Agencies Security Officer in place Audit Responsible body Incident management, nbr and cause of incidents Periodicity and date of last audit Ressources IT security team Person in charge Spending in security

9 Survey Results (1) 34 answers from 30 countries
24 EU MS (missing AT, EL, IE) 6 EFTA and Candidates Other Security Frameworks Decree on Information Security in Central Goverment 1 DS484:2005 to be replaced by ISO27001 CESG/Security Policy Framework guidance ISO Customized German BSI Grundschutz-Standard 100-1,100-2,100-3, (BSI: Federal Office for Information Security; the baseline protection standards are compatible to ISO 27001/2). 4 Spanish National Security Framework correlated with ISO 27002 ISKE is based on a German information security standard – IT Baseline Protection Manual, ISO and ISO recommendations.

10 Survey Results (2)

11 Data Centre Other types of Data Center Management
Commercial Data Centre managed by NSI personnel Data center by IT provider own data centre and partial cooperation with central government data centre Own Data Centre maintained in collaboration a service provider Own Data Centre with NSI own IT-personnel and 10% are non NSI IT-personnel supervised by internal IT-personnel Central IT service provider at ministry level (2)

12 Conditions for exchanging confidential info with other MS
Adoption of a legal framework 17 Agreement on confidential data usage/contract with technical conditions 7 Same conditions as National rules 6 Data Encryption 5 Secure connection like Stesta/Common secure IT infrastructure 3 Not possible due to National Rules Do not know 2 To be discussed Limited list of users/Authentication Anonymisation 1 Compliance with IT Securite principles (CIA)

13 Team dealing with confidentiality (Rules, Acces)
No dedicated team 11 unknown 3 1 People (DPO) 1 2 People 3 People 3.5 People: IT Security 4 People 4 people : 1 (disclosure control) + 3 (IT security) 4.5 People: legal and methodology 6 People 7 People 8 People 8 People: 3 (methodo) + 5 (microdata access) 9 People 2 13 People: Confidential data WG 15 People 15 People half time on confidentiality 17 People: 12 confidentiality + 5 dissemination 20 People: IT (4) Security committee (9) Data Privacy (7)

14 Data Protection Needs for Confidentiality
At which GSBPM stage is data protection applied? At all Stages 14 2 Design 3 2.5 Design of methodology 1 3 Build 4 Collection 9 5 Process 7 6 Analyse 6.4 Disclosure Control 4 7 Disseminate 8 Archive Needs for Confidentiality Constitution 9 Law 20 Act 14 Selfmade rules 22

15 Security Implementation
Involvement of Security in Projects Analysis and design phase 16 As needed basis 9 Implementation phase 8 Inception phase Technology Safeguards Automated account provisioning/deprovisioning 8 Identity management 27 Encryption of laptops/mobile devices 19 Malicious code detection 32 Intrusion detection 26 Malware detection 33 Patch management Log Management 22 Dedicated isolated network for confidential data management 14 Firewall 4

16 Data Privacy Safeguards
Implementation (2) Data Privacy Safeguards Privacy policy revised annually 17 Inventory of location of personal data and jurisdiction 20 Incidence response process 23 Require third parties to comply with privacy policies 21 Malware/virus detection 33 Encryption 25 Confidentiality Commitment for employees Restricted access to statistical database Process Safeguards Information security strategy 24 Security baselines/stds for external partners 22 Identity management BCP/ recovery strategy 23 Employee security awareness training Penetration testing Threat and vulnerability assessment 17

17 Secure Connections with EU services
Implementation (3) Secure Connections with EU services Which kind of access would you prefer? I do not know 1 no opinion 2 Secured access for statistical purposes S-Testa 4 to be discussed VPN

18 Other IT security management levels
Governance Other IT security management levels Separate Office/Other IT department 2 At government level 4

19 Audit

20 IT Security Ressources

Download ppt "SISAI STATISTICAL INFORMATION SYSTEMS ARCHITECTURE AND INTEGRATION"

Similar presentations

SYSTEM OF EVALUATION AND MANAGEMENT CONTROL RESULTS-BASED BUDGETING THE CHILEAN EXPERIENCE Heidi Berner H Head of Management Control Division Budget Office,

SYSTEM OF EVALUATION AND MANAGEMENT CONTROL RESULTS-BASED BUDGETING THE CHILEAN EXPERIENCE Heidi Berner H Head of Management Control Division Budget Office,
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
The quality framework of European statistics by the ESCB Quality Conference Vienna, 3 June 2014 Aurel Schubert 1) European Central Bank 1) This presentation.

The quality framework of European statistics by the ESCB Quality Conference Vienna, 3 June 2014 Aurel Schubert 1) European Central Bank 1) This presentation.
Information Security Policies and Standards

Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Www.adira.org Philippe LE TERTRE IS Governance Consultant  Founder and managing partner of VADEGIS (company specialized in Information System Management.

Philippe LE TERTRE IS Governance Consultant  Founder and managing partner of VADEGIS (company specialized in Information System Management.
Eurostat Coverage of Security Issues Pascal Jacques ESTAT B0 Local Informatics Security Officer.

Eurostat Coverage of Security Issues Pascal Jacques ESTAT B0 Local Informatics Security Officer.
Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.
TTBIZLINK PROJECT MINISTRY OF TRADE, INDUSTRY, INVESTMENT & COMMUNICATIONS.

TTBIZLINK PROJECT MINISTRY OF TRADE, INDUSTRY, INVESTMENT & COMMUNICATIONS.
Statistics Canada’s Real Time Remote Access Solution 2011 MSIS Meeting – Karen Doherty May 2011.

Statistics Canada’s Real Time Remote Access Solution 2011 MSIS Meeting – Karen Doherty May 2011.
Chapter 8 8-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Office of Campus Information Security Driving a Security Architecture by Assessing Risk Stefan Wahe Sr. Information Security Analyst.

Office of Campus Information Security Driving a Security Architecture by Assessing Risk Stefan Wahe Sr. Information Security Analyst.
MOSCOW, NOVEMBER 12 – 14, 2013. THE RESEARCH 1.Respondents 8 respondents from SAI Indonesia : auditor, investigator, R &D 2.Time 3 weeks (Sept to Oct.

MOSCOW, NOVEMBER 12 – 14, THE RESEARCH 1.Respondents 8 respondents from SAI Indonesia : auditor, investigator, R &D 2.Time 3 weeks (Sept to Oct.
PUBLIC INTERNAL CONTROL (PIC) SYSTEM OF HUNGARY Ms. Edit NÉMETH CENTRAL HARMONISATION UNIT FOR PUBLIC INTERNAL CONTROL, HUNGARY BUDAPEST, 25 TH OF JUNE,

PUBLIC INTERNAL CONTROL (PIC) SYSTEM OF HUNGARY Ms. Edit NÉMETH CENTRAL HARMONISATION UNIT FOR PUBLIC INTERNAL CONTROL, HUNGARY BUDAPEST, 25 TH OF JUNE,
Information Security 14 October 2005 IT Security Unit Ministry of IT & Telecommunications.

Information Security 14 October 2005 IT Security Unit Ministry of IT & Telecommunications.
Converting Policy to Reality Designing an IT Security Program for Your Campus 2 nd Annual Conference on Technology and Standards May 3, 2005 Jacqueline.

Converting Policy to Reality Designing an IT Security Program for Your Campus 2 nd Annual Conference on Technology and Standards May 3, 2005 Jacqueline.
Eurostat ESS Security and Secure exchange of information Working Group (E4SWG) ITDG – Item 4 Security progress and issues Pascal Jacques ESTAT B0 Local.

Eurostat ESS Security and Secure exchange of information Working Group (E4SWG) ITDG – Item 4 Security progress and issues Pascal Jacques ESTAT B0 Local.
IT Security Policies and Campus Networks The dilemma of translating good security policies to practical campus networking Sara McAneney IT Security Officer.

IT Security Policies and Campus Networks The dilemma of translating good security policies to practical campus networking Sara McAneney IT Security Officer.

Similar presentations

Ads by Google