1. EU’s Information Security Expectations Aleksandar Klaić Office of the National Security Council – Croatian National Security Authority (NSA)

2. 2 Session parts 1.Introduction - Information Space 2.Information security Requirements 3.Conclusion

3. 3 Part 1 1.Introduction –Information Space

4. 4 Single European Information Space “i2010: European Information Society 2010” – five-year strategy –European Commission, COM(2005) 229 final, Brussels 1.6.2005 –Growth & employment strategy –Priorities: Single European Information Space, Innovation and Investment, Inclusive European Information Society –Single European Information Space: affordable & secure high bandwidth communications, rich & diverse content and digital services

5. 5 Foundations of the Information Space

6. 6 Information Domains Traditional information domains like: –Classified information domain (secrecy, legal persons – Government/military; confidential) –Unclassified information domain (privacy, legal persons; sensitive but not classified ) –Personal information domain (privacy, physical persons) –Public information domain (disclosure is not welcome but would not cause any adverse impact) Contemporary democratic concepts like: –Freedom of information –Open & transparent Government (e-Government) Information Society paradigm

7. 7 Information Society Paradigm that arose at the turn of 20th & 21st centuries –(wide) national & society oriented –Private Government & public ICT infrastructure (CERTs) “Successor” of e-Government paradigm –(narrow) government & technically oriented –Primarily private Government ICT infrastructure Connection with information security –Standardization of ICT and IS fields CEN (ISSS), CENELEC, ETSI, ISO –IS in the foundation of information society COM(2006)251 final – A Strategy for a Secure Information Society –Prioritized interoperability issue technical, semantic, and organizational level IDABC (Interoperable pan-European eGov services)

8. 8 Part 2 2.Information Security Requirements –legislation and policy requirements

9. 9 Information Security Requirements Explicit requirements (legislative) –General Legislative requirements e.g. Personal Data Protection Act –Specific Legislative Requirements e.g. Code on Corporate Governance, Sarbonnes-Oxleey Act –Accession/membership program requirements e.g. EU e-signatures Directive 1999/93/EC Implicit requirements (policy) –Security Agreement - Security policy e.g. EU Council’s Security Regulations 2001/264/EC –Community Programs e.g. i2010 - COM(2005) 229 final –Sectoral requirements e.g. Basel II (finance sector)

10. 10 Legislation Puzzle

11. 11 EU Reference legislation eur-lex.europa.eu –Council Decision 92/242/EEC in the area of security of information –Council Resolution on a common approach and specific actions in the area of network and information security (OJ 2002/C 43/02, 28 January 2002) –Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data –Telecommunications Data Protection Directive 97/66/EC –Directive 2002/58/EC on Privacy and Electronic Communications –Data Retention Directive 2006/24/EC –Commission Communication to counter spam (COM (2004)28) –Council Resolution 2000/C 293/02 on the organization and management of the Internet –EU Parliament and Council Decision 854/2005/EC on promoting safer use of the Internet, Decision 1151/2003/EC on combating illegal and harmful content on global networks –Safer Internet plus Programme (europa.eu.int/saferinternet) www.iso.org –ISO 15489-1:2001, ISO 15489-2:2001, ISO/IEC 17799:2005, ISO/IEC 27001:2005, ISO/IEC13335-x www.cornwell.co.uk/moreq.html - European testing framework for Electronic Records Management System (ERM)www.cornwell.co.uk/moreq.html www.nn.hr –Agreement Between the Republic of Croatia and the European Union on Security Procedures for the Exchange of Classified Information, 9/2006, 18 October 2006 –Memorandum of Understanding between European Community and the Republic of Croatia on the participation of the Republic of Croatia in the Community program on the interoperable delivery of pan-European e-Government services to public administrations, businesses and citizens (IDABC), 2/2007, 28 February 2007

12. 12 Information Security Definition General: –Information security is characterized as the preservation of confidentiality, integrity, and availability of information, and it is achieved by implementing a suitable set of controls. Information Society: –Information security is not a right in itself, it is an instrument to exercise and enjoy other basic rights like the right to confidentiality, personal data protection, or trade secrets.

13. 13 Security Policy requirements Information Criteria: –Security (Confidentiality, Integrity, Availability) –Fiduciary (Compliance, Reliability) –Quality (Effectiveness. Efficiency) Confidentiality: –Secrecy --------------- Privacy –Classified (Secrecy): 4 grade damage based classification system Top Secret, Secret, Confidential (national levels) Restricted (institutional level) –Unclassified (Privacy) Personal data

14. 14 Security Agreement Security procedures for the exchange of classified information Bilateral between two countries –Mutual trust in security policies (no assessment) –The level of protection of foreign data is equal or higher than the one of national data Bilateral between a country and an international organization like EU or NATO –Minimal Security Requirements - Baseline standards –Assessment based trust Legislation, organization, procedures Designated Security Authority – National Security Authority (NSA)

15. 15 EU’s Inf. Security Organization Council of the EU –General Secretariat Security/Infosec Offices –Judiciary body (national) –MS ministers –Policy making –Inspections of Accession Countries European Commission –Security Directorate Departments –Agency ENISA –Executive body –EU institution –Policy implementation –Cooperation with national (MS) authorities

16. 16 Harmonization based on Sec. Agr. Security policy – key document –Council Decision, 19 March 2001, adopting the Council’s security regulations ( 2001/264/EC ) –Commission Decision, 29 November 2001, amending its internal Rules of Procedure ( 2001/844/EC ) Security organization: –National Security Authority (NSA) - central coordinating institution, –Infosec Authority (IA or NCSA) – auxiliary specialized institution, –Planning and Implementation Authority (PIA) – auxiliary specialized institution, –CISO/LISO – Central/Local Inf. Sec. Officers Security Areas: –Personnel Security, Physical Security, Security of Information, INFOSEC (Information System Security), Industrial Security Baseline standards

17. 17 Baseline Standards Information security standards that shall be applied in each member state Why not risk assessment/management process? –Baseline procedures are the result of risk assessment/management on the highest org. level: Periodic changes of security policy and implementing directives –Org. concept follows the model of central/HQ organization with subsidiaries that are usually: Lack of field expertise and/or senior management resources –Recommendation for national risk management process: Different environments (legislation, culture, tradition) Old-fashioned way but successful in an extremely heterogeneous environment as government sector

18. 18 Security Policy Development

19. 19 Information Infrastructure Approach EU Security Policy (2001): Classified infrastructure (isolated, air-gap) –“Top Secret“, “Secret”, “Confidential” Protected Private infrastructure –“Restricted”, (non-classified) –TESTA Network (IDABC) Public infrastructure –GW connectivity w/protected private infrastructure –Portal Your Europe http://ec.europa.eu/youreurope/ http://ec.europa.eu/youreurope/ EU Inf. Society (2010) NATO Security Policy(2006): Classified infrastructure (isolated, air-gap) –“Top Secret“, “Secret”, “Confidential” Unclassified infrastructure –Unclassified, (“Restricted”) Public infrastructure –GW connectivity w/unclassified infrastructure

20. 20 Plan–Do–Check–Act Process

21. 21 ENISA European Network and Information Security Agency establishing, 10 March 2004, ( 2004/460/EC ) “Connects” all phases of the PDCA process and all participants in the information society Primarily Security Awareness responsibility Expert Analysis in the field of: –Risk Management, Security Technologies and Policies, … Coordination of: –EU bodies and MS –Industry and International Organizations –CERTs in EU

22. 22 Other Initiatives Focus on Small and Medium Enterprises (SMEs) –ENISA: Information Package for SMEs (RM/RA), February 2007 –http://www.enisa.europa.euhttp://www.enisa.europa.eu EU Regulatory Framework for electronic communications networks and services –Review of the EU Regulatory Framework for el. communications networks and services, Jun 2006, COM(2006)334 final Breaches of security – notifications, keep users informed Authorization of national authorities – specific security measures that implement Commission recommendations of decisions Network integrity – to modernize provisions –Based on A strategy for a Secure Information Society, May 2006, COM(2006)251 final (i2010) European Program for Critical Infrastructure Protection (EPCIP) –CI Sectors (Energy, ICT, Water, Food, …) –All-hazards approach, terrorism priority –Green Paper on EPCIP, COM(2005)576 final, November 2005

23. 23 Part 3 3.Conclusion

24. 24 Conclusion EU has complex regulation framework in the field of information security Information security requirements: –Traditional scope of the security policy –Contemporary demands of information society Very similar security policy strategies – EU & NATO (and generally Member States) Private Protected or Unclassified (+ “Restricted”) Infrastructure: –Similar approaches in MSs, EU (even NATO) based on society factors –More and more focused on international information security standards like the area of personal data protection

25. 25 Questions ? THANK YOU !!! Aleksandar.Klaic@uvns.vlada.hr aklaic@hi.t-com.hr