Presentation is loading. Please wait.

Presentation is loading. Please wait.

DIGIT Directorate-General for Informatics DIGIT Directorate-General for Informatics ISO 27k security standards What does it mean for ECI? 29 November 2012.

Published byGeorge Cobb Modified over 8 years ago

Similar presentations

Presentation on theme: "DIGIT Directorate-General for Informatics DIGIT Directorate-General for Informatics ISO 27k security standards What does it mean for ECI? 29 November 2012."— Presentation transcript:

1 DIGIT Directorate-General for Informatics DIGIT Directorate-General for Informatics ISO 27k security standards What does it mean for ECI? 29 November 2012

2 DIGIT Directorate-General for Informatics Legal base Regulation (EU) No 211/2011 of the European Parliament and of the Council of 16 February 2011 on the citizens' initiative Commission Implementing Regulation (EU) No 1179/2011 of 17 November 2011 laying down technical specifications for online collection systems pursuant to Regulation (EU) No 211/2011 of the European Parliament and of the Council on the citizens' initiative

3 DIGIT Directorate-General for Informatics (EU) No 211/2011 3 Article 6 Online collection systems 1.Where statements of support are collected online, the data obtained through the online collection system shall be stored in the territory of a Member State. The online collection system shall be certified in accordance with paragraph 3 in the Member State in which the data collected through the online collection system will be stored.

4 DIGIT Directorate-General for Informatics (EU) No 211/2011 (ctd.) 4 Article 6 Online collection systems 4. Online collection systems shall have adequate security and technical features in place in order to ensure that: a)only natural persons may submit a statement of support form online; b)the data provided online are securely collected and stored, c)the system can generate statements of support in a form complying with the models set out in Annex III

5 DIGIT Directorate-General for Informatics (EU) No 1179/2011 5 Provides technical specifications to address Article 6(4) of REGULATION (EU) No 211/2011.  (a) and (c) are addressed by the Online Collection Software provided by the European Commission (Section 1 and 3 of the annex)  (b) is addressed in section 2 of the annex that details requirements which  have to be addressed by the Organisers  are addressed by the Online Collection Software provided by the European Commission  have to be addressed by the hosting infrastructure

6 DIGIT Directorate-General for Informatics (EU) No 1179/2011 (ctd.) 6 Section 2 of the annex provides technical specifications for the following domains: Information assurance standards ( → Organisers) Functional requirements ( → OCS) Application level security ( → OCS + hosting infrastructure) Database security and data integrity ( → OCS + hosting infrastructure) Infrastructure security ( → hosting infrastructure) Organiser client security ( → Organisers)

7 DIGIT Directorate-General for Informatics 7 July, 18th

8 DIGIT Directorate-General for Informatics EC as hosting provider … only? 8 The main objective was to provide a suitable hosting infrastructure (compliant with 1179/2011 section 2 requirements) However, it quickly appeared that EC could also help: in drafting documents required by 2.1 and 2.2 in fulfilling Organiser client security requirements (Live-DVD)

9 DIGIT Directorate-General for Informatics 9

10 DIGIT Directorate-General for Informatics Information assurance standards 10 2.1. Organisers provide documentation showing that they fulfil the requirements of standard ISO/IEC 27001, short of adoption. For that purpose, they have: a)performed a full risk assessment, …; b)designed and implemented measures for treating risks …; c)identified the residual risks in writing; d)provided the organisational means to receive feedback on new threats and security improvements.

11 DIGIT Directorate-General for Informatics Information assurance standards (ctd) 11 2.2. Organisers choose security controls based on the risk analysis in 2.1(a) from the following standards: 1)ISO/IEC 27002; or 2)the Information Security Forum’s ‘Standard of Good Practice’ to address the following issues: a)risk assessments (ISO/IEC 27005 or another specific and suitable risk assessment methodology are recommended); b)physical and environmental security; c)human resources security; d)communications and operations management; e)…

12 DIGIT Directorate-General for Informatics ISO 27000 security standards ISO 27001 formally specifies a management system that is intended to bring information security under explicit management control ISO 27001 ISO 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS) ISO 27002

13 DIGIT Directorate-General for Informatics ISO27002 domains

14 DIGIT Directorate-General for Informatics ISO27001 ISMS

15 DIGIT Directorate-General for Informatics ECI Documentation package 15 To fulfil the above requirements, EC agreed with the Luxembourgish Authorities to build the following security documentation package : 1.the Security Scope 2.the Business Impact Analysis (BIA) 3.the Risk Assessment Report (RAR) 4.the Risk Treatment Plan (including Residual Risks) (RTP) 5.the Statement of Applicability (SoA)

16 DIGIT Directorate-General for Informatics ECI Documentation package (ctd) 16 EC also built guidance documents to help the Organisers drafting their part of the security documentation, i.e.: 1.Organiser Risk Assessment Guidance 2.Organiser Risk Treatment Plan Guidance 3.Organiser Statement of Applicability Guidance The guidance documents have been drafted to be reusable as much as possible and thus to minimize Organiser's documentation effort.

17 DIGIT Directorate-General for Informatics Organiser client security 17 2.20. Organiser client security For the sake of end-to-end security, the organisers take necessary measures to secure their client application/ device that they use to manage and access the online collection system, such as: 2.20.1. Users run non-maintenance tasks (such as office automation) with the lowest set of privileges that they require to run. 2.20.2. When relevant updates and patches of the OS, any installed applications, or anti-malware become public, then such updates or patches are installed expediently.

18 DIGIT Directorate-General for Informatics 18 And finally …

19 DIGIT Directorate-General for Informatics Q&A

Download ppt "DIGIT Directorate-General for Informatics DIGIT Directorate-General for Informatics ISO 27k security standards What does it mean for ECI? 29 November 2012."

Similar presentations

COMMON ASSESSMENT METHOD FOR STANDARDS AND SPECIFICATIONS (CAMSS)

COMMON ASSESSMENT METHOD FOR STANDARDS AND SPECIFICATIONS (CAMSS)
THE CERTIFYING AUTHORITY

THE CERTIFYING AUTHORITY
The European Citizens Initiative Background Preparing the ground rules Key elements of the Commission proposal Lucy Swan – Secretariat General – Unit E.

The European Citizens Initiative Background Preparing the ground rules Key elements of the Commission proposal Lucy Swan – Secretariat General – Unit E.
Regional Policy Delegated Act on the methodology for the quality review of major projects 1 Expert Group on Delegated and Implementing Acts for the ESI.

Regional Policy Delegated Act on the methodology for the quality review of major projects 1 Expert Group on Delegated and Implementing Acts for the ESI.
Developing a Risk-Based Information Security Program

Developing a Risk-Based Information Security Program
Reference Document Management 1 European Railway Agency (ERA) Cross-Acceptance Unit P. Mihm 17/11/2010.

Reference Document Management 1 European Railway Agency (ERA) Cross-Acceptance Unit P. Mihm 17/11/2010.
Directive 97/68/EC on the approximation of the laws of the Member States relating to measures against the emission of gaseous and particulate pollutants.

Directive 97/68/EC on the approximation of the laws of the Member States relating to measures against the emission of gaseous and particulate pollutants.
Accreditation 1. Purpose of the Module - To create knowledge and understanding on accreditation system - To build capacity of National Governments/ focal.

Accreditation 1. Purpose of the Module - To create knowledge and understanding on accreditation system - To build capacity of National Governments/ focal.
Introduction to PPDs Regulatory requirements and rationale.

Introduction to PPDs Regulatory requirements and rationale.
The IPPC Recast. New environmental requirements for explosives production sites.

The IPPC Recast. New environmental requirements for explosives production sites.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Supervision of the quality of water intended for human consumption by State Sanitary Inspection bodies Małgorzata Kedzierska Environmental Hygiene Dept.

Supervision of the quality of water intended for human consumption by State Sanitary Inspection bodies Małgorzata Kedzierska Environmental Hygiene Dept.
ISO/IEC 27001 Winnie Chan BADM 559 Professor Shaw 12/15/2008.

ISO/IEC Winnie Chan BADM 559 Professor Shaw 12/15/2008.
1 Reform of the EU regulatory framework for electronic communications What it means for Access to Emergency Services Reform of the EU regulatory framework.

1 Reform of the EU regulatory framework for electronic communications What it means for Access to Emergency Services Reform of the EU regulatory framework.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
The New EMC Directive 2004/108/EC and the DTI transposition Brian Jones and Peter Howick.

The New EMC Directive 2004/108/EC and the DTI transposition Brian Jones and Peter Howick.
Existing EU Regulations concerning pesticide statistics and Latvia experience in pesticide statistics Guna Karlsone, CSB of Latvia.

Existing EU Regulations concerning pesticide statistics and Latvia experience in pesticide statistics Guna Karlsone, CSB of Latvia.
S3: Module D 2012-10-31 1 Physikalisch-Technische Bundesanstalt Session 3: Conformity Assessment Module D Peter Ulbig, Harry Stolz Belgrade, 31 October.

S3: Module D Physikalisch-Technische Bundesanstalt Session 3: Conformity Assessment Module D Peter Ulbig, Harry Stolz Belgrade, 31 October.

Similar presentations

Ads by Google