Information security and privacy protection aspects of electronic information management in the Belgian social sector
Frank Robben, General manager, Crossroads Bank for Social Security


Slide 1: Information security and privacy protection aspects of electronic information management in the Belgian social sector
Frank Robben, General manager, Crossroads Bank for Social Security
Sint-Pieterssteenweg 375, B-1040 Brussels
E-mail: Frank.Robben@ksz.fgov.be
Website CBSS: www.ksz.fgov.be
Personal website: www.law.kuleuven.be/icri/frobben

26th June 2008, Frank Robben

Slide 2: Stakeholders of the Belgian social sector
- > 10,000,000 citizens
- > 220,000 employers
- about 3,000 public and private institutions (actors) at several levels (federal, regional, local) dealing with
  – collection of social security contributions
  – delivery of social security benefits
    - child benefits
    - unemployment benefits
    - benefits in case of incapacity for work
    - benefits for the disabled
    - reimbursement of health care costs
    - holiday pay
    - old age pensions
    - guaranteed minimum income
  – delivery of supplementary social benefits
  – delivery of supplementary benefits based on the social security status of a person

Slide 3: The problem
- a lack of well coordinated service delivery processes and of well coordinated information management led to
  – suboptimal effectiveness of social protection
  – a huge avoidable administrative burden and related costs for
    - the citizens
    - the employers/companies
    - the actors in the social sector
  – service delivery that didn’t meet the expectations of the citizens and the companies
  – insufficient social inclusion
  – too high possibilities of fraud
  – suboptimal support of social policy

Slide 4: Expectations of citizens and companies
- effective social protection
- integrated services
  – attuned to their concrete situation, and personalized when possible
  – delivered at the occasion of events that occur during their life cycle (birth, going to school, starting to work, move, illness, retirement, starting up a company, …)
  – across government levels, public services and private bodies
- attuned to their own processes
- with minimal costs and minimal administrative burden
- if possible, granted automatically
- with active participation of the user (self service)
- well performing and user-friendly
- reliable, secure and permanently available
- accessible via a channel chosen by the user (direct contact, phone, PC, …)
- sufficient privacy protection

Slide 5: The solution
- a network between all 3,000 social sector actors with a secure connection to the internet, the federal MAN, regional extranets, extranets between local authorities and the Belgian interbanking network
- a unique identification key
  – for every citizen, electronically readable from an electronic social security card and an electronic identity card
  – for every company
  – for every establishment of a company
- an agreed division of tasks between the actors within and outside the social sector with regard to collection, validation and management of information and with regard to electronic storage of information in authentic sources

Slide 6: The solution
- 210 electronic services for mutual information exchange amongst actors in the social sector, defined after process optimization
  – nearly all direct or indirect (via citizens or companies) paper-based information exchange between actors in the social sector has been abolished
  – in 2007, 656 million electronic messages were exchanged amongst actors in the social sector, which saved as many paper exchanges
- electronic services for citizens
  – maximal automatic granting of benefits based on electronic information exchange between actors in the social sector
  – 8 electronic services via an integrated portal
    - 3 services to apply for social benefits
    - 5 services for consultation of social benefits
  – about 30 new electronic services are foreseen

Slide 7: The solution
- 41 electronic services for employers, either based on the electronic exchange of structured messages or via an integrated portal site
  – 50 social security declaration forms for employers have been abolished
  – in the remaining 30 (electronic) declaration forms the number of headings has on average been reduced to a third of the previous number
  – declarations are limited to 4 events
    - immediate declaration of recruitment (only electronically)
    - immediate declaration of discharge (only electronically)
    - quarterly declaration of salary and working time (only electronically)
    - occurrence of a social risk (electronically or on paper)
  – in 2007, 23 million electronic declarations were made by all 220,000 employers, 98 % of which from application to application

Slide 8: The solution
- an integrated portal site containing
  – electronic transactions for citizens, employers and professionals
  – simulation environments
  – information about the entire social security system
  – harmonized instructions and information model relating to all electronic transactions
  – a personal page for each citizen, each company and each professional
- an integrated multimodal contact centre supported by a customer relationship management tool
- a data warehouse containing statistical information with regard to the labour market and all branches of social security

Slide 9: The solution
- reference directory
  – directory of available services/information: which information/services are available at any actor depending on the capacity in which a person/company is registered at each actor
  – directory of authorized users and applications
    - list of users and applications
    - definition of authentication means and rules
    - definition of authorization profiles: which kind of information/service can be accessed, in what situation and for what period of time, depending on in which capacity the person/company is registered with the actor that accesses the information/service
  – directory of data subjects: which persons/companies have personal files at which actors for which periods of time, and in which capacity they are registered
  – subscription table: which users/applications want to automatically receive what information/services in which situations for which persons/companies in which capacity

Slide 10: CBSS as driving force
- coordination by the Crossroads Bank for Social Security
  – Board of Directors consists of representatives of the companies, the citizens and the actors in the social sector
  – mission
    - definition of the vision and the strategy on eGovernment in the social sector
    - definition of the common principles related to information management, information security and privacy protection
    - definition, implementation and management of an interoperability framework
      - technical: secure messaging of several types of information (structured data, documents, images, metadata, …)
      - semantic: harmonization of concepts and co-ordination of necessary legal changes
      - business logic and orchestration
    - support coordination of business process reengineering
    - stimulation of service oriented applications
    - driving force of the necessary innovation and change
    - consultancy and coaching

Slide 11: Co-operative governance
- CBSS has an innovative model of governance, steering the business process re-engineering with complex interdependencies between all actors involved
- Board of Directors of the CBSS
  – consists of representatives of the stakeholders (employers associations, trade unions, social security institutions, …)
  – approves the strategic, operational and financial plans of the CBSS
- General Coordination Committee with representation of all users acts as debating platform for the elaboration and implementation of eGovernment initiatives within the social sector

Slide 12: Co-operative governance
- permanent or ad hoc working groups are instituted within the General Coordination Committee in order to co-ordinate the execution of programs and projects
- the chairmen of the various working groups meet regularly as a Steering Committee
- besides project planning and follow-up, proper measuring facilities are available to assure permanent monitoring and improvement after the implementation of the electronic services

Slide 13: Adequate management and control techniques
- annual priority plan debated with all users within the General Coordination Committee of the CBSS
- cost accounting and zero-based budgeting resulting in financial transparency, an informed budget and a good evaluation of the management contract with the Belgian federal government
- internal control based on the COSO methodology (see www.coso.org) in order to provide reasonable assurance regarding the achievement of objectives with regard to
  – effectiveness and efficiency of operations
  – reliability of financial reporting
  – compliance with applicable laws and regulations
- external audit with regard to the correct functioning of the internal control system

Slide 14: Adequate management and control techniques
- program management through the whole social sector
- issue management during the management of each program
- use of a system of project management combined with a time keeping system to follow up projects that are realized by the CBSS and its partners
- frequent reports to all users which describe the progress of the various projects and eventual adjustment measures
- use of balanced scorecards and a dashboard to measure, follow-up and evaluate the performance of the electronic services and the CBSS
- use of ITIL (see www.itil-itsm-world.com) for ICT service delivery
- use of a coherent set of monitoring techniques to guarantee an optimal control and transparency of the electronic services

Slide 15: Towards a network of service integrators (diagram; only the labels survive)
- networks: Internet, FEDMAN, extranet of a region or community, extranet of the social sector, VPN, Publilink, VERA, …
- service integrators: FEDICT, CBSS, Corve, Easi-Wal, CIRB, …
- services repositories at: FPS, ASS, RPS, city, province, municipality

Slide 16: Advantages
- gains in efficiency
  – in terms of cost: services are delivered at a lower total cost due to
    - a unique information collection using a common information model and administrative instructions
    - a lesser need for re-encoding of information by stimulating electronic information exchange
    - a drastic reduction of the number of contacts between actors in the social sector on the one hand and companies or citizens on the other
    - a functional task sharing concerning information management, information validation and application development
    - a minimal administrative burden
  – according to a study of the Belgian Planning Bureau, rationalization of the information exchange processes between the employers and the social sector implies an annual saving of administrative costs of about 1.7 billion € a year for the companies

Slide 17: Advantages
- gains in efficiency
  – in terms of quantity: more services are delivered
    - services are available at any time, from anywhere and from several devices
    - services are delivered in an integrated way according to the logic of the customer
  – in terms of speed: the services are delivered in less time
    - benefits can be allocated quicker because information is available faster
    - waiting and travel time is reduced
    - companies and citizens can directly interact with the competent actors in the social sector with real time feedback

Slide 18: Advantages
- gains in effectiveness: better social protection
  – in terms of quality: same services at same total cost in same time, but to a higher quality standard
  – in terms of type of services: new types of services, e.g.
    - push system: automated granting of benefits
    - active search of non-take-up using data warehousing techniques
    - controlled management of own personal information
    - personalized simulation environments
    - better support of social policy
    - more efficient combating of fraud

Slide 19: Critical success factors
- common vision on electronic service delivery, information management and information security amongst all stakeholders
- support of and access to policymakers at the highest level
- trust of all stakeholders, especially partners and intermediaries, based on
  – mutual respect
  – real mutual agreement
  – transparency
- respect for legal allocation of competences between actors
- co-operation between all actors concerned based on distribution of tasks rather than centralization of tasks
- focus on more effective and efficient service delivery and on cost control

Slide 20: Critical success factors
- reasoning in terms of added value for citizens and companies rather than in terms of legal competences
- quick wins combined with long term vision
- lateral thinking when needed
- adaptability to an ever changing societal and legal environment
- electronic service delivery as a structural reform process
  – process re-engineering within and across actors
  – back-office integration for unique information collection, re-use of information and automatic granting of benefits
  – integrated and personalized front-office service delivery

Slide 21: Critical success factors
- multidisciplinary approach
  – process optimization
  – legal coordination
  – ICT coordination
  – information security and privacy protection
  – change management
  – communication
  – coaching and training

Slide 22: Critical success factors
- appropriate balance between efficiency on the one hand and information security and privacy protection on the other
- technical and semantic interoperability
- legal framework
- creation of an institution that stimulates, co-ordinates and assures a sound program and project management
- availability of skills and knowledge => creation of an association that hires ICT specialists at normal market conditions and puts them at the disposal of the actors in the social sector
- sufficient financial means for innovation: agreed possibility to re-invest efficiency gains in innovation
- service oriented architecture (SOA)

Slide 23: Critical success factors
- need for radical cultural change within government, e.g.
  – from hierarchy to participation and team work
  – meeting the needs of the customer, not the government
  – empowering rather than serving
  – rewarding entrepreneurship within government
  – ex post evaluation on output, not ex ante control of every input

Slide 24: Information security and privacy protection
- security, availability, integrity and confidentiality of information is ensured by integrated
  – structural
  – institutional
  – legal
  – organizational
  – HR-related
  – technical
  security measures according to agreed policies

Slide 25: Structural and institutional measures
- no central data storage
- the access authorization to personal information is granted by a Sector Committee of the Privacy Commission, designated by Parliament, after having checked whether the access conditions are met
- the access authorizations are public
- every actual electronic exchange of personal information has to pass an independent trusted third party (basically the CBSS) and is preventively checked on compliance with the existing access authorizations by that trusted third party
- every actual electronic exchange of personal information is logged, to be able to trace possible abuse afterwards
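The preventive check described on slide 25 is driven by the reference directory of slide 9: an authorization profile ties an application at an actor to a kind of information, a capacity and a validity period, and the directory of data subjects says in which capacity, and for which period, a person is registered at that actor. The Go program below is an added example written for this page; it is not code from the CBSS. The directory rows, actor names, capacities and information kinds are constructed, and the broker is a simplification (message routing and the subscription table are left out). It shows the two ways a request is refused, and that every request, refused or not, lands in the log that an afterwards investigation starts from.

```go
package main

import (
	"fmt"
	"time"
)

// Registration is one row of the directory of data subjects: Subject has a file
// at Actor in Capacity during [From, To); a zero To means still open.
type Registration struct {
	Subject, Actor, Capacity string
	From, To                 time.Time
}

// Authorization is one authorization profile from the directory of authorized users
// and applications: Application at Actor may consult InfoKind about persons
// registered at Actor in Capacity, during [ValidFrom, ValidTo).
type Authorization struct {
	Actor, Application, InfoKind, Capacity string
	ValidFrom, ValidTo                     time.Time
}

// Exchange is one request for personal information submitted to the broker.
type Exchange struct {
	Actor, Application, Subject, InfoKind string
	At                                    time.Time
}

// LogEntry records every submitted exchange, allowed or refused.
type LogEntry struct {
	Exchange
	Allowed bool
	Reason  string
}

// Broker plays the trusted-third-party role: it holds the directories, checks
// each exchange before it happens and logs the outcome.
type Broker struct {
	Authorizations []Authorization
	Registrations  []Registration
	Log            []LogEntry
}

// within reports whether t lies in [from, to); a zero to means open-ended.
func within(t, from, to time.Time) bool {
	return !t.Before(from) && (to.IsZero() || t.Before(to))
}

func (b *Broker) decide(e Exchange) (bool, string) {
	profileFound := false
	for _, a := range b.Authorizations {
		if a.Actor != e.Actor || a.Application != e.Application || a.InfoKind != e.InfoKind ||
			!within(e.At, a.ValidFrom, a.ValidTo) {
			continue
		}
		profileFound = true
		// A profile only covers persons who, when the request is made, are
		// registered at the requesting actor in the capacity the profile names.
		for _, r := range b.Registrations {
			if r.Subject == e.Subject && r.Actor == e.Actor && r.Capacity == a.Capacity && within(e.At, r.From, r.To) {
				return true, "authorized for capacity " + a.Capacity
			}
		}
	}
	if !profileFound {
		return false, "no authorization profile for this actor, application and information kind"
	}
	return false, "subject not registered at the requesting actor in an authorized capacity"
}

// Check is the preventive compliance check; the exchange is logged whatever the outcome.
func (b *Broker) Check(e Exchange) (bool, string) {
	allowed, reason := b.decide(e)
	b.Log = append(b.Log, LogEntry{Exchange: e, Allowed: allowed, Reason: reason})
	return allowed, reason
}

// Trace returns every logged exchange about one person (the start of an abuse investigation).
func (b *Broker) Trace(subject string) (out []LogEntry) {
	for _, l := range b.Log {
		if l.Subject == subject {
			out = append(out, l)
		}
	}
	return out
}

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// NewExampleBroker fills the directories with constructed sample rows.
func NewExampleBroker() *Broker {
	return &Broker{
		Authorizations: []Authorization{{Actor: "unemployment-office", Application: "benefit-calculation",
			InfoKind: "salary", Capacity: "unemployed", ValidFrom: date(2008, 1, 1)}},
		Registrations: []Registration{{Subject: "person-A", Actor: "unemployment-office",
			Capacity: "unemployed", From: date(2008, 3, 1), To: date(2008, 9, 1)}},
	}
}

func main() {
	b := NewExampleBroker()
	req := Exchange{Actor: "unemployment-office", Application: "benefit-calculation", Subject: "person-A", InfoKind: "salary", At: date(2008, 6, 26)}
	fmt.Println(b.Check(req)) // allowed: profile and registration both cover June 2008
	req.At = date(2008, 10, 1)
	fmt.Println(b.Check(req)) // refused: the registration ended on 1 September 2008
}
```

The point of the period check is that an authorization does not follow the person: once the registration at the requesting actor ends, the same application asking the same question is refused, and the refusal is itself logged.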

Slide 26: Structural and institutional measures
- every actor in the social sector disposes of an information security officer with an advisory, stimulating, documentary and control task
- specialized information security service providers in the social sector have been recognized in order to support the information security officers
- a working party on information security and privacy protection within the social sector has been established
- minimal information security and privacy protection standards are proposed by the working party on information security and privacy protection and are established by the Sector Committee

Slide 27: Structural and institutional measures
- every year, every actor in the social sector has to report to the Sector Committee on compliance with the minimal information security and privacy protection standards
- in case an actor in the social sector doesn’t meet the minimal information security and privacy protection standards, the actor can be prohibited by the Sector Committee from being connected to the CBSS

Slide 28: Independent Sector Committee
- established within the Privacy Commission
- composed of
  – 2 members of the Privacy Commission
  – 3 independent social security specialists designated by Parliament
- competences
  – supervision of information security
  – authorizing the information exchange
  – complaint handling
  – information security recommendations
  – extensive investigating powers
  – annual activity report

Slide 29: Information security department at each actor in the social sector
- composition
  – information security officer
  – one or more assistants
- control on independence and permanent education of the information security officers is performed by the Sector Committee
- the Sector Committee can allow the task of the information security department to be entrusted to a recognized specialized information security service provider

Slide 30: Information security department: tasks
- information security department
  – recommends
  – promotes
  – documents
  – controls
  – reports directly to the general management
  – formulates the blueprint of the security plan
  – elaborates the annual security report
- general management
  – takes the decision
  – is finally responsible
  – gives motivated feedback
  – approves the security plan
  – supplies the resources

Slide 31: Contents of the security report
- general overview of the security situation
- overview of the activities
  – recommendations and their effects
  – control
  – campaigns in order to promote information security
- overview of the external recommendations and their effects
- overview of the received trainings

Slide 32: Specialized IS service providers
- to be recognized by the Government
- recognition conditions
  – non-profit association
  – having information security in the social sector as the one and only activity
  – respecting the tariff principles determined by the Government
- control on independence is performed by the Sector Committee
- tasks
  – keeping information security specialists at the disposal of the associated actors
  – recommending
  – organizing information security trainings
  – supporting campaigns promoting information security
  – external auditing on request of the actor or the Sector Committee
- each actor can only associate with one specialized information security service provider

Slide 33: Working party on information security
- composition
  – information security officers of all branches of the social sector
- task
  – coordination
  – communication
  – proposal of minimal information security and privacy protection standards
  – check list
  – recommendations to the Sector Committee

Slide 34: Legal measures
- obligations of the actors in the social sector as data controllers (i.e. the natural or legal person, public authority, agency or any other body which alone or jointly determines the purposes and means of the processing of personal data)
- rights of the data subjects (i.e. the natural persons the personal data relate to)
- remedies, liability and sanctions

Slide 35: Obligations of actors in the social sector
- principles relating to fair and lawful processing and data quality
- information to be given to the data subject
- confidentiality and security of processing

Slide 36: Fair and lawful processing and data quality
- fair and lawful processing
- collection only for specified, explicit and legitimate purposes
- no further processing in a way incompatible with those purposes
- personal data must be adequate, relevant and not excessive in relation to those purposes
- personal data must be accurate and kept up to date
- personal data must not be kept longer than necessary for those purposes in a form which permits the identification of the data subject

Slide 37: Fair and lawful processing and data quality
- respect of additional protection measures related to sensitive data, i.e. data revealing or concerning
  – racial or ethnic origin
  – political opinions
  – religious or philosophical beliefs
  – trade union membership
  – health
  – sexual life
  – offences, criminal convictions or security measures

Slide 38: Informing the data subject
- the controller or his representative must provide the data subject with a minimum of information
  – when obtaining personal data from the data subject
  – when undertaking the recording or envisaging a disclosure to a third party of personal data that have not been obtained from the data subject
- exceptions:
  – the data subject already has the information
  – informing the data subject in case of processing of data obtained from another person
    - proves impossible, in particular for processing for statistical purposes or purposes of historical or scientific research
    - or would involve disproportionate effort for the controller, in particular for processing for statistical purposes or purposes of historical or scientific research
    - or is not necessary because the recording or disclosure is expressly laid down by law

Slide 39: Informing the data subject
- information to be given
  – identity of the controller and his representative, if any
  – the purposes of the processing
  – any further information necessary to guarantee fair processing in respect of the data subject, such as
    - categories of processed data
    - (categories of) recipients
    - whether replies are obligatory or not, as well as the possible consequences of failure to reply
    - the existence of rights of access and rectification

Slide 40: Confidentiality and security
- no access to personal data is permitted except on instructions from the controller or if required by law
- appropriate technical and organizational security measures
  – protection against
    - accidental or unlawful destruction
    - accidental loss
    - alteration
    - unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network
    - all other forms of unlawful processing
  – measures have to be appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation

Slide 41: Confidentiality and security
- where processing is carried out by an external processor
  – the controller has to choose a processor guaranteeing sufficient technical and organizational security measures
  – the controller must ensure compliance of the processing with the security measures
  – the carrying out of the processing must be governed by a written contract or legal act stipulating in particular that
    - the processor shall act only on instructions from the controller
    - the security obligations shall also be incumbent on the processor

Slide 42: Recommendation Belgian Privacy Commission
- see http://www.privacycommission.be/nl/static/pdf/referenciemaatregelen-vs-01.pdf
- risk analysis taking into account
  – the nature of the processed data
  – the applicable legal requirements
  – the size of the organization
  – the importance and the complexity of the information systems
  – the extent of internal and external access to personal data
  – the probability and the impact of the several risks
  – the cost of the implementation of risk mitigating measures

Slide 43: Recommendation Belgian Privacy Commission
- 10 types of measures
  – information security policy
  – information security officer
  – minimal organizational measures and measures related to staff
  – physical security
  – network security
  – access control
  – logging and investigation of logging
  – supervision, audit and maintenance
  – management of security incidents and continuity
  – documentation

Slide 44: Rights of the data subject
- right of privacy protection
- right of information
  – access to the public register
  – in case of collection of data
  – in case of the recording or disclosure of data obtained elsewhere
- right of access
- right of rectification, erasure or blocking
- right not to be subject to fully automated individual decisions
- right of a judicial remedy

Slide 45: Right of access
- the data subject has the right to obtain from the controller without constraint, at reasonable intervals and without excessive delay or expense
  – confirmation as to whether or not data relating to him are being processed
  – information at least about
    - the purposes of the processing
    - the categories of data
    - the (categories of) recipients
  – communication of the data and any available information as to their source
  – knowledge of the logic in case of an automated processing intended to evaluate certain personal aspects relating to him
- every time information is used to take a decision, the information used is communicated to the person concerned together with the decision

Slide 46: Right of rectification, erasure or blocking
- the data subject has the right to obtain from the controller the rectification, erasure or blocking of data, the processing of which does not comply with the provisions of the directive (e.g. incomplete or inaccurate data)
- the controller has to notify any rectification, erasure or blocking to third parties to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort

Slide 47: Automated individual decisions
- every person is granted the right not to be subject to a decision which produces legal effects for him or significantly affects him and which is based solely on the automated processing of data intended to evaluate certain personal aspects, such as his performance at work, creditworthiness, reliability, conduct, …
- derogations are possible
  – under certain circumstances, in the course of the entering into or the performance of a contract, or
  – by law providing measures to safeguard the data subject’s legitimate interests

Slide 48: Remedies, liability and sanctions
- remedies
  – administrative remedies, inter alia before the Sector Committee
  – judicial remedies
  – for any breach of the rights guaranteed by the national law applicable
- liability
  – right to compensation from the controller for the damage suffered as a result of an unlawful processing operation, unless the controller proves not to be responsible for the event giving rise to the damage
- sanctions
  – penal sanctions
  – interdiction to process personal data

Slide 49: Organizational, HR-related & technical measures
- risk assessment
- security policies
- governance and organization of information security
- inventory and classification of information
- human resources security
- physical and environmental security
- management of communication and service processes
- processing of personal data
- access control
- acquisition, development and maintenance of information systems
- information security incident management
- business continuity management
- compliance: internal and external control
- communication to the public of the policies concerning security and the protection of privacy

Slide 50: Security policies
- an integrated set of security policies is being elaborated through step-by-step refinement
- the policies always have the following structure
  – material field of application: what the policy is all about
  – personal field of application: to whom does the policy apply
  – definitions of the concepts used under the policy
  – general principles: setting rules and responsibilities
  – requirements and references to other policies
  – sanctions, arising among other things from regulations, if the policy is not complied with
  – references to directives, architecture, procedures, standards and techniques to comply with the policy
  – date of validation by the bodies concerned
  – note of the person responsible for policy maintenance

Slide 51: Security policies
- directives, architecture, standards, procedures and techniques are being described to apply the integral set of security policies, in accordance with the priorities set by the working party on information security and privacy protection

Slide 52: Classification of information
- the purpose of classifying information is to determine the protection level per information item, taking two aspects into account
  – the importance of the business continuity of the actors (e.g. vital, critical, necessary, useful)
  – sensitivity in relation to protection of privacy (e.g. public, internal, confidential, secret)
- the field of application of the classification exercise covers information (mainly personal data) used for services to citizens, companies and civil servants, regardless of the support equipment on which they are kept
- information is labelled depending on the classification criteria used

Slide 53: HR-security
- security tasks and responsibilities are included in all job descriptions to which they apply; sensitive positions are stated as such in job descriptions
- applicants for sensitive jobs are screened carefully
- a secrecy declaration is signed by every staff member
- all staff members are briefed, educated and trained regarding information security and protection of privacy
- at each actor in the social sector, robust procedures have to be settled and implemented to report any security breaches or weak points to the information security officer

Slide 54: HR-security
- at each actor in the social sector, a working method is settled and implemented to analyse any security-related incidents and weak points reported by the information security officer, and adequate remedial measures are proposed
- (disciplinary) sanctions are foreseen when measures relating to the information security and protection of privacy are circumvented or not complied with
- it is checked that the (disciplinary) sanctions are sufficiently well-known when measures relating to the information security and protection of privacy are circumvented or not complied with
- it is checked that adequate measures are applied when a working relationship with a staff member is terminated

Slide 55: Physical and environmental security
- premises have to be available that are well secured against malign external influences, unauthorized access, break-in, flood, fire, …, and ICT infrastructure supporting vital and critical business processes has to be accommodated at these premises
- the electricity supply for ICT infrastructure supporting vital and critical business processes is guaranteed
- cables and air-waves are secured, especially against wire-tapping
  – a procedure for the import and export of business equipment, among other things in cases of maintenance and repairs, is settled and implemented
  – rules are settled for managing business equipment relating to people (e.g. laptops, handhelds, mobile phones, call tokens, …) giving access to information that needs to be protected

56 Management of processes
- the division of responsibilities for the management and maintenance of all parts of the ICT infrastructure is settled and implemented
- security procedures, including procedures for resolving incidents, are settled and implemented, taking into account the necessary separation of roles
- the internal rules for day-to-day work (e.g. back-ups, ban on computer games, code of practice for Internet use, locking of equipment, ...) are settled and complied with
- each stage in the life-cycle of an application, including acceptance scenarios, is settled and complied with

57 Management of processes (continued)
- new applications or amendments to existing applications are submitted to acceptance tests in an acceptance environment, separate from the production environment, before going into production
- the six areas of the ITIL methodology concerning service support, and the first two areas concerning service delivery, are implemented
  – service support: configuration management, incident management, problem management, change management, service/help desk, release management
  – service delivery: service level management, capacity management

58 Management of processes (continued)
- preventive measures are in place to protect all information systems against viruses and other malicious software
- procedures for information storage media (tapes, floppy disks, cassettes, ...) are settled and complied with, including rules relating to
  – storage and access
  – shipping
  – accidental destruction

59 Management of processes (continued)
- networks are managed following well-defined procedures, especially when connected to external networks; in this respect, special attention is paid to
  – separation between internal and external networks
  – perimeter protection of internal networks (firewalls, ...)
  – mutual authentication of network components
  – intrusion detection
  – application of encryption techniques where necessary
- interchange agreements are written down for the use of network services, especially for network services used in external collaboration, including
  – service level agreements concerning availability and performance
  – demarcation of responsibilities relating to security and protection of privacy

60 Access control
- a user management system is settled and implemented, permitting
  – electronic identification of people, resources, applications and services
  – electronic authentication of the identity of people, resources, applications and services by appropriate means (user ID, password, token, digital certificate, electronic signature, ...)
  – electronic verification of the relevant characteristics and mandates of people in authentic sources
- an access management system is settled and implemented, indicating among other things
  – roles and functions
  – authorizations on the basis of those roles and functions
  – authorization time-limits
- authorizations are managed at the level of people, resources, applications and services

61 User and access management
- identification of physical and legal persons
  – unique social identification number for physical persons
  – unique company number for companies
- authentication of the identity of physical persons
  – electronic identity card
  – user ID, password, token
- authentic sources for
  – management and verification of characteristics (e.g. a capacity, a function, a professional qualification) of persons
  – management and verification of mandates between the legal or physical person to whom an electronic transaction relates and the person carrying out that transaction
  – management and verification of authorizations

62 Policy Enforcement Model
[Diagram: the user performs an action on the application; the application's Policy Enforcement Point (PEP) sends a decision request to the Policy Decision Point (PDP) and receives a decision reply. The PDP retrieves policies from the Policy Administration Point (PAP), whose policy repository is maintained by a manager through policy management, and obtains information through information requests/replies from Policy Information Points (PIP), each backed by an authentic source. Outcome: action on application PERMITTED or DENIED.]

63 Policy Enforcement Point (PEP)
- intercepts the request for authorization, together with all available information about the user, the requested action, the resources and the environment
- passes the request for authorization on to the Policy Decision Point (PDP) and obtains an authorization decision
- enforces that decision: on a permit, grants access to the application and provides the relevant credentials; otherwise the action on the application is denied
[Diagram: user → application (PEP) ↔ PDP (decision request / decision reply) → action on application PERMITTED or DENIED]

64 Policy Decision Point (PDP)
- based on the authorization request received, retrieves the applicable authorization policy from the Policy Administration Point(s) (PAP)
- evaluates the policy and, where necessary, retrieves the relevant information from the Policy Information Point(s) (PIP)
- takes the authorization decision (permit / deny / not applicable) and sends it to the PEP
[Diagram: PEP ↔ PDP (decision request / reply); PAP → PDP (retrieval of policies); PDP ↔ PIPs (information request / reply)]

65 Policy Administration Point (PAP)
- environment in which authorization policies are stored and managed by the authorized person(s) appointed by the application managers
- puts the authorization policies at the disposal of the PDP
[Diagram: manager → policy management → PAP (policy repository) → retrieval of policies → PDP]

66 Policy Information Point (PIP)
- puts information at the disposal of the PDP in order to evaluate authorization policies (authentic sources containing characteristics, mandates, etc.)
[Diagram: PDP ↔ PIP1 (information request / reply) → authentic source; PDP ↔ PIP2 (information request / reply) → authentic source]
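The four components described on the preceding slides fit together as follows. This is an added illustration, not code from the presentation or from the CBSS: a small in-memory PAP holding role-based policies with authorization time-limits, PIPs standing in for the authentic sources of characteristics (roles) and mandates, a PDP that returns permit / deny / not applicable, and a PEP that enforces the decision and time-logs every access. The users, roles, mandates, application names and the "on behalf of" mandate check are constructed assumptions for the example.

```python
"""PEP / PDP / PAP / PIP authorization model: added illustration, not CBSS code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Decision outcomes, as on the PDP slide.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Policy:
    """Which role may perform which action on which application, and for how long."""
    application: str
    action: str
    role: str
    valid_from: datetime       # authorization time-limit (start, inclusive)
    valid_until: datetime      # authorization time-limit (end, exclusive)


@dataclass(frozen=True)
class Request:
    """What the PEP intercepts: user, requested action, resource and environment (time)."""
    user_id: str
    application: str
    action: str
    at: datetime
    on_behalf_of: Optional[str] = None   # party the transaction relates to (needs a mandate)


class PAP:
    """Policy Administration Point: the policy repository the PDP retrieves from."""
    def __init__(self) -> None:
        self._repo: List[Policy] = []

    def add(self, policy: Policy) -> None:
        self._repo.append(policy)

    def retrieve(self, application: str, action: str) -> List[Policy]:
        return [p for p in self._repo if p.application == application and p.action == action]


class PIP:
    """Policy Information Point in front of one authentic source (constructed dict here)."""
    def __init__(self, attribute: str, authentic_source: Dict[str, Set[str]]) -> None:
        self.attribute = attribute         # "roles" (capacities) or "mandates"
        self._source = authentic_source

    def lookup(self, user_id: str) -> Set[str]:
        return set(self._source.get(user_id, set()))


class PDP:
    """Policy Decision Point: policies from the PAP, attributes from the PIPs, then decide."""
    def __init__(self, pap: PAP, pips: List[PIP]) -> None:
        self._pap, self._pips = pap, pips

    def _attribute(self, name: str, user_id: str) -> Set[str]:
        values: Set[str] = set()
        for pip in self._pips:
            if pip.attribute == name:
                values |= pip.lookup(user_id)
        return values

    def decide(self, req: Request) -> str:
        policies = self._pap.retrieve(req.application, req.action)
        if not policies:
            return NOT_APPLICABLE                     # no policy governs this action
        if req.on_behalf_of is not None and \
                req.on_behalf_of not in self._attribute("mandates", req.user_id):
            return DENY                               # no verified mandate for the represented party
        roles = self._attribute("roles", req.user_id)
        for p in policies:
            if p.role in roles and p.valid_from <= req.at < p.valid_until:
                return PERMIT
        return DENY                                   # role missing, or authorization expired


class PEP:
    """Policy Enforcement Point: asks the PDP, enforces the answer, time-logs every access."""
    def __init__(self, pdp: PDP) -> None:
        self._pdp = pdp
        self.log: List[Tuple[datetime, str, str, str, str]] = []

    def enforce(self, req: Request) -> bool:
        decision = self._pdp.decide(req)
        self.log.append((req.at, req.user_id, req.application, req.action, decision))
        return decision == PERMIT


def build_demo() -> Tuple[PEP, PDP]:
    """Constructed sample data: hypothetical users, roles, mandates and applications."""
    utc, y2008, y2009 = timezone.utc, datetime(2008, 1, 1, tzinfo=timezone.utc), datetime(2009, 1, 1, tzinfo=timezone.utc)
    pap = PAP()
    pap.add(Policy("benefits-app", "consult", "social_worker", y2008, y2009))
    pap.add(Policy("dimona", "declare", "employer_agent", y2008, y2009))
    roles = PIP("roles", {"alice": {"social_worker"}, "bob": {"employer_agent"}})
    mandates = PIP("mandates", {"bob": {"company-0123"}})
    pdp = PDP(pap, [roles, mandates])
    return PEP(pdp), pdp


def run_demo() -> Tuple[Dict[str, str], List[Tuple[datetime, str, str, str, str]]]:
    """Push a few requests through the PEP; return the decisions and the PEP's access log."""
    pep, pdp = build_demo()
    t = datetime(2008, 6, 26, 10, 0, tzinfo=timezone.utc)
    later = datetime(2009, 6, 26, 10, 0, tzinfo=timezone.utc)
    cases = {
        "alice consults in period":     Request("alice", "benefits-app", "consult", t),
        "alice consults after expiry":  Request("alice", "benefits-app", "consult", later),
        "alice deletes (no policy)":    Request("alice", "benefits-app", "delete", t),
        "bob declares with mandate":    Request("bob", "dimona", "declare", t, "company-0123"),
        "bob declares without mandate": Request("bob", "dimona", "declare", t, "company-9999"),
        "bob consults benefits":        Request("bob", "benefits-app", "consult", t),
    }
    results = {name: pdp.decide(req) for name, req in cases.items()}
    for req in cases.values():
        pep.enforce(req)                              # enforcement plus time-logging
    return results, pep.log
```

Only the PDP evaluates policy; the PEP never decides on its own, which is what keeps the authorization logic out of each application and lets the PAP change a policy (or let it expire) without touching application code. The PEP's timestamped log is the raw material for the "all access and actions carried out are time-logged" requirement on slide 68.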

67 Architecture
[Diagram: three instances of the same user and access management architecture, for the social sector (CBSS), the eHealth platform and the non-social federal public services (Fedict). In each instance the user is authenticated, the application's PEP performs authorisation through a Role Mapper (Role Mapper DB) and the PDP, policies come from the PAP ("Kephas"), and the PDP consults PIPs: a Role Provider (Role Provider DB), attribute providers (UMAF, Management VAS, DB XYZ, judicial executors, ...) and a mandates database.]

68 Access control
- buildings are partitioned, security rings are installed and access control measures to the premises are implemented
- access control measures to physical resources (computers, networks, ...) by users (people, resources or applications) are set and implemented, with particular attention to equipment assigned to individuals (e.g. laptops, handhelds, mobile phones, call tokens, ...)
- access control measures to (sections of) application code are set and implemented
- access control measures to applications and services by internal and external users (people, resources or applications) are set and implemented (e.g. call-back procedures)
- ICT equipment is automatically locked (timed out) after a set period of inactivity
- all accesses and actions carried out are logged with a timestamp

69 Acquisition, development and maintenance
- security directives to be complied with during the acquisition, development and maintenance of applications and services are set and implemented
  – separation of functions
  – audit trails during development
  – documentation
  – regular interim back-ups
- the development environment is secured
- rules for building security into applications and services (e.g. validation of data input, control totals, verification of the authenticity of messages sent to subjects, ...), primarily for externally accessible applications and services, are settled and applied
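The three application-level controls named in the last point (input validation, control totals, message authenticity) can be shown on one receiving routine. The following is an added example, not code from the presentation or from any CBSS system; the record layout (REC / TRL / MAC lines), the 11-digit identification number format, the amount format and the shared key are all constructed assumptions. The sending party appends an HMAC-SHA256 trailer over the exact body; the receiver checks the MAC first (so altered or unauthenticated content is never parsed), then validates every field, then reconciles the control totals in the trailer against what it counted itself.

```python
"""Input validation, control totals and message authentication for a batch message.
Added illustration with a constructed record layout; not the presentation's own code."""
import hashlib
import hmac
import re
from decimal import Decimal
from typing import List, Tuple

# Assumed record layout (constructed for this example):
#   REC;<11-digit identification number>;<amount with two decimals>
#   TRL;<record count>;<sum of amounts>              control totals
#   MAC;<hex HMAC-SHA256 over all preceding lines>   message authenticity
ID_RE = re.compile(r"^\d{11}$")
AMOUNT_RE = re.compile(r"^-?\d{1,10}\.\d{2}$")

KEY = b"constructed-shared-secret"      # key shared with the sending institution (assumption)
SAMPLE_BODY = ("REC;85012345678;120.50\n"
               "REC;90123456789;79.50\n"
               "TRL;2;200.00\n")        # constructed sample: 2 records summing to 200.00


def sign_batch(body: str, key: bytes) -> str:
    """Sender side: append the MAC trailer computed over the exact bytes of the body."""
    if not body.endswith("\n"):
        body += "\n"
    mac = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return body + "MAC;" + mac + "\n"


def validate_batch(message: str, key: bytes) -> Tuple[bool, List[str]]:
    """Receiver side: return (accepted, errors). Authenticity is checked first, so
    content altered in transit or sent by an unknown party is never parsed."""
    lines = message.splitlines()
    if not lines or not lines[-1].startswith("MAC;"):
        return False, ["missing MAC trailer"]
    body = "\n".join(lines[:-1]) + "\n"
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, lines[-1][4:]):    # constant-time comparison
        return False, ["MAC mismatch: message not authentic or altered in transit"]

    errors: List[str] = []
    count, total, trailer = 0, Decimal("0"), None
    for n, line in enumerate(lines[:-1], start=1):
        fields = line.split(";")
        if fields[0] == "REC" and len(fields) == 3:
            _, ident, amount = fields
            if not ID_RE.match(ident):
                errors.append(f"line {n}: invalid identification number")
            if not AMOUNT_RE.match(amount):
                errors.append(f"line {n}: invalid amount format")
                continue                                    # never feed unvalidated input to Decimal
            count += 1
            total += Decimal(amount)
        elif fields[0] == "TRL" and len(fields) == 3 and trailer is None:
            trailer = fields
        else:
            errors.append(f"line {n}: unexpected or duplicate record")
    if trailer is None:
        errors.append("missing control-total trailer")
    elif not trailer[1].isdigit() or not AMOUNT_RE.match(trailer[2]):
        errors.append("trailer: unparsable control totals")
    else:
        if int(trailer[1]) != count:
            errors.append(f"control total: trailer count {trailer[1]} != computed {count}")
        if Decimal(trailer[2]) != total:
            errors.append(f"control total: trailer sum {trailer[2]} != computed {total}")
    return not errors, errors
```

The order matters: a MAC failure returns immediately and reveals nothing about the content, `hmac.compare_digest` avoids a timing side channel on the comparison, and amounts are only converted to `Decimal` after the format check has passed. Control totals catch truncated or duplicated records even when every individual line is well formed.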

70 Acquisition, development and maintenance (continued)
- procedures for technical and functional tests are settled and implemented in an acceptance environment, separate from the production environment, with clear go/no-go criteria
- a method for analysing the impact of amendments to operating systems on security, on applications and on the continuous availability of information systems, with tests of the accessibility of information and applications in the amended environment before the amendments are put into effect, is settled and applied

71 Acquisition, development and maintenance (continued)
- a method for analysing the impact of amendments to the standard software used on security, on applications and on the continuous availability of information systems, with tests of the accessibility of information and applications in the amended environment before the amendments are put into effect, is settled and applied
- a procedure for the destruction of information in the event that further processing is no longer authorized, due to application of the proportionality principle or to occupation of the national territory, is settled and applied

72 Business continuity management
- back-up procedures for information and applications are settled and applied
- the code and written documentation of the latest version of all applications are kept at a secure site outside the production location
- the components of information systems, certainly those supporting vital and critical business processes, are distributed over geographically dispersed sites (no single point of failure)

73 Business continuity management (continued)
- a business continuity plan exists at each actor in the social sector and is made available to all those concerned
  – indicating vital and critical components and processes
  – with an inventory of the infrastructure and skills necessary for each component and process
  – with a description of actions, responsibilities and procedures in the event of an (internal or external) emergency
  – with a description of the continuation actions and procedures in the event of an emergency, in order to return to normal operation
  – with a description of test scenarios for the continuity plan, involving the third parties affected

74 Business continuity management (continued)
- the continuity plan is tested annually with the third parties affected, and a report of the results is drawn up, aimed at permanent improvement
- the information systems for which this is justified are insured against physical risks such as fire, flood or earthquake, and also against theft

75 Compliance: internal and external control
- continuous internal control of compliance with legislation, policies, directives, architecture, procedures and standards, and of any undesirable use of ICT facilities (e.g. use of ICT for non-business purposes, ...), is carried out by the information security officer
- a regular external check of compliance with legislation, policies, directives, architecture, procedures and standards is carried out by an external auditor on the instructions of the general manager of the actor in the social sector or of the Sector Committee

76 Compliance: internal and external control (continued)
- the checking methods, and the information systems and logs to be checked, are made easily accessible, with the support of the ICT department, to the persons carrying out internal and external control functions
- monitoring systems that flag potential risks of infringement of the law, policies, directives, architecture, procedures and standards, and any undesirable use of ICT facilities, are available to the information security officer
- a regular check of the security measures incorporated into contracts with third parties is carried out by the controller of the processing

77 More information
- website of the Crossroads Bank for Social Security: http://www.ksz.fgov.be
- personal website of Frank Robben: http://www.law.kuleuven.be/icri/frobben
- social security portal: https://www.socialsecurity.be

78 Th@nk you! Any questions?

