Eurostat ESS Security and Secure exchange of information Expert Group (E4SWG) Report of the activity of the Task Force in 2015 Pascal Jacques ESTAT B0 Local Informatics Security Officer Eurostat Request to the DIME-ITDG SG take note of the activities of the Expert Group and the progress regarding the ESS IT security framework, give feedback on the objective and use of an multi-beneficiary grant agreement project to support the framework give feedback on the proposed schemes for assurance mechanism give feedback on the Role of ESS groups (ITDG and its working group and task forces) in supporting the IT security framework implementation and capacity building Eurostat Activities 2012 Presentation of the idea to SISAI 12-13/6/2012 Request support of ITDG for creation of a WG on IT security (29-30/11/2012) "Enterprise Architecture Security Workshop" - December 2012 Discuss security aspects, mandate of the WG 2013 Survey Questionnaire on IT Security January-May 2013 Presentation of first findings at SISAI 2013 (13-14/5/2013) Presentation of a document on IT security for ITDG (7/6/2013) 2 Field visits in IT and FR TF Meetings (5-6/6/2014 & 9-10/10/2014 in Helsinki) Field visits in DE, PT, FI, SI TF Meetings (28-29/5/2015 Lisbon & 26-27/11/2015) Field visits in ES, NL, DK Eurostat Results Mitigating risks of data exchange Build trustworthiness between ESS Members Security Framework Introduction Data classification Risk analysis IT security controls entry pack Level 1 Level 2 Guidelines for implementing controls Self-assessment Security Assurance Secureing Ensured with DE, IT, SI, ES, CH, GR, DK FI having its own system FR and PT: issues on certificates Eurostat Multi-beneficiary grant agreement Supporting ESS members in their implementation of the Common ESS IT Security Framework. Exchanging of information/security incidents, running the ESS IT security network. Developing guidelines/technical documents and providing best practices and technical solutions in IT security ( , video-conference, etc.). Developing further the Common ESS IT Security Framework and common rules, procedures, guidelines and standards for secure communication (i.e.s) and data storage/exchange/transfer. Advising ESS members on their level of compliance on IT security. Providing training (including on-the-job training), awareness activities, workshops on IT security. Providing consultancy on security of ESS projects and solutions. Managing the repository of information on IT Security people, roles, procedures, best practices and documentation of infrastructures Eurostat Assurance mechanism Self-assessment compiled by all ESS members based on documentation provided by the TF. Self-managed and financed certification mechanism - Conclusions of audit analysed and validated/endorsed by central ESS service; Self-managed certification mechanism, but financed by ESTAT- Conclusions of audit analysed and validated/endorsed by central ESS service; Use of central certification service provided and supported by ESTAT. Eurostat Governance ESS IT Security Expert Group reporting to ITDG Risk mitigation strategy for microdata exchange under VIG Assurance reports (Self-assessment and Audits) are sensitive information ESS central auditing capacity managed and directly financed by ESTAT Multi-beneficiary project includes TF members and financed by ESTAT Mono-beneficiary grants to help countries improving their security level financed by ESTAT ESSC ultimate recipient of the security assurance report for the ESS Eurostat Roadmap Expert Group 2016 Finalise the work on security framework. DIME/ITDG early 2016 VIG in ?? Prepare work on security assurance Organise 2 TF meetings in 2016 Continue field visits in Member States (SE, GR, PL, EE). Continue implementing secureexchange facility Involve more ESS members in the TF activities Prepare multi-beneficiary grant 2017 Start multi-beneficiary grant project Eurostat Tentative Roadmap ESS February ESSC endorse roadmap for IT security assurance included in risk management May 2016 ESSC endorse IT security framework Second part Run ESS Self-Assessment End 2016 Report to ESSC on ESS security level Endorsement of IT security assurance mechanism 2017 Start capacity building grants 2017 Certification mechanism ESS countries phase Certification mechanism ESS countries phase Certification mechanism ESS countries phase 3