Eurostat ESS Security and Secure exchange of information Working Group (E4SWG) – ITDG, Item 4: Security progress and issues. Pascal Jacques, ESTAT B0, Local Informatics Security Officer

Eurostat

ESS Security and Secure exchange of information Working Group (E4SWG)

ITDG – Item 4: Security progress and issues

Pascal Jacques, ESTAT B0, Local Informatics Security Officer

The Context (1)

• Regulation (EC) No 223/2009 of the European Parliament and of the Council
  • (preamble) The confidential information which the national and Community statistical authorities collect for the production of European statistics should be protected, in order to gain and maintain the confidence of the parties responsible for providing that information. The confidentiality of data should satisfy the same principles in all the Member States.
  • (preamble) For that purpose, it is necessary to establish common principles and guidelines ensuring the confidentiality of data used for the production of European statistics and the access to those confidential data with due account for technical developments and the requirements of users in a democratic society.
  • The NSIs and other national authorities and the Commission (Eurostat) shall take all necessary measures to ensure the harmonisation of principles and guidelines as regards the physical and logical protection of confidential data.

• Commission Decision of 17 September 2012 on Eurostat (2012/504/EU)
  • The Director-General of Eurostat shall, in addition, take all necessary measures to protect data whose disclosure would cause prejudice to Union interests, or to the interests of the Member State to which they relate.

NO IMPLEMENTING ACTIONS PROPOSED

The Context (2)

• COMMISSION DECISION (EU) …/… OF 2015 ON SECURITY IN THE COMMISSION
  • Article 10 – Security measures regarding Communication and Information Systems

  All Communication and Information Systems ("CIS") used by the Commission shall comply with the Commission's Information Systems Security Policy, as set out in Commission Decision C(2006)3602, its implementing rules and corresponding security standards. Commission services owning, managing or operating CIS shall only allow other Union Institutions, agencies, bodies or other organisations to have access to those systems provided that those Union Institutions, agencies, bodies or other organisations can provide reasonable assurance that their IT systems are protected at a level equivalent to the Commission's Information Systems Security Policy as set out in Commission Decision C(2006)3602, its implementing rules and corresponding security standards. The Commission shall monitor such compliance, and in case of serious non-compliance or continued failure to comply, be entitled to prohibit access.

NEW SECURITY COMPLIANCE NEEDS

The Vision 2.0 – Security Framework

Develop an ESS that:

• is guided by quality in all activities and continues to deliver coherent, relevant and reliable statistics based on internationally harmonised concepts, sound methodologies and a strict data protection regime;

• engages users proactively and meets their demands in a cost-efficient and responsive manner;

• promotes efficiency and realises productivity gains through collaboration in sharing methods, tools, technological infrastructure and, where appropriate, data and human resources, based on legal frameworks and all prerequisites needed to ensure statistical confidentiality;

• embraces opportunities provided by the digital transformation and harnesses new data sources to produce meaningful statistics;

• delivers information in an interactive and easily understandable way, and improves the statistical literacy of European citizens and institutions by guiding them through the deluge of data and information from various origins.

Vision 2.0 – Security Elements

• Privacy and security in Big Data

• "In the long run we will explore the potentials of setting up a protected data exchange area, in which the exchange of micro data does not cause any data privacy or security concerns in any member state. Since the partners of micro data exchange should be capable of implementing the highest data protection standards, we will explore starting the micro data exchange network within the partnership of statistical producers in the ESS only…

• It requires the development of appropriate technical and organisational measures to manage the risks and in so doing protect statistical confidentiality and provide appropriate mechanisms to react to any breach of security swiftly and effectively.

• Above all, the procedures accompanying micro data exchange will be organised in a transparent way, so as to build up mutual trust based on evidence…

• common secure IT network for data exchange…

• …We will investigate the appropriateness and possibility of statistical institutes fulfilling the role of a trusted third party through which market competitors can share information without risk of disclosing sensitive data…"

Objectives of the working group

• Get to know each other better within the ESS in terms of information security and national specificities
• Exchange best practices in IT security
• Agree on common rules, procedures, guidelines and standards for secure communication (e.g. email) and data storage/exchange/transfer, in order to build mutual trust
• Agree on the security level of shared applications, services and processes
• Exchange information on:
  • Security measures used in Member States for data protection, data centres and access to micro data for research purposes
  • Projects/programmes linked to information security
  • IT architecture in Member States, to better understand each Member State's capacity to connect to a secured data exchange infrastructure such as the CCN network or sTESTA
• Set up a repository of information on people, roles, procedures, best practices and documentation of infrastructures

Activities

• 2012
  • Presentation of the idea to SISAI (12-13/6/2012)
  • Request for ITDG support for the creation of a WG on IT security (29-30/11/2012)
  • "Enterprise Architecture Security Workshop", December 2012
  • Discussion of security aspects and of the mandate of the WG

• 2013
  • Survey questionnaire on IT security, January-May 2013
  • Presentation of first findings at SISAI 2013 (13-14/5/2013)
  • Presentation of a document on IT security to ITDG (7/6/2013)
  • 2 field visits, in IT and FR
  • Due to budgetary constraints, the WG was converted to a Task Force

• 2014
  • 2 TF meetings (5-6/6/2014 and 9-10/10/2014 in Helsinki)
  • Field visits in DE, PT, FI, SI

Results (1)

• Secure emailing
  • In place with DE, IT, SI, ES, CH, EL
  • FI has its own system
  • FR and PT: issues with certificates

• Repository of information
  • Available on the CROS portal
  • OwnCloud solution in PT for more sensitive information

• Exchange of information and common position
  • Shared security guidelines and notices (secure IT development, use of video-conference facilities, etc.)

Results (2)

• Build trustworthiness between ESS members

• IT Security Framework
  • Introduction
  • Data classification
  • Risk analysis
  • IT security controls: entry pack – Level 1 – Level 2
  • Guidelines for implementing controls
  • Self-assessment

• Compliance Monitoring
  • Framework complementing the Code of Practice
  • Feedback mechanism towards the ESSC and the Member State
  • Work on labelling capacity for access facilities (Regulation (EU) No 557/2013) and NSIs

Next Phase (1)

• Finalise the work on the security framework and compliance monitoring.
• Organise 2 TF meetings in 2015 (May/Lisbon; October/Luxembourg).
• Present the security framework to ITDG in September 2015 for endorsement and transmission to the ESSC.
• Continue field visits in Member States (DK, NL, ES, SE, EL, …).
• Continue implementing the secure email exchange facility.
• Involve more ESS members in the TF activities.
• Convert the TF to an expert group in 2016. Broaden current participation (CH, DE, DK, ES, FI, FR, IT, NL, PL, PT, SI).

Next Phase (2)

• Prepare an ESSnet project (2017) on IT security:
  • Support ESS members to reach the minimum security level
  • Monitor and help ESS members to reach the Level 1 and Level 2 security levels
  • Support the compliance monitoring (NSIs and access facilities)
  • Support the labelling of Member States in terms of IT security
  • Ensure communication between ESS members on security
  • Run the network for information exchange on security breaches and threats

Ensure trustworthiness between ESS partners