Information security and privacy protection aspects of electronic information management in the Belgian social sector

Frank Robben
General manager
Crossroads Bank for Social Security
Sint-Pieterssteenweg 375
B-1040 Brussels
E-mail: [email protected]
Website CBSS: www.ksz.fgov.be
Personal website: www.law.kuleuven.be/icri/frobben

26th June 2008

Stakeholders of the Belgian social sector
• > 10,000,000 citizens
• > 220,000 employers
• about 3,000 public and private institutions (actors) at several levels (federal, regional, local) dealing with
  – collection of social security contributions
  – delivery of social security benefits
    • child benefits
    • unemployment benefits
    • benefits in case of incapacity for work
    • benefits for the disabled
    • reimbursement of health care costs
    • holiday pay
    • old age pensions
    • guaranteed minimum income
  – delivery of supplementary social benefits
  – delivery of supplementary benefits based on the social security status of a person

The problem
• a lack of well-coordinated service delivery processes and of well-coordinated information management led to
  – suboptimal effectiveness of social protection
  – a huge avoidable administrative burden and related costs for
    • the citizens
    • the employers/companies
    • the actors in the social sector
  – service delivery that didn’t meet the expectations of the citizens and the companies
  – insufficient social inclusion
  – too high possibilities of fraud
  – suboptimal support of social policy

Expectations of citizens and companies
• effective social protection
• integrated services
  – attuned to their concrete situation, and personalized when possible
  – delivered at the occasion of events that occur during their life cycle (birth, going to school, starting to work, moving, illness, retirement, starting up a company, …)
  – across government levels, public services and private bodies
• attuned to their own processes
• with minimal costs and minimal administrative burden
• if possible, granted automatically
• with active participation of the user (self service)
• well performing and user-friendly
• reliable, secure and permanently available
• accessible via a channel chosen by the user (direct contact, phone, PC, …)
• sufficient privacy protection

The solution
• a network between all 3,000 social sector actors with a secure connection to the internet, the federal MAN, regional extranets, extranets between local authorities and the Belgian interbanking network
• a unique identification key
  – for every citizen, electronically readable from an electronic social security card and an electronic identity card
  – for every company
  – for every establishment of a company
• an agreed division of tasks between the actors within and outside the social sector with regard to collection, validation and management of information and with regard to electronic storage of information in authentic sources

The solution
• 210 electronic services for mutual information exchange amongst actors in the social sector, defined after process optimization
  – nearly all direct or indirect (via citizens or companies) paper-based information exchange between actors in the social sector has been abolished
  – in 2007, 656 million electronic messages were exchanged amongst actors in the social sector, which saved as many paper exchanges
• electronic services for citizens
  – maximal automatic granting of benefits based on electronic information exchange between actors in the social sector
  – 8 electronic services via an integrated portal
    • 3 services to apply for social benefits
    • 5 services for consultation of social benefits
  – about 30 new electronic services are foreseen

The solution
• 41 electronic services for employers, either based on the electronic exchange of structured messages or via an integrated portal site
  – 50 social security declaration forms for employers have been abolished
  – in the remaining 30 (electronic) declaration forms the number of headings has on average been reduced to a third of the previous number
  – declarations are limited to 4 events
    • immediate declaration of recruitment (only electronically)
    • immediate declaration of discharge (only electronically)
    • quarterly declaration of salary and working time (only electronically)
    • occurrence of a social risk (electronically or on paper)
  – in 2007, 23 million electronic declarations were made by all 220,000 employers, 98 % of which from application to application

The solution
• an integrated portal site containing
  – electronic transactions for citizens, employers and professionals
  – simulation environments
  – information about the entire social security system
  – harmonized instructions and information model relating to all electronic transactions
  – a personal page for each citizen, each company and each professional
• an integrated multimodal contact centre supported by a customer relationship management tool
• a data warehouse containing statistical information with regard to the labour market and all branches of social security

The solution
• reference directory
  – directory of available services/information
    • which information/services are available at any actor depending on the capacity in which a person/company is registered at each actor
  – directory of authorized users and applications
    • list of users and applications
    • definition of authentication means and rules
    • definition of authorization profiles: which kind of information/service can be accessed, in what situation and for what period of time depending on in which capacity the person/company is registered with the actor that accesses the information/service
  – directory of data subjects
    • which persons/companies have personal files at which actors for which periods of time, and in which capacity they are registered
  – subscription table
    • which users/applications want to automatically receive what information/services in which situations for which persons/companies in which capacity

CBSS as driving force
• coordination by the Crossroads Bank for Social Security
  – Board of Directors consists of representatives of the companies, the citizens and the actors in the social sector
  – mission
    • definition of the vision and the strategy on eGovernment in the social sector
    • definition of the common principles related to information management, information security and privacy protection
    • definition, implementation and management of an interoperability framework
      – technical: secure messaging of several types of information (structured data, documents, images, metadata, …)
      – semantic: harmonization of concepts and co-ordination of necessary legal changes
      – business logic and orchestration support
    • coordination of business process reengineering
    • stimulation of service oriented applications
    • driving force of the necessary innovation and change
    • consultancy and coaching

Co-operative governance
• CBSS has an innovative model of governance, steering the business process re-engineering with complex interdependencies between all actors involved
• Board of Directors of the CBSS
  – consists of representatives of the stakeholders (employers associations, trade unions, social security institutions, …)
  – approves the strategic, operational and financial plans of the CBSS
• General Coordination Committee with representation of all users acts as debating platform for the elaboration and implementation of eGovernment initiatives within the social sector

Co-operative governance
• permanent or ad hoc working groups are instituted within the General Coordination Committee in order to co-ordinate the execution of programs and projects
• the chairmen of the various working groups meet regularly as a Steering Committee
• besides project planning and follow-up, proper measuring facilities are available to assure permanent monitoring and improvement after the implementation of the electronic services

Adequate management and control techniques
• annual priority plan debated with all users within the General Coordination Committee of the CBSS
• cost accounting and zero-based budgeting resulting in financial transparency, an informed budget and a good evaluation of the management contract with the Belgian federal government
• internal control based on the COSO methodology (see www.coso.org) in order to provide reasonable assurance regarding the achievement of objectives with regard to
  – effectiveness and efficiency of operations
  – reliability of financial reporting
  – compliance with applicable laws and regulations
• external audit with regard to the correct functioning of the internal control system

Adequate management and control techniques
• program management through the whole social sector
• issue management during the management of each program
• use of a system of project management combined with a time keeping system to follow up projects that are realized by the CBSS and its partners
• frequent reports to all users which describe the progress of the various projects and any adjustment measures
• use of balanced scorecards and a dashboard to measure, follow up and evaluate the performance of the electronic services and the CBSS
• use of ITIL (see www.itil-itsm-world.com) for ICT service delivery
• use of a coherent set of monitoring techniques to guarantee optimal control and transparency of the electronic services

Towards a network of service integrators

[Diagram: service integrators (FEDICT, CBSS, Corve, Easi-Wal, CIRB, …), each with a services repository, interconnected via the Internet, FEDMAN, the region or community extranets, the social sector extranet and VPN, Publi-link and VERA links; they serve FPS, ASS and RPS bodies as well as cities, provinces and municipalities.]

Advantages
• gains in efficiency
  – in terms of cost: services are delivered at a lower total cost
    • due to
      – a unique information collection using a common information model and administrative instructions
      – less need for re-encoding of information by stimulating electronic information exchange
      – a drastic reduction of the number of contacts between actors in the social sector on the one hand and companies or citizens on the other
      – a functional task sharing concerning information management, information validation and application development
      – a minimal administrative burden
    • according to a study of the Belgian Planning Bureau, rationalization of the information exchange processes between the employers and the social sector implies an annual saving of administrative costs of about 1.7 billion € a year for the companies

Advantages
• gains in efficiency
  – in terms of quantity: more services are delivered
    • services are available at any time, from anywhere and from several devices
    • services are delivered in an integrated way according to the logic of the customer
  – in terms of speed: the services are delivered in less time
    • benefits can be allocated quicker because information is available faster
    • waiting and travel time is reduced
    • companies and citizens can directly interact with the competent actors in the social sector with real time feedback

Advantages
• gains in effectiveness: better social protection
  – in terms of quality: same services at same total cost in same time, but to a higher quality standard
  – in terms of type of services: new types of services, e.g.
    • push system: automated granting of benefits
    • active search of non-take-up using data warehousing techniques
    • controlled management of own personal information
    • personalized simulation environments
• better support of social policy
• more efficient combating of fraud

Critical success factors
• common vision on electronic service delivery, information management and information security amongst all stakeholders
• support of and access to policymakers at the highest level
• trust of all stakeholders, especially partners and intermediaries, based on
  – mutual respect
  – real mutual agreement
  – transparency
• respect for legal allocation of competences between actors
• co-operation between all actors concerned based on distribution of tasks rather than centralization of tasks
• focus on more effective and efficient service delivery and on cost control

Critical success factors
• reasoning in terms of added value for citizens and companies rather than in terms of legal competences
• quick wins combined with long term vision
• lateral thinking when needed
• adaptability to an ever changing societal and legal environment
• electronic service delivery as a structural reform process
  – process re-engineering within and across actors
  – back-office integration for unique information collection, re-use of information and automatic granting of benefits
  – integrated and personalized front-office service delivery

Critical success factors
• multidisciplinary approach
  – process optimization
  – legal coordination
  – ICT coordination
  – information security and privacy protection
  – change management
  – communication
  – coaching and training

Critical success factors
• appropriate balance between efficiency on the one hand and information security and privacy protection on the other
• technical and semantic interoperability
• legal framework
• creation of an institution that stimulates, co-ordinates and assures a sound program and project management
• availability of skills and knowledge => creation of an association that hires ICT specialists at normal market conditions and puts them at the disposal of the actors in the social sector
• sufficient financial means for innovation: agreed possibility to re-invest efficiency gains in innovation
• service oriented architecture (SOA)

Critical success factors
• need for radical cultural change within government, e.g.
  – from hierarchy to participation and team work
  – meeting the needs of the customer, not the government
  – empowering rather than serving
  – rewarding entrepreneurship within government
  – ex post evaluation on output, not ex ante control of every input

Information security and privacy protection
• security, availability, integrity and confidentiality of information is ensured by integrated
  – structural
  – institutional
  – legal
  – organizational
  – HR-related
  – technical
  security measures according to agreed policies

Structural and institutional measures
• no central data storage
• the access authorization to personal information is granted by a Sector Committee of the Privacy Commission, designated by Parliament, after having checked whether the access conditions are met
• the access authorizations are public
• every actual electronic exchange of personal information has to pass an independent trusted third party (basically the CBSS) and is preventively checked on compliance with the existing access authorizations by that trusted third party
• every actual electronic exchange of personal information is logged, to be able to trace possible abuse afterwards
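The reference directory described under "The solution" above (directories of available services, of authorized users/applications, of data subjects, and the subscription table) and the trusted third party's preventive check and logging of every exchange described on this slide, modelled in Python as an added illustration. This is not CBSS code; the actors, applications, capacities, information types and identifiers are constructed for the example.

```python
"""Model of the reference directory and of the preventive check and logging
that the trusted third party applies to every exchange of personal information.
Added illustration, not CBSS code; all names and identifiers are constructed."""
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import date

# Directory of authorized users/applications: `application` of `actor` may obtain
# `information` about persons registered at `actor` in `capacity`, within [start, end].
AuthorizationProfile = namedtuple(
    "AuthorizationProfile", "actor application information capacity start end", defaults=(None,))
# Directory of data subjects: `subject` has a file at `actor` in `capacity` within [start, end].
Registration = namedtuple("Registration", "subject actor capacity start end", defaults=(None,))
# Directory of available services: `actor` supplies `information` about persons it holds in `capacity`.
AvailableService = namedtuple("AvailableService", "actor information capacity")
# Subscription table: `application` of `actor` wants `information` pushed for persons it holds in `capacity`.
Subscription = namedtuple("Subscription", "actor application information capacity")


def covers(start, end, day):
    """True when `day` lies within [start, end]; end=None means open-ended."""
    return start <= day and (end is None or day <= end)


@dataclass
class ReferenceDirectory:
    profiles: list
    registrations: list
    services: list
    subscriptions: list
    log: list = field(default_factory=list)  # one entry per attempted exchange, allowed or refused

    def registered(self, subject, actor, capacity, day):
        """Does `subject` have a file at `actor` in `capacity` on `day`?"""
        return any(r.subject == subject and r.actor == actor and r.capacity == capacity
                   and covers(r.start, r.end, day) for r in self.registrations)

    def check_exchange(self, actor, application, subject, information, day):
        """Preventive check of one requested exchange by the trusted third party.
        Returns (allowed, source_actor, reason); every attempt is logged so that
        possible abuse can be traced afterwards."""
        req = dict(actor=actor, application=application, subject=subject,
                   information=information, day=day)
        profile = next((p for p in self.profiles
                        if (p.actor, p.application, p.information) == (actor, application, information)
                        and covers(p.start, p.end, day)), None)
        if profile is None:
            return self._decide(req, False, None, "no valid authorization profile")
        if not self.registered(subject, actor, profile.capacity, day):
            return self._decide(req, False, None, f"subject not registered at {actor} as {profile.capacity}")
        # Locate a source actor that offers this information and actually holds the subject.
        for s in self.services:
            if s.information == information and self.registered(subject, s.actor, s.capacity, day):
                return self._decide(req, True, s.actor, "ok")
        return self._decide(req, False, None, "no source holds this information about the subject")

    def _decide(self, req, allowed, source, reason):
        self.log.append(dict(req, allowed=allowed, source=source, reason=reason))
        return allowed, source, reason

    def push(self, subject, information, day):
        """Subscription table: deliver `information` about `subject` to every subscribed
        application; each delivery still passes the same preventive check."""
        deliveries = []
        for sub in self.subscriptions:
            if sub.information != information or not self.registered(subject, sub.actor, sub.capacity, day):
                continue
            allowed, source, _ = self.check_exchange(sub.actor, sub.application, subject, information, day)
            if allowed:
                deliveries.append((sub.actor, sub.application, source))
        return deliveries


def build_demo_directory():
    """Constructed sample: a health fund is authorized, from 2007 on, to obtain the
    unemployment status of its insured members from the unemployment office."""
    return ReferenceDirectory(
        profiles=[AuthorizationProfile("HealthFund", "contribution-app", "unemployment_status",
                                       "insured", date(2007, 1, 1))],
        registrations=[Registration("SSN-0001", "HealthFund", "insured", date(2005, 1, 1)),
                       Registration("SSN-0001", "UnemploymentOffice", "jobseeker", date(2008, 3, 1)),
                       Registration("SSN-0002", "UnemploymentOffice", "jobseeker", date(2008, 1, 1))],
        services=[AvailableService("UnemploymentOffice", "unemployment_status", "jobseeker")],
        subscriptions=[Subscription("HealthFund", "contribution-app", "unemployment_status", "insured")])


def run_demo():
    """Exercise the sample directory; returns the decisions and the audit log."""
    d = build_demo_directory()
    june = date(2008, 6, 26)
    return {
        "allowed": d.check_exchange("HealthFund", "contribution-app", "SSN-0001", "unemployment_status", june),
        "not_member": d.check_exchange("HealthFund", "contribution-app", "SSN-0002", "unemployment_status", june),
        "too_early": d.check_exchange("HealthFund", "contribution-app", "SSN-0001", "unemployment_status", date(2008, 2, 1)),
        "no_profile": d.check_exchange("HealthFund", "other-app", "SSN-0001", "unemployment_status", june),
        "pushed": d.push("SSN-0001", "unemployment_status", june),
        "log": d.log,
    }
```

Refusals are logged with the same detail as allowed exchanges, which is what makes the log usable for tracing attempted abuse afterwards.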

Structural and institutional measures
• every actor in the social sector disposes of an information security officer with an advisory, stimulating, documentary and control task
• specialized information security service providers in the social sector have been recognized in order to support the information security officers
• a working party on information security and privacy protection within the social sector has been established
• minimal information security and privacy protection standards are proposed by the working party on information security and privacy protection and are established by the Sector Committee

Structural and institutional measures
• every year, every actor in the social sector has to report to the Sector Committee on compliance with the minimal information security and privacy protection standards
• in case an actor in the social sector doesn’t meet the minimal information security and privacy protection standards, the Sector Committee can prohibit the actor from being connected to the CBSS

Independent Sector Committee
• established within the Privacy Commission
• composed of
  – 2 members of the Privacy Commission
  – 3 independent social security specialists designated by Parliament
• competences
  – supervision of information security
  – authorizing the information exchange
  – complaint handling
  – information security recommendations
  – extensive investigating powers
  – annual activity report

Information security department
• at each actor in the social sector
• composition
  – information security officer
  – one or more assistants
• control on independence and permanent education of the information security officers is performed by the Sector Committee
• the Sector Committee can allow the task of the information security department to be entrusted to a recognized specialized information security service provider

Information security department: tasks
• information security department
  – recommends
  – promotes
  – documents
  – controls
  – reports directly to the general management
  – formulates the blueprint of the security plan
  – elaborates the annual security report
• general management
  – takes the decision
  – is finally responsible
  – gives motivated feedback
  – approves the security plan
  – supplies the resources

Contents of the security report
• general overview of the security situation
• overview of the activities
  – recommendations and their effects
  – control
  – campaigns in order to promote information security
• overview of the external recommendations and their effects
• overview of the received trainings

Specialized IS service providers
• to be recognized by the Government
• recognition conditions
  – non-profit association
  – having information security in the social sector as the one and only activity
  – respecting the tariff principles determined by the Government
• control on independence is performed by the Sector Committee
• tasks
  – keeping information security specialists at the disposal of the associated actors
  – recommending
  – organizing information security trainings
  – supporting campaigns promoting information security
  – external auditing on request of the actor or the Sector Committee
• each actor can only associate with one specialized information security service provider

Working party on information security
• composition
  – information security officers of all branches of the social sector
• task
  – coordination
  – communication
  – proposal of minimal information security and privacy protection standards
  – check list
  – recommendations to the Sector Committee

Legal measures

• obligations of the actors in the social sector as data controllers (i.e. the natural or legal person, public authority, agency or any other body which alone or jointly determines the purposes and means of the processing of personal data)

• rights of the data subjects (i.e. the natural persons the personal data relate to)

• remedies, liability and sanctions


Obligations of actors in the social sector

• principles relating to fair and lawful processing and data quality

• information to be given to the data subject

• confidentiality and security of processing


Fair and lawful processing and data quality
• fair and lawful processing
• collection only for specified, explicit and legitimate purposes
• no further processing in a way incompatible with those purposes
• personal data must be adequate, relevant and not excessive in relation to those purposes
• personal data must be accurate and kept up to date
• personal data must not be kept longer than necessary for those purposes in a form which permits the identification of the data subject

Fair and lawful processing and data quality
• respect of additional protection measures related to sensitive data, i.e. data revealing or concerning
  – racial or ethnic origin
  – political opinions
  – religious or philosophical beliefs
  – trade union membership
  – health
  – sexual life
  – offences, criminal convictions or security measures

Informing the data subject
• the controller or his representative must provide the data subject a minimum of information
  – when obtaining personal data from the data subject
  – when undertaking the recording or envisaging a disclosure to a third party of personal data that have not been obtained from the data subject
• exceptions:
  – the data subject already has the information
  – informing the data subject in case of processing of data obtained from another person
    • proves impossible, in particular for processing for statistical purposes or purposes of historical or scientific research, or
    • would involve disproportionate effort for the controller, in particular for processing for statistical purposes or purposes of historical or scientific research, or
    • is not necessary because the recording or disclosure is expressly laid down by law

Informing the data subject
• information to be given
  – identity of the controller and his representative, if any
  – the purposes of the processing
  – any further information necessary to guarantee fair processing in respect of the data subject, such as
    • categories of processed data
    • (categories of) recipients
    • whether replies are obligatory or not, as well as the possible consequences of failure to reply
    • the existence of rights of access and rectification

Confidentiality and security
• no access to personal data is permitted except on instructions from the controller or if required by law
• appropriate technical and organizational security measures
  – protection against
    • accidental or unlawful destruction
    • accidental loss
    • alteration
    • unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network
    • all other forms of unlawful processing
  – measures have to be appropriate
    • to the risks represented by the processing
    • and the nature of the data to be protected
    • having regard to the state of the art
    • and the cost of their implementation

Confidentiality and security
• where processing is carried out by an external processor
  – the controller has to choose a processor guaranteeing sufficient technical and organizational security measures
  – the controller must ensure compliance of the processing with the security measures
  – the carrying out of the processing must be governed by a written contract or legal act stipulating in particular that
    • the processor shall act only on instructions from the controller
    • the security obligations shall also be incumbent on the processor

Recommendation Belgian Privacy Commission
• see http://www.privacycommission.be/nl/static/pdf/referenciemaatregelen-vs-01.pdf
• risk analysis taking into account
  – the nature of the processed data
  – the applicable legal requirements
  – the size of the organization
  – the importance and the complexity of the information systems
  – the extent of internal and external access to personal data
  – the probability and the impact of the several risks
  – the cost of the implementation of risk mitigating measures

Recommendation Belgian Privacy Commission
• 10 types of measures
  – information security policy
  – information security officer
  – minimal organizational measures and measures related to staff
  – physical security
  – network security
  – access control
  – logging and investigation of logging
  – supervision, audit and maintenance
  – management of security incidents and continuity
  – documentation

Rights of the data subject
• right of privacy protection
• right of information
  – access to the public register
  – in case of collection of data
  – in case of the recording or disclosure of data obtained elsewhere
• right of access
• right of rectification, erasure or blocking
• right not to be subject to fully automated individual decisions
• right of a judicial remedy

Right of access
• the data subject has the right to obtain from the controller without constraint, at reasonable intervals and without excessive delay or expense
  – confirmation as to whether or not data relating to him are being processed
  – information at least about
    • the purposes of the processing
    • the categories of data
    • the (categories of) recipients
  – communication of the data and any available information as to their source
  – knowledge of the logic in case of an automated processing intended to evaluate certain personal aspects relating to him
• every time information is used to take a decision, the information used is communicated to the person concerned together with the decision

Right of rectification, erasure or blocking
• the data subject has the right to obtain from the controller the rectification, erasure or blocking of data, the processing of which does not comply with the provisions of the directive (e.g. incomplete or inaccurate data)
• the controller has to notify any rectification, erasure or blocking to third parties to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort

Automated individual decisions
• every person is granted the right not to be subject to a decision which produces legal effects for him or significantly affects him and which is based solely on the automated processing of data intended to evaluate certain personal aspects, such as his performance at work, creditworthiness, reliability, conduct, ...
• derogations are possible
  – under certain circumstances, in the course of the entering into or the performance of a contract, or
  – by law providing measures to safeguard the data subject’s legitimate interests

Remedies, liability and sanctions
• remedies
  – administrative remedies, inter alia before the Sector Committee
  – judicial remedies
  – for any breach of the rights guaranteed by the applicable national law
• liability
  – right to compensation from the controller for the damage suffered as a result of an unlawful processing operation, unless the controller proves not to be responsible for the event giving rise to the damage
• sanctions
  – penal sanctions
  – interdiction to process personal data

Organizational, HR-related & technical measures
• risk assessment
• security policies
• governance and organization of information security
• inventory and classification of information
• human resources security
• physical and environmental security
• management of communication and service processes
• processing of personal data
• access control
• acquisition, development and maintenance of information systems
• information security incident management
• business continuity management
• compliance: internal and external control
• communication to the public of the policies concerning security and the protection of privacy

Security policies
• an integrated set of security policies is being elaborated through step-by-step refinement
• the policies always have the following structure
  – material field of application: what the policy is all about
  – personal field of application: to whom the policy applies
  – definitions of the concepts used under the policy
  – general principles: setting rules and responsibilities
  – requirements and references to other policies
  – sanctions, arising among other things from regulations, if the policy is not complied with
  – references to directives, architecture, procedures, standards and techniques to comply with the policy
  – date of validation by the bodies concerned
  – note of the person responsible for policy maintenance

Security policies
• directives, architecture, standards, procedures and techniques are being described to apply the integral set of security policies, in accordance with the priorities set by the working party on information security and privacy protection

Classification of information
• the purpose of classifying information is to determine the protection level per information item, taking two aspects into account
  – the importance for the business continuity of the actors (e.g. vital, critical, necessary, useful)
  – sensitivity in relation to protection of privacy (e.g. public, internal, confidential, secret)
• the field of application of the classification exercise covers information (mainly personal data) used for services to citizens, companies and civil servants, regardless of the support equipment on which they are kept
• information is labelled depending on the classification criteria used

HR-security
• security tasks and responsibilities are included in all job descriptions to which they apply; sensitive positions are stated as such in job descriptions
• applicants for sensitive jobs are screened carefully
• a secrecy declaration is signed by every staff member
• all staff members are briefed, educated and trained regarding information security and protection of privacy
• at each actor in the social sector, robust procedures have to be settled and implemented to report any security breaches or weak points to the information security officer

HR-security
• at each actor in the social sector, a working method is settled and implemented to analyse any security-related incidents and weak points reported by the information security officer, and adequate remedial measures are proposed
• (disciplinary) sanctions are foreseen when measures relating to information security and protection of privacy are circumvented or not complied with
• it is checked that the (disciplinary) sanctions are sufficiently well known when measures relating to information security and protection of privacy are circumvented or not complied with
• it is checked that adequate measures are applied when a working relationship with a staff member is terminated

Physical and environmental security

• premises have to be available that are well secured against malign external influences, unauthorized access, break-in, flood, fire, ..., and ICT infrastructure supporting vital and critical business processes has to be accommodated at these premises

• the electricity supply for ICT infrastructure supporting vital and critical business processes is guaranteed

• cables and air-waves are secured, especially against wire-tapping

– a procedure for the import and export of business equipment, among other things in cases of maintenance and repairs, is settled and implemented

– rules are settled for managing business equipment relating to people (e.g. laptops, handhelds, mobile phones, call tokens, ...) giving access to information that needs to be protected


Management of processes

• the division of responsibilities for the management and maintenance of all parts of the ICT infrastructure is settled and implemented

• security procedures, including procedures for resolving incidents, are settled and implemented, taking into account the necessary divisions of roles

• the internal rules for day-to-day work (e.g. back-ups, banned use of computer games, code of practice regarding use of the Internet, closing of equipment, ...) are settled and complied with

• each stage in the life-cycle of an application, including acceptance scenarios, is settled and complied with


Management of processes

• new applications or amendments to existing applications are submitted for acceptance tests in an acceptance environment, separate from the production environment, before going into production

• the six areas of ITIL methodology concerning service support, and the first two areas of ITIL methodology concerning service delivery, are implemented

– service support
  • configuration management
  • incident management
  • problem management
  • change management
  • service/help-desk
  • release management

– service delivery
  • service level management
  • capacity management


Management of processes

• there are preventive measures for securing all information systems against viruses and harmful software

• procedures for information management supports (tapes, floppy disks, cassettes, ...) are settled and complied with, including rules relating to
– storage and access
– shipping
– accidental destruction


Management of processes

• networks are managed following well-defined procedures, especially when connected to external networks; in this respect, special attention is paid to
– divisions between internal and external networks
– peripheral securing of internal networks (firewalls, ...)
– authentication of components against one another
– intrusion detection
– application of encryption techniques where necessary

• interchange agreements are written down for the use of network services, especially for network services used for external collaboration, including
– service level agreements concerning availability and performance
– demarcation of responsibilities relating to security and protection of privacy


Access control

• a user management system is settled and implemented, permitting
– electronic identification of people, resources, applications and services
– electronic authentication of the identity of people, resources, applications and services by appropriate means (user ID, password, token, digital certificate, electronic signature, ...)
– electronic verification of relevant characteristics and mandates of people in authentic sources

• an access management system is settled and implemented, indicating among other things
– roles and functions
– authorizations on the basis of those roles and functions
– authorization time-limits

• authorizations are managed at the levels of
– people
– resources
– applications
– services


User and access management

• identification of physical and legal persons
– unique social identification number for physical persons
– unique company number for companies

• authentication of the identity of physical persons
– electronic identity card
– user id, password, token

• authentic sources for
– management and verification of characteristics (e.g. a capacity, a function, a professional qualification) of persons
– management and verification of mandates between a legal or physical person to whom an electronic transaction relates and the person carrying out that transaction
– management and verification of authorizations


Policy Enforcement Model

[diagram: the user performs an action on an application; the Policy Application (PEP) sends a decision request to the Policy Decision (PDP) and receives a decision reply, after which the action on the application is PERMITTED or DENIED; the PDP retrieves policies from the Policy Administration (PAP), whose policy repository is maintained by a manager through policy management, and exchanges information requests and replies with Policy Information points (PIP), each backed by an authentic source]


Policy Enforcement Point (PEP)

• intercepts the request for authorization with all available information about the user, the requested action, the resources and the environment

• passes on the request for authorization to the Policy Decision Point (PDP) and extracts a decision regarding authorization

• grants access to the application and provides relevant credentials

[diagram: the PEP part of the Policy Enforcement Model: user, Policy Application (PEP), application, Policy Decision (PDP); action on application, decision request, decision reply, action on application PERMITTED or DENIED]


Policy Decision Point (PDP)

• based on the request for authorization received, retrieves the appropriate authorization policy from the Policy Administration Point(s) (PAP)

• evaluates the policy and, if necessary, retrieves the relevant information from the Policy Information Point(s) (PIP)

• takes the authorization decision (permit/deny/not applicable) and sends it to the PEP

[diagram: the PDP part of the Policy Enforcement Model: decision request and reply between the Policy Application (PEP) and the Policy Decision (PDP); retrieval of policies from the Policy Administration (PAP); information requests and replies to the Policy Information points (PIP)]


Policy Administration Point (PAP)

• environment to store and manage authorization policies by authorized person(s) appointed by the application managers

• puts authorization policies at the disposal of the PDP

[diagram: the PDP retrieves policies from the PAP; a manager maintains the policy repository through policy management]


Policy Information Point (PIP)

• puts information at the disposal of the PDP in order to evaluate authorization policies (authentic sources with characteristics, mandates, etc.)

[diagram: the PDP exchanges information requests and replies with PIP 1 and PIP 2, each backed by its own authentic source]
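The four points described above, as an added example that is not part of the original slides: a toy Python model in which the PEP intercepts the action, the PDP retrieves the policy from the PAP and the person's roles from two PIPs (each a constructed "authentic source"), applies the authorization time-limit, and every decision is time-logged. All user ids, roles, resources, policies and dates are constructed assumptions.

```python
"""Added example (not from the slides): toy PEP/PDP/PAP/PIP flow; all ids, roles, policies and dates are constructed."""
from datetime import date

class PIP:
    """Policy Information Point: serves roles of persons from an authentic source (a dict)."""
    def __init__(self, authentic_source):
        self.source = authentic_source
    def roles_of(self, user):
        return set(self.source.get(user, {}).get("roles", []))

class PAP:
    """Policy Administration Point: policies keyed by (resource, action), each with a required role and a time-limit."""
    def __init__(self):
        self.repository = {}
    def set_policy(self, resource, action, role, valid_until):
        self.repository[(resource, action)] = {"role": role, "valid_until": valid_until}
    def retrieve(self, resource, action):
        return self.repository.get((resource, action))

class PDP:
    """Policy Decision Point: policy from the PAP, attributes from the PIPs, one decision."""
    def __init__(self, pap, pips):
        self.pap, self.pips = pap, pips
    def decide(self, user, action, resource, today):
        policy = self.pap.retrieve(resource, action)
        if policy is None:
            return "NotApplicable"
        if today > policy["valid_until"]:   # authorization time-limit passed
            return "Deny"
        roles = set().union(*(pip.roles_of(user) for pip in self.pips))
        return "Permit" if policy["role"] in roles else "Deny"

class PEP:
    """Policy Enforcement Point: intercepts the action, asks the PDP, time-logs the outcome."""
    def __init__(self, pdp):
        self.pdp, self.log = pdp, []
    def handle(self, user, action, resource, today):
        decision = self.pdp.decide(user, action, resource, today)
        self.log.append((today.isoformat(), user, action, resource, decision))
        return decision == "Permit"         # only an explicit Permit opens the application

def demo():
    """Wire the points together on constructed data; returns the three outcomes."""
    pap = PAP()
    pap.set_policy("benefits-file", "read", "caseworker", date(2008, 12, 31))
    pips = [PIP({"user-A": {"roles": ["caseworker"]}}), PIP({"user-B": {"roles": ["citizen"]}})]
    pep = PEP(PDP(pap, pips))
    return (pep.handle("user-A", "read", "benefits-file", date(2008, 6, 26)),
            pep.handle("user-B", "read", "benefits-file", date(2008, 6, 26)),
            pep.handle("user-A", "read", "benefits-file", date(2009, 1, 1)))
```

demo() returns (True, False, False): the caseworker is permitted, the citizen is denied, and the caseworker is denied again once the authorization time-limit has passed.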


Architecture

[diagram: three instances of the same authorization architecture, for the social sector (CBSS), the eHealth platform and the non-social FPS (Fedict); in each, a USER is authenticated and authorised by a PEP with a Role Mapper in front of the APPLICATIONS (WebApp XYZ), the PDP uses a Role Provider and the Role Mapper DB, the PAP "Kephas" holds the policies, and PIPs (Attribute Providers) draw on authentic sources such as the UMAF, the Management VAS, the RIZIV, a mandates DB, a judicial executors DB and the application's own DB XYZ]


Access control

• buildings are partitioned, securing rings are installed and access control measures to premises are implemented

• access control measures to physical resources (computers, networks, ...) by users (people, resources or applications) are set and implemented, with particular attention to business equipment relating to people (e.g. laptops, handhelds, mobile phones, call tokens, ...)

• access control measures to (sections of) application code are set and implemented

• access control measures to applications and services by internal and external users (people, resources or applications) are set and implemented (e.g. call-back procedures)

• ICT equipment is automatically timed out after a set period of inactivity

• all access and actions carried out are time-logged


Acquisition, development and maintenance

• security directives to be complied with during the acquisition, development and maintenance of applications and services are set and implemented
– division of functions
– audit trails during development
– documentation
– regular interim back-ups

• the development environment is secured

• rules to build security into applications and services (e.g. validation of data input, checks of totals, verification of the authenticity of messages sent to subjects, ...), mainly externally accessible applications and services, are settled and applied


Acquisition, development and maintenance

• procedures concerning technical and functional tests are settled and implemented in an acceptance environment, separate from the production environment, with clear go/no-go areas

• a method for analyzing the impact of amendments to operating systems on security and applications, on the permanent accessibility of information systems, and tests of the accessibility of information and applications in the amended environment before putting the amendments into effect, are settled and applied


Acquisition, development and maintenance

• a method for analyzing the impact of amendments to standard software used on security and applications, and on the continuous accessibility of information systems, and tests of the accessibility of information and applications in the amended environment before putting the amendments into effect, are settled and applied

• a procedure for the destruction of information in the event that further processing is no longer authorized due to application of the proportionality principle or occupation of the country’s territory, is settled and applied


Business continuity management

• back-up procedures for information and applications are settled and applied

• the code and written documentation on the latest version of all applications is kept at a secure site outside the production location

• the parts of information systems, certainly those supporting vital and critical business processes, are split up at geographically dispersed sites (no single points of failure)


Business continuity management

• a business continuity plan exists at each actor in the social sector and is made available to all those concerned
– indicating vital and critical components and processes
– with an inventory of necessary infrastructure and skills for each component and process
– with a description of actions, responsibilities and procedures in the event of an (internal or external) emergency
– with a description of continuation actions and procedures in the event of an emergency in order to return to normal operation
– with a description of test scenarios for the continuity plan with third parties affected


Business continuity management

• the continuity plan is tested annually with the third parties affected and a report of the results is drawn up, aimed at permanent improvement

• the information systems for which this is justified are insured against physical risks such as fire, flood or earthquake, and also against theft


Compliance: internal and external control

• permanent internal control on respect of legislation, policies, directives, architecture, procedures and standards and on any undesirable use of ICT facilities (e.g. use of ICT for non-business purposes, ...) is carried out by the information security officer

• a regular external check in respect of legislation, policies, directives, architecture, procedures and standards is carried out by an external auditor by order of the general manager of the actor in the social sector or of the Sector Committee


Compliance: internal and external control

• the checking methods, and the information systems and logs to be checked, are, with the support of the ICT department, easily accessible to the persons carrying out internal and external control functions

• monitoring systems that flag potential risks linked to infringements of the law, policies, directives, architecture, procedures and standards, and any undesirable use made of ICT facilities, are available to the information security officer

• a regular check is carried out by the controller of the processing in respect of the security measures incorporated into contracts with third parties


More information

• website Crossroads Bank for Social Security
– http://www.ksz.fgov.be

• personal website Frank Robben
– http://www.law.kuleuven.be/icri/frobben

• social security portal
– https://www.socialsecurity.be

Th@nk you!

Any questions?