Information Security in Sweden


Information Security in Sweden: Action plan


Summary

In January 2007, SEMA was commissioned by the government to prepare proposals for an action plan for information security in Sweden. The action plan consists of 47 proposed measures. The following four areas have been designated as prioritized:

- Improved sector-wide and cross-sectoral work is needed for information security in Sweden. It should be possible to prepare all-embracing regulations for the field of information security that apply to all government agencies. At the same time, sector-specific responsibility must be clarified. Furthermore, there must be opportunities to provide practical recommendations to other civil sectors.
- A fundamental security level must be established for information security in Sweden. Such a basic level is a prerequisite for being able to secure the information assets that have become increasingly fundamental for both trade and industry and the public sector.
- Society must be able to deal with extensive IT-related disturbances and emergencies. An operative national coordinating function should therefore be established.
- There are competence deficiencies in the field of information security at all levels of society. The rapid pace of development also means that competence deficiencies on the part of individual users have increasingly serious consequences. For this reason, several proposals are submitted that jointly constitute a broad program to raise competence in the field.

The proposed measures submitted in the action plan concern measures in the information security field and embrace all of society, from normal conditions to emergencies. The action plan also proposes an administration process in which the measures are followed up and updated annually. The action plan proposes measures that address the problems reported in SEMA's annual situational assessment. The proposed measures also take into account, among other things, the Commission on Information Security's report Secure information (SOU 2005:42); the government bill for improved emergency preparedness (Bill 2007/08:92); and the committee directive for a new agency with responsibility for emergency preparedness and security matters (Dir. 2008:27). Work has been conducted in collaboration with government authorities at the national, county and municipal levels, as well as with trade and industry. The authorities of the Collaborative Group for Information Security (SAMFI) have conferred on the action plan.


Table of contents

Terms and abbreviations
1 Introduction
  SEMA's commission
  Interpretation of the commission
  Input values
    National strategy for information security
    Commission on Information Security's strategy
  Methods
    Collaboration
    Document studies
    In-depth studies
  Definition of information security
  Document structure
2 Information security in Sweden
  Threats to and vulnerabilities of the information society
  Aspects of information security
    Holistic view on information security
    Standardization
    Competence and awareness
    Collaboration
    Resources
    Rules and regulations
3 Execution
  Adoption of proposed measures
  Administration of the action plan
    Background information
    Proposed measures
4 Legislative review and authorization to issue regulations
  Background information
  Proposed measures
5 Information security in organizations
  Information security responsibility
    Background information
    Proposed measures
  Information security management systems
    Background information
    Proposed measures
  Framework for the governmental information security
    Background information
    Proposed measures
  Fundamental security level for information security
    Background information
    Proposed measures
6 Competence supply
  Knowledge center for information security
    Background information
    Proposed measure
  Awareness of information security in society
    Background information
    Proposed measures
  Elementary schools and high schools
    Background information
    Proposed measures
  Universities and colleges
    Background information
    Proposed measure
  Working population
    Background information
    Proposed measures
  Research
    Background information
    Proposed measures
7 Information sharing, collaboration and response
  Operative national coordination function
    Background information
    Proposed measures
  Suppression of IT-related criminality
    Background information
    Proposed measures
  National coordination
    Background information
    Proposed measures
  Collaboration within the EU
    Background information
    Proposed measures
  Other international collaboration
    Background information
    Proposed measure
8 Communications security
  Internet security
    Background information
    Proposed measure
  Signal security
    Background information
    Proposed measures
  Swedish Government Secure Intranet (SGSI)
    Background information
    Proposed measure
  Electronic government administration
    Background information
    Proposed measure
9 Security in products and systems
  Evaluation and certification of IT security products
    Proposed measures
  Security in digital control systems
    Background information
    Proposed measure
References
Appendix 1: Compilation of proposed measures
Appendix 2: Proposal for legislative changes
Appendix 3: Collaboration report
Appendix 4: SAMFI agencies

Terms and abbreviations

AgN: Workgroup for trade and industry collaboration. AgN is a subgroup of the Information Security Council.
BITS: Baseline for Information Security, issued by SEMA.
CCRA: Common Criteria Recognition Arrangement. CCRA is a collaboration between 24 nations that recognize one another's certificates issued according to the Common Criteria (CC). Sweden's representative in the CCRA is SEMA.
CERT: Computer Emergency Response Team.
CIIP: Critical Information Infrastructure Protection.
CIP: Critical Infrastructure Protection.
Common Criteria (CC): The standard ISO/IEC 15408, Evaluation criteria for IT security. Common Criteria is a standard for specifying, claiming and evaluating security requirements in IT products and IT systems, as well as their application environments (see Section 9.1).
CPNI: Centre for the Protection of National Infrastructure. British authority for security, including information security.
CSEC: Swedish Certification Body for IT Security. Part of the Swedish Defence Materiel Administration (FMV) and responsible for establishing, operating and administering a scheme for evaluation and certification of IT security in products and systems in accordance with the Common Criteria (CC) standard.
EPCIP: European Programme for Critical Infrastructure Protection.
EU: European Union.
FIDI: Forum for information sharing concerning information security. A model for cooperation in information security between private and public entities (see Section 7.3.1).
FIPS PUB 199: Standards for Security Categorization of Federal Information and Information Systems (FIPS, Federal Information Processing Standards Publications).
FIRST: Forum of Incident Response and Security Teams. International collaborative forum for CERTs.
FISMA: Federal Information Security Management Act of 2002.
FM: Swedish Armed Forces.
FMV: Swedish Defence Materiel Administration.
FOI: Swedish Defence Research Agency.
FRA: National Defence Radio Establishment.
IEC: International Electrotechnical Commission.
Information Security Council: A Swedish council for national information security matters with representatives from strategic entities in the field. The council is led by SEMA.
ISO: International Organization for Standardization.
ISO/IEC 27001: Requirements standard for information security management systems.
ISO/IEC 27002: Best practice standard (code of practice) for information security management.
ISMS: Information security management system (see ISO/IEC 27001 and ISO/IEC 27002).
MSB: The new agency for civil protection and emergency preparedness.
PP: Protection Profile.
PTS: Swedish Post and Telecom Agency.
RKP: Swedish Criminal Investigation Department.
RPS: National Police Board.
SAMFI: Collaborative Group for Information Security. SAMFI consists of representatives from FM, FMV, FRA, PTS, RPS and Verva, and is led by SEMA.
SÄPO: Swedish Security Service.
S-BIT: Joint function at RKP and SÄPO for coordination of IT-related crimes and incidents.
SCADA: See Supervisory Control and Data Acquisition (SCADA).
SEMA: Swedish Emergency Management Agency.
SGSI: Swedish Government Secure Intranet. Swedish national network used for communications between Swedish government agencies and with the European Commission's TESTA (see Section 8.3).
SITIC: Swedish IT Incident Centre. Led by PTS.
Supervisory Control and Data Acquisition (SCADA): Computer-based system for control, regulation and monitoring of physical processes, such as the supply of electricity, gas and water, as well as rail-bound traffic (see Section 9.2).
TESTA: Trans-European Services for Telematics between Administrations. The European Commission's network for communications with EU member states (see Section 8.3).
TSS: Swedish Armed Forces School of Communication Security.
Verva: Swedish Administrative Development Agency.


1 Introduction

The Swedish Emergency Management Agency (SEMA) has the coordinating official responsibility for matters concerning information security and, in this role, has been commissioned by the government to prepare an action plan for implementing and administering the nation's strategy for information security. This section describes SEMA's commission, the interpretation of the commission and the methods selected for carrying it out.

1.1 SEMA's commission

In the government's bill on coordination in the event of emergencies (Bill 2005/06:133), it is stipulated that SEMA shall prepare proposals for an action plan for information security. In SEMA's appropriation direction for 2007, the Ministry of Defence stipulates the following:

The Swedish Emergency Management Agency shall, within the framework of its information security work and based on the present distribution of responsibility within the field, submit proposals for an action plan for implementation and administration of the national strategy for information security. Work shall be conducted in collaboration with the concerned government authorities at the national, county and municipal levels, as well as with trade and industry. Special consideration shall be shown to the responsibilities of the regulatory and sector agencies, and they shall be given the opportunity to submit their views on the proposals. A situational report shall be presented no later than August 30, 2007, and a final report of the commission shall be presented in conjunction with the annual report for

Interpretation of the commission

The national strategy for information security is the basic prerequisite for formulating the action plan. The government's strategy for information security is stated in the bill on civil security and preparedness (Bill 2001/02:158) and in the bill on coordination in the event of emergencies (Bill 2005/06:133). A report from the Commission on Information Security, Secure information: proposals on information security policy (SOU 2005:42), includes a proposal for a strategy encompassing ten points, which should also be taken into consideration. Implementation involves a number of activities and measures intended to realize the strategy. Administration is interpreted as maintenance of the realized measures, for example follow-up and updating, as well as maintenance of the objectives of information security, namely the strategy.

1.2 Input values

The action plan takes into account the government's bill on strengthened emergency preparedness (Bill 2007/08:92) and the committee directive for a new agency with responsibility for civil emergency preparedness and security (Dir. 2008:27) of March 13. The bill proposes that SEMA, the Swedish Rescue Services Agency and the Swedish National Board of Psychological Defence be phased out on December 31, 2008 and that a new agency for civil protection and emergency preparedness (MSB) be established on January 1.

National strategy for information security

The strategy referred to in the appropriation direction was proposed in the bill on civil security and preparedness (Bill 2001/02:158) and was later complemented in the bill on coordination in the event of emergencies (Bill 2005/06:133). The general strategy is formulated as follows (Bill 2001/02:158):

The objective should be to establish high information security throughout society, so that disturbances to critical societal functions can be prevented or properly dealt with. The strategy for achieving this objective should, like other civil emergency management, be based on the responsibility principle, the similarity principle and the proximity principle. Fundamentally, the entity responsible for an information processing system is also responsible for that system having the security necessary for it to function satisfactorily. An important role for the government is therefore to attend to society's overall need for information security and to take the measures that cannot reasonably be assigned to the individual system owner. To prevent serious information-related attacks against Sweden, the work of the intelligence and security services should be strengthened.

The orientation of the national strategy for information security is complemented in Bill 2005/06:133 as follows:

The strategy for information security established by the government in 2002 should be further developed to also encompass the ability to detect, counteract and take action in conjunction with disturbances in critical societal IT systems. Trust and assurance in the use of IT should be increased. Increased security and improved integrity protection should be sought. An action plan for information security should be prepared based on a national strategy for information security work.

Commission on Information Security's strategy

The Commission on Information Security's report Secure information: proposals on information security policy (SOU 2005:42) presents a proposal for an information security strategy. This strategy, as well as the other parts of the study, has been considered in preparing the action plan. The strategy consists of the following ten points:

1. Development of Sweden's position in the EU and in international contexts
2. Creation of trust, assurance, security and increased integrity protection
3. Encouragement of increased use of IT
4. Prevention of, and capability to deal with, disturbances to information and communications systems
5. Strengthening of intelligence and security service work and improvement of sharing
6. Strengthening of capacity in the field of national security
7. Utilization of society's collected capacity
8. Focus on critical societal functions
9. Increased awareness of security risks and of the alternatives for protection
10. Assurance of competence supply

1.3 Methods

The action plan is based on interaction with other entities, document studies and individual in-depth studies. These methods are described below. An important starting point for the action plan's proposed measures is the identified threats and vulnerabilities. These are not presented in detail in the action plan, but can be found in other documents, including SEMA's annual situational assessments and the bills and studies mentioned above.

Collaboration

Experts in various fields have contributed knowledge, constructive criticism and authorship. External collaboration has been conducted through meetings, conferences and workshops, primarily in SEMA's various forums for collaboration in information security:

- The Collaborative Group for Information Security (SAMFI). The participants are representatives of the following government entities: SEMA, the Swedish Post and Telecom Agency (PTS), the Swedish Administrative Development Agency (Verva), the Swedish Defence Materiel Administration (FMV), the National Defence Radio Establishment (FRA) and the Swedish Armed Forces (FM), as well as the Swedish Criminal Investigation Department (RKP) and the Swedish Security Service (SÄPO). The respective duties and roles of these entities are presented in Appendix 4.
- The Information Security Council, a Swedish council for national information security matters with representatives from strategic entities in the field.
- The Workgroup for trade and industry collaboration (AgN). AgN is a subgroup of the Information Security Council with representatives from Swedish trade and industry.

Besides these forums, individual meetings have been held with Swedish entities, both those belonging to the groups above and other strategically important entities. International contacts have been cultivated through bilateral meetings with, for example, German and Norwegian authorities, and through participation in conferences and workshops. All entities that SEMA has collaborated with are presented in Appendix 3.

Document studies

The investigation by the Commission on Information Security has been an important starting point in preparing the action plan, since it is current, detailed and has been widely reviewed. Both national and international reports have also been used as source material. All documents that have formed the basis of the action plan are listed in the reference section.

In-depth studies

Three in-depth studies have been conducted:

1. A study of how Sweden can become better at taking action on information security matters within the EU. The study was conducted by the Swedish Defence Research Agency (FOI).
2. An analysis of the medical care and financial sectors for the purpose of identifying current information security work, future weaknesses (dependencies, vulnerabilities) and planned work (Meile AB).
3. An observation study of the IT attacks against Estonia in the spring of The investigation was conducted by SEMA's information security unit.

1.4 Definition of information security

The terminology in the original Swedish version of this action plan complies with the SIS handbook on information security terminology (SIS HB 550, version 3). Information security encompasses both administrative and technical aspects of the confidentiality, integrity and availability of information assets. As a complement to these three aspects, the concept of traceability (accountability) is also applied, among others. The term information asset refers both to information and to the resources used to process it. Information security thus concerns more than securing information systems: other resources, not least human resources, are also important components of the concept.

1.5 Document structure

The document begins with this introductory chapter and continues with Chapter 2, which describes the characteristics of information security. Chapter 3 addresses execution of the action plan; it contains the most important proposed measures that require decisions by the government, as well as proposals for how the action plan is to be administered. Chapters 4 through 9 cover the various subject areas (such as competence supply), each divided into subsections (research, for example). Each subsection consists of background information, a description of objectives and the proposed measures.

2 Information security in Sweden

Information security embraces all of society and is therefore a concern for all. Information security is about trust: the objective is that all parties in society are able to trust the information systems. Information security contributes to IT development in society progressing with high quality, and is a supporting factor for improving the quality of societal functions. It ultimately concerns the protection of a large number of values and objectives in society, such as democracy, personal integrity, growth, and economic and political stability. Due to the increasing use of IT in society, information security is a prerequisite for new phenomena in society, such as electronic government administration. Good civil information security promotes:

- Society's efficiency and quality in information handling
- Profitability and growth of trade and industry
- Society's suppression of crime and preparedness for serious disturbances and emergencies
- Citizens' freedoms and rights, as well as personal integrity
- Citizens' and organizations' trust in information handling and IT systems

2.1 Threats to and vulnerabilities of the information society

A development is underway in society in which information handling is increasingly conducted with the aid of IT. This increased dependency also entails increased risks for individuals and organizations. There is also a distinct increase in information security-related threats, such as unauthorized access to computer systems, fraud and the spread of malicious code. The entities behind such actions include organized crime, terrorists and national governments. Deficiencies in information systems can also have an impact on physical assets. Damage to critical infrastructure can have disastrous consequences. Incidents that lead to the incapacitation or destruction of such systems and assets can lead to serious crises that affect financial systems, public health, national security or combinations of these.

Deficiencies in information handling weaken trust in the services concerned and in the entities responsible for them, and can therefore jeopardize those entities' operations and the use of their services. Serious and recurring disturbances can lead to crises of confidence that spread to other entities and services, and even to other sectors. For example, weakened trust in Internet banks can spread to other sectors of society that offer Internet-based services.

2.2 Aspects of information security

To achieve good information security in Sweden, special consideration must be given to the following aspects:

- Holistic view on information security
- Standardization
- Competence and awareness
- Collaboration
- Resources
- Rules and regulations

2.2.1 Holistic view on information security

Information security is a complex and cross-border field that embraces, among other things, technology, administration, economics and law. Efforts to improve information security in organizations and at the national level must take all of these fields into account. Protective measures should aim both to create more robust information handling under normal societal conditions and to deal with more serious disturbances and emergencies. Good everyday security often goes hand in hand with good preparedness for more serious incidents: good internal control of operations, competence in information security and good collaboration constitute the foundation for good operative capability in an emergency. A comprehensive view is required that is sector-comprehensive and cross-sectoral, going beyond what is handled by the respective sectors. Based on this broad view of information security, the action plan is intended to contribute to IT and information handling in society being developed further in an assured and secure manner that strengthens capabilities both under normal conditions and during emergencies. The measures in this action plan therefore link these two levels together in a variety of ways.

2.2.2 Standardization

An important aspect of security-raising measures is that efforts are based on proven technologies and methodologies. Standards offer organizations the opportunity to implement something that is proven and based on experience, creating the prerequisites for improved security. Applying a standard means adapting something well thought out to one's own needs. Large-scale benefits are gained when many use the same solutions, and time-consuming service and product development becomes faster, easier and cheaper when the frameworks to be applied are known in advance. The spread of standards simplifies training, which in turn improves the range of competence. Standards also increase transparency between organizations, which facilitates the specification of requirements and the assessment of security levels for products, systems and entire organizations.

2.2.3 Competence and awareness

IT usage has become an integrated part of most organizations and of society in general. Deficiencies in competence lead to vulnerabilities, and the need for knowledge is therefore substantial. A variety of initiatives are consequently needed in society, in the form of information, training and practical exercises, with the objective of eventually creating an information security culture. Investment in training must be made in organizations and in the educational system, and efforts should be made to increase information security awareness in society as a whole, for example by supporting general education in the field.

2.2.4 Collaboration

Because of the complexity, cross-border character and rapid pace of development of information security, effective information sharing and collaboration are necessary to achieve good results. This concerns collaboration between entities in Sweden, such as authorities at the national, county and municipal levels, trade and industry and interest groups, as well as international collaboration. Good collaboration in civil information security is important under normal conditions and a necessity for creating good operative capability during emergencies.

2.2.5 Resources

To succeed in achieving secure and assured information handling in society, resources must be put into information security. Security aspects are not to be seen as an extra burden, but as a self-evident investment in achieving the intended function and quality. Investments in information handling are often made to make societal services more efficient and rational. It is therefore reasonable that a portion of the savings is invested in attaining quality and robustness through increased security efforts. The cost of integrating and improving security should always be compared with the cost of not doing so.

2.2.6 Rules and regulations

A requirement for good civil information security is that there are rules applicable to current information handling. Legislation is necessary to achieve this. It should be generic and technology-independent so as to remain applicable in the long term, even during periods of rapid technical development.


19 3 Execution The proposed measures submitted in this action plan address information and responsibilities, time allocations and cost estimates in the field of information security, and embrace all of society, during both normal conditions and emergencies. The execution phase will involve many entities that independently or jointly carry out the measures. The specified allocations of responsibility refer to the entity or entities that are to assume responsibility for execution of each of the proposed measures. The starting point for execution of that which is specified in the action plan is based on the responsibility principle. Furthermore, the times allotted for the various proposed measures vary. Time allocations are specified within the framework of the year during which a measure should be initiated or the period during which a measure is scheduled for execution, varying from one to five years. The action plan contains 47 proposed measures that should be realized during a five-year period. Some can be carried out immediately and at low cost, while others can only be carried out on the long-term and involve major costs. A cost estimate is specified for each of the proposed measures. Cost estimates are indicated with the following categorization: Cost neutral: Negligible costs or costs that are encompassed by an agency's ordinary operations Minor: Under SEK 5 million Moderate: SEK 5 10 million Major: Over SEK 10 million The costs for the proposed measures are estimated on a yearly basis for each concerned agency. 3.1 Adoption of proposed measures The action plan consists of a total of 47 proposed measures. The measures that are deemed as especially important and comprehensive are described in this section. In other sections, a number of other measures are presented that are also deemed as important to implement. 
SEMA suggests that the government adopt the following: Proposed Measure 4: Survey of legislation in the field of information security (Chapter 4) The government should commission an investigating body to conduct full survey of improvements that concern the field of information security. Costs: The proposed measure entails moderate costs. Time: Should begin during 2008 Responsibility: Government investigation (SOU) 19

20 Proposed Measure 5: Right to issue regulations in the field of information security (Chapter 4) The government should authorize MSB to issue regulations and general advice so that government agencies are able to satisfy fundamental and special additional requirements for information security. The proposed measure for authorization is presented in Appendix 2. Costs: The proposed measure entails low to moderate costs. Time: During 2009 Responsibility: The government Proposed Measure 6: Agency top management s formal assumption of responsibility for dealing with information security risks (Chapter 5) The government should make the decision to require government agencies to specify in their annual reports, the ways in which the applicable demands for information security have been fulfilled. Costs: The proposed measure is cost neutral Time: During 2009 Responsibility: All agencies Proposed Measure 16: National knowledge center for information security (Chapter 6) The government should commission MSB to investigate in detail, how a national knowledge center for information security can be established. The purpose of the knowledge center would be to increase and coordinate professional knowledge development, and to constitute a center of expertise in the field. The knowledge center can be organized in the form of a foundation with a steering group that includes concerned parties from the government, trade and industry and academia. The center can be partially financed through government subventions. Costs: The proposed measure entails low costs. 
Time: During 2009 Responsibility: MSB in collaboration with trade and industry, and universities and colleges Proposed Measure 26: Operative national collaboration (Chapter 7) The government should commission SEMA and the concerned agencies to submit information to the government about how one can create an administrative and technical infrastructure for information sharing and responses within information security for all of society. The proposed measure should embrace joint knowledge sharing, a joint situational awareness function and the operative capacity to deal with extensive IT incidents. The organization is to operate under both normal conditions and during emergencies. Costs: The proposed measure entails low costs. Time: Should begin during 2008 Responsibility: SEMA in collaboration with concerned agencies, and trade and industry 20

Proposed Measure 28: Mandatory incident reporting (Chapter 7)
The government should require that government agencies report information-related incidents, with the exception of the types of incidents that are exempted by legislation. Requirements for immediate reporting would apply to larger incidents that produced or could have produced serious consequences. Also see Proposed Measure 26.
Costs: The proposed measure entails low costs.
Time: Should begin during 2010
Responsibility: All government agencies

Proposed Measure 29: Development of the capacity to prevent and suppress IT-related criminality (Chapter 7)
The government should allocate special funds to the Swedish National Police Board for development of the capacity to prevent and suppress IT-related criminality.
Costs: The proposed measure entails moderate to high costs.
Time: Should begin during 2009
Responsibility: The government

Proposed Measure 36: Establishment of forum for collaboration within the framework of EPCIP (Chapter 7)
The government should commission MSB, with the support of PTS and prior to Sweden's chairmanship of the EU in the fall of 2009, to develop an EU forum for sector-comprehensive collaboration in information security and protection of critical information infrastructures. Such a forum should be based on existing EPCIP collaboration (European Programme for Critical Infrastructure Protection).
Costs: The proposed measure entails low costs.
Time: Should begin during 2009
Responsibility: MSB with support of PTS

Proposed Measure 47: Government-coordinated initiative for security of digital control systems in critical societal functions (Chapter 9)
The government should commission MSB to conduct a government program for security of digital control systems. The intention of such an initiative is to create an improved national capability to prevent and deal with disturbances in the information and communications systems that are used for regulation, monitoring and control of critical societal functions.
Costs: The proposed measure entails high costs.
Time:
Responsibility: MSB in collaboration with concerned government agencies, and trade and industry

3.2 Administration of the action plan

Background information
Included in administration is follow-up of how the proposed measures are being executed, and revision of the action plan and putting it into concrete form based on needs and changed conditions. In this way, the action plan can be constantly adapted based on societal developments. The action plan should be updated on an annual basis, beginning in
Administration of the action plan should be conducted in broad collaboration with societal entities, in a similar manner as when the plan was prepared. Updated versions of the action plan should be submitted to the government in conjunction with the situational assessment that is currently prepared by SEMA. A clear connection is thus attained between threats, vulnerabilities and trends, and the proposed measures to counteract them.

In conjunction with revision of the action plan for 2009, the national strategy should also be updated. Because of the large number of events that have occurred in the field of information security in recent times, a new strategy should be formulated. Once an updated strategy has been formulated, it should be revised in a cycle of three to five years.

Proposed measures

Administration objective
The overall objective of administration is to attain a continual process in which both the strategy and action plan are updated on a regular basis.

Proposed Measure 1: Administration of the action plan during 2008
The government should commission SEMA in collaboration with the concerned government agencies to administer the action plan until December 31,
Costs: The proposed measure is cost neutral.
Time: During 2008
Responsibility: SEMA in collaboration with concerned government agencies

Proposed Measure 2: Continued administration of the action plan
The government should commission MSB to administer the action plan beginning in 2009 and to annually report how implementation of the proposed measures is progressing, as well as needs for new measures. Administration of the action plan should be conducted in collaboration with societal entities.
Costs: The proposed measure entails low costs.
Time: Should begin during 2009
Responsibility: MSB in collaboration with concerned government agencies

Proposed Measure 3: Strategy updates
The government should commission MSB to submit proposals for updating the national strategy based on current societal developments. Once the strategy has been formulated, it should thereafter be updated in a cycle of three to five years.
Costs: The proposed measure entails moderate costs.
Time: 2009
Responsibility: MSB in collaboration with concerned government agencies

4 Legislative review and authorization to issue regulations

4.1 Background information
Rapid developments in the field of information security during recent years have entailed that legislation that concerns information security must be adapted accordingly. It is difficult to achieve good information security on the comprehensive societal level in Sweden without the support of legislation that is adapted as much as possible to current forms of information handling. The regulations that are created in the field of information security should be generic and technology-independent so as not to become quickly obsolete.

Information security has connections to a large number of legal areas, including public administration, accountability, archiving, personal information handling, national security, defense against terrorism, electronic communications and emergency preparedness. In the Commission on Information Security's report Secure information: proposals on information security policy (SOU 2005:42, Page 229), it is maintained that legislative changes are necessary (see Appendix 2). Widened, more cohesive and all-embracing rules and regulations are needed that correspond to the wider definition of the information security concept that is presented in the report. In conformity with the investigators' perception, SEMA is of the opinion that the government should commission an investigation to conduct the extensive and thorough analysis needed to carry out such a legislative review.

There is currently no government agency with the authority to issue regulations and recommendations for information security on a comprehensive and strategic level. It was suggested in the Commission on Information Security's report (SOU 2005:42, beginning on Page 33) that the government should appoint an agency with authorization to issue regulations on administrative and technical measures for satisfying the fundamental and special requirements of information security at government agencies.
In the government bill for stronger emergency preparedness (Bill 2007/08:92) it is stated that the government intends to grant authorization to MSB to issue general regulations.

In specific regard to security legislation and security enactments, the following needs for updating can be identified. The current legislation's strong connection to the Official Secrets Act and its orientation to the concept of national security entail that some legal entities are only encompassed by security legislation to a certain extent and that security protection for defense against terrorism is limited. Another issue that has been identified in the application of security legislation is the outdated description of what is worth protecting in a modern society. It has been shown that many organizations worthy of protection configure their security protection and information security in terms of preparedness planning and thus do not satisfy the requirements for reasonable security. The legislation should have a simpler structure and a modern view of vulnerability and what is worth protecting in society. The provisions shall ensure good security protection and information security, regardless of whether activities are conducted by the public sector or by private parties.

4.2 Proposed measures

Objectives for legislative matters
Swedish legislation shall be harmonized with developments in IT and information security. An agency shall be authorized to issue regulations concerning fundamental and special requirements for government agencies' administrative and technical information security.

Proposed Measure 4: Survey of legislation in the field of information security
The government should commission an investigating body to conduct a full survey of legislation that concerns the field of information security.
Costs: The proposed measure entails moderate costs.
Time: Should begin during 2008
Responsibility: Government investigation (SOU)

Proposed Measure 5: Authorization to issue regulations in the field of information security
The government should authorize MSB to issue regulations and general advice so that government agencies are able to satisfy fundamental and special additional requirements for information security. The proposal for authorization is presented in Appendix 2.
Costs: The proposed measure entails low to moderate costs.
Time: During 2009
Responsibility: The government

5 Information security in organizations

Information handling occurs in all segments of society, and information security in Sweden is consequently dependent on a large number of entities. Authorities on the national, county and municipal levels, businesses and other organizations handle information that is more or less confidential and critical in respect to integrity and availability. Having good information security is an important internal matter for most organizations in satisfying their quality and efficiency requirements.

At the same time, information security cannot be considered solely as an internal matter for organizations. Flows of services and products move along several paths. Deficient information security can have consequences far beyond the boundaries of an organization. It is ultimately a matter of establishing and maintaining trust in the entire information society and its services. Problems with trust that affect an organization can, via the branch or sector, spread to other segments of society.

It is important to point out that information security relates to an organization's quality. Improving information security does not just entail satisfying external requirements, but rather improving the actual organization. Having good information security must therefore be seen as a quality aspect, a way of achieving good internal control, order and tidiness. Good information security constitutes a prerequisite for several different IT-based services that can provide cost savings or generate revenue for an organization.
To achieve good information security in organizations that are especially worthy of protection (such as those for national security and defense against terrorism), there are requirements in the Security Protection Ordinance (1996:633) stipulating that these organizations shall undergo a security analysis so as to establish appropriate security protection (information security, physical security and protection against insiders) for the operations worthy of protection. There are, however, no expressed requirements relating to the intervals at which security analyses are to be conducted. With consideration to the rapid development at organizations worthy of protection, it is important that in the future there are requirements stipulating security analyses on a yearly basis.

5.1 Information security responsibility

Background information
As mentioned above, information security should be considered as a quality aspect. Achieving the requisite level of information security is therefore a part of each organization's responsibility and should be considered as an integrated part of organizational quality and security work. Several reports, however, have indicated that agencies' top management sometimes have difficulty in handling this responsibility. This can be due to the field being relatively new and that sufficient knowledge is still lacking. There can also be a tendency for agencies' top management to consider information security matters as something that only concerns IT departments.

It should be further stressed that information security must be integrated into organizations' quality and efficiency requirements and be a self-evident part of organizational responsibility. Technology shifts such as the transition from analog to IP telephony, or other changes involving other extensive investments, should be preceded by continuity planning, risk and vulnerability analyses and security analyses so as to gain an understanding of what the changes entail for the organization and to produce the appropriate requirement specifications.

Some of the problems that can arise during technology shifts can be attributed to deficiencies in setting requirements and in buyer competence. It is therefore very important that procurements of new technology are conducted in a professional manner. This requires that competence is sufficiently high to specify relevant security requirements. Furthermore, it is important that after implementation, third-party assessments are carried out on a regular basis to ensure that fulfillment of the requirements is maintained. Since the transition to new technology is primarily motivated by economic reasons, it is realistic to require that a portion of the gains achieved from cost-reducing investments is put into such assessments.

Proposed measures

Objectives for information security responsibility
It shall be clearly indicated that information security is a part of organizations' quality criteria. Organizations' top management shall be aware that the responsibility for information security is an aspect of organizational responsibility and ensure that there is a sufficient level of competence in their organizations. Organizations shall be aware of which risks exist for their own organizations and have taken measures to counteract these risks. For organizations especially worthy of protection and that are subject to the Security Protection Ordinance (1996:633), requirements should be established for annual security analyses. These security analyses should put special focus on information security aspects.

Proposed Measure 6: Government agency top management's formal assumption of responsibility for dealing with information security risks
The government should make the decision to require government agencies to specify in their annual reports the ways in which the applicable demands for information security have been fulfilled.
Costs: The proposed measure is cost neutral.
Time: During 2009
Responsibility: All government agencies

Proposed Measure 7: Clarification of information security guidelines for risk and vulnerability analyses
Information and recommendations for risk and vulnerability analyses regarding information security should be clarified in guidelines that are based on the act concerning municipalities' and county councils' measures prior to and during exceptional events in peacetime and during heightened preparedness (2006:544), and the ordinance on emergency preparedness and heightened preparedness (2006:942), which regulate the public sector's risk and vulnerability analyses. The task should be assigned to MSB due to this being something that is currently within SEMA's domain.
Costs: The proposed measure is cost neutral.
Time: During 2009
Responsibility: MSB

Proposed Measure 8: Recommendations for specifying requirements during procurements
Information and recommendations should be prepared for how information security should be considered in conjunction with procurements. Information and recommendations should encompass:
Risk analyses
Continuity planning
Requirement specification during procurement
Third-party assessments
Costs: The proposed measure entails low costs.
Time: Should begin during 2009
Responsibility: FMV and Verva

Proposed Measure 9: Information material for government agencies' top management
Informational materials should be prepared for government agencies' top management that provide an introduction to information security and describe the responsibilities of the agencies' top management in regard to information security.
Costs: The proposed measure is cost neutral.
Time: During 2009
Responsibility: MSB

5.2 Information security management systems

Background information
The information security management system (ISMS) is an aid for how to manage information security in organizations.
The international standard series ISO/IEC is a management system in which the starting point for the level of security is an organization-adapted risk analysis, and in which information security tasks follow a distinct process. Application of the standards in this series facilitates work with information security within organizations and also improves capabilities for externally assessing security and revising it in a uniform manner.

Verva's regulations for the application of information security standards by government agencies (VERVAFS 2007:2) have been in effect since January 1,
The regulations entail mandatory application of the standards ISO/IEC and on the part of government agencies. Although the regulations are limited to government agencies, it should be recommended that other organizations also apply these standards. The long-term objective should be application even by municipalities and county councils, as well as entities in trade and industry that have critical societal functions.

A problem that is often mentioned is that the standards are expensive and can be difficult to implement. This is especially noticeable for smaller organizations and in academic contexts. Supporting materials for work with these standards should therefore be prepared and made available, which will lead to wider adoption and better implementation.

The standard series for an information security management system can be difficult to understand for those who are not familiar with information security. This can lead to communications problems between top management and those responsible for information security. To obtain a better overview of a management system's status, one can create methods for evaluation and measurement. These can then be used during internal evaluations or during internal and external audits. Through a distributed solution, the methods can be used to consolidate the statuses of several organizations. They can also be used inversely, to compare individual organizations' levels with those of other organizations.

Verva motivates its regulations for government agencies' work with secure electronic information exchange with the argument that an organization's internal information security is a prerequisite for secure information exchange between organizations. This also applies to the medical care sector, where critical information is communicated electronically. This is one of the reasons why internal information security in medical care organizations must be regulated in a uniform manner. In common with government agencies, the medical care sector should therefore apply the standards ISO/IEC and
The degree to which these standards should be adapted to the medical care sector, or complemented with guidelines for implementation within the medical care sector, should be examined.

Proposed measures

Objectives for information security management systems
Information security work in organizations shall comply with applicable standards for management systems in the field. Entities and functions in the medical care sector shall have very strong capacity to deal with serious disturbances and emergencies.


FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

Using ISO 15489 as an Audit Tool

Using ISO 15489 as an Audit Tool Using ISO 15489 as an Audit Tool ISO 15489, the first international standard devoted to records management, provides a comprehensive and practical basis for auditing full and partial records management

More information

AUDIT REPORT, SUMMARY. Summary. Vattenfall a competitive leader in energy transition? (RiR 2015:6) SWEDISH NATIONAL AUDIT OFFICE

AUDIT REPORT, SUMMARY. Summary. Vattenfall a competitive leader in energy transition? (RiR 2015:6) SWEDISH NATIONAL AUDIT OFFICE AUDIT REPORT, SUMMARY 1 Summary Vattenfall a competitive leader in energy transition? (RiR 2015:6) SWEDISH NATIONAL AUDIT OFFICE 1 Vattenfall a competitive leader in energy transition? The Swedish National

More information

Help for the Developers of Control System Cyber Security Standards

Help for the Developers of Control System Cyber Security Standards INL/CON-07-13483 PREPRINT Help for the Developers of Control System Cyber Security Standards 54 th International Instrumentation Symposium Robert P. Evans May 2008 This is a preprint of a paper intended

More information

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

Svenska Handelsbanken AB FI Ref. 13-1783 through Chair of Board Service no. 1. Finansinspektionen's decision (to be issued on 19 May 2015 at 08.

Svenska Handelsbanken AB FI Ref. 13-1783 through Chair of Board Service no. 1. Finansinspektionen's decision (to be issued on 19 May 2015 at 08. 18 May 2015 DECISION Svenska Handelsbanken AB FI Ref. 13-1783 through Chair of Board Service no. 1 106 70 STOCKHOLM Remark and administrative fine Finansinspektionen's decision (to be issued on 19 May

More information

December 8, 2011. Security Authorization of Information Systems in Cloud Computing Environments

December 8, 2011. Security Authorization of Information Systems in Cloud Computing Environments December 8, 2011 MEMORANDUM FOR CHIEF INFORMATION OFFICERS FROM: SUBJECT: Steven VanRoekel Federal Chief Information Officer Security Authorization of Information Systems in Cloud Computing Environments

More information

GROUP POLICY TO COMBAT MONEY LAUNDERING AND TERRORIST FINANCING. Anti-Money Laundering Policy

GROUP POLICY TO COMBAT MONEY LAUNDERING AND TERRORIST FINANCING. Anti-Money Laundering Policy PAG. 1 DI 37 GROUP POLICY TO COMBAT MONEY LAUNDERING AND TERRORIST FINANCING Anti-Money Laundering Policy MACROPROCESS PROCESS TITLE DATE OF UPDATE PROTOCOL NO. 6 INTERNAL AND DEVELOPMENT PROCESSES 6.02

More information

Effective Use of Assessments for Cyber Security Risk Mitigation

Effective Use of Assessments for Cyber Security Risk Mitigation White Paper Effective Use of Assessments for Cyber Security Risk Mitigation Executive Summary Managing risk related to cyber security vulnerabilities is a requirement for today s modern systems that use

More information

The new 27000 Family of Standards & ISO/IEC 27001

The new 27000 Family of Standards & ISO/IEC 27001 ISO/IEC 27000 Family of Standards by Dr. Angelika Plate 07-09 June 2011, Beirut, Lebanon June 2011 The new 27000 Family of Standards & ISO/IEC 27001 June 2011 ISO/IEC 27000 Family of Standards 2 The new

More information

Guideline on risk management and other aspects of internal control in central securities depository

Guideline on risk management and other aspects of internal control in central securities depository until further notice 1 (11) Applicable to central securities depositories Guideline on risk management and other aspects of internal control in central securities depository By virtue of section 4, paragraph

More information

ISMS Implementation Guide

ISMS Implementation Guide atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: 512-615-7300 Fax: 512-615-7301 www.atsec.com ISMS Implementation Guide atsec information security ISMS Implementation

More information

Securing the Microsoft Cloud

Securing the Microsoft Cloud Securing the Microsoft Cloud Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and consumers to fully embrace and benefit from

More information

Security Management Systems (SEMS) for Air Transport Operators. Executive Summary

Security Management Systems (SEMS) for Air Transport Operators. Executive Summary Security Management Systems (SEMS) for Air Transport Operators Executive Summary March 2011 Security Management Systems (SeMS) for Air Transport Operators Introduction and Scope Executive Summary In early

More information

Emergency Management and Business Continuity Policy

Emergency Management and Business Continuity Policy www.surreycc.gov.uk Making Surrey a better place Emergency Management and Business Continuity Policy 4 TH EDITION June 2011 Title Emergency Management and Business Continuity Policy Version 4.0 Policy

More information

Legislative Council Panel on Information Technology and Broadcasting. Information Security

Legislative Council Panel on Information Technology and Broadcasting. Information Security For Information on 8 July 2013 LC Paper No. CB(4)834/12-13(05) Legislative Council Panel on Information Technology and Broadcasting Information Security Purpose This paper updates Members on the latest

More information

INFORMATION PROCEDURE

INFORMATION PROCEDURE INFORMATION PROCEDURE Information Security Awareness and Training Procedures Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 INFORMATION SECURITY AWARENESS AND

More information

The definitions of Article 2 might be misleading, especially for the definition of public spaces.

The definitions of Article 2 might be misleading, especially for the definition of public spaces. APRIL 2008 Position on European Commission consultation on "Draft Recommendation on the implementation of privacy, data protection and information security principles in applications supported by Radio

More information

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments. Security solutions White paper Acquire a global view of your organization s security state: the importance of security assessments. April 2007 2 Contents 2 Overview 3 Why conduct security assessments?

More information

Corporate Policy. Data Protection for Data of Customers & Partners.

Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

More information

defense through discovery

defense through discovery defense through discovery about krypton krypton is an advisory and consulting services firm, specialized in the domain of information technology (it) and it-related security krypton is a partnership amongst

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Finansinspektionen s Regulatory Code

Finansinspektionen s Regulatory Code Finansinspektionen s Regulatory Code Publisher: Finansinspektionen, Sweden, www.fi.se ISSN 1102-7460 This translation is furnished for information purposes only and is not itself a legal document. Finansinspektionen's

More information

Guideline on risk management and other aspects of internal control in stock exchange

Guideline on risk management and other aspects of internal control in stock exchange until further notice 1 (11) Applicable to stock exchanges Guideline on risk management and other aspects of internal control in stock exchange By virtue of section 4, paragraph 2, of the Act on the Financial

More information

An Overview of ISO/IEC 27000 family of Information Security Management System Standards

An Overview of ISO/IEC 27000 family of Information Security Management System Standards What is ISO/IEC 27001? The ISO/IEC 27001 standard, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is known as Information

More information

Guideline on good pharmacovigilance practices (GVP)

Guideline on good pharmacovigilance practices (GVP) 1 2 20 February 2012 EMA/541760/2011 3 4 Guideline on good pharmacovigilance practices (GVP) Module I Pharmacovigilance systems and their quality systems Draft finalised by the Agency in collaboration

More information

Presidency of the Council of Ministers THE NATIONAL PLAN FOR CYBERSPACE PROTECTION AND ICT SECURITY

Presidency of the Council of Ministers THE NATIONAL PLAN FOR CYBERSPACE PROTECTION AND ICT SECURITY Presidency of the Council of Ministers THE NATIONAL PLAN FOR CYBERSPACE PROTECTION AND ICT SECURITY December 2013 Presidency of the Council of Ministers THE NATIONAL PLAN FOR CYBERSPACE PROTECTION AND

More information

Security Control Standard

Security Control Standard Security Standard The security and risk management baseline for the lottery sector worldwide Updated by the WLA Security and Risk Management Committee V1.0, November 2006 The WLA Security Standard is the

More information

ISO 27000 Information Security Management Systems Foundation

ISO 27000 Information Security Management Systems Foundation ISO 27000 Information Security Management Systems Foundation Professional Certifications Sample Questions Sample Questions 1. is one of the industry standards/best practices in Service Management and Quality

More information

April 28, 2014. Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC

April 28, 2014. Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC April 28, 2014 Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC RE: Information Technology Sector Coordinating Council (IT SCC)

More information

DECLARATION AND PLAN OF ACTION ON DRUG CONTROL ABUSE AND ILLICIT DRUG TRAFFICKING IN AFRICA

DECLARATION AND PLAN OF ACTION ON DRUG CONTROL ABUSE AND ILLICIT DRUG TRAFFICKING IN AFRICA AHG/Decl.2 (XXXII) 32 nd OAU Summit DECLARATION AND PLAN OF ACTION ON DRUG CONTROL ABUSE AND ILLICIT DRUG TRAFFICKING IN AFRICA The features of the Plan of Action elaborated herewith comprise five sections

More information

Governance and Management of Information Security

Governance and Management of Information Security Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information

More information

MEHARI 2010 Information risk management method ISO/IEC 27005 compliant

MEHARI 2010 Information risk management method ISO/IEC 27005 compliant MEHARI 2010 Information risk management method ISO/IEC 27005 compliant Exceeding the basic guidelines of the standard allows for a real management of risk. Février 2011 Risk Management using ISO 27005

More information

Network Security: Policies and Guidelines for Effective Network Management

Network Security: Policies and Guidelines for Effective Network Management Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com

More information

Icelandic National Cyber Security Strategy 2015 2026 Plan of action 2015 2018

Icelandic National Cyber Security Strategy 2015 2026 Plan of action 2015 2018 Icelandic National Cyber Security Strategy 2015 2026 Plan of action 2015 2018 Summary in English of the Icelandic National Cyber Security Strategy approved by the Minister of the Interior in April 2015

More information

The Crisis Management System in Germany

The Crisis Management System in Germany The Crisis Management System in Germany www.bmi.bund.de Last update: January 2010 Contents Preliminary remarks... 5 1. Background... 5 2. Legal framework... 8 3. Crisis management at the federal level..

More information

General Syllabus for Ph.D. Studies in Political Science at Stockholm University (this is a translation of the original document in Swedish)

General Syllabus for Ph.D. Studies in Political Science at Stockholm University (this is a translation of the original document in Swedish) General Syllabus for Ph.D. Studies in Political Science at Stockholm University (this is a translation of the original document in Swedish) Adopted by the Faculty of Social Sciences on 3 April 2012, Revised

More information

Update on U.S. Critical Infrastructure and Cybersecurity Initiatives

Update on U.S. Critical Infrastructure and Cybersecurity Initiatives Update on U.S. Critical Infrastructure and Cybersecurity Initiatives Presented to Information Security Now! Seminar Helsinki, Finland May 8, 2013 MARK E. SMITH Assistant Director International Security

More information

FISMA Implementation Project

FISMA Implementation Project FISMA Implementation Project The Associated Security Standards and Guidelines Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive environment

More information

Summary. Remit and points of departure

Summary. Remit and points of departure Summary The digital society and the digital economy are already here. Digitalisation means that it is becoming natural for people, organisations and things to communicate digitally. This changes how we

More information

Information Security Management System Policy

Information Security Management System Policy Information Security Management System Policy Public Version 3.3 Issued Document Name Owner P079A ISMS Security Policy Information Security Security Policies, Standards and Procedures emanate from the

More information

Information Security Management Systems

Information Security Management Systems Information Security Management Systems Øivind Høiem CISA, CRISC, ISO27001 Lead Implementer Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector

More information

Danish Emergency Management Agency. Crisis Management in Denmark

Danish Emergency Management Agency. Crisis Management in Denmark Danish Emergency Management Agency Crisis Management in Denmark 1 Crisis Management in Denmark Published by: Danish Emergency Management Agency Datavej 16 3460 Birkerød Phone: +45 45 90 60 00 Fax: +45

More information

Swedish NAO s audit of Electronic Invoice Handling

Swedish NAO s audit of Electronic Invoice Handling SWEDEN Swedish NAO s audit of Electronic Invoice Handling There is always an increased risk of problems when agencies implement a switch over of important IT Systems. The Swedish NAO reports in their audit

More information

PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM

PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM Don Dickinson Phoenix Contact USA P.O. Box 4100 Harrisburg, PA 17111 ABSTRACT Presidential Executive Order 13636 Improving

More information

Alternative report from UNICEF Sweden re. the UPR process re. Sweden

Alternative report from UNICEF Sweden re. the UPR process re. Sweden To The Human rights council Geneva Stockholm 13 June 2014 Alternative report from UNICEF Sweden re. the UPR process re. Sweden Introduction This is a comment to the coming Universal Periodic Review (UPR)

More information

Improving self-regulation through (law-based) Corporate Data Protection Officials *

Improving self-regulation through (law-based) Corporate Data Protection Officials * Improving self-regulation through (law-based) Corporate Data Protection Officials * Article by Christoph Klug ** The rise of globalization and multinational corporations is creating a pressing need for

More information

An organization properly establishes and operates its control over risks regarding the information system to fulfill the following objectives:

An organization properly establishes and operates its control over risks regarding the information system to fulfill the following objectives: p. 1 System Management Standards Proposed on October 8, 2004 Preface Today, the information system of an organization works as an important infrastructure of the organization to implement its management

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems

CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems Date(s) of Evaluation: CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems Assessor(s) & Observer(s): Organization: Area/Field

More information

Information Security Managing The Risk

Information Security Managing The Risk Information Technology Capability Maturity Model Information Security Managing The Risk Introduction Information Security continues to be business critical and is increasingly complex to manage for the

More information

Polish Financial Supervision Authority. Guidelines

Polish Financial Supervision Authority. Guidelines Polish Financial Supervision Authority Guidelines on the Management of Information Technology and ICT Environment Security for Insurance and Reinsurance Undertakings Warsaw, 16 December 2014 Table of Contents

More information

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Management System for Microsoft s Cloud Infrastructure Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System

More information

Honourable members of the National Parliaments of the EU member states and candidate countries,

Honourable members of the National Parliaments of the EU member states and candidate countries, Speech by Mr Rudolf Peter ROY, Head of division for Security Policy and Sanctions of the European External Action Service, at the L COSAC Meeting 29 October 2013, Vilnius Honourable members of the National

More information

Outsourcing and Information Security

Outsourcing and Information Security IBM Global Technology Services Outsourcing and Information Security Preparation is the Key However ultimately accountability cannot be outsourced February 2009 page 2 1. Introduction 3 1.1 Reason for outsourcing

More information

Code of Practice on Electronic Invoicing in Europe

Code of Practice on Electronic Invoicing in Europe Code of Practice on Electronic Invoicing in Europe 24 th March 2009 Version 0.17 Approved by Expert Group Plenary on 24 th March 2009 This Code of Practice on Electronic Invoicing in Europe is recommended

More information