STANDARDISATION IN E-ARCHIVING

Transcription

1 STANDARDISATION IN E-ARCHIVING R E Q U I R E M E N T S A N D C O N T R O L S F O R D I G I T I S AT I O N A N D E - A R C H I V I N G S E R V I C E P R O V I D E R S Alain Wahl 1

2 Requirements and cntrls fr qualified PSDCs OBJECTIVES OF THIS PRESENTATION Understand what infrmatin security is Understand what an Infrmatin Security Management System (ISMS) is Understand what are the activities f risk assessment and risk treatment Understand what infrmatin security cntrls are 2

3 Requirements and cntrls fr qualified PSDCs SUMMARY Intrductin Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 f the law f 25 July 2015 n electrnic archiving Infrmatin Security Management System (ISMS) Infrmatin Security Risk Management Infrmatin Security Cntrls 3

4 Requirements and cntrls fr qualified PSDCs SUMMARY Intrductin Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 f the law f 25 July 2015 n electrnic archiving Infrmatin Security Management System (ISMS) Infrmatin Security Risk Management Infrmatin Security Cntrls 4

5 Requirements and cntrls fr qualified PSDCs INTRODUCTION Infrmatin Security Management System (ISMS) Infrmatin security needs gd management Gd prcesses Gd technlgy 5

6 Requirements and cntrls fr qualified PSDCs INTRODUCTION 6

7 Requirements and cntrls fr qualified PSDCs INTRODUCTION Infrmatin Security Management System (ISMS) Objectives Reduce the number f incidents Reduce the impact f incidents Learn frm wn and thers experience 7

8 Requirements and cntrls fr qualified PSDCs INTRODUCTION Infrmatin Security Management System (ISMS) Bruce Schneier: Security is a chain: it is as strng as its weakest link Kevind Mitnick: Peple are the weakest link. 8

9 Requirements and cntrls fr qualified PSDCs SUMMARY Intrductin Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 f the law f 25 July 2015 n electrnic archiving Infrmatin Security Management System (ISMS) Infrmatin Security Risk Management Infrmatin Security Cntrls 9

10 Digital trust and e-archiving SUPERVISION SCHEME FOR QUALIFIED PSDC Trusted list Eurpean cperatin fr Accreditatin (EA) Internatinal Accreditatin Frum (IAF) Supervisin status ILNAS (Natinal Supervisry Bdy) Assessment & supervisin cnclusins Digitisatin Electrnic archiving Organisatin Ntificatin fr supervisin Assessment reprt Natinal Accreditatin Bdy (OLAS) Accredited Cnfrmity Assessment Bdy (CAB) Accreditatin against ETSI EN Assessrs Cnfrmity assessment (audit) against the grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 10

11 Requirements and cntrls fr qualified PSDCs SUMMARY Intrductin Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 f the law f 25 July 2015 n electrnic archiving Infrmatin Security Management System (ISMS) Infrmatin Security Risk Management Infrmatin Security Cntrls 11

12 Requirements and cntrls fr qualified PSDCs Requirements and cntrls fr certifying digitizatin r e-archiving service prviders Unique reference cntaining all the cnditins fr btaining the qualified PSDC status Based n internatinal standards ISO/IEC 27001:2013 ISO/IEC 27002:2013 ISO 30301:2011 Published in the Mémrial A N 150 f 4 August 2015 ( 12

13 Requirements and cntrls fr qualified PSDCs General cncepts Descriptin f the digitizatin and e-archiving prcesses Security framewrk Infrmatin Security Management System (ISMS) Based n ISO/IEC 27001:2013 Cmplements related t the digitisatin prcess Cmplements related t the e-archiving prcess Objectives and cntrls related t the security management and the peratinal management Based n ISO/IEC 27002:2013 Cmplements related t the digitisatin prcess Cmplements related t the e-archiving prcess Appendixes 13

14 Requirements and cntrls fr qualified PSDCs Digitisatin prcess 14

15 Requirements and cntrls fr qualified PSDCs Preservatin prcess 15

16 Requirements and cntrls fr qualified PSDCs SUMMARY Intrductin Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 f the law f 25 July 2015 n electrnic archiving Infrmatin Security Management System (ISMS) Infrmatin Security Risk Management Infrmatin Security Cntrls 16

17 Requirements and cntrls fr qualified PSDCs Infrmatin Security Management System (ISMS) Management f the Infrmatin Security Cnfidentiality, Integrity, Availability, Nn-repudiatin Management system Set f prcedures an rganisatin shall apply in rder t reach its bjectives Systemizing f the rganisatin in its way f perating Define, implement, maintain and imprve an ISMS In rder t manage the risks related t the prcesses f digitizatin and e-archiving Qualified PSDCs shall respect all the infrmatin security requirements specified in : The internatinal standard ISO/IEC 27001:2013 The clause 6 f the appendix f the grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1, cmpleting the requirements 17

18 Requirements and cntrls fr qualified PSDCs Infrmatin Security Management System (ISMS) Applicable t any rganisatin Small r big, fr any prduct r service, fr any sectr Everyne is cncerned within the scpe f the standard Cntinual imprvement An rganisatin r a cmpany evaluates its situatin, determines bjectives and creates a strategy, invests actins t achieve these bjectives, then evaluates the results and adapts the prcesses t imprve (PDCA) Assessable Smene may assess that there is n gap between the standard and the management system Dcumentatin transitin frm ral traditin t scriptural traditin Cnfrmity assessment Prvides trust t stakehlders 18

19 Requirements and cntrls fr qualified PSDCs Infrmatin Security Management System (ISMS) Security cntrls Organisatinal and technical setting allwing t reduce ne r several security risks Reducing vulnerability f the assets Reducing impact f incidents Prevent and anticipate threats Final aim f the discipline: Security f infrmatin system Management f security cntrls Wh is ding what? When? Hw? These cntrls are they: Dcumented? Apprpriate and prprtinal? Efficient? 19

20 Requirements and cntrls fr qualified PSDCs Infrmatin Security Management System (ISMS) Management f cnfrmity D I knw the applicable requirements: Legal and regulatry Cntractual Am I able t listen them in terms f: Security cntrls? Security needs? 20

21 Requirements and cntrls fr qualified PSDCs Infrmatin Security Management System (ISMS) Risk Management Which events n the infrmatin system culd harm my infrmatin and my cre business prcesses? D I knw cntrls t reduce the risk f these events r t reduce the cnsequences? D I invest the resurces needed fr the risk management? Management f incidents D I identify events harming security f my infrmatin prcesses? D I establish the needed resurces: T minimise the cnsequences? T insure business cntinuity? D I learn frm my incidents? 21

22 Requirements and cntrls fr qualified PSDCs Infrmatin Security Management System (ISMS) Security plicy Are my management prcesses applicable t all my activities? Are my activities crdinated? Is my leadership invlved in the security management? Des my security management imprve? 22

23 Requirements and cntrls fr qualified PSDCs Infrmatin Security Management System (ISMS) 6.1 General requirements ISMS in accrdance with all the requirements specified in ISO/IEC Cntext f the rganizatin Understand the rganisatin and its cntext Understand the needs and expectatins f the stakehlders Define the scpe f the ISMS 6.3 Leadership invlvement fr the ISMS Infrmatin security plicy with bjectives shall be defined Necessary resurces are available ISMS achieves given gals Guarantee f cntinued perfrmance, in case f cessatin f activity 23

24 Requirements and cntrls fr qualified PSDCs Infrmatin Security Management System (ISMS) 6.4 Planning the ISMS The management shall establish a Security plicy (bjectives, cmmitment f the management, imprvement) Plicy Risk evaluatin Statement f Applicability (SA) including cntrls f ISO/IEC 27002:2013 Cntrls can nly be excluded if n risks r belw level f risk acceptance Risk Evaluatin Risk Treatment Plan Any exclusin shall be dcumented and justified in SA SA 24

25 Requirements and cntrls fr qualified PSDCs Infrmatin Security Management System (ISMS) 6.5 Evaluatin f the perfrmance f the ISMS Internal audit, impartiality f auditrs Review at least nce a year r in case f majr changes The Results f risk analysis The financial stability f the rganizatin Management review 6.6 Imprvement Nn-cnfrmity and crrective actin React t nn-cnfrmities crrective actins management f cnsequences Evaluate the need t eliminate causes f nn-cnfrmity Establish actins and changes t ISMS if needed Check effectiveness f crrective actins Dcumentatin 25

26 Requirements and cntrls fr qualified PSDCs SUMMARY Intrductin Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 f the law f 25 July 2015 n electrnic archiving Infrmatin Security Management System (ISMS) Infrmatin Security Risk Management Infrmatin Security Cntrls 26

27 Requirements and cntrls fr qualified PSDCs Infrmatin Security Risk Management What is a risk? Effect f uncertainty n bjectives An effect is a deviatin frm the expected psitive r negative (in infrmatin security we deal with negative effects) Risk is ften characterized by reference t ptential events and cnsequences, r a cmbinatin f these. Infrmatin security risk is assciated with the ptential that threats will explit vulnerabilities f an infrmatin asset r grup f infrmatin assets and thereby cause harm t an rganizatin. 27

28 Requirements and cntrls fr qualified PSDCs Infrmatin Security Risk Management Risk assessment Establish the cntext and the scpe Risk Identificatin Risk Analysis Risk Evaluatin Risk Treatment Mnitring 28

29 Requirements and cntrls fr qualified PSDCs Infrmatin Security Risk Management Infrmatin security risk assessment Identify the risks: threats Examples: Virus intrusin Fire Spying Overlad f infrmatin netwrk Crruptin f the data, vilatin f user rights Vulnerabilities: Missing f daily update Prtable database Plicy f easy passwrd Light internet netwrk security ISO/IEC 27005:

30 Requirements and cntrls fr qualified PSDCs Infrmatin Security Risk Management R = L * C 30

31 Requirements and cntrls fr qualified PSDCs Infrmatin Security Risk Management Level f risk: magnitude f a risk expressed in terms f the cmbinatin f cnsequences and their likelihd R = L * C Threat: ptential cause f an unwanted incident, which may result in harm t a system r rganisatin Cnsequence: utcme f an event affecting bjectives Vulnerability: weakness f an asset r cntrl that can be explited by ne r mre threats 31

32 Requirements and cntrls fr qualified PSDCs Infrmatin Security Risk Management Risk treatment Aviding the risk by deciding nt t start r cntinue with the activity that gives rise t the risk Taking r increasing risk in rder t pursue an pprtunity Remving the risk surce (i.e. the threat; nt applicable t infrmatin security) Changing the likelihd (i.e. f the threat; t read as changing the likelihd that and incident happens ) Changing the cnsequences Sharing the risk with anther party r parties (including cntracts and risk financing) Accepting the risk by infrmed chice 32

33 Requirements and cntrls fr qualified PSDCs Infrmatin Security Risk Management Threats Risk Evaluatin Risk Treatment Cntrls 33

34 Requirements and cntrls fr qualified PSDCs SUMMARY Intrductin Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 f the law f 25 July 2015 n electrnic archiving Infrmatin Security Management System (ISMS) Infrmatin Security Risk Management Infrmatin Security Cntrls 34

35 Requirements and cntrls fr qualified PSDCs Infrmatin Security Cntrls Security recmmendatins r requirements Classical recmmendatins f security experts Sme cntrls are quite general, sme precise Sme cntrls are applicable t all the rganisatin, sme are applicable t specific areas Prvide recmmendatins which may be large and may include ther security cntrls Selected t reduce risk t an acceptable level after their evaluatin Plicies (rules), dcumented prcedures, guidelines, practices, rganizatinal structures Administrative Technical Legal 35

36 Requirements and cntrls fr qualified PSDCs Infrmatin Security Cntrls ISO/IEC ISO/IEC & Articles r Clauses Security cntrls Appendix A Detailed descriptin f security cntrls 36

37 Requirements and cntrls fr qualified PSDCs Infrmatin Security Cntrls Security Plicy Prvide a security rientatin Management supprt Digitizatin plicy E-archiving plicy Take in accunt strategy, legal & cntractual requirements, threats Cntain definitin f infrmatin security, bjectives and principles, respnsibilities Examples f cntent: access cntrl, classificatin f infrmatin, physical security, backup, transfer f infrmatin, prtectin against malware, management f vulnerabilities, Revue f plicies: Within regular intervals r during significant changes Shall be validated regularly by management 37

38 Requirements and cntrls fr qualified PSDCs Infrmatin Security Cntrls Organisatin f the infrmatin security Management f infrmatin security Cntrl the implementatin f infrmatin security Rles and respnsibilities in infrmatin security: Frmalised attributin f respnsibilities Segregatin f duties: Identificatin f rles Actin, validatin and supervisin Limitatin f gathering functins Relatinship with authrities: Updating the related listing Incident management t cmmunicate 38

39 Requirements and cntrls fr qualified PSDCs Infrmatin Security Cntrls Management f assets Inventry f assets Owners and respnsibilities related t assets Crrect use f assets Classificatin f infrmatin: Criteria value, legal requirements, sensibility and criticality Media handling USB key, CDs, physical transfer Security f human resurces Befre recruitment During cntract End r mdificatin f cntract 39

40 Requirements and cntrls fr qualified PSDCs Infrmatin Security Cntrls Access cntrl Manage access t infrmatin User access management Registratin and suppressin f users Creatin f accunts and access rights Management f privileged access rights Management f secret infrmatin fr authenticatin Review f access rights Suppressin and mdificatin f access rights User respnsibilities System and applicatin access cntrl Restricted access t infrmatin Prcedure fr secured cnnexin Use f sftware fr privileged rights Access cntrl t surce cde 40

41 Requirements and cntrls fr qualified PSDCs Infrmatin Security Cntrls Physical and envirnmental security Prhibit any nn authrized access Security znes Material security Operatinal security and telecmmunicatin Dcumentatin f peratinal prcedures Separate dmains and tasks f respnsibility Separate testing, develpment and peratinal equipment Prtectin against malware Establish back-up cpies Management f netwrk security Supervisin Prvide a crrect and secured management f digitizatin and e-archiving prcesses 41

42 Requirements and cntrls fr qualified PSDCs Infrmatin Security Cntrls Cryptgraphy: Plicy fr use f cryptgraphy Management f cryptgraphic keys Management f keys and certificates PKI Acquisitin, develpment and maintenance f infrmatin systems Mnitring the inclusin f security issues in the infrmatin systems Gd functining f the applicatin Cryptgraphic cntrls 42

43 Requirements and cntrls fr qualified PSDCs Infrmatin Security Cntrls Management f infrmatin security incidents Reprting f incidents and failures Management f imprvements and incidents Management f business cntinuity activity Prevent interruptins Cnfrmity Cnfrmity with legal requirements Cnfrmity t plicy and standards Cnsideratin f the audit reprt 43

44 THANK YOU Fr Yur Attentin Fr mre infrmatin: ILNAS Département de la cnfiance numérique 1, Avenue du Swing L-4367 Belvaux (+352) (+352)