Requirements and perspectives of Information Security and IT-Grundschutz in Romania

Transcription

1 Requirements and perspectives of Information Security and IT-Grundschutz in Romania Faceți clic pentru editarea stilului de subtitlu al coordonatorului Nuremberg, October 2010

2 Agenda e-context and perspectives in Romania» Regulators» e-romania» Major initiatives» Security requirements - Limitations of ISO certification - Case study - joint use of ISO and IT Grundschutz for critical infrastructure protection

3 Regulatory bodies Ministry of Communication and Information Society ANCOM National Authority for Communications Regulation and Management Sectorial regulators: ANRE National Authority for Energy Regulation IGSU Inspectorate for Emergency Situations Ministry of Administration and Interior National Bank of Romania

4 e-romania Designed by the Ministry of Communication and Informational Society and approved by G.O. in 2010 National strategy to promote an information and knowledge-based society Vision implement a structured and comprehensive set of e-government services for citizens and companies 3 sets of objectives: Increasing public bodies capacity to provide e-services Prioritary services to be provided (aligned with EU priorities) Content and functionality of e-romania

5 e-romania - security Security and confidentiality one of the 7 underlying principles Specific objective increase confidence by: Design and implement standards and rules for security and monitoring Security audit for all projects or systems of public e-services Promote digital signature Specific objective audit and certification of quality egov certification mark for performance and maturity Other related objectives (such as interoperability, monitoring and analysis, etc.)

6 E-government major initiatives e-tender public system National e-payments gateway - announced 2011 Unique Point of Contact & One-stop Shop Widespread implementation of e-services in central and local governments, financed through Structural funds Budget Meuro 3 axes access to services, e-government, support for companies

7 A few security requirements Regulated and operational e-services - Electronic signature, Time-stamping according to applicable international standards - E-notary requirements for security according to ISO and ISO E-banking requirements for a security plan audited by a CISA - Electronic invoicing requirements for a security plan audited by a CISA - Privacy law requirement for a security plan not standardized No standard to evaluate e-services and information systems of local and central governments!!

8 ISO 27001, an alternative? Pro: International standard easily acceptable Decent framework for implementation (PDCA) Array of complementary standards Existing assessment and certification framework Con: Lack of specific technical guidelines To permisive framework for evaluation ISO-based certification devalued (?)

9 ISO certification in Romania 3 Romanian bodies accredited by Romanian Accreditation RENAR or international accrediter Major international players, e.g.tüv Nord But also Rogue international certification bodies International accreditation Local sales and audit offices Local rogue certifiers Requirements of ISO not understood / used By the certifier national / international By the accrediter

10 Why I don t always trust ISO certifications Local practice requirements for exotic certifications to participate in public tenders Result: loads of certificates 17% Case study: Romanian operating certification body 140 certificates Main area of certification: building?!! ISO requirements not used 4% 20% 20% Building & installations Physical security and guard IT&C Food Other 39%

11 Case study IT Grundschutz for CI Electrical energy sector Critical infrastructure - Council Directive 2008/114/EC Critical IT Systems Network monitoring and control Local monitoring and control Metering Well defined requirements with many sources Local laws EU Regulation Sector regulation Increasing threat awareness Stuxnet

12 CI Directive Timeframe Enactement 12 January 2009 Implementation Identify and Designate OLS Member states Periodic revision CI Operator Operator Security Plans Periodic revision Threat, Vuln & Risk Assessment Today Revision Energy and Transports Possibly other sectors ex. ICT months

13 Case study IT Grundschutz for CI (2) The approach: combination of ISO and Grundschutz ISO basis for the company wide Security Management approach: PDCA Risk Management practices Integrate all specific requirements: Physical security Information security Incident response & Continuity Legal compliance

14 Case study IT Grundschutz for CI (3) Where falls short, IT-Grundschutz takes over Inventory and classification of IT Systems Security Management of critical IT systems: Risk assessment Implementation guidance Evaluation tool

15 My take: Urgent need for defined security standard(s) Management framework Technical requirements Implementation guidelines Reliable assessment and certification framework Possible areas of application: e-services e-government company-operated IT Systems of public governments IT Systems for critical infrastructures IT Grundschutz a possible solution

16 How could it be done Increase awareness of IT-Grundschutz in Romania Ministries: Communication, Interior, Economy Regulator: Authority for communications, energy, inspectorate for emergency situations Interested parties: professional associations, association of cities, etc Support localisation of Grundschutz-based Standards & Guidelines: RA Implementation Assessment Create a framework for training and assessment of competencies

17 List of useful contacts: Ministry of Communication and Informtaion Security Ministry of Interior Authority for Regulation of Communications National Autority for Energy Regulation Inspectorate for Emergency Situations responsible for Critical Infrastructure regulation and protection ANIAP association of IT Professionals in the Public Administration Association of Romanian Municipia

18 Thank you! Q&A Andrei Hohan FiaTest