
Eurostat

Coverage of Security Issues

Pascal Jacques, ESTAT B0, Local Informatics Security Officer


The Context

• Regulation (EC) No 223/2009 of the European Parliament and of the Council
  • (preamble) The confidential information which the national and Community statistical authorities collect for the production of European statistics should be protected, in order to gain and maintain the confidence of the parties responsible for providing that information. The confidentiality of data should satisfy the same principles in all the Member States.
  • (preamble) For that purpose, it is necessary to establish common principles and guidelines ensuring the confidentiality of data used for the production of European statistics and the access to those confidential data with due account for technical developments and the requirements of users in a democratic society.
  • The NSIs and other national authorities and the Commission (Eurostat) shall take all necessary measures to ensure the harmonisation of principles and guidelines as regards the physical and logical protection of confidential data.

• Commission Decision of 17 September 2012 on Eurostat (2012/504/EU)
  • The Director-General of Eurostat shall, in addition, take all necessary measures to protect data whose disclosure would cause prejudice to Union interests, or to the interests of the Member State to which they relate.


Challenges

• 4 strategic directions of implementation of the vision

• Network
  • Secure connection of large databases (secured data warehouse architecture)
  • Transfer/access of confidential information between ESS partners
  • Secure data formats and protocols
  • Networks integration

• Information Stores
  • More and more exchange of microdata sets for data linking
  • Combination of confidential/non-confidential/administrative datasets. Security/confidentiality of the output?

• Modular Production
  • Towards more exchange of SW. Ensure shared SW is secure (certification?)

• Optimal Collaboration
  • Secured access to datasets/rules for validation
  • Procedures for collaboration/accesses/sharing/user management
  • AAA protocol: Authentication/Authorisation/Auditing. Traceability/Privacy/Monitoring/Reporting

Need to increase IT security in order to build trust between ESS partners


The Threats

• 2012 Data Breach Investigations Report (DBIR)
  • 855 incidents, 174 million compromised records in 2011.

• Security incidents are capable of rendering critical government functions unavailable for several days (e.g. the cyber-attacks against Estonia in 2007, which not only severely affected the provisioning of online services such as e-government and e-banking within the country, but also prevented citizens from accessing online services across borders).

• Businesses and other organisations can be seriously affected if the networks and information systems underpinning their industrial processes are compromised. In 2009, 16 % of enterprises in the EU-27 had experienced some kind of NIS (Network and Information Security) incident (http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=isoc_cisce_ic&lang=en).

12-13 Jun 2012

[Timeline slide, 2007-2012: incidents shown along the axis include Estonia, Monster.com, Lithuania, Georgia, cable cuts in the Mediterranean, Stuxnet (origin 2007), Verisign, Emission Trading System (EU ETS), French Government, EC and EEAS, Sony, DigiNotar, Flamer and Google. Figures quoted on the slide:]

• $175M
• EU ETS: €30M
• Global cybercrime: $388B/year
• 10% probability of a major CII breakdown in the next 10 years, with a potential global economic cost of over $250B (source: WEF)


The Request

• Creation of a new working group "ESS Security and Secure exchange of data" (E4SWG)

• Further discuss its mandate

• Agree on, comment on and contribute to the list of proposed actions


Role of the Working Group

• Know each other and our specificities better

• Exchange information and best practices on
  • Security measures used in MS for data protection, running the data centre, access to microdata for research purposes
  • Projects/programmes linked to information security
  • IT architecture in MS, to better understand the MS's capacity to join a future shared secured data warehouse

• Agree on common rules, procedures, guidelines and standards for secure communication (e.g. emails) and data storage, exchange and transfer

• Agree on the security level of shared applications, shared services, shared processes


Related projects

• ESSnet projects
  • Data warehouse
  • Decentralised access
  • EGR

• VIP projects
  • SICON
  • Data Validation
  • CENSUS Hub
  • SIMSTAT
  • Data Warehouse

• ESS-VIP projects
  • NAPS
  • Data Warehouse
  • SIMSTAT
  • EBR
  • ICT

• FP7 projects
  • Data Without Boundaries
  • DASISH, ENGAGE, EUDAT


Proposed Actions

• Ask the opinion of the ITDG on the creation of the WG

• Organise an « Enterprise Architecture Security Workshop » on 13-14/12/2012 to discuss the mandate further

• Discuss the possibility and opportunity of using existing and under-development infrastructure for the exchange of secure messages, such as CCN/CCN 2 or sTesta/sTesta II

• Visits to some NSIs to understand their infrastructure

• Set up a shared secured repository of information on security aspects, people, roles, procedures, best practices and documentation of infrastructures in MS


State of Security 2012

McAfee/Evalueserve