Information security and privacy protection aspects of electronic information management in the Belgian social sector

Frank Robben
General manager, Crossroads Bank for Social Security
Sint-Pieterssteenweg 375, B-1040 Brussels
E-mail: [email protected]
CBSS: www.ksz.fgov.be
Personal website: www.law.kuleuven.be/icri/frobben
26th June 2008, Frank Robben
Stakeholders of the Belgian social sector
• > 10,000,000 citizens
• > 220,000 employers
• about 3,000 public and private institutions (actors) at several levels (federal, regional, local) dealing with
  – collection of social security contributions
  – delivery of social security benefits
    • child benefits
    • unemployment benefits
    • benefits in case of incapacity for work
    • benefits for the disabled
    • reimbursement of health care costs
    • holiday pay
    • old age pensions
    • guaranteed minimum income
  – delivery of supplementary social benefits
  – delivery of supplementary benefits based on the social security status of a person
The problem
• a lack of well coordinated service delivery processes and a lack of well coordinated information management led to
  – suboptimal effectiveness of social protection
  – a huge avoidable administrative burden and related costs for
    • the citizens
    • the employers/companies
    • the actors in the social sector
  – service delivery that didn't meet the expectations of the citizens and the companies
  – insufficient social inclusion
  – too many opportunities for fraud
  – suboptimal support of social policy
Expectations of citizens and companies
• effective social protection
• integrated services
  – attuned to their concrete situation, and personalized when possible
  – delivered on the occasion of events that occur during their life cycle (birth, going to school, starting to work, moving, illness, retirement, starting up a company, …)
  – across government levels, public services and private bodies
• attuned to their own processes
• with minimal costs and minimal administrative burden
• if possible, granted automatically
• with active participation of the user (self service)
• well performing and user-friendly
• reliable, secure and permanently available
• accessible via a channel chosen by the user (direct contact, phone, PC, …)
• sufficient privacy protection
The solution
• a network between all 3,000 social sector actors with a secure connection to the internet, the federal MAN, regional extranets, extranets between local authorities and the Belgian interbanking network
• a unique identification key
  – for every citizen, electronically readable from an electronic social security card and an electronic identity card
  – for every company
  – for every establishment of a company
• an agreed division of tasks between the actors within and outside the social sector with regard to collection, validation and management of information and with regard to electronic storage of information in authentic sources
The solution
• 210 electronic services for mutual information exchange amongst actors in the social sector, defined after process optimization
  – nearly all direct or indirect (via citizens or companies) paper-based information exchange between actors in the social sector has been abolished
  – in 2007, 656 million electronic messages were exchanged amongst actors in the social sector, which saved as many paper exchanges
• electronic services for citizens
  – maximal automatic granting of benefits based on electronic information exchange between actors in the social sector
  – 8 electronic services via an integrated portal
    • 3 services to apply for social benefits
    • 5 services for consultation of social benefits
  – about 30 new electronic services are foreseen
The solution
• 41 electronic services for employers, either based on the electronic exchange of structured messages or via an integrated portal site
  – 50 social security declaration forms for employers have been abolished
  – in the remaining 30 (electronic) declaration forms the number of headings has on average been reduced to a third of the previous number
  – declarations are limited to 4 events
    • immediate declaration of recruitment (only electronically)
    • immediate declaration of discharge (only electronically)
    • quarterly declaration of salary and working time (only electronically)
    • occurrence of a social risk (electronically or on paper)
  – in 2007, 23 million electronic declarations were made by all 220,000 employers, 98 % of which from application to application
The solution
• an integrated portal site containing
  – electronic transactions for citizens, employers and professionals
  – simulation environments
  – information about the entire social security system
  – harmonized instructions and information model relating to all electronic transactions
  – a personal page for each citizen, each company and each professional
• an integrated multimodal contact centre supported by a customer relationship management tool
• a data warehouse containing statistical information with regard to the labour market and all branches of social security
The solution
• reference directory
  – directory of available services/information
    • which information/services are available at any actor depending on the capacity in which a person/company is registered at each actor
  – directory of authorized users and applications
    • list of users and applications
    • definition of authentication means and rules
    • definition of authorization profiles: which kind of information/service can be accessed, in what situation and for what period of time, depending on the capacity in which the person/company is registered with the actor that accesses the information/service
  – directory of data subjects
    • which persons/companies have personal files at which actors for which periods of time, and in which capacity they are registered
  – subscription table
    • which users/applications want to automatically receive what information/services in which situations for which persons/companies in which capacity
CBSS as driving force
• coordination by the Crossroads Bank for Social Security
  – Board of Directors consists of representatives of the companies, the citizens and the actors in the social sector
  – mission
    • definition of the vision and the strategy on eGovernment in the social sector
    • definition of the common principles related to information management, information security and privacy protection
    • definition, implementation and management of an interoperability framework
      – technical: secure messaging of several types of information (structured data, documents, images, metadata, …)
      – semantic: harmonization of concepts and co-ordination of necessary legal changes
      – business logic and orchestration support
    • coordination of business process reengineering
    • stimulation of service oriented applications
    • driving force of the necessary innovation and change
    • consultancy and coaching
Co-operative governance
• CBSS has an innovative model of governance, steering the business process re-engineering with complex interdependencies between all actors involved
• Board of Directors of the CBSS
  – consists of representatives of the stakeholders (employers associations, trade unions, social security institutions, …)
  – approves the strategic, operational and financial plans of the CBSS
• General Coordination Committee with representation of all users acts as debating platform for the elaboration and implementation of eGovernment initiatives within the social sector
Co-operative governance
• permanent or ad hoc working groups are instituted within the General Coordination Committee in order to co-ordinate the execution of programs and projects
• the chairmen of the various working groups meet regularly as a Steering Committee
• besides project planning and follow-up, proper measuring facilities are available to assure permanent monitoring and improvement after the implementation of the electronic services
Adequate management and control techniques
• annual priority plan debated with all users within the General Coordination Committee of the CBSS
• cost accounting and zero-based budgeting resulting in financial transparency, an informed budget and a good evaluation of the management contract with the Belgian federal government
• internal control based on the COSO methodology (see www.coso.org) in order to provide reasonable assurance regarding the achievement of objectives with regard to
  – effectiveness and efficiency of operations
  – reliability of financial reporting
  – compliance with applicable laws and regulations
• external audit with regard to the correct functioning of the internal control system
Adequate management and control techniques
• program management through the whole social sector
• issue management during the management of each program
• use of a system of project management combined with a time keeping system to follow up projects that are realized by the CBSS and its partners
• frequent reports to all users which describe the progress of the various projects and any adjustment measures
• use of balanced scorecards and a dashboard to measure, follow up and evaluate the performance of the electronic services and the CBSS
• use of ITIL (see www.itil-itsm-world.com) for ICT service delivery
• use of a coherent set of monitoring techniques to guarantee optimal control and transparency of the electronic services
[Figure: "Towards a network of service integrators". The diagram connects the Internet, the federal MAN (FEDMAN), the extranets of the regions and communities, the extranet of the social sector, and the links (VPN, Publi-link, VERA, …) to cities, provinces and municipalities. Each domain has its own services repository and its own service integrator: FEDICT for the federal level (FPS nodes), the CBSS for the social sector (ASS nodes), and Corve, Easi-Wal, CIRB, … for the regional level (RPS nodes).]
Advantages
• gains in efficiency
  – in terms of cost: services are delivered at a lower total cost
    • due to
      – a unique information collection using a common information model and administrative instructions
      – less need to re-encode information, by stimulating electronic information exchange
      – a drastic reduction of the number of contacts between actors in the social sector on the one hand and companies or citizens on the other
      – a functional task sharing concerning information management, information validation and application development
      – a minimal administrative burden
    • according to a study of the Belgian Planning Bureau, rationalization of the information exchange processes between the employers and the social sector implies an annual saving of administrative costs of about 1.7 billion € for the companies
Advantages
• gains in efficiency
  – in terms of quantity: more services are delivered
    • services are available at any time, from anywhere and from several devices
    • services are delivered in an integrated way according to the logic of the customer
  – in terms of speed: the services are delivered in less time
    • benefits can be allocated quicker because information is available faster
    • waiting and travel time is reduced
    • companies and citizens can directly interact with the competent actors in the social sector with real time feedback
Advantages
• gains in effectiveness: better social protection
  – in terms of quality: same services at same total cost in same time, but to a higher quality standard
  – in terms of type of services: new types of services, e.g.
    • push system: automated granting of benefits
    • active search of non-take-up using data warehousing techniques
    • controlled management of own personal information
    • personalized simulation environments
• better support of social policy
• more efficient combating of fraud
Critical success factors
• common vision on electronic service delivery, information management and information security amongst all stakeholders
• support of and access to policymakers at the highest level
• trust of all stakeholders, especially partners and intermediaries, based on
  – mutual respect
  – real mutual agreement
  – transparency
• respect for legal allocation of competences between actors
• co-operation between all actors concerned based on distribution of tasks rather than centralization of tasks
• focus on more effective and efficient service delivery and on cost control
Critical success factors
• reasoning in terms of added value for citizens and companies rather than in terms of legal competences
• quick wins combined with long term vision
• lateral thinking when needed
• adaptability to an ever changing societal and legal environment
• electronic service delivery as a structural reform process
  – process re-engineering within and across actors
  – back-office integration for unique information collection, re-use of information and automatic granting of benefits
  – integrated and personalized front-office service delivery
Critical success factors
• multidisciplinary approach
  – process optimization
  – legal coordination
  – ICT coordination
  – information security and privacy protection
  – change management
  – communication
  – coaching and training
Critical success factors
• appropriate balance between efficiency on the one hand and information security and privacy protection on the other
• technical and semantic interoperability
• legal framework
• creation of an institution that stimulates, co-ordinates and assures a sound program and project management
• availability of skills and knowledge => creation of an association that hires ICT specialists at normal market conditions and puts them at the disposal of the actors in the social sector
• sufficient financial means for innovation: agreed possibility to re-invest efficiency gains in innovation
• service oriented architecture (SOA)
Critical success factors
• need for radical cultural change within government, e.g.
  – from hierarchy to participation and team work
  – meeting the needs of the customer, not the government
  – empowering rather than serving
  – rewarding entrepreneurship within government
  – ex post evaluation on output, not ex ante control of every input
Information security and privacy protection
• security, availability, integrity and confidentiality of information is ensured by integrated
  – structural
  – institutional
  – legal
  – organizational
  – HR-related
  – technical
  security measures according to agreed policies
Structural and institutional measures
• no central data storage
• access authorization to personal information is granted by a Sector Committee of the Privacy Commission, designated by Parliament, after it has checked whether the access conditions are met
• the access authorizations are public
• every actual electronic exchange of personal information has to pass through an independent trusted third party (basically the CBSS), which preventively checks it for compliance with the existing access authorizations
• every actual electronic exchange of personal information is logged, so that possible abuse can be traced afterwards
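The preventive check and the logging described on this slide, applied against the directory of authorized applications and the directory of data subjects from the "reference directory" slide, can be modelled as follows. This is an added example written for this page, not CBSS code: the actor names, capacities, information types and dates are constructed for illustration, and the "in which situation" dimension of the authorization profiles is left out.

```python
# Added example, not CBSS code: a toy service integrator that checks every
# exchange against a reference directory and logs each attempt.
# All actor names, capacities, information types and dates are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Authorization:
    """Directory of authorized applications: which application may obtain which
    information type, for subjects registered with it in which capacity, when."""
    application: str
    info_type: str
    capacity: str
    valid_from: date
    valid_to: Optional[date] = None  # None means open-ended

@dataclass(frozen=True)
class Registration:
    """Directory of data subjects: which actor holds a file on whom, in which capacity, when."""
    actor: str
    subject: str
    capacity: str
    valid_from: date
    valid_to: Optional[date] = None

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def in_period(day: date, start: date, end: Optional[date]) -> bool:
    return start <= day and (end is None or day <= end)

@dataclass
class ServiceIntegrator:
    """The trusted third party between actors: no exchange bypasses check()."""
    authorizations: list = field(default_factory=list)
    registrations: list = field(default_factory=list)
    log: list = field(default_factory=list)  # append-only audit trail

    def check(self, application: str, info_type: str, subject: str, day: date) -> Decision:
        # Step 1: a (public) authorization must cover this application and info type on that day.
        auths = [a for a in self.authorizations
                 if a.application == application and a.info_type == info_type
                 and in_period(day, a.valid_from, a.valid_to)]
        if not auths:
            return Decision(False, "no authorization for this application and information type")
        # Step 2: the subject must be registered with the requester, on that day,
        # in a capacity named by one of those authorizations.
        for a in auths:
            for r in self.registrations:
                if (r.actor == application and r.subject == subject and r.capacity == a.capacity
                        and in_period(day, r.valid_from, r.valid_to)):
                    return Decision(True, f"authorized in capacity '{a.capacity}'")
        return Decision(False, "subject not registered with requester in an authorized capacity")

    def exchange(self, application: str, info_type: str, subject: str,
                 day: date, user: str = "application") -> Decision:
        """Preventive check, then log the attempt whether allowed or refused."""
        decision = self.check(application, info_type, subject, day)
        self.log.append({"day": day, "application": application, "user": user,
                         "info_type": info_type, "subject": subject,
                         "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def trace(self, subject: str, since: date, until: date) -> list:
        """Log investigation: every attempt concerning one subject in a period."""
        return [e for e in self.log if e["subject"] == subject and since <= e["day"] <= until]

def build_demo_integrator() -> ServiceIntegrator:
    si = ServiceIntegrator()
    si.authorizations += [
        Authorization("pension_office", "salary_history", "pensioner", date(2006, 1, 1)),
        Authorization("unemployment_office", "employer_declaration", "unemployed", date(2006, 1, 1)),
    ]
    si.registrations += [
        Registration("pension_office", "citizen-A", "pensioner", date(2007, 1, 1)),
        Registration("unemployment_office", "citizen-B", "unemployed", date(2007, 3, 1), date(2007, 12, 31)),
    ]
    return si

def run_demo() -> list:
    """Five constructed exchanges; returns whether each was allowed."""
    si = build_demo_integrator()
    today, last_year = date(2008, 6, 26), date(2007, 6, 1)
    results = [
        si.exchange("pension_office", "salary_history", "citizen-A", today),                # allowed
        si.exchange("pension_office", "salary_history", "citizen-B", today),                # refused: not registered there
        si.exchange("unemployment_office", "employer_declaration", "citizen-B", today),     # refused: registration expired
        si.exchange("unemployment_office", "employer_declaration", "citizen-B", last_year), # allowed
        si.exchange("unemployment_office", "salary_history", "citizen-B", last_year),       # refused: no authorization
    ]
    # Investigating the log afterwards surfaces the two refused attempts on citizen-B in 2008.
    flagged = si.trace("citizen-B", date(2008, 1, 1), date(2008, 12, 31))
    assert len(flagged) == 2 and not any(e["allowed"] for e in flagged)
    return [d.allowed for d in results]

if __name__ == "__main__":
    print(run_demo())  # [True, False, False, True, False]
```

Two points the model makes explicit. The check is preventive: the data does not move unless both the authorization and the registration of the data subject are valid on the day of the exchange, so an expired registration or an authorization granted later than the request is refused even though the actor is otherwise entitled to that information type. And refused attempts are logged as well as allowed ones, because the ex post tracing of abuse that the slide relies on is only as good as the completeness of that log; in practice the log needs to be append-only and retained for the whole period during which complaints can be brought.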
Structural and institutional measures
• every actor in the social sector has an information security officer with an advisory, stimulating, documentary and control task
• specialized information security service providers in the social sector have been recognized in order to support the information security officers
• a working party on information security and privacy protection within the social sector has been established
• minimal information security and privacy protection standards are proposed by the working party on information security and privacy protection and are established by the Sector Committee
Structural and institutional measures
• every year, every actor in the social sector has to report to the Sector Committee on compliance with the minimal information security and privacy protection standards
• if an actor in the social sector doesn't meet the minimal information security and privacy protection standards, the Sector Committee can prohibit the actor from being connected to the CBSS
Independent Sector Committee
• established within the Privacy Commission
• composed of
  – 2 members of the Privacy Commission
  – 3 independent social security specialists designated by Parliament
• competences
  – supervision of information security
  – authorizing the information exchange
  – complaint handling
  – information security recommendations
  – extensive investigating powers
  – annual activity report
Information security department
• at each actor in the social sector
• composition
  – information security officer
  – one or more assistants
• control on independence and permanent education of the information security officers is performed by the Sector Committee
• the Sector Committee can allow the tasks of the information security department to be entrusted to a recognized specialized information security service provider
Information security department: tasks
• information security department
– recommends
– promotes
– documents
– controls
– reports directly to the general management
– formulates the blueprint of the security plan
– elaborates the annual security report
• general management
– takes the decision
– is finally responsible
– gives motivated feedback
– approves the security plan
– supplies the resources
Contents of the security report
• general overview of the security situation
• overview of the activities
– recommendations and their effects
– control
– campaigns in order to promote information security
• overview of the external recommendations and their effects
• overview of the received trainings
Specialized IS service providers
• to be recognized by the Government
• recognition conditions
  – non-profit association
  – having information security in the social sector as the one and only activity
  – respecting the tariff principles determined by the Government
• control on independence is performed by the Sector Committee
• tasks
  – keeping information security specialists at the disposal of the associated actors
  – recommending
  – organizing information security trainings
  – supporting campaigns promoting information security
  – external auditing on request of the actor or the Sector Committee
• each actor can only associate with one specialized information security service provider
Working party on information security
• composition
– information security officers of all branches of the social sector
• task
– coordination
– communication
– proposal of minimal information security and privacy protection standards
– check list
– recommendations to the Sector Committee
Legal measures
• obligations of the actors in the social sector as data controllers (i.e. the natural or legal person, public authority, agency or any other body which alone or jointly determines the purposes and means of the processing of personal data)
• rights of the data subjects (i.e. the natural persons the personal data relate to)
• remedies, liability and sanctions
Obligations of actors in the social sector
• principles relating to fair and lawful processing and data quality
• information to be given to the data subject
• confidentiality and security of processing
Fair and lawful processing and data quality
• fair and lawful processing
• collection only for specified, explicit and legitimate purposes
• no further processing in a way incompatible with those purposes
• personal data must be adequate, relevant and not excessive in relation to those purposes
• personal data must be accurate and kept up to date
• personal data must not be kept longer than necessary for those purposes in a form which permits the identification of the data subject
Fair and lawful processing and data quality
• respect of additional protection measures related to sensitive data, i.e. data revealing or concerning
– racial or ethnic origin
– political opinions
– religious or philosophical beliefs
– trade union membership
– health
– sexual life
– offences, criminal convictions or security measures
Informing the data subject
• the controller or his representative must provide the data subject a minimum of information
  – when obtaining personal data from the data subject
  – when undertaking the recording or envisaging a disclosure to a third party of personal data that have not been obtained from the data subject
• exceptions:
  – the data subject already has the information
  – informing the data subject in case of processing of data obtained from another person
    • proves impossible, in particular for processing for statistical purposes or purposes of historical or scientific research, or
    • would involve disproportionate effort for the controller, in particular for processing for statistical purposes or purposes of historical or scientific research, or
    • is not necessary because the recording or disclosure is expressly laid down by law
Informing the data subject
• information to be given
  – identity of the controller and his representative, if any
  – the purposes of the processing
  – any further information necessary to guarantee fair processing in respect of the data subject, such as
    • categories of processed data
    • (categories of) recipients
    • whether replies are obligatory or not, as well as the possible consequences of failure to reply
    • the existence of rights of access and rectification
Confidentiality and security
• no access to personal data is permitted except on instructions from the controller or if required by law
• appropriate technical and organizational security measures
  – protection against
    • accidental or unlawful destruction
    • accidental loss
    • alteration
    • unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network
    • all other forms of unlawful processing
  – measures have to be appropriate
    • to the risks represented by the processing
    • and the nature of the data to be protected
    • having regard to the state of the art
    • and the cost of their implementation
Confidentiality and security
• where processing is carried out by an external processor
  – the controller has to choose a processor guaranteeing sufficient technical and organizational security measures
  – the controller must ensure compliance of the processing with the security measures
  – the carrying out of the processing must be governed by a written contract or legal act stipulating in particular that
    • the processor shall act only on instructions from the controller
    • the security obligations shall also be incumbent on the processor
Recommendation Belgian Privacy Commission
• see http://www.privacycommission.be/nl/static/pdf/referenciemaatregelen-vs-01.pdf
• risk analysis taking into account
  – the nature of the processed data
  – the applicable legal requirements
  – the size of the organization
  – the importance and the complexity of the information systems
  – the extent of internal and external access to personal data
  – the probability and the impact of the several risks
  – the cost of the implementation of risk mitigating measures
Recommendation Belgian Privacy Commission
• 10 types of measures
  – information security policy
  – information security officer
  – minimal organizational measures and measures related to staff
  – physical security
  – network security
  – access control
  – logging and investigation of logging
  – supervision, audit and maintenance
  – management of security incidents and continuity
  – documentation
Rights of the data subject
• right of privacy protection
• right of information
  – access to the public register
  – in case of collection of data
  – in case of the recording or disclosure of data obtained elsewhere
• right of access
• right of rectification, erasure or blocking
• right not to be subject to fully automated individual decisions
• right of a judicial remedy
Right of access
• the data subject has the right to obtain from the controller without constraint, at reasonable intervals and without excessive delay or expense
  – confirmation as to whether or not data relating to him are being processed
  – information at least about
    • the purposes of the processing
    • the categories of data
    • the (categories of) recipients
  – communication of the data and any available information as to their source
  – knowledge of the logic in case of an automated processing intended to evaluate certain personal aspects relating to him
• every time information is used to take a decision, the information used is communicated to the person concerned together with the decision
Right of rectification, erasure or blocking
• the data subject has the right to obtain from the controller the rectification, erasure or blocking of data the processing of which does not comply with the provisions of the directive (e.g. incomplete or inaccurate data)
• the controller has to notify any rectification, erasure or blocking to third parties to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort
Automated individual decisions
• every person is granted the right not to be subject to a decision which produces legal effects for him or significantly affects him and which is based solely on the automated processing of data intended to evaluate certain personal aspects, such as his performance at work, creditworthiness, reliability, conduct, ...
• derogations are possible
  – under certain circumstances, in the course of the entering into or the performance of a contract, or
  – by law providing measures to safeguard the data subject's legitimate interests
Remedies, liability and sanctions
• remedies
  – administrative remedies, inter alia before the Sector Committee
  – judicial remedies
  – for any breach of the rights guaranteed by the applicable national law
• liability
  – right to compensation from the controller for the damage suffered as a result of an unlawful processing operation, unless the controller proves not to be responsible for the event giving rise to the damage
• sanctions
  – penal sanctions
  – interdiction to process personal data
Organizational, HR-related & technical measures
• risk assessment
• security policies
• governance and organization of information security
• inventory and classification of information
• human resources security
• physical and environmental security
• management of communication and service processes
• processing of personal data
• access control
• acquisition, development and maintenance of information systems
• information security incident management
• business continuity management
• compliance: internal and external control
• communication to the public of the policies concerning security and the protection of privacy
Security policies
• an integrated set of security policies is being elaborated through step-by-step refinement
• the policies always have the following structure
  – material field of application: what the policy is all about
  – personal field of application: to whom the policy applies
  – definitions of the concepts used in the policy
  – general principles: setting rules and responsibilities
  – requirements and references to other policies
  – sanctions, arising among other things from regulations, if the policy is not complied with
  – references to directives, architecture, procedures, standards and techniques to comply with the policy
  – date of validation by the bodies concerned
  – mention of the person responsible for policy maintenance
Security policies
• directives, architecture, standards, procedures and techniques are being described to apply the integral set of security policies, in accordance with the priorities set by the working party on information security and privacy protection
Classification of information
• the purpose of classifying information is to determine the protection level per information item, taking two aspects into account
  – the importance for the business continuity of the actors (e.g. vital, critical, necessary, useful)
  – sensitivity in relation to protection of privacy (e.g. public, internal, confidential, secret)
• the field of application of the classification exercise covers information (mainly personal data) used for services to citizens, companies and civil servants, regardless of the support equipment on which it is kept
• information is labelled depending on the classification criteria used
HR-security
• security tasks and responsibilities are included in all job descriptions to which they apply; sensitive positions are stated as such in job descriptions
• applicants for sensitive jobs are screened carefully
• a secrecy declaration is signed by every staff member
• all staff members are briefed, educated and trained regarding information security and protection of privacy
• at each actor in the social sector, robust procedures have to be settled and implemented to report any security breaches or weak points to the information security officer
HR-security
• at each actor in the social sector, a working method is settled and implemented to analyse any security-related incidents and weak points reported by the information security officer, and adequate remedial measures are proposed
• (disciplinary) sanctions are foreseen when measures relating to information security and protection of privacy are circumvented or not complied with
• it is checked that these (disciplinary) sanctions are sufficiently well known
• it is checked that adequate measures are applied when a working relationship with a staff member is terminated
Physical and environmental security
• premises have to be available that are well secured against malign external influences, unauthorized access, break-in, flood, fire, ..., and ICT infrastructure supporting vital and critical business processes has to be accommodated at these premises
• the electricity supply for ICT infrastructure supporting vital and critical business processes is guaranteed
• cables and air-waves are secured, especially against wire-tapping
  – a procedure for the import and export of business equipment, among other things in cases of maintenance and repairs, is settled and implemented
  – rules are settled for managing business equipment relating to people (e.g. laptops, handhelds, mobile phones, call tokens, ...) giving access to information that needs to be protected
Management of processes
• the division of responsibilities for the management and maintenance of all parts of ICT infrastructure is settled and implemented
• security procedures, including procedures for resolving incidents, are settled and implemented, taking into account the necessary divisions of roles
• the internal rules for day-to-day work (e.g. back-ups, banned use of computer games, code of practice regarding use of the Internet, closing of equipment, ...) are settled and complied with
• each stage in the life-cycle of an application, including acceptance scenarios, is settled and complied with
Management of processes
• new applications or amendments to existing applications are submitted for acceptance tests in an acceptance environment, separate from the production environment, before going into production
• the six areas of ITIL methodology concerning service support, and the first two areas of ITIL methodology concerning service delivery, are implemented
– service support
• configuration management
• incident management
• problem management
• change management
• service/help-desk
• release management
– service delivery
• service level management
• capacity management
Management of processes
• there are preventive measures for the securing of all information systems against viruses and harmful software
• procedures for information storage media (tapes, floppy disks, cassettes, ...) are settled and complied with, including rules relating to
– storage and access
– shipping
– accidental destruction
Management of processes
• networks are managed following well-defined procedures, especially when connected to external networks; in this respect, special attention is paid to
– divisions between internal and external networks
– perimeter securing of internal networks (firewalls, ...)
– authentication of components against one another
– intrusion detection
– application of encryption techniques where necessary
• interchange agreements are written down for the use of network services, especially for network services used for external collaboration, including
– service level agreements concerning availability and performance
– demarcation of responsibilities relating to security and protection of privacy
Access control
• a user management system is settled and implemented, permitting
– electronic identification of people, resources, applications and services
– electronic authentication of the identity of people, resources, applications and services by appropriate means (user ID, password, token, digital certificate, electronic signature, ...)
– electronic verification of relevant characteristics and mandates of people in authentic sources
• an access management system is settled and implemented, indicating among other things
• roles and functions
• authorizations on the basis of those roles and functions
• authorization time-limits
• authorizations are managed at the levels of
• people
• resources
• applications
• services
User and access management
• identification of physical and legal persons
– unique social identification number for physical persons
– unique company number for companies
• authentication of the identity of physical persons
– electronic identity card
– user id
– password
– token
• authentic sources for
– management and verification of characteristics (e.g. a capacity, a function, a professional qualification) of persons
– management and verification of mandates between a legal or physical person to whom an electronic transaction relates and the person carrying out that transaction
– management and verification of authorizations
Policy Enforcement Model
[Diagram: the user submits an action on the application to the Policy Application (PEP); the PEP sends a decision request to the Policy Decision (PDP) and receives a decision reply, after which the action on the application is PERMITTED or DENIED. The PDP retrieves policies from the Policy Administration (PAP), whose policy repository is maintained by a manager through policy management, and exchanges information requests/replies with the Policy Information (PIP) components, each backed by an authentic source.]
Policy Enforcement Point (PEP)
• intercepts the request for authorization with all available information about the user, the requested action, the resources and the environment
• passes on the request for authorization to the Policy Decision Point (PDP) and extracts a decision regarding authorization
• grants access to the application and provides relevant credentials
Policy Decision Point (PDP)
• based on the request for authorization received, retrieves the appropriate authorization policy from the Policy Administration Point(s) (PAP)
• evaluates the policy and, if necessary, retrieves the relevant information from the Policy Information Point(s) (PIP)
• takes the authorization decision (permit/deny/not applicable) and sends it to the PEP
Policy Administration Point (PAP)
• environment to store and manage authorization policies by authorized person(s) appointed by the application managers
• puts authorization policies at the disposal of the PDP
Policy Information Point (PIP)
• puts information at the disposal of the PDP in order to evaluate authorization policies (authentic sources with characteristics, mandates, etc.)
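The PEP/PDP/PAP/PIP model of the preceding slides in working form, also covering the time-limited authorizations of the Access control slide and the characteristic and mandate checks against authentic sources of the User and access management slide. This is an added example, not CBSS code; every application, action, role, person and company identifier and every policy is constructed.

```python
from datetime import date

# PAP: policy repository keyed by application. Each rule names the role it
# requires, whether a mandate is needed and an authorization time-limit.
# Constructed sample policies; application, action and role names are hypothetical.
PAP = {
    "declare-employment": [
        {"action": "submit", "role": "social-secretariat", "needs_mandate": True,
         "valid_until": date(2008, 12, 31)},
        {"action": "read", "role": "employer", "needs_mandate": False,
         "valid_until": date(2009, 6, 30)},
    ],
}
# PIPs: authentic sources consulted by the PDP (constructed contents; "SSIN-1"
# stands in for a social identification number, "CBE-100" for a company number).
CHARACTERISTICS = {"SSIN-1": {"social-secretariat"}, "SSIN-2": {"employer"}}
MANDATES = {("CBE-100", "SSIN-1")}  # (company, person acting on its behalf)

def pip_characteristics(ssin):
    """PIP 1: characteristics (capacities, functions) of a physical person."""
    return CHARACTERISTICS.get(ssin, set())

def pip_mandate(company, ssin):
    """PIP 2: does this person hold a mandate to act on behalf of this company?"""
    return (company, ssin) in MANDATES

def pdp_decide(request):
    """PDP: retrieve the policy from the PAP, evaluate it, query PIPs as needed.
    Returns "permit", "deny" or "not applicable" (no rule covers the action)."""
    rules = [r for r in PAP.get(request["application"], [])
             if r["action"] == request["action"]]
    if not rules:
        return "not applicable"
    for rule in rules:
        if request["today"] > rule["valid_until"]:
            continue  # authorization time-limit has expired
        if rule["role"] not in pip_characteristics(request["user"]):
            continue  # required characteristic absent from the authentic source
        if rule["needs_mandate"] and not pip_mandate(request["company"], request["user"]):
            continue  # no mandate between the company and the acting person
        return "permit"
    return "deny"

def pep(user, company, application, action, today):
    """PEP: intercept the request (user, action, resource, environment = date),
    obtain the PDP decision and enforce it: only an explicit "permit" opens access."""
    request = {"user": user, "company": company, "application": application,
               "action": action, "today": date.fromisoformat(today)}
    decision = pdp_decide(request)
    return {"decision": decision, "allowed": decision == "permit"}
```

Note that the PEP treats "deny" and "not applicable" alike: an action no policy covers is refused rather than let through.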
Architecture
[Diagram: the policy enforcement model deployed three times, for the social sector (CBSS), the eHealth platform and the non-social federal public services (Fedict). In each deployment the user reaches the applications (WebApp XYZ) through a PEP that performs authentication and authorisation with a role mapper; the PDP with its role provider retrieves policies from the PAP "Kephas"; the PIPs (attribute providers) draw on authentic sources such as the role mapper DB, the role provider DB, DB XYZ, the UMAF, VAS management, the mandates DB, RIZIV and the judicial executors DB.]
Access control
• buildings are partitioned, security rings are installed and access control measures to premises are implemented
• access control measures to physical resources (computers, networks, ...) by users (people, resources or applications) are set and implemented, with particular attention to business equipment relating to people (e.g. laptops, handhelds, mobile phones, call tokens, ...)
• access control measures to (sections of) application code are set and implemented
• access control measures to applications and services by internal and external users (people, resources or applications) are set and implemented (e.g. call-back procedures)
• ICT equipment is automatically timed out after a set period of inactivity
• all access and actions carried out are time-logged
Acquisition, development and maintenance
• security directives to be complied with during the acquisition, development and maintenance of applications and services are set and implemented
– division of functions
– audit trails during development
– documentation
– regular interim back-ups
• the development environment is secured
• rules to build security into applications and services (e.g. validation of data input, checks of totals, verification of the authenticity of messages sent to subjects, ...), mainly for externally accessible applications and services, are settled and applied
Acquisition, development and maintenance
• procedures concerning technical and functional tests are settled and implemented in an acceptance environment, separate from the production environment, with clear go/no-go areas
• a method for analyzing the impact of amendments to operating systems on security and applications, on the permanent accessibility of information systems, and tests of the accessibility of information and applications in the amended environment before putting the amendments into effect, are settled and applied
Acquisition, development and maintenance
• a method for analyzing the impact of amendments to standard software used on security and applications, and on the continuous accessibility of information systems, and tests of the accessibility of information and applications in the amended environment before putting the amendments into effect, are settled and applied
• a procedure for the destruction of information in the event that further processing is no longer authorized due to application of the proportionality principle or occupation of the country’s territory, is settled and applied
Business continuity management
• back-up procedures for information and applications are settled and applied
• the code and written documentation on the latest version of all applications is kept at a secure site outside the production location
• the parts of information systems, certainly those supporting vital and critical business processes, are split up at geographically dispersed sites (no single points of failure)
Business continuity management
• a business continuity plan exists at each actor in the social sector and is made available to all those concerned
– indicating vital and critical components and processes
– with an inventory of necessary infrastructure and skills for each component and process
– with a description of actions, responsibilities and procedures in the event of an (internal or external) emergency
– with a description of continuation actions and procedures in the event of an emergency in order to return to normal operation
– with a description of test scenarios for the continuity plan with third parties affected
Business continuity management
• the continuity plan is tested annually with the third parties affected and a report of the results is drawn up, aimed at permanent improvement
• the information systems for which this is justified are insured against physical risks such as fire, flood or earthquake, also against theft
Compliance: internal and external control
• permanent internal control on respect of legislation, policies, directives, architecture, procedures and standards and on any undesirable use of ICT facilities (e.g. use of ICT for non-business purposes, ...) is carried out by the information security officer
• regular external check in respect of legislation, policies, directives, architecture, procedures and standards is carried out by an external auditor by order of the general manager of the actor in the social sector or of the Sector Committee
Compliance: internal and external control
• checking methods, and information systems and logs to be checked, are, with the support of the ICT department, easily accessible to the persons carrying out internal and external control functions
• monitoring systems that flag potential risks linked to infringements of the law, policies, directives, architecture, procedures and standards, and any undesirable use made of ICT facilities, are available to the information security officer
• a regular check is carried out by the controller of the processing in respect of the security measures incorporated into contracts with third parties
More information
• website Crossroads Bank for Social Security
– http://www.ksz.fgov.be
• personal website Frank Robben
– http://www.law.kuleuven.be/icri/frobben
• social security portal
– https://www.socialsecurity.be