Strategic importance of identity and access management (IAM)
The case of the Belgian social and health sector
Frank Robben, General manager, Crossroads Bank for Social Security / eHealth Platform
Sint-Pieterssteenweg 375, B-1040 Brussels - Belgium
E-mail: [email protected]
Website CBSS: www.ksz.fgov.be
Personal website: www.law.kuleuven.be/icri/frobben


Page 1: Strategic importance of identity and access management (IAM) The case of the Belgian social and health sector Frank Robben General manager Crossroads Bank

Strategic importance of identity and access management (IAM)

The case of the Belgian social and health sector

Frank Robben, General manager, Crossroads Bank for Social Security / eHealth Platform
Sint-Pieterssteenweg 375, B-1040 Brussels - Belgium
E-mail: [email protected]
Website CBSS: www.ksz.fgov.be
Personal website: www.law.kuleuven.be/icri/frobben

Page 2

November 5th, 2009, Frank Robben

Structure of the presentation
• expectations of the stakeholders of the Belgian social and health sector
• the Crossroads Bank for Social Security and the eHealth platform
• advantages for citizens, companies and public administrations
• strategic importance of identity and access management
• concrete implementation of identity and access management
• issues with regard to privacy protection and information security

Page 3

Stakeholders of the Belgian social sector
• > 10,000,000 citizens
• > 220,000 employers
• about 3,000 public and private institutions (actors) at several levels (federal, regional, local) dealing with
  – collection of social security contributions
  – delivery of social security benefits: child benefits, unemployment benefits, benefits in case of incapacity for work, benefits for the disabled, reimbursement of health care costs, holiday pay, old age pensions, guaranteed minimum income, …
  – delivery of supplementary social benefits
  – delivery of supplementary benefits based on the social security status of a person

Page 4

Stakeholders of the Belgian health sector
• > 10,000,000 citizens
• > 100,000 health care providers (physicians, dentists, clinical labs, pharmacists, physiotherapists, home nurses, …)
• > 300 health care institutions (hospitals, rest homes, nursing homes, …)
• sickness funds
• public institutions
  – federal level (Federal Public Service for Public Health, National Institute for Health Insurance, Belgian Health Care Knowledge Centre, …)
  – regional level

Page 5

Expectations in the social sector
• effective social protection
• effective support of social policy
• effective fraud prevention and detection
• integrated services
  – attuned to the concrete situation of the citizens and companies, and personalized when possible
  – delivered at the occasion of events that occur during their life cycle (birth, going to school, starting to work, moving, illness, retirement, starting up a company, …)
  – across government levels, public services and private bodies
• attuned to their own processes
• if possible, granted automatically

Page 6

Expectations in the health sector
• optimal quality of health care
• optimal patient safety
• adequate support of health policy
• patient-centric care and empowerment of the patient
• integrated services
  – multidisciplinary
  – holistic
  – continuous
  – across health care institutions and health care providers
• remote care (monitoring, assistance, consultation, diagnosis, operation, …), among others home care
• quickly evolving knowledge => need for reliable, coordinated knowledge management and accessibility

Page 7

Common expectations in both sectors: electronic services
• with minimal costs and minimal administrative burden
• with active participation of the user (self service)
• well performing and user-friendly
• reliable, secure and permanently available
• accessible via a channel chosen by the user (direct contact, phone, PC, …)
• with adequate information security and privacy protection

Page 8

The solution in the social sector
• creation in 1990 of the Crossroads Bank for Social Security as a coordinator and service integrator, with co-operative governance
• no central data storage
• a network between all 3,000 social sector actors with a secure connection to the internet, the federal MAN, regional extranets, extranets between local authorities and the Belgian interbanking network
• a unique identification key
  – for every citizen, electronically readable from an electronic social security card and an electronic identity card
  – for every company
  – for every establishment of a company

Page 9

The solution in the social sector
• an agreed division of tasks between the actors within and outside the social sector with regard to collection, validation and management of information and with regard to electronic storage of information in authentic sources
• 210 electronic services for mutual information exchange amongst actors in the social sector, defined after process optimization
  – nearly all direct or indirect (via citizens or companies) paper-based information exchange between actors in the social sector has been abolished
  – in 2008, 686 million electronic messages were exchanged amongst actors in the social sector, which saved as many paper exchanges

Page 10

The solution in the social sector
• 42 electronic services for employers, either based on the electronic exchange of structured messages or via an integrated portal site
  – 50 social security declaration forms for employers have been abolished
  – in the remaining 30 (electronic) declaration forms the number of headings has on average been reduced to a third of the previous number
  – declarations are limited to 4 events
    • immediate declaration of recruitment (only electronically)
    • immediate declaration of discharge (only electronically)
    • quarterly declaration of salary and working time (only electronically)
    • occurrence of a social risk (electronically or on paper)
  – in 2008, 23 million electronic declarations were made by all 220,000 employers, 98 % of which from application to application

Page 11

The solution in the social sector
• electronic services for citizens
  – maximal automatic granting of benefits based on electronic information exchange between actors in the social sector
  – 8 electronic services via an integrated portal
    • 3 services to apply for social benefits
    • 6 services for consultation of social benefits
  – about 30 new electronic services are foreseen
• an integrated portal site containing
  – electronic transactions for citizens, employers and professionals
  – simulation environments
  – information about the entire social security system
  – harmonized instructions and information model relating to all electronic transactions
  – a personal page for each citizen, each company and each professional

Page 12

The solution in the social sector
• an integrated multimodal contact centre supported by a customer relationship management tool
• a data warehouse containing statistical information with regard to the labour market and all branches of social security

Page 13

The solution in the social sector
• reference directory
  – directory of available services/information
    • which information/services are available at any actor depending on the capacity in which a person/company is registered at each actor
  – directory of authorized users and applications
    • list of users and applications
    • definition of authentication means and rules
    • definition of authorization profiles: which kind of information/service can be accessed, in what situation and for what period of time, depending on the capacity in which the person/company is registered with the actor that accesses the information/service
  – directory of data subjects
    • which persons/companies have personal files at which actors for which periods of time, and in which capacity they are registered
  – subscription table
    • which users/applications want to automatically receive what information/services in which situations for which persons/companies in which capacity
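As an added example, not code from the presentation or from the CBSS, the four parts of the reference directory as small data structures in Python, together with the two operations a service integrator performs on them: routing a request to the actors that hold a file on the data subject, after checking the requester's authorization profile and the capacity in which the subject is registered with the requesting actor, and finding the subscribers to notify when a new file is registered. Actor codes (NEO, NPO, SF1), application names and the P-xxxx identifiers are constructed placeholders. The point the code makes is the "no central data storage" one: the directory knows what exists, about whom and where, and never holds the content itself.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FileEntry:
    """Directory of data subjects: `subject` has a file at `actor` in `capacity` for a period."""
    subject: str
    actor: str
    capacity: str
    valid_from: date
    valid_to: Optional[date] = None   # None: still open
    def active_on(self, day: date) -> bool:
        return self.valid_from <= day and (self.valid_to is None or day <= self.valid_to)


@dataclass(frozen=True)
class Profile:
    """Directory of authorized applications: what `application` (run by `actor`) may request,
    provided the data subject is registered at that actor in one of `subject_capacities`."""
    application: str
    actor: str
    info_types: frozenset
    subject_capacities: frozenset
    valid_to: Optional[date] = None


@dataclass(frozen=True)
class Subscription:
    """Subscription table: `application` wants `info_type` pushed for subjects in `capacity`."""
    application: str
    info_type: str
    capacity: str


class ReferenceDirectory:
    """Knows what, about whom and where; never holds or sees the content itself."""
    def __init__(self, services: Dict[str, Dict[str, Set[str]]], profiles, files, subscriptions):
        self.services = services                    # actor -> capacity -> info types available there
        self.profiles = {p.application: p for p in profiles}
        self.files: List[FileEntry] = list(files)
        self.subscriptions: List[Subscription] = list(subscriptions)

    def route(self, application: str, subject: str, info_type: str, day: date) -> Tuple[List[str], str]:
        """Where must a request be forwarded? Returns (actors, reason); [] means refuse."""
        p = self.profiles.get(application)
        if p is None or (p.valid_to is not None and day > p.valid_to):
            return [], "application not authorized"
        if info_type not in p.info_types:
            return [], "info type not in authorization profile"
        # The requesting actor must itself hold a live file on the subject in an accepted capacity:
        # the authorization profile is tied to the capacity in which the subject is known there.
        if not any(f.subject == subject and f.actor == p.actor and f.capacity in p.subject_capacities
                   and f.active_on(day) for f in self.files):
            return [], "no qualifying registration of subject at requesting actor"
        targets = sorted({f.actor for f in self.files if f.subject == subject and f.active_on(day)
                          and info_type in self.services.get(f.actor, {}).get(f.capacity, set())})
        return targets, ("ok" if targets else "no actor holds this information")

    def subscribers(self, entry: FileEntry) -> List[str]:
        """On registration of a new file: which authorized applications asked to be notified?"""
        available = self.services.get(entry.actor, {}).get(entry.capacity, set())
        return sorted({s.application for s in self.subscriptions
                       if s.capacity == entry.capacity and s.info_type in available
                       and s.application in self.profiles
                       and s.info_type in self.profiles[s.application].info_types})


def build_demo_directory() -> ReferenceDirectory:
    """Constructed sample directory; actor codes and identifiers are placeholders."""
    return ReferenceDirectory(
        services={"NEO": {"unemployed": {"unemployment_benefit_status"}},   # unemployment office
                  "NPO": {"pensioner": {"pension_amount"}},                  # pension office
                  "SF1": {"insured": {"insurability_status"}}},              # a sickness fund
        profiles=[Profile("sf1-app", "SF1", frozenset({"unemployment_benefit_status", "pension_amount"}),
                          frozenset({"insured"})),
                  Profile("npo-app", "NPO", frozenset({"unemployment_benefit_status"}), frozenset({"pensioner"}))],
        files=[FileEntry("P-0001", "NEO", "unemployed", date(2009, 1, 1)),
               FileEntry("P-0001", "SF1", "insured", date(2000, 1, 1)),
               FileEntry("P-0002", "NPO", "pensioner", date(2005, 6, 1)),
               FileEntry("P-0002", "SF1", "insured", date(2000, 1, 1), date(2008, 12, 31))],  # ended
        subscriptions=[Subscription("sf1-app", "unemployment_benefit_status", "unemployed")],
    )


def demo_routes() -> Dict[str, object]:
    d, day = build_demo_directory(), date(2009, 11, 5)
    return {
        "sickness fund asks unemployment status": d.route("sf1-app", "P-0001", "unemployment_benefit_status", day),
        "subject's membership ended": d.route("sf1-app", "P-0002", "pension_amount", day),
        "info type outside profile": d.route("npo-app", "P-0002", "pension_amount", day),
        "nobody holds it": d.route("sf1-app", "P-0001", "pension_amount", day),
        "unknown application": d.route("ghost-app", "P-0001", "pension_amount", day),
        "new unemployment file": d.subscribers(FileEntry("P-0003", "NEO", "unemployed", day)),
    }
```

The sickness fund may ask for the unemployment status of a person only while that person is registered with it as insured; once the membership has ended the routing refuses, even though the fund's profile still lists that info type. The refusal reason goes back to the requester, the routing targets go to the messaging layer, and the answer itself travels from the holding actor to the requester without the directory seeing it.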

Page 14

The solution in the health sector
• creation in 2008 of the eHealth platform as a coordinator and service integrator, with co-operative governance and with the following legal assignments
  – to develop a vision and a strategy for effective, efficient and secure electronic services and information exchange in health care, with respect for privacy protection and in close cooperation with the various public and private actors in the health care sector
  – to establish useful ICT-related functional and technical norms, standards, specifications and basic architecture for using ICT in order to support this vision and strategy
  – to check whether software packages for managing electronic health records comply with the established ICT-related functional and technical norms, standards and specifications, as well as to register those software packages

Page 15

The solution in the health sector
• creation in 2008 of the eHealth platform as a coordinator and service integrator, with co-operative governance and with the following legal assignments (continued)
  – to create, to manage and to develop a cooperation platform for secure electronic data exchange with useful basic services (see hereafter)
  – to agree on a distribution of tasks with regard to the collection, the validation, the storage and the availability of data exchanged over the cooperation platform and on the quality norms which those data have to meet, and to verify whether the quality norms are met
  – to promote and to coordinate the realization of programs and projects which reflect the vision and strategy and use the cooperation platform and/or its basic services

Page 16

The solution in the health sector
• creation in 2008 of the eHealth platform as a coordinator and service integrator, with co-operative governance and with the following legal assignments (continued)
  – to manage and to coordinate ICT-related aspects of data exchange with regard to electronic health records and electronic care prescriptions
  – to act as an independent trusted third party (TTP) for coding and anonymizing personal health care data for certain organizations listed in the law, in order to support scientific research and policy making
  – to conduct the necessary changes in order to execute the vision and strategy
  – to organize the cooperation with other public services in charge of the coordination of electronic service delivery

Page 17

The solution in the health sector
• no central data storage
• a well secured virtual private network based on the internet, with end-to-end encryption of personal data between all 100,000 health care actors
• a unique identification key
  – for every citizen, electronically readable from an electronic social security card and an electronic identity card
  – for every health care provider
  – for every health care institution
• multidisciplinary, high quality electronic patient records
• care pathways

Page 18

The solution in the health sector
• basic services offered by the eHealth platform on its own ICT infrastructure
  – orchestration of electronic subprocesses
  – portal environment including a content management system and a search engine
  – integrated user and access management
  – logging
  – system for end-to-end encryption
  – personal electronic mailbox for each health care provider
  – time stamping
  – coding and anonymizing for certain organizations, listed by the law
  – reference directory (what, about whom, where – no content!)

Page 19

The solution in the health sector
[Diagram: users (patients, health care providers and institutions) reach added value services (AVS) over the network: the eHealth portal, PortaHealth, MyCareNet, the INAMI site, health care institution software and health care provider software. The basic services of the eHealth platform sit between the added value services and the validated authentic sources (VAS) on the suppliers' side.]

Page 20

The solution in the health sector
• basic service
  – a service developed and made available by the eHealth platform, which can be used by an added value service provider for developing and offering an added value service
• added value service (AVS)
  – a service put at the disposal of the patients and/or the health care providers
  – the entity that develops and offers an added value service can use the basic services offered by the eHealth platform for this purpose
• validated authentic source (VAS)
  – a database with information used by the eHealth platform
  – the administrator of the database is responsible for the availability and (the organization of) the quality of the information made available

Page 21

Towards a network of service integrators
[Diagram: the Internet, the federal MAN (FEDMAN), the region or community extranets, the social sector extranet and the local networks (VPN, Publi-link, VERA, …) connect the FPS, ASS and RPS nodes and the cities, provinces and municipalities, each group with its own services repository, through a service integrator per level: FEDICT at federal level, the CBSS for the social sector, and Corve, Easi-Wal, CIRB, … at regional level.]

Page 22

Advantages
• gains in efficiency
  – in terms of cost: services are delivered at a lower total cost
    • due to
      – a unique information collection using a common information model and administrative instructions
      – less need to re-encode information, by stimulating electronic information exchange
      – a drastic reduction of the number of contacts between actors in the social and health sector on the one hand and companies or citizens on the other
      – a functional task sharing concerning information management, information validation and application development
      – a minimal administrative burden
      – a connection to one electronic platform is sufficient for using several applications
    • according to a study of the Belgian Planning Bureau, rationalization of the information exchange processes between the employers and the social sector implies an annual saving of administrative costs of about 1.7 billion € for the companies

Page 23

Advantages
• gains in efficiency
  – in terms of quantity: more services are delivered
    • services are available at any time, from anywhere and from several devices
    • services are delivered in an integrated way according to the logic of the customer
  – in terms of speed: the services are delivered in less time
    • benefits can be allocated quicker because information is available faster
    • waiting and travel time is reduced
    • companies and citizens can directly interact with the competent actors in the social or health sector, with real time feedback

Page 24

Advantages
• gains in effectiveness: better social protection, higher quality of health care and higher patient safety
  – in terms of quality: same services at same total cost in same time, but to a higher quality standard
  – in terms of type of services: new types of services, e.g.
    • automated granting of benefits
    • active search for non-take-up using data warehousing techniques
    • controlled management of own personal information
    • personalized simulation environments
    • easier referral between health care providers/institutions
  – in terms of support of professionals in executing their profession
• better support of social and health policy
• more efficient combating of fraud

Page 25

Strategic importance of IAM
• reliable exchange of personal data requires sufficient certainty about the identity of the data subjects
• adequate access control requires sufficient certainty about
  – the identity of the users
  – the authentication of the identity of the users
  – the verification of certain characteristics of the users
  – the verification of certain relationships between the users and the data subjects
  – the verification of certain mandates of the users

Page 26

IAM: objectives to be reached
• be able to (electronically)
  – identify all relevant entities (physical persons, companies, applications, machines, …)
  – know the relevant characteristics of the entities
  – know the relevant relationships between entities
  – know that an entity has been mandated by another entity to perform a legal action
  – know the authorizations of the entities
• in a sufficiently certain and secure way
• in as many relations as possible (C2C, C2B, C2G, B2B, B2G, …)
• using open interoperability standards

Page 27

Conceptual framework
• entity
  – someone or something that has to be identified
  – e.g. a physical person, a company, a computer application, …
• attribute
  – a piece of information about an entity
• identity
  – a number or a set of attributes of an entity that allows one to know precisely who or what the entity is
  – an entity has only one identity, but this identity can be determined by several numbers or sets of attributes

Page 28

Conceptual framework
• characteristic
  – an attribute of an entity, other than an attribute determining its identity
  – an entity can have several characteristics
  – e.g. a capacity, a function, a professional qualification, ...
• relationship
  – a link between two or more entities
  – an entity can have several relationships
  – e.g. a therapeutic relationship between a health care provider and a patient

Page 29

Conceptual framework
• mandate
  – a right granted by an identified entity to another identified entity to perform well-defined legal actions in its name and on its behalf
  – an entity can have several mandates
• registration
  – the process of determining the identity, a characteristic, a relationship or a mandate of an entity with sufficient certainty
  – before making available the means by which the identity can be authenticated, or the characteristic, the relationship or the mandate can be verified

Page 30

Conceptual framework
• authentication of the identity
  – the process of checking whether the identity that an entity claims to have corresponds to its real identity
  – authentication of the identity can be done based on the verification of
    • knowledge (e.g. a password)
    • possession (e.g. an electronic card)
    • biometric characteristics
    • a combination of those

Page 31

Conceptual framework
• verification of a characteristic, a relationship or a mandate
  – the process of checking whether a characteristic, a relationship or a mandate that an entity claims to have corresponds to a real characteristic, relationship or mandate of that entity
  – the verification of a characteristic, a relationship or a mandate can be done by
    • the same kind of means as those used for the authentication of the identity
    • or, after the authentication of the identity, by consulting a database that contains information about characteristics, relationships or mandates related to identified entities

Page 32

Conceptual framework
• authorization
  – a permission for an entity to perform a defined action or to use a defined service
• authorization group
  – a group of authorizations
• role
  – a group of authorizations or authorization groups related to a specific service
• role based access
  – a method of assigning authorizations to entities by means of authorization groups and roles, in order to simplify the management of authorizations and their assignment to entities

Page 33

Choices made in Belgium
• identification number for every citizen and every company
  – characteristics
    • uniqueness
      – one entity – one identification number
      – the same identification number is not assigned to several entities
    • exhaustiveness
      – every entity to be identified has an identification number
    • stability through time
      – the identification number should not contain variable characteristics of the identified entity
      – the identification number should not contain references to the identification number or characteristics of other entities
      – the identification number should not change when a quality or characteristic of the identified entity changes

Page 34

Choices made in Belgium
• art. 8(7) of Directive 95/46/EC: "Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed"
  – evolution towards meaningless identification numbers
  – unique identification numbers of citizens can only be used by bodies authorized by a Sectoral Committee of the National Privacy Commission
  – regulation on interconnection of personal data
• registration of the identity of citizens by the municipalities
• registration of the identity of companies by company counters

Page 35

Choices made in Belgium
• registration of characteristics, relationships and mandates relevant for eGovernment by private or public bodies designated by government
• authentication of the identity of physical persons by the electronic identity card
• verification of characteristics, relationships and mandates relevant for eGovernment preferably by consulting authentic databases
• multifunctional use of authentication and verification means
• authorization is the responsibility of each service provider
• implementation based on a policy enforcement model

Page 36

Policy Enforcement Model
[Diagram: the User requests an action on the Application, where the Policy Enforcement Point (PEP) sits. The PEP sends a decision request to the Policy Decision Point (PDP) and receives a decision reply, after which the action on the application is PERMITTED or DENIED. The PDP retrieves policies from the Policy Administration Point (PAP), whose policy repository is maintained by a Manager through policy management, and exchanges information requests and replies with one or more Policy Information Points (PIP), each backed by an authentic source.]

Page 37

Policy Enforcement Point (PEP)
• intercepts the request for authorization with all available information about the user, the requested action, the resources and the environment
• passes on the request for authorization to the Policy Decision Point (PDP) and extracts a decision regarding authorization
• grants access to the application and provides relevant credentials

[Diagram: User → Application (PEP) → decision request / decision reply with the PDP → action on application PERMITTED or DENIED.]

Page 38

Policy Decision Point (PDP)
• based on the request for authorization received, retrieves the appropriate authorization policy from the Policy Administration Point(s) (PAP)
• evaluates the policy and, if necessary, retrieves the relevant information from the Policy Information Point(s) (PIP)
• takes the authorization decision (permit/deny/not applicable) and sends it to the PEP

[Diagram: Application (PEP) ↔ PDP (decision request / decision reply); PDP ← PAP (retrieval of policies); PDP ↔ PIPs (information request / reply).]

Page 39

Policy Administration Point (PAP)
• environment to store and manage authorization policies by authorized person(s) appointed by the application managers
• puts authorization policies at the disposal of the PDP

[Diagram: Manager → policy management → policy repository in the PAP; PDP ← PAP (retrieval of policies).]

Page 40

Policy Information Point (PIP)
• puts information at the disposal of the PDP in order to evaluate authorization policies (authentic sources with characteristics, relationships, mandates, etc.)

[Diagram: PDP ↔ PIP 1 and PIP 2 (information request / reply), each PIP backed by its own authentic source.]
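As an added example, not code from the presentation or from any of the platforms it describes, the policy enforcement model of pages 36 to 40 and the verification-by-database and role based access of pages 31 and 32 in one runnable Python sketch: a PEP that intercepts an action, a PDP that fetches policies from a PAP and attributes from a PIP, and a PIP backed by three constructed authentic sources (characteristics, therapeutic relationships, mandates). Policies are plain Python callables rather than XACML, the permit-overrides combining rule is an assumption of the example, and all identifiers (dr-a, pat-1, emp-9, the resource and role names) are placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

PERMIT, DENY, NOT_APPLICABLE = "PERMIT", "DENY", "NOT_APPLICABLE"


@dataclass(frozen=True)
class Request:
    """Decision request built by the PEP: authenticated user, action, resource, data subject."""
    user: str        # identity already authenticated (e.g. by the eID authentication certificate)
    action: str
    resource: str
    subject: str     # the person or company the resource is about


class PIP:
    """Policy Information Point: answers attribute questions from (constructed) authentic sources."""
    def __init__(self, characteristics, relationships, mandates):
        self._chars: Dict[str, Set[str]] = characteristics  # user -> characteristics
        self._rels = relationships      # {(provider, patient)}: therapeutic relationships
        self._mandates = mandates       # {(principal, mandatary, action)}
    def characteristics(self, user: str) -> Set[str]:
        return self._chars.get(user, set())
    def has_relationship(self, user: str, subject: str) -> bool:
        return (user, subject) in self._rels
    def has_mandate(self, principal: str, user: str, action: str) -> bool:
        return (principal, user, action) in self._mandates


@dataclass(frozen=True)
class Policy:
    resource: str
    action: str
    role: str                                   # role required (role based access)
    condition: Callable[[Request, PIP], bool]   # relationship or mandate check via the PIP


class PAP:
    """Policy Administration Point: policy repository plus characteristic-to-role mapping."""
    def __init__(self, policies: List[Policy], roles_by_characteristic: Dict[str, Set[str]]):
        self.policies, self.roles_by_characteristic = policies, roles_by_characteristic
    def policies_for(self, resource: str, action: str) -> List[Policy]:
        return [p for p in self.policies if p.resource == resource and p.action == action]
    def roles_for(self, characteristics: Set[str]) -> Set[str]:
        return {r for c in characteristics for r in self.roles_by_characteristic.get(c, set())}


class PDP:
    """Policy Decision Point: policies from the PAP, attributes from the PIP, one decision."""
    def __init__(self, pap: PAP, pip: PIP):
        self.pap, self.pip = pap, pip
    def decide(self, req: Request) -> str:
        policies = self.pap.policies_for(req.resource, req.action)
        if not policies:
            return NOT_APPLICABLE
        roles = self.pap.roles_for(self.pip.characteristics(req.user))
        # permit-overrides (assumed combining rule): one applicable policy whose role and condition hold permits
        if any(p.role in roles and p.condition(req, self.pip) for p in policies):
            return PERMIT
        return DENY


class PEP:
    """Policy Enforcement Point: intercepts the action, asks the PDP, enforces and logs."""
    def __init__(self, pdp: PDP):
        self.pdp, self.log = pdp, []
    def perform(self, req: Request, handler: Callable[[Request], str]) -> Optional[str]:
        decision = self.pdp.decide(req)
        self.log.append((req, decision))        # logging is one of the platform's basic services
        if decision != PERMIT:                  # DENY and NOT_APPLICABLE both block: default deny
            return None
        return handler(req)


def demo_decisions() -> Dict[str, object]:
    """Constructed sample deployment; identifiers are placeholders, not real ones."""
    pip = PIP(characteristics={"dr-a": {"physician"}, "dr-b": {"physician"}, "acct-c": {"accountant"}},
              relationships={("dr-a", "pat-1")}, mandates={("emp-9", "acct-c", "file-declaration")})
    pap = PAP(
        policies=[
            # read a patient record: role care_provider AND a therapeutic relationship with that patient
            Policy("patient_record", "read", "care_provider", lambda r, i: i.has_relationship(r.user, r.subject)),
            # file an employer's declaration: role social_secretariat AND a mandate from that employer
            Policy("declaration", "file", "social_secretariat",
                   lambda r, i: i.has_mandate(r.subject, r.user, "file-declaration")),
        ],
        roles_by_characteristic={"physician": {"care_provider"}, "accountant": {"social_secretariat"}},
    )
    pep = PEP(PDP(pap, pip))
    handler = lambda r: f"{r.action} {r.resource} of {r.subject}"
    out = {
        "treating physician": pep.perform(Request("dr-a", "read", "patient_record", "pat-1"), handler),
        "other physician": pep.perform(Request("dr-b", "read", "patient_record", "pat-1"), handler),
        "accountant reads record": pep.perform(Request("acct-c", "read", "patient_record", "pat-1"), handler),
        "mandated accountant": pep.perform(Request("acct-c", "file", "declaration", "emp-9"), handler),
        "unmandated accountant": pep.perform(Request("acct-c", "file", "declaration", "emp-8"), handler),
        "no policy for action": pep.perform(Request("dr-a", "delete", "patient_record", "pat-1"), handler),
    }
    out["log"] = [decision for _, decision in pep.log]
    return out
```

Two points the sketch makes concrete. The application never decides for itself: the PEP runs the handler only on an explicit PERMIT, so a request no policy covers (NOT_APPLICABLE) is blocked just like a DENY. And a characteristic alone does not open the door: both physicians map to the care_provider role, but only the one whose therapeutic relationship with the patient is found in the authentic source gets the record, which is the "after authentication, consult a database" verification of page 31.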

Page 41

Global architecture
[Diagram: the same policy enforcement pattern instantiated three times, for the eHealth platform, the social sector (CBSS) and the non-social federal public services (Fedict). In each instance a USER reaches the APPLICATIONS (e.g. WebApp XYZ) through authentication, an authorisation PEP and a role mapper; the PDP consults a role provider, a PAP ("Kephas") backed by a role mapper DB, and PIP attribute providers backed by authentic sources and databases (UMAF, RIZIV, management VAS, DB Mandates, DB judicial executors, DB XYZ, …).]

Page 42

Electronic identity card (eID)
• aims to enable Belgian citizens
  – to identify themselves (electronically)
  – to electronically authenticate their identity towards diverse applications
  – and to put digital signatures
• validity period of 5 years, extended to 10 years for elderly people

Page 43

Electronic identity card (eID)

• from a visual point of view the electronic identity card contains
  – the name
  – the first two Christian names
  – the first letter of the third Christian name
  – the nationality
  – the place and date of birth
  – the sex
  – the place of delivery of the card
  – the begin and end dates of the validity of the card
  – the denomination and number of the card
  – the photo of the holder
  – the signature of the holder
  – the identification number of the National Register

Page 44

Electronic identity card (eID)

• from an electronic point of view the chip of the electronic identity card contains the same information as printed on the card, supplemented with
  – the identity and signature keys
  – the identity and signature certificates
  – the accredited certification service provider
  – information necessary for authentication of the card and securing of the electronic data
  – the main residence of the holder
• no other data than identification data
• no encryption certificates
• no electronic purse
• no biometric data (yet)

Page 45

No other data than identification data

• why not?
  – preventing perception of the card as a big brother
  – preventing loss of data when the card is lost
  – preventing frequent updates of the card
• stimulating controlled access to data over networks, using the card as an access tool, rather than storage of data on the card

Page 46

eID organization model

• the government has chosen a card producer and a certification authority issuing the identity certificates as a result of a public call for tenders
• the municipality calls the holder for the issuing of the electronic identity card
• the municipality acts as registration authority for 2 certificates: authentication of the identity and electronic signature
• 2 key pairs are generated within the card at production time and the private keys are stored within the processor chip of the card
• the 2 certificates are created by the certification authority, but published only when the holder agrees

Page 47

eID organization model

• the use of the private keys within the chip requires an activation of the card by a municipal official using his PUK2 and the PUK1 sent to the holder
• the first authentication within one session (first private key) and every generation of an electronic signature (second private key) requires the PIN code of the holder
• the second private key and identity certificate on the electronic identity card can be used to generate a legally valid electronic signature

Page 48

eID partners

Page 49

National Register and CBSS Register

• National Register
  – database managed by the Ministry of the Interior
  – containing identification data with regard to all people living in Belgium and registered within the municipal population registers
  – data are managed by the municipalities
• CBSS register
  – database managed by the Crossroads Bank for Social Security
  – containing identification data with regard to all people that are not registered (anymore) within the National Register, but that are in relation with the Belgian public or social sector
  – subsidiary and complementary to the National Register
  – data are managed by the sickness funds

Page 50

National Register and CBSS Register

• content
  – unique identification key
  – name and Christian names
  – place and date of birth
  – place and date of death
  – sex
  – nationality
  – civil status
  – main residence
  – family composition (not in CBSS register)
  – profession (not in CBSS register)

Page 51

Division of costs

• population registers: municipalities
• National Register: Ministry of the Interior
• CBSS Register: Crossroads Bank for Social Security
• eID: citizen (10 €)

Page 52

International context: some issues

• determination of the means by which an entity can be identified within each country and across countries
• the way identity management on the one hand, and characteristics, relationships and mandates management on the other, are kept well separated in order to guarantee the multifunctional use of identity authentication means
• the quality assurance criteria for the registration procedures that are used to determine the identity, relevant characteristics, relationships or mandates before linking them to authentication or verification means

Page 53

International context: some issues

• the quality assurance criteria for authentication and verification means and their use
• an organizational, functional and technical interoperability framework to exchange identity, characteristics, relationships, mandates and authentication data based on open standards
• the necessary legal framework for identity, characteristics, relationships and mandates management, with a good balance between trust enhancing measures and measures guaranteeing a free market

Page 54

International context: proposed method

• to work out a common conceptual framework, a common vision and common basic principles
• to translate these principles into common, measurable objectives
• to ask every state to develop an action plan to achieve these objectives
• to elaborate an architecture and guidebooks to implement the principles
• to create a forum for the exchange of best practices

Page 55

Information security and privacy protection

• overall policy on security and privacy protection for eGovernment
  – security, integrity and confidentiality of government information are ensured by integrating ICT measures with structural, organizational, physical, personnel screening and other security measures according to agreed policies
  – personal information is only used for purposes compatible with the purposes of the collection of the information
  – personal information is only accessible to authorized institutions and users according to business needs, legislative or policy requirements

Page 56

Information security and privacy protection

• overall policy on security and privacy protection for eGovernment
  – the authorizations for government bodies to communicate personal information to third parties are granted by Sectoral Committees of the Privacy Commission, designated by Parliament, after having checked whether the communication conditions (e.g. purpose limitation, proportionality) are met
  – the authorizations for communication are public
  – every concrete electronic communication of personal information by a government body is preventively checked for compliance with the existing authorizations by an independent institution managing the interoperability framework used for the communication
  – every concrete electronic communication of personal information by a government body is logged, to be able to trace possible abuse afterwards
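The preventive check and the logging of the last two bullets, as an added example in Python that is not CBSS code. The Sectoral Committee authorization, the institution names ("sickness-fund", "pension-institution"), the purpose and the record are constructed sample data; the example denies a communication that has no authorization or that carries data items beyond the authorized ones (proportionality), and writes a log entry in both cases so that a citizen's exchanges can be traced afterwards.

```python
# Added illustration of the interoperability framework's preventive authorization check
# and audit log (slide 56); not CBSS code. All names and data below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Authorization:
    """One public authorization granted by a Sectoral Committee (constructed sample)."""
    sender: str
    receiver: str
    purpose: str
    data_items: FrozenSet[str]   # proportionality: only these items may be communicated


AUTHORIZATIONS = [
    Authorization("sickness-fund", "pension-institution", "pension-calculation",
                  frozenset({"nrn", "incapacity_periods"})),
]


@dataclass
class Gateway:
    """The independent institution managing the interoperability framework."""
    log: List[Dict[str, object]] = field(default_factory=list)

    def find_authorization(self, sender: str, receiver: str,
                           purpose: str) -> Optional[Authorization]:
        for auth in AUTHORIZATIONS:
            if (auth.sender, auth.receiver, auth.purpose) == (sender, receiver, purpose):
                return auth
        return None

    def communicate(self, sender: str, receiver: str, purpose: str,
                    record: Dict[str, object]) -> bool:
        """Check the communication against the authorizations before it takes place,
        and log it either way so that possible abuse can be traced afterwards."""
        auth = self.find_authorization(sender, receiver, purpose)
        surplus = set(record) - (set(auth.data_items) if auth else set())
        allowed = auth is not None and not surplus
        if allowed:
            reason = "ok"
        elif auth is None:
            reason = "no authorization"
        else:
            reason = "items outside authorization: " + ",".join(sorted(surplus))
        self.log.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "sender": sender, "receiver": receiver, "purpose": purpose,
            "subject": record.get("nrn"),   # whom the data are about
            "items": sorted(record),        # which items were requested, never their values
            "allowed": allowed, "reason": reason,
        })
        return allowed

    def trace(self, subject: str) -> List[Dict[str, object]]:
        """All logged communications about one citizen, for access requests or abuse tracing."""
        return [entry for entry in self.log if entry["subject"] == subject]
```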

Page 57

Information security and privacy protection

• overall policy on security and privacy protection for eGovernment
  – every time information is used to take a decision, the information used is communicated to the person concerned together with the decision
  – every person has the right to access and correct his own personal data
  – this system has been implemented in the Belgian social security sector for about 20 years and is being extended to the whole Belgian government sector

Page 58

Information security and privacy protection

• security, availability, integrity and confidentiality of information are ensured by integrated
  – institutional
  – legal
  – organizational
  – HR-related
  – technical
  security measures according to agreed policies

Page 59

Institutional measures

• no central data storage
• every actor has an information security officer with an advisory, stimulating, documentary and control task
• specialized information security service providers have been recognized in order to support the information security officers
• a working party on information security and privacy protection has been established
• minimal information security and privacy protection standards are proposed by the working party on information security and privacy protection and are established by the competent Sectoral Committee

Page 60

Institutional measures

• every year, every actor has to report to the competent Sectoral Committee on compliance with the minimal information security and privacy protection standards
• in case an actor does not meet the minimal information security and privacy protection standards, the competent Sectoral Committee can prohibit the actor from being connected to the system for electronic data exchange

Page 61

Independent Sectoral Committees

• established within the Privacy Commission
• composed of
  – 2 members of the Privacy Commission
  – 4 independent domain specialists designated by Parliament
• competences
  – supervision of information security
  – authorizing the information exchange
  – complaint handling
  – information security recommendations
  – extensive investigating powers
  – annual activity report

Page 62

Legal measures

• obligations of the actors as data controllers
  – principles relating to fair and lawful processing and data quality
  – information to be given to the data subject
  – confidentiality and security of processing
• rights of the data subjects (i.e. the natural persons the personal data relate to)
  – right of privacy protection
  – right of information
  – right of access
  – right of rectification, erasure or blocking
  – right not to be subject to fully automated individual decisions
  – right of a judicial remedy
• remedies, liability and sanctions

Page 63

Fair and lawful processing and data quality

• fair and lawful processing
• collection only for specified, explicit and legitimate purposes
• no further processing in a way incompatible with those purposes
• personal data must be adequate, relevant and not excessive in relation to those purposes
• personal data must be accurate and kept up to date
• personal data must not be kept longer than necessary for those purposes in a form which permits the identification of the data subject

Page 64

Fair and lawful processing and data quality

• respect of additional protection measures related to sensitive data, i.e. data revealing or concerning
  – racial or ethnic origin
  – political opinions
  – religious or philosophical beliefs
  – trade union membership
  – health
  – sexual life
  – offences, criminal convictions or security measures

Page 65

Confidentiality and security

• no access to personal data is permitted except on instructions from the controller or if required by law
• appropriate technical and organizational security measures
  – protection against
    • accidental or unlawful destruction
    • accidental loss
    • alteration
    • unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network
    • all other forms of unlawful processing
  – measures have to be appropriate
    • to the risks represented by the processing
    • and the nature of the data to be protected
    • having regard to the state of the art
    • and the cost of their implementation

Page 66

Confidentiality and security

• where processing is carried out by an external processor
  – the controller has to choose a processor guaranteeing sufficient technical and organizational security measures
  – the controller must ensure compliance of the processing with the security measures
  – the carrying out of the processing must be governed by a written contract or legal act stipulating in particular that
    • the processor shall act only on instructions from the controller
    • the security obligations shall also be incumbent on the processor

Page 67

Remedies, liability and sanctions

• remedies
  – administrative remedies, inter alia before the Sectoral Committee
  – judicial remedies
  – for any breach of the rights guaranteed by the applicable national law
• liability
  – right to compensation from the controller for the damage suffered as a result of an unlawful processing operation, unless the controller proves not to be responsible for the event giving rise to the damage
• sanctions
  – penal sanctions
  – interdiction to process personal data

Page 68

Organizational, HR-related & technical measures

• risk assessment
• security policies
• governance and organization of information security
• inventory and classification of information
• human resources security
• physical and environmental security
• management of communication and service processes
• processing of personal data
• access control
• acquisition, development and maintenance of information systems
• information security incident management
• business continuity management
• compliance: internal and external control
• communication to the public of the policies concerning security and the protection of privacy

Page 69

More information

• website Crossroads Bank for Social Security
  – http://www.ksz.fgov.be
• website eHealth platform
  – https://www.ehealth.fgov.be
• personal website Frank Robben
  – http://www.law.kuleuven.be/icri/frobben

Page 70

Th@nk you !

Any questions ?