Policy and legal framework development for Digital Security in Estonia
Hannes Astok, Project Manager, eGovernance Academy, Estonia
Why a policy framework?
• Growing threats and security concerns
• Vulnerability of the critical information systems
• Need for coordinated activities
• Clear roles and responsibilities between the institutions
• Better protection of information systems and critical infrastructure
• Estonian Cyber Security Strategy 2008-2013
Goals of the strategy
1. The development and large-scale implementation of a system of security measures
2. Increasing competence in cyber security
3. Improvement of the legal framework for supporting cyber security
4. Bolstering international co-operation
5. Raising awareness on cyber security
Relations to the other national development plans
• Information Security Interoperability Framework (2007)
• Information Society Strategy 2013
• Knowledge-Based Estonia: R&D Development Strategy 2007-2013
• Criminal policy development strategy
• Education and health development plans
Legal framework - International law
Council of Europe:
• Convention on Cybercrime 2004
EU legal framework
• attacks against information systems: Council Framework Decision 222/2005/JHA
• protection of personal data (95/46/EC and 2002/58/EC)
• electronic communications (2002/58/EC)
• retention of data (2006/24/EC)
• re-use of public sector information (2003/98/EC)
• information society services (2000/31/EC)
National legal framework
• Penal Code: responsibility and penalties for various types of crime and attacks
• Electronic Communications Act: requirements for publicly available electronic communications networks and communications services
National legal framework 2
• Personal Data Protection Act: clear legal basis for processing any kind of personal data
• Public Information Act: regulates the basis and procedures for accessing public information
National legal framework 3
• Information Society Services Act: limits the liability of Internet service providers for the content of their service, addresses spam-related issues and sets general requirements for the provision of information society services
International Cooperation
• United Nations: issues of cyber security are addressed by a high-level expert group of the Internet Governance Forum (IGF) and the International Telecommunication Union (ITU)
International Cooperation: EU
• European Commission
• The European Network and Information Security Agency (ENISA) provides support to EU member states, institutions and entrepreneurs in the prevention and management of breaches in information security
International Cooperation: EU 2
• European Programme for Critical Infrastructure Protection - EU research network related to cyber security
The tool: Three-level baseline security system for information systems
Information Security
• Information security is an on-going process aimed at ensuring the confidentiality, integrity and availability of data (data assets). Information security does not consist solely of classifying information or installing firewalls. The goal is to find a balance between these three components.
Data availability
• Data availability means timely and easy availability of data to authorised users (individuals or technical systems), i.e. at the required moment and within the previously agreed period, during the required or agreed working time.
Data integrity
• Data integrity means ensuring the accuracy, completeness and up-to-date nature of data, the authenticity of their origin and the absence of any unauthorised modifications.
Data confidentiality
• Data confidentiality means making data available only to authorised users (individuals or technical systems), while keeping them unavailable to all other entities.
What is the three-level baseline security system for information systems (ISKE)?
• An information security standard developed for the Estonian public sector.
• One of the systems intended to protect the state information system.
• The preparation and development of ISKE is based on a German information security standard, the IT Baseline Protection Manual (IT-Grundschutz in German), which has been adapted to match the Estonian situation.
• ISKE is absolute in nature: all the identified security measures must be applied to ensure compliance with ISKE.
ISKE or three-level baseline security system for information systems
• Baseline security system: one set of developed security measures, applicable to all information assets regardless of their real security requirements. ISKE is based upon the German BSI baseline security system, which contains more than 1,000 security measures. The main disadvantage of this system is that an average set of measures is applied to systems with different security requirements.
ISKE or three-level baseline security system for information systems
• Three-level baseline security system: three different sets of security measures have been developed for three different security requirements (different databases and information systems may have different security levels). Compared to the one-level baseline security system this version is more accurate (and more economical), while being less accurate than a detailed risk analysis.
Identifying the security level of information assets for ISKE
ISKE or three-level baseline security system for information systems
• The levelled baseline security system is more economical, as there is no need to apply expensive security measures to data with limited security requirements.
• Implementing a security system with different levels brings additional expenses for analysing data and information systems and for procuring the required set of security measures.
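To make the trade-off described on these slides concrete, the following added example (not code from the presentation, nor the actual ISKE measure catalogue) models a levelled baseline: each asset is rated 1-3 on confidentiality, integrity and availability, the highest rating selects one of three cumulative measure sets, and the cost of that approach is compared with a one-level baseline that applies the full set to every asset. It also shows the "absolute" compliance check, where every measure in the selected set must be present. The level names, measure identifiers, costs and sample assets are all constructed for illustration.

```python
from dataclasses import dataclass

# Three security levels, ordered from weakest to strongest requirement.
# ASSUMPTION: names and the "highest rating wins" rule are illustrative,
# not the real ISKE classification scheme.
LEVELS = ("low", "medium", "high")

# Constructed measure sets: measure id -> relative cost unit.
# A higher level applies its own measures plus all lower-level ones.
MEASURE_SETS = {
    "low": {"M1-password-policy": 2, "M2-weekly-backup": 3},
    "medium": {"M3-monthly-patching": 4, "M4-log-retention": 3},
    "high": {"M5-encryption-at-rest": 8, "M6-24x7-monitoring": 12},
}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # 1 (limited) .. 3 (critical)
    integrity: int
    availability: int


def required_level(confidentiality: int, integrity: int, availability: int) -> str:
    """The strictest of the three CIA requirements decides the asset's level."""
    ratings = (confidentiality, integrity, availability)
    for r in ratings:
        if r not in (1, 2, 3):
            raise ValueError(f"rating must be 1, 2 or 3, got {r!r}")
    return LEVELS[max(ratings) - 1]


def measures_for(level: str) -> dict:
    """Cumulative measure set for a level (all lower levels included)."""
    merged = {}
    for lvl in LEVELS[: LEVELS.index(level) + 1]:
        merged.update(MEASURE_SETS[lvl])
    return merged


def one_level_baseline_cost(assets) -> int:
    """One-level baseline: every asset gets the full (highest) set."""
    full_cost = sum(measures_for("high").values())
    return full_cost * len(assets)


def three_level_baseline_cost(assets) -> int:
    """Levelled baseline: each asset gets only the set its level requires."""
    total = 0
    for a in assets:
        level = required_level(a.confidentiality, a.integrity, a.availability)
        total += sum(measures_for(level).values())
    return total


def missing_measures(asset: Asset, implemented) -> list:
    """Absolute compliance: list every required measure not yet implemented."""
    level = required_level(asset.confidentiality, asset.integrity, asset.availability)
    return sorted(m for m in measures_for(level) if m not in set(implemented))


# Constructed sample assets (not real Estonian systems).
SAMPLE_ASSETS = [
    Asset("public website", confidentiality=1, integrity=2, availability=2),
    Asset("hr records", confidentiality=3, integrity=2, availability=1),
    Asset("internal wiki", confidentiality=1, integrity=1, availability=1),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(a.name, "->", required_level(a.confidentiality, a.integrity, a.availability))
    print("one-level baseline cost:", one_level_baseline_cost(SAMPLE_ASSETS))
    print("three-level baseline cost:", three_level_baseline_cost(SAMPLE_ASSETS))
    print("hr records missing:", missing_measures(SAMPLE_ASSETS[1], ["M1-password-policy", "M5-encryption-at-rest"]))
```

The cost figures only illustrate the slides' economic argument: the levelled system saves on assets with limited requirements, while the classification step itself (rating each asset) is the extra analysis work the slides mention as an added expense.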
Legislation for the implementation of ISKE
• The terms and conditions for auditing the implementation of ISKE are established by a Regulation of the Government of Estonia
Hannes Astok
E: email@example.com
M: +372 5091366
S: hannesastok
W: www.ega.ee