1. Policy and legal framework
development for Digital Security
in Estonia
Hannes Astok
Project Manager
eGovernance Academy Estonia
2. Why policy framework?
• Growing threats and security concerns
• Vulnerability of the critical information systems
• Need for coordinated activities
• Clear roles and responsibilities between the
institutions
• Better protection of information systems and critical
infrastructure
• Estonian Cyber Security Strategy 2008-2013
3. Goals of the strategy
1. The development and large-scale
implementation of a system of security
measures
2. Increasing competence in cyber security
3. Improvement of the legal framework for
supporting cyber security
4. Bolstering international co-operation
5. Raising awareness on cyber security
4. Relations to the other national
development plans
• Information Security Interoperability
Framework (2007)
• Information Society Strategy 2013
• Knowledge-Based Estonia: R&D
Development Strategy 2007-2013
• Criminal policy development strategy
• Education and health development plans
6. EU legal framework
• attacks against information systems: Council
Framework Decision 222/2005/JHA
• protection of personal data (95/46/EC and
2002/58/EC);
• electronic communications (2002/58/EC);
• retention of data (2006/24/EC);
• re-use of public sector information (2003/98/EC);
• information society services (2000/31/EC).
7. National legal framework
• Penal Code: responsibility and penalties
about various types of crime and attacks
• Electronic Communications Act:
requirements for publicly available
electronic communications networks and
communications services
8. National legal framework 2
• Personal Data Protection Act: clear legal
basis for processing any kind of personal
data
• Public Information Act: regulates the
basis and procedures for the accessing of
public information
9. National legal framework 3
• Information Society Services Act: limits
the liability of Internet service providers for
the content of their service, spam related
issues and general requirements for the
provision of information society services.
10. International Cooperation
• United Nations: issues of cyber security
are addressed by a high-level expert
group of the Internet Governance Forum
(IGF) and the International
Telecommunication Union (ITU).
11. International Cooperation: EU
• European Commission
• The European Network and Information
Security Agency (ENISA) provides
support to EU member states, institutions
and entrepreneurs in the prevention and
management of breaches in information
security.
12. International Cooperation: EU 2
• European Programme for Critical
Infrastructure Protection – EU research
network related to cyber security
14. Information Security
• Information security is an on-going
process, which is aimed at ensuring the
confidentiality, integrity and availability of
data (data assets). Information security
does not solely represent the classification
of information or fitting of firewalls. The
goal is to find a balance between these
three components.
15. Data availability
• Data availability represents timely and
easy availability (i.e. at the
necessary/required moment of time and
within the necessary/required period of
time that has been previously agreed
upon) of data to authorised users
(individuals or technical systems) during
the required/agreed working time
16. Data integrity
• Data integrity means ensuring the
accuracy/completeness/up-to-date nature
of data, authenticity of their origin and
absence of any unauthorised
modifications.
17. Data confidentiality
• Data confidentiality means making data
available only to authorised users
(individuals or technical systems), while
keeping them unavailable for all other
entities.
18. What is the three-level baseline security
system for information systems (ISKE)?
• An information security standard that is developed for
the Estonian public sector.
• One of the systems intended to ensure the security of the
state information system
• The preparation and development of ISKE is based on a
German information security standard - IT Baseline
Protection Manual (IT-Grundschutz in German), which
has been adapted to match the Estonian situation.
• ISKE is absolute in nature – all of the identified security
measures must be applied to ensure compliance with
ISKE.
19. ISKE or three-level baseline security
system for information systems
• Baseline security system – one set of developed
security measures, which will be applicable to all
information assets, regardless of their real security
requirements. ISKE is based upon the German BSI
baseline security system, which contains more
than 1,000 security measures. The main
disadvantage of the system is the implementation
of an average set of measures to systems with
different security requirements.
20. ISKE or three-level baseline security
system for information systems
• Three-level baseline security system – three
different sets of security measures for three
different security requirements have been
developed (different databases and information
systems may have different security levels).
Compared to the one-level baseline security
system this version is more accurate (and more
economical), while still being less accurate than a
detailed risk analysis.
22. ISKE or three-level baseline security
system for information systems
• The levelled baseline security system is more
economical, as there is no need to exercise expensive
security measures on data with limited security
requirements.
• Implementing a security system with several
levels, however, incurs additional expenses for
analysing the data and information systems and for
outsourcing the required set of security
measures.
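The trade-off that slides 19 to 22 describe can be made concrete with a small model. The following code is an added illustration, not part of the presentation and not ISKE's own classification scheme or measure catalogue: the asset register, the three measure catalogues and their cost units are constructed here, and the rule that an asset's level is the highest of its confidentiality, integrity and availability requirements (the three components from slides 15 to 17) is an assumption of this model. It computes what every asset would cost under a one-level baseline (everything gets the full catalogue) against a three-level baseline (each asset gets only its own level's measures).

```python
"""Toy model of a one-level vs. three-level baseline security system.

Added example, not from the presentation or from the ISKE standard itself:
the asset list, measure catalogues and costs are constructed, and the rule
"asset level = highest of its C/I/A requirements" is an assumption made here
to illustrate the concept, not ISKE's actual classification scheme.
"""
from dataclasses import dataclass

# Security requirement levels for each CIA component (constructed scale).
LOW, MEDIUM, HIGH = 0, 1, 2
LEVEL_NAMES = {LOW: "low", MEDIUM: "medium", HIGH: "high"}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # required level, 0..2
    integrity: int
    availability: int


def asset_level(asset: Asset) -> int:
    """Assumption: an asset's baseline level is the highest level required
    by any of its three CIA components (a common conservative rule)."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


# Constructed measure catalogues. Each level is cumulative: a higher level
# includes all measures of the lower ones plus its own additions.
# Values are illustrative cost units per asset, not real figures.
MEASURES = {
    LOW: {"access control": 2, "backup": 2, "patching": 1},
    MEDIUM: {"logging": 2, "encryption at rest": 3},
    HIGH: {"redundant site": 10, "HSM-backed keys": 8, "24x7 monitoring": 6},
}


def measures_for_level(level: int) -> dict:
    """Cumulative set of measures an asset at `level` must apply."""
    required = {}
    for lvl in range(LOW, level + 1):
        required.update(MEASURES[lvl])
    return required


def cost_one_level_baseline(assets) -> int:
    """One set of measures for everything: every asset gets the full
    catalogue, regardless of its real requirements (slide 19)."""
    full = measures_for_level(HIGH)
    return sum(full.values()) * len(assets)


def cost_three_level_baseline(assets) -> int:
    """Each asset applies only the measures of its own level (slides 20-22)."""
    return sum(sum(measures_for_level(asset_level(a)).values()) for a in assets)


def classify(assets) -> dict:
    """Map each asset name to the name of its baseline level."""
    return {a.name: LEVEL_NAMES[asset_level(a)] for a in assets}


# Constructed sample register of public-sector information assets.
SAMPLE_ASSETS = [
    Asset("public web site", confidentiality=LOW, integrity=MEDIUM, availability=MEDIUM),
    Asset("meeting room calendar", confidentiality=LOW, integrity=LOW, availability=LOW),
    Asset("population register", confidentiality=HIGH, integrity=HIGH, availability=HIGH),
    Asset("internal wiki", confidentiality=MEDIUM, integrity=LOW, availability=LOW),
]

if __name__ == "__main__":
    for name, level in classify(SAMPLE_ASSETS).items():
        print(f"{name:22s} -> {level}")
    print("one-level baseline cost:  ", cost_one_level_baseline(SAMPLE_ASSETS))
    print("three-level baseline cost:", cost_three_level_baseline(SAMPLE_ASSETS))
```

With the constructed figures the one-level baseline costs 136 units for the four assets and the three-level baseline 59, which is the saving slide 22 refers to: the low-requirement calendar and wiki no longer pay for redundant sites and round-the-clock monitoring. The price of that saving is the classification step itself, which is the "additional expenses on analysis" the same slide mentions.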
23. Legislation for the implementation of
ISKE
• The terms and conditions for auditing the
implementation of ISKE are established by the
Regulation of the Government of Estonia