2. DIGIT
Directorate-General for Informatics
Legal base
• Regulation (EU) No 211/2011 of the European Parliament and of the Council of 16 February 2011 on the citizens' initiative
• Commission Implementing Regulation (EU) No 1179/2011 of 17 November 2011 laying down technical specifications for online collection systems pursuant to Regulation (EU) No 211/2011 of the European Parliament and of the Council on the citizens' initiative
(EU) No 211/2011
Article 6 Online collection systems
1. Where statements of support are collected online, the data obtained through the online collection system shall be stored in the territory of a Member State.
The online collection system shall be certified in accordance with paragraph 3 in the Member State in which the data collected through the online collection system will be stored.
(EU) No 211/2011 (ctd.)
Article 6 Online collection systems
4. Online collection systems shall have adequate security and technical features in place in order to ensure that:
a) only natural persons may submit a statement of support form online;
b) the data provided online are securely collected and stored;
c) the system can generate statements of support in a form complying with the models set out in Annex III.
(EU) No 1179/2011
Provides technical specifications to address Article 6(4) of REGULATION (EU) No 211/2011.
(a) and (c) are addressed by the Online Collection Software provided by the European Commission (Sections 1 and 3 of the annex).
(b) is addressed in section 2 of the annex, which details requirements that:
• have to be addressed by the Organisers
• are addressed by the Online Collection Software provided by the European Commission
• have to be addressed by the hosting infrastructure
(EU) No 1179/2011 (ctd.)
Section 2 of the annex provides technical specifications for the following domains:
• Information assurance standards (→ Organisers)
• Functional requirements (→ OCS)
• Application level security (→ OCS + hosting infrastructure)
• Database security and data integrity (→ OCS + hosting infrastructure)
• Infrastructure security (→ hosting infrastructure)
• Organiser client security (→ Organisers)
EC as hosting provider … only?
The main objective was to:
• provide a suitable hosting infrastructure (compliant with 1179/2011 section 2 requirements)
However, it quickly appeared that EC could also help:
• in drafting documents required by 2.1 and 2.2
• in fulfilling Organiser client security requirements (Live-DVD)
Information assurance standards
2.1. Organisers provide documentation showing that they fulfil the requirements of standard ISO/IEC 27001, short of adoption. For that purpose, they have:
a) performed a full risk assessment, …;
b) designed and implemented measures for treating risks …;
c) identified the residual risks in writing;
d) provided the organisational means to receive feedback on new threats and security improvements.
Information assurance standards (ctd)
2.2. Organisers choose security controls based on the risk analysis in 2.1(a) from the following standards:
1) ISO/IEC 27002; or
2) the Information Security Forum’s ‘Standard of Good Practice’
to address the following issues:
a) risk assessments (ISO/IEC 27005 or another specific and suitable risk assessment methodology are recommended);
b) physical and environmental security;
c) human resources security;
d) communications and operations management;
e) …
ISO 27000 security standards
• ISO 27001 formally specifies a management system that is intended to bring information security under explicit management control
• ISO 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS)
ISO27002 domains
[Diagram: ISO 27002 control domains arranged around the ISMS core (Information Security Policy, Risk Assessment, ISMS Policy, Statement of Applicability, operational Information Security Policy). Domains shown: Information security policy; Information security organization; Asset classification and control; Personnel security; Physical and environmental security; Communications and operations management; Access control; Systems development and maintenance; Information security incident management; Business continuity management; Compliance.]
ISO27001 ISMS
[Diagram: the ISO 27001 ISMS as a Plan-Do-Check-Act cycle. Steps shown around the cycle: perform a gap analysis; define / review the security perimeter; perform risk assessment; formulate risk treatment plan (risk management); prepare a Statement of Applicability; update information security policy; obtain approval; implement the risk treatment plan and selected controls; implement training and awareness programs; perform information security audits; measure effectiveness.]
ECI Documentation package
To fulfil the above requirements, EC agreed with the Luxembourgish Authorities to build the following security documentation package:
1. the Security Scope
2. the Business Impact Analysis (BIA)
3. the Risk Assessment Report (RAR)
4. the Risk Treatment Plan (including Residual Risks) (RTP)
5. the Statement of Applicability (SoA)
ECI Documentation package (ctd)
EC also built guidance documents to help the Organisers in drafting their part of the security documentation, i.e.:
1. Organiser Risk Assessment Guidance
2. Organiser Risk Treatment Plan Guidance
3. Organiser Statement of Applicability Guidance
The guidance documents have been drafted to be as reusable as possible and thus to minimise the Organisers' documentation effort.
Organiser client security
2.20. Organiser client security
For the sake of end-to-end security, the organisers take necessary measures to secure their client application/device that they use to manage and access the online collection system, such as:
2.20.1. Users run non-maintenance tasks (such as office automation) with the lowest set of privileges that they require to run.
2.20.2. When relevant updates and patches of the OS, any installed applications, or anti-malware become public, then such updates or patches are installed expediently.
Speaker notes
• Strong captcha is suggested.
• Annex section 2. OCS already addresses: 1, 2.3, 2.4, 2.5, 2.6, 2.7 (except §2.7.6.a, b, c and d, §2.7.9.a and c), 2.11, 2.12, 2.13 and 2.14.
• SCOPE: defines the scope and the boundaries of the ISMS at the hosting side.
• BIA: assesses the business impacts upon the organisation that might result from security failures.
• RAR: presents the results of the Risk Assessment for the ECI OCSI hosted at the premises of the European Commission.
• RTP: the hosting Risk Treatment Plan.
• SoA: includes the controls selected from the ISO 27002 standard and the controls excluded by the EC data centre, with the reason for their exclusion.