Information Security and Privacy Regulations in the EU Dr. Arpad Janko, CISA, CISSP.


KFKI PRESENTATION ÉLŐLÁB 2

Agenda

• Information Security – Introduction

• Risk Management

• Information Security Regulations

• How it works in Hungary

• Privacy Regulations


Information Security - General

• What is Information Security?
  • Information security is defined by ISO 17799 as the protection of information from a wide range of threats in order to ensure business continuity

• Information can exist in many forms
  • Represented electronically
  • Printed on paper
  • Shown on films
  • Spoken in conversation


Information Security - General

• Confidentiality
  • Keeps information private

• Integrity
  • Keeps information accurate, complete and authentic

• Availability
  • Keeps information available


Information Security - Threats

• Potential threats that may arise
  • Interception of communications
  • Unauthorized access into computers and computer networks
  • Network disruptions
  • Execution of malicious software
  • Malicious misrepresentation
  • Environmental and unintentional events
  • Social Engineering
  • Denial of Service Attack


Information Security - Impact

• Potential impact of security breaches
  • Business/operational activities are suspended or partially suspended
  • Classified business/operational data are made available to competitors and unauthorized parties
  • Private data abused
  • Fraudulent manipulation of data
  • Legal issues
  • Damage to reputation
  • Loss of both tangible and intangible assets (e.g. IT systems, liabilities, compensation, etc.)


Security Risk Management

• Risk = function (Threat, Impact)

• Risk Management
  • Risk assessment
  • Calculating risks
  • Risk handling: Mitigation, Acceptance, Transfer, Ignorance
  • Risk Tolerance

• Implement and maintain a set of controls
  • Administrative, technical and physical controls


Security Risk Management

• Driving factors
  • The number and severity of security breaches have increased dramatically
  • Stakeholder demand has increased
  • Self-initiatives are not effective

• Resulted in
  • Growing regulatory activity
  • Statutory and regulatory requirements (e.g. defining frameworks, mandating or recommending certain technologies, or controls)
  • Compliance with these requirements results in lower risk exposure
  • Financial, government and telecommunication sectors are the most regulated ones


Regulations

• Standards and guidelines
  • Standards are not necessarily binding directly, but can be mandated or recommended by laws
  • Guidelines are not mandatory
  • Guidelines help to implement the requirements of standards

• Statutory requirements
  • Laws, acts, bills
  • Legally binding documents


Regulations

• Based on geographical area
  • Global (International regulations)
    • E.g. ISO/IEC, OECD Guidelines, Basel II, Convention on Cybercrime
  • Regional
    • EU: E.g. ETSI, EU Directives
    • North America: E.g. ANSI, SOX
  • Local (National regulations)
    • E.g. MSZ 27001:2006, BS 25999

• Based on Scope
  • General
  • Specific for a certain industry vertical
    • Financial, Government, Telecommunications, Retail, Health, Education, etc.


Standards, Guidelines

• Standards
  • De jure (e.g. ISO)
  • De facto (e.g. RFC)

• Based on content
  • Information Security Management (e.g. ISO/IEC 27001)
  • Technical, technological (e.g. encryption, etc.)
  • Process-oriented (e.g. ITIL, ISO 13335-2)
  • Countermeasures (e.g. ISO/IEC TR 15947 Intrusion Detection Framework)
  • Auditing (e.g. IAS, PCAOB AS 5)
  • Certification (Common Criteria)

• Standardization bodies
  • ISO, ANSI, IETF


Standards, Guidelines

• ISO/IEC
  • ISO/IEC 27000 family
  • ISO/IEC 13335 – Guidelines for the Management of IT Security
  • ISO/IEC 15408 – Common Criteria
  • ISO/IEC 18044 – Information security incident management
  • ISO/IEC 18028-1 – Network Security Management
  • ISO/IEC 18028-2 – Network Security Architecture
  • ISO/IEC 18028-3 – Securing communications between networks using security gateways
  • ISO/IEC 18028-4 – Securing remote access
  • ISO/IEC 15947 – IT Intrusion Detection Framework


Standards, Guidelines

• ISMS family of standards (ISO/IEC 27xxx)
  • ISO/IEC 27001 – ISMS (BS 7799-2)
  • ISO/IEC 27002 – ISO/IEC 17799 (BS 7799-1)
  • ISO/IEC 27005 – Guidelines for information security risk management
  • ISO/IEC 27006 – Guide to ISMS certification process
  • ISO/IEC 27003 – ISMS implementation guide
  • ISO/IEC 27004 – Information security management measurements
  • ISO/IEC 27007 – Guideline for ISMS auditing
  • ISO/IEC 27011 – ISMS implementation guideline for the telecommunications industry
  • ISO/IEC 27034 – Guideline for application security


Standards, Guidelines

• ISO/IEC 27001 – ISMS (BS 7799-2)
  • ISMS: Information Security Management System
  • Model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS
  • Process approach – "Plan-Do-Check-Act" (PDCA)


Standards, Guidelines

• ISO/IEC 27002 – ISO/IEC 17799 (BS 7799-1)
  • Code of practice for information security management
  • Security domains
    • Security Policy
    • Organizing Information Security
    • Asset Management
    • Human Resources Security
    • Physical and Environmental Security
    • Communications and Operations Management
    • Access Control
    • Information Systems Acquisition, Development and Maintenance
    • Information Security Incident Management
    • Business Continuity Management
    • Compliance


Standards, Guidelines

• ISO/IEC 27002 – ISO/IEC 17799 (BS 7799-1)
  • Each domain contains multiple security categories
  • Each main security category contains
    • Control objective
    • One or more controls

• The most widely accepted Information Security standard
  • Can be linked to other IT or Information Security frameworks and standards
    • E.g. ISO 27xxx, ITIL, COBIT


Standards, Guidelines

• Common Criteria – ISO/IEC 15408
  • Framework for system security evaluation and certification
  • International standard, unlike its predecessors
    • Orange Book (US), ITSEC (EU), CTCPEC (CA)
  • More flexible than its predecessors
    • Custom evaluation profiles
  • Provides assurance about security capabilities
    • Computer system users specify their security requirements
    • Vendors implement the security attributes of the products
    • Testing laboratories evaluate the products


Standards, Guidelines

• International standards -> Local standards
  • ISO/IEC 27001:2005 -> MSZ ISO/IEC 27001:2006
  • ISO/IEC 17799:2005 -> MSZ ISO/IEC 17799:2006
  • ISO/IEC 15947 -> MSZ ISO/IEC 15947
  • ISO/IEC 15408 (CC) -> MSZ ISO/IEC 15408
  • Etc.


Standards, Guidelines

• COBIT
  • Control Objectives for Information and related Technology
  • De facto standard
  • IT governance framework and supporting toolset
  • Bridges the gap between business and IT
  • Enhances delivery of value by IT (business enabler)
  • Emphasizes regulatory compliance and risk management
  • Performance measurement -> effective resource utilization

• Umbrella framework – aligned with other frameworks
  • E.g. COSO, ISO/IEC 27001

• Promoted by numerous regulations/regulatory bodies
  • E.g. SOX, Hungarian Financial Supervisory Authority (HFSA)


Standards, Guidelines

• COBIT
  • Current version 4.1
  • Structured by IT processes – 34 core IT processes
    • How to control (control objectives)
    • How to manage (I/O, RACI)
    • How to measure (maturity model)

• 34 IT processes grouped into 4 domains
  • Plan and Organize
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate


Standards, Guidelines

• Basel II
  • International regulation
  • Promotes greater stability in the financial system
  • Rigorous risk and capital management requirements
  • Operational risk management

• PCI DSS
  • International regulation
  • VISA, MC, American Express, Discover, Diner's Club, JCB
  • Protecting credit card data


EU Legislation

• EU legislation hierarchy
  • Regulations
  • Directives
  • Decisions
  • Recommendations
  • Communications
  • Green and white papers


EU Legislation

• Regulations
  • Have general application, i.e. they are applicable to all those falling within their scope
  • Are directly applicable and binding on every Member State
  • Do not require any national legislative act to support them. This means that they become national legislation without any further adjustment and act just like any other law of the country.

• Directives
  • Require a formal legislative act to transpose them into national law
  • Each Member State has the freedom to choose the specific measures to achieve the desired goal or target designated in a Directive.
  • However, many Directives are quite detailed, which leaves the Member States less room to choose measures.
  • More detailed Directives ensure greater consistency throughout the EU.


EU Legislation

• Decisions
  • Are directed at specific recipients (one or more Member States, private citizens, enterprises, etc.)
  • Are binding upon those to whom they are addressed.

• Recommendations
  • Are issued to encourage desirable coordinated actions in a given policy field when the EU does not want to or cannot issue legally binding acts
  • Are declaratory, non-binding acts
  • May bear political weight
  • In the field of public health, Recommendations are the only type of act that the EC can adopt, and they are used to help Member States formulate and implement coordinated objectives and strategies.


EU Legislation

• Communications
  • Their nature may vary significantly
    • To explain and present a new piece of legislation or a new policy
    • Documents where the Commission explains its planned actions or policy
  • Are not legally binding
    • But they may incorporate the proposal for future legislation

• Green and White Papers
  • Specific type of Communication to hold discussions with European civil society or other Institutions
  • With the purpose of developing future legislation
  • A Green Paper is a discussion document at the very first step, which normally does not include any legislative proposal
  • Paves the way towards the drafting of a proposal.


ENISA

• ENISA: European Network and Information Security Agency
  • Established in 2001

• Centre of Expertise for the EU Member States and EU Institutions in Network and Information Security
  • Advising/assisting EU institutions and the Member States on information security
  • Collecting/analyzing data on security incidents in Europe and emerging risks
  • Promoting risk assessment and risk management methods
  • Awareness-raising
  • Co-operation between different actors in the information security field (EU institutions, the Member States and the private business & industry actors)

• Switchboard of information for best practices


EU Legislation - Key EU Documents

• 8th Company Law Directive (2006/43/EC) on Statutory Audits of Annual and Consolidated Accounts
  • Discussed later

• A Community framework for electronic signature (1999/93/EC)
  • The purpose is to facilitate the use of electronic signatures and to contribute to their legal recognition
  • Establishes a legal framework for electronic signatures and certain certification services

• Directives on data protection (1995/46/EC) and privacy in electronic communications (2002/58/EC)
  • Discussed later

• Directive on electronic commerce (2000/31/EC)


EU Legislation - Key EU Documents

• Directives on electronic communication networks and services (2002/19/EC – 2002/22/EC)
  • Framework Directive, Authorization Directive, Universal Service Directive, Access Directive

• Regulation (EC) No 1007/2008
  • Establishing the European Network and Information Security Agency (ENISA)

• Communication (COM/2008/199) on Preparing Europe's digital future: i2010 Mid-Term Review

• Communication (COM/2007/285 final) on the evaluation of ENISA

• Convention on Cybercrime
  • Discussed later


EU Legislation - EuroSOX

• US and EU accounting scandals
  • Enron, WorldCom, Parmalat

• With the aim to restore investor confidence in the EU
  • SOX, C-SOX, J-SOX, EuroSOX
  • Closely follow the US regulations

• EuroSOX
  • To safeguard shareholders' investments
  • Establish Corporate Governance
  • Increase disclosure requirements
  • Establish separate audit committees

• Affects only publicly traded companies


EU Legislation - EuroSOX

• Consists of 3 separate Directives in total
  • 4th Directive 78/660/EEC – Annual Accounts of specific types of companies
  • 7th Directive 83/349/EEC – Consolidated Accounts
  • 8th Directive 84/253/EEC
    • Company Law Directive and Corporate Governance
    • Company Law Directive on Statutory Audit
    • Committees and Interpretations

• The 8th Company Law Directive and Corporate Governance
  • The impact of MiFID on corporate governance
  • The role of the board of directors and executive management
  • Internal controls and external auditors


EU Legislation - EuroSOX

• 8th Directive 84/253/EEC
  • The 8th Company Law Directive on Statutory Audit
    • Approval, continuing education and mutual recognition of statutory auditors and audit firms
    • Registration of statutory auditors and audit firms
    • Professional ethics, independence and objectivity
    • Auditing standards
    • Audit reporting
    • Auditors' liability

• The 8th Company Law Directive: Committees and Interpretations
  • The European Group of Auditors' Oversight Bodies (EGAOB)
  • The Audit Regulatory Committee (AuRC)
  • The European Forum on Auditors' Liability


EU Legislation - Convention on Cybercrime

• First international treaty on crimes committed via the Internet and other computer networks
  • E.g. infringements of copyright, computer-related fraud, child pornography and violations of network security

• Involvement
  • Created by the EU, US, Canada and Japan
  • Signed in Budapest in 2001
  • Signed by 43 countries
  • Hungary ratified it among the first countries


EU Legislation - Convention on Cybercrime

• Purpose
  • To harmonize national laws
  • To improve investigative techniques
  • To increase cooperation among nations

• Contains a series of powers and procedures (e.g. search of computer networks and interception).


EU Legislation

• EU legislation -> Local legislation
  • A Directive may be mapped to one or multiple pieces of legislation (acts, decrees, etc.)
  • Directive 1999/93/EC of the European Parliament and the Council on a Community framework for electronic signature -> Hungarian Act 2001/XXXV
  • The 8th Company Law Directive on Statutory Audit is mapped to multiple pieces of legislation due to its complexity


Hungarian Laws and Regulations

• Local Legislation
  • Mirrors global legislation
  • Adapts global legislation considering local conditions

• ISO/IEC Standards
  • ISO/IEC 17799:2005
    • MSZ ISO/IEC 17799:2006
    • IBIK (Information Security Management System)
    • Government Decree 84/2007
  • ISO/IEC 27001:2005
    • MSZ ISO/IEC 27001:2006
  • Also other ISO/IEC standards


Hungarian Laws and Regulations

• 8th Company Law Directive (2006/43/EC) on Statutory Audits
  • 2007/LXXV. Act on Statutory Auditors

• Common Criteria
  • Government IT Committee's Proposal: Hungarian IT Security Evaluation and Certification Scheme (MIBÉTS)

• COBIT promoted by
  • Hungarian Financial Supervisory Authority (PSZÁF)
  • State Audit Office of Hungary (ÁSZ)


Hungarian Laws and Regulations

• Convention on Cybercrime
  • Hungarian Criminal Code has been modified

• Privacy Law
  • 1992/LXIII Act, Hungarian Privacy Act


How it Works

• Implementation
  • "Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive before xxxx"
  • Member States are mandated to comply with EU legislation

• Significant difference between the government and financial sectors

• Financial sector (also other business segments)
  • Influence of foreign companies in the business sector
  • Higher awareness and maturity level
  • Regular audits (1-2 years)
  • No serious consequences of audit findings


How it Works

• Government Sector
  • Low security awareness
  • Low compliance awareness
  • Regular audits (1-2 years)
  • No serious or no consequences at all
  • Advanced eGovernance

• IS consultant companies may raise the compliance awareness level

• Key success factors
  • Enforcement
  • Security Awareness


Privacy Regulation

• Europe <-> USA
  • Different approach
    • US: sectoral approach that relies on a mix of legislation, regulation
    • EU: comprehensive legislation
  • Safe Harbour
    • Bridges the two approaches

• Data Protection Directive (97/66/EC)

• The Privacy and Electronic Communications Directive (2002/58/EC)
  • A complement to the Data Protection Directive
  • Due to the growing online marketing practices
  • Free movement of lawfully obtained personal data within EU member states
  • Internet and telephone lines


Privacy Regulation

• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
  • 7 privacy principles
    • Collection Limitation
    • Data Quality
    • Purpose Specification
    • Use Limitation
    • Security Safeguards
    • Openness
    • Individual Participation
    • Accountability

• Hungary
  • 1992/LXIII Act – Privacy Act


Thank You
Dr. Arpad Janko, CISA, CISSP



Questions

• Which one is not part of the EU legislation hierarchy?
  1. Communications
  2. Directives
  3. Regulations
  4. Red Papers

• Which one is meant to restore investor confidence in the EU?
  1. Data Protection Directive
  2. EuroSOX
  3. Common Criteria
  4. COBIT