ESS IT SECURITY ASSURANCE MECHANISM
1. INTRODUCTION
1.1. Objective
The objective of this document is to propose a list of potential solutions for implementing IT Security Assurance applicable to all ESS members, in order to build common and mutual trust.
"From an information security perspective, trust is the belief that a security-relevant entity will behave in a predictable manner when satisfying a defined set of security requirements under specified conditions/circumstances and while subjected to disruptions, human errors, component faults and failures, and purposeful attacks that may occur in the environment of operation. Trust is usually determined relative to a specific security capability and can be decided relative to an individual system component or the entire information system." [1]
In the current business case, trustworthiness between ESS partners means the belief that all ESS members preserve, with the same degree of protection, the confidentiality, integrity and availability of the confidential information transmitted to them, during its processing, storage and any further retransmission.
Two fundamental elements affecting trust and trustworthiness are security functionality and security assurance.
- Security functionality is typically defined in terms of the security features, functions, mechanisms, services, procedures and architectures. This is proposed in the ESS IT Security Framework.
- Security assurance is the measure of confidence that the security functionality is implemented correctly, operating as intended, and producing the desired outcome. This is the subject of the current document.
The ESS IT Security Framework and related guidelines have been developed to achieve more secure information systems and effective risk management within the ESS by:
- Facilitating a more consistent, comparable and repeatable approach for selecting and specifying security controls for information systems and organisations;
- Providing a stable list of security controls that meets current information protection needs and anticipates future protection needs arising from changing threats, requirements and technologies;
- Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness;
- Facilitating communication and information exchange among ESS members regarding IT security.

[1] NIST Special Publication 800-53 Revision 4
Commission européenne, 2920 Luxembourg, LUXEMBOURG - Tel. +352 43011
Office: BECH
http://epp.eurostat.ec.europa.eu
1.2. Scope
The scope of the security framework is limited to the "management and exchange of microdata between Member States on a mandatory basis", and refers only to identifiable data about businesses, not (for the time being) about individuals. The "ESS Core IT Security Framework" documents prepared by the ESS expert group focus only on this defined scope.
2. COMPLIANCE/ASSURANCE MECHANISMS
There are several key questions that organisations should answer when addressing the information security considerations for their information systems:
- What security controls are needed to satisfy the security requirements and to adequately mitigate the risks incurred by using information and information systems in the use, storage and exchange of confidential information?
  The controls selected and proposed in the ESS IT Security Framework cover the business needs related to the protection of microdata during its transmission and storage in the different Member States.
- Have the security controls been implemented, or is there an implementation plan in place?
  This question is covered by the self-assessment activities, which make it possible to understand and measure the state of implementation of the necessary controls.
- What is the desired or required level of assurance that the selected security controls, as implemented, are effective in their application?
  The objective of an IT security audit service is to ensure that the essential security functionalities highlighted in the Entry pack are effectively implemented, and to provide the ESS partners with an assessment/certification of the effectiveness of the implementation of the mandatory security functions.
The following assurance mechanisms are now proposed for discussion and for a decision by the ESS members on the preferred options. The objective is to give Member States enough flexibility in the selection of the solution while preserving confidence in the output.
In the following points, "ESS members" includes all the national authorities having to exchange mandatory microdata (NSIs or ONAs) and Eurostat.
2.1. Internal audit
The first option is to make use of the existing audit resources available in the ESS members. Members can choose to carry out their own internal audit based on the requirements of the ESS IT Security Framework (e.g. guidelines, self-assessment). Once the internal audit has been finalised, the results should be provided confidentially to a central certification service managed by Eurostat, in order to be assessed and certified.
2.2. Audit provided by a central ESS service managed by ESTAT
When an ESS member does not have the capacity to manage, organise or finance internal audits, it can opt to use auditors proposed and managed by Eurostat. Such auditors should come from a professional auditing company selected through an open call for tenders. In that situation, the audit report can be used directly for reporting to the ESSC.
2.3. Other considerations
a) Member States that are ISO 27K compliant
When a Member State is already ISO 27001 certified, the certification scope should be checked to verify whether it is aligned with the specific scope of the ESS security framework. If it is not, another audit using one of the mechanisms mentioned above and covering the mandatory scope should be carried out.
b) Private cloud, external providers
ESS members also need to build appropriate chains of trust when dealing with the many issues associated with information system security. The level of trust between ESS partners should be extended to any service providers delivering services to the organisations, so that those services receive adequate protection. In such cases, the audit will be based on the SLA and the reports received, but should also cover some key security controls such as access control management.
c) Case of ONAs (Other National Authorities)
Where ONAs are mandated to cover the provision and use of microdata on a mandatory basis, they should respect the rules established in the ESS IT Security Framework and follow the same compliance and protection rules as any other NSI in the field.
d) Audit frequency and follow-up
Compliance follow-up reviews, which check the implementation of the action plans resulting from audits, have to be taken into account in the audit capacity. Compliance audits against the ESS IT Security Framework are expected to be conducted every three years.
e) Central certification authority
The central certification service will be an independent body (a private auditing company or auditing consortium) selected by Eurostat through a call for tenders planned to be launched by mid-2016. Its tasks and roles will depend on the options selected by the Member States.
The central certification service will support, and be managed by, Eurostat, and will handle the audit results coming from the Member States with adequate protection measures.
f) Participation of members of the ESS IT Security Expert Group
A potential variant of the peer-review option is to include one member of the Expert Group on ESS IT Security in the professional auditing team. The advantage is that Expert Group members have a particular understanding and knowledge of the requirements and specificities of NSIs and can facilitate and support the work of the auditors.
g) Potential other auditing options
If the two proposed options for security assurance cannot fit Member States' requirements or obligations, other options can be investigated on a case-by-case basis.