Information Security and Privacy Regulations in the EU
Dr. Arpad Janko, CISA, CISSP

Agenda
• Information Security: Introduction
• Risk Management
• Information Security Regulations
• How it works in Hungary
• Privacy Regulations
KFKI PRESENTATION ÉLŐLÁB 2

Information Security - General
• What is information security?
  - ISO/IEC 17799 defines information security as the protection of information from a wide range of threats in order to ensure business continuity
• Information can exist in many forms:
  - represented electronically
  - printed on paper
  - shown on film
  - spoken in conversation

Information Security - General
• Confidentiality: keeps information private (accessible only to those authorized to see it)
• Integrity: keeps information accurate, complete and authentic
• Availability: keeps information accessible to authorized users when it is needed

Information Security - Threats
• Potential threats that may arise:
  - interception of communications
  - unauthorized access to computers and computer networks
  - network disruptions
  - execution of malicious software
  - malicious misrepresentation
  - environmental and unintentional events
  - social engineering
  - denial of service attacks

Information Security - Impact
• Potential impact of security breaches:
  - business/operational activities are suspended or partially suspended
  - classified business/operational data are made available to competitors and other unauthorized parties
  - private data are abused
  - fraudulent manipulation of data
  - legal issues
  - damage to reputation
  - loss of both tangible and intangible assets (e.g. IT systems, liabilities, compensation)

Security Risk Management
• Risk = function (Threat, Impact): the likelihood that a threat materializes, combined with the impact if it does
• Risk management:
  - risk assessment
  - calculating risks
  - risk handling: mitigation, acceptance, transfer (or, in the worst case, ignoring the risk; an ignored risk is in practice an undocumented acceptance)
  - risk tolerance
• Implement and maintain a set of controls:
  - administrative, technical and physical controls

Security Risk Management
• Driving factors:
  - the number and severity of security breaches has increased dramatically
  - stakeholder demand has increased
  - self-initiatives (purely voluntary measures) are not effective
• Result:
  - growing regulatory activity
  - statutory and regulatory requirements (e.g. defining frameworks, mandating or recommending certain technologies or controls)
  - compliance with these requirements results in lower risk exposure
  - the financial, government and telecommunications sectors are the most regulated

Regulations
• Standards and guidelines
  - Standards are not necessarily binding on their own, but can be mandated or recommended by laws
  - Guidelines are not mandatory; they help to implement the requirements of standards
• Statutory requirements
  - Laws, acts, bills
  - Legally binding documents

Regulations
• Based on geographical area
  - Global (international regulations): e.g. ISO/IEC standards, OECD Guidelines, Basel II, Convention on Cybercrime
  - Regional: EU, e.g. ETSI standards and EU Directives; North America, e.g. ANSI standards and SOX
  - Local (national regulations): e.g. MSZ ISO/IEC 27001:2006 (Hungary), BS 25999 (UK)
• Based on scope
  - General
  - Specific to an industry vertical: financial, government, telecommunications, retail, health, education, etc.

Standards, Guidelines
• Standards
  - De jure (e.g. ISO)
  - De facto (e.g. IETF RFCs)
• Based on content
  - Information security management (e.g. ISO/IEC 27001)
  - Technical/technological (e.g. encryption)
  - Process-oriented (e.g. ITIL, ISO/IEC 13335-2)
  - Countermeasures (e.g. ISO/IEC TR 15947 IT Intrusion Detection Framework)
  - Auditing (e.g. IAS, PCAOB AS 5)
  - Certification (Common Criteria)
• Standardization bodies: ISO, ANSI, IETF

Standards, Guidelines: ISO/IEC
• ISO/IEC 27000 family
• ISO/IEC 13335: Guidelines for the Management of IT Security
• ISO/IEC 15408: Common Criteria
• ISO/IEC 18044: Information security incident management
• ISO/IEC 18028-1: Network security management
• ISO/IEC 18028-2: Network security architecture
• ISO/IEC 18028-3: Securing communications between networks using security gateways
• ISO/IEC 18028-4: Securing remote access
• ISO/IEC TR 15947: IT intrusion detection framework

Standards, Guidelines: ISMS family of standards (ISO/IEC 27xxx)
• ISO/IEC 27001: ISMS requirements (formerly BS 7799-2)
• ISO/IEC 27002: code of practice (formerly ISO/IEC 17799, originally BS 7799-1)
• ISO/IEC 27003: ISMS implementation guide
• ISO/IEC 27004: Information security management measurements
• ISO/IEC 27005: Guidelines for information security risk management
• ISO/IEC 27006: Requirements for bodies providing ISMS audit and certification (the certification process)
• ISO/IEC 27007: Guideline for ISMS auditing
• ISO/IEC 27011: ISMS implementation guideline for the telecommunications industry
• ISO/IEC 27034: Guideline for application security

Standards, Guidelines: ISO/IEC 27001 (BS 7799-2)
• ISMS: Information Security Management System
• A model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS
• Process approach: "Plan-Do-Check-Act" (PDCA)

Standards, Guidelines: ISO/IEC 27002 (ISO/IEC 17799, BS 7799-1)
• Code of practice for information security management
• Security domains:
  - Security Policy
  - Organizing Information Security
  - Asset Management
  - Human Resources Security
  - Physical and Environmental Security
  - Communications and Operations Management
  - Access Control
  - Information Systems Acquisition, Development and Maintenance
  - Information Security Incident Management
  - Business Continuity Management
  - Compliance

Standards, Guidelines: ISO/IEC 27002 (ISO/IEC 17799, BS 7799-1)
• Each domain contains multiple security categories
• Each main security category contains a control objective and one or more controls
• The most widely accepted information security standard
• Can be mapped to other IT and information security frameworks and standards, e.g. the rest of the ISO 27xxx family, ITIL, COBIT

Standards, Guidelines: Common Criteria (ISO/IEC 15408)
• Framework for evaluating and certifying the security of IT products and systems
• An international standard, unlike its predecessors: the Orange Book (US), ITSEC (EU), CTCPEC (Canada)
• More flexible than its predecessors: custom evaluation profiles (Protection Profiles and Security Targets)
• Provides assurance about security capabilities:
  - computer system users specify their security requirements
  - vendors implement the security attributes of the products
  - independent testing laboratories evaluate the products

Standards, Guidelines: International standards and their Hungarian (MSZ) adoptions
• ISO/IEC 27001:2005 -> MSZ ISO/IEC 27001:2006
• ISO/IEC 17799:2005 -> MSZ ISO/IEC 17799:2006
• ISO/IEC 15947 -> MSZ ISO/IEC 15947
• ISO/IEC 15408 (CC) -> MSZ ISO/IEC 15408
• etc.

Standards, Guidelines: COBIT
• Control Objectives for Information and related Technology
• De facto standard
• IT governance framework and supporting toolset:
  - bridges the gap between business and IT
  - enhances delivery of value by IT (IT as a business enabler)
  - emphasizes regulatory compliance and risk management
  - performance measurement -> effective resource utilization
• Umbrella framework, aligned with other frameworks, e.g. COSO and ISO/IEC 27001
• Promoted by numerous regulations and regulatory bodies, e.g. SOX compliance programs and the Hungarian Financial Supervisory Authority (HFSA)

Standards, Guidelines: COBIT
• Current version (at the time of this presentation): 4.1
• Structured by IT processes: 34 core IT processes
  - how to control (control objectives)
  - how to manage (inputs/outputs, RACI charts)
  - how to measure (maturity model)
• The 34 IT processes are grouped into 4 domains:
  - Plan and Organize
  - Acquire and Implement
  - Deliver and Support
  - Monitor and Evaluate

Standards, Guidelines: Basel II and PCI DSS
• Basel II
  - International regulatory framework for banks
  - Promotes greater stability in the financial system
  - Rigorous risk and capital management requirements
  - Operational risk management (which is where information security risk belongs)
• PCI DSS
  - International industry standard, not a law: enforced contractually by the card brands
  - VISA, MasterCard, American Express, Discover, Diners Club, JCB
  - Protects credit card (cardholder) data

EU Legislation
• EU legislation hierarchy:
  - Regulations
  - Directives
  - Decisions
  - Recommendations
  - Communications
  - Green and White Papers

EU Legislation: Regulations
• Have general application, i.e. they apply to everyone falling within their scope
• Are directly applicable and binding in every Member State
• Do not require any national legislative act to support them: once in force they apply in each Member State like any other law of that country, without further adjustment

EU Legislation: Directives
• Require a formal legislative act to transpose them into national law
• Each Member State is free to choose the specific measures by which it achieves the goal or target set by the Directive
• However, many Directives are quite detailed, which leaves the Member States less room to choose their measures
• More detailed Directives ensure greater consistency throughout the EU

EU Legislation: Decisions and Recommendations
• Decisions
  - Are directed at specific recipients (one or more Member States, private citizens, enterprises, etc.)
  - Are binding upon those to whom they are addressed
• Recommendations
  - Are issued to encourage desirable coordinated action in a given policy field when the EU does not want to, or cannot, issue legally binding acts
  - Are declaratory, non-binding acts
  - May carry political weight
  - In the field of public health, Recommendations are the only type of act the EC can adopt; they are used to help Member States formulate and implement coordinated objectives and strategies

EU Legislation: Communications, Green and White Papers
• Communications
  - Their nature may vary significantly: explaining and presenting a new piece of legislation or a new policy, or documents in which the Commission explains its planned actions or policy
  - Are not legally binding, but may contain the proposal for future legislation
• Green and White Papers
  - A specific type of Communication used to hold discussions with European civil society or other institutions, with the purpose of developing future legislation
  - A Green Paper is a discussion document at the very first step, which normally does not include any legislative proposal; it paves the way towards the drafting of a proposal
  - A White Paper follows the consultation and contains concrete proposals for Community action in the area

ENISA
• ENISA: European Network and Information Security Agency
• Established in 2004 by Regulation (EC) No 460/2004
• Centre of expertise for the EU Member States and EU institutions in network and information security:
  - advising and assisting EU institutions and the Member States on information security
  - collecting and analyzing data on security incidents in Europe and on emerging risks
  - promoting risk assessment and risk management methods
  - awareness raising
  - cooperation between the different actors in the information security field (EU institutions, the Member States, private business and industry)
  - switchboard of information for best practices

EU Legislation - Key EU Documents
• 8th Company Law Directive (2006/43/EC) on statutory audits of annual and consolidated accounts (discussed later)
• A Community framework for electronic signatures (1999/93/EC)
  - The purpose is to facilitate the use of electronic signatures and to contribute to their legal recognition
  - Establishes a legal framework for electronic signatures and certain certification services
• Directives on data protection (95/46/EC) and privacy in electronic communications (2002/58/EC) (discussed later)
• Directive on electronic commerce (2000/31/EC)

EU Legislation - Key EU Documents
• Directives on electronic communication networks and services (2002/19/EC to 2002/22/EC): the Framework, Authorization, Universal Service and Access Directives
• Regulation (EC) No 460/2004 establishing ENISA, and Regulation (EC) No 1007/2008 amending it (extending the agency's duration)
• Communication COM(2008) 199 on Preparing Europe's digital future: i2010 Mid-Term Review
• Communication COM(2007) 285 final on the evaluation of ENISA
• Convention on Cybercrime (discussed later)

EU Legislation - EuroSOX
• US and EU accounting scandals: Enron, WorldCom, Parmalat
• Aim: to restore investor confidence in the EU
• SOX, C-SOX, J-SOX, EuroSOX: the non-US variants closely follow the US regulation
• EuroSOX:
  - safeguards shareholders' investments
  - establishes corporate governance requirements
  - increases disclosure requirements
  - establishes separate audit committees
• Affects only publicly traded companies

EU Legislation - EuroSOX
• Consists of three separate Directives in total:
  - 4th Directive 78/660/EEC: annual accounts of certain types of companies
  - 7th Directive 83/349/EEC: consolidated accounts
  - 8th Directive: originally 84/253/EEC, replaced by 2006/43/EC on statutory audit
• Company law and corporate governance topics:
  - Company Law Directive on Statutory Audit
  - committees and interpretations
  - the 8th Company Law Directive and corporate governance
  - the impact of MiFID on corporate governance
  - the role of the board of directors and executive management
  - internal controls and external auditors

EU Legislation - EuroSOX
• 8th Directive (2006/43/EC, replacing 84/253/EEC): the 8th Company Law Directive on Statutory Audit
  - approval, continuing education and mutual recognition of statutory auditors and audit firms
  - registration of statutory auditors and audit firms
  - professional ethics, independence and objectivity
  - auditing standards
  - audit reporting
  - auditors' liability
• The 8th Company Law Directive: committees and interpretations
  - the European Group of Auditors' Oversight Bodies (EGAOB)
  - the Audit Regulatory Committee (AuRC)
  - the European Forum on Auditors' Liability

EU Legislation - Convention on Cybercrime
• First international treaty on crimes committed via the Internet and other computer networks, e.g. infringements of copyright, computer-related fraud, child pornography and violations of network security
• Involvement:
  - drawn up by the Council of Europe with the participation of the US, Canada and Japan as non-member states
  - opened for signature in Budapest in 2001
  - signed by 43 countries at the time of this presentation
  - Hungary was among the first countries to ratify it

EU Legislation - Convention on Cybercrime
• Purpose:
  - to harmonize national laws
  - to improve investigative techniques
  - to increase cooperation among nations
• Contains a series of powers and procedures (e.g. search of computer networks and interception of communications)

EU Legislation
• EU legislation -> local legislation
• A Directive may be mapped to one or more pieces of national legislation (acts, decrees, etc.)
  - Directive 1999/93/EC of the European Parliament and the Council on a Community framework for electronic signatures -> Hungarian Act XXXV of 2001
  - The 8th Company Law Directive on Statutory Audit is mapped to multiple pieces of legislation due to its complexity

Hungarian Laws and Regulations
• Local legislation
  - Mirrors global legislation
  - Adapts global legislation to local conditions
• ISO/IEC standards
  - ISO/IEC 17799:2005 -> MSZ ISO/IEC 17799:2006 -> IBIK (Information Security Management System) -> Government Decree 84/2007
  - ISO/IEC 27001:2005 -> MSZ ISO/IEC 27001:2006
  - Also other ISO/IEC standards

Hungarian Laws and Regulations
• 8th Company Law Directive (2006/43/EC) on statutory audits -> Act LXXV of 2007 on Statutory Auditors
• Common Criteria -> Government IT Committee's proposal: the Hungarian IT Security Evaluation and Certification Scheme (MIBÉTS)
• COBIT promoted by:
  - the Hungarian Financial Supervisory Authority (PSZÁF)
  - the State Audit Office of Hungary (ÁSZ)

Hungarian Laws and Regulations
• Convention on Cybercrime -> the Hungarian Criminal Code has been amended accordingly
• Privacy law -> Act LXIII of 1992, the Hungarian Privacy Act

How it Works
• Implementation: "Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive before xxxx"
• Member States are mandated to comply with EU legislation
• Significant difference between the government and financial sectors
• Financial sector (and other business segments):
  - influence of foreign companies in the business sector
  - higher awareness and maturity level
  - regular audits (every 1 to 2 years)
  - no serious consequences of audit findings

How it Works
• Government sector:
  - low security awareness
  - low compliance awareness
  - regular audits (every 1 to 2 years)
  - no serious consequences, or no consequences at all
  - advanced eGovernance
• IS consulting companies may raise the level of compliance awareness
• Key success factors:
  - enforcement
  - security awareness

Privacy Regulation
• Europe <-> USA: different approaches
  - US: sectoral approach that relies on a mix of legislation, regulation and self-regulation
  - EU: comprehensive legislation
  - Safe Harbour: bridges the two approaches for transfers of personal data from the EU to the US
• Data Protection Directive (95/46/EC)
• The Privacy and Electronic Communications Directive (2002/58/EC)
  - a complement to the Data Protection Directive
  - a response to growing online marketing practices
  - free movement of lawfully obtained personal data within EU Member States
  - covers the Internet and telephone lines

Privacy Regulation
• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data: 8 privacy principles
  - Collection Limitation
  - Data Quality
  - Purpose Specification
  - Use Limitation
  - Security Safeguards
  - Openness
  - Individual Participation
  - Accountability
• Hungary: Act LXIII of 1992, the Privacy Act

Thank You
Dr. Arpad Janko, CISA, CISSP
Janko.Arpad@kfkizrt.hu

Questions
• Which one is not part of the EU legislation hierarchy?
  1. Communications
  2. Directives
  3. Regulations
  4. Red Papers
• Which one is meant to restore investor confidence in the EU?
  1. Data Protection Directive
  2. EuroSOX
  3. Common Criteria
  4. COBIT