The laws of information security
by Dr. Tuomas Pöysti
Counsellor of the Ministry of Finance
(chief adviser on public economic and public law, regulatory policy, management and governance issues),
deputy member of the Government board of public sector information management,
docent of administrative law (University of Helsinki)



Information security has been a concern of law for a long time. Initially information security was tacit knowledge embedded in the rationale of many rules of law. In the age of computing information security became explicit technical knowledge. In the information age and the network society information security has become a legal principle and a constitutional meta-right which is part of the requirements of good governance.
The regulatory change is connected to informatisation and convergence, which are all parts of the emergence of the network society. The law of the network society regulates information security both generally and in its particular fields. Current information security regulation calls for new pluri-disciplinary co-operation and a new role for lawyers.
These lectures aim to systematise current information security legislation in European and Finnish law and to build an understanding of the interaction between technology, security theory and law.
MINISTRY OF FINANCE
Counsellor, Docent Tuomas Pöysti
5.12.2003
1
The unfortunate company

• The company strategy was based on increasing the market value of its shares and then an eventual merger. The IT boom accelerated the rise of the value.
• Eventually disputes arose among the company management and particularly among the Board members.
• Helsingin Sanomat (a major Finnish newspaper) published critical reports on the disputes and the bad atmosphere. The company started to investigate ''leaks''.
• The Sonera security chief and his team, eventually at the request of, or at least for, the CEO, used information Sonera possessed as a telecom operator on the communications the board members and personnel had made to the press (traffic data).
• Side story: networking of the security personnel. The head of security of the Government got access to and used Sonera telecom operator traffic data to analyse a case in which calls were made, by the driver of the Prime Minister and from a portable phone at the disposal of the Prime Minister in his car, to a person suspected of serious tax fraud.
FICORA decision on the ''Sonera telecom espionage''

• Request by FICORA (Finnish Communications Regulatory Authority, in Finnish Viestintävirasto) to Sonera. Response: first an internal investigation report; at the further request, system login reports, data protection and information security instructions and policies, and internal audit reports.
• According to FICORA the general information security policy and awareness of it were sufficient. Recording of the processing of traffic data was, however, not sufficient, and the purpose of the processing in cases where information was drawn from the operator systems was not systematically written down. In some areas the internal information security policies were not uniform enough or comprehensive. The supervision of compliance with the security policies had to be strengthened.
• According to FICORA there is reason to believe that operator traffic data has been processed in an unlawful manner, and FICORA forwards its report to the police investigating the case.
The unfortunate company

• The e-mail services of TeliaSonera were overloaded due to the messages and return messages sent as a consequence of viruses.
• Consequently sending e-mails via TeliaSonera was slowed down substantially, even by several days or weeks.
• The Finnish Communications Regulatory Authority (FICORA) asked the service provider to bring the e-mail communications to the good technical level required by the Communications Market Act.
• Additionally FICORA found that the operator had not been informing its clients sufficiently.
The unfortunate society

• A virus attack causes a dysfunction of the electricity network
  - may cause a blackout or at least slow down recovery from a failure
  - evidence that this was partially the reason for the slow recovery from the recent blackout in the U.S.
• => warning letter of the Ministry of Traffic and Communications and the National Emergency Supply Agency
Information security

Information security is a state of affairs in which there is no significant risk to
• Availability
• Integrity & authentication
• Confidentiality
Auditability is an additional information security feature.
Information security refers to the entirety of measures aiming at guaranteeing availability, integrity, authentication and confidentiality in all circumstances (information security work).
Availability

• Accessibility and availability of information, ICT systems and services
• Ability to utilise information, services and systems at the correct time
  - usability
  - availability of updates, meta-data & meta-information (name servers, structured documents)
• In a legal sense: making access-to rights effective in the infrastructure and in practice
Integrity and authentication

• data unaltered and correct (structurally, logically), non-compromised
• completeness of data
• recognition and confirmation of the asserted identity, user or source
• non-repudiation of the message and content
Confidentiality

• protection of data and messages against interception and access by unauthorised persons, and protection of information from accidental or intentional but non-authorised losses
• protection of data and systems against unlawful use or use for an unlawful purpose
• safeguarding the secrecy & confidentiality rights and other exclusive rights to information and information processing
Information security is often about risks

Different definitions of risk:
1. risk is a probability of an adverse event (loss or other)
2. monetary value of an adverse event, or expected monetary value of an adverse event: monetary value x probability
3. probability of the realisation of a threat
Dimensions of information security

Distinguishing the different dimensions helps the planning and management of information security measures:
1. Administrative and organisational security
2. Personnel security
3. Physical security
4. Communications security
5. Hardware security / facilities security
6. Software security
7. Data security
8. Operations security
Data security – information security – security of knowledge

The pyramid of data, information and knowledge (from the top down):
• Intuition, wisdom
• Tacit knowledge
• Documented knowledge
• Knowledge
• Information
• Data

Areas shown alongside the pyramid: knowledge management; personnel security; IPR and business secrets; technical security and the legal principles concerning it.
Historical evolution and driving forces of information security regulation

• First stage: information security is tacit knowledge embedded in the rationale of some rules and principles of law.
  - form requirements in private law
  - individual information security rules and administrative regulations (noticeboards, archives, the notarius publicus system)
• Computing gradually brings information security into being as explicit, documented knowledge distinct from document management and archiving. Information security, however, does not yet have a status in recognised legal knowledge.
• Personal data laws have been the source of the development of legal information security rules and principles.
• Confidentiality rules in the public administration defined the development of information security rules.
Historical evolution and driving forces of information security legislation

• First generation data protection laws: the concepts of data protection and information security not clearly distinguished. Register-based rules on access to personal data, no very well defined information security rules.
• Second generation data protection laws (in Finland the Personal Registry Act of 1987). Fairly wide concept of the personal register and the requirements of good register practice. Particular information security obligations, and information security a clear embedded objective of data protection laws. Information security is not yet an explicit obligation.
• Third generation personal data legislation: logical concept of the personal register, in which law regulates all computerised use of personal data. General information security obligation and particular information security provisions. Good information management practice as a leading concern.
• Fourth generation: information security as a legal institution of its own, regulated in information security and management acts. Abuse model in the personal data legislation. General laws governing digital communications.
Phenomena leading the development of information security law

• Informatisation (the Information Age) and the emergence of the network society. Networks and networking are essential modes of organisation and work in the public and private sector. Information, information processing capacity and knowledge are the strategic assets or key success factors of individuals, organisations and societies.
  - information and network dependence of individuals, organisations and societies as a whole
• Commodification of information and the related juridification of information and information processing. Information is increasingly a product, a commodity, and a subject of value and trade.
• Convergence of technologies and media. Different media and platforms are able to provide similar or inter-operable services. Convergence has a technical, economic, cultural, legal and societal dimension.
Information security law today

• Necessity for the efficiency of information-bound fundamental and basic rights
• Legal principle and constitutional meta-right
• Part of the requirements of good governance
• General obligation prescribed in European and national law and in contracts; general object of legal protection
• Particular information security obligations and working tools for information security work in sectoral legislation
• Normative element in system and infrastructure design, operation and organisation management
  - proactive and preventive law
  - challenge for lawyers
The constitutional foundation of information security law

• Evolution of the rule of law: from a formal rule of law to a material rule of law.
• The efficiency of rights is an essential component of rights in contemporary legal thinking
  - ECHR practice
  - EC law
• Positive obligation to promote the realisation of fundamental and basic rights
• The concept of good constitutional governance embodies the requirements of the materiality of fundamental and basic rights and the efficiency of rights.
• In today's context technical security is needed for the efficiency of rights. In other words, technical security is a necessary condition for legal certainty (legal security).
Information security – legal certainty

Diagram: technical security and legal certainty. Technical security is a requirement for the efficiency of rights and thereby for legal certainty; legal certainty is dependent on the technical infrastructure.

Information security: the encounter of technical requirements and the legal interests related to information and information processing
• technical and legal security encounter
• risk management is a common backbone for both
• a genuine encounter requires that neither the technical nor the legal aspect suppresses the other perspective. This requires new pluri-disciplinary co-operation and discussion.
Systematics of information security law

• General information security legislation and soft law
• General public information security law: e-Government acts
• Particular information security provisions covering some aspects of:
  1. Administrative and organisational security provisions
  2. Personnel security provisions
  3. Physical security provisions
  4. Communications security provisions
  5. Hardware security / facilities security provisions
  6. Software security provisions
  7. Data security provisions
  8. Operations security provisions
  Law in this dimension either establishes obligations for security work, provides governance tools, or sets limits and boundaries for information security work.
• Information security contracts
General information security legislation

• EC personal data directive 95/46/EC and the implementing national personal data laws
  - article 17: general information security obligation
  - particular information security rules
• EC directive on privacy and electronic communications (2002/58/EC)
  - information security as a principle of the information infrastructure
  - information security requirements for electronic communications
• Penal law provisions on information crime: Council of Europe Cybercrime Convention
Principles of general information security legislation

• The general doctrines of information security in law, which are part of the general doctrines of information law
• Establishment of information security as a meta-right and legal principle
• General information security obligation: technical, organisational and other measures (art. 17 of the Personal Data Directive, art. 4 of the Privacy and Electronic Communications Directive)
• Requirement for effective risk management
  - risk analyses, establishment of management responsibilities, and measures for the prevention and limitation of risks
• Principle of proportionality and reasonableness of risk measures
• Principle of due care (precaution). Stance to technology as an enabler, and duty to follow technical development
General Public Information Security Legislation

• Trend towards more general e-Government acts or government information management acts
• Examples:
  - the U.S. e-Government Act of 2002
  - the Finnish Act on the Openness of Government
Good information management practice

Openness of Government Act, section 18
Obligation to safeguard
  - accessibility
  - availability
  - protection
  - integrity
  - other factors having an influence on the quality of information
of the information in documents and information systems
Good Information Management Obligations in section 18

• Obligations cover the whole life cycle of information, from creation to destruction
• Emphasis on the planning procedures
  - planning optimism as a model of rationality
Objectives of section 18

• Efficient and easy use of the principle of openness
• Information security
• Quality of information
• Efficiency
  - efficiency of administration
  - economic efficiency and functioning of the markets
Key contents of section 18

• Obligation to create and maintain good information management practice
• Creation of catalogues and reports serving the implementation of openness
• Mapping and preserving the rights related to information
• Planning obligations
• Principle of information security
• Principle of the quality of information
Good information management practice in the systematics of the Act on the Openness of Government

• Right to information
  - public information
  - exception: exhaustive (?) list of secrecy grounds
  - access to the file of a party
• Obligations safeguarding openness
  - duty to promote access to information
  - good information management practice
• Principles concerning interpretation
  - openness-friendly interpretation
Section 18 and the paradigm of the law of the network society

• Regulation focuses also on the information infrastructure and information logistics
• Good practice as a regulatory model
  - codes of conduct
• Efficiency as a concern for positive law; scarcity of law and rights
Problems related to the Act on the Openness of Government

• Law-making risk?
• Attempt at an all-at-once solution
• Recognition of imperfect governance?
• Exhaustive and wide list of rules and exceptions
• Lack of recognition of codes of conduct
• Planning optimism
• Formulation and appearance
Administrative and organisational security

• Administrative and organisational security is the backbone of information security work.
• Administrative security is often the reason for serious information security problems (together with malicious software and junk mail).
• The EC personal data directive and the EC privacy and electronic communications directive require particular attention to organisational security.
  - e.g. internal ''Chinese walls'' concerning the use of traffic data in a communications enterprise
• Sectoral regulation may in some areas establish additional requirements.
  - Example: financial market law, in which high information security is an embedded requirement.
• Information security provisions in contracts often require organisational information security measures.
Dimensions of administrative and organisational information security

1. Security environment
   1. Ethical and moral principles and their implementation in practice
   2. Organisational policies
   3. Definition of responsibilities
   4. Organisational structure favouring security
   5. Sufficient financial resources and reliability
   6. Sufficient skills and expertise, continuous learning and education
   7. Awareness of legal and security requirements among management and personnel
2. Objectives and risks, risk management
3. Supervision and controls, security audits
4. Follow-up, reporting and learning
Personnel security

• The main sources of law concerning personnel security are the obligations set for the employee in labour legislation and the prohibition of unauthorised use of business secrets.
• In Finnish law:
  - the Act on Work Contracts
  - the Act on Security Clearances: a security clearance procedure for the protection of state security
• The main contractual instruments for personnel security are non-disclosure agreements and non-recruitment clauses.
  - Labour legislation may limit the possibilities to agree on the duration of non-disclosure and non-use clauses
Physical security

• Physical security is legally protected by the penal law provisions concerning trespassing, the inviolability of public and private premises, and damaging property.
• Certain penal law provisions recognise information security as an additional objective of legal protection. Example:
• General and particular information security provisions often require physical security measures.
  - Ex. electronic accounting documents, Ministry of Trade and Commerce Decision (47/1998) 6 § 2 parag.: double copies; the other copy shall be kept in a secure location, separate from the first copy
• Organisations' own norms often require particular physical security measures
Communications security

• Communications security is the fastest developing area of regulation
• Privacy and electronic communications directive and the implementing e-communications privacy and information security laws
• Universal service rules and communications markets: a user's access to (technically) high-quality communication services implies also a right to information security
  - example: FICORA decisions
  - information security is a part of a wider right to quality
• Electronic signatures directive and the law on electronic signatures
• The UNCITRAL model law on electronic signatures covers certain areas which have not been regulated in the EC electronic signatures directive
• The new Act on the Use of Freedom of Speech in Mass Communications
Particular security requirements for electronic signature certification service providers

• Art. 6: particular liability rules for issuers of qualified certificates
• Annex II of the directive:
  - organisational and economic security and reliability
  - personnel security and adequate personnel and expertise
  - adequate hardware and software systems and security
  - adequate data recording and prompt revocation lists
  - prohibition of storing private keys as part of key management
Hardware security / facilities security

• In the communications sector there are some particular hardware requirements.
• Hardware connected to the general communications network may not cause harm to the network or to others. Only standard-conforming equipment may be used.
• Risk division: each party bears the risks related to the hardware in its possession. This risk provision is standardly repeated in the information security provisions in contracts.
Software security

• General rules follow from the personal data directive and the privacy and electronic communications directive
• Act on Electronic Communications with the Public Authorities
• Particular problem: the liability for defective software and creating proper incentives for good software in law
Data security

• Technical measures for the protection of copyright: article 6 of the Infosoc directive (directive 2001/29/EC). In the U.S., the DMCA
• Directive on conditional access services
• Several sectoral rules on data security
• Contractual provisions often require secure storing and even deletion of stored data
  - implementation of these provisions: a follow-up report should be required
Operations security

• The electronic commerce directive establishes rules on operations security in e-commerce
• In sensitive domains operations security requires constant surveillance and instruction / training
• In security-sensitive services contractual provisions on operations security and risk division may be required
Information security provisions in contracts

• The contract is the principal governance tool of business co-operation. The contract is among the legal devices to build reasoned trust, and a tool in risk prevention and risk management.
• Due to the importance of information security risks and the strategic value of information, information security provisions are often needed in contracts.
• A good information security provision is not the transfer of all responsibility to the other party. Legislation may limit such a contract.
• The more sensitive the information risk, the more detailed and clear the contract needs to be.