DRAFT

Vision 2020
ESS IT security assurance mechanism

Compliance Process


1 Objective

The ESS IT security framework has been developed under the supervision of the ITDG to achieve secure management of data exchanges within the ESS, in particular in compliance with the Core Principles for the exchange of confidential data on business for statistical purposes endorsed by the ESSC in February 2016.

The ESS IT security framework was presented to and endorsed by the ESSC in May 2016. Its aim is to describe the mandatory conditions and controls ensuring an adequate degree of protection (confidentiality, integrity and availability) of the information being exchanged between ESS partners.

The ESS IT security assurance builds trust between ESS partners, in the belief that all ESS members preserve, with the same degree of protection, the confidentiality, integrity and availability of the confidential information transmitted to them during its processing, storage and further retransmission. Its implementation was endorsed by the November 2016 ESSC [1]. Its objectives are to ensure that the mandatory security functionalities envisaged by the ESS IT Security Framework are effectively implemented in the context of micro-data exchange, and to provide the ESS partners with an assessment/certification of the effectiveness of the implementation of the mandatory security functions in ESS premises.

The objective of the present document is to describe the process in place for measuring compliance with the ESS IT security entry pack, and the remedial actions to be applied in case an ESS partner fails the certification process.

2 Background

The objective of the IT security assurance mechanism is to ensure that the mandatory security functionalities proposed by the ESS IT security framework are implemented and to provide the ESS partners with a monitoring and reporting system. The mechanism involves all the relevant players in the ESS within the scope defined below, including NSIs, ONAs, government departments in charge of IT services to NSIs and Eurostat.

The certification process relies on a combination of (i) internal auditing by each ESS member of its own IT security controls, and (ii) an independent, third-party certification of compliance with the ESS IT security framework.

The third-party certification service, funded through the Eurostat budget, started its activities at the beginning of June 2017. The list of ESS members to be certified during 2017, 2018 and 2019 was drawn up following the ESS members' preferences communicated to Eurostat at the end of 2016.

3 Scope

Following the Core Principles endorsed by the ESSC, the ESS IT security framework and security assurance mechanism are designed to be implemented for the exchange of data with the following characteristics: (i) confidential data; (ii) focusing on intra-EU trade statistics; (iii) exchanged for the production of European statistics; (iv) exchanged between ESS members (including NSIs and the relevant involved ONAs).

4 The ESS IT Security assurance process – Non-Compliance

The results of the national internal audits carried out on the components of the ESS IT security entry pack, including supporting evidence, must be provided confidentially to the third-party certification service for validation.

The certification service will assess and analyse the transmitted evidence and complete its examination through an on-site visit to the ESS partner, in order to physically check the implementation of some of the controls and to access documentation that could not be transmitted for technical or legal reasons.

The certification service will have all the necessary technical and language skills in order to assess the evidence transmitted in the national language of the ESS member.

Based on the transmitted evidence, the on-site visit and, if needed, additional exchanged information and clarifications, the certification service will provide its conclusions on the evaluation of the ESS member.

Three conclusions of the analysis are possible:

  • all the security controls of the ESS IT Security Entry pack are fully implemented and the ESS member is 'certified' compliant with the ESS IT security framework;
  • the majority of the security controls of the ESS IT Security Entry pack are applied, but some minor security controls are not fully implemented;
  • some of the major security controls of the ESS IT Security Entry pack are not fully implemented.

In order to clarify the meaning of minor and major security controls, the list of controls from the ESS IT security entry pack has been classified with the help of the ESS IT security expert group (see Annex I). In addition, the scope of application of each control is specified: either the whole organisation or, more specifically, only the environment where the exchanged intra-EU trade microdata is hosted and managed.

In case of non-compliance, the certification service will identify any missing information and IT security gaps, and report back to the ESS member with the list of problematic controls and the related mitigation/remedial actions, together with a proposed roadmap and deadlines for implementation.

4.1 Non-Compliance towards minor controls

In case of minor non-compliance, the ESS member needs to remediate the missing or unfulfilled controls within the proposed deadline. The ESS member always has the possibility to negotiate the deadline for implementing the remedial actions as well as their priority. Once all the remedial actions have been implemented, the related evidence must be transmitted to the certification service for final analysis and certification.

4.2 Non-Compliance towards major controls

In case of major non-compliance, the ESS member receives from the certification service a proposal for remediation of the missing or unfulfilled controls, with implementation deadlines. The remedial actions and related deadlines are discussed between the ESS member and the certification service in order to reach, as far as possible, a consensus-based solution.

Three options are possible at this stage:

Option 1: The ESS member and the certification service reach a consensus regarding the remedial actions and deadlines.

Once all the remedial actions have been implemented, the related evidence must be transmitted to the central certification service for final analysis. The central certification service will then certify the ESS member based on the analysis of the supplied additional elements and, if necessary, an additional on-site visit.

Option 2: The ESS member is not in a position to implement the remedial actions and/or to meet the deadlines.

If the ESS partner is unable to effectively implement the specific security controls in the ESS security entry pack (baseline controls), or when, due to the specific nature of the information systems or environments of operation, the controls are not a cost-effective means of obtaining the needed risk mitigation, it is possible to launch a procedure for using compensating security controls. Compensating controls are alternative security controls employed by ESS partners in place of the recommended controls presented in the IT security entry pack.

Compensating controls may be employed by ESS partners under the following conditions:

  • The ESS partner provides a supporting rationale for how the compensating controls provide equivalent security capabilities for the organisational information systems and why the baseline security controls could not be employed;
  • The compensating controls and the timeline for their implementation are part of a procedure for exception to the ESS IT security entry pack. They are discussed as a measure for mitigating the identified risk, with the support of the ESS IT security expert group through written consultation. The discussion and input by the ESS IT security expert group members cannot take more than 2 weeks;
  • The compensating controls, together with the advice of the ESS IT security expert group regarding the applicability of the controls and the potential residual risks, are presented for endorsement by written consultation of the ITDG. The ITDG has 2 weeks to make comments/modifications to the procedure. The new controls must be accepted by all the members of the ITDG;
  • The ESS, through the endorsement of the ITDG, assesses and accepts the risk associated with implementing compensating controls in the ESS partner's information systems;
  • The use of compensating controls is valid for a maximum of 3 years from the endorsement by the ITDG. The ESS partner still has the duty to implement the baseline security controls.

Once endorsed by the ITDG, the compensating controls for the specific ESS partner are communicated to the certification service. The ESS partner has the duty to submit the related evidence of implementation of the compensating controls to the certification service for analysis and, if adequate, for certification.

Option 3: The ESS member cannot implement the remedial actions and/or meet the deadlines, and cannot implement compensating controls either.

In such a case, the ESS partner cannot be considered as meeting the mandatory IT security requirements regarding the transmission and protection of Intra-EU trade information. The non-compliance is reported immediately to the ESSC for information. The ESSC will then take the necessary and appropriate measures, for example no longer sending Intra-EU trade microdata to the ESS partner and/or asking it to delete any information received previously in relation to intra-EU trade statistics.

4.3 Specific cases

Private Clouds

As discussed at the May 2016 ESSC, regarding the use of private clouds or support from external private/institutional service provider(s), ESS members need to build appropriate chains of trust when dealing with the many issues associated with information system security. The level of trust between ESS partners should therefore be extended to any service provider(s), so that those services receive adequate protection. In such a case, the audit is based on the SLAs and reports received, covering some of the key security controls, e.g. access control and encryption key management. If a service provider/contractor fails the security controls, the non-compliance clauses apply.

ONAs

In case ONAs are mandated for the provision and use of intra-EU trade microdata, they should respect the rules established in the ESS IT Security framework and follow the same compliance and protection rules as NSIs. For the certification mechanism, the certification service will interact directly with the relevant ONA or involve the NSI as intermediary, depending on the specific national institutional arrangements. The results of the certification process will in any case be communicated to both the ESS partner and the ONA. As the ONA is not represented in the ESS IT security expert group, the related ESS partner will have the duty to present and defend the compensating controls.

Disagreement/dispute between certification service and ESS partner

In case of a dispute between the certification service and an ESS partner, Eurostat will play an arbitration role in the discussions and, if necessary, seek the advice either of the ESS IT security expert group, if it is a technical issue, or of the ITDG, if the dispute/disagreement is more of an administrative or legal issue.


Annex 1 – List of controls with impact and scope (UNDER REVISION)

Each control is listed under its compliance assessment area (section reference and section name), followed by its initial assessment points. Each assessment point carries its classification (Major or Minor) and its scope of application in square brackets.

A.2. Information Security Policies
A.2.1. Management direction for information security
A.2.1.1 Policies for information security
  • Information security policies have been defined [Major; general]
  • Information security policies have been approved by top organisation management [Major; general]
  • Policies have been internally published [Major; general]
  • Policies have been communicated to relevant parties, employees and external parties [Major; general]
A.2.1.2 Review of the policies for information security
  • Policy review is set at a specific interval (at least yearly) or when significant corporate changes related to information security occur [Major; general]
  • The review period is approved by management [Major; general]
  • The adequacy of the information security policy is reviewed [Major; general]
  • The effectiveness of the information security policy is reviewed [Major; general]

A.3. Organisation of information security
A.3.1. Internal Organisation
A.3.1.1 Information security roles and responsibilities
  • Information security roles and responsibilities have been defined within the organisation [Major; general]
A.3.1.2 Segregation of duties
  • Duties and areas of responsibility are separated in order to reduce opportunities for unauthorised modification or misuse of information or services [Major; general]
  • Assets are protected against unauthorised or unintentional modifications [Major; general]
  • Assets are prepared to minimise opportunities of misuse or abuse [Major; general]
A.3.1.3 Information security in project management
  • Information security assessment is included in project lifecycle management [Minor; in relation with INTRASTAT management and the SIMSTAT information system]

A.4. Human resources security
A.4.1. Prior to employment
A.4.1.1 Terms and conditions of employment
  • Employees, contractors and third-party users have signed confidentiality and non-disclosure agreements [Major; general]
A.4.2. During employment
A.4.2.1 Management responsibilities
  • Managers at all levels are engaged in driving security within the business [Major; general]
  • Management behaviour encourages all employees, contractors and third-party users to apply security in accordance with corporate policies and procedures [Major; general]
A.4.2.2 Information security awareness, education and training
  • Internal employees, contractors and third-party users receive regular information security updates [Major; general]
  • Internal employees, contractors and third-party users are aware of information security policies and procedures and keep up to date with the latest changes [Major; general]
  • Internal employees, contractors and third-party users undergo regular security awareness training appropriate to their role and function within the organisation [Major; general]

A.5. Asset management
A.5.1. Responsibility for assets
A.5.1.1 Inventory of assets
  • Assets are inventoried, associating each of them with information and information processing facilities [Major; focusing on the SIMSTAT environment and other environments using SIMSTAT data]
  • The asset inventory is accurate and kept up to date [Major; focusing on the SIMSTAT environment and other environments using SIMSTAT data]
A.5.1.2 Acceptable use of assets
  • An acceptable use policy for each type of information asset is in place [Major; general]
  • Users are made aware of the existence of this policy prior to asset usage [Major; general]
A.5.1.3 Return of assets
  • A process is in place to ensure all employees return the organisation's assets on termination of their employment, contract or agreement [Minor; general]
A.5.2. Information classification
A.5.2.1 Classification of information
  • An information classification scheme is defined and used [Major; general]
  • Information is classified according to the applicable legal requirements [Major; general]
  • Information is classified according to the sensitivity of possible unauthorised disclosure or modification [Major; general]
  • Information is classified according to how valuable it is to the organisation (alignment with business objectives) [Major; general]
A.5.2.2 Labelling of information
  • Information labelling procedures are in accordance with the information classification scheme [Major; general]
  • There is a process or procedure for ensuring the information classification is appropriately marked on each asset [Major; focusing on the SIMSTAT environment and other environments using SIMSTAT data]
A.5.2.3 Handling of assets
  • There is a procedure for handling each information classification [Minor; general]
  • The procedure for information handling is in accordance with the information classification scheme [Minor; general]
  • Users of information assets are made aware of the corporate procedure [Major; general]
A.5.3. Media handling
A.5.3.1 Management of removable media
  • There is a policy in place governing removable media [Minor; cases where external hard disks or any removable media are used to transfer Intrastat information]
  • There is a process covering how removable media is managed [Minor; focusing on the SIMSTAT environment and other environments using SIMSTAT data]
  • Processes are aligned with the information classification scheme [Minor; focusing on the SIMSTAT environment and other environments using SIMSTAT data]
A.5.3.2 Disposal of media
  • There is a formal procedure in place governing how removable media that is no longer required is disposed of [Minor; focusing on the SIMSTAT environment and other environments using SIMSTAT data]
A.5.3.3 Physical media transfer
  • There is a policy document and process detailing how physical media should be transported [Minor; focusing on the SIMSTAT environment and other environments using SIMSTAT data]
  • Media in transport is protected against unauthorised access, misuse or corruption [Minor; focusing on the SIMSTAT environment and other environments using SIMSTAT data]

A.6. Access control
A.6.1. Business requirements for access control
A.6.1.1 Access control policy
  • There is a documented access control policy in place [Major; general]
  • The policy document is based on business requirements [Major; general]
  • The policy is communicated appropriately [Major; general]
A.6.1.2 Access to networks and network services
  • Controls are in place to ensure users only have access to the network resources they have been specifically authorised to use and that are required for their duties [Major; focusing on the SIMSTAT environment and other environments using SIMSTAT data]
A.6.2. User access management
A.6.2.1 User registration and de-registration
  • There is a formal user access registration process in place [Major; general]
A.6.2.2 User access provisioning
  • There is a formal user access provisioning process in place to assign or revoke access rights for all user types and services [Major; general]
A.6.2.3 Management of privileged access rights
  • Privileged access accounts are separately managed and controlled [Major; focusing on the SIMSTAT environment and other environments using SIMSTAT data]
A.6.2.4 Management of secret authentication information of users
  • There is a formal management process established to control the allocation of secret authentication information [not implemented] [Major; general]
A.6.2.5 Review of user access rights
  • There is a process for asset owners to review access rights to their assets on a regular basis [Minor; general]