EUROPEAN COMMISSION
EUROSTAT
Directorate B: Methodology; Corporate statistical and IT services

Contact: Eurostat LISO

Guidelines for the implementation of the ESS Core IT Security Framework

Index

1. Introduction

1.1. Objective

1.2. Scope

2. Security Policy Management

2.1. Management direction for information security

3. Organization of information security

3.1. Internal organization

4. Human resource security

4.1. Prior to employment

4.2. During employment

5. Asset management

5.1. Responsibility for assets

5.2. Information classification

5.3. Media handling

6. Access control

6.1. Business requirements of access control

6.2. User access management

6.3. User responsibilities

6.4. System and application access control

7. Cryptography

7.1. Cryptography controls

8. Physical and environmental security

8.1. Secure areas

8.2. Equipment

9. Operations security

9.1. Operational procedures and responsibilities

9.2. Protection from malware

9.3. Backup

9.4. Logging and monitoring

9.5. Control of operational software

9.6. Technical vulnerability management

10. Communications security

10.1. Network security management

10.2. Information transfer

11. System acquisition, development and maintenance

11.1. Security requirements of information systems

11.2. Security in development and support processes

12. Supplier relationships

12.1. Information security in supplier relationships

13. Information security incident management

13.1. Management of information security incidents and improvements

14. Information security aspects of business continuity management

14.1. Information security continuity

15. Compliance

15.1. Compliance with legal and contractual requirements

1. Introduction

1.1. Objective

The objective of this document is to provide a common framework, applicable to all ESS members and to exchanges between them, on the security measures to be put in place in order to build common and mutual trust.

The purpose is to provide the basic guidelines covering the entry pack level of the security controls to be implemented by the organizations and information systems supporting the ESS.

The framework and related guidelines have been developed to achieve more secure information systems and effective risk management within the ESS by:

  • Facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems and organizations;
  • Providing a stable list of security controls meeting current information protection needs and the demands of future protection needs based on changing threats, requirements, and technologies;
  • Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness;
  • Facilitating communication and information exchange among ESS members regarding IT security.

1.2. Scope

The scope of the security framework is "management and exchange of microdata between member states". This "ESS Core IT Security Framework Guidelines" document, prepared by the ESS expert group, focuses only on this defined scope, covering entry pack level controls.

2. Security Policy Management

2.1. Management direction for information security

Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.

2.1.1. Policies for information security (5.1.1)

Control

A set of policies approved by the top management should be defined, published and communicated to all employees, external contractors and relevant parties.

Guidelines

A general corporate information security policy statement should be prepared. This statement should clarify the information security objectives and how threats in the security environment (current and projected) are to be treated.

A high-level presentation of the scope of the information security policy should be provided, including:

a) Strategic business needs and requirements

b) Organizational legal requirements:

  • Regulatory requirements
  • Legislative requirements
  • Contractual requirements

The core of the information security policy should include:

  • Information security definition, objectives and principles, using basic principles to guide information security activities;
  • Information security management responsibilities, assigning general and specific responsibilities to defined roles;
  • Processes for handling deviations and exceptions.

The information security statement should be supported by concrete policies at a lower level, which further mandate the implementation of information security controls. Those are usually structured to address the needs of specific groups within an organization (e.g. teleworkers) or to cover certain topics (e.g. statistical confidentiality and SDC).

Examples of such policy topics include:

a) access control

b) information classification (and handling)

c) physical and environmental security

d) end user oriented topics such as:

  1. acceptable use of assets
  2. clear desk and clear screen
  3. information transfer
  4. mobile devices and teleworking
  5. restrictions on software installations and use

e) backup

f) information transfer

g) protection from malware

h) management of technical vulnerabilities

i) cryptographic controls

j) communications security

k) privacy and protection of personally identifiable information

l) supplier relationships

Through an information security awareness, education and training programme (4.2.2), these policies should be communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to all stakeholders.

Evidences

The latest version of the general policy statement, as well as the topic-specific policies, should be provided. Those documents should be available in English and published on the NSI's website.

2.1.2. Review of the policies for information security (5.1.2)

Control

Information security policies should be reviewed at regular intervals or whenever significant change occurs, to ensure their continuing suitability, adequacy and effectiveness.

Guidelines

Each information security policy approved by top-level management should have an owner responsible for its development, review and evaluation.

The review of the policies for information security should include:

a) Assessing opportunities for improvement

b) Responding to changes in the organizational environment, business circumstances, legal conditions or technical environment

Evidences

An adequate frequency for information security policy review should be provided, with a maximum interval of one year between reviews.

Management may approve the review periodicity. Finally, each policy document should contain a document history and/or revision history with at least the document version, date and approver name, to ensure that the document is reviewed within the planned intervals.

3. Organization of information security

3.1. Internal organization

A management framework should be established to initiate and control the implementation of information security within the organization. Management should approve the information security policy, assign security roles and co-ordinate and review the implementation of security across the organization.
If necessary, a source of specialist information security advice should be established and made available within the organization. Contacts with external security specialists or groups, including relevant authorities, should be developed to keep up with industrial trends, monitor standards and assessment methods and provide suitable liaison points when handling information security incidents. A multi-disciplinary approach to information security should be encouraged.

3.1.1. Information security roles and responsibilities (6.1.1)

Control

Information security roles and responsibilities within the organization should be defined and allocated.

Guidelines

Security policies should assign information security responsibilities within the organization, and staff should act in accordance with them. Responsibility for the protection of individual assets may be identified as part of these information security responsibilities. They also cover risk management activities, including the acceptance of residual risk. Assets and information security processes should be identified and defined, with a responsible entity assigned to each and the details of this responsibility documented.

Security tasks may be delegated by the person responsible for security to others, but that person remains accountable for all tasks and should ensure that they have been performed correctly.

Authorization levels should be defined, ensuring that individuals appointed to information security responsibilities meet a minimum level of qualification.

Evidences

An organizational chart should be provided, highlighting security roles and providing job descriptions for them. Background references for security positions should be provided in order to assess the minimum required qualifications.

3.1.2. Segregation of duties (6.1.2)

Control

Assets should be protected against unauthorized or unintentional modifications by segregating conflicting duties and responsibilities, minimizing opportunities for asset misuse or abuse.

Guidelines

Controls should be designed and implemented to prevent a single person from accessing, modifying or using assets outside their responsibilities. Duties should be separated so that an unauthorized employee cannot initiate an event on their own.

Evidences

Provide proof of the controls in place (e.g. screenshots, configurations) that ensure appropriate segregation of duties, and a list of users based on a role-based access control (RBAC) approach.

3.1.3. Information security in project management (6.1.5)

Control

Information security should be part of the process in every project addressed by the organization.

Guidelines

In order to cover all information security risks that may exist in a project, information security should be integrated into the project management process. Information security objectives should be added to the project objectives, making information security a central part of each project phase and defining information security responsibilities.

Information security risk assessments should be done in the beginning of each project, ensuring that needed controls are identified.

Finally, regular reviews should be carried out for each project, addressing all possible information security issues and implications.

Evidences

Provide the organization's project management processes, showing that security is part of them, and proof that security requirements have been communicated for a specific internal project.

4. Human resource security

4.1. Prior to employment

Security responsibilities should be addressed prior to employment in adequate job descriptions and in terms and conditions of employment. All candidates for employment, contractors and third party users should be adequately screened, especially for sensitive jobs. Employees, contractors and third party users of information processing facilities should sign an agreement on their security roles and responsibilities.

4.1.1. Terms and conditions of employment (7.1.2)

Control

Information security responsibilities should be specified using contractual terms and conditions for employees, contractors and third parties.

Guidelines

The contractual obligations of employees and contractors should reflect the following points related to information security policies:

a) Signing a confidentiality or non-disclosure agreement (10.2.4) if access to confidential information is needed

b) Legal responsibilities and rights (e.g. copyright law, data protection legislation (15.1.3))

c) Responsibilities for the classification of information and management of corporate assets (Clause 5)

d) Handling of information received from other companies or third parties

e) Actions to be taken if the organization's security requirements are disregarded

Information security terms and conditions should be accepted before employees and contractors get access to organization assets associated with information systems and services.

Evidences

Provide a contract sample for employees and contractors, signed by all stakeholders where all above points are reflected.

4.2. During employment

Management responsibilities should be defined to ensure that security is applied throughout an individual's employment within the organization. An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks. A formal disciplinary process for handling security breaches should be established.

4.2.1. Management responsibilities (7.2.1)

Control

All employees and contractors should be required to apply the organization's information security policies and procedures, as endorsed by management.

Guidelines

Management should act as information security role models, supporting organization policies, procedures and controls, enforcing them and motivating employees and contractors.

At the same time, management should make people aware of their responsibilities, clarifying the information security responsibilities of each job and expecting people to achieve a certain level of security awareness. Management should enforce the terms and conditions for employees and contractors, using appropriate working methods.

All personnel should meet the minimum qualifications to be competent in their daily tasks; management should ensure that the right skills and qualifications are in place and that people's knowledge is followed up. Management should set up a confidential channel for reporting violations of security policies and procedures.

Evidences

Provide a sample of internal communication signed by management supporting information security policies, proof of the corporate channel created for reporting security policy and procedure violations, and an inventory of incidents reported by users as proof of employees' awareness.

4.2.2. Information security awareness, education and training (7.2.2)

Control

Employees and contractors of the organization should receive information security updates that keep them aware of the organization's security policies and procedures and their latest changes, and should receive appropriate training and education according to their job responsibilities.

Guidelines

The organization's security policies and procedures should ensure that the information security awareness programme complies with them, providing employees and contractors with information appropriate to their roles.

The awareness programme should cover all information relevant to employees and contractors, such as their specific security obligations, the information that should be protected and the controls to be adopted.

The information security awareness programme may be delivered in different ways, such as:

a) Booklets and newsletters to raise awareness

b) Campaigns to raise security awareness

c) Classroom-based teaching methods

d) Web-based teaching methods

e) Self-paced learning methods

f) Distance learning methods

Awareness activities should be scheduled at a specific regular period for current employees, new employees and role changes. The activity should cover the importance of complying with policies, legislation, regulations, agreements, standards and contracts, and should address information security expectations and responsibilities. Acceptable usage policies (e.g. the clear desk and clear screen policy) may be included in the training. Users should be given points of contact in the security department for additional information, further training materials or training resources.

At the end of the information security awareness programme, users should be evaluated to ensure that they comply with the organization's policies and procedures and security measures, and as proof of attendance. The awareness programme may be updated based on lessons learnt from security incidents.

Evidences

A sample training presentation document should be provided, complemented by an attendance list with signatures. The training date should be included in the attendance list in order to prove the frequency of the training. Training evaluations (questionnaire and marks) should be provided, as well as internal communications within security awareness campaigns. Internal channels, websites or web-based courses, if any, should also be demonstrated (e.g. using screenshots).

5. Asset management

5.1. Responsibility for assets

All assets should be accounted for and have a nominated owner. Owners should be identified for all assets and the responsibility for the maintenance of appropriate controls should be assigned. The implementation of specific controls may be delegated by the owner as appropriate but the owner remains responsible for the proper protection of the assets.

5.1.1. Inventory of assets (8.1.1)

Control

Corporate assets that contain information, and information processing facilities, should be identified and an inventory containing all of them compiled and maintained.

Guidelines

In order to protect corporate assets associated with information, the organization should:

a) Identify assets in the lifecycle of information

b) Document the importance of each asset, aligned with business objectives

c) Include in the lifecycle of information the creation, processing, storage, transmission, deletion and destruction processes

d) Maintain documentation in dedicated or existing repositories, adequately protected (Clause 7)

e) Assign ownership for each identified asset, identifying its information classification

Evidences

Provide an asset inventory with the owner of each asset and all relevant information needed for asset identification.

5.1.2. Acceptable use of assets (8.1.3)

Control

Rules for the acceptable use of assets associated with information and information processing facilities should be defined, documented and implemented.

Guidelines

All employees working in corporate facilities, as well as third parties, should:

a) Be aware of the information security requirements of the organization related to information, information processing facilities and resources

b) Be responsible for their use of any information processing resources

Evidences

Provide a sample of acceptable use policy for corporate assets and internal communication sent to all users to be aware about this policy.

5.1.3. Return of assets (8.1.7)

Control

All employees, contractors and external parties should return corporate assets associated with information processing facilities when their employment or contract ends.

Guidelines

A process should be in place to ensure that employees return physical and electronic assets in a formal way when their employment or contract ends. Valuable knowledge held by departing personnel should be preserved, documented and transferred before they leave the company. Unauthorized copying of company information during the notice period of termination should be controlled and prevented.

Evidences

Provide security process sample for asset return for employees and how it is integrated into corporate processes.

5.2. Information classification

Information should be classified to indicate the need, priorities, and expected degree of protection when handling the information. Information has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. An information classification scheme should be used to define an appropriate set of protection levels and communicate the need for special handling measures.

5.2.1. Classification of information (8.2.1)

Control

Corporate information classification scheme should be adopted, in order to comply with applicable legal requirements, prevent unauthorized disclosure or modification of sensitive information and classify information according to criticality for corporate business.

Guidelines

The information classification scheme should be designed to meet applicable legal requirements, follow the access control policy and address business needs. The scheme should allow both information sharing and access restriction. Asset owners should be accountable for applying the classification, ensuring consistency and a common understanding. The classification levels adopted should have intuitive names, so that all employees classify information in the same way. It should be ensured that the security measures protecting confidential information are widely understood, and that the information security principles of confidentiality, availability and integrity are covered and understood.

The information classification scheme should be included in corporate processes to ensure that valuable, sensitive and critical information is protected. A lifecycle for information classification should be in place, aligned with organizational changes, and reviewed to reflect changes in requirements (e.g. confidentiality, availability, integrity) and changes in the information (e.g. value, criticality, sensitivity).