Information Security (Management) at Stake in Belgium v1.1


Upload: dominique-volon

Posted on 19-Jan-2017


Page 1: Information Security (Management) at Stake In Belgium v1.1

INFORMATION SECURITY (MANAGEMENT) AT STAKE IN BELGIUM

Dominique Volon
Trusted Advisor – Sr Manager in IT & Information (Cyber) Security
Former DG of FEDICT for Information Security Management, IT Service Management, Legal (privacy) and Public Procurement
http://be.linkedin.com/pub/dominique-volon/a/440/864

A ‘long’ journey from 2003 to 2016

1Copyright 2016 Dominique Volon – IT Transforming For Benefits – V1.1 – 06-10-2016

Page 2

AGENDA
- Aim of the presentation / We live in an Information Society!
- Information Security Management: what's in it for me? Where should it apply?
- Protection of e-government social security assets (BCSS)
- Protection of other e-government assets (FEDICT)
- Be-Aware: evangelisation of the Federal Public Services
- Institutional public landscape in Belgium
- A glimpse at the legal contexts
- Be-Networked: BelNIS, federal State level -> Belgian Centre for Cybersecurity
- Epilogue, continuum

Page 3

AIM OF THIS PRESENTATION
- To relate the journey made so far to make the field and political actors aware of Information Security Management in Belgium
- To give you a view of the enormous involvement of field security actors in shaping the Belgian Information Society
- And the need to continue!

Page 4

WE LIVE IN AN INFORMATION SOCIETY!
- Development of society's education from the Arts, Science and Religion
- Speeding up and spreading information and knowledge through monks and the printed Bible
- Revolutions separating political power from religion (1589 - 1789)
- Industrial progress: electricity (Edison), wireless telegraphy / TSF (Marconi), telephone (Bell), TV
- Faster evolution of counting machines and computers (1920s -> now)
- Digitisation of physical phenomena (A/D, D/A converters), transported at the speed of light through glass and air (optical fibres, satellites)
- The network is the computer, information is a valued asset -> IoT

Page 5

WE LIVE IN AN INFORMATION SOCIETY!
Information has become an intelligence factor for businesses in all sectors of the economy.

We want to know the consumption and living habits of people:
- to attract them and propose new services in real life: e-banking and payment services, entertainment, e-health and social security services, e-learning, e-commerce;
- or simply to make life easier through a bunch of digital channels.

BUT what happens if these channels, and the providers at the end of them, are not protected?

Our present and forthcoming way of life will be jeopardised (privacy, denial of service!).

We need Information Security Management at mass media level!

Page 6

INFORMATION SECURITY MANAGEMENT: WHAT'S IN IT FOR ME?
What is the value of Information Security Management at mass media level in our life?
- Known and safe usage of secured IT services over the Internet
- A cyberspace made safer for both consumers and providers
- Trust in using information and telecommunication means
- Chasing the bad actors off the Web (criminality and terrorism)
- Protection of our way of life

Realising it means:
- adopting a systems-wide protection strategy and policy for our country-wide critical information assets;
- adopting an 'enlightened' behaviour when using cyberspace.

Page 7

WHERE SHOULD INFORMATION SECURITY APPLY?
How to obtain Information Security Management at mass media level in our life?
- Be aware! Risk and threat evaluation is an ongoing practice for making, using and distributing information on a need-to-know basis.
- Protect our way of life by adopting a systems-wide approach, a vision for Information Security and protection policies for our country-wide critical information assets:
  social security, health; transport (ports and civil aviation); energy (electricity, gas, petrol); finance (NBB, banks) and telecom operators; education (universities, R&D); the economy itself; federal and federated public services; political levels.

Page 8

PROTECTION OF E-GOVERNMENT SOCIAL SECURITY ASSETS (CBSS – BCSS – KSZ)
Security governance for the social sector. Assets to be protected:
- social security rights and health practice for the Belgian population;
- the capacity of information exchange between social security actors;
- data privacy.

Response: a federated capacity of exchanging information using safe and reliable electronic means across all actors of the sector:
- the Crossroads Bank for Social Security (CBSS – BCSS – KSZ), started in the early 1990s;
- the eHealth platform federating health practitioners.

Both implement a strong Information Security Management strategy and policy within a legal framework based on a Royal Decree of 1993 and the presence of Information Security Officers.

Page 9

PROTECTION OF E-GOVERNMENT ASSETS (CBSS – BCSS – KSZ)
[Diagram: high-level view of the BCSS network] BCSS (eHealth) connected to: FPS Social Security & Health, CPAS/OCMW, INASTI, OSSOM, INAMI/RIZIV, ONAFTS, ONP, ...
Transformation at stake for the 6th State Reform.
Only a high-level view; the BCSS network is much larger.

Page 10

PROTECTION OF E-GOVERNMENT ASSETS (FEDICT: FEDERAL PUBLIC SERVICE ICT)
Security governance for FEDICT. Assets to be protected (the catalogue of e-gov services):
- the digital identity of the Belgian population, using the eID;
- the accesses to the federal portal services;
- the federal portal services themselves, giving access to authentic sources such as the Crossroads Bank of Enterprises, the CBSS or FPS Finance (Tax-on-Web application).

Trust has to be built when using communication services: the FedMan network; middleware(s); communication services such as mail relay, file transfer and remote access. Offering a secured and reliable availability of 99.5%, close to 24/7, and continuity of service.

Page 11

PROTECTION OF E-GOVERNMENT ASSETS (FEDICT)
Security governance for FEDICT. Response for digital identity:
- Establishing the eID pilot and roll-out programme with the National Register
- Royal Decree for the eID card; governance of the Certification Authority (Belgian root PKI); service management and monitoring; live verification of business continuity
- Performing a risk assessment of the cryptography with COSIC (KU Leuven) and the Crypto Lab (UCL)
- eID proxy, eID middleware and eID card readers with IT industry actors (Microsoft)
- Encouraging usage of the eID by linking with AGORIA and security initiatives (L-SEC), a pilot with Ethias, and presentations to cities

Page 12

PROTECTION OF E-GOVERNMENT ASSETS (FEDICT)
Response for protecting accesses to www.belgium.be:
- Perimeter security defence in several network zones (V1, V2) for the public interface
- IAM (simple and strong authentication) integrated with user management, mandates and federation of identities (led to the e-gov logon and the CSAM federal logon)
- Disaster Recovery Planning on two nodes for V1; full Business Continuity / DRP planning for V2
- FedMan protection (technical measures and the CERT.be organisation)
- Regular, ongoing vulnerability scanning

Page 13

PROTECTION OF E-GOVERNMENT ASSETS (FEDICT)
Response for the portal services themselves:
- Escrow service for the software developed for the portal
- Business Impact Analysis for Tax-on-Web, verifying the DRP
- Negotiation of tight SLAs and penalties with Accenture

Managed secured services to protect the communication channels:
- Secured mail relay and file transfer, secured remote access (VPN/SSL)
- Additional shared firewall service
- Digital certificates for critical servers
- Vulnerability scanning

Page 14

BE-AWARE: EVANGELISATION OF THE FEDERAL PUBLIC SERVICES
Security governance for the Federal Public Services (13):
- Starts with awareness of ISM among the chairmen, around the Business Continuity theme
- Recruiting a CISO and an ISO team focused on risk assessment and continuity, as the start of the security expertise pole
- Organising an InfoSec forum inside the Federal Public Services with the CISO and the ISOs of the FPSs
- Animating the forum and adopting ISO 27k as the InfoSec framework
- Defining the roles and responsibilities of the ISO and an organic career inside the public services via FPS P&O
- Standards and best practices for Information Security Management

Page 15

BE-AWARE: EVANGELISATION OF THE FEDERAL PUBLIC SERVICES
Security governance for the Federal Public Services (13):
- Royal Decree for the formal nomination of an ISO reporting to the chairman of each FPS
- InfoSec expertise available in the Fedict service catalogue for all FPSs, OIPs and Regions
- Business Impact / Risk Assessment to derive the protection measures
- Presence in the Business Continuity Steering Committee of FPS Finance (BIA-DRP capabilities)
- General advice to the Regions on InfoSec matters (governance, R&R)
- Offering of Managed Security (and Secured) Services available from the Fedict catalogue

Page 16

INSTITUTIONAL BELGIAN LANDSCAPE
Federal Public Services: 10 sectoral + 4 horizontal (will change with the 6th State Reform)
- FPS Interior: National Register, accountable for managing the organic identification of the Belgian population and keeping it up to date inside the National Register
- FPS Economy: accountable for the economy, consumer regulations, ... and the Crossroads Bank of Enterprises
- FPS Finance: accountable for funding the State by collecting taxes
- FPS Justice: accountable for justice (courts, prisons, law and law enforcement)
- FPS ICT (FEDICT): accountable for e-government (except in the social security sector -> BCSS)
-> description of the federal public services on www.belgium.be

Page 17

INSTITUTIONAL BELGIAN LANDSCAPE
Public services nested at federal level dealing with InfoSec:
- ANS-NVO [National Security Authority, NSA] – FPS Foreign Affairs: cares for security clearances and for the accreditation of information systems handling classified information
- Computer Crime Unit (federal and regional) – FPS Interior (Police): cares for cybercrime in civil society in general and investigates complaints
- Crisis Centre – FPS Interior: cares for the coordination of a crisis from the viewpoint of the emergency services when the damage reaches level 4 in the country; liaises with the Province Governors
- SGRS [Military Intelligence] – FPS Defence: accountable for military intelligence and military security
- State Security – FPS Justice: civil intelligence, security clearance enquiries

Page 18

INSTITUTIONAL BELGIAN LANDSCAPE
Other legal institutions: Commission de la Protection de la Vie Privée (Privacy Commission)
- Commission established by Parliament, composed of magistrates and experts
- Issues authorisations for the processing of personal data in information systems according to the laws of 1992, 1998 and 2003
- Gives exemptions in case of public security / State interest

FEDICT is the sectoral authority that introduces the FPSs' authorisation files to the Privacy Commission to obtain authorisation for personal data processing in the federal information systems.

Page 19

A 'GLIMPSE' AT THE LEGAL CONTEXTS
Belgium and European Union: identity and signature; protection of vital assets; privacy; intellectual property; criminality; organisation of the federal authorities.

Outside the European Union (United States): US Safe Harbour ... US Patriot Act.

Page 20

A 'GLIMPSE' AT THE LEGAL CONTEXTS
Identity & Signature
FPS Interior – the National Register is the custodian of the identity of Belgians from their birth until their death. Each Belgian is assigned a single, unique National Register Number whose first sequence is the birth date (YYMMDD).
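As an added illustration of that identifier (example code, not part of the presentation): the public format of the number is YYMMDD (birth date) + SSS (daily sequence number, odd for men, even for women) + CC (two check digits). The check-digit rule encoded below, 97 minus the first nine digits modulo 97, with a '2' prefixed to those nine digits for people born from 2000 onwards, is assumed from the public format; the slide itself only states that the number starts with the birth date. The century is not stored in the number, so a validator has to try both interpretations and let the check digits decide. The sample numbers are constructed for the example. Bis numbers and the encodings used when the birth date is unknown are out of scope.

```python
"""Validator and generator for the Belgian National Register Number (NRN).

Added example; not code from the original presentation. Assumed format:
  YYMMDD (birth date) + SSS (daily sequence, odd = male, even = female)
  + CC (check digits) where CC = 97 - (first nine digits mod 97); for
  births in or after 2000 the nine digits are prefixed with '2' first.
The NRN is personal data: a real system must never log the value it checks.
"""
import re
from datetime import date
from typing import NamedTuple, Optional

# Accepts "85.03.15-123.69", "850315-123.69" and the bare 11 digits.
_NRN_RE = re.compile(r"^(\d{2})\.?(\d{2})\.?(\d{2})[-.]?(\d{3})\.?(\d{2})$")


class Nrn(NamedTuple):
    birth_date: date
    sequence: int
    check: int
    sex: str  # "M" for an odd sequence number, "F" for an even one


def _check_digits(nine_digits: str, born_after_1999: bool) -> int:
    """Assumed check-digit rule (mod 97, '2' prefix for births >= 2000)."""
    base = ("2" + nine_digits) if born_after_1999 else nine_digits
    return 97 - (int(base) % 97)


def parse_nrn(value: str) -> Optional[Nrn]:
    """Return the decoded number, or None when format or check digits are wrong.

    Both centuries are tried; the one whose check digits match wins, and the
    resulting date must also be a real calendar date.
    """
    m = _NRN_RE.match(value.strip())
    if not m:
        return None
    yy, mm, dd, seq, cc = m.groups()
    nine = yy + mm + dd + seq
    for century, post_1999 in ((1900, False), (2000, True)):
        if _check_digits(nine, post_1999) != int(cc):
            continue
        try:
            born = date(century + int(yy), int(mm), int(dd))
        except ValueError:
            return None  # check digits match but the date does not exist
        sequence = int(seq)
        if not 1 <= sequence <= 998:
            return None
        return Nrn(born, sequence, int(cc), "M" if sequence % 2 else "F")
    return None


def is_valid_nrn(value: str) -> bool:
    return parse_nrn(value) is not None


def make_nrn(born: date, sequence: int) -> str:
    """Build a correctly formatted number for a constructed (test) identity."""
    nine = f"{born:%y%m%d}{sequence:03d}"
    cc = _check_digits(nine, born.year >= 2000)
    return f"{nine[:2]}.{nine[2:4]}.{nine[4:6]}-{nine[6:]}.{cc:02d}"


if __name__ == "__main__":
    # Constructed sample values, not real identities.
    for sample in ("85.03.15-123.69", "05.11.02-045.09", "85.03.15-123.68"):
        print(sample, "->", parse_nrn(sample))
```

The two-century loop is the point of the example: "05" alone cannot tell 1905 from 2005, and a validator that only checks the bare modulo 97 will reject every number issued for someone born after 1999.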

Royal Decree on the eID (format, information data fields, digital certificates on the eID card): the eID combines the legal definition of a document and of a digital container holding strictly the data needed to identify the card holder and locate his or her official residence, plus two digital certificates, one to authenticate and one to sign documents, the latter with the value of a qualified signature equivalent to a handwritten one.

Electronic signature: EU Directive 1999/93/EC, transposed by the Belgian law of 9/7/2001 on electronic signatures and certification services. An electronic signature cannot be denied legal effect in court solely because it is in electronic form. A qualified electronic signature uses a qualified certificate issued by an accredited Certification Authority. (Since 1 July 2016 this matter is governed by the eIDAS Regulation 910/2014, which repealed the 1999 Directive.)

FPS Economy controls and accredits Certification Authorities (e.g. Certipost).

Page 21

A 'GLIMPSE' AT THE LEGAL CONTEXTS
Protection of vital assets: classified information
Classified information is handled by individuals and by information systems. The law of 11/12/1998 paved the way for information classification and security clearance for individuals (and firms) handling this type of information, enforced by the Royal Decree of 24/3/2000. Classification, and the clearance required of individuals, is set according to the damage that would result if the information were disclosed. A Royal Decree of 2013 sets the fees for obtaining a clearance.

Damage to national security if disclosed | BE                     | EU              | NATO
Very serious                              | TRES SECRET            | TRES SECRET UE  | Cosmic Top Secret (CTS)
Serious                                   | SECRET                 | SECRET UE       | NATO Secret (NS)
Breach                                    | CONFIDENTIEL           | CONFIDENTIEL UE | NATO Confidential (NC)
Effect                                    | (diffusion restreinte) | RESTREINT UE    | NATO Restricted (NR)
None                                      | -                      | -               | NATO Unclassified

Page 22

A 'GLIMPSE' AT THE LEGAL CONTEXTS
Protection of vital assets: classified information
Security clearance of individuals (and firms) is handled by the ANS-NVO [NSA]:
- the level is based on the need to know for the job;
- the ANS asks State Security (civilians) or the SGRS (military) to enquire (private-life security).

Information systems accreditation, per EU Council Decision 2001/264, in 3 steps: evaluation, certification, accreditation.
- Evaluation: by experts, auditors or an accredited laboratory
- Certification: conformance certificates are issued by control bodies accredited by BELAC
- Accreditation body: the ANS in association with BELAC

Page 23

A 'GLIMPSE' AT THE LEGAL CONTEXTS
Protection of vital assets: critical infrastructures of Belgium
- EU Directive 2008/114: European critical infrastructures, energy and transport sectors
- Belgian law of 01/7/2011: Belgian critical infrastructures; Royal Decree of 27/5/2014 adds the finance and electronic communications sectors
- Scoping: vital functions (health, social, security/safety, economic prosperity)

Acting through sectoral authorities or 'regulators':
- Finance: National Bank of Belgium (oversight of banks and financial bodies); FSMA: regulator for insurance companies
- Telecommunications: Belgian Institute for Postal services and Telecommunications (BIPT)
- Energy: CREG / AFCN
- ...
- Every operator of an infrastructure recognised as critical at country level must develop and exercise a security plan, namely for business continuity.

Page 24

A 'GLIMPSE' AT THE LEGAL CONTEXTS
Privacy: the electronic communications law of 13/06/2005 constrains operators to:
- security measures (technical / organisational);
- free security services;
- notification of security incidents to the BIPT, the Privacy Commission and customers;
- allowing audits by the BIPT or a mandated independent body;
- retention of traffic data (traffic / geolocation).

The BIPT as regulator is accountable for: security of telecommunications, coordination, oversight of problem detection, instructions, controls and recommendations to operators.

Page 25

A 'GLIMPSE' AT THE LEGAL CONTEXTS
Privacy: EU GDPR, the European Union General Data Protection Regulation (Regulation (EU) 2016/679), adopted in April 2016. It is a Regulation, not a Directive: it replaces the former Data Protection Directive 95/46/EC, which had to be transposed by each national parliament to become Member State law (subsidiarity principle).

As a Regulation it applies directly in all Member States without transposition. It was published in the Official Journal (L 119, 4 May 2016), entered into force on 24 May 2016 and applies from 25 May 2018.

This implies an immediate compliance exercise, to be completed by May 2018. From then on the supervisory authorities can audit organisations and impose heavy administrative fines:
- up to EUR 10 million, or 2% of worldwide annual turnover if higher, for the lower tier of infringements;
- up to EUR 20 million, or 4% of the worldwide annual turnover of the group of companies held by a holding if higher, for the more severe infringements.

Page 26

A 'GLIMPSE' AT THE LEGAL CONTEXTS
Privacy when working in the private sector – CCT 81 (26/4/2002): controlling communication data in the workplace.
End goals:
1. Prevent illegal and illicit behaviour (hacking, racism, paedophilia, ...)
2. Protection of the employer's interests
3. Technical security of the systems
4. Respect of internal regulations (policy for the usage of information systems, ...)

Proportionality and transparency: minimal interference in private life; information is to be given collectively and individually.
- Anomaly in cases 1, 2 or 3 -> identify the individual root cause
- Anomaly in case 4 -> collective warning and, if the anomaly is repeated -> identify the individual root cause
Filtering of data (journaling and random controls).

Page 27

A 'GLIMPSE' AT THE LEGAL CONTEXTS
Intellectual property
- Directive 91/250 (codified as Directive 2009/24): computer programs
- Directive 96/9: databases
- Directive 2001/29: authors' rights in the information society
- Law (10/04/2014): intellectual property

Best practices to protect critical IT assets in software developed by your providers:
- acquisition of a specialised escrow service;
- inclusion of an IP rights clause and an escrow agreement mechanism in public procurement procedures;
- verification of the systems rebuild capabilities at three levels (deposit of the source code, rebuild of a minimal system, rebuild of the major part of the system functions).

Page 28

A 'GLIMPSE' AT THE LEGAL CONTEXTS
Criminality
- Directive 2013/40: attacks against information systems; law of 28/11/2000 on computer crime; Code pénal art. 116-118
- Directive 2006/24: retention of traffic data; law of 30/7/2013 on the retention of traffic and geolocation data; Court of Justice decision annulling the 2006 Directive (you know more will come ...)

Scope: computer forgery, access rights abuse, sabotage, distribution of illicitly acquired data, distribution of harmful data; Defence / State Security: communication of data and information to a foreign country; retention of data / geolocation.

Page 29

A 'GLIMPSE' AT THE LEGAL CONTEXTS
Organisation of the federal authority
- 1990: organic law constituting the CBSS – KSZ – BCSS
- 1993: Royal Decree for information security in the social security sector
- 1997: Royal Decree on communication between social institutions
- 2001: Royal Decree establishing FEDICT
- 2007: modification of the FEDICT Royal Decree to take part in the European Commission's 7th Research Framework Programme (FP7) with the STORK project (interoperability of digital identities across the EU)
- 2012: 'FEDICT' law: FEDICT as federal service integrator acting as Trusted Third Party; 2014: 'Only Once' law
- 2013: Royal Decree for (Chief) Information Security Officers in the FPSs
- 2014: Royal Decree founding the Centre for Cybersecurity Belgium (CCB)

Page 30

A 'GLIMPSE' AT THE LEGAL CONTEXTS
United States: US Safe Harbour
- EU Directive 95/46: prohibition of transferring personal data outside the EEA, with exceptions (equivalent protection level)
- 2000: Commission adequacy decision on the US Department of Commerce Safe Harbour principles: notice and choice for the individual, security, processing of the data conformant to the declared purpose, access and correction rights
- Invalidated by the Court of Justice (Schrems, October 2015) and succeeded by the EU-US Privacy Shield (July 2016)

US Patriot Act (2001)
- Reaction to 9/11 -> mandate for electronic screening and for taking data into custody
- Concerns data hosted in the US and anywhere in the world; concerns any company (US companies, their subsidiaries, and non-US companies on US soil)

Page 31

BE-NETWORKED: BELNIS PLATFORM
Initiative of FEDICT's minister Peter Vanvelthoven (2005):
- Identify the major Information Security stakeholders at State level
- Put them at a round table and discuss the competences of their institutional mandate regarding Information Security (and the available means ...)
- Federate the interests and form a guiding expert coalition to raise awareness, in the broadest form, first of the Belgian Government and then of the Belgian Information Society at large
- Make minds ready for appraising the chain and the degree of Information Security maturity in Belgium
  o Liaise with European security initiatives (ENISA, through the BIPT)
  o Animate working groups on security subject matters
  o Write a White Paper for Information Security and propose improvements (2007)
  o Goal: make Information Security a dedicated point on the government agenda

Page 32

[Diagram: BelNIS & Stratégie de Cybersécurité (BelNIS and the cybersecurity strategy)] Members around BelNIS: FCCU, FEDICT, CERT.be, Sûreté de l'État, CCB, ANS, DGCC, BELAC, SGRS, IBPT, plus industry, academia and international contacts.
Transformation at stake for the 6th State Reform: redesign.

Page 33

BE-NETWORKED: BELNIS STAKEHOLDERS
Starting in 2005: FEDICT, actor and federator of the platform.
Invited at the round table:
- FCCU: Federal Computer Crime Unit, from FPS Interior
- BELAC: from FPS Economy, accreditation body for Information Security (accreditation of information systems dealing with classified information)
- DG CC: Crisis Centre, from FPS Interior
- ANS: Autorité Nationale de Sécurité (clearances and accreditation of classified information systems), from FPS Foreign Affairs
- BIPT: Belgian Institute for Postal services and Telecommunications (regulator)
- State Security
- SGRS: military intelligence

Page 34

BE-NETWORKED: BELNIS PLATFORM
BelNIS built a global picture of the InfoSec situation in Belgium and liaises with ENISA through the IBPT and FEDICT, which share two seats. BelNIS structured itself in subject-matter workgroups and has produced:
- the White Paper for Information Security for Belgium, in 2007;
- the creation of CERT.be (FEDICT funding, BELNET operations) to protect federal assets, namely FedMan and the Internet connection points, in 2009;
- an examination of the business case for creating a national security agency, concluding that such a 'vertical response' was not appropriate;
- the National Strategy for Cybersecurity in 2012, with a push for the creation of a cybersecurity centre for the whole of Belgium (the missing 'core') in 2014.

Page 35

BE-NETWORKED: BELNIS PLATFORM
BelNIS actors also took part in the first steps of creating industry and academic awareness:
- 2011, KU Leuven initiative: B-CCENTRE, cybercrime centre of excellence for R&D and education (COSIC, ICRI, L-SEC members, etc.)
- 2014-2015: Cyber Security Coalition, a cross-sector partnership between players from the academic world, the public authorities and the private sector to join forces in the fight against cybercrime (50 major actors ... to be developed further)

Page 36

BE-NETWORKED: CCB
CCB: Centre for Cybersecurity Belgium
- Founded by Royal Decree in 2014, headed by Miguel De Bruycker, reporting to the Chancellery under the Prime Minister's umbrella
- Operational arm arising out of the BelNIS platform

Missions: supervision of the InfoSec strategy; coordination of the public authorities; coordination public / private / academia; proposals to adapt the legal framework; crisis management with CERT.be; issuing standards and directives for InfoSec; evaluation and accreditation of classified information systems (with BELAC); user awareness.

Page 37

THE WAY FORWARD
Major actors are still lacking in this story:
- FPS Economy itself, for developing a Belgian Information Society (policy is hardly set from FPS Economy) that cares for e-services (e-commerce, the e-payment infrastructure, Worldline and others) and establishes a digital security capacity in Belgium, linking with the European Union level.
- Sectoral regulators: the BIPT is in it; the NBB has warned the banking sector to care for business continuity and information security practices (will it be sufficient?). Others? What about the CREG (energy), the transport sector, etc.?
- Market-leading operators in all sectors (only 50 in the coalition)
- Federations of providers and consumers (COMEOS)?
- ...

We still have a huge chunk of work to make aware, protect and enable the growth of all the economic blocks of Belgium!

Page 38

THE WAY FORWARD
EUROPE IS MOVING ON DATA PROTECTION AND REGULATIONS, to push Member States to act:
- EU GDPR: global, with heavy fines if not compliant by May 2018 -> huge impact on the data management lifecycle: a change in the meaning of data classification affects the backup/restore capability of global storage solutions and DR capabilities, as well as processes.
- Europe is constraining the sectoral authorities with more stringent regulations in every sector, to fight crime and to upgrade business continuity operations; more will come in the coming months, establishing the relevant governance by mandating continuity.
- Namely, this is the case for the finance sector through NBB and CSSF regulations in the Belux context, which evolve under stronger pressure from the European Central Bank and force compliance through continuity and security audits by competent experts of the domain (banking, insurance, investment companies, e-payment services).
- The other domains follow: telecoms (BIPT), energy (CREG), etc. shall comply.

Page 39

EPILOGUE
Information Security Management relies on a federation of interests: public authorities, consumers and providers of information, data and channels to do business.

Trust will be the combination of a chain of actions from all the actors of the Information Society: industry, academia, etc., but also internationally (EU, USA, Asia/Pacific, India, Middle East).

Information Security Management will provide protection only if a continuum of efforts and actions is continuously supported over the long run by the business communities. It is too often left to techies! Think of securing and protecting your business first, before thinking of technologies: only the business is capable of considering business risks and consequences.

Don't leave the public authorities alone on this journey, participate! Convince your executives to fund Information Security Management for their own good; make sure that the highest executive level invests in a regular risk management and protection practice for your business assets that use information.

Page 40

CONTINUUM OF THE JOURNEY
Accountable for InfoSec Management inside your corporation?
- Organise security governance (the use of it) and management (the making of it) inside your corporation. Use recognised international standards (COBIT 5, ISO 27k, M_o_R / ISO 31k, ITIL, TOGAF, SABSA and IT best-practice standards) AND tailor them to your businesses!
- Be sponsored at the highest level by forming a steering committee (or sponsor group)
- Ask to report to the highest executive level of the hierarchy (it must be close to the business strategies and the valued assets)
- As a Senior Responsible Owner, propose a 360° vision inside the company and outside it (look at your customers): enterprise architecture, IT services.
- Information Security must protect, enable and support the growth of the company's businesses.

Page 41

THANKS
To all Information Security professionals delivering, 'on top of' their normal work, shared expertise and concerns!
For perseverance and patience.
For the audience listening to or having read this journey.
... and this is still a 'Hobbit journey', or maybe a 'never ending story', because Information Security is here to stay ...