Standardisation and regulation on information security
Margus Püüa
Head of Department, Department of State Information Systems
Ministry of Economic Affairs and Communications, Estonia
AGENDA
• Why standardisation and regulation?
• Legal acts and documentation
• Secure data exchange
INFORMATION SOCIETY
• In the information society, information is stored, changed and transmitted in a universal digital form
• In the information society, access to digital information is ensured for all members of society through a data exchange network
• In the information society, routine intellectual work is left to machines
• In the information society, based on the above-mentioned conditions, the way of life is rational
(Valdo Praust, „Infoühiskond ja selle teetähised” [The information society and its milestones], 1998 yearbook „Infotehnoloogia haldusjuhtimises” [Information technology in public administration])
CONCLUSION:
In the INFORMATION SOCIETY, ordinary daily life depends, to a great extent, on the security of information systems!
OBJECTIVE:
Despite the growth of cyber security problems in the world, ICT will continue to be one of the most important growth engines in Estonia
WHAT DO WE HAVE?
LEGISLATION and DOCUMENTATION
• Emergency Preparedness Act https://www.riigiteataja.ee/ert/act.jsp?id=965540
• Estonian IT Architecture http://www.riso.ee/et/koosvoime/arhitektuur
• Estonian IT Interoperability Framework http://www.riso.ee/en/information-policy/interoperability
• Information Security Interoperability Framework http://www.riso.ee/wiki/Versioon_2007-01-31
• Government Regulation on establishing a system of security measures for information systems https://www.riigiteataja.ee/ert/act.jsp?id=791875
X-Road is software, hardware and organisational methods for standardised usage of national databases
• Evidentiary value and integrity
– All outgoing messages are signed. Signing keys are registered with a third party.
– All incoming messages are logged. The message log is cryptographically protected. The intermediate hash values are periodically time-stamped by the X-Road central agency.
– The message receiver can later prove, with the help of the X-Road central agency, when and by whom a message was sent.
• Availability
– X-Road is built as a distributed system with a minimal number of central services.
– The directory service is built on top of Secure DNS (DNSSEC). The use of the well-proven DNS protocol and implementations provides a very robust, scalable directory service with built-in caching and redundancy. The security extensions of DNS (signed zones) ensure that the data cannot be tampered with.
– All X-Road servers have their own local caching DNS server, which ensures the availability of directory information even in case of a (partial) network outage.
• Confidentiality
– The SSL protocol is used as a defence mechanism against external attackers. All exchanged data is encrypted.
– A two-level access rights control mechanism is used as a defence mechanism against internal attackers.
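The evidentiary-value mechanism described on the X-Road slides above (signed outgoing messages, a hash-chained log of incoming messages, and periodic time-stamping of the intermediate hash by the central agency) modelled as an added example. This is illustrative code written for this page, not X-Road's own implementation. It assumes HMAC-SHA256 as a stand-in for both the members' PKI signatures and the central agency's time-stamp tokens; the member names, keys and messages are constructed. The verification shows what the receiver can later prove: the message is bound to a time-stamped head hash (so it existed no later than that time-stamp) and carries a signature that checks against the sender's registered key, and any edit to a logged message breaks either the signature or the chain.

```python
import hashlib
import hmac
import json

# Constructed stand-ins (assumption): member signing keys that X-Road would have
# registered with a third party, and the central agency's time-stamp key.
# HMAC-SHA256 stands in for PKI signatures and for time-stamp tokens.
MEMBER_KEYS = {"tax-board": b"tax-board-secret", "population-registry": b"pop-reg-secret"}
CENTRAL_TS_KEY = b"central-agency-timestamp-key"


def canonical(obj) -> bytes:
    """Deterministic serialisation so hashes and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(member: str, payload: dict) -> str:
    """Sender signs an outgoing message with its registered key."""
    return hmac.new(MEMBER_KEYS[member], canonical(payload), hashlib.sha256).hexdigest()


class MessageLog:
    """Receiver-side log: every incoming message is appended to a SHA-256 hash chain."""

    def __init__(self):
        self.entries = []
        self.head = "0" * 64      # hash of the empty chain
        self.timestamps = []      # (last_seq, head_hash, time, token)

    def record(self, sender: str, message: dict, signature: str) -> int:
        entry = {"seq": len(self.entries), "sender": sender, "message": message,
                 "signature": signature, "prev": self.head}
        self.head = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry["seq"]

    def timestamp(self, now: int) -> None:
        """Periodic time-stamping of the intermediate hash by the central agency (simulated)."""
        token = hmac.new(CENTRAL_TS_KEY, f"{self.head}|{now}".encode(), hashlib.sha256).hexdigest()
        self.timestamps.append((len(self.entries) - 1, self.head, now, token))

    def proof_for(self, seq: int) -> dict:
        """Entries from seq up to the first time-stamped head at or after it, plus that time-stamp."""
        for last_seq, head, now, token in self.timestamps:
            if last_seq >= seq:
                return {"entries": self.entries[seq:last_seq + 1],
                        "head": head, "time": now, "token": token}
        raise LookupError("message not yet covered by a time-stamp")


def verify_proof(proof: dict):
    """Check the sender's signature, recompute the chain up to the time-stamped head and
    check the time-stamp token. Returns (sender, message, latest_possible_time)."""
    entries = proof["entries"]
    first = entries[0]
    if not hmac.compare_digest(sign(first["sender"], first["message"]), first["signature"]):
        raise ValueError("signature does not verify against the registered key")
    h = first["prev"]
    for e in entries:
        if e["prev"] != h:
            raise ValueError("chain broken at seq %d" % e["seq"])
        h = hashlib.sha256(canonical(e)).hexdigest()
    if h != proof["head"]:
        raise ValueError("chain head does not match the time-stamped hash")
    expected = hmac.new(CENTRAL_TS_KEY, f"{proof['head']}|{proof['time']}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof["token"]):
        raise ValueError("time-stamp token invalid")
    return first["sender"], first["message"], proof["time"]


def demo():
    """Two constructed messages, one time-stamp, then a proof for the first message."""
    log = MessageLog()
    msg = {"query": "getTaxResidency", "person": "38001010000"}  # constructed sample
    seq = log.record("tax-board", msg, sign("tax-board", msg))
    other = {"query": "getAddress"}
    log.record("population-registry", other, sign("population-registry", other))
    log.timestamp(now=1_190_000_000)
    return verify_proof(log.proof_for(seq))


def tampered_proof_is_rejected() -> bool:
    """The receiver edits its own log after the time-stamp; the proof must fail."""
    log = MessageLog()
    msg = {"query": "getAddress"}
    seq = log.record("population-registry", msg, sign("population-registry", msg))
    log.timestamp(now=1_190_000_100)
    proof = log.proof_for(seq)
    proof["entries"][0]["message"]["query"] = "getAddress;forged"
    try:
        verify_proof(proof)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("tampered proof rejected:", tampered_proof_is_rejected())
```

Note what the time-stamped head proves: an upper bound on when the entries were logged (a lower bound comes from the previous time-stamp). Attribution to the sender comes from the signature and the key registered with the third party, not from the log itself, which is why the slide keeps the two mechanisms separate.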
Thank you for your attention!