Standardisation and regulation on information security

Margus Püüa, Head of Department, Department of State Information Systems, Ministry of Economic Affairs and Communications, Estonia

Upload: silas-gregory

Posted on 13-Dec-2015


TRANSCRIPT

Page 1: Standardisation and regulation on information security Margus Püüa Head of Department Department of State Information Systems Ministry of Economic Affairs

Standardisation and regulation on information security

Margus Püüa

Head of Department, Department of State Information Systems

Ministry of Economic Affairs and Communications, Estonia

Page 2:

AGENDA

• Why standardisation and regulation?

• Legal acts and documentation

• Secure data exchange

Page 3:

INFORMATION SOCIETY

• In the information society, information is stored, changed and transmitted in a universal digital form

• In the information society, access to digital information is ensured for all members of society through a data exchange network

• In the information society, routine intellectual work is left to machines

• In the information society, based on the above-mentioned conditions, the way of life is rational

Valdo Praust, „Infoühiskond ja selle teetähised”, 1998 yearbook „Infotehnoloogia haldusjuhtimises”.

Page 4:

CONCLUSION:

In the INFORMATION SOCIETY, ordinary daily life depends, to a great extent, on the security of information systems!

Page 5:

OBJECTIVE:

Despite the growth of cyber security problems in the world, ICT will continue to be one of the most important growth engines in Estonia

Page 6:

WHAT DO WE HAVE?

Page 7:

LEGISLATION and DOCUMENTATION

• Emergency Preparedness Act https://www.riigiteataja.ee/ert/act.jsp?id=965540

• Estonian IT Architecture http://www.riso.ee/et/koosvoime/arhitektuur

• Estonian IT Interoperability Framework http://www.riso.ee/en/information-policy/interoperability

• Information Security Interoperability Framework http://www.riso.ee/wiki/Versioon_2007-01-31

• Government Regulation on establishing a system of security measures for information systems https://www.riigiteataja.ee/ert/act.jsp?id=791875

Page 8:

Page 9:

X-Road is software, hardware and organisational methods for standardised usage of national databases

• Evidentiary Value and Integrity

– All outgoing messages are signed. Signing keys are registered with a third party.

– All incoming messages are logged. The message log is cryptographically protected. The intermediate hash values are periodically time-stamped by the X-Road central agency.

– The message receiver can later prove, with the help of the X-Road central agency, when and by whom the message was sent.

• Availability

– X-Road is built as a distributed system, with a minimal number of central services.

– The directory service is built on top of Secure DNS (DNSSEC). Using the well-proven DNS protocol and implementation provides a very robust, scalable directory service with built-in caching and redundancy. Security extensions of the DNS (signed zones) ensure that the data cannot be tampered with.

– All X-Road servers have their own local caching DNS server, which ensures the availability of directory information even in case of a (partial) network outage.

• Confidentiality

– The SSL protocol is used as a defence mechanism against external attackers. All exchanged data is encrypted.

– A two-level access rights control mechanism is used as a defence mechanism against internal attackers.
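An added example (not X-Road's own code) of the evidentiary-value mechanism described above: a hash-chained message log whose intermediate hash value is periodically time-stamped by the central agency, with a verifier that rebuilds the chain to prove when and by whom an entry was sent, and that rejects a log whose entries were altered afterwards. The key registry, the use of HMAC in place of public-key signatures, and the time-stamp tokens are constructed simplifications.

```python
import hashlib
import hmac

# Constructed third-party key registry (sender -> key); HMAC stands in for X-Road's public-key signatures
KEY_REGISTRY = {"org-a": b"key-of-org-a", "org-b": b"key-of-org-b"}
TSA_KEY = b"central-agency-key"  # constructed; held only by the central agency

def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class MessageLog:
    """Hash-chained log of incoming messages: each entry commits to the previous chain head."""
    def __init__(self):
        self.entries = []        # (sender, payload, signature, entry_hash)
        self.head = "0" * 64     # chain hash after the last entry
        self.timestamps = []     # (last entry covered, head, issued_at, TSA token)

    def append(self, sender: str, payload: bytes, signature: str) -> int:
        # Only accept messages whose signature verifies against the registered key
        if not hmac.compare_digest(signature, sign(KEY_REGISTRY[sender], payload)):
            raise ValueError("signature does not verify")
        entry_hash = sha256(f"{self.head}|{sender}|{signature}|".encode() + payload)
        self.entries.append((sender, payload, signature, entry_hash))
        self.head = entry_hash
        return len(self.entries) - 1

    def timestamp_head(self, issued_at: int) -> None:
        # The central agency periodically time-stamps the intermediate hash value
        token = sign(TSA_KEY, f"{self.head}|{issued_at}".encode())
        self.timestamps.append((len(self.entries) - 1, self.head, issued_at, token))

    def prove(self, index: int):
        """Return (sender, time-stamp) proving who sent entry `index` and that it existed by then, or None."""
        covering = [t for t in self.timestamps if t[0] >= index]
        if not covering:
            return None              # no time-stamp covers this entry yet
        last_idx, head, issued_at, token = covering[0]
        if not hmac.compare_digest(token, sign(TSA_KEY, f"{head}|{issued_at}".encode())):
            return None              # forged or altered time-stamp token
        chain = "0" * 64
        for sender, payload, sig, stored in self.entries[: last_idx + 1]:
            if not hmac.compare_digest(sig, sign(KEY_REGISTRY[sender], payload)):
                return None          # sender signature no longer matches the payload
            chain = sha256(f"{chain}|{sender}|{sig}|".encode() + payload)
            if chain != stored:
                return None          # stored hash chain was modified
        return (self.entries[index][0], issued_at) if chain == head else None
```

The earliest time-stamp covering an entry bounds when it was sent; an entry appended after the last time-stamp cannot yet be proven, which is why the central agency must stamp the head periodically.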

Page 10:

Thank you for your attention!