Information security and privacy protection aspects of electronic information management in the Belgian social sector

About This Presentation

Title:

Information security and privacy protection aspects of electronic information management in the Belgian social sector

Description:

delivery of social security benefits. child benefits. unemployment benefits ... 3 services to apply for social benefits. 5 services for consultation of social benefits ... – PowerPoint PPT presentation

Number of Views:145

Avg rating:3.0/5.0

Slides: 79

Provided by: bwo9

Category:

more less

Transcript and Presenter's Notes

Title: Information security and privacy protection aspects of electronic information management in the Belgian social sector

1
Information security andprivacy protection
aspects ofelectronic information managementin
the Belgian social sector
Frank Robben General manager Crossroads Bank for
Social Security Sint-Pieterssteenweg 375 B-1040
Brussels E-mail Frank.Robben_at_ksz.fgov.be Website
CBSS www.ksz.fgov.be Personal website
www.law.kuleuven.be/icri/frobben
2
Stakeholders of the Belgian social sector

gt 10,000,000 citizens
gt 220,000 employers
about 3,000 public and private institutions
(actors) at several levels (federal, regional,
local) dealing with
collection of social security contributions
delivery of social security benefits
child benefits
unemployment benefits
benefits in case of incapacity for work
benefits for the disabled
re-imbursement of health care costs
holiday pay
old age pensions
guaranteed minimum income
delivery of supplementary social benefits
delivery of supplementary benefits based on the
social security status of a person

3
The problem

a lack of well coordinated service delivery
processes and of a lack of well coordinated
information management led to
suboptimal effectiveness of social protection
a huge avoidable administrative burden and
related costs for
the citizens
the employers/companies
the actors in the social sector
service delivery that didnt meet the
expectations of the citizens and the companies
insufficient social inclusion
too high possibilities of fraud
suboptimal support of social policy

4
Expectations of citizens and companies

effective social protection
integrated services
attuned to their concrete situation, and
personalized when possible
delivered at the occasion of events that occur
during their life cycle (birth, going to school,
starting to work, move, illness, retirement,
starting up a company, )
across government levels, public services and
private bodies
attuned to their own processes
with minimal costs and minimal administrative
burden
if possible, granted automatically
with active participation of the user (self
service)
well performing and user-friendly
reliable, secure and permanently available
accessible via a channel chosen by the user
(direct contact, phone, PC, )
sufficient privacy protection

5
The solution

a network between all 3,000 social sector actors
with a secure connection to the internet, the
federal MAN, regional extranets, extranets
between local authorities and the Belgian
interbanking network
a unique identification key
for every citizen, electronically readable from
an electronic social security card and an
electronic identity card
for every company
for every establishment of a company
an agreed division of tasks between the actors
within and outside the social sector with regard
to collection, validation and management of
information and with regard to electronic storage
of information in authentic sources

6
The solution

210 electronic services for mutual information
exchange amongst actors in the social sector,
defined after process optimization
nearly all direct or indirect (via citizens or
companies) paper-based information exchange
between actors in the social sector has been
abolished
in 2007, 656 million electronic messages were
exchanged amongst actors in the social sector,
which saved as many paper exchanges
electronic services for citizens
maximal automatic granting of benefits based on
electronic information exchange between actors in
the social sector
8 electronic services via an integrated portal
3 services to apply for social benefits
5 services for consultation of social benefits
about 30 new electronic services are foreseen

7
The solution

41 electronic services for employers, either
based on the electronic exchange of structured
messages or via an integrated portal site
50 social security declaration forms for
employers have been abolished
in the remaining 30 (electronic) declaration
forms the number of headings has on average been
reduced to a third of the previous number
declarations are limited to 4 events
immediate declaration of recruitment (only
electronically)
immediate declaration of discharge (only
electronically)
quarterly declaration of salary and working time
(only electronically)
occurence of a social risk (electronically or on
paper)
in 2007, 23 million electronic declarations were
made by all 220,000 employers, 98 of which from
application to application

8
The solution

an integrated portal site containing
electronic transactions for citizens, employers
and professionals
simulation environments
information about the entire social security
system
harmonized instructions and information model
relating to all electronic transactions
a personal page for each citizen, each company
and each professional
an integrated multimodal contact centre supported
by a customer relationship management tool
a data warehouse containing statistical
information with regard to the labour market and
all branches of social security

9
The solution

reference directory
directory of available services/information
which information/services are available at any
actor depending on the capacity in which a
person/company is registered at each actor
directory of authorized users and applications
list of users and applications
definition of authentication means and rules
definition of authorization profiles which kind
of information/service can be accessed, in what
situation and for what period of time depending
on in which capacity the person/company is
registered with the actor that accesses the
information/service
directory of data subjects
which persons/companies have personal files at
which actors for which periods of time, and in
which capacity they are registered
subscription table
which users/applications want to automatically
receive what information/services in which
situations for which persons/companies in which
capacity

10
CBSS as driving force

coordination by the Crossroads Bank for Social
Security
Board of Directors consists of representatives of
the companies, the citizens and the actors in the
social sector
mission
definition of the vision and the strategy on
eGovernment in the social sector
definition of the common principles related to
information management, information security and
privacy protection
definition, implementation and management of an
interoperability framework
technical secure messaging of several types of
information (structured data, documents, images,
metadata, )
semantic harmonization of concepts and
co-ordination of necessary legal changes
business logic and orchestration support
coordination of business process reengineering
stimulation of service oriented applications
driving force of the necessary innovation and
change
consultancy and coaching

11
Co-operative governance

CBSS has an innovative model of governance,
steering the business process re-engineering with
complex interdependencies between all actors
involved
Board of Directors of the CBSS
consists of representatives of the stakeholders
(employers associations, trade unions, social
security institutions, )
approves the strategic, operational and financial
plans of the CBSS
General Coordination Committee with
representation of all users acts as debating
platform for the elaboration and implementation
of eGovernment initiatives within the social
sector

12
Co-operative governance

permanent or ad hoc working groups are instituted
within the General Coordination Committee in
order to co-ordinate the execution of programs
and projects
the chairmen of the various working groups meet
regularly as a Steering Committee
besides project planning and follow-up, proper
measuring facilities are available to assure
permanent monitoring and improvement after the
implementation of the electronic services

13
Adequate management and control techniques

annual priority plan debated with all users
within the General Coordination Committee of the
CBSS
cost accounting and zero-based budgeting
resulting in financial transparency, an informed
budget and a good evaluation of the management
contract with the Belgian federal government
internal control based on the COSO-methodology
(see www.coso.org) in order to provide reasonable
assurance regarding the achievement of objectives
with regard to
effectiveness and efficiency of operations
reliability of financial reporting
compliance with applicable laws and regulations
external audit with regard to the correct
functioning of the internal control system

14
Adequate management and control techniques

program management through the whole social
sector
issue management during the management of each
program
use of a system of project management combined
with a time keeping system to follow up projects
that are realized by the CBSS and its partners
frequent reports to all users which describe the
progress of the various projects and eventual
adjustment measures
use of balanced scorecards and a dashboard to
measure, follow-up and evaluate the performance
of the electronic services and the CBSS
use of ITIL (see www.itil-itsm-world.com) for
ICT-service delivery
use of a coherent set of monitoring techniques to
guarantee an optimal control and transparency of
the electronic services

15
Towards a network of service integrators
Service integrator (Corve, Easi- Wal, CIRB, )
RPS
RPS
Services repository
Extranet region or commmunity
Service integrator (CBSS)
Services repository
ASS
Extranet social sector
ASS
Internet
Municipality
FPS
ASS
VPN, Publi-link, VERA,
FPS
FEDMAN
Services repository
Service integrator (FEDICT)
City
Province
FPS
Services repository
16
Advantages

gains in efficiency
in terms of cost services are delivered at a
lower total cost
due to
a unique information collection using a common
information model and administrative instructions
a lesser need to re-encoding of information by
stimulating electronic information exchange
a drastic reduction of the number of contacts
between actors in the social sector on the one
hand and companies or citizens on the other
a functional task sharing concerning information
management, information validation and
application development
a minimal administrative burden
according to a study of the Belgian Planning
Bureau, rationalization of the information
exchange processes between the employers and the
social sector implies an annual saving of
administrative costs of about 1.7 billion a
year for the companies

17
Advantages

gains in efficiency
in terms of quantity more services are delivered
services are available at any time, from anywhere
and from several devices
services are delivered in an integrated way
according to the logic of the customer
in terms of speed the services are delivered in
less time
benefits can be allocated quicker because
information is available faster
waiting and travel time is reduced
companies and citizens can directly interact with
the competent actors in the social sector with
real time feedback

18
Advantages

gains in effectiveness better social protection
in terms of quality same services at same total
cost in same time, but to a higher quality
standard
in terms of type of services new types of
services, e.g.
push system automated granting of benefits
active search of non-take-up using data
warehousing techniques
controlled management of own personal information
personalized simulation environments
better support of social policy
more efficient combating of fraud

19
Critical success factors

common vision on electronic service delivery,
information management and information security
amongst all stakeholders
support of and access to policymakers at the
highest level
trust of all stakeholders, especially partners
and intermediaries, based on
mutual respect
real mutual agreement
transparency
respect for legal allocation of competences
between actors
co-operation between all actors concerned based
on distribution of tasks rather than
centralization of tasks
focus on more effective and efficient service
delivery and on cost control

20
Critical success factors

reasoning in terms of added value for citizens
and companies rather than in terms of legal
competences
quick wins combined with long term vision
lateral thinking when needed
adaptability to an ever changing societal and
legal environment
electronic service delivery as a structural
reform process
process re-engineering within and across actors
back-office integration for unique information
collection, re-use of information and automatic
granting of benefits
integrated and personalized front-office service
delivery

21
Critical success factors

multidisciplinary approach
process optimization
legal coordination
ICT coordination
information security and privacy protection
change management
communication
coaching and training

22
Critical success factors

appropriate balance between efficiency on the one
hand and information security and privacy
protection on the other
technical and semantic interoperability
legal framework
creation of an institution that stimulates,
co-ordinates and assures a sound program and
project management
availability of skills and knowledge gt creation
of an association that hires ICT-specialists at
normal market conditions and puts them at the
disposal of the actors in the social sector
sufficient financial means for innovation agreed
possibility to re-invest efficiency gains in
innovation
service oriented architecture (SOA)

23
Critical success factors

need for radical cultural change within
government, e.g.
from hierarchy to participation and team work
meeting the needs of the customer, not the
government
empowering rather than serving
rewarding entrepreneurship within government
ex post evaluation on output, not ex ante control
of every input

24
Information security and privacy protection

security, availability, integrity and
confidentiality of information is ensured by
integrated
structural
institutional
legal
organizational
HR-related
technical
security measures according to agreed policies

25
Structural and institutional measures

no central data storage
the access authorization to personal information
is granted by a Sector Committee of the Privacy
Commission, designated by Parliament, after
having checked whether the access conditions are
met
the access authorizations are public
every actual electronic exchange of personal
information has to pass an independent trusted
third party (basically the CBSS) and is
preventively checked on compliance with the
existing access authorizations by that trusted
third party
every actual electronic exchange of personal
information is logged, to be able to trace
possible abuse afterwards

26
Structural and institutional measures

every actor in the social sector disposes of an
information security officer with an advisory,
stimulating, documentary and control task
specialized information security service
providers in the social sector have been
recognized in order to support the information
security officers
a working party on information security and
privacy protection within the social sector has
been established
minimal information security and privacy
protection standards are proposed by the working
party on information security and privacy
protection and are established by the Sector
Committee

27
Structural and institutional measures

every year, every actor in the social sector has
to report to the Sector Committee on compliance
with the minimal information security and privacy
protection standards
in case an actor in the social sector doesnt
meet the minimal information security and privacy
protection standards, the actor can be prohibited
by the Sector Committee to be connected to the
CBSS

28
Independent Sector Committee

established within the Privacy Commission
composed of
2 members of the Privacy Commission
3 independent social security specialists
designated by Parliament
competences
supervision of information security
authorizing the information exchange
complaint handling
information security recommendations
extensive investigating powers
annual activity report

29
Information security department

at each actor in the social sector
composition
information security officer
one or more assistants
control on independence and permanent education
of the information security officers is performed
by the Sector Committee
the Sector Committee can allow to commit the task
of the information security department to a
recognized specialized information security
service provider

30
Information security department tasks

information security department
recommends
promotes
documents
controls
reports directly to the general management
formulates the blueprint of the security plan
elaborates the annual security report

general management
takes the decision
is finally responsible
gives motivated feedback
approves the security plan
supplies the resources

31
Contents of the security report

general overview of the security situation
overview of the activities
recommendations and their effects
control
campaigns in order to promote information
security
overview of the external recommendations and
their effects
overview of the received trainings

32
Specialized IS service providers

to be recognized by the Government
recognition conditions
non-profit association
having information security in the social sector
as the one and only activity
respecting the tariff principles determined by
the Government
control on independence is performed by the
Sector Committee
tasks
keeping information security specialists at the
disposal of the associated actors
recommending
organizing information security trainings
supporting campaigns promoting information
security
external auditing on request of the actor or the
Sector Committee
each actor can only associate with one
specialized information security service provider

33
Working party on information security

composition
information security officers of all branches of
the social sector
task
coordination
communication
proposal of minimal information security and
privacy protection standards
check list
recommendations to the Sector Committee

34
Legal measures

obligations of the actors in the social sector as
data controllers (i.e. the natural or legal
person, public authority, agency or any other
body which alone or jointly determines the
purposes and means of the processing of personal
data)
rights of the data subjects (i.e. the natural
persons the personal data relate to)
remedies, liability and sanctions

35
Obligations of actors in the social sector

principles relating to fair and lawful processing
and data quality
information to be given to the data subject
confidentiality and security of processing

36
Fair and lawful processing and data quality

fair and lawful processing
collection only for specified, explicit and
legitimate purposes
no further processing in a way incompatible with
those purposes
personal data must be adequate, relevant and not
excessive in relation to those purposes
personal data must be accurate and kept up to
date
personal data must not be kept longer than
necessary for those purposes in a form which
permits the identification of the data subject

37
Fair and lawful processing and data quality

respect of additional protection measures related
to sensitive data, i.e. data revealing or
concerning
racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
health
sexual life
offences, criminal convictions or security
measures

38
Informing the data subject

the controller or his representative must provide
the data subject a minimum of information
when obtaining personal data from the data
subject
when undertaking the recording or envisaging a
disclosure to a third party of personal data that
have not been obtained from the data subject
exceptions
the data subject already has the information
informing the data subject in case of processing
of data obtained from another person
proves impossible, in particular for processing
for statistical purposes or purposes of
historical or scientific research or
would involve disproportionate effort for the
controller in particular for processing for
statistical purposes or purposes of historical or
scientific research or
is not necessary because the recording or
disclosure is expressly laid down by law

39
Informing the data subject

information to be given
identity of the controller and his
representative, if any
the purposes of the processing
any further information necessary to guarantee
fair processing in respect of the data subject
such as
categories of processed data
(categories of) recipients
whether replies are obligatory or not, as well as
the possible consequences of failure to reply
the existence of rights of access and
rectification

40
Confidentiality and security

no access to personal data is permitted except on
instructions from the controller or if required
by law
appropriate technical and organizational security
measures
protection against
accidental or unlawful destruction
accidental loss
alteration
unauthorized disclosure or access, in particular
where the processing involves the transmission of
data over a network
all other forms of unlawful processing
measures have to be appropriate
to the risks represented by the processing
and the nature of the data to be protected
having regard to the state of the art
and the cost of their implementation

41
Confidentiality and security

where processing is carried out by an external
processor
the controller has to choose a processor
guaranteeing sufficient technical and
organizational security measures
the controller must ensure compliance of the
processing with the security measures
the carrying out of the processing must be
governed by a written contract or legal act
stipulating in particular that
the processor shall act only on instructions from
the controller
the security obligations shall also be incumbent
on he processor

42
Recommendation Belgian Privacy Commission

see http//www.privacycommission.be/nl/static/pdf/
referenciemaatregelen-vs-01.pdf
risk analysis taking into account
the nature of the processed data
the applicable legal requirements
the size of the organization
the importance and the complexity of the
information systems
the extent of internal and external access to
personal data
the probability and the impact of the several
risks
the cost of the implementation of risk mitigating
measures

43
Recommendation Belgian Privacy Commission

10 types of measures
information security policy
information security officer
minimal organizational measures and measures
related to staff
physical security
network security
access control
logging and investigation of logging
supervision, audit and maintenance
management of security incidents and continuity
documentation

44
Rights of the data subject

right of privacy protection
right of information
access to the public register
in case of collection of data
in case of the recording or disclosure of data
obtained elsewhere
right of access
right of rectification, erasure or blocking
right not to be subject to fully automated
individual decisions
right of a judicial remedy

45
Right of access

the data subject has the right to obtain from the
controller without constraint, at reasonable
intervals and without excessive delay or expense
confirmation as whether or not data relating to
him are being processed
information at least about
the purposes of the processing
the categories of data
the (categories of) recipients
communication of the data and any available
information as to their source
knowledge of the logic in case of an automated
processing intended to evaluate certain personal
aspects relating to him
every time information is used to take a
decision, the information used is communicated to
the person concerned together with the decision

46
Right of rectification, erasure or blocking

the data subject has the right to obtain from the
controller the rectification, erasure or blocking
of data, the processing of which does not comply
with the provisions of the directive (e.g.
incomplete or inaccurate data)
the controller has to notify any rectification,
erasure or blocking to third parties to whom the
data have been disclosed, unless this proves
impossible or involves a disproportionate effort

47
Automated individual decisions

every person is granted the right not to be
subject to a decision which produces legal
effects for him or significantly effects him and
which is based solely on the automated processing
of data intended to evaluate certain personal
aspects, such as his performance at work,
creditworthiness, reliability, conduct, ...
derogations are possible
under certain circumstances, in the course of the
entering into or the performance of a contract or
by law providing measures to safeguard the data
subjects legitimate interests

48
Remedies, liability and sanctions

remedies
administrative remedies, inter alia before the
Sector Committee
judicial remedies
for any breach of the rights guaranteed by the
national law applicable
liability
right to compensation from the controller for the
damage suffered as a result of an unlawful
processing operation, unless the controller
proves not to be responsible for the event giving
rise to the damage
sanctions
penal sanctions
interdiction to process personal data

49
Organizational, HR-related technical measures

risk assessment
security policies
governance and organization of information
security
inventory and classification of information
human resources security
physical and environmental security
management of communication and service processes
processing of personal data
access control
acquisition, development and maintenance of
information systems
information security incident management
business continuity management
compliance internal and external control
communication to the public of the policies
concerning security and the protection of privacy

50
Security policies

an integrated set of security policies is being
elaborated through step-by-step refinement
the policies always have the following structure
material field of application what the policy is
all about
personal field of application to whom does the
policy apply
definitions of the concepts used under the policy
general principles setting rules and
responsibilities
requirements and references to other policies
sanctions, arising among other things from
regulations, if the policy is not complied with
references to directives, architecture,
procedures, standards and techniques to comply
with the policy
date of validation by the bodies concerned
note of the person responsible for policy
maintenance

51
Security policies

directives, architecture, standards, procedures
and techniques are being described to apply the
integral set of security policies, in accordance
with the priorities set by the working party on
information security and privacy protection

52
Classification of information

the purpose of classifying information is to
determine the protection level per information
item, taking two aspects into account
the importance of the business continuity of the
actors (e.g. vital, critical, necessary, useful)
sensitivity in relation to protection of privacy
(e.g. public, internal, confidential, secret)
the field of application of the classification
exercise covers information (mainly personal
data) used for services to citizens, companies
and civil servants, regardless of the support
equipment on which they are kept
information is labelled depending on the
classification criteria use

53
HR-security

security tasks and responsibilities are included
in all job descriptions to which they apply
sensitive positions are stated as such in job
descriptions
applicants for sensitive jobs are screened
carefully
a secrecy declaration is signed by every staff
member
all staff members are briefed, educated and
trained regarding information security and
protection of privacy
at each actor in the social sector, robust
procedures have to be settled and implemented to
report any security breaches or weak points to
the information security officer

54
HR-security

at each actor in the social sector, a working
method is settled and implemented to analyse any
security-related incidents and weak points
reported by the information security officer, and
adequate remedial measures are proposed
(disciplinary) sanctions are foreseen when
measures relating to the information security and
protection of privacy are circumvented or not
complied with
it is checked that the (disciplinary) sanctions
are sufficiently well-known when measures
relating to the information security and
protection of privacy are circumvented or not
complied with
it is checked that adequate measures are applied
when a working relationship with a staff member
is terminated

55
Physical and environmental security

premises have to be available that are well
secured against malign external influences,
unauthorized access, break-in, flood, fire, ...,
and ICT infrastructure supporting vital and
critical business processes has to be
accommodated at these premises
the electricity supply for ICT infrastructure
supporting vital and critical business processes
is guaranteed
cables and air-waves are secured, especially
against wire-tapping
a procedure for the import and export of business
equipment, among other things in cases of
maintenance and repairs, is settled and
implemented
rules are settled for managing business equipment
relating to people (e.g. laptops, handhelds,
mobile phones, call tokens, ...) giving access to
information that needs to be protected

56
Management of processes

the division of responsibilities for the
management and maintenance of all parts of ICT
infrastructure is settled and implemented
security procedures, also procedures for
resolving incidents, are settled and implemented,
taking into account the necessary divisions of
roles
the internal rules for day-to-day work (e.g.
back-ups, banned use of computer games, code of
practice regarding use of the Internet, closing
of equipment, ...) are settled and complied with
each stage in the life-cycle of an application,
including acceptance scenarios, is settled and
complied with

57
Management of processes

new applications or amendments to existing
applications are submitted for acceptance tests
in an acceptance environment, separate from the
production environment, before going into
production
the six areas of ITIL methodology concerning
service support, and first two areas of ITIL
methodology concerning service delivery are
implemented
service support
configuration management
incident management
problem management
change management
service/help-desk
release management
service delivery
service level management
capacity management

58
Management of processes

there are preventive measures for the securing of
all information systems against viruses and
harmful software
procedures for information management supports
(tapes, floppy disks, cassettes,...) are settled
and complied with, including rules relating to
storage and access
shipping
accidental destruction

59
Management of processes

networks are managed following well-defined
procedures, especially when connected to external
networks in this respect, special attention is
paid to
divisions between internal and external networks
peripheral securing of internal networks
(firewalls, ...)
authentication of components against one another
intrusion detection
application of encryption techniques where
necessary
interchange agreements are written down for the
use of network services, especially for network
services used for external collaboration,
including
service level agreements concerning availability
and performance
demarcation of responsibilities relating to
security and protection of privacy

60
Access control

a user management system is settled and
implemented, permitting
electronic identification of people, resources,
applications and services
electronic authentication of the identity of
people, resources, applications and services by
appropriate means (user ID, password, token,
digital certificate, electronic signature, ...)
electronic verification of relevant
characteristics and mandates of people in
authentic sources
an access management system is settled and
implemented, indicating among other things
roles and functions
authorizations on the basis of those roles and
functions
authorization time-limits
authorizations are managed at the levels of
people
resources
applications
services

61
User and access management

identification of physical and legal persons
unique social identification number for physical
persons
unique company number for companies
authentication of the identity of physical
persons
electronic identity card
user id password token
authentic sources for
management and verification of characteristics
(e.g. a capacity, a function, a professional
qualification) of persons
management and verification of mandates between a
legal or physical person to whom an electronic
transaction relates and the person carrying out
that transaction
management and verification of authorizations

62
Policy Enforcement Model
Action
on
Action
application
Policy
on
DENIED
application
User
Application
Application
PERMITTED
(
PEP
)
Action
on
application
Decision
Decision
request
reply
Information
Request
/
Policy
Retrieval
Reply
Policies
Decision
(
PDP
)
Information
Request
/
Reply
Policy
Policy Administration
Policy Information
Policy Information
management
(
PAP
)
(
PIP
)
(
PIP
)
Manager
Authentic source
Authentic source
Policy
repository
63
Policy Enforcement Point (PEP)

intercepts the request for authorization with all
available information about the user, the
requested action, the resources and the
environment
passes on the request for authorization to the
Policy Decision Point (PDP) and extracts a
decision regarding authorization
grants access to the application and provides
relevant credentials

Action
on
Action
application
Policy
on
DENIED
application
User
Application
Application
PERMITTED
(
PEP
)
Action
on
application
Decision
Decision
request
reply
Policy
Decision
(
PDP
)
64
Policy Decision Point (PDP)

based on the request for authorization received,
retrieves the appropriate authorization policy
from the Policy Administration Point(s) (PAP)
evaluates the policy and, if necessary, retrieves
the relevant information from the Policy
Information Point(s) (PIP)
takes the authorization decision (permit/deny/not
applicable) and sends it to the PEP

Policy
Application
(
PEP
)
Decision
Decision
request
reply
Information
Request
/
Policy
Retrieval
Reply
Policies
Decision
(
PDP
)
Information
Request /
Reply
Policy Information
Policy Administration
Policy Information
(
PAP
)
(
PIP
)
(
PIP
)
65
Policy Administration Point (PAP)

environment to store and manage authorization
policies by authorized person(s) appointed by the
application managers
puts authorization policies at the disposal of
the PDP

Policy
Retrieval
management
Policies
PDP
PAP
Manager
Policy
repository
66
Policy Information Point (PIP)

puts information at the disposal of the PDP in
order to evaluate authorization policies
(authentic sources with characteristics,
mandates, etc.)

Information
Request /
Reply
PDP
Information
Request /
Reply
PIP
1
PIP
2
Authentic source
Authentic source
67
Architecture
Non social FPS (Fedict)
Social sector (CBSS)
eHealth platform
USER
USER
USER
APPLICATIONS
APPLICATIONS
APPLICATIONS
Authorisation
Authen
-
Authorisation
Authen
-
Authorisation
Authen
-
tication
tication
tication
PEP
PEP
PEP
WebApp
WebApp
Role
Role
Role
XYZ
XYZ
Mapper
Mapper
Mapper
Role
Role
Mapper
Mapper
DB
DB
PDP
Role
PAP
PDP
Role
PAP
PAP
Provider
Role
Provider
Role
Kephas
Kephas
Kephas
DB
Provider
DB
Provider
PIP
PIP
PIP
PIP
PIP
PIP
Attribute
Attribute
Attribute
Attribute
Attribute
Attribute
Provider
Provider
Provider
Provider
Provider
Provider
Provider
Management
DB
DB
Management
Judicial exut- ers
DB
DB
DB
DB
UMAF
XYZ
XYZ
XYZ
VAS
Mandates
Mandates
VAS
68
Access control

buildings are partitioned, securing rings are
installed and access control measures to premises
are implemented
access control measures to physical resources
(computers, networks, ...) by users (people,
resources or applications) are set and
implemented, with particular attention to
business equipment relating to people (e.g.
laptops, handhelds, mobile phones, call tokens,
...)
access control measures to (sections of)
application code are set and implemented
access control measures to applications and
services by internal and external users (people,
resources or applications) are set and
implemented (e.g. call-back procedures)
ICT equipment is automatically timed out after a
set period of inactivity
all access and actions carried out are time-logged

69
Acquisition, development and maintenance

security directives to be complied with during
the acquisition, development and maintenance of
applications and services are set and implemented
division of functions
audit trails during development
documentation
regular interim back-ups
the development environment is securized
rules to build security into applications and
services (e.g. validation of data input, checks
of totals, verification of the authenticity of
messages sent to subjects, ...), mainly
externally accessible applications and services,
are settled and applied

70
Acquisition, development and maintenance

procedures concerning technical and functional
tests are settled and implemented in an
acceptance environment, separate from the
production environment, with clear go/no-go areas
a method for analyzing the impact of amendments
to operating systems on security and
applications, on the permanent accessibility of
information systems, and tests of the
accessibility of information and applications in
the amended environment before putting the
amendments into effect, are settled and applied

71
Acquisition, development and maintenance

a method for analyzing the impact of amendments
to standard software used on security and
applications, and on the continuous accessibility
of information systems, and tests of the
accessibility of information and applications in
the amended environment before putting the
amendments into effect, are settled and applied
a procedure for the destruction of information in
the event that further processing is no longer
authorized due to application of the
proportionality principle or occupation of the
countrys territory, is settled and applied

72
Business continuity management

back-up procedures for information and
applications are settled and applied
the code and written documentation on the latest
version of all applications is kept at a secure
site outside the production location
the parts of information systems, certainly those
supporting vital and critical business processes,
are split up at geographically dispersed sites
(no single points of failure)

73
Business continuity management

a business continuity plan exists at each actor
in the social sector and is made available to all
those concerned
indicating vital and critical components and
processes
with an inventory of necessary infrastructure and
skills for each component and process
with a description of actions, responsibilities
and procedures in the event of an (internal or
external) emergency
with a description of continuation actions and
procedures in the event of an emergency in order
to return to normal operation
with a description of test scenarios for the
continuity plan with third parties affected

74
Business continuity management

the continuity plan is tested annually with the
third parties affected and a report of the
results is drawn up, aimed at permanent
improvement
the information systems for which this is
justified are insured against physical risks such
as fire, flood or earthquake, also against theft

75
Compliance internal and external control

permanent internal control on respect of
legislation, policies, directives, architecture,
procedures and standards and on any undesirable
use of ICT facilities (e.g. use of ICT for
non-business purposes, ...) is carried out by the
information security officer
regular external check in respect of legislation,
policies, directives, architecture, procedures
and standards is carried out by an external
auditor by order of the general manager of the
actor in the social sector or of the Sector
Committee

76
Compliance internal and external control

checking methods, and information systems and
logs to be checked are, with the support of the
ICT department, easily accessible to the persons
carrying out internal and external control
functions
monitoring systems, that raise potential risks
linked to the infringements of the law, policies,
directives, architecture, procedures and
standards, and on any undesirable use made of ICT
facilities, are available for the information
security officer
a regular check is carried out by the controller
of the processing in respect of the security
measures incorporated into contracts with third
parties