Title: Information security and privacy protection aspects of electronic information management in the Belgian social sector
Slide 1: Information security and privacy protection aspects of electronic information management in the Belgian social sector
Frank Robben, General manager, Crossroads Bank for Social Security (CBSS)
Sint-Pieterssteenweg 375, B-1040 Brussels
E-mail: Frank.Robben@ksz.fgov.be
Website CBSS: www.ksz.fgov.be
Personal website: www.law.kuleuven.be/icri/frobben
Slide 2: Stakeholders of the Belgian social sector
- > 10,000,000 citizens
- > 220,000 employers
- about 3,000 public and private institutions (actors) at several levels (federal, regional, local) dealing with
  - collection of social security contributions
  - delivery of social security benefits
    - child benefits
    - unemployment benefits
    - benefits in case of incapacity for work
    - benefits for the disabled
    - reimbursement of health care costs
    - holiday pay
    - old age pensions
    - guaranteed minimum income
  - delivery of supplementary social benefits
  - delivery of supplementary benefits based on the social security status of a person
Slide 3: The problem
- a lack of well-coordinated service delivery processes and of well-coordinated information management led to
  - suboptimal effectiveness of social protection
  - a huge avoidable administrative burden and related costs for
    - the citizens
    - the employers/companies
    - the actors in the social sector
  - service delivery that didn't meet the expectations of the citizens and the companies
  - insufficient social inclusion
  - too many opportunities for fraud
  - suboptimal support of social policy
Slide 4: Expectations of citizens and companies
- effective social protection
- integrated services
  - attuned to their concrete situation, and personalized when possible
  - delivered on the occasion of events that occur during their life cycle (birth, going to school, starting to work, moving house, illness, retirement, starting up a company, ...)
  - across government levels, public services and private bodies
  - attuned to their own processes
- with minimal costs and minimal administrative burden
  - if possible, granted automatically
  - with active participation of the user (self-service)
- well performing and user-friendly
- reliable, secure and permanently available
- accessible via a channel chosen by the user (direct contact, phone, PC, ...)
- sufficient privacy protection
Slide 5: The solution
- a network between all 3,000 social sector actors, with a secure connection to the internet, the federal MAN, regional extranets, extranets between local authorities and the Belgian interbanking network
- a unique identification key
  - for every citizen, electronically readable from an electronic social security card and an electronic identity card
  - for every company
  - for every establishment of a company
- an agreed division of tasks between the actors within and outside the social sector with regard to collection, validation and management of information and with regard to electronic storage of information in authentic sources
Slide 6: The solution
- 210 electronic services for mutual information exchange amongst actors in the social sector, defined after process optimization
  - nearly all direct or indirect (via citizens or companies) paper-based information exchange between actors in the social sector has been abolished
  - in 2007, 656 million electronic messages were exchanged amongst actors in the social sector, which saved as many paper exchanges
- electronic services for citizens
  - maximal automatic granting of benefits based on electronic information exchange between actors in the social sector
  - 8 electronic services via an integrated portal
    - 3 services to apply for social benefits
    - 5 services for consultation of social benefits
  - about 30 new electronic services are foreseen
Slide 7: The solution
- 41 electronic services for employers, either based on the electronic exchange of structured messages or via an integrated portal site
  - 50 social security declaration forms for employers have been abolished
  - in the remaining 30 (electronic) declaration forms the number of headings has on average been reduced to a third of the previous number
  - declarations are limited to 4 events
    - immediate declaration of recruitment (only electronically)
    - immediate declaration of discharge (only electronically)
    - quarterly declaration of salary and working time (only electronically)
    - occurrence of a social risk (electronically or on paper)
  - in 2007, 23 million electronic declarations were made by all 220,000 employers, 98% of which from application to application
Slide 8: The solution
- an integrated portal site containing
  - electronic transactions for citizens, employers and professionals
  - simulation environments
  - information about the entire social security system
  - harmonized instructions and information model relating to all electronic transactions
  - a personal page for each citizen, each company and each professional
- an integrated multimodal contact centre supported by a customer relationship management tool
- a data warehouse containing statistical information with regard to the labour market and all branches of social security
Slide 9: The solution
- reference directory
  - directory of available services/information: which information/services are available at any actor, depending on the capacity in which a person/company is registered at each actor
  - directory of authorized users and applications
    - list of users and applications
    - definition of authentication means and rules
    - definition of authorization profiles: which kind of information/service can be accessed, in what situation and for what period of time, depending on the capacity in which the person/company is registered with the actor that accesses the information/service
  - directory of data subjects: which persons/companies have personal files at which actors, for which periods of time, and in which capacity they are registered
  - subscription table: which users/applications want to automatically receive what information/services, in which situations, for which persons/companies, in which capacity
Slide 10: CBSS as driving force
- coordination by the Crossroads Bank for Social Security
- Board of Directors consists of representatives of the companies, the citizens and the actors in the social sector
- mission
  - definition of the vision and the strategy on eGovernment in the social sector
  - definition of the common principles related to information management, information security and privacy protection
  - definition, implementation and management of an interoperability framework
    - technical: secure messaging of several types of information (structured data, documents, images, metadata, ...)
    - semantic: harmonization of concepts and coordination of necessary legal changes
    - business logic and orchestration support
  - coordination of business process reengineering
  - stimulation of service-oriented applications
  - driving force of the necessary innovation and change
  - consultancy and coaching
Slide 11: Co-operative governance
- CBSS has an innovative model of governance, steering the business process re-engineering with complex interdependencies between all actors involved
- Board of Directors of the CBSS
  - consists of representatives of the stakeholders (employers' associations, trade unions, social security institutions, ...)
  - approves the strategic, operational and financial plans of the CBSS
- General Coordination Committee with representation of all users acts as debating platform for the elaboration and implementation of eGovernment initiatives within the social sector
Slide 12: Co-operative governance
- permanent or ad hoc working groups are instituted within the General Coordination Committee in order to coordinate the execution of programs and projects
- the chairmen of the various working groups meet regularly as a Steering Committee
- besides project planning and follow-up, proper measuring facilities are available to assure permanent monitoring and improvement after the implementation of the electronic services
Slide 13: Adequate management and control techniques
- annual priority plan debated with all users within the General Coordination Committee of the CBSS
- cost accounting and zero-based budgeting, resulting in financial transparency, an informed budget and a good evaluation of the management contract with the Belgian federal government
- internal control based on the COSO methodology (see www.coso.org) in order to provide reasonable assurance regarding the achievement of objectives with regard to
  - effectiveness and efficiency of operations
  - reliability of financial reporting
  - compliance with applicable laws and regulations
- external audit with regard to the correct functioning of the internal control system
Slide 14: Adequate management and control techniques
- program management throughout the whole social sector
- issue management during the management of each program
- use of a project management system combined with a time-keeping system to follow up projects that are realized by the CBSS and its partners
- frequent reports to all users describing the progress of the various projects and possible adjustment measures
- use of balanced scorecards and a dashboard to measure, follow up and evaluate the performance of the electronic services and the CBSS
- use of ITIL (see www.itil-itsm-world.com) for ICT service delivery
- use of a coherent set of monitoring techniques to guarantee optimal control and transparency of the electronic services
Slide 15: Towards a network of service integrators
[Diagram: three service integrators, each with its own services repository, interconnected over the Internet. The regional/community service integrators (Corve, Easi-Wal, CIRB, ...) serve the regional public services (labelled RPS) over a region or community extranet; the CBSS serves the social sector actors (labelled ASS) over the social sector extranet; FEDICT serves the federal public services (FPS) over FEDMAN. Municipalities, cities and provinces connect through VPN, Publi-link, VERA, ...]
Slide 16: Advantages
- gains in efficiency
  - in terms of cost: services are delivered at a lower total cost, due to
    - a unique information collection using a common information model and administrative instructions
    - less need for re-encoding of information, by stimulating electronic information exchange
    - a drastic reduction of the number of contacts between actors in the social sector on the one hand and companies or citizens on the other
    - a functional task sharing concerning information management, information validation and application development
  - a minimal administrative burden
    - according to a study of the Belgian Planning Bureau, rationalization of the information exchange processes between the employers and the social sector implies an annual saving of administrative costs of about 1.7 billion euro for the companies
Slide 17: Advantages
- gains in efficiency
  - in terms of quantity: more services are delivered
    - services are available at any time, from anywhere and from several devices
    - services are delivered in an integrated way, according to the logic of the customer
  - in terms of speed: the services are delivered in less time
    - benefits can be allocated more quickly because information is available faster
    - waiting and travel time is reduced
    - companies and citizens can directly interact with the competent actors in the social sector, with real-time feedback
Slide 18: Advantages
- gains in effectiveness: better social protection
  - in terms of quality: the same services at the same total cost in the same time, but to a higher quality standard
  - in terms of type of services: new types of services, e.g.
    - push system: automated granting of benefits
    - active search for non-take-up using data warehousing techniques
    - controlled management of one's own personal information
    - personalized simulation environments
    - better support of social policy
    - more efficient combating of fraud
Slide 19: Critical success factors
- common vision on electronic service delivery, information management and information security amongst all stakeholders
- support of and access to policymakers at the highest level
- trust of all stakeholders, especially partners and intermediaries, based on
  - mutual respect
  - real mutual agreement
  - transparency
  - respect for the legal allocation of competences between actors
- co-operation between all actors concerned based on distribution of tasks rather than centralization of tasks
- focus on more effective and efficient service delivery and on cost control
Slide 20: Critical success factors
- reasoning in terms of added value for citizens and companies rather than in terms of legal competences
- quick wins combined with a long-term vision
- lateral thinking when needed
- adaptability to an ever-changing societal and legal environment
- electronic service delivery as a structural reform process
  - process re-engineering within and across actors
  - back-office integration for unique information collection, re-use of information and automatic granting of benefits
  - integrated and personalized front-office service delivery
Slide 21: Critical success factors
- multidisciplinary approach
  - process optimization
  - legal coordination
  - ICT coordination
  - information security and privacy protection
  - change management
  - communication
  - coaching and training
Slide 22: Critical success factors
- appropriate balance between efficiency on the one hand and information security and privacy protection on the other
- technical and semantic interoperability
- legal framework
- creation of an institution that stimulates, coordinates and assures sound program and project management
- availability of skills and knowledge: creation of an association that hires ICT specialists at normal market conditions and puts them at the disposal of the actors in the social sector
- sufficient financial means for innovation: agreed possibility to re-invest efficiency gains in innovation
- service-oriented architecture (SOA)
Slide 23: Critical success factors
- need for radical cultural change within government, e.g.
  - from hierarchy to participation and teamwork
  - meeting the needs of the customer, not the government
  - empowering rather than serving
  - rewarding entrepreneurship within government
  - ex post evaluation on output, not ex ante control of every input
Slide 24: Information security and privacy protection
- security, availability, integrity and confidentiality of information are ensured by an integrated set of structural, institutional, legal, organizational, HR-related and technical security measures, according to agreed policies
Slide 25: Structural and institutional measures
- no central data storage
- access authorization to personal information is granted by a Sector Committee of the Privacy Commission, designated by Parliament, after having checked whether the access conditions are met
- the access authorizations are public
- every actual electronic exchange of personal information has to pass through an independent trusted third party (basically the CBSS) and is preventively checked by that trusted third party for compliance with the existing access authorizations
- every actual electronic exchange of personal information is logged, so that possible abuse can be traced afterwards
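As an added illustration (not code from the CBSS or from the original slides), the following Python sketch implements the preventive check described on this slide against the reference directory of slide 9, in the spirit of the Policy Enforcement Model on the last slide: the trusted third party looks up the requesting actor's authorization profile, checks that the data subject is registered with that actor in the required capacity on the date of the exchange, and logs every decision so that abuse can be traced afterwards. The subscription table is used to push a message only to subscribers that pass the same check. All actor names, service names, identifiers and dates are constructed sample data, and the table layouts are assumptions, not the CBSS's real schema.

```python
"""Added example (not CBSS code): a trusted third party checking every
exchange of personal data against a reference directory and logging it.
All actors, services, identifiers and dates below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# --- reference directory (constructed sample data) ----------------------

# directory of authorized users/applications: for each (actor, service),
# the capacity in which the data subject must be registered with that
# actor and the period for which the Sector Committee authorization holds
AUTHORIZATIONS = {
    ("FUND_A", "consultEmploymentHistory"):    ("insured", date(2006, 1, 1), date(2010, 12, 31)),
    ("FUND_A", "consultFamilyComposition"):    ("insured", date(2006, 1, 1), date(2007, 12, 31)),
    ("PENSION_B", "consultEmploymentHistory"): ("pensioner", date(2006, 1, 1), date(2010, 12, 31)),
}

# directory of data subjects: (subject, actor) -> [(capacity, from, to)];
# to=None means the personal file is still open
DATA_SUBJECTS = {
    ("11111111111", "FUND_A"):    [("insured", date(2005, 3, 1), None)],
    ("11111111111", "PENSION_B"): [("pensioner", date(2009, 7, 1), None)],
    ("22222222222", "FUND_A"):    [("insured", date(2001, 1, 1), date(2004, 12, 31))],
}

# subscription table: actors that want a given message pushed to them
# automatically for the subjects registered with them in the given capacity
SUBSCRIPTIONS = [
    ("FUND_A", "consultEmploymentHistory", "insured"),
    ("PENSION_B", "consultEmploymentHistory", "pensioner"),
]

AUDIT_LOG: list[dict] = []          # one record per attempted exchange


@dataclass(frozen=True)
class Exchange:
    requester: str   # actor asking for the data
    service: str     # electronic service / message type
    subject: str     # unique identification key of the person (constructed)
    on: date         # date of the exchange


def registered_capacity(subject: str, actor: str, on: date) -> Optional[str]:
    """Capacity in which `subject` has an open file at `actor` on `on`, else None."""
    for capacity, start, end in DATA_SUBJECTS.get((subject, actor), []):
        if start <= on and (end is None or on <= end):
            return capacity
    return None


def decide(x: Exchange) -> tuple[str, str]:
    """Preventive check by the trusted third party; every decision is logged."""
    profile = AUTHORIZATIONS.get((x.requester, x.service))
    if profile is None:
        verdict = ("DENIED", "no authorization profile for this actor/service")
    else:
        capacity, start, end = profile
        if not start <= x.on <= end:
            verdict = ("DENIED", "authorization not valid on the date of the exchange")
        elif registered_capacity(x.subject, x.requester, x.on) != capacity:
            verdict = ("DENIED", f"subject not registered with requester as '{capacity}'")
        else:
            verdict = ("PERMITTED", "exchange matches a public access authorization")
    AUDIT_LOG.append({"date": x.on.isoformat(), "requester": x.requester,
                      "service": x.service, "subject": x.subject,
                      "result": verdict[0], "reason": verdict[1]})
    return verdict


def push(service: str, subject: str, on: date) -> list[str]:
    """Fan-out via the subscription table; each subscriber still passes decide()."""
    delivered = []
    for actor, subscribed_service, capacity in SUBSCRIPTIONS:
        if subscribed_service != service:
            continue
        if registered_capacity(subject, actor, on) != capacity:
            continue                      # not registered there in that capacity
        if decide(Exchange(actor, service, subject, on))[0] == "PERMITTED":
            delivered.append(actor)
    return delivered


if __name__ == "__main__":
    print(decide(Exchange("FUND_A", "consultEmploymentHistory", "11111111111", date(2007, 5, 1))))
    print(decide(Exchange("FUND_A", "consultFamilyComposition", "11111111111", date(2008, 2, 1))))
    print(push("consultEmploymentHistory", "11111111111", date(2009, 9, 1)))
    for record in AUDIT_LOG:
        print(record)
```

The second call is refused because the authorization for that service lapsed at the end of 2007, even though the person still has an open file at the requesting actor; the third call shows that a push reaches only those subscribers that hold a valid authorization and a current registration for the person concerned. Every attempt, permitted or denied, ends up in the log.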
Slide 26: Structural and institutional measures
- every actor in the social sector has an information security officer with an advisory, stimulating, documentary and control task
- specialized information security service providers in the social sector have been recognized in order to support the information security officers
- a working party on information security and privacy protection within the social sector has been established
- minimal information security and privacy protection standards are proposed by the working party on information security and privacy protection and are established by the Sector Committee
Slide 27: Structural and institutional measures
- every year, every actor in the social sector has to report to the Sector Committee on compliance with the minimal information security and privacy protection standards
- if an actor in the social sector doesn't meet the minimal information security and privacy protection standards, the Sector Committee can prohibit that actor from being connected to the CBSS
Slide 28: Independent Sector Committee
- established within the Privacy Commission
- composed of
  - 2 members of the Privacy Commission
  - 3 independent social security specialists designated by Parliament
- competences
  - supervision of information security
  - authorizing the information exchange
  - complaint handling
  - information security recommendations
  - extensive investigating powers
  - annual activity report
Slide 29: Information security department
- at each actor in the social sector
- composition
  - information security officer
  - one or more assistants
- the independence and permanent education of the information security officers are checked by the Sector Committee
- the Sector Committee can allow the tasks of the information security department to be entrusted to a recognized specialized information security service provider
Slide 30: Information security department tasks
- information security department
  - recommends
  - promotes
  - documents
  - controls
  - reports directly to the general management
  - formulates the blueprint of the security plan
  - elaborates the annual security report
- general management
  - takes the decision
  - is finally responsible
  - gives motivated feedback
  - approves the security plan
  - supplies the resources
Slide 31: Contents of the security report
- general overview of the security situation
- overview of the activities
  - recommendations and their effects
  - control
  - campaigns in order to promote information security
- overview of the external recommendations and their effects
- overview of the received trainings
Slide 32: Specialized IS service providers
- to be recognized by the Government
- recognition conditions
  - non-profit association
  - having information security in the social sector as its one and only activity
  - respecting the tariff principles determined by the Government
  - independence is checked by the Sector Committee
- tasks
  - keeping information security specialists at the disposal of the associated actors
  - recommending
  - organizing information security trainings
  - supporting campaigns promoting information security
  - external auditing at the request of the actor or the Sector Committee
- each actor can only associate with one specialized information security service provider
Slide 33: Working party on information security
- composition: information security officers of all branches of the social sector
- tasks
  - coordination
  - communication
  - proposal of minimal information security and privacy protection standards
  - checklist
  - recommendations to the Sector Committee
Slide 34: Legal measures
- obligations of the actors in the social sector as data controllers (i.e. the natural or legal person, public authority, agency or any other body which alone or jointly determines the purposes and means of the processing of personal data)
- rights of the data subjects (i.e. the natural persons the personal data relate to)
- remedies, liability and sanctions
Slide 35: Obligations of actors in the social sector
- principles relating to fair and lawful processing and data quality
- information to be given to the data subject
- confidentiality and security of processing
Slide 36: Fair and lawful processing and data quality
- fair and lawful processing
- collection only for specified, explicit and legitimate purposes
- no further processing in a way incompatible with those purposes
- personal data must be adequate, relevant and not excessive in relation to those purposes
- personal data must be accurate and kept up to date
- personal data must not be kept longer than necessary for those purposes in a form which permits the identification of the data subject
Slide 37: Fair and lawful processing and data quality
- respect of additional protection measures related to sensitive data, i.e. data revealing or concerning
  - racial or ethnic origin
  - political opinions
  - religious or philosophical beliefs
  - trade union membership
  - health
  - sexual life
  - offences, criminal convictions or security measures
Slide 38: Informing the data subject
- the controller or his representative must provide the data subject with a minimum of information
  - when obtaining personal data from the data subject
  - when undertaking the recording, or envisaging a disclosure to a third party, of personal data that have not been obtained from the data subject
- exceptions
  - the data subject already has the information
  - informing the data subject, in case of processing of data obtained from another person,
    - proves impossible, in particular for processing for statistical purposes or purposes of historical or scientific research, or
    - would involve disproportionate effort for the controller, in particular for processing for statistical purposes or purposes of historical or scientific research, or
    - is not necessary because the recording or disclosure is expressly laid down by law
Slide 39: Informing the data subject
- information to be given
  - identity of the controller and of his representative, if any
  - the purposes of the processing
  - any further information necessary to guarantee fair processing in respect of the data subject, such as
    - categories of processed data
    - (categories of) recipients
    - whether replies are obligatory or not, as well as the possible consequences of failure to reply
    - the existence of rights of access and rectification
Slide 40: Confidentiality and security
- no access to personal data is permitted except on instructions from the controller or if required by law
- appropriate technical and organizational security measures
  - protection against
    - accidental or unlawful destruction
    - accidental loss
    - alteration
    - unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network
    - all other forms of unlawful processing
  - measures have to be appropriate
    - to the risks represented by the processing
    - and the nature of the data to be protected
    - having regard to the state of the art
    - and the cost of their implementation
Slide 41: Confidentiality and security
- where processing is carried out by an external processor
  - the controller has to choose a processor guaranteeing sufficient technical and organizational security measures
  - the controller must ensure compliance of the processing with the security measures
  - the carrying out of the processing must be governed by a written contract or legal act stipulating in particular that
    - the processor shall act only on instructions from the controller
    - the security obligations shall also be incumbent on the processor
Slide 42: Recommendation of the Belgian Privacy Commission
- see http://www.privacycommission.be/nl/static/pdf/referenciemaatregelen-vs-01.pdf
- risk analysis taking into account
  - the nature of the processed data
  - the applicable legal requirements
  - the size of the organization
  - the importance and the complexity of the information systems
  - the extent of internal and external access to personal data
  - the probability and the impact of the several risks
  - the cost of the implementation of risk-mitigating measures
Slide 43: Recommendation of the Belgian Privacy Commission
- 10 types of measures
  - information security policy
  - information security officer
  - minimal organizational measures and measures related to staff
  - physical security
  - network security
  - access control
  - logging and investigation of logging
  - supervision, audit and maintenance
  - management of security incidents and continuity
  - documentation
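Slide 25 says that every exchange is logged so that abuse can be traced afterwards, and this slide lists "logging and investigation of logging" as one of the measure types. The preventive check cannot stop an authorized user from looking up people he has no business reason to consult, so the log has to be investigated. The following Python sketch is an added example (not CBSS code, and not the CBSS's log format): it parses a constructed log of consultations and flags three patterns an investigator would look at first. The line format, the field names, the user identifiers and the thresholds are all assumptions.

```python
"""Added example (not CBSS code): investigating an exchange log afterwards.
The log lines, their format, the users and the thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one line per consultation, as an assumed format.
LOG = """\
2007-05-02T09:12:04 user=u017 actor=FUND_A service=consultEmploymentHistory subject=11111111111 result=PERMITTED
2007-05-02T09:15:40 user=u017 actor=FUND_A service=consultEmploymentHistory subject=22222222222 result=PERMITTED
2007-05-02T10:01:11 user=u042 actor=FUND_A service=consultEmploymentHistory subject=33333333333 result=PERMITTED
2007-05-02T10:01:30 user=u042 actor=FUND_A service=consultEmploymentHistory subject=44444444444 result=PERMITTED
2007-05-02T10:01:52 user=u042 actor=FUND_A service=consultEmploymentHistory subject=55555555555 result=PERMITTED
2007-05-02T10:02:09 user=u042 actor=FUND_A service=consultEmploymentHistory subject=66666666666 result=PERMITTED
2007-05-02T10:02:31 user=u042 actor=FUND_A service=consultEmploymentHistory subject=77777777777 result=PERMITTED
2007-05-02T23:40:05 user=u042 actor=FUND_A service=consultEmploymentHistory subject=88888888888 result=PERMITTED
2007-05-03T08:30:00 user=u099 actor=FUND_A service=consultFamilyComposition subject=11111111111 result=DENIED
2007-05-03T08:30:21 user=u099 actor=FUND_A service=consultFamilyComposition subject=22222222222 result=DENIED
2007-05-03T08:30:44 user=u099 actor=FUND_A service=consultFamilyComposition subject=33333333333 result=DENIED
"""

LINE = re.compile(r"^(\S+) user=(\S+) actor=(\S+) service=(\S+) subject=(\S+) result=(\S+)$")


def parse(log: str) -> list[dict]:
    """Turn the assumed line format into records; unparseable lines are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, user, actor, service, subject, result = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "actor": actor,
                        "service": service, "subject": subject, "result": result})
    return records


def investigate(records: list[dict], max_subjects_per_day: int = 5,
                max_denied: int = 3, office_hours: tuple[int, int] = (7, 19)) -> list[tuple]:
    """Flag (rule, user, detail) for three abuse patterns:
    - off_hours: consultation outside the assumed office hours
    - volume: more distinct persons consulted in one day than the threshold
    - repeated_denied: a user probing for data he is not authorized to see"""
    findings = []
    subjects_per_user_day = defaultdict(set)
    denied_per_user = defaultdict(int)
    for r in records:
        subjects_per_user_day[(r["user"], r["ts"].date())].add(r["subject"])
        if r["result"] == "DENIED":
            denied_per_user[r["user"]] += 1
        if not office_hours[0] <= r["ts"].hour < office_hours[1]:
            findings.append(("off_hours", r["user"], r["ts"].isoformat()))
    for (user, day), subjects in subjects_per_user_day.items():
        if len(subjects) > max_subjects_per_day:
            findings.append(("volume", user, f"{len(subjects)} distinct subjects on {day}"))
    for user, n in denied_per_user.items():
        if n >= max_denied:
            findings.append(("repeated_denied", user, f"{n} denied requests"))
    return findings


if __name__ == "__main__":
    for finding in investigate(parse(LOG)):
        print(finding)
```

On the constructed log, user u042 is flagged twice (six different persons consulted within a day, one of them at night) and u099 once (three refusals in a row), while u017's two ordinary consultations raise nothing. Real thresholds would be derived per actor and per function, since a front-desk clerk legitimately consults far more files than a back-office analyst.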
Slide 44: Rights of the data subject
- right of privacy protection
- right of information
  - access to the public register
  - in case of collection of data
  - in case of the recording or disclosure of data obtained elsewhere
- right of access
- right of rectification, erasure or blocking
- right not to be subject to fully automated individual decisions
- right of a judicial remedy
Slide 45: Right of access
- the data subject has the right to obtain from the controller, without constraint, at reasonable intervals and without excessive delay or expense
  - confirmation as to whether or not data relating to him are being processed
  - information at least about
    - the purposes of the processing
    - the categories of data
    - the (categories of) recipients
  - communication of the data and any available information as to their source
  - knowledge of the logic involved in any automated processing intended to evaluate certain personal aspects relating to him
- every time information is used to take a decision, the information used is communicated to the person concerned together with the decision
Slide 46: Right of rectification, erasure or blocking
- the data subject has the right to obtain from the controller the rectification, erasure or blocking of data the processing of which does not comply with the provisions of the directive (e.g. incomplete or inaccurate data)
- the controller has to notify any rectification, erasure or blocking to third parties to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort
Slide 47: Automated individual decisions
- every person is granted the right not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects, such as his performance at work, creditworthiness, reliability, conduct, ...
- derogations are possible
  - under certain circumstances, in the course of the entering into or the performance of a contract, or
  - by law providing measures to safeguard the data subject's legitimate interests
Slide 48: Remedies, liability and sanctions
- remedies
  - administrative remedies, inter alia before the Sector Committee
  - judicial remedies for any breach of the rights guaranteed by the applicable national law
- liability
  - right to compensation from the controller for the damage suffered as a result of an unlawful processing operation, unless the controller proves not to be responsible for the event giving rise to the damage
- sanctions
  - penal sanctions
  - prohibition to process personal data
Slide 49: Organizational, HR-related and technical measures
- risk assessment
- security policies
- governance and organization of information security
- inventory and classification of information
- human resources security
- physical and environmental security
- management of communication and service processes
- processing of personal data
- access control
- acquisition, development and maintenance of information systems
- information security incident management
- business continuity management
- compliance: internal and external control
- communication to the public of the policies concerning security and the protection of privacy
Slide 50: Security policies
- an integrated set of security policies is being elaborated through step-by-step refinement
- the policies always have the following structure
  - material field of application: what the policy is all about
  - personal field of application: to whom the policy applies
  - definitions of the concepts used in the policy
  - general principles setting rules and responsibilities
  - requirements and references to other policies
  - sanctions, arising among other things from regulations, if the policy is not complied with
  - references to directives, architecture, procedures, standards and techniques to comply with the policy
  - date of validation by the bodies concerned
  - mention of the person responsible for policy maintenance
Slide 51: Security policies
- directives, architecture, standards, procedures and techniques are being described to apply the integral set of security policies, in accordance with the priorities set by the working party on information security and privacy protection
Slide 52: Classification of information
- the purpose of classifying information is to determine the protection level per information item, taking two aspects into account
  - the importance for the business continuity of the actors (e.g. vital, critical, necessary, useful)
  - sensitivity in relation to protection of privacy (e.g. public, internal, confidential, secret)
- the field of application of the classification exercise covers information (mainly personal data) used for services to citizens, companies and civil servants, regardless of the medium on which it is kept
- information is labelled according to the classification criteria used
Slide 53: HR security
- security tasks and responsibilities are included in all job descriptions to which they apply; sensitive positions are stated as such in job descriptions
- applicants for sensitive jobs are screened carefully
- a secrecy declaration is signed by every staff member
- all staff members are briefed, educated and trained regarding information security and protection of privacy
- at each actor in the social sector, robust procedures have to be established and implemented to report any security breaches or weak points to the information security officer
Slide 54: HR security
- at each actor in the social sector, a working method is established and implemented to analyse any security-related incidents and weak points reported by the information security officer, and adequate remedial measures are proposed
- (disciplinary) sanctions are foreseen when measures relating to information security and protection of privacy are circumvented or not complied with
- it is checked that these (disciplinary) sanctions are sufficiently well known
- it is checked that adequate measures are applied when the working relationship with a staff member is terminated
Slide 55: Physical and environmental security
- premises have to be available that are well secured against malign external influences, unauthorized access, break-in, flood, fire, ..., and ICT infrastructure supporting vital and critical business processes has to be accommodated at these premises
- the electricity supply for ICT infrastructure supporting vital and critical business processes is guaranteed
- cabling and wireless links are secured, especially against wiretapping
- a procedure for bringing business equipment in and out, among other things in case of maintenance and repairs, is established and implemented
- rules are established for managing business equipment assigned to individuals (e.g. laptops, handhelds, mobile phones, call tokens, ...) that gives access to information that needs to be protected
Slide 56: Management of processes
- the division of responsibilities for the management and maintenance of all parts of the ICT infrastructure is established and implemented
- security procedures, including procedures for resolving incidents, are established and implemented, taking into account the necessary segregation of roles
- the internal rules for day-to-day work (e.g. back-ups, ban on computer games, code of practice regarding use of the Internet, locking or shutting down of equipment, ...) are established and complied with
- each stage in the life cycle of an application, including acceptance scenarios, is defined and complied with
Slide 57: Management of processes
- new applications or amendments to existing applications are submitted to acceptance tests in an acceptance environment, separate from the production environment, before going into production
- the six areas of the ITIL methodology concerning service support, and the first two areas of the ITIL methodology concerning service delivery, are implemented
  - service support
    - configuration management
    - incident management
    - problem management
    - change management
    - service/help desk
    - release management
  - service delivery
    - service level management
    - capacity management
Slide 58: Management of processes
- there are preventive measures to secure all information systems against viruses and harmful software
- procedures for storage media (tapes, floppy disks, cassettes, ...) are established and complied with, including rules relating to
  - storage and access
  - shipping
  - accidental destruction
Slide 59: Management of processes
- networks are managed following well-defined procedures, especially when connected to external networks; in this respect, special attention is paid to
  - separation between internal and external networks
  - perimeter protection of internal networks (firewalls, ...)
  - mutual authentication of components
  - intrusion detection
  - application of encryption techniques where necessary
- interchange agreements are written down for the use of network services, especially for network services used for external collaboration, including
  - service level agreements concerning availability and performance
  - demarcation of responsibilities relating to security and protection of privacy
60 Access control
- a user management system is settled and implemented, permitting
  - electronic identification of people, resources, applications and services
  - electronic authentication of the identity of people, resources, applications and services by appropriate means (user ID, password, token, digital certificate, electronic signature, ...)
  - electronic verification of relevant characteristics and mandates of people in authentic sources
- an access management system is settled and implemented, indicating among other things
  - roles and functions
  - authorizations on the basis of those roles and functions
  - authorization time-limits
- authorizations are managed at the levels of
  - people
  - resources
  - applications
  - services
61 User and access management
- identification of physical and legal persons
  - unique social identification number for physical persons
  - unique company number for companies
- authentication of the identity of physical persons
  - electronic identity card
  - user ID, password, token
- authentic sources for
  - management and verification of characteristics (e.g. a capacity, a function, a professional qualification) of persons
  - management and verification of mandates between a legal or physical person to whom an electronic transaction relates and the person carrying out that transaction
  - management and verification of authorizations
62 Policy Enforcement Model
Diagram: a user performs an action on an application; the Policy Enforcement Point (PEP) in front of the application sends a decision request to the Policy Decision Point (PDP) and receives a decision reply (PERMITTED or DENIED). The PDP retrieves policies from the Policy Administration Point (PAP), whose policy manager maintains the policy repository, and exchanges information requests/replies with Policy Information Points (PIP) backed by authentic sources.
63 Policy Enforcement Point (PEP)
- intercepts the request for authorization with all available information about the user, the requested action, the resources and the environment
- passes on the request for authorization to the Policy Decision Point (PDP) and obtains a decision regarding authorization
- grants access to the application and provides the relevant credentials
Diagram: user action on application; PEP sends decision request to PDP, receives decision reply; action on application is PERMITTED or DENIED.
64 Policy Decision Point (PDP)
- based on the request for authorization received, retrieves the appropriate authorization policy from the Policy Administration Point(s) (PAP)
- evaluates the policy and, if necessary, retrieves the relevant information from the Policy Information Point(s) (PIP)
- takes the authorization decision (permit/deny/not applicable) and sends it to the PEP
Diagram: PEP sends decision request to PDP and receives decision reply; PDP retrieves policies from the PAP and exchanges information requests/replies with the PIPs.
65 Policy Administration Point (PAP)
- environment to store and manage authorization policies by authorized person(s) appointed by the application managers
- puts authorization policies at the disposal of the PDP
Diagram: the policy manager manages the policy repository through the PAP; the PDP retrieves policies from the PAP.
66 Policy Information Point (PIP)
- puts information at the disposal of the PDP in order to evaluate authorization policies (authentic sources with characteristics, mandates, etc.)
Diagram: the PDP sends information requests to PIP 1 and PIP 2 and receives replies; each PIP is backed by an authentic source.
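The user and access management slides (identification, authentication, authentic sources for characteristics and mandates) and the policy enforcement model slides (PEP, PDP, PAP, PIP) describe one decision flow. The following is an added example, not code from the CBSS presentation or from any of its systems: it wires the four components together in Python and time-logs every decision at the PEP, as the access control slides require. The policy format, the attribute names, the person and company identifiers and the applications are constructed for the demo.

```python
"""Policy enforcement model: PEP, PDP, PAP and PIP wired together.

Added example, not code from the CBSS presentation. The policy format,
the attribute names and the sample subjects/companies are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

PERMIT, DENY, NOT_APPLICABLE = "PERMIT", "DENY", "NOT_APPLICABLE"


@dataclass(frozen=True)
class Request:
    """What the PEP intercepts: who wants which action on which application."""
    user_id: str                        # constructed person identifier
    action: str
    application: str
    on_behalf_of: Optional[str] = None  # constructed company id when acting under a mandate


@dataclass(frozen=True)
class Policy:
    application: str
    action: str
    required_role: str    # characteristic the PDP must find in an authentic source
    needs_mandate: bool = False


class PolicyAdministrationPoint:
    """PAP: the policy repository maintained by the appointed policy manager."""

    def __init__(self) -> None:
        self._repo: List[Policy] = []

    def add(self, policy: Policy) -> None:
        self._repo.append(policy)

    def retrieve(self, application: str, action: str) -> List[Policy]:
        return [p for p in self._repo
                if p.application == application and p.action == action]


class PolicyInformationPoint:
    """PIP: front for one authentic source, answering attribute queries by key."""

    def __init__(self, name: str, source: Dict[str, Set[str]]) -> None:
        self.name, self._source = name, source

    def query(self, key: str) -> Set[str]:
        return set(self._source.get(key, ()))


class PolicyDecisionPoint:
    """PDP: retrieves policies from the PAP, attributes from the PIPs, and decides."""

    def __init__(self, pap, roles_pip, mandates_pip) -> None:
        self.pap, self.roles_pip, self.mandates_pip = pap, roles_pip, mandates_pip

    def decide(self, req: Request) -> str:
        policies = self.pap.retrieve(req.application, req.action)
        if not policies:
            return NOT_APPLICABLE            # no policy covers this application/action
        roles = self.roles_pip.query(req.user_id)
        for policy in policies:
            if policy.required_role not in roles:
                continue
            if policy.needs_mandate:
                # the mandates source is keyed by company and lists the mandated persons
                holders = self.mandates_pip.query(req.on_behalf_of or "")
                if req.user_id not in holders:
                    continue
            return PERMIT
        return DENY


class PolicyEnforcementPoint:
    """PEP: asks the PDP, time-logs every decision, and only lets PERMIT through."""

    def __init__(self, pdp, clock=lambda: datetime.now(timezone.utc)) -> None:
        self.pdp, self.clock, self.audit_log = pdp, clock, []

    def enforce(self, req: Request) -> bool:
        decision = self.pdp.decide(req)
        self.audit_log.append({
            "time": self.clock().isoformat(), "user": req.user_id,
            "action": req.action, "application": req.application,
            "on_behalf_of": req.on_behalf_of, "decision": decision,
        })
        return decision == PERMIT


def build_demo() -> PolicyEnforcementPoint:
    """Wire the components with constructed sample data and return the PEP."""
    pap = PolicyAdministrationPoint()
    pap.add(Policy("ChildBenefits", "read", "case_worker"))
    pap.add(Policy("EmployerDeclarations", "submit", "employer_agent", needs_mandate=True))
    characteristics = PolicyInformationPoint("characteristics", {
        "person-A": {"case_worker"}, "person-B": {"employer_agent"}})
    mandates = PolicyInformationPoint("mandates", {"company-1": {"person-B"}})
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, characteristics, mandates))


if __name__ == "__main__":
    pep = build_demo()
    print(pep.enforce(Request("person-A", "read", "ChildBenefits")))             # True
    print(pep.enforce(Request("person-B", "submit", "EmployerDeclarations")))    # False: no mandate
    for entry in pep.audit_log:
        print(entry)
```

The PDP returns not applicable when no policy covers the request, deny when a policy exists but the subject lacks the required characteristic or mandate, and permit otherwise; the PEP treats anything other than permit as a refusal, so a missing policy never opens access by default.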
67 Architecture
Diagram: three domains side by side, the non social FPS (Fedict), the social sector (CBSS) and the eHealth platform. In each, users reach applications through authentication and authorisation at a PEP (web application with role mapper), backed by a PDP and a PAP; PIPs draw on attribute providers and role providers (Kephas, UMAF, VAS, mandates, management DB, judicial exut- ers, XYZ).
68 Access control
- buildings are partitioned, security rings are installed and access control measures to premises are implemented
- access control measures to physical resources (computers, networks, ...) by users (people, resources or applications) are set and implemented, with particular attention to business equipment relating to people (e.g. laptops, handhelds, mobile phones, call tokens, ...)
- access control measures to (sections of) application code are set and implemented
- access control measures to applications and services by internal and external users (people, resources or applications) are set and implemented (e.g. call-back procedures)
- ICT equipment is automatically timed out after a set period of inactivity
- all access and actions carried out are time-logged
69 Acquisition, development and maintenance
- security directives to be complied with during the acquisition, development and maintenance of applications and services are set and implemented
  - division of functions
  - audit trails during development
  - documentation
  - regular interim back-ups
  - the development environment is secured
- rules to build security into applications and services (e.g. validation of data input, checks of totals, verification of the authenticity of messages sent to subjects, ...), mainly for externally accessible applications and services, are settled and applied
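The three examples of "building security into applications" named above (validation of data input, checks of totals, verification of the authenticity of messages) are shown together below for a batch message received by an externally accessible service. This is an added example, not code from the presentation or from any social sector actor: the message layout, the field names, the 11-digit identifier shape, the amounts and the shared secret are constructed, and HMAC-SHA256 stands in for whatever authenticity mechanism an actor actually deploys.

```python
"""Building security into an externally accessible interface: input validation,
control totals and message authenticity.

Added example, not code from the presentation. Field names, the message
layout, the identifier shape and the shared secret are all constructed;
HMAC-SHA256 stands in for whatever authenticity mechanism an actor deploys.
"""
import copy
import hashlib
import hmac
import json
import re
from typing import Any, Dict, List

DEMO_KEY = b"constructed-demo-secret"          # demo only; real keys live outside the code
SUBJECT_ID = re.compile(r"\d{11}")             # constructed 11-digit identifier shape
PERIOD = re.compile(r"\d{4}-(0[1-9]|1[0-2])")  # YYYY-MM
MAX_AMOUNT_CENTS = 10_000_000


def canonical_bytes(body: Dict[str, Any]) -> bytes:
    """Deterministic serialisation so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign(body: Dict[str, Any], key: bytes) -> str:
    return hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()


def validate_record(rec: Dict[str, Any]) -> List[str]:
    """Field-level input validation; returns the names of the fields that fail."""
    bad = []
    sid = rec.get("subject_id")
    if not (isinstance(sid, str) and SUBJECT_ID.fullmatch(sid)):
        bad.append("subject_id")
    amount = rec.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 <= amount <= MAX_AMOUNT_CENTS:
        bad.append("amount")
    period = rec.get("period")
    if not (isinstance(period, str) and PERIOD.fullmatch(period)):
        bad.append("period")
    return bad


def check_totals(body: Dict[str, Any]) -> bool:
    """Control totals: record count and sum of amounts must match the control block."""
    control, records = body.get("control", {}), body.get("records", [])
    amounts = [r.get("amount") for r in records if isinstance(r, dict)]
    if len(amounts) != len(records) or not all(isinstance(a, int) for a in amounts):
        return False
    return control.get("record_count") == len(records) and control.get("amount_total") == sum(amounts)


def verify_message(envelope: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Receiver side: authenticity first, then structure, then control totals."""
    result = {"authentic": False, "totals_ok": False, "invalid_records": [], "accepted": False}
    body, mac = envelope.get("body"), envelope.get("mac")
    if not isinstance(body, dict) or not isinstance(mac, str):
        return result
    if not hmac.compare_digest(sign(body, key), mac):   # constant-time comparison
        return result                                    # unauthenticated: parse no further
    result["authentic"] = True
    records = body.get("records")
    if not isinstance(records, list):
        return result
    result["invalid_records"] = [i for i, r in enumerate(records)
                                 if not isinstance(r, dict) or validate_record(r)]
    result["totals_ok"] = check_totals(body)
    result["accepted"] = result["totals_ok"] and not result["invalid_records"]
    return result


def build_message(records: List[Dict[str, Any]], key: bytes) -> Dict[str, Any]:
    """Sender side: compute the control totals and attach the MAC."""
    body = {"records": records,
            "control": {"record_count": len(records),
                        "amount_total": sum(r["amount"] for r in records)}}
    return {"body": body, "mac": sign(body, key)}


def demo_scenarios() -> Dict[str, Dict[str, Any]]:
    """Run the verifier over a constructed genuine batch and three constructed faults."""
    good = build_message([
        {"subject_id": "00000000001", "amount": 12500, "period": "2009-03"},
        {"subject_id": "00000000002", "amount": 8000, "period": "2009-03"},
    ], DEMO_KEY)
    tampered = copy.deepcopy(good)
    tampered["body"]["records"][0]["amount"] += 1            # altered after signing
    bad_total = copy.deepcopy(good["body"])
    bad_total["control"]["amount_total"] -= 1                 # wrong total, re-signed by sender
    bad_record = copy.deepcopy(good["body"])
    bad_record["records"][1]["subject_id"] = "abc"            # malformed identifier, re-signed
    return {
        "genuine": verify_message(good, DEMO_KEY),
        "tampered": verify_message(tampered, DEMO_KEY),
        "bad_total": verify_message({"body": bad_total, "mac": sign(bad_total, DEMO_KEY)}, DEMO_KEY),
        "bad_record": verify_message({"body": bad_record, "mac": sign(bad_record, DEMO_KEY)}, DEMO_KEY),
    }
```

The order of the checks matters: the MAC is verified before any field is interpreted, so a message that nobody vouches for is rejected without exercising the parser, and the per-record findings are returned as indices so the sender can be told which records failed without leaking the rest of the batch.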
70 Acquisition, development and maintenance
- procedures concerning technical and functional tests are settled and implemented in an acceptance environment, separate from the production environment, with clear go/no-go criteria
- a method for analyzing the impact of amendments to operating systems on security and applications and on the permanent accessibility of information systems, together with tests of the accessibility of information and applications in the amended environment before putting the amendments into effect, are settled and applied
71 Acquisition, development and maintenance
- a method for analyzing the impact of amendments to the standard software used on security and applications, and on the continuous accessibility of information systems, together with tests of the accessibility of information and applications in the amended environment before putting the amendments into effect, are settled and applied
- a procedure for the destruction of information in the event that further processing is no longer authorized due to application of the proportionality principle or occupation of the country's territory, is settled and applied
72 Business continuity management
- back-up procedures for information and applications are settled and applied
- the code and written documentation of the latest version of all applications are kept at a secure site outside the production location
- the parts of information systems, certainly those supporting vital and critical business processes, are split up over geographically dispersed sites (no single points of failure)
73 Business continuity management
- a business continuity plan exists at each actor in the social sector and is made available to all those concerned
  - indicating vital and critical components and processes
  - with an inventory of the necessary infrastructure and skills for each component and process
  - with a description of actions, responsibilities and procedures in the event of an (internal or external) emergency
  - with a description of continuation actions and procedures in the event of an emergency in order to return to normal operation
  - with a description of test scenarios for the continuity plan with the third parties affected
74 Business continuity management
- the continuity plan is tested annually with the third parties affected and a report of the results is drawn up, aimed at permanent improvement
- the information systems for which this is justified are insured against physical risks such as fire, flood or earthquake, and also against theft
75 Compliance: internal and external control
- permanent internal control of compliance with legislation, policies, directives, architecture, procedures and standards, and of any undesirable use of ICT facilities (e.g. use of ICT for non-business purposes, ...), is carried out by the information security officer
- a regular external check of compliance with legislation, policies, directives, architecture, procedures and standards is carried out by an external auditor by order of the general manager of the actor in the social sector or of the Sector Committee
76 Compliance: internal and external control
- checking methods, and the information systems and logs to be checked, are, with the support of the ICT department, easily accessible to the persons carrying out internal and external control functions
- monitoring systems that raise potential risks linked to infringements of the law, policies, directives, architecture, procedures and standards, and any undesirable use made of ICT facilities, are available to the information security officer
- a regular check is carried out by the controller of the processing in respect of the security measures incorporated into contracts with third parties
77 More information
- website Crossroads Bank for Social Security
  - http://www.ksz.fgov.be
- personal website Frank Robben
  - http://www.law.kuleuven.be/icri/frobben
- social security portal
  - https://www.socialsecurity.be
78 Thank you! Any questions?