PANTA RHEI SECURITY WORKING GROUP - PowerPoint PPT Presentation

1
PANTA RHEI - SECURITY WORKING GROUP
  • Presentation to Panta Rhei meeting, Estoril,
    Portugal
  • 20 March 2003
  • Speakers: Barbara Heymann, Ian Pittock, John Welch

2
Agenda - (Barbara) 1
  • Introduction - 5 mins Barbara
  • Recommendations - 25 mins Ian
  • Discussion - 50 mins All
  • Next Steps - 10 mins Barbara

3
Introduction 4
  • DG Agriculture - IT security audits are not the EC's core
    business.
  • Need to replace current guidelines, replacement
    open for discussion.
  • PR - Madrid Oct 2001 and Berlin April 2002.
  • Working Groups - Frankfurt, June and November
    2002.

4
Recommendations
  • A. Abandon current guidelines.
  • B. List of standards.
  • C. PAs to choose standard from list.
  • D. Audit mechanism appropriate for standard.
  • E. EC and CBs to accept certificates.
  • F. Compliance audits.
  • G. EC to review regulations and guidelines.

5
A. The current guidelines are to be
abandoned 3
  • DG Agriculture wishes the guidelines to be
    replaced.
  • Unanimous agreement amongst working group members
    for replacement.
  • Failing this - need to update and maintain
    current guidelines, also need mechanism for this.

6
B. There shall be an inaugural list of standards
consisting of 2
  • BSI (IT Baseline Protection Standard).
  • ISO17799/BS7799 (Information Security Management
    Standard).
  • COBIT (Control Objectives for Information and related
    Technology).
  • Anyone subsequently proposing an additional
    standard shall show equivalence to one of these
    standards.

7
Standards continued - Approach taken 2
  • already in general use.
  • has an audit mechanism.
  • has an internationally recognised certification
    process.
  • has sufficient rigour.
  • CBs to accept certificates.

8
C.
  • Subject to any requirements by National
    Governments and without prejudice to European
    regulations, Paying Agencies shall choose for
    themselves which one of the standards on the
    approved list they shall adopt. As a corollary,
    if necessary, Competent Authorities must ensure
    that Certifying Bodies can handle a number of
    standards.

9
C continued 2
  • Principle of self-determination.
  • but within the limits of what auditors, and in turn
    the CB that audits them, can handle.

10
D. The audit mechanism that shall be used is
that associated with the chosen standard. 3
  • Provides best fit for each standard.
  • One meaningful mechanism for all standards is not
    possible - causes problems.

11
E. The EC and Certifying Bodies shall accept
certificates issued on behalf of national
standards bodies 4
  • Reduction in auditing requirement, therefore
    management time.
  • Possible confusion - no such thing as
    self-certification. Can only be awarded by a
    third party licensed by a national standards
    body.

12
F.
  • As an alternative to certification, paying
    agencies may perform compliance audits using one
    of two methods: self-checking or a third party. A
    score will be given to each high-level objective.
    In these cases a generalised scoring mechanism
    shall be used taking four factors into
    consideration; the score will be the lowest
    achieved in any one of the factors.

13
F continued 2
  • Self-checking - para 3(i) of annex to EC
    Regulation 1663/95.
  • Third party - another PA, an independent auditor or a
    security supplier.
  • Not as strong nor as independent as certification.
  • Robust enough if a professional auditing team is used.

14
F continued again - Scoring 3
  • Marked 0 to 5 against 4 factors
  • a. acknowledgement and communication.
  • b. the policy exists.
  • c. associated processes and training in place.
  • d. measuring effectiveness and improvements.
  • Score is the lowest achieved, no averaging, but auditors
    to recognise in the report where an issue scores higher.
    Also, the CB is to recognise the auditors' observations.

15
G. The Commission should review the regulations
and guidelines with regard to these
recommendations. 3
  • Not for the working group nor Panta Rhei to do this;
    the Commission is to decide the mechanism.
  • New mechanism for 16th October 2003.

16
Discussion (Barbara) 50
  • Background - why change
  • Recommendations:
    A. Abandon current guidelines
    B. List of standards
    C. PAs to choose standard from list
    D. Audit mechanism appropriate for standard
    E. EC and CBs to accept certificates
    F. Compliance audits
    G. EC to review regulations and guidelines

17
Next Steps (Barbara) 10
  • Summary of progress so far.
  • Any further work needed by Panta Rhei?
  • Proposal to Directors, then Commission to decide
    how to implement (i.e. change to regulation or
    other method), finally Agricultural Committee to
    approve.