Pascal Steichen (<pascal steichen (a) eco etat lu>)
Ministère de l'Economie et du Commerce extérieur (Direction des Communications)
ENISA (alternate and liaison officer)
CLUSSIL (management board member)
CNLSI (management board member)
1. Security
- A definition
- "The ability to handle misuse or unpredicted events on systems."
The ACID principles:
- Authentication
- Confidentiality
- Integrity
- Disponibility (availability)
How should one approach this security thing?
2. Security and politics
Security is a national issue!
Most countries have their own governmental organisations to handle issues in the field of information security. Most often, IS is also linked to other aspects of security, or even to the military, mainly focusing on the protection of national assets. In this constellation, security is seen more as control and surveillance.
US
- DOD (Department of Defense)
The mission of the Department of Defense is to provide the military forces needed to deter war and to protect the security of our country. The department's headquarters is at the Pentagon.
Background: in 1968 ARPA (Advanced Research Projects Agency) started ARPANET, the ancestor of today's Internet.
- NSA (National Security Agency) The National Security Agency/Central Security Service is America's cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect U.S. government information systems and produce foreign signals intelligence information. A high technology organization, NSA is on the frontiers of communications and data processing. It is also one of the most important centers of foreign language analysis and research within the government. Mission statement: "The ability to understand the secret communications of our foreign adversaries while protecting our own communications -- a capability in which the United States leads the world -- gives our nation a unique advantage."
- DHS (Department of Homeland Security)
- Increase overall preparedness, particularly for catastrophic events.
- Create better transportation security systems to move people and cargo more securely and efficiently.
- Strengthen border security and interior enforcement and reform immigration processes.
- Enhance information sharing with our partners.
- Improve DHS financial management, human resource development, procurement and information technology.
- Realign the DHS organization to maximize mission performance.
UK
- DTI (Department of Trade & Industry)
- Information Security Policy Team
Promotes good information security management to business and provides a policy framework to encourage improved information security both at home and internationally.
The prime responsibility of the DTI's Information Security Policy Team is to help UK businesses address this issue, and manage their information security more effectively. We work with business to:
- identify the barriers to the adoption of new technologies
- raise awareness of the importance of effective information security management
- develop guidance on good practice in information security. This includes the development of 'ISO/IEC 17799/BS 7799: A Code of Practice for Information Security Management'
- develop solutions to emerging problems. This has included the new arrangements for Trusted Third Parties that provide cryptographic services
- promote the development of appropriate international standards and a regulatory framework that encourages the uptake of electronic commerce
- Home Office
Responsible for ensuring that the UK's Critical National Infrastructure is protected, as well as policing for hi-tech crime.
Building a safe, just and tolerant society is our main purpose.
We aim to make a difference in the real world, helping build a society in which people are safer from crime and there is equality and fairness for all. Our aims are that:
- People are and feel more secure in their homes and daily lives.
- More offenders are caught, punished and stop offending and victims are better supported.
- Fewer people's lives are ruined by drugs and alcohol.
- Migration is managed to benefit the UK, while preventing abuse of the immigration laws and of the asylum system.
- Citizens, communities and the voluntary sector are more fully engaged in tackling social problems and there is more equality of opportunity and respect for people of all races and religions.
- CESG (Communications-Electronics Security Group) CESG is the national technical authority for information assurance and responsible for enabling secure and trusted knowledge sharing to help our customers achieve their business aims. CESG is part of GCHQ (Government Communications Headquarters): GCHQ is an intelligence and security organisation. As a Civil Service Department, we report to the Foreign Secretary and work closely with the UK's other intelligence agencies (commonly known as MI5 and MI6). Our primary customers are the Ministry of Defence, the Foreign and Commonwealth Office and law enforcement authorities, but we also serve a wide range of other Government Departments.
- NISCC (National Infrastructure Security Co-ordination Centre) Government organisation responsible for minimising the risk of electronic attack to the UK's Critical National Infrastructure. In the UK, essential services and systems are known as the Critical National Infrastructure (CNI). The role of NISCC is to minimise the risk to the CNI from electronic attack; other parts of government work to protect the CNI from physical attack or natural disasters. NISCC was set up in 1999 and is an inter-departmental centre drawing on contributions from across government. Defence, Central Government Policy, Trade, the Intelligence Agencies and Law Enforcement all contribute expertise and effort.
Germany
- BMWi (Bundesministerium für Wirtschaft und Technologie)
- Technology policy
- Framework conditions
- Funding lines
- Technological and economic infrastructure
- International technology policy
- Information society
- Action programme
- Information economy
- Multimedia
- Media law
- E-Business
- Public sector information
- E-Government
- Security on the Internet
- Spam
- International matters
- Wissensbilanz - Made in Germany (intellectual capital reporting)
- BSI (Bundesamt für Sicherheit in der Informationstechnik) The Federal Office for Information Security (BSI) was founded on 1 January 1991 and belongs to the portfolio of the Federal Ministry of the Interior. The BSI is an independent and neutral body for IT security questions in the information society. As a public authority it is thus unique compared with other European institutions. Currently over 400 computer scientists, physicists, mathematicians and other staff are employed there. The BSI has its headquarters in Bonn. The work of the BSI is organised in four departments: Administration; Security in applications, critical infrastructures and the Internet; Cryptography, crypto-technology and scientific foundations; Emanation security, certification, approval, accreditation.
France
- DCSSI (Direction Centrale de la Sécurité des Systèmes d'Information)
The Central Directorate for Information Systems Security assists the services of the State and ensures the coherence of the legal framework for their action. To this end:
- It organises interministerial work and prepares the measures that the Secretary General for National Defence proposes to the Prime Minister;
- It evaluates the protection arrangements of the State's services, analyses needs and proposes solutions to meet them; it takes part in steering studies and product development; it gives an assessment of the products submitted to it;
- It produces and distributes the encryption keys of national satellites, or of satellites built in cooperation with other States, and the electronic signature keys for which it is responsible;
- It runs a service for monitoring, alerting and responding to intrusions into the State's information systems;
- It takes part in international negotiations.
The structure inside the SGDN:
The organisation:
- CERTA (CERT Administration)
The CERTA is part of the Central directorate for Information Systems Security (DCSSI). Area of responsibility:
- keeping up with technological innovations (SW and HW vulnerabilities);
- solving computer incidents within the French government information system;
- creating and maintaining a trust network within the French government services composed of all ministries and independent administrative organisations.
Belgium
- IBZ (SPF Intérieur Binnenlandse Zaken - FPS Home Affairs) General CIP planning and preparedness.
- FedICT (SPF Technologie de l'Information et de la Communication - FPS Information and Communication Technology) Through close collaboration, Fedict encourages the federal public services to continuously improve their services and policy by transforming internal and external relations with the help of ICT, in particular the Internet and new means of communication. Fedict also plays a coordinating role from and towards other authorities, so that the communication and services of all authorities with their clients become faster, more transparent, more user-friendly, more efficient and more effective.
- IBPT (Institut Belge des services Postaux et des Télécommunications - Belgian Institute for postal services and telecommunications) In May 2000, an information system on computer viruses was set up at the initiative of the Minister for Telecommunications, following the damage caused in Belgium by the infamous "I Love You" virus. This E-Security Platform is administered by the Institute and consists, in addition to the permanently reachable "Point of Contact", of a team of about thirty specialists in network monitoring and the analysis of computer alerts.
The Netherlands
- MINEZ (Ministerie van Economische Zaken - Ministry of Economic Affairs)
Development of the electronic communications market and information society including network and information security.
- Directorate-General for Telecommunications and Post:
Promotes the smart use of communication networks, creates incentives for new developments, ensures stability, and formulates the ground rules for consumers and market parties. Its objective is: a dynamic and innovative market, a good contribution to sustainable economic growth, and the safe and reliable use of telecommunications and ICT. The Directorate General Telecommunications and Post policy objectives:
- Consumers in position and ground rules for the market: for example Consumer policy, revised Telecommunications Act, Vision for Post, and the Frequency policy.
- Continuity, security, reliability, quality: for example National Telecommunication Continuity Plan, Internet Vulnerability Programme, Alerting Service, Surf op Safe (Safe Surfing), Anti-Terrorism Action Plan, and the Tapping policy.
- Competitiveness and modernisation: for example Broadband Action Programme, Digitalisation of the ether, ICT, and Administrative Costs (ICTAL).
- Coordination, interrelationship, and application: for example coordination of national government ICT policy, ICT in public sectors, and implementation of the e-Europe action plan.
- Directorate General Telecommunications and Post works closely together with the OPTA (Independent Post and Telecommunication Authority), Radiocommunications Agency Netherlands, and the NMa (Netherlands Competition Authority).
- MINBZK (Ministerie van Binnenlandse Zaken en Koninkrijksrelaties - Ministry of the Interior and Kingdom Relations) Steering and development of eGovernment including Government Information Security.
- GOVCERT.NL
GOVCERT.NL is the Computer Emergency Response Team for the Dutch Government. We support the government in preventing and dealing with ICT-related security incidents. Our main tasks:
- act as the central emergency point dealing with ICT-related security incidents, such as computer viruses, hacking and vulnerabilities in applications and hardware,
- provide the right information to appropriate parties, at the right moment,
- assist government officials in preventing security incidents and, if necessary, responding appropriately.
Luxembourg
- MINECO (Ministère de l'Économie et du Commerce extérieur)
- Direction des Communications
- Electronic commerce (legislation, promotion)
- Electronic signature (PKI, LUXTRUST)
- IT security (CASES)
- Entreprise des P&T (EPT)
- Internet / Intranet site matters
- Internal and external communication
- CASES (Cyberworld Awareness and Security Enhancement Structure) CASES Luxembourg is a project of the Ministère de l'Économie et du Commerce extérieur aimed at raising your awareness of information security risks. It operates through an Internet portal, training courses and an anonymous alert structure, with an emphasis on making the issues easy to understand for citizens and SMEs. CASES is also an integral part of a European structure for exchanges on this topic.
- HCPN (Haut Commissariat à la Protection Nationale)
The HCPN's field of action is both national and international.
- At national level, the HCPN's main mission is to coordinate, on the one hand, the responsibilities of all ministries, administrations and services in the civil and military management of internal crises and, on the other hand, the protective measures against the effects of any threat, armed or not, that would impair the normal functioning of the country and the security of the population. This mission falls to it in peacetime as well as in times of crisis and war, whether the threat is conventional or nuclear, biological and chemical.
- At international level, the HCPN acts as the national representation in the fora of the European Union, NATO and any other international organisation dealing with the management of internal crises. The Ministerial Council for National Protection is the political decision-making body, bringing together the members of the Government Council. Apart from this political decision-making body, the National Protection structure, placed under the authority of the Prime Minister, Minister of State, shall comprise:
- The Higher Council for National Protection, as planning and coordination body, comprising a delegate of each minister as well as the directors and heads of the administrations and services directly concerned with crisis management, chaired by the High Commissioner for National Protection;
- The High Commissariat for National Protection;
- The National Committees, as consultation, planning and coordination bodies, interministerial and civil-military where necessary, in which the specific planning of the different fields of national protection takes place. Two National Committees already exist: the National Telecommunications Committee and the National Civil Aviation Security Committee. Two committees are pending reactivation or creation: the National Transport Committee and the National Committee on Critical Infrastructure.
European Commission
"Making the EU the most competitive and dynamic knowledge-based economy in the world".
- DG Information Society
- eEurope 2002, 2005 (the Lisbon strategy)
- Security Policies:
- Network and Information Security: a range of activities at European and Member State level will focus on improving the robustness of networks and information systems against both accidents and criminal attacks;
- Secure Communications for eGovernment: the Commission and Member States are working together to develop a secure trans-European communications network through which they can share classified information, the IDA project.
- Implementing Security in Europe:
- ENISA
- Safer Internet
- FP6, FP7
- Network and Information Security Focus Group (standardisation)
- eTEN (electronic Trans-European Networks)
- Electronic Signatures
- Handbook of Legislative Procedures of Computer and Network Misuse in EU Countries
- Risk Preparedness in Business in the field of Network and Information Security
- Information Technology Risk Preparedness Study
- i2010 (A European Information Society for growth and employment)
The 3 "i"'s:
- completion of a Single European Information Space which promotes an open and competitive internal market for information society and media;
- strengthening Innovation and Investment in ICT research to promote growth and more and better jobs;
- achieving an Inclusive European Information Society that promotes growth and jobs in a manner that is consistent with sustainable development and that prioritises better public services and quality of life.
Making the internet safer from fraudsters, harmful content and technology failures to increase trust amongst investors and consumers. Trustworthy, secure and reliable ICT are crucial for a wide take-up of converging digital services. During 2006 the Commission will propose a Strategy for a Secure Information Society to combine and update the instruments available, including raising awareness of the need for self-protection, vigilance and monitoring of threats, and rapid and effective response to attacks and system failures. Support will be given to targeted research to 'design-in' security and to deployment measures that test solutions for key issues such as identity management. Revision of regulation will be considered where necessary, for example in protection of privacy, electronic signature or discouraging illegal and harmful content.
Deployment and adoption of ICT: research alone is not enough. The benefits of ICT come from embedding them into products and services and the adoption of new business models, organisational change and skills. Businesses are getting productivity gains from ICT but still face a lack of interoperability, reliability and security, difficulties in reorganising and integrating ICT into the workplace, and high cost of support. SMEs in particular have difficulties in adopting ICT.
- Safer Internet The Safer Internet plus programme aims to promote safer use of the Internet and new online technologies, particularly for children, and to fight against illegal content and content unwanted by the end-user, as part of a coherent approach by the European Union.
- Modinis (financial programme) Action 4 - Improvement of network and information security: preparation for the establishment of the European Network and Information Security Network by the financing surveys, studies, workshops on subjects such as security mechanisms and their interoperability, network reliability and protection, advanced cryptography, privacy and security in wireless communications.
- DG Justice and Home Affairs
- Cybercrime: Framework Decision on attacks against information systems (a pillar 3 item)
- Data protection, Art. 4: The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security.
- DG Enterprise and Industry
- Electronic signatures
- Smart cards
- FP6
- Strengthening identification & authentication (9 projects EUR 38.7 M) biometrics, multiple digital identities, privacy enhancement
- Minimizing disruption (3 projects EUR 7 M) attack tolerance, interdependencies modelling, resilience architecture
- Preventing & fighting attacks on the Internet (EUR 28.8 M) intrusion tolerance, quantum cryptography, dynamic security, advanced encryption, tamper-proof smart cards. FP7 to come.
European Parliament
- Galileo Galileo is an attempt by the EU to create its own civilian satellite navigation system that will be entirely independent of existing American technology. At present the world has two such satellite navigation systems, the American (GPS) and the Russian (GLONASS) system. Both were developed by the military although only the American system has successfully been applied to civilian usage.
- CIP (Competitiveness, Innovation and SME-Policy)
ICT Policy Support Programme:
- Creation of a European Information Area and strengthening of the common market for ICT-related products
- Supporting innovation by funding ICT solutions
- Creation of an ICT society for all citizens and bridging the digital divide
- ...
3. Security and industry
The industry, or more globally the private sector, has a more pragmatic, but also more technology-based approach to security, focusing on threats.
Companies
A whole security sector emerged with the rising Internet threats; some examples of companies:
- Symantec
- McAfee
- Cybertrust
- RSA Security (annual RSA Conference in the US, Asia and Europe)
- Lexsi (Laboratoire d'EXpertise en Sécurité Informatique)
- Secunia (hosts and sponsors the full-disclosure list)
- ...
Institutes
- Training/conference institutes:
- SANS (SysAdmin, Audit, Network, Security) Institute SANS is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - Internet Storm Center. The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals, auditors, system administrators, network administrators, chief information security officers, and CIOs who share the lessons they are learning and jointly find solutions to the challenges they face. At the heart of SANS are the many security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community.
- ISSA (Information Systems Security Association)
The Information Systems Security Association is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members.
Activities:
- Organize international conferences, local chapter meetings and seminars that offer educational programs, training and valuable networking opportunities.
- Provide access to information through the ISSA website as well as an online newsletter and monthly journal.
- Offer support for professional certification and development opportunities for security practitioners.
- Create opportunities for members to join committees and boards, which provide significant leadership for the security industry.
- Facilitate discussion and feedback on key issues, such as the National Strategy to Secure Cyberspace, in order to create a unified voice for security professionals around the world that can influence public opinion, government regulations, the media and other important audiences.
- CSI (Computer Security Institute) Computer Security Institute (CSI) is the world's leading membership organization specifically dedicated to serving and training the information, computer and network security professional. Since 1974, CSI has been providing education and aggressively advocating the critical importance of protecting information assets. CSI also publishes the annual CSI/FBI Computer Crime and Security Survey, Frontline end-user awareness newsletter, and Topline security brief for executives.
- ...
- as well as other very interesting initiatives focused more on research, mostly not-for-profit based:
- CERT-CC (Computer Emergency Response Team - Coordination Center)
- CVE (Common Vulnerabilities and Exposures) A list of standardized names for vulnerabilities and other information security exposures - CVE aims to standardize the names for all publicly known vulnerabilities and security exposures.
- MITRE The MITRE Corporation is a not-for-profit organization chartered to work in the public interest. As a national resource, we apply our expertise in systems engineering, information technology, operational concepts, and enterprise modernization to address our sponsors' critical needs.
- OSVDB (Open Source Vulnerability DataBase) OSVDB is an independent and open source database created by and for the community. Our goal is to provide accurate, detailed, current, and unbiased technical information.
- SecurityFocus (bugtraq)
- ...
Associations
Due to the ever-increasing number and variety of threats, some theme-specific associations are emerging:
- APWG (Anti-Phishing Working Group) The Anti-Phishing Working Group (APWG) is the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types.
- ASC (Anti-Spyware Coalition) The ASC is a group dedicated to building a consensus about definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies. Composed of anti-spyware software companies, academics, and consumer groups, the ASC seeks to bring together a diverse array of perspectives on the problem of controlling spyware and other potentially unwanted technologies.
- CAUCE (Coalition Against Unsolicited Commercial Email) CAUCE, The Coalition Against Unsolicited Commercial Email is an ad hoc, all volunteer organization, created by Netizens to advocate for a legislative solution to the problem of UCE (a/k/a "spam"). UCE is the leading complaint of Internet users. But junk e-mail is more than just annoying, it costs Internet users and Internet-based businesses billions per year. Junk e-mail is "postage due" marketing; it's like a telemarketer calling you collect. The economics of junk e-mail encourages massive abuse and because junk e-mailers can get into the business very cheaply, the volume of junk e-mail is increasing every day. Other CAUCE orgs: EuroCAUCE, CAUBE.AU, CAUCEIndia, ...
- ...
Clubs
Last but not least, several security clubs exist in Europe:
- CLUSIF (France) Mostly known for its yearly "Panorama de la Cybercriminalité".
- CLUSIB (Belgium) Did a very nice survey on IT security in Belgian enterprises.
- CLUSIT (Italy)
- CLUSIS (Switzerland)
- CLUSSIL (Luxembourg) Best known for its yearly thematic conference "Journée CLUSSIL" (next year revisiting PKI).
- ...
Fade to grey
"50% of the world's economy comes from underground markets." Anonymous
In the information security sector it isn't different. There are black hats, mafia and terrorists out there whose sole aim is to create chaos and terror. Giving examples of such obscure associations would be difficult AND dangerous, so here are some intermediate examples from the grey zone:
- packetstorm (resource of up-to-date and historical security tools, exploits, and advisories)
- @stake (l0phtcrack guys, was acquired by Symantec)
- CCC (Chaos Computer Club)
- 2600 (The Hacker Quarterly) (also in Europe: 2600-Paris)
- astalavista (underground search platform)
- shmoo group (airsnort guys)
- Hack-Tic (former Dutch magazine)
- cDc (Cult of the Dead Cow, backorifice guys)
- ...
4. Security and privacy
We had governments, we had the industry, but what about the users? Well, most of the time they suffer more than they really profit from all this security-related stuff. Users need the privacy/protection side of security, not the surveillance/control one. Some example approaches:
- EFF (Electronic Frontier Foundation) EFF is a nonprofit group of passionate people — lawyers, technologists, volunteers, and visionaries — working to protect your digital rights.
- Statewatch Monitoring the state and civil liberties in the European Union.
- EPIC (Electronic Privacy Information Center) EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.
- Privacy International
For more than two decades, governments and companies have used technologies to collect, process and disseminate a vast spectrum of personal information. Since the late 1980s, when computer and telecommunications systems began to converge, this process has accelerated. The result is that personal privacy is endangered as never before.
In 1990, in response to a growing number of privacy threats, more than a hundred leading privacy experts and Human Rights organizations from forty countries linked arms to form a world organization for the protection of privacy. Members of the new body, including computer professionals, academics, lawyers, journalists, jurists and human rights activists, had a common interest in promoting an international understanding of the importance of privacy and data protection. Meetings of the group, which took the name Privacy International, were held throughout that year in North America, Europe, Asia and the South Pacific, and members agreed to work toward the establishment of effective privacy protection throughout the world.
The formation of Privacy International is the first successful attempt to establish a structured world focus on this crucial area of human rights.
Privacy International is an independent, non-government organization with the primary role of advocacy and support. We have an international advisory board with members from over 30 countries, and a board of trustees who oversee our staff.
- Big Brother Awards Each year, the national members and affiliated organizations of Privacy International present the "Big Brother" awards to the government and private sector organisations which have done the most to threaten personal privacy in their countries. Since 1998, over forty ceremonies have been held in sixteen countries and have given out hundreds of awards to some of the most powerful government agencies, individuals and corporations in those countries.
- CNIL (Commission nationale de l'informatique et des libertés)
Given the dangers that information technology can pose to civil liberties, the CNIL's core mission is to protect privacy and individual or public liberties. It is responsible for ensuring compliance with the "Informatique et Libertés" law, which entrusts it with 5 main missions:
  - Inform: The CNIL informs people of their rights and obligations, and proposes to the government the legislative or regulatory measures needed to adapt the protection of liberties and privacy to technological developments. The CNIL's opinion must moreover be sought before any bill creating automated processing of personal data is submitted to Parliament.
  - Guarantee the right of access: The CNIL ensures that the procedures for exercising the right of access to data held in processing operations do not hinder the free exercise of that right. On behalf of citizens who so request, it exercises access to files concerning State security, defence and public safety, in particular those of the Renseignements généraux.
  - Register files: "At-risk" data processing operations are subject to authorisation by the CNIL. It gives an opinion on public-sector processing that uses the national personal identification number. It receives declarations for all other processing operations. Failure by those responsible for files to comply with these formalities is punishable by administrative or criminal sanctions. The CNIL makes the "fichier des fichiers" (register of registers) available to the public, i.e. the list of declared processing operations and their main characteristics.
  - Control: The CNIL verifies that the law is respected by auditing computer applications. The Commission uses its powers of verification and investigation to handle complaints, to gain better knowledge of certain files, to better assess the consequences of the use of IT in certain sectors, and to follow up on its deliberations. The CNIL also oversees the security of information systems by ensuring that all precautions are taken to prevent data from being altered or disclosed to unauthorised persons. The CNIL can impose various graduated sanctions: warning, formal notice, financial penalties of up to 300 000 EUR, and an order to cease processing. Finally, the President may apply to the competent court for an interim order imposing any necessary security measure. He may, on behalf of the Commission, report violations of the law to the Public Prosecutor.
  - Regulate: The CNIL establishes simplified standards so that the most common processing operations, and those least dangerous to liberties, are subject to lighter formalities. It may also decide to exempt risk-free categories of processing from any declaration.
- CNPD (Commission nationale pour la protection des données): The Commission nationale pour la protection des données (CNPD) is an independent authority established by the law of 2 August 2002 on the protection of individuals with regard to the processing of personal data. It is responsible for monitoring and verifying the lawfulness of personal data processing and must ensure respect for the fundamental rights and freedoms of individuals in matters of data protection.
5. Towards a security culture
OECD Guidelines for the Security of Information Systems and Networks:
"TOWARDS A CULTURE OF SECURITY"
The nine principles:
- Awareness: Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.
- Responsibility: All participants are responsible for the security of information systems and networks.
- Response: Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.
- Ethics: Participants should respect the legitimate interests of others.
- Democracy: The security of information systems and networks should be compatible with essential values of a democratic society.
- Risk assessment: Participants should conduct risk assessments.
- Security design and implementation: Participants should incorporate security as an essential element of information systems and networks.
- Security management: Participants should adopt a comprehensive approach to security management.
- Reassessment: Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.
ENISA
European Network and Information Security Agency
The European Network and Information Security Agency, Enisa, is a new agency of the European Union which formally came into being on 14 March 2004, following the adoption of Regulation (EC) No 460/2004 of the European Parliament and of the Council on 10 March 2004.
The Agency's work is essential to achieve a high and effective level of network and information security within the Community. It will also seek to develop a culture of network and information security for the benefit of citizens, consumers, business and public sector organisations in the European Union. This will also contribute to the smooth functioning of the Internal Market.
As its in-house expertise grows, Enisa shall help the Commission, the Member States and, consequently, the business community to address, respond and especially to prevent network and information security problems.
The Agency shall also assist the Commission in the technical preparatory work for updating and developing Community legislation in the field of network and information security.
Tasks:
- Advising and assisting the Commission and the Member States on information security and in their dialogue with industry to address security-related problems in hardware and software products.
- Collecting and analysing data on security incidents in Europe and emerging risks.
- Promoting risk assessment and risk management methods to enhance our capability to deal with information security threats.
- Awareness-raising and co-operation between different actors in the information security field, notably by developing public / private partnerships with industry in this field.
Structure
Internal organisation
Deliverables/Activities
- "who's who" directory
- ad-hoc working groups
- risk management
- awareness raising
- CERT/CSIRT cooperation
- best practice guidelines for
  - awareness raising
  - risk management
  - security policy
  - CERT/CSIRT
- standardisation
- ENISA Quarterly (go and subscribe)
6. A global approach
Based on 4 pillars:
Prevention / Awareness raising
- Actions:
  - raise awareness and educate
  - create a security culture
  - make users responsible
  - certification vs. regulation
- Strategic interest:
  - become proactive (best defense)
  - preventive competences
  - international constraints (cybercrime convention, eEurope, i2010, ...)
  - create trust
Intervention
- Actions:
  - respond to incidents
  - assist attacked victims
  - plan reactions
  - reassess processes
- Strategic interest:
  - technological independence
  - curative competences
  - international constraints (cybercrime convention, eEurope, i2010, ...)
  - confidentiality of attacks
Investigation
- Actions:
  - fight against cybercrime
  - perform investigations
- Strategic interest:
  - sovereignty
  - repressive competences
  - international constraints (cybercrime convention, eEurope, i2010, ...)
Legislation / Normalisation
- Actions:
  - participate actively in national and international organisations
- Strategic interest:
  - defend national interests
  - stay proactive
  - international constraints (cybercrime convention, eEurope, i2010, ...)
  - create an attractive legal framework
Lecture planning
| Nb | Date | Subject |
|---|---|---|
| 1 | 01/12/2005 | Intro & concept |
| 2 | 08/12/2005 | p1: Prevention / Awareness Raising |
| 3 | 15/12/2005 | p1: Secure Coding |
| 4 | 02/02/2006 | p2: Intervention / attacks |
| 5 | 09/02/2006 | p2: CERT |
| 6 | 16/02/2006 | p2: Pentest |
| 7 | 23/02/2006 | p3: Investigation / forensics |
| 8 | 09/03/2006 | p4: Legislation / Normalisation |
| 9 | 16/03/2006 | exam |