SECURITY STUDIES

IDA Security Studies
   

The Council Decision 2001/264/EC (Council's Security Regulations), applying to Member States and the Council, and the Commission Decision 2001/844/EC (Commission Provisions on Security), applying to the Commission, define a common set of rules on how to treat EU classified information. IDA Security Studies aim to ensure that the results of relevant research and analysis are shared to enhance security systems and procedures and that security is approached in a thorough and consistent manner across European networks.


Last update: 11/2004

What are Security Studies?

The execution of studies on security and risk analyses is an IDABC horizontal action that aims to ensure that measures and recommendations concerning information protection are harmonised between various networks and that results are reused as much as possible. The type of studies can vary from how to implement a particular technology, such as Public Key Infrastructure, to the identification of security needs for a given information exchange.

For instance, the subject of a possible study could be 'how a PKI can be implemented for a closed user group' or 'what modifications must be made to the organisation and the system if information classified at EU RESTRICTED level needs to be exchanged'.

Objectives

The primary objective of the studies is to provide recommendations, to build up a set of guidelines for sectoral networks on best security practices and to help establish guidelines on the security measures for the electronic processing and transmission of EU classified information, notably at the lowest level, EU RESTRICTED. It must be underlined that security is an integral part of any system, whether its purpose is to protect the sensitivity of the information or to guarantee the reliability of the system.

Through this action IDABC aims to promote a common methodology on how to assess and determine security requirements based on the IDABC Architecture Guidelines, the IDA Authentication Policy Document, the Commission Provision on Security and the Council's Security Regulations.

How do they work?

Like the PKI services, most actions are based on demands from sectoral networks. Studies for DG Competition and DG Fisheries, which both deal with systems aimed at exchanging EU classified or very sensitive information, have been finalised. The study for DG Competition aimed to determine how security should be implemented in a system to support the new antitrust regulation. DG Fisheries' study identified the measures to be taken in the FIDES network if data classified at EU RESTRICTED level should be exchanged. Concerning recommendations for systems treating EU classified information, it must be noted that any solution must be formally approved by an accreditation authority (as defined in the regulations mentioned above) and that IDABC can only give advice and co-ordinate the various activities among sectors.

In addition to the generic security studies, this project has also produced a security self-assessment instrument for use by the new Projects of Common Interest (PCIs): the PCI Security Questionnaire. Developed with inputs from existing tools within the national administrations, this self-assessment security questionnaire allows the sectoral project managers of the PCIs to establish minimal security controls for their system or application. The Questionnaire is divided into 10 topics corresponding to the major Information Security Disciplines as defined by the ISO 17799 standards. Each applicable topic will guide the Sectoral Project Manager towards a set of controls that might be relevant to safeguard the assets being considered against common threats. The answers will be reported in the "PCI Security Questionnaire Report" using the template provided in Annex A of the Questionnaire, which also proposes a commitment target date for the application of the identified security controls.

Although the PCI Security Questionnaire is primarily addressed to the sectoral (PCIs) project managers, it can be used by any IT project manager developing a pan-European eGovernment application or project to establish a first assessment of the security requirements for their application or project.

Achievements

  • PKI feasibility and user requirement studies have been carried out for DG Regional Policy, the Secretariat General of the European Commission (Greffe 2000), European Council working groups, EMEA (European Agency for the Evaluation of Medicinal Products), the Eurodac network of DG Justice and Home Affairs, DG Competition and DG Fisheries.
  • A specific study on the risk analysis of the TESTA Local Domain Connection Point was also carried out in 2003, and a risk analysis of the EudraVigilance network of EMEA was performed.
  • The PCI Security Questionnaire was completed and has been made available to the sectoral (PCIs) project managers and any other interested IT project managers.

Who benefits?

All IDABC projects needing security recommendations in any Community policy area.

The role of IDABC

IDABC develops guidelines on security measures on the basis of the experience accumulated from different IDABC projects.

Technical information

Project status

Ongoing

IDA budget

1999 € 174,000
2000 € 0
2001 € 128,000
2002 € 0
2003 € 30,000
2004 € 460,000

Responsible service

DG Enterprise and Industry - IDABC Unit

Project coordinator

Gzim Ocakoglu

Contact

idabc@ec.europa.eu

Countries involved

All EU Member States

Documentation on Security Studies
