
EMTOC Security Tasks

EMTOC instruction to cover the security aspects of the submission of confidential tobacco product information to governmental authorities. Federal Office of Consumer Protection and Food Safety (BVL), Andreas Butschke.


Presentation Transcript


  1. EMTOC instruction to cover the security aspects of the submission of confidential tobacco product information to governmental authorities
     Federal Office of Consumer Protection and Food Safety (BVL)
     Andreas Butschke

  2. EMTOC Security Tasks
     Diagram: Companies, Internet, Web portal and database (Austria), Internet, Competent authorities or European Commission
     • INSTRUCTION for secure data transmission from sender (industry) to receiver (competent authority)
     • REQUIREMENTS for secure handling and storage of data
     • Detailed description of proper use to prevent security leaks
     Diagram labels: Companies, EMTOC, Authorities

  3. EMTOC Documents
     1. Manual for EMTOC web portal
        • Information about system requirements
        • Information on how to use the web portal for uploads and downloads
        • Public for all EMTOC users
     2. Manual for further software
        • Information about the use of tools like Excel2xml
        • Public for all EMTOC users
     3. EMTOC instructions (Annex I: User Agreement; Annex II: Requirements)
        • Description of the security-relevant workflow
        • Public for all EMTOC users
     4. System description
        • Description of the Austrian IT structure that is relevant for EMTOC
        • Description of the security measures in Austria
        • Not public due to security reasons

  4. Challenge: Find an Agreement
     • Each step of data processing and all technical specifications have to be defined exactly in detail
     • A contract has to be signed by all users and responsible persons
     • Internal processes and technical equipment are different in each Member State
     • The industry has to fulfill their obligations and the agencies are bound to confidentiality
     Diagram labels: Instructions, User Agreement, Requirements

  5. What's the purpose of the EMTOC instruction?
     • No contract!
     • Enhancement of security
     • Sensitisation of all users for security aspects
     • Defines the processes of EMTOC to be transparent and to set limits
     • It is necessary to follow the instruction
     • Information of the IT department of each agency about the EMTOC instruction is necessary

  6. EMTOC Instruction - HISTORY
     • SOP for German tobacco submission system
     • Adapted to the Austrian system
     • Adapted to EMTOC system (including enhanced security measures)
     • Translated to English
     • Information of all EMTOC partners
     • Notified to the Industry (1st draft)
     • Evaluation of the comments from the industry
     • Circulation of the 2nd draft to all project partners and the industry (renamed as Instruction)
     • Feedback of the industry concerning crucial items
     • Coming soon: Final version

  7. External Expert: BSI
     • The BVL was permanently in contact with the German governmental authority that is responsible for the safety in the field of IT: Federal Office for Information Security (BSI)
     • The BSI has given hints to improve the security of the system (hardware and operation process)
     • The BSI has checked the EMTOC instruction and found that the security level is well suited for the intended purpose - the overall security level depends now on the individual behaviour of the users

  8. Instruction: Purpose
     • Protect secret information on tobacco product formulation during the ingredient reporting process
     • Supplement to Regulators' indispensable existing provisions concerning data security

  9. Instruction: Scope and Terms
     • There will be an individual access to the system for each User with one defined role (industry, regulator, administrator)
     • Each User has to meet the requirements specified in this instruction
     • Main terms that are used with a special meaning are defined in the terms section

  10. Instruction: Principle
     • In this section the security aspects of critical steps have been described:
        - Granting of access
        - Data transmission process
        - Assessment of the need for protection
        - Security measures

  11. Instruction: Responsibilities
     • The responsibilities and rights of each role in the EMTOC system are described
     • The roles are defined in Annex III
     • The roles are: Trust Centre System Administrator all data of MS Reporting party Regulator Own data Regulator Public Database Regulator all data EC Database Administrator
     Diagram labels: Accounts, Catalogues

  12. Instruction: Process
     • The process section is a brief description of the main technical processes
     • It is not a manual, but the nomination of decision criteria in the complete process:
        - Procedure for exchange of sensitive information
        - Management of access information
        - Management of access via the online portal
        - Compromise incidents
        - Information from the regulator
        - Security incidents without compromisation

  13. Annex I: User Agreement
     • Acceptance by the individual user that he will prevent insecure data operations
     • Sensitization of the user and all responsible persons for the security risks
     • Giving suitable advice to enhance the security

  14. Annex II: Requirements on the management
     • These requirements define the minimum IT security standard that results from the confidentiality of the data
     • Harmonisation of the level of security in different agencies without determination of technical equipment

  15. Hackers stole data on Pentagon's newest fighter jet
     WASHINGTON (CNN) -- Thousands of confidential files on the U.S. military's most technologically advanced fighter aircraft have been compromised by unknown computer hackers over the past two years, according to senior defense officials. Internet intruders were able to gain access to data related to the design and electronics systems of the Joint Strike Fighter through computers of Pentagon contractors in charge of designing and building the aircraft, according to the officials, who did not want to be identified because of the sensitivity of the issue. In addition to files relating to the aircraft, hackers gained entry into the Air Force's air traffic control systems, according to the officials. Once they got in, the Internet hackers were able to see such information as the locations of U.S. military aircraft in flight. The plane uses stealth and other highly sensitive electronic equipment, but it does not appear that information on those systems was compromised, because it is stored on computers that are not connected to the Internet, according to the defense officials.
     April 21, 2009. Taken from: CNN.com

  16. Technical Consequences
     • Installation of TrueCrypt
     • Installation of the Card Reader (Driver)
     That's all that is needed for the use of the system, but:
     • An existing internal IT security concept in each organisation is mandatory. That means:
        - Documentation of IT structure
        - Identification of sensitive data and crucial processing steps
        - Implementation of safety and security measures in accordance with the required degree of confidentiality, integrity and availability (e.g. in acc. with ISO 27002)

  17. Consequences for working process
     • Always be aware of the potential security risks
     • Repeated verification that the work process is in accordance with the security requirements is required
     • Continuous improvement of security measures in cooperation with the own IT service is recommended
     • Exchange of experiences and sharing of questions between the responsible authorities of the Member States would be helpful

  18. Conclusion
     • The developed EMTOC system is well suited for the intended purpose
     • The security measures of the system itself are in general accepted by the industry
     • At the moment the crucial security aspect for the industry is the management of data after the download in each agency

  19. Thank you for your attention!
