
S.ICZ

S.ICZ. The enforcement of NATO INFOSEC requirements into the policy and architecture of CISs. Frantisek Vosejpka, frantisek.vosejpka@i.cz. CATE 2003, Brno, 28.-30. April 2003. 1. The objectives.


Presentation Transcript


  1. S.ICZ The enforcement of NATO INFOSEC requirements into the policy and architecture of CISs Frantisek Vosejpka frantisek.vosejpka@i.cz CATE 2003 Brno, 28.-30. April 2003

  2. 1. The objectives
  • To sum up the breaches that have caused some Czech government CISs to fall short of the required functionality and fail their certification process.
  • General INFOSEC requirements of:
  - Czech Act No 148/1998, and
  - the revised NATO Security Policy.
  • A possible „Target CIS INFOSEC architecture“ and migration steps.

  3. 2. The limitations of this presentation
  • The content of this article is unclassified and limited by the quite weak access of a civil firm (even one with an industrial security clearance) to the whole suite of NATO Security Policy documents.

  4. 3. NATO INFOSEC Policy within the national conditions
  • sets out the policy and minimum standards for the protection of NATO classified information, supporting system services, and resources;
  • addresses:
  - the activities in the system life cycle,
  - security principles,
  - INFOSEC responsibilities, and
  - system interconnection requirements.

  5. continuation
  • NATO INFOSEC policy is:
  - mandatory whenever a NATO CIS or one of its nodes is deployed within national conditions,
  - recommended and very useful in many other cases within national CISs.
  • NATO INFOSEC policy and the documents on INFOSEC Architecture contribute to compatibility and interoperability.

  6. continuation
  • NATO INFOSEC policy is applicable to the MoD, MFA and other organizations whose CISs should be connected to a CIS of the European Union.
  • The Security Arrangements:
  - All NATO classified information that is released to the WEU is for official use only. It will be disseminated to individuals in the WEU on a Need-To-Know basis;
  - WEU security regulations are based on NATO regulations;
  - NATO Unclassified information is only for official use and should be appropriately protected.

  7. 4. Current state of CISs within the CZ gov. organizations
  • Some government organizations currently have a large deployed base of problem-oriented CISs that are:
  - designed to different standards and not interoperable,
  - each protecting information at its own specific classification level,
  - using different confidentiality algorithms.
  • The need to develop an integrated CIS of the entire organization has arisen.

  8. 5. Problems of integration
  Diversity of CISs leads to difficulty in systems integration:
  • Broad diversity of technology;
  • Multiplicity of databases, mail and other common services;
  • High project investment needs and their low efficiency;
  • High operation and maintenance requirements, lack of IT specialists;
  • High requirements on communication infrastructure;

  9. continuation
  … difficulty in systems integration:
  • Failure to meet user requirements on operability and information availability from a single workstation;
  • Failure to meet the security requirements necessary for the issue of an “Approval to Operate” with classified information (the certificate);
  • Inability to fulfil security requirements simultaneously in all sites leads to operation limited to unclassified information;
  • An “Approval to Operate” limited to one or several sites also causes failure to meet operational requirements.

  10. The user access fails from one computer

  11. 6. Way to integrate …
  • The analysis and design of the INFOSEC Architecture of the Target CIS:
  - Core Services;
  - Functional Applications.
  • Projection of a Migration Plan:
  - Definition of the Community Security Requirement Statement (CSRS);
  - Migration of CISs into the common network of the future “Target CIS“;
  - Smooth migration of IT to common standards.

  12. The CISs integrated within the frame of CSRS

  13. The IT integrated within the common standards

  14. 7. Policy, classification level, and security mode of operation
  • Requirements:
  - Operational requirements;
  - Classified information of different levels.
  • Limitations:
  - Commercial Off-The-Shelf (COTS) IT;
  - Security environment (physical, personnel);
  - Security mode of operation;
  - Need-to-know and other security principles.

  15. The CISs integrated within the frame of CSRS

  16. 9. Conclusions
  CZ CISs that handle classified information:
  • have to invoke the minimum security requirements of Czech Act No 148/1998;
  • should follow the NATO Security Policy Directives and NATO INFOSEC Architecture to implement the detailed:
  - security principles and minimum standards,
  - life cycle requirements,
  - risk evaluation and vulnerability reports,
  - risk management procedures,
  - security operational procedures,
  - etc.
