The world of information security standards is always changing. While telecommunication organizations are reviewing the publication of the ISO/IEC 27011 Information Technology - Information security management guidelines for telecommunications organizations (published May 2009), the European Parliament is discussing the inclusion of further legal requirements to safeguard the security and privacy of European citizens as part of the review of Directive 2002/58/EC. This Directive covers legal, technical, and organizational measures that need to be in place for the security and privacy of the services provided by EU electronic communication providers.
So, what are the primary objectives of the additional regulations being proposed? Overall, the review of Directive 2002/58 aims to establish a higher level of network security and privacy for European citizens by enhancing information security rules and promoting more transparency about the way personal data is handled. Some of the changes being discussed by the legislators propose mandating electronic communications service providers to define and implement security measures for access control (for example, electronic authentication) and for authorization to access personal data. At the same time, service providers would have to implement technical measures such as encryption, data loss prevention, etc., to protect personal data during any type of processing. The proposals before the European Parliament also explicitly provide for a “security policy for personal data.”
Other requirements include the implementation of technical and organizational measures to protect service provider networks and services from accidental, unlawful, or unauthorized usage. Furthermore, special emphasis has been applied to the process of identification and assessment of vulnerabilities, which needs to be a continual process. In fact, the legislator has requested that the service providers define and implement a formal process for managing the vulnerability life cycle. The same approach will be required for security breaches, but in the case of security breaches, the regulation defines specific communication flows and rules that must be adhered to by the service providers and the national regulatory authority.
This is all very good security news—improved measures, controls, best practices—lots of process improvements that could raise the level of security awareness and control. Of course, regulations are put in place for a reason and must be respected. Once the changes to Directive 2002/58 have been agreed and implemented into European law (expected by the end of 2010), legislators will also be looking to national regulatory authorities in each European Member State to:
• Audit these measures
• Issue recommendations about best practices
• Issue recommendations about performance indicators (concerning the level of security)
Naturally, I have had a few thoughts on what is being proposed and currently discussed regarding these new regulations. As you can see from the table below, the contents of this directive are clearly in line with international standards such as ISO/IEC 27001 Information technology -- Security techniques -- Information security management systems -- Requirements. Some of the more relevant elements defined in the standard are listed below:
As far as I’m concerned, what is being suggested in the changes to Directive 2002/58 doesn’t reinvent the wheel, but it does represent a change. So, what is going to change? The increased focus on security represents a critical success factor, but what is actually changing is the approach. It will no longer be a case of simply suggesting that a service provider implements particular measures; rather, it will be a lawful requirement to implement certain processes.
While the proposed changes to Directive 2002/58 have the legislator defining what an electronic communication service provider has to implement, they do not go as far as stating exactly how to implement it. This principle-based approach is similar to the one taken in the development of industry standards such as ISO/IEC 27001, where there is no mandated common method of implementing security controls. Some of the proposals under discussion include the creation of an implementation mechanism involving the European Commission and consultation with different stakeholders such as industry, the European Data Protection Supervisor and ENISA. I guess we will have to wait and see what the final law looks like and what the implementation mechanism will be.