Managing Information Security

Managing information security is not an easy task, and neither information security nor cybersecurity is something that can be "completed". Instead, it is a continuous process of monitoring threats and risks, identifying vulnerabilities and improving an information security management system (ISMS). Several ISO/IEC standards can serve as references for this process, and an organization can obtain certification against specific ones of them.

The most important standards for information security in general are the following:

  • ISO/IEC 27000:2018 Information technology — Security techniques — Information security management systems — Overview and vocabulary
  • ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
  • ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls
  • ISO/IEC 15408-1:2009 Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model (the "Common Criteria", which evaluate products rather than management systems)
  • The BSI-Standard 200-2 on IT-Grundschutz methodology (formerly known as IT baseline protection manual)[1]

Be aware that there are additional standards that focus on cybersecurity in specific domains such as IoT devices or vehicles.[2] ISO/IEC 27000 provides an overview and the vocabulary of information security; ISO/IEC 27001 states the requirements an ISMS must meet (and is the standard an organization is certified against), while ISO/IEC 27002 gives implementation guidance for the controls listed in Annex A of 27001. These guidelines can be adapted to research projects and should be used by project coordinators and by the employees responsible for managing information security in a research project.

Risk Management

ENISA provides SMEs with an online tool[3][4] for assessing information security risks in the processing of personal data. It can be adapted by researchers who handle personal data as part of their research projects. Risk management encompasses identifying, quantifying, mitigating and communicating risks. ENISA divides it into four phases:

  1. Risk assessment: The current level of risk is estimated by identifying threats and evaluating their likelihood and their potential impact on the organization.
  2. Risk treatment: Suitable security measures are taken to mitigate, transfer, avoid or retain the identified risks. Where possible, several measures should be combined.
  3. Risk acceptance: As not all risks can be completely avoided, management must decide how to deal with the residual risk.
  4. Risk communication: Risks need to be communicated to the relevant stakeholders.

Managing Information Security – A Walkthrough

In the following, an example approach to risk evaluation for the processing of personal data in a research project is presented, based on material provided by ENISA.[5] [6]

This approach is based on five steps that are outlined in this chapter:

  1. Definition of the processing operation and its context
  2. Understanding and evaluating the impact
  3. Definition of possible threats and evaluation of their likelihood
  4. Evaluation of risk
  5. Selection of appropriate security measures

1. Definition of the processing operation and its context

The person responsible for ensuring information security – who, under the GDPR, may also be the controller or processor for the personal data involved – needs to define the context of the data processing system. This includes the different stages of the data lifecycle (collection, storage, processing and disposal) as well as the entities and roles that are relevant to the processing.

The following questions need to be clearly answered by the controller or processor of the data:

  • What is the personal data processing operation?
  • What are the types of personal data processed?
  • What is the purpose of the processing?
  • What are the means used for the processing of personal data?
  • Where does the processing of personal data take place?
  • Which are the categories of data subjects?
  • Which are the recipients of the data?[7]

Example: An EU ICT research project is to be conducted. The project coordinator acts as controller and is responsible for ensuring information security as well as GDPR compliance. The coordinator determines that, to fulfil the project's objectives, personal data must be gathered from data subjects through questionnaires, surveys and interviews. In these processing operations, sensitive data such as health-related information (a special category of personal data under Art. 9 GDPR) is gathered to develop innovative solutions and insights. Additionally, sensitive company information is gathered from the consortium. Collection is non-automated (surveys, interviews), while transfer and evaluation of the data take place in automated form.

The data is to be processed solely by the project consortium and stored at dedicated cloud infrastructure provided by consortium members.

2. Understanding and evaluating the impact

Secondly, the potential impact of threats, vulnerabilities and security incidents needs to be assessed. To do so, a set of pre-defined parameters can be used to evaluate the impact on confidentiality, integrity and availability of the data.

Impact level | Explanation
Low | Minor inconveniences for individuals, data subjects or organizations, such as annoyances or additional time spent
Medium | Significant inconvenience for individuals, data subjects or organizations, such as additional costs, stress or denial of access to business services
High | Significant consequences, leading for instance to financial damage, worsening of health or loss of employment

To evaluate the impact level of a potential security incident, the type and amount of personal data, the criticality of the processing and special characteristics of the data subjects or organizations can be used as assessment parameters. The assessment must be carried out separately for each of the three security properties – unauthorized disclosure (confidentiality), unauthorized alteration (integrity) and loss, destruction or unavailability of the data (availability) – and for all activities and actions that are conducted in the research project.

Example: The coordinator assigns impact levels to the project's data processing operations. The processing of sensitive organizational data is rated medium, because disclosure of the data to third parties or its loss could disrupt the processes of consortium members (confidentiality and availability breach). The impact of a confidentiality breach of the data subjects' health data is rated high, because data subjects could lose their employment if the data were made public.

3. Definition of possible threats and evaluation of their likelihood

Thirdly, threats and their likelihood of occurrence need to be evaluated. A threat may be defined as an occurrence that could negatively affect an asset (here: data and information) through unauthorized access, destruction, disclosure or modification of data. As for the impact assessment, three likelihood levels are used: low (unlikely), medium and high.

Threats can be classified in many ways. To keep the classification simple, ENISA defines only four threat areas, each with example threats:

  • Network and technical resources (hardware and software): External attackers might attack the network, while internal security flaws, backdoors, bugs or communication errors between resources might constitute vulnerabilities.
  • Processes related to the data processing operation: Flawed processes and procedures can lead to threats such as the (un)intentional corruption, deletion or modification of data and access to the data by unauthorized internal or external entities.
  • Different parties and people involved in the processing operation: Arguably the greatest threat to information security is the human factor. This includes accidental and malicious mishandling of data by internal personnel as well as by external sub-contractors or recipients of the data.
  • Business sector and scale of the processing: The amount and value of the data might attract attackers seeking monetary profit by illegally obtaining it. Similarly, the effort needed to ensure cybersecurity grows with the amount of data and with the number of organizations, individuals and processes involved in handling it.

Example: The coordinator defines possible threats and their likelihood of occurrence for the data processing in the project.

  • Network and technical resources (hardware and software): The research project uses cloud services to process the data and to allow project members to access it. The servers are hosted by a project member. However, the coordinator cannot control which external individuals have access to these servers or whether they are shared with other organizations. The coordinator ensures that network components and software solutions hold the relevant ISO certifications and are obtained from trusted providers. The likelihood of hardware- and software-related threats is regarded as low, while the likelihood of unauthorized personnel gaining access to the software solutions and servers is regarded as medium.
  • Processes related to the data processing operation: The project coordinator emphasizes the importance of strict and clear processes and procedures for the data processing. The roles and responsibilities of project members are defined and communicated. This includes access control and access management: which employees of which project member may process the data. Processing operations are logged with timestamps to ensure accountability. The likelihood of data misuse is nonetheless regarded as high, because the coordinator cannot verify whether employees of other project members use their own devices for the processing, or whether devices are stored and used outside the premises of the respective project member.
  • Different parties and people involved in the processing operation: The research consortium has 15 members (universities and other organizations). A significant number of them have little experience with cybersecurity. Personal data is transferred between and processed by member organizations. Member organizations continuously introduce new employees to the project while others leave it. The likelihood of threats such as accidental misuse or mishandling of the data is therefore regarded as high.
  • Business sector and scale of the processing: Although the project does not primarily deal with commercially relevant data, attackers could be interested in gathering inside information on the organizations involved. As one project member has already been attacked in the past, the project could serve as an entry point for attackers in the future. This threat is therefore classified as having a medium likelihood of occurrence.

4. Evaluation of risks

Now that the likelihood of the threats and their impact have been determined, the risk level can be derived by combining the two in a risk matrix. Placing each threat in its cell of the matrix gives an immediate picture of which risks are the most and the least important.

Example: The following risk matrix shows example risks for a research project (rows: threat probability; columns: impact level):

Threat probability \ Impact level | Low | Medium | High
Low | Hardware-related threats | – | Natural disaster destroys the server holding company-specific data, with no backup
Medium | – | Project member gets hacked and project-related information is stolen | –
High | Non-employees get unauthorized access to non-sensitive data | – | Sensitive health data accidentally shared by project members

5. Selection of appropriate security measures

Once the risk matrix has been developed, security measures can be devised to counteract, mitigate or eliminate the identified risks. Start with the risks in the cells with the highest impact and/or the highest threat probability.

Security measures can be categorized into technical and organizational measures.[8] These measures are defined in ISO/IEC 27001 Annex A and ISO/IEC 27002 and are further clustered into sub-categories, as shown in the following table. Note that the Annex A numbering below follows the 2013 edition; the 2022 revision of ISO/IEC 27001 and 27002 regrouped the controls into four themes (organizational, people, physical, technological) with new numbering, so the references need to be mapped when working with the current edition.

Measure type | Category | Sub-category | Related ISO/IEC 27001:2013 Annex A control
Organizational | Security management | Security policy and procedures for the protection of personal data | A.5 Security policy
Organizational | Security management | Roles and responsibilities | A.6.1.1 Information security roles and responsibilities
Organizational | Security management | Access control policy | A.9.1.1 Access control policy
Organizational | Security management | Resource / asset management | A.8 Asset management
Organizational | Security management | Change management | A.12.1 Operational procedures and responsibilities
Organizational | Security management | Data processors | A.15 Supplier relationships
Organizational | Incident response and business continuity | Incident handling / personal data breaches | A.16 Information security incident management
Organizational | Incident response and business continuity | Business continuity | A.17 Information security aspects of business continuity management
Organizational | Human resources | Confidentiality of personnel | A.7 Human resource security
Organizational | Human resources | Training | A.7.2.2 Information security awareness, education and training
Technical | Access control and authentication | – | A.9 Access control
Technical | Logging and monitoring | – | A.12.4 Logging and monitoring
Technical | Security of data at rest | Server / database security | A.12 Operations security
Technical | Security of data at rest | Workstation security | A.14.1 Security requirements of information systems
Technical | Network / communication security | – | A.13 Communications security
Technical | Backups | – | A.12.3 Backup
Technical | Mobile / portable devices | – | A.6.2 Mobile devices and teleworking
Technical | Application lifecycle security | – | A.12.6 Technical vulnerability management & A.14.2 Security in development and support processes
Technical | Data deletion / disposal | – | A.8.3.2 Disposal of media & A.11.2.7 Secure disposal or re-use of equipment
Technical | Physical security | – | A.11 Physical and environmental security

For each category, ISO/IEC 27002 describes specific controls that an organization should implement. These controls are mapped to the risk level identified in the fourth step. ENISA offers a free online tool for this mapping that includes descriptions of the specific measures to be taken, depending on the identified risk level.

Figure 2. ENISA online tool for (self)assessing the implemented security measures.[9]

Example: The project coordinator concludes that undefined roles and responsibilities for the data processing in the project pose a medium risk. Consulting ISO 27001:2013 A.6.1.1 Information security roles and responsibilities, the project appoints a security officer. This security officer is responsible for defining, communicating and overseeing all roles and responsibilities in the project that relate to data processing. This includes, for instance, making sure that employees leaving the project have their access to the data revoked (the revocation itself is covered by A.9.2.6 Removal or adjustment of access rights).
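The five steps above can be kept as a small, reviewable risk register rather than a spreadsheet. The following is an added example (not ENISA's tool and not code from the original page) that places the five threats from the example matrix into the matrix, derives a risk level for each, orders them for treatment and attaches the Annex A references from the table above. The rule that combines impact and likelihood into a risk level is an assumption made here for illustration, not ENISA's published table, and the threats, levels and control references in the register are constructed from the page's own examples.

```python
"""Risk register and matrix for a research project's personal-data processing.

Added example, not part of ENISA's tool or the original page.  The table
that combines impact and likelihood into a risk level is an ASSUMPTION for
illustration; substitute the one your methodology prescribes.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Threat:
    area: str          # one of ENISA's four threat areas (step 3)
    description: str
    impact: Level      # from step 2
    likelihood: Level  # from step 3
    measures: tuple    # ISO/IEC 27001:2013 Annex A references to consult (step 5)


# Assumed combination rule (impact, likelihood) -> risk level: a high value on
# either axis raises the risk one level; high impact with at least medium
# likelihood, or high likelihood with medium impact, is HIGH.
_RISK_TABLE = {
    (Level.LOW, Level.LOW): Level.LOW,
    (Level.LOW, Level.MEDIUM): Level.LOW,
    (Level.LOW, Level.HIGH): Level.MEDIUM,
    (Level.MEDIUM, Level.LOW): Level.LOW,
    (Level.MEDIUM, Level.MEDIUM): Level.MEDIUM,
    (Level.MEDIUM, Level.HIGH): Level.HIGH,
    (Level.HIGH, Level.LOW): Level.MEDIUM,
    (Level.HIGH, Level.MEDIUM): Level.HIGH,
    (Level.HIGH, Level.HIGH): Level.HIGH,
}


def risk_level(impact: Level, likelihood: Level) -> Level:
    """Step 4: combine the impact (step 2) and likelihood (step 3) ratings."""
    return _RISK_TABLE[(impact, likelihood)]


# Constructed register: the five threats in the page's example matrix.
REGISTER = [
    Threat("Network and technical resources", "Hardware-related threats",
           Level.LOW, Level.LOW, ("A.12 Operations security",)),
    Threat("Network and technical resources",
           "Natural disaster destroys server with company-specific data, no backup",
           Level.HIGH, Level.LOW, ("A.12.3 Backup", "A.17 Business continuity")),
    Threat("Business sector and scale of the processing",
           "Project member gets hacked and project-related information is stolen",
           Level.MEDIUM, Level.MEDIUM,
           ("A.13 Communications security", "A.16 Incident management")),
    Threat("Different parties and people involved",
           "Non-employees get unauthorized access to non-sensitive data",
           Level.LOW, Level.HIGH, ("A.9 Access control",)),
    Threat("Processes related to the data processing operation",
           "Sensitive health data accidentally shared by project members",
           Level.HIGH, Level.HIGH,
           ("A.6.1.1 Roles and responsibilities", "A.7.2.2 Training",
            "A.9 Access control")),
]


def risk_matrix(register):
    """Group threat descriptions by (likelihood, impact) cell, as in the page's table."""
    cells = {(lik, imp): [] for lik in Level for imp in Level}
    for t in register:
        cells[(t.likelihood, t.impact)].append(t.description)
    return cells


def prioritise(register):
    """Order for step 5: highest risk first, ties broken by impact, then likelihood."""
    return sorted(
        register,
        key=lambda t: (risk_level(t.impact, t.likelihood), t.impact, t.likelihood),
        reverse=True,
    )


def treatment_plan(register):
    """(description, risk level name, Annex A references) in treatment order."""
    return [(t.description, risk_level(t.impact, t.likelihood).name, t.measures)
            for t in prioritise(register)]


if __name__ == "__main__":
    for desc, level, measures in treatment_plan(REGISTER):
        print(f"{level:6} {desc}\n       -> {', '.join(measures)}")
```

Keeping the register in a file under version control gives the security officer a record of who rated which threat and when, and re-running it after a change in the project (a new consortium member, a new hosting provider) is how the "continuous re-evaluation" in the to-do list below becomes a routine rather than a one-off exercise.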

It needs to be emphasized that establishing cybersecurity is not an easy task, particularly not for researchers and research projects with limited financial and human resources. Nonetheless, regulatory requirements for data protection and information security call for standardized processes that researchers can follow to analyze and mitigate risks. There is no one-size-fits-all solution, and researchers need to be aware of additional regulations and requirements specific to their sector. ENISA, other EU bodies and data protection authorities offer further guidance on applying cybersecurity measures, which researchers are advised to consult in the interest of stakeholders and data subjects.[10]

To Dos

  • Familiarize yourself with the relevant ISO/IEC standards, such as ISO/IEC 27001 (requirements for establishing and maintaining an information security management system, ISMS) and ISO/IEC 27032:2012 (guidelines for cybersecurity).
  • Use information provided by national information security agencies such as the BSI in Germany.
  • Follow a structured process on the identification, evaluation and mitigation of threats, vulnerabilities and risks
  • Be aware that cybersecurity is not something that can be achieved at one point in time. It is an endeavor through which all processes and resources are continuously re-evaluated. Your level of security can suddenly change with a change in risks, threats and vulnerabilities.
  • Be aware of new and upcoming regulation on cybersecurity as well as on new threats, attack scenarios or vulnerabilities.
  • Make use of the information and tools provided by cybersecurity agencies such as ENISA and by data protection authorities.


References


[1] Bundesamt für Sicherheit in der Informationstechnik (2017). BSI-Standard 200-2: IT-Grundschutz Methodology (formerly known as IT baseline protection manual). Available at: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi-standard-2002_en_pdf.pdf?__blob=publicationFile&v=2 (last accessed: 11.11.2021)

[2] See for instance ISO/SAE 21434 "Road vehicles – Cybersecurity engineering" or ETSI EN 303 645 for IoT devices.

[3] ENISA. Overview of the methodology. Available at: https://www.enisa.europa.eu/risk-level-tool/methodology (last accessed: 03.11.2021)

[4] A more detailed version of the guidelines can be found at: https://www.enisa.europa.eu/publications/guidelines-for-smes-on-the-security-of-personal-data-processing (last accessed: 03.11.2021)

[5] ENISA. Overview of the methodology. Available at: https://www.enisa.europa.eu/risk-level-tool/methodology (last accessed: 03.11.2021)

[6] It needs to be emphasized that, although the process deals with data protection and personal data, it is not a data protection impact assessment (DPIA under Art. 35 GDPR). This assessment focuses solely on cybersecurity, whereas a DPIA encompasses additional parameters.

[7] Ibid.

[8] Art. 32 (and Art. 24) GDPR, Security of processing, also refers to technical and organizational measures and lists some example measures for the processing of personal data, including pseudonymization and encryption of data (Art. 32(1)(a) GDPR).

[9] ENISA. (Self)assessing the implemented security measures. Available at: https://www.enisa.europa.eu/risk-level-tool/assessment (last accessed: 05.11.2021)

[10] ENISA. Additional tools and guidance for specific sectors and industries are available at: https://www.enisa.europa.eu/tools (last accessed: 05.11.2021)
