Security controls implementation for a distinguished EU Institution
Providing security support across systems to harden the EU Institution's operations and ensure compliance with applicable standards, policies and guidelines.
Our client is a distinguished EU Institution, a specific department of which has a coordinating role in the development of information technology systems addressing the European Commission.
Its main tasks include the provision of high-quality and innovative workplace, business and infrastructure solutions that, among other things, align IT investments with business priorities and balance risk against business value for the Institution. The Department also supports the modernisation of public administrations so that they can work in an interoperable manner.
Today's rapidly changing security landscape requires EU Institutions to implement a baseline set of management, operational and technical security controls in order to protect their IT systems; this was also the case for the system in our scope of work. The requirement to base security measures on an IT security risk assessment for every Commission system is established in Commission Decision (EU, Euratom) 2017/46 of 10 January 2017.
The risk management process aims to determine the levels of IT security risk and to define security measures that reduce those risks to an acceptable level at a proportionate cost. These measures, together with the details of their implementation, the resources needed and the planned schedule, are recorded in the system's IT Security Plan. The specific system would be used by public authorities across Europe to exchange information as part of procedures that ensure the practical implementation of Single Market legislation. The launch of its 'public interface' would be highly visible both in the road transport sector and in public administrations, and would be reported in the media.
Conducting an IT security risk assessment of a high-profile system that was still in its development phase at the time, based on the IT Security Risk Management Methodology (ITSRM²), and developing the corresponding IT Security Plan.
The main tasks of the project include:
- Interviewing all relevant stakeholders.
- Conducting the system risk assessment.
- Preparing/updating the Security Plan according to the ITSRM² methodology.
- Coordinating the approval process.
- Presenting the Risk Assessment and Security Plan.
- Proposing, documenting and assisting in the implementation of technical and procedural IT security improvements.
Our team used the IT Security Risk Management Methodology (ITSRM²), created by the European Commission to provide a systematic, risk-based approach to securing its systems. The tool used to finalise the risk assessment was GovSec.RM. ITSRM² consists of the following processes:
- System Security Characterization
- Primary assets identification and valuation
- Supporting assets identification
- System modelling
- Risk identification
- Risk analysis and evaluation
- Risk treatment
The IT Security Risk Management process allowed us to identify the threats and vulnerabilities, and the resulting risks, that surround the specific system. The IT Security Plan gave us an overview of the system's security requirements and described the controls already in place, or planned, to meet those requirements.
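The core mechanics behind the "primary assets identification and valuation", "supporting assets identification", "system modelling" and "risk analysis and evaluation" steps above can be shown on a toy risk register: primary assets (business information and processes) are valued on confidentiality, integrity and availability, supporting assets (the technical components that carry them) inherit the highest need of every primary asset they support, and each risk on a supporting asset is scored from that inherited impact and a likelihood, then compared against an acceptance threshold to decide what enters risk treatment. The block below is an added example written for this page; it is not code from the project, from GovSec.RM or from the ITSRM² documentation, and the 1-4 scales, the multiplicative risk level, the threshold of 6 and all asset, threat and risk names are constructed assumptions chosen only to illustrate the inheritance and prioritisation logic.

```python
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical 1-4 scale (assumption for this example; ITSRM² defines its own scales).
SCALE = {1: "low", 2: "medium", 3: "high", 4: "very high"}
DIMENSIONS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class PrimaryAsset:
    """Business information or process, valued directly by its owners (1-4 per dimension)."""
    name: str
    confidentiality: int
    integrity: int
    availability: int


@dataclass(frozen=True)
class SupportingAsset:
    """Technical component that carries one or more primary assets."""
    name: str
    supports: tuple[str, ...]  # names of the primary assets that depend on it


@dataclass(frozen=True)
class Risk:
    """A threat scenario against a supporting asset on one security dimension."""
    risk_id: str
    supporting_asset: str
    threat: str
    dimension: str      # one of DIMENSIONS
    likelihood: int     # 1-4, estimated by the assessor


# Constructed sample register (not the assessed system's real assets).
PRIMARY_ASSETS = [
    PrimaryAsset("exchanged procedure messages", confidentiality=3, integrity=4, availability=3),
    PrimaryAsset("public interface content", confidentiality=1, integrity=4, availability=3),
]
SUPPORTING_ASSETS = [
    SupportingAsset("message database", supports=("exchanged procedure messages",)),
    SupportingAsset("web frontend", supports=("exchanged procedure messages", "public interface content")),
]
RISKS = [
    Risk("R1", "message database", "unauthorised disclosure by an insider", "confidentiality", likelihood=2),
    Risk("R2", "web frontend", "tampering with published data", "integrity", likelihood=3),
    Risk("R3", "web frontend", "loss of service", "availability", likelihood=1),
]


def inherited_needs(primary: list[PrimaryAsset], supporting: list[SupportingAsset]) -> dict[str, dict[str, int]]:
    """System modelling step: a supporting asset inherits, per dimension, the highest
    security need among the primary assets it supports."""
    by_name = {p.name: p for p in primary}
    return {
        s.name: {dim: max(getattr(by_name[p], dim) for p in s.supports) for dim in DIMENSIONS}
        for s in supporting
    }


def risk_level(impact: int, likelihood: int) -> int:
    """Assumed scoring: impact x likelihood, giving 1..16."""
    return impact * likelihood


def evaluate(risks: list[Risk], needs: dict[str, dict[str, int]], acceptance_threshold: int = 6) -> list[dict]:
    """Risk analysis and evaluation: score every risk and flag those above the
    acceptance threshold for treatment, highest first (the prioritised list)."""
    scored = []
    for r in risks:
        impact = needs[r.supporting_asset][r.dimension]
        level = risk_level(impact, r.likelihood)
        scored.append({
            "id": r.risk_id,
            "asset": r.supporting_asset,
            "threat": r.threat,
            "impact": SCALE[impact],
            "likelihood": SCALE[r.likelihood],
            "level": level,
            "treat": level > acceptance_threshold,
        })
    return sorted(scored, key=lambda row: row["level"], reverse=True)


if __name__ == "__main__":
    for row in evaluate(RISKS, inherited_needs(PRIMARY_ASSETS, SUPPORTING_ASSETS)):
        flag = "TREAT" if row["treat"] else "accept"
        print(f"{row['id']} {flag:6} level={row['level']:2} {row['asset']}: {row['threat']}")
```

Note that the web frontend ends up with a confidentiality need of 3 even though the public content it serves is rated 1, because it also carries the procedure messages; this inheritance is what makes a seemingly low-value component a high-priority target in the prioritised list, and it is the reason the supporting-asset and system-modelling steps come before risk identification.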
The main benefits of the IT Security Risk Management process were the following:
- The creation of a comprehensive document that gave the organisation a much better informed view of the current security posture of the system.
- The risk assessment exposed previously unknown vulnerabilities.
- It helped the organisation determine which security measures needed to be implemented and which needed to be strengthened, by producing a prioritised list of risks.
- Because the risk assessment was performed during the development phase, it delivered cost-effective and sufficient information security protection for the system, before design decisions became expensive to change.
- It increased compliance with applicable standards, policies and guidelines.