
Introduction

• Peter De Witte
• Information Security Officer for the IT Department
• Advisor for
  – Software Development
  – Infrastructure

Introduction SVB

• SVB: Sociale Verzekeringsbank
• 15 different national insurance schemes
• Child Benefits, AOW Pensions, Anw Survivor Benefits
• 100 years +
• 5 Million Clients
• € 35 Billion on a yearly basis

How can SVB assure adequate levels of security and gain customers' trust, while maximizing the quality and effectiveness of citizen service?

25 May 2012

Security, Trust, Quality & Effectiveness

• Awareness
• Provide a secure IT
• Proper use of available channels
• Adequate response to incidents

Customer Awareness

Employee Awareness

• Code of Conduct
• Security Guidelines
• Classification of information
• Incident response
• Organisation of Information Security

Employee Awareness

• Email policy

Provide a secure IT

• NEN-ISO/IEC 27002:2007 nl (BS27002)
• CMMi
• ITIL
• OWASP
• Security testing
• Standard for web applications, provided by Logius in cooperation with NCSC

Trusted Channels

3 Security levels for DIGID:

1. Basis: login code (username + password)

2. Middle: login code + text message on a mobile phone

3. High: electronic identifier (not yet implemented)

• Open A Select server (soon: SAML server)
• Shared secret (soon: 2-way SSL authentication)

• PKI Government Certificates

Public channels

Response to incidents: Case Diginotar

• Diginotar: certificates were no longer trusted

• DIGID was affected directly, SVB indirectly

• If customers wanted to log in, they received a warning about an unsafe certificate

Case Diginotar: response SVB (short term)

• Form an internal crisis team
• Inventory of SVB certificates
• Link up with other sister organisations and the Ministry of the Interior and Kingdom Relations
• Communication to the customer, if necessary

Case Diginotar: response SVB (long term)

• Back-up CA
• Investigation of the Dutch Safety Board
• Cooperate with Logius and sister organisations to develop and implement a new standards framework for users of DIGID
• Start of expert center initiated by public service providers
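The inventory of certificates (short term) and the back-up CA (long term) are the operational core of such a response: find every deployed certificate that chains to the CA that is no longer trusted, and reissue it elsewhere. As an added example, not code from the presentation or from SVB, the Go program below screens a certificate inventory against the certificate of a distrusted CA with a signature check rather than an issuer-name match; the CA names, host names and certificates are constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// FlagDistrusted screens an inventory (host -> deployed certificate) against the certificate of a
// CA that is no longer trusted and returns the hosts whose certificate was really signed by it.
// It verifies the signature rather than comparing issuer names, so a look-alike issuer name
// neither hides nor fakes a hit. Every host returned needs a new certificate from a trusted CA.
func FlagDistrusted(inventory map[string]*x509.Certificate, distrustedCA *x509.Certificate) []string {
	var hits []string
	for host, cert := range inventory {
		if cert.CheckSignatureFrom(distrustedCA) == nil {
			hits = append(hits, host)
		}
	}
	return hits
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue mints a certificate for cn signed by parent (self-signed root when parent is nil);
// constructed example data only, the CA and host names are hypothetical.
func issue(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey))
	return must(x509.ParseCertificate(der)), key
}
// SampleInventory: one host issued under the compromised CA, one under the backup CA, plus the compromised CA itself.
func SampleInventory() (map[string]*x509.Certificate, *x509.Certificate) {
	badCA, badKey := issue("Compromised CA", true, nil, nil)
	backupCA, backupKey := issue("Backup CA", true, nil, nil)
	portal, _ := issue("portal.example", false, badCA, badKey)
	intranet, _ := issue("intranet.example", false, backupCA, backupKey)
	return map[string]*x509.Certificate{"portal.example": portal, "intranet.example": intranet}, badCA
}
func main() {
	fmt.Println("to replace:", FlagDistrusted(SampleInventory())) // [portal.example]
}
```

In a real inventory the certificates would be read from the hosts or from the certificate store, and the distrusted CA certificate from the advisory that withdrew trust.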

Responses from external parties

SUWI:

“the SVB has a technical and organizational infrastructure of such a standard, that such an incident can be adequately addressed. Apparently the citizens understood where the problems were and have enough confidence in the SVB web service to continue its use.”

Dutch Safety Board (still unofficial):

Indication towards a positive reaction

National Ombudsman:

Positive reaction towards how SVB deals with customers and customer data

Future

• Keep our own security up to date

• Proactive towards new developments, like cloud.

• Cooperation with external parties

Questions?