5.12.2003 Counsellor, Docent Tuomas Pöysti, MINISTRY OF FINANCE
The laws of information security
by Dr. Tuomas Pöysti, counsellor of the Ministry of Finance (chief adviser on public economic and public law, regulatory policy, management and governance issues), deputy member of the Government board of public sector information management, docent of administrative law (University of Helsinki)
Information security has been a concern of law for a long time. Initially, information security was tacit knowledge embedded in the rationale of many rules of law. In the age of computing, information security became explicit technical knowledge. In the information age and the network society, information security has become a legal principle and a constitutional meta-right which is part of the requirements of good governance.
The regulatory change is connected to informatisation and convergence, which are all parts of the emergence of the network society. The law of the network society regulates information security both generally and in its particular fields. Current information security regulation calls for new pluri-disciplinary co-operation and a new role for lawyers.
These lectures aim to systematise current information security legislation in European and Finnish law and to build an understanding of the interaction between technology, security theory and law.

The unfortunate company
The company strategy was based on the increase of the market value of its shares and then an eventual merger. The IT boom accelerated the rise of the value.
Eventually disputes arose among the company management and particularly among the Board members.
Helsingin Sanomat (a major Finnish newspaper) made critical reports on the disputes and the bad atmosphere. The company started to investigate ’’leaks’’.
Sonera's security chief and his team, eventually on the request of or at least for the CEO, used information Sonera possessed as a telecom operator on the communications the board members and personnel had made to the press (traffic data).
Side story: the networking of security personnel. The head of security of the Government got access to and used Sonera's telecom operator traffic data to analyse a case in which calls were made to a person suspected of serious tax fraud by the driver of the Prime Minister and from a portable phone at the disposal of the Prime Minister in his car.

FICORA decision on the ’’Sonera telecom espionage’’
Request by FICORA (Finnish Communications Regulatory Authority, in Finnish Viestintävirasto) to Sonera. Response: first an internal investigation report; at a further request: system login reports, data protection and information security instructions and policies, and internal audit reports.
According to FICORA the general information security policy and the awareness of it were sufficient. The recording of the processing of traffic data was, however, not sufficient, and the purpose of the processing in cases where information was drawn from the operator systems was not systematically written down. In some areas the internal information security policies were not uniform or comprehensive enough. The supervision of compliance with the security policies had to be strengthened.
According to FICORA there is reason to believe that operator traffic data has been processed in an unlawful manner, and FICORA forwards its report to the police investigating the case.

The unfortunate company
The e-mail services of TeliaSonera were overloaded due to the messages and return messages sent as a consequence of viruses.
Consequently the sending of e-mails via TeliaSonera slowed down substantially, even by several days or weeks.
The Finnish Communications Regulatory Authority (FICORA) asked the service provider to bring the e-mail communications to the good technical level required by the Communications Market Act. Additionally FICORA found that the operator had not been informing its clients sufficiently.

The unfortunate society
A virus attack causing a dysfunction of the electricity network may cause a blackout or at least slow down recovery from a failure; there is evidence that this was partially the reason for the slow recovery from the recent blackout in the U.S.
=> warning letter of the Ministry of Traffic and Communications and the National Emergency Supply Agency

Information security
Information security is a state of affairs in which there is no significant risk to
Availability
Integrity & authentication
Confidentiality
Auditability is an additional information security feature.
Information security also refers to the entirety of measures aiming at guaranteeing availability, integrity, authentication and confidentiality in all circumstances (information security work).

Availability
Accessibility and availability of information, ICT systems and services
Ability to utilise information, services and systems at the correct time: usability; availability of updates, meta-data & meta-information (name servers, structured documents)
In the legal sense: making access-to rights effective in the infrastructure and in practice

Integrity and authentication
Data unaltered and correct (structurally, logically), non-compromised
Completeness of data
Recognition and confirmation of the asserted identity, user or source
Non-repudiation of the message and content

Confidentiality
Protection of data and messages against interception and access by unauthorised persons, and protection of information from accidental or intentional but non-authorised losses
Protection of data and systems against unlawful use or use for an unlawful purpose
Safeguarding the secrecy & confidentiality rights and other exclusive rights to information and information processing

Information security is often about risks
Different definitions of risk:
1. risk is a probability of an adverse event (loss or other)
2. monetary value of an adverse event, or expected monetary value of an adverse event: monetary value x probability
3. probability of the realisation of a threat

Dimensions of information security
Distinguishing the different dimensions helps the planning and management of information security measures
1. Administrative and organisational security
2. Personnel security
3. Physical security
4. Communications security
5. Hardware security / facilities security
6. Software security
7. Data security
8. Operations security

Data security – information security – security of knowledge
(Figure: the pyramid of data, information and knowledge. Levels from the bottom up: Data; Information; Knowledge; Intuition, wisdom and tacit knowledge. Annotations on the figure: technical security and the legal principles concerning it; documented knowledge; IPR and business secrets; personnel security; knowledge management.)

Historical evolution and driving forces of information security regulation
First stage: information security is tacit knowledge embedded in the rationale of some rules and principles of law: form requirements in private law, individual information security rules and administrative regulations (noticeboards, archives, the notarius publicus system).
Computing gradually brings information security as explicit, documented knowledge distinct from document management and archiving. Information security, however, does not yet have a status in the recognised legal knowledge.
Personal data laws have been the source of the development of legal information security rules and principles.
Confidentiality rules in the public administration defined the development of information security rules.

Historical evolution and driving forces of information security legislation
First generation data protection laws: the concepts of data protection and information security are not clearly distinguished. Register-based rules on access to personal data, no very well defined information security rules.
Second generation data protection laws (in Finland the Personal Registry Act of 1987). Fairly wide concept of a personal register and the requirements of good register practice. Particular information security obligations, and information security a clear embedded objective of data protection laws. Information security is not yet an explicit obligation.
Third generation personal data legislation: a logical concept of personal register in which the law regulates all computerised use of personal data. General information security obligation and particular information security provisions. Good information management practice as a leading concern.
Fourth generation: information security as a legal institution of its own, regulated in the information security and management acts. Abuse model in the personal data legislation. General laws governing digital communications.

Phenomena leading the development of information security law
Informatisation – the Information Age – and the emergence of the network society. Networks and networking are essential modes of organisation and work in the public and private sector. Information, information processing capacity and knowledge are the strategic assets or key success factors of individuals, organisations and societies. Information and network dependence of individuals, organisations and societies as a whole.
Commodification of information and the related juridification of information and information processing. Information is increasingly a product, a commodity, and subject to value and trade.
Convergence of technologies and media. Different media and platforms are able to provide similar or inter-operable services. Convergence has a technical, economic, cultural, legal and societal dimension.

Information security law today
Necessity for the efficiency of information-bound fundamental and basic rights
Legal principle and constitutional meta-right
Part of the requirements of good governance
General obligation prescribed in European and national law and in contracts; a general object of legal protection
Particular information security obligations and working tools for information security work in sectoral legislation
Normative element in system and infrastructure design, operation and organisation management: proactive and preventive law, a challenge for lawyers

The constitutional foundation of information security law
Evolution of the rule of law: from the formal rule of law to the material rule of law.
The efficiency of rights is an essential component of rights in contemporary legal thinking: the ECHR practice, the EC law.
Positive obligation to promote the realisation of fundamental and basic rights.
The concept of good constitutional governance embodies the requirements of the materiality of fundamental and basic rights and the efficiency of rights.
In today’s context technical security is needed for the efficiency of rights. In other words, technical security is a necessary condition for legal certainty (legal security).

Information security – legal certainty
(Figure: technical security and legal certainty. Technical security is a requirement for the efficiency of rights and thereby for legal certainty; legal certainty is dependent on the technical infrastructure.)
Information security: encountering the technical requirements and the legal interests related to information and information processing
• technical and legal security encounter
• risk management is a common backbone for both
• genuine encountering requires that neither the technical nor the legal aspect suppresses the other perspective. This requires new pluri-disciplinary co-operation and discussion

Systematics of information security law
General information security legislation and soft law
General public information security law – e-Government acts
Particular information security provisions covering some aspects of:
1. Administrative and organisational security provisions
2. Personnel security provisions
3. Physical security provisions
4. Communications security provisions
5. Hardware security / facilities security provisions
6. Software security provisions
7. Data security provisions
8. Operations security provisions
Law in this dimension either establishes obligations for security work, or provides governance tools, or sets limits and boundaries for information security work
Information security contracts

General information security legislation
EC personal data directive 95/46/EC and the implementing national personal data laws:
article 17: general information security obligation
particular information security rules
information security as a principle of the information infrastructure
EC directive on privacy and electronic communications (2002/58/EC): information security requirements for electronic communications
Penal law provisions on information crime: Council of Europe Cybercrime convention

Principles of general information security legislation
The general doctrines of information security in law, which are part of the general doctrines of information law
Establishment of information security as a meta-right and legal principle
General information security obligation: technical, organisational and other measures (art. 17 of the Personal data directive, art. 4 of the privacy and electronic communications directive)
Requirement for effective risk management: risk analyses, establishment of management responsibilities and measures for the prevention and limitation of risks
Principle of proportionality and reasonableness of risk measures
Principle of due care (precaution). Stance to technology as an enabler and duty to follow technical development

General Public Information Security Legislation
Trend towards more general e-Government acts or government information management acts
Examples: the U.S. e-Government Act of 2002, the Finnish Act on the Openness of Government

Good information management practice
Openness of Government Act, section 18: obligation to safeguard the accessibility, availability, protection, integrity and other factors having an influence on the quality of the information in documents and information systems

Good Information Management Obligations in section 18
Obligations cover the whole life cycle of information, from creation to destruction
Emphasis on the planning procedures
Planning optimism as a model of rationality

Objective of section 18
Efficient and easy use of the principle of openness
Information security
Quality of information
Efficiency: efficiency of administration, economic efficiency and the functioning of the markets

Key contents of section 18
Obligation to create and maintain good information management practice
Creation of catalogues and reports serving the implementation of openness
Mapping and preserving the rights related to information
Planning obligations
Principle of information security
Principle of the quality of information

Good information management practice in the systematics of the Act on the Openness of Government
Right to information: public information; exception: exhaustive (?) list of secrecy grounds; access to the file of a party
Obligations safeguarding the openness: duty to promote access to information; good information management practice
Principles concerning the interpretation: openness-friendly interpretation

Section 18 and the paradigm of the law of the network society
Regulation focuses also on the information infrastructure and information logistics
Good practice as a regulatory model: codes of conduct
Efficiency as a concern for positive law; scarcity of law and rights

Problems related to the Act on the Openness of Government
Law-making risk? Attempt at an all-at-once solution
Recognition of imperfect governance? Exhaustive and wide list of rules and exceptions
Lack of recognition of codes of conduct; planning optimism
Formulation and appearance

Administrative and organisational security
Administrative and organisational security is the backbone of information security work.
Shortcomings in administrative security are often the reason for serious information security problems (together with malicious software and junk mail).
The EC personal data directive and the EC privacy and electronic communications directive require particular attention to organisational security, e.g. internal ’’Chinese walls’’ concerning the use of traffic data in a communications enterprise.
Sectoral regulation may in some areas establish additional requirements, for example financial market law, in which high information security is an embedded requirement.
Information security provisions in contracts often require organisational information security measures.

Dimensions of administrative and organisational information security
1. Security environment
 1. Ethical and moral principles and their implementation in practice
 2. Organisational policies
 3. Definition of responsibilities
 4. Organisational structure favouring security
 5. Sufficient financial resources and reliability
 6. Sufficient skills and expertise, continuous learning and education
 7. Awareness of legal and security requirements among management and personnel
2. Objectives and risks, risk management
3. Supervision and controls, security audits
4. Follow-up, reporting and learning

Personnel security
The main sources of law concerning personnel security are the obligations set for the employee in the labour legislation and the prohibition of unauthorised use of business secrets.
In Finnish law: the Act on Work Contracts
The main contractual instruments for personnel security are non-disclosure agreements and non-recruitment clauses. The labour legislation may limit the possibilities to agree on the duration of non-disclosure and non-use clauses.
Act on Security Clearances: a security clearance procedure for the protection of state security

Physical security
Physical security is legally protected by the penal law provisions concerning trespassing, the inviolability of public and private premises and the damaging of property.
Certain penal law provisions recognise information security as an additional objective of legal protection. Example:
General and particular information security provisions often require physical security measures. Ex. electronic accounting documents, Ministry of Trade and Commerce Decision (47/1998) 6 § 2 parag.: double copies, the other copy shall be kept in a secure location and separate from the other copy.
Organisations’ own norms often require particular physical security measures.

Communications security
Communications security is the fastest developing area of regulation
Privacy on electronic communications directive and the implementing e-communications privacy and information security laws
Universal service rules and communication markets: a user’s access to (technically) high quality communication services implies also a right to information security; example: FICORA decisions. Information security is a part of a wider right to quality
Electronic signatures directive and the law on electronic signatures
UNCITRAL model law on electronic signatures covers certain areas which have not been regulated in the EC electronic signature directive
The new Act on the Use of Freedom of Speech in Mass Communications

Particular security requirements for electronic signature certification service providers
Art. 6: particular liability rules for issuers of qualified certificates
Annex II of the directive:
organisational and economic security and reliability
personnel security and adequate personnel and expertise
adequate hardware and software systems and security
adequate data recording and prompt revocation lists
prohibition of storing private keys as part of key management

Hardware security / facilities security
In the communications sector there are some particular hardware requirements.
Hardware connected to the general communications network may not cause harm to the network or to others. Only standard-conforming equipment may be used.
Risk-division: each party bears the risks related to the hardware in his possession. This risk provision is standardly repeated in the information security provisions in contracts.

Software security
General rules follow from the personal data directive and the privacy and electronic communications directive
Act on Electronic Communications with the Public Authorities
Particular problem: the liability for defective software and creating proper incentives for good software in law

Data security
Technical measures for the protection of copyright: article 6 of the Infosoc directive (directive 2001/29/EC). In the U.S. the DMCA.
Directive on conditional access services
Several sectoral rules on data security
Contractual provisions often require secure storing and even deletion of stored data
Implementation of these provisions: a follow-up report should be required

Operations security
The Electronic commerce directive establishes rules on operations security in e-commerce
In sensitive domains operations security requires constant surveillance and instruction / training
In security sensitive services contractual provisions on operations security and risk-division may be required

Information security provisions in contracts
Contract is the principal governance tool of business co-operation. Contract is among the legal devices to build reasoned trust and a tool in risk prevention and risk management.
Due to the importance of information security risks and the strategic value of information, information security provisions are often needed in contracts.
A good information security provision is not the transfer of all responsibility to the other party. Legislation may limit such a contract.
The more sensitive the information risk is, the more detailed and clear the contract needs to be.