Development of the Information Security Management System Standard for Public Sector Organisations in Estonia

DOI:

https://doi.org/10.52825/bis.v1i.43

Keywords:

Information Security Management System, ISMS, Public Sector, Requirements of Security Standards, Estonia

Abstract

Standardisation gives us a common understanding of processes, so that things are done in a commonly accepted way. In information security management, it means achieving the appropriate security level in the context of known and unknown risks. Each government’s goal should be to provide digital services to its citizens with an acceptable level of confidentiality, integrity and availability. This study elicits the EU countries’ requirements for information security management system (ISMS) standards and provides requirements for comparing those standards. The Estonian case serves as an example to illustrate the method when choosing or developing the appropriate ISMS standard for public sector organisations.

Published

2021-07-02