
Information Security in Sweden

Action plan 2008–2010

Summary

In January 2007, SEMA was commissioned by the government to prepare proposals for an action plan for information security in Sweden. The action plan consists of 47 proposed measures. The following four areas have been designated as prioritized.

Improved sector-wide and cross-sectorial work is needed for information security in Sweden. All-embracing regulations for the field of information security should be able to be prepared to apply to all government agencies. At the same time, sector-specific responsibility must be clarified. Furthermore, there must be opportunities to provide practical recommendations to other civil sectors.

A fundamental security level must be established for information security in Sweden. Such a basic level is a prerequisite for being able to secure the information assets that have become increasingly fundamental for both trade and industry and the public sector.

Society must be able to deal with extensive IT-related disturbances and emergencies. An operative national coordinating function should therefore be established.

There are competence deficiencies in the field of information security on all levels of society. The rapid development also entails that competence deficiencies on the part of individual users have increasingly greater consequences. For this reason, several proposals are submitted that jointly constitute a broad program to raise competence in the field.

The proposed measures submitted in the action plan concern measures in the information security field and embrace all of society, from normal conditions to emergencies. Also proposed in the action plan is an administration process in which the measures are annually followed up and updated.

The action plan proposes measures that address the problems reported in SEMA’s annual situational assessment. The proposed measures also take into consideration, among other things, the Commission on Information Security’s report Secure information (SOU 2005:42); the government bill for improved emergency preparedness (Bill 2007/08:92); and the committee directive for a new agency with responsibility for emergency preparedness and security matters (Dir. 2008:27).

Work has been conducted in collaboration with government authorities on the national, county and municipal levels, as well as with trade and industry. The authorities of the Collaborative Group for Information Security (SAMFI) have agreed to confer on the action plan.


Table of contents

Terms and abbreviations ... 8
1 Introduction ... 11
1.1 SEMA’s commission ... 11
1.1.1 Interpretation of the commission ... 11
1.2 Input values ... 11
1.2.1 National strategy for information security ... 12
1.2.2 Commission on Information Security’s strategy ... 12
1.3 Methods ... 13
1.3.1 Collaboration ... 13
1.3.2 Document studies ... 13
1.3.3 In-depth studies ... 14
1.4 Definition of information security ... 14
1.5 Document structure ... 14
2 Information security in Sweden ... 15
2.1 Threats to and vulnerabilities of the information society ... 15
2.2 Aspects of information security ... 16
2.2.1 Holistic view on information security ... 16
2.2.2 Standardization ... 16
2.2.3 Competence and awareness ... 17
2.2.4 Collaboration ... 17
2.2.5 Resources ... 17
2.2.6 Rules and regulations ... 17
3 Execution ... 19
3.1 Adoption of proposed measures ... 19
3.2 Administration of the action plan ... 22
3.2.1 Background information ... 22
3.2.2 Proposed measures ... 22
4 Legislative review and authorization to issue regulations ... 23
4.1 Background information ... 23
4.2 Proposed measures ... 24
5 Information security in organizations ... 25
5.1 Information security responsibility ... 25
5.1.1 Background information ... 25
5.1.2 Proposed measures ... 26
5.2 Information security management systems ... 27
5.2.1 Background information ... 27
5.2.2 Proposed measures ... 28
5.3 Framework for the governmental information security ... 29
5.3.1 Background information ... 29
5.3.2 Proposed measures ... 30
5.4 Fundamental security level for information security ... 31
5.4.1 Background information ... 31
5.4.2 Proposed measures ... 31
6 Competence supply ... 33
6.1 Knowledge center for information security ... 33
6.1.1 Background information ... 33
6.1.2 Proposed measure ... 33
6.2 Awareness of information security in society ... 34
6.2.1 Background information ... 34
6.2.2 Proposed measures ... 34
6.3 Elementary schools and high schools ... 35
6.3.1 Background information ... 35
6.3.2 Proposed measures ... 35
6.4 Universities and colleges ... 36
6.4.1 Background information ... 36
6.4.2 Proposed measure ... 36
6.5 Working population ... 36
6.5.1 Background information ... 36
6.5.2 Proposed measures ... 37
6.6 Research ... 37
6.6.1 Background information ... 37
6.6.2 Proposed measures ... 38
7 Information sharing, collaboration and response ... 41
7.1 Operative national coordination function ... 41
7.1.1 Background information ... 41
7.1.2 Proposed measures ... 42
7.2 Suppression of IT-related criminality ... 43
7.2.1 Background information ... 43
7.2.2 Proposed measures ... 44
7.3 National coordination ... 44
7.3.1 Background information ... 44
7.3.2 Proposed measures ... 46
7.4 Collaboration within the EU ... 47
7.4.1 Background information ... 47
7.4.2 Proposed measures ... 47
7.5 Other international collaboration ... 48
7.5.1 Background information ... 48
7.5.2 Proposed measure ... 48
8 Communications security ... 49
8.1 Internet security ... 49
8.1.1 Background information ... 49
8.1.2 Proposed measure ... 50
8.2 Signal security ... 51
8.2.1 Background information ... 51
8.2.2 Proposed measures ... 52
8.3 Swedish Government Secure Intranet – SGSI ... 53
8.3.1 Background information ... 53
8.3.2 Proposed measure ... 54
8.4 Electronic government administration ... 55
8.4.1 Background information ... 55
8.4.2 Proposed measure ... 55
9 Security in products and systems ... 57
9.1 Evaluation and certification of IT security products ... 57
9.1.1 Proposed measures ... 58
9.2 Security in digital control systems ... 59
9.2.1 Background information ... 59
9.2.2 Proposed measure ... 60
References ... 63
Appendix 1: Compilation of proposed measures ... 67
Appendix 2: Proposal for legislative changes ... 69
Appendix 3: Collaboration report ... 71
Appendix 4: SAMFI agencies ... 73


Terms and abbreviations

AgN – Workgroup for trade and industry collaboration. AgN is a subgroup of the Information Security Council.

BITS – Baseline for Information Security, issued by SEMA

CCRA – Common Criteria Recognition Agreement. CCRA is a collaboration between 24 nations that recognize one another’s certificates according to Common Criteria (CC). Sweden’s representative for CCRA is SEMA.

CERT – Computer Emergency Response Team

CIIP – Critical Information Infrastructure Protection

CIP – Critical Infrastructure Protection

Common Criteria (CC) – The standard ISO/IEC IS 15408, Evaluation criteria for IT security. Common Criteria is a standard for requirement specifications, declarations and evaluations of security in IT products and in IT systems, as well as their application environments (see Section 9.1).

CPNI – Centre for the Protection of National Infrastructure. British authority for security, including information security

CSEC – Swedish Certification Body for IT Security. Placed within the Defence Materiel Administration and responsible for establishment, operation and administration of a system for evaluation and certification of IT security in products and systems in accordance with the standard Common Criteria (CC).

EPCIP – European Programme for Critical Infrastructure Protection

EU – European Union

FIDI – Forum for information sharing concerning information security. A model for cooperation in information security between private and public entities (see Section 7.3.1).

FIPS PUB 199 – Standards for Security Categorization of Federal Information and Information Systems (FIPS, Federal Information Processing Standards Publications)

FIRST – Forum of Incident Reports and Security Teams. International collaborative forum for CERTs

FISMA – Federal Information Security Management Act of 2002

FM – Swedish Armed Forces

FMV – Swedish Defence and Materiel Administration

FOI – Swedish Defence Research Agency

FRA – National Defence Radio Establishment

IEC – International Engineering Consortium

Information Security Council – A Swedish council for national information security matters with representatives from strategic entities in the field. The council is led by SEMA.

ISO – International Organization for Standardization

ISO/IEC 27001 – Requirements standard for information security management systems

ISO/IEC 27002 – Best practices standard for information security management systems

ISMS – Information security management system (see ISO/IEC 27001 and ISO/IEC 27002)

MSB – An agency for civil protection and preparedness

PP – Protection Profile

PTS – Swedish Post and Telecom Agency

RKP – Swedish Criminal Investigation Department

RPS – National Police Board

SAMFI – Collaborative Group for Information Security. SAMFI is constituted by representatives from FM, FMV, FRA, PTS, RPS and Verva, and is led by SEMA.

SÄPO – Swedish Security Service

S-BIT – Common function at RKP and SÄPO for coordination of IT-related crimes and incidents

SCADA – See Supervisory Control and Data Acquisition (SCADA)

SEMA – Swedish Emergency Management Agency

SGSI – Swedish Government Security Intranet. Swedish national network used for communications between Swedish government agencies and with the European Commission’s TESTA (see Section 8.3)

SITIC – Swedish IT Incident Centre. Led by PTS

Supervisory Control and Data Acquisition (SCADA) – Computer-based system for control, regulation and monitoring of physical processes, such as the supply of electricity, gas and water, as well as rail-bound traffic (see Section 9.2).

TESTA – Trans-European Service for Telematics between Administrations. European Commission’s network for communications with EU member states (see Section 8.3).

TSS – Swedish Armed Forces’ School of Communication Security

Verva – Swedish Administrative Development Agency

1 Introduction

The Swedish Emergency Management Agency (SEMA) has the coordinating official responsibility for matters concerning information security, and in this role, has been commissioned by the government to prepare an action plan for implementing and administering the nation’s strategy for information security. In this section, a description is provided of SEMA's commission, the interpretation of the commission and the methods selected for carrying out the commission.

1.1 SEMA’s commission

In the government’s bill for coordination in the event of emergencies (Bill 2005/06:133), it is stipulated that SEMA shall prepare proposals for an action plan for information security. In the Swedish Emergency Management Agency’s appropriation direction for 2007, the Ministry of Defence stipulates the following:

The Swedish Emergency Management Agency shall within the framework of its information security work and based on present distribution of responsibility within the field, submit proposals for an action plan for implementation and administration of the national strategy for information security. Work shall be conducted in collaboration with concerned government authorities on the national, county and municipal levels, as well as with trade and industry. Special consideration shall be shown to responsibilities of the regulatory and sector agencies and they shall be given the opportunity to submit their views regarding the proposals. A situational report shall be presented no later than August 30, 2007, and a final report of the commission shall be presented in conjunction with the annual report for 2008.

1.1.1 Interpretation of the commission

The national strategy for information security is a basic prerequisite for formulation of the action plan. The government’s strategy for information security is stated in the bill for civil security and preparedness (Bill 2001/02:158) and in the bill for coordination in the event of emergencies (Bill 2005/06:133). A report from the Commission on Information Security, Secure information – proposals on information security policy (SOU 2005:42), includes a proposal for a strategy encompassing ten points, which should also be taken into consideration.

Implementation involves a number of activities and measures intended to realize the strategy. Administration is interpreted as maintenance of the realized measures, for example, follow-up and updating, as well as the objectives of information security, namely the strategy.

1.2 Input values

The action plan takes into consideration the government’s bill for strengthened emergency preparedness (Bill 2007/08:92) and the committee directive for a new agency with the responsibility for civil emergency preparedness and security (Dir. 2008:27) from March 13, 2008. The bill proposes that SEMA, the Swedish Rescue Service Agency and the Swedish National Board of Psychological Defence be phased out on December 31, 2008 and that a new agency for civil protection and emergency preparedness (MSB) be established on January 1, 2009.

1.2.1 National strategy for information security

The strategy referred to in the appropriation direction was proposed in the bill for civil security and preparedness (Bill 2001/02:158) and was later complemented in the bill for coordination in the event of emergencies (Bill 2005/06:133).

The general strategy is formulated as follows (Bill 2001/02:158):

The objective should be to establish high information security throughout society, which entails that disturbances to critical societal functions will be possible to prevent or properly deal with. The strategy for achieving this objective should, as well as other civil emergency management, be based on the responsibility principle, the similarity principle and the proximity principle.

Fundamentally, the entity responsible for an information processing system is also responsible for the system having the necessary security for the system to function in a satisfactory manner. An important role for the government is therefore to attend to all of society’s needs for information security and to take the measures that cannot be reasonably assigned to the individual system owner.

To prevent serious information-related attacks against Sweden, the work of the intelligence and security service should be strengthened.

The orientation of the national strategy for information security is complemented in Bill 2005/06:133 as follows:

The strategy for information security established by the government in 2002 should be further developed to also encompass the ability to detect, counteract and take action in conjunction with disturbances in critical societal IT systems. Trust and assurance in using IT should be increased. Increased security and improved integrity protection should be sought. An action plan for information security should be prepared based on a national strategy for information security work.

1.2.2 Commission on Information Security’s strategy

The Commission on Information Security’s report Secure information – proposals on information security policy (SOU 2005:42) presents a proposal for an information security strategy. This strategy, as well as the study’s other parts, have been considered in preparation of the action plan. The strategy consists of the following ten points:

1. Development of Sweden’s position in the EU and in international contexts
2. Creation of trust, assurance, security and increased integrity protection
3. Encouragement for increased use of IT
4. Prevention and capability to deal with disturbances to information and communications systems
5. Strengthening of intelligence and security service work and improvement of sharing
6. Strengthening of capacity in the field of national security
7. Utilization of society’s collected capacity
8. Focus on critical societal functions
9. Increased awareness of security risks and alternatives for protection
10. Assurance of competence supply

1.3 Methods

The action plan is based on interaction with other entities, document studies and individual in-depth studies. These methods are described below.

An important starting point for the action plan’s proposed measures is the identified threats and vulnerabilities. These, however, are not presented in any detail in the action plan but can be found in other documents, including SEMA’s annual situational assessments and the previously mentioned bills and studies.

1.3.1 Collaboration

Experts in various fields have contributed with knowledge, constructive criticism and authorship. External collaboration has been conducted through meetings, conferences and workshops. Collaboration has primarily been conducted in SEMA’s various forums for collaboration in information security:

• The Collaborative Group for Information Security (SAMFI). The participants are representatives from the following seven government entities: SEMA, the Swedish Post and Telecom Agency (PTS), the Swedish Administrative Development Agency (Verva), the Swedish Defence Materiel Administration (FMV), the National Defence Radio Establishment (FRA), the Swedish Armed Forces (FM), as well as the Swedish Criminal Investigation Department (RKP) and the Swedish Security Service (SÄPO). The respective duties and roles of these entities are presented in Appendix 4.

• The Information Security Council is a Swedish council for national information security matters with representatives from strategic entities in the field.

• Workgroup for trade and industry collaboration (AgN). AgN is a subgroup of the Information Security Council with representatives from Swedish trade and industry.

Besides these forums, individual meetings have been held with Swedish entities, both those mentioned in the groups above, and other strategically important entities. International contacts have been cultivated through bilateral meetings with, for example, German and Norwegian authorities, and through participation in conferences and workshops. All entities that SEMA has collaborated with are presented in Appendix 3.

1.3.2 Document studies

The investigation by the Commission on Information Security has been an important starting point in the preparation of the action plan due to it being current, detailed and having been widely reviewed. Both national and international reports have also been used as source data. All documents that have constituted the basis for the action plan are listed in the reference section.

1.3.3 In-depth studies

Three in-depth studies have been conducted:

1. Study of how Sweden can become better at taking action in regard to information security matters within the EU. The study was conducted by the Swedish Defence Research Agency (FOI).

2. Analysis of the medical care and financial sectors for the purpose of identifying current work with information security and future weaknesses (dependencies, vulnerabilities) and planned work (Meile AB).

3. Observation study of the IT attacks against Estonia in the spring of 2007. The investigation was conducted by SEMA’s information security unit.

1.4 Definition of information security

The terminology in the original Swedish version of this action plan complies with the SIS handbook for information security terminology (SIS HB 550, version 3). Information security encompasses both administrative and technical aspects with regard to confidentiality, integrity and availability of information assets. As a complement to these three aspects, the concept of traceability is also applied, among others.

The term information asset refers both to information and the resources used to process the information. Information security thus concerns more than securing information systems. Other resources – not least human resources – are also important components of the information security concept.

1.5 Document structure

The document begins with this introductory chapter and continues with Chapter 2, which provides a description of information security characteristics. Chapter 3 addresses execution of the action plan. This chapter contains the most important proposed measures that require decisions by the government, as well as proposed measures for how the action plan is to be administered.

Chapters 4 through 9 cover the various subject areas (such as competence supply) along with subsections (research, for example). Each subsection consists of background information, a description of objectives and the proposed measures.

2 Information security in Sweden

Information security embraces all of society and it is therefore a concern for all. Information security is about trust, with the objective of all parties in society being able to trust the information systems. Information security contributes to IT development in society being able to progress with high quality.

Information security is a supporting factor for improving the quality of societal functions. It ultimately concerns protection of a large volume of various values and objectives in society, such as democracy, personal integrity, growth, and economic and political stability. Due to the increasing use of IT in society, information security is a prerequisite for new phenomena in society, such as electronic government administration.

Through good civil information security, the following can be promoted:

• Society’s efficiency and quality in information handling
• Profitability and growth of trade and industry
• Society’s suppression of crime and preparedness for serious disturbances and emergencies
• Citizens’ freedoms and rights, as well as personal integrity
• Citizens’ and organizations’ trust in information handling and IT systems

2.1 Threats to and vulnerabilities of the information society

A development in society is underway in which information handling is to an increasing degree conducted with the aid of IT. This increased dependency also entails increased risks for individuals and organizations. There is also a distinct increase in information security-related threats, such as unauthorized access to computer systems, fraud and the spread of malicious code. The entities behind such actions include organized crime, terrorists and national governments.

Deficiencies in information systems can also have an impact on physical assets. Damage to the critical infrastructure can have disastrous consequences. Incidents that lead to incapacitation or destruction of such systems and assets can lead to serious crises that affect financial systems, public health, national security or combinations of these.

Deficiencies in handling information lead to weakened trust in the pertinent services and the entities responsible for them, and can therefore even jeopardize entities' operations and the use of their services. Serious and recurring disturbances can lead to crises of confidence that can also spread to other entities and services, and even to other sectors. For example, weakened trust in Internet banks can infect other sectors in society that offer Internet-based services.

2.2 Aspects of information security

To achieve good information security in Sweden, it is necessary to take special consideration to the following important aspects:

• Overview
• Standardization
• Competence and awareness
• Collaboration
• Resources
• Rules and regulations

2.2.1 Holistic view on information security

Information security is a complex and cross-border field that embraces, among other things, technology, administration, economy and law. In efforts to improve information security in organizations and on the national level, consideration must be taken to these fields.

Protective measures should aim both to create more robust information handling under normal societal conditions and to deal with more serious disturbances and emergencies. Good everyday security is often equated with having good preparations for more serious incidents. For example, good internal control in operations, competence in information security and good collaboration constitute the foundation for good operative capabilities in the event of an emergency.

A comprehensive view is required that is sector-comprehensive and cross-sectorial, beyond that which is handled by the respective sectors. Based on a wide view of information security, this action plan is intended to contribute to IT and information handling in society being further developed in an assured and secure manner that strengthens capabilities both under normal conditions and during emergencies. The measures in this action plan therefore link together the two levels in a variety of ways.

2.2.2 Standardization

An important aspect of security-raising measures is that efforts are based on proven technologies and methodologies. Various forms of standards offer organizations the opportunity to implement something that is proven and based on experience, and therefore creating the prerequisites for improved security. Application of standards entails that one can adapt something that is well thought out to one’s own needs. Large-scale benefits are gained when many use the same solutions, and time-consuming service and product development is accelerated, easier and cheaper when the frameworks to be applied are known in advance. Through the spread of standards, training is simplified and the range of competence is subsequently improved. Standards also increase transparency between organizations, which facilitates requirement specification and assessment of security levels for products, systems and entire organizations.


2.2.3 Competence and awareness

IT usage has become an integrated part of most organizations and in society in general. Deficiencies in competence lead to vulnerabilities, and the need for knowledge is therefore substantial. A variety of initiatives are consequently needed in society in the form of information, training and practical exercises, with the objective of eventually creating an information security culture. Investments in training must be made in organizations and educational systems, and efforts should be made to increase information security awareness in society on the whole, for example, by supporting general education in the field.

2.2.4 Collaboration

Due to the complexity, cross-border character and rapid pace of development of information security, effective information sharing and collaboration is necessary to achieve good results. This concerns collaboration between various entities in Sweden, such as authorities on the national, county and municipal levels, trade and industry and interest groups, as well as international collaboration. Good collaboration in civil information security is important under normal conditions, but is a necessity for creating good operative capabilities during emergencies.

2.2.5 Resources

To succeed in achieving secure and assured information handling in society, resources must be put into information security. Security aspects are not to be seen as an extra burden, but rather as a self-evident investment to achieve the intended function and quality. Investments in information handling are often made to make societal services more efficient and rational. It is therefore reasonable that portions of the savings are invested in attaining quality and robustness through increased security efforts. Costs for integrating and improving security should always be compared with what it would cost not to do this.

2.2.6 Rules and regulations

A requirement for good civil information security is that there are rules that are applicable to current information handling. Legislative enactments are necessary to achieve this objective. These enactments should be generic and technology-independent so as to ensure long-term applicability even during periods of rapid technical development.

3 Execution

The proposed measures submitted in this action plan address information and responsibilities, time allocations and cost estimates in the field of information security, and embrace all of society, during both normal conditions and emergencies. The execution phase will involve many entities that independently or jointly carry out the measures. The specified allocations of responsibility refer to the entity or entities that are to assume responsibility for execution of each of the proposed measures. The starting point for execution of that which is specified in the action plan is based on the responsibility principle.

Furthermore, the times allotted for the various proposed measures vary. Time allocations are specified within the framework of the year during which a measure should be initiated or the period during which a measure is scheduled for execution, varying from one to five years. The action plan contains 47 proposed measures that should be realized during a five-year period.

Some can be carried out immediately and at low cost, while others can only be carried out on the long-term and involve major costs. A cost estimate is specified for each of the proposed measures. Cost estimates are indicated with the following categorization:

Cost neutral: Negligible costs or costs that are encompassed by an agency’s ordinary operations
Minor: Under SEK 5 million
Moderate: SEK 5–10 million
Major: Over SEK 10 million

The costs for the proposed measures are estimated on a yearly basis for each concerned agency.

3.1 Adoption of proposed measures

The action plan consists of a total of 47 proposed measures. The measures that are deemed as especially important and comprehensive are described in this section. In other sections, a number of other measures are presented that are also deemed as important to implement. SEMA suggests that the government adopt the following:

Proposed Measure 4: Survey of legislation in the field of information security (Chapter 4)

The government should commission an investigating body to conduct a full survey of improvements that concern the field of information security.

Costs: The proposed measure entails moderate costs.
Time: Should begin during 2008

Responsibility: Government investigation (SOU)


Proposed Measure 5: Right to issue regulations in the field of information security (Chapter 4)

The government should authorize MSB to issue regulations and general advice so that government agencies are able to satisfy fundamental and special additional requirements for information security. The proposed measure for authorization is presented in Appendix 2.

Costs: The proposed measure entails low to moderate costs.
Time: During 2009

Responsibility: The government

Proposed Measure 6: Agency top management’s formal assumption of responsibility for dealing with information security risks (Chapter 5)

The government should make the decision to require government agencies to specify in their annual reports the ways in which the applicable demands for information security have been fulfilled.

Costs: The proposed measure is cost neutral.
Time: During 2009

Responsibility: All agencies

Proposed Measure 16: National knowledge center for information security (Chapter 6)

The government should commission MSB to investigate in detail how a national knowledge center for information security can be established. The purpose of the knowledge center would be to increase and coordinate professional knowledge development, and to constitute a center of expertise in the field. The knowledge center can be organized in the form of a foundation with a steering group that includes concerned parties from the government, trade and industry and academia. The center can be partially financed through government subventions.

Costs: The proposed measure entails low costs. Time: During 2009

Responsibility: MSB in collaboration with trade and industry, and universities and colleges

Proposed Measure 26: Operative national collaboration (Chapter 7)

The government should commission SEMA and the concerned agencies to submit information to the government about how one can create an administrative and technical infrastructure for information sharing and responses within information security for all of society. The proposed measure should embrace joint knowledge sharing, a joint situational awareness function and the operative capacity to deal with extensive IT incidents. The organization is to operate under both normal conditions and during emergencies.

Costs: The proposed measure entails low costs. Time: Should begin during 2008

Responsibility: SEMA in collaboration with concerned agencies, and trade and industry


Proposed Measure 28: Mandatory incident reporting (Chapter 7)

The government should require that government agencies report information-related incidents, with the exception of the types of incidents that are exempted by legislation. Requirements for immediate reporting would apply to larger incidents that produced or could have produced serious consequences. Also see Proposed Measure 26.

Costs: The proposed measure entails low costs. Time: Should begin during 2010

Responsibility: All government agencies

Proposed Measure 29: Development of the capacity to prevent and suppress IT-related criminality (Chapter 7)

The government should allocate special funds to the Swedish National Police Board for development of the capacity to prevent and suppress IT-related criminality.

Costs: The proposed measure entails moderate to high costs. Time: Should begin during 2009

Responsibility: The government

Proposed Measure 36: Establishment of forum for collaboration within the framework of EPCIP (Chapter 7)

The government should commission MSB – with the support of PTS and prior to Sweden’s chairmanship in the EU in the fall of 2009 – to develop an EU forum for sector-comprehensive collaboration in information security and protection of critical information infrastructures. Such a forum should be based on existing EPCIP collaboration (European Programme for Critical Infrastructure Protection).

Costs: The proposed measure entails low costs. Time: Should begin during 2009

Responsibility: MSB with support of PTS

Proposed Measure 47: Government-coordinated initiative for security of digital control systems in critical societal functions (Chapter 9)

The government should commission MSB to conduct a government program for security of digital control systems. The intention of such an initiative is to create an improved national capability to prevent and deal with disturbances in the information and communications systems that are used for regulation, monitoring and control of critical societal functions.

Costs: The proposed measure entails high costs. Time: 2009–2011

Responsibility: MSB in collaboration with concerned government agencies, and trade and industry


3.2 Administration of the action plan

3.2.1 Background information

Administration includes following up how the proposed measures are being executed, and revising the action plan and putting it into concrete form based on needs and changed conditions. In this way, the action plan can be constantly adapted to societal developments. The action plan should be updated on an annual basis, beginning in 2009. Administration of the action plan should be conducted in broad collaboration with societal entities, in a similar manner as when the plan was prepared. Updated versions of the action plan should be submitted to the government in conjunction with the situational assessment that is currently prepared by SEMA. A clear connection is thus attained between threats, vulnerabilities and trends, and the proposed measures to counteract them. In conjunction with revision of the action plan for 2009, the national strategy should also be updated. Because of the large number of events that have occurred in the field of information security in recent times, a new strategy should be formulated. Once an updated strategy has been formulated, it should be revised in a cycle of three to five years.

3.2.2 Proposed measures

Administration objective

The overall objective of administration is to attain a continual process in which both the strategy and action plan are updated on a regular basis.

Proposed Measure 1: Administration of the action plan during 2008

The government should commission SEMA – in collaboration with the concerned government agencies – to administer the action plan until December 31, 2008.

Costs: The proposed measure is cost neutral. Time: During 2008

Responsibility: SEMA in collaboration with concerned government agencies

Proposed Measure 2: Continued administration of the action plan

The government should commission MSB to administer the action plan beginning in 2009 and to annually report how implementation of the proposed measures is progressing, as well as needs for new measures. Administration of the action plan should be conducted in collaboration with societal entities.

Costs: The proposed measure entails low costs. Time: Should begin during 2009

Responsibility: MSB in collaboration with concerned government agencies

Proposed Measure 3: Strategy updates

The government should commission MSB to submit proposals for updating the national strategy based on current societal developments. Once the strategy has been formulated, it should thereafter be updated in a cycle of three to five years.

Costs: The proposed measure entails moderate costs. Time: 2009

Responsibility: MSB in collaboration with concerned government agencies


4 Legislative review and authorization to issue regulations

4.1 Background information

Rapid developments in the field of information security during recent years have entailed that legislation that concerns information security must be adapted accordingly. It is difficult to achieve good information security on the comprehensive societal level in Sweden without the support of legislation that is adapted as much as possible to current forms of information handling. The regulations that are created in the field of information security should be generic and technology-independent so as not to become quickly obsolete.

Information security has connections to a large number of legal areas, including public administration, accountability, archiving, personal information handling, national security, defense against terrorism, electronic communications and emergency preparedness.

In the Commission on Information Security’s report Secure information – proposals on information security policy (SOU 2005:42, Page 229), it is maintained that legislative changes are necessary (see Appendix 2). Widened, more cohesive and all-embracing rules and regulations are needed that correspond to the wider definition of the information security concept that is presented in the report. In conformity with the investigators’ perception, SEMA is of the opinion that the government should commission an investigation to conduct the extensive and thorough analysis needed to carry out such a legislative review.

There is currently no government agency with the authority to issue regulations and recommendations for information security on a comprehensive and strategic level. It was suggested in the Commission on Information Security’s report (SOU 2005:42, beginning on Page 33) that the government should appoint an agency with authorization to issue regulations on administrative and technical measures for satisfying the fundamental and special requirements of information security at government agencies. In the government bill for stronger emergency preparedness (Bill 2007/08:92) it is stated that the government intends to grant authorization to MSB to issue general regulations.

In specific regard to security legislation and security enactments, the following needs for updating can be identified. The current legislation’s strong connection to the Official Secrets Act and orientation to the concept of national security entails that some legal entities are only encompassed by security legislation to a certain extent and that security protection for defense against terrorism is limited. Another issue that has been identified in the application of security legislation is the outdated description of what is worth protecting in a modern society. It has been shown that many organizations worthy of protection configure their security protection and information security in terms of preparedness planning and thus do not satisfy the requirements for reasonable security. The legislation should have a simpler structure and a modern view of vulnerability and what is worth protecting in society. The provisions shall ensure good security protection and information security, regardless of whether activities are conducted by the public sector or private parties.

4.2 Proposed measures

Objectives for legislative matters

Swedish legislation shall be harmonized with developments in IT and information security.

An agency shall be authorized to issue regulations concerning fundamental and special requirements for government agencies’ administrative and technical information security.

Proposed Measure 4: Survey of legislation in the field of information security

The government should commission an investigating body to conduct a full survey of legislation that concerns the field of information security.

Costs: The proposed measure entails moderate costs. Time: Should begin during 2008

Responsibility: Government investigation (SOU)

Proposed Measure 5: Authorization to issue regulations in the field of information security

The government should authorize MSB to issue regulations and general advice so that government agencies are able to satisfy fundamental and special additional requirements for information security. The proposal for authorization is presented in Appendix 2.

Costs: The proposed measure entails low to moderate costs. Time: During 2009

Responsibility: The government


5 Information security in organizations

Information handling occurs in all segments of society, and information security in Sweden is consequently dependent on a large number of entities. Authorities on the national, county and municipal levels, businesses and other organizations handle information that is more or less confidential and critical in respect to integrity and availability. Having good information security is an important internal matter for most organizations in satisfying their quality and efficiency requirements. At the same time, information security cannot be considered solely as an internal matter for organizations. Flows of services and products move along several paths. Deficient information security can have consequences far beyond the boundaries of an organization. It is ultimately a matter of establishing and maintaining trust in the entire information society and its services. Problems with trust that affect an organization can, via the branch or sector, spread to other segments of society.

It is important to point out that information security relates to an organization’s quality. Improving information security does not just entail satisfying external requirements, but rather improving the actual organization. Having good information security must therefore be seen as a quality aspect, a way of achieving good internal control, order and tidiness. Good information security constitutes a prerequisite for several different IT-based services that can provide cost savings or generate revenue for an organization.

To achieve good information security in organizations that are especially worthy of protection (such as those for national security and defense against terrorism) there are requirements in the Security Protection Ordinance (1996:633) stipulating that these organizations shall undergo a security analysis so as to establish appropriate security protection (information security, physical security and protection against insiders) for the operations worthy of protection. There are, however, no expressed requirements relating to the intervals at which security analyses are to be conducted. With consideration to the rapid development at organizations worthy of protection, it is important that in the future, there are requirements stipulating security analyses on a yearly basis.

5.1 Information security responsibility

5.1.1 Background information

As mentioned above, information security should be considered as a quality aspect. Achieving the requisite level of information security is therefore a part of each organization’s responsibility and should be considered as an integrated part of organizational quality and security work. Several reports, however, have indicated that agencies’ top management sometimes have difficulty in handling this responsibility. This can be due to the field being relatively new and that sufficient knowledge is still lacking. There can also be a tendency for agencies’ top management to consider information security matters as something that only concerns IT departments.


It should be further stressed that information security must be integrated into organizations’ quality and efficiency requirements and be a self-evident part of organizational responsibility. Technology shifts – such as the transition from analog to IP telephony – or other changes involving extensive investments should be preceded by continuity planning, risk and vulnerability analyses and security analyses so as to gain an understanding of what the changes entail for the organization and to produce the appropriate requirement specifications.

Some of the problems that can arise during technology shifts can be attributed to deficiencies in setting requirements and in buyer competence. It is therefore very important that procurements of new technology are conducted in a professional manner. This requires that competence is sufficiently high to specify relevant security requirements.

Furthermore, it is important that after implementation, third-party assessments are carried out on a regular basis to ensure that fulfillment of the requirements is maintained. Since the transition to new technology is primarily motivated by economic reasons, it is realistic to require that a portion of the gains achieved from cost-reducing investments is put into such assessments.

5.1.2 Proposed measures

Objectives for information security responsibility

It shall be clearly indicated that information security is a part of organizations’ quality criteria. Organizations’ top management shall be aware that the responsibility for information security is an aspect of organizational responsibility and ensure that there is a sufficient level of competence in their organizations.

Organizations shall be aware of which risks exist for their own organizations and have taken measures to counteract these risks.

For organizations especially worthy of protection and that are subject to the Security Protection Ordinance (1996:633), requirements should be established for annual security analyses. These security analyses should put special focus on information security aspects.

Proposed Measure 6: Government agency top management’s formal assumption of responsibility for dealing with information security risks

The government should make the decision to require government agencies to specify in their annual reports the ways in which the applicable demands for information security have been fulfilled.

Costs: The proposed measure is cost neutral. Time: During 2009

Responsibility: All government agencies


Proposed Measure 7: Clarification of information security guidelines for risk and vulnerability analyses

Information and recommendations for risk and vulnerability analyses regarding information security should be clarified in guidelines that are based on the act concerning municipalities’ and county councils’ measures prior to and during exceptional events in peacetime and during heightened preparedness (2006:544), and the ordinance on emergency preparedness and heightened preparedness (2006:942) that regulate the public sector’s risk and vulnerability analyses. The task should be assigned to MSB due to this being something that is currently within SEMA’s domain.

Costs: The proposed measure is cost neutral. Time: During 2009

Responsibility: MSB

Proposed Measure 8: Recommendations for specifying requirements during procurements

Information and recommendations should be prepared for how information security should be considered in conjunction with procurements. Information and recommendations should encompass:

• Risk analyses

• Continuity planning

• Requirement specification during procurement

• Third-party assessments

Costs: The proposed measure entails low costs. Time: Should begin during 2009

Responsibility: FMV and Verva

Proposed Measure 9: Information material for government agencies’ top management

Informational materials should be prepared for government agencies’ top management that provide an introduction to information security and describe the responsibilities of the agencies’ top management in regard to information security.

Costs: The proposed measure is cost neutral. Time: During 2009

Responsibility: MSB

5.2 Information security management systems

5.2.1 Background information

The information security management system (ISMS) is an aid for how to manage information security in organizations. The international standard series ISO/IEC 27000 is a management system in which the starting point for the level of security is an organization-adapted risk analysis, and in which information security tasks follow a distinct process. Application of the standards in this series facilitates work with information security within organizations and also improves capabilities for externally assessing security and revising it in a uniform manner.

Verva’s regulations for the application of information security standards by government agencies (VERVAFS 2007:2) have been in effect since January 1, 2008. The regulations entail mandatory application of the standards ISO/IEC 27001 and 27002 on the part of government agencies. Although the regulations are limited to government agencies, it should be recommended that other organizations also apply these standards. The long-term objective should be application even by municipalities and county councils, as well as entities in trade and industry that have critical societal functions.

A problem that is often mentioned is that the standards are expensive and can be difficult to implement. This is especially noticeable for smaller organizations and in academic contexts. Supporting materials for work with these standards should therefore be prepared and made available, which will lead to wider adoption and better implementation.

The standard series for an information security management system can be difficult to understand for those who are not familiar with information security. This can lead to communications problems between top management and those responsible for information security. To obtain a better overview of a management system’s status, one can create methods for evaluation and measurement. These can then be used during internal evaluations or during internal and external audits. Through a distributed solution, the methods can be used to consolidate the statuses of several organizations. They can also be used inversely, to compare individual organizations’ levels with those of other organizations.

Verva motivates its regulations for government agencies’ work with secure electronic information exchange with the argument that an organization’s internal information security is a prerequisite for secure information exchange between organizations. This also applies to the medical care sector where critical information is communicated electronically. This is one of the reasons why internal information security in medical care organizations must be regulated in a uniform manner. In common with government agencies, the medical care sector should therefore apply the standards ISO/IEC 27001 and 27002. The degree to which these standards should be adapted to the medical care sector, or complemented with guidelines for implementation within the medical care sector, should be examined.

5.2.2 Proposed measures

Objectives for information security management systems

Information security work in organizations shall comply with applicable standards for management systems in the field.

Entities and functions in the medical care sector shall have very strong capacity to deal with serious disturbances and emergencies.


Proposed Measure 10: Recommendations for application of the standards ISO/IEC 27001 and 27002

Recommendations should be issued for organizations that are not covered by Verva’s regulations that they shall apply the standards ISO/IEC 27001 and 27002.

Costs: The proposed measure is cost neutral. Time: During 2009

Responsibility: Verva

Proposed Measure 11: Supporting material for implementation of information security management systems

Detailed material should be prepared that supports application of the standards ISO/IEC 27001 and 27002. Existing material can serve as a starting point and be adapted to the standards ISO/IEC 27001 and 27002.

Costs: The proposed measure is cost neutral. Time: During 2009

Responsibility: Remains to be clarified

Proposed Measure 12: Development and implementation of an evaluation system for information security

A system should be developed and implemented for evaluation of government agencies’ information security. The system should make it possible, during internal evaluations and during internal and external audits, to assess how the requirements set for government agencies’ information security are complied with.

Costs: The proposed measure entails low costs. Time: During 2009

Responsibility: MSB in collaboration with concerned government agencies

5.3 Framework for governmental information security

5.3.1 Background information

Information security measures that are to be implemented or planned in government organizations must be placed in a common framework. Security requirements for organizations vary depending on which information assets they have at their disposal and the threats that must be taken into consideration. To achieve adequate protection for information assets and services, measures must be chosen so that there is a balance between the costs of the measures and the consequences that incidents can lead to. Finding the balance between costs for protection and costs that arise in the event of incidents is a key aspect of information security work.

The standards in the ISO/IEC 27000 series have no method or model for classification of information assets, which is an important prerequisite for being able to evaluate the need for information security in organizations in a uniform manner. Both in Sweden and abroad, there are good examples of how such classification can be conducted. There is a model in the United States, for example, that is based on the federal Standards for Security Categorization of Federal Information and Information Systems (FIPS PUB 199), and a number of complementing publications within the framework of work on the federal level to implement the rules and regulations of the Federal Information Security Management Act (FISMA). A general classification model for information has also been created by SEMA, within the framework of the analysis tool BITS Plus (baseline for information security).

The work described above is being conducted on a long-term basis. A large portion of it should be coordinated and structured within the government to a higher degree than what has been the case thus far. The reasons for this are to reduce the government’s costs, to avoid duplicating tasks, and to coordinate and utilize expertise in the best possible manner.

A framework that enables such coordination of information security tasks can consist of a standard model for how information and information systems are classified. Classification of assets is based both on the types of protection that are necessary (confidentiality, integrity and availability), and the seriousness of the consequences in the event of an incident. For the respective information classes according to the above, advice, instructions and regulations can be provided for protective measures based on standards (ISMS, Common Criteria, etc.). These can be complemented with tailored instructions for individual sectors, such as the financial sector, the medical care sector and the energy sector. Organizations can therewith determine levels for their security work by:

• Identifying and defining their information assets and systems.

• Classifying these in accordance with the above-mentioned standards.

• Applying protective measures for each class based on, for example, advice, instructions or regulations.

Adaptations can be made when applying the framework in a specific organization. Through development of such a framework, societal resources can be coordinated and a “learning system” created in which experiences from one organization can be gathered and lead to improvements that benefit other organizations.
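The classification step of the framework sketched above, as an added example that is not SEMA’s model or BITS Plus: it assumes a FIPS 199-style three-level consequence scale (LOW, MODERATE, HIGH) for each of confidentiality, integrity and availability, aggregates a system’s class with the FIPS 199 “high water mark” rule, and then uses the resulting class to prioritize systems and to flag where the implemented baseline falls short of the required class. The asset inventory and the implemented-baseline mapping are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Assumed three-level consequence scale (as in FIPS 199); order matters."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One kind of information with its potential impact per security objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


@dataclass(frozen=True)
class InformationSystem:
    """A system together with the information types it stores or processes."""
    name: str
    information_types: tuple  # tuple of InformationType


def categorize_system(system: InformationSystem) -> dict:
    """High-water mark: for each objective, the highest impact among the
    system's information types. A system with no identified information
    types cannot be classified, so that is treated as an inventory error."""
    if not system.information_types:
        raise ValueError(f"{system.name}: no information types identified")
    return {
        objective: max(getattr(t, objective) for t in system.information_types)
        for objective in OBJECTIVES
    }


def overall_impact(category: dict) -> Impact:
    """Single class for the system: the highest of the three objectives."""
    return max(category.values())


def format_category(category: dict) -> str:
    """Render in the FIPS 199 notation, e.g.
    SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, LOW)}"""
    parts = ", ".join(f"({o}, {category[o].name})" for o in OBJECTIVES)
    return "SC = {" + parts + "}"


def prioritize(systems) -> list:
    """Order systems by overall class, highest first, as an aid in deciding
    where protective measures are applied first (ties keep inventory order)."""
    return sorted(systems, key=lambda s: overall_impact(categorize_system(s)),
                  reverse=True)


def protection_gaps(systems, implemented: dict) -> list:
    """Compare the required class with the baseline actually in place
    (constructed mapping: system name -> Impact of the implemented baseline).
    Returns (name, required, implemented) for every system whose baseline is
    below its class; a system missing from the mapping has no baseline at all."""
    gaps = []
    for s in systems:
        required = overall_impact(categorize_system(s))
        actual = implemented.get(s.name)
        if actual is None or actual < required:
            gaps.append((s.name, required, actual))
    return gaps


# Constructed sample inventory (not from the report).
PAYROLL = InformationSystem("payroll", (
    InformationType("salary records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InformationType("tax reporting", Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
))
PUBLIC_WEB = InformationSystem("public web site", (
    InformationType("press releases", Impact.LOW, Impact.MODERATE, Impact.LOW),
))
DISPATCH = InformationSystem("emergency dispatch", (
    InformationType("incident queue", Impact.MODERATE, Impact.HIGH, Impact.HIGH),
    InformationType("caller details", Impact.HIGH, Impact.MODERATE, Impact.HIGH),
))
INVENTORY = (PUBLIC_WEB, PAYROLL, DISPATCH)

# Constructed: the baseline each system currently has in place.
IMPLEMENTED = {"payroll": Impact.MODERATE, "emergency dispatch": Impact.HIGH}

if __name__ == "__main__":
    for system in prioritize(INVENTORY):
        cat = categorize_system(system)
        print(f"{system.name:20s} {format_category(cat)} -> {overall_impact(cat).name}")
    for name, required, actual in protection_gaps(INVENTORY, IMPLEMENTED):
        have = actual.name if actual is not None else "none"
        print(f"gap: {name} requires {required.name}, has {have}")
```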

5.3.2 Proposed measures

Objective for framework for governmental information security

There should be a common governmental framework for classification of information assets.

Proposed Measure 13: Common model for classification of information assets

A common model should be developed for classification of information assets. A method for the model shall be developed that supports identification, evaluation and classification of information assets. The method can be used as guidance for organizations in classifying information assets, and can thus serve as an aid in prioritizing and deciding on protective measures.

Costs: The proposed measure entails moderate costs. Time: Should begin during 2009

Responsibility: MSB in collaboration with concerned government agencies


5.4 Fundamental security level for information security

5.4.1 Background information

As a part of achieving a robust information infrastructure in society, a common lowest information security level must be established. Such a fundamental level for information security shall not take consideration to the specific threat assessment for an organization, but rather reflect the general threat assessment in the form of, for example, malicious code, intrusion and internal threats. To eventually establish common trust in information security in Sweden, the application of management systems for information security must be complemented with a fundamental security level. This shall be adapted as closely as possible to the standards ISO/IEC 27001 and 27002, and together with these standards, provide a common framework for managing information security.

In this context, the government should serve as an example for the rest of society. All government agencies shall at least attain the fundamental security level. Regulations must therefore be issued that constitute the requirements for government agencies. Other organizations in society will be advised to at least attain the fundamental security level for information security. For municipalities, county councils, and trade and industry, the regulations will constitute recommendations that must be complied with to electronically communicate and exchange information with the national government agencies that are to comply with the regulations.

Because the regulations and recommendations deal with a defined, fundamental security level, they must be continually updated to keep pace with the rapid development in the field of information security.

5.4.2 Proposed measures

Objective for fundamental security level for information security

Each organization shall maintain fundamental information security that is appropriate for the general threat assessment regarding the organization’s information assets.

Proposed Measure 14: A fundamental security level for information security in Sweden

A fundamental security level should be defined for information security in Sweden. It shall be applied based on the model for classification of information assets that is specified in Proposed Measure 13, and should be linked to the standards ISO/IEC 27001 and ISO/IEC 27002. During the transition period for a decreed fundamental security level, compliance with the existing fundamental level for information security (BITS) is advisable.

Costs: The proposed measure entails moderate costs. Time: Should begin during 2008

Responsibility: SEMA in collaboration with concerned government agencies


Proposed Measure 15: Recommendations for fundamental security level

MSB, in collaboration with concerned government agencies, should prepare recommendations for municipalities, county councils, and trade and industry based on the fundamental information security that applies for national government agencies.

Costs: The proposed measure is cost neutral. Time: Should begin during 2009

Responsibility: MSB in collaboration with concerned government agencies


6 Competence supply

Knowledge of the risks involved in utilizing IT and the Internet must be strengthened at an early stage and become an integrated and natural part of initial IT usage. This must thereafter be included in all further schooling, including higher education, not least as an integrated part of the academic programs that lead to careers with significant elements of information handling. The human factor is critical in many organizations. Several studies show that a majority of incident costs can be attributed to deficiencies in awareness and competence on the part of management, users and IT personnel. Various types of knowledge are needed in organizations in a variety of different roles. It is people who develop, install, configure and use technical systems. It is people who formulate, communicate and monitor administrative systems. An especially important group from an information security perspective is constituted by organizations’ top management. This is because they have the ultimate responsibility for organizational quality and security, and make decisions on protective measures.

A field as multi-faceted as information security must be studied in more depth. This can be done via research. A national focus on research and research studies is necessary to maintain both general knowledge and expert knowledge in the field. Increased national research and research studies also improve teaching skills in the field at colleges and universities.

6.1 Knowledge center for information security

6.1.1 Background information

A national knowledge center is needed for information security with national and international experts. The center can serve as expert support, a think-tank and as a common meeting place for both university/college students and staff, and practitioners in the field of information security.

A national knowledge center for information security entails a clear interface to society on the whole and can, for example, facilitate recruitment of teachers, students and researchers. A collective knowledge center can also lead to synergy effects and a critical mass of students, teachers, practitioners and researchers with, for example, increased business startups as a result. The knowledge center could set up scholarships for university/college students and staff, and/or practitioners in information security so as to stimulate expert knowledge development.

6.1.2 Proposed measure

Objective for knowledge center

Create the prerequisites for gathering and coordinating expert knowledge development in information security.


Proposed Measure 16: National knowledge center for information security

The government should commission MSB to investigate more closely how a national knowledge center for information security can be established. The purpose of the knowledge center would be to increase and coordinate the development of expert knowledge, and to constitute a center of expertise in the field. The knowledge center can be organized in the form of a foundation with a steering group that includes concerned parties from government, trade and industry, and academia. The center can be partially financed through government subsidies.

Costs: The proposed measure entails low costs. Time: During 2009

Responsibility: MSB in collaboration with trade and industry, and universities and colleges

6.2 Awareness of information security in society

6.2.1 Background information

Most people in Sweden now use IT at home. With the development of electronic services, we use the Internet for many different purposes, such as banking, shopping and travel reservations. The expansion of electronic government administration means that many societal services, such as education and care services, will be accessible from the home via computers. At the same time, the risk of being exposed to malicious code and IT-related crime is increasing. This development places stringent demands on security awareness in society. The public sector should take responsibility in this area by providing information and instruction in security matters.

It is important that measures to increase competence and awareness are not limited to academia and to trade and industry. The spread of technology means that measures must also be directed at those who are not reached via schools and workplaces. The campaign Surfa lugnt (surf calmly) is one example of this. The campaign is directed at home users, small business owners and young people (including parents and teachers), and thus plays a key role in efforts to achieve increased information security awareness in Swedish society. The campaign also works with adult education in Sweden, which has an important role in this context.

6.2.2 Proposed measures

Objectives for awareness of information security in society

All who use IT shall be given the opportunity to become familiar with the threats, risks and vulnerabilities that are associated with IT, and to gain an understanding of how one protects oneself and where advice can be obtained.

Proposed Measure 17: Expansion of Surfa lugnt campaign

The awareness-heightening campaign Surfa lugnt should be further developed and receive increased support for intensifying and widening its activities.


Costs: The proposed measure entails low to moderate costs. Time: 2009-2012

Responsibility: Concerned government agencies

Proposed Measure 18: Stimulate adult education in information security

The concerned agencies should develop concrete proposals for how adult education in information security can be stimulated and for how the range and availability of educational programs (courses, study circles, further training of teachers, etc.) can be increased, as one aspect of raising security awareness on a broad front in society.

Costs: The proposed measure entails low to moderate costs. Time: Should begin during 2009

Responsibility: Concerned government agencies

6.3 Elementary schools and high schools

6.3.1 Background information

Information security should be included in the curricula of elementary schools from an early stage and until schooling is completed. Instructing students at the elementary and high school levels requires competence on the part of the teachers. Teachers at the various levels should therefore be offered further education in information security. Of special importance are matters of ethics relating to the use of IT and the Internet; ethical matters can be seen as an important aspect of information security.

6.3.2 Proposed measures

Objectives for elementary schools and high schools

Education in information security and IT ethics shall be included throughout schooling, beginning in lower elementary school.

Information security and IT ethics shall be included in an integrated manner in all academic programs in which IT is used or that lead to career roles in which information handling is an important aspect.

Proposed Measure 19: Recommendations for elementary schools and high schools

Recommendations should be prepared for elementary and high schools concerning how information security and IT ethics should be integrated into the various types of academic programs.

Costs: The proposed measure entails low to moderate costs. Time: Should begin during 2009

Responsibility: Remains to be clarified

References

Related documents