SEPAD description - CIRCA - Europa
Problem statement
In 2003-2004, following a call for tender initiated by ADMIN/IAC, an external company performed an audit and issued a report on the access rights management of the DG ADMIN information systems. The development and implementation of a DG ADMIN specific security policy was one of the most important outcomes of that audit.
The specific recommendations were formally accepted by the DG as tasks to be performed as soon as possible; however, mainly due to a lack of human resources, the recommendations have not been implemented to date.
The recommendations
A project should be set up to develop and implement a DG ADMIN specific security policy in compliance with the I.S. Security Policy. This should define the list of controls that need to be applied on an on-going basis, the scope or depth of the controls, as well as who should operate the controls.
A record of all information systems in DG ADMIN should be created, with an assessment of the risk factors and the preventive and corrective measures introduced.
A record should be created of all the persons authorised to maintain, modify or use any part of any of the information systems in DG ADMIN, specifying the exact type of authorisation granted to each individual.
The checks required by the I.S. Security Policy should be executed, and reporting to management should be prepared.
The SEPAD project
The project goal is to develop and implement a DG ADMIN specific security policy and controls on access rights management, taking into account the recommendations mentioned above.
Legal basis
Commission Decision 2001/844/EC, on Commission provisions on security;
Commission Decision C(2006) 3602, on the security of information systems.
Additional Documents
Information Systems Security Policy (version 2001)
Organisation
Steering Committee composition:
Adviser for Data protection and IT security;
IRMs of DG ADMIN;
Head of Unit of ADMIN/DS.5;
Representative from the system owners;
LISO of DG ADMIN (project coordinator).
Phases
Create an inventory of all information systems in DG ADMIN, with an assessment of the risk factors associated with them;
Create a "Security Policy" high level document, and define the list of controls that need to be applied on an on-going basis;
Define preventive and corrective measures to mitigate the recorded risks;
Create a record of all the persons authorised to maintain, modify or use any part of any of the information systems in DG ADMIN;
Supervise the implementation of the established controls ("running-in" phase).
Indicative Timetable
Inventory of all information systems in DG ADMIN, with an assessment of the risk factors associated with them: by May 2007
"Security Policy" high level document, with the list of controls that need to be applied on an on-going basis: first version by July 2007, final version by mid-2008 (end of project)
List of preventive and corrective measures to mitigate the recorded risks: by November 2007
Record of all the persons authorised to maintain, modify or use any part of any of the information systems in DG ADMIN: by November 2007
Running-in: January - April 2008
Contact
LISO of DG ADMIN (Mr. Petros Kosmetatos, tel. 54874, or by email: admin-liso@ec.europa.eu)
Adviser for Data protection and IT security (Mr. Patrice Marcelli, tel. 52556)