Guideline 63. Security policies and measures for transactions and digital certificates


The institution establishes ICT-related security policies and measures to protect transactions performed in the social security agreement as well as the digital certificates.

Guideline code
ICT_08400
Mechanism
  • The ICT unit should implement specific security measures in the access control systems related to transactions and digital certificates.
    • Only authorized staff should be able to access the software application(s) managing the operations implementing the agreement system as well as the related information.
    • Access control may be based on the digital certificates used to sign the exchanges.
  • The ICT unit should implement an inventory of certificates, specifying the respective owners.
  • The ICT unit should implement specific security measures in database systems, networks and communication systems related to electronic transactions and digital certificates.
    • Database access rights should be granted to business users according to their duties and responsibilities.
    • Networks and communication systems should be configured to use secured protocols, especially for internet-based exchanges (e.g. using HTTPS).
  • The ICT department should implement security measures governing access to and handling of digital certificates, as well as physical security measures for the infrastructure involved. Access to these objects should be highly restricted.
  • The ICT unit should establish information security policies and protocols to govern interaction between human resources and certificates, emphasizing security prior to, during and following termination of employment. These protocols should apply to all staff: internal, external consultants, contractors and temporary staff.
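The following is an added illustration, not part of the Guidelines, of how the measures above fit together in code: a certificate inventory that records each certificate's owner, an access decision for a signed exchange that checks the signing certificate against that inventory, the owner's employment status and the owner's permitted operations, plus two checks an ICT unit would run routinely (certificates whose owner has left, and certificates about to expire). All fingerprints, staff names, dates and operation names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime


def _ts(s):
    """Parse an ISO 8601 timestamp with UTC offset into an aware datetime."""
    return datetime.fromisoformat(s)


@dataclass(frozen=True)
class CertEntry:
    """One inventory row: fingerprint, owner, validity window, permitted operations."""
    fingerprint: str
    owner: str
    not_before: datetime
    not_after: datetime
    operations: frozenset


# Constructed sample inventory (hypothetical fingerprints, owners and operation names).
INVENTORY = {e.fingerprint: e for e in [
    CertEntry("sha256:aa11", "alice", _ts("2024-01-01T00:00:00+00:00"),
              _ts("2026-01-01T00:00:00+00:00"), frozenset({"submit_claim", "query_status"})),
    CertEntry("sha256:bb22", "bob", _ts("2024-01-01T00:00:00+00:00"),
              _ts("2026-01-01T00:00:00+00:00"), frozenset({"query_status"})),
    CertEntry("sha256:cc33", "carol", _ts("2023-01-01T00:00:00+00:00"),
              _ts("2025-01-01T00:00:00+00:00"), frozenset({"submit_claim"})),
]}

# Constructed staff register: a certificate must stop granting access once employment ends.
STAFF_ACTIVE = {"alice": True, "bob": False, "carol": True}


def authorize_exchange(fingerprint, operation, at_iso):
    """Decide whether an exchange signed by the certificate with this fingerprint may
    perform `operation` at time `at_iso`. Returns (allowed, reason)."""
    at = _ts(at_iso)
    entry = INVENTORY.get(fingerprint)
    if entry is None:
        return False, "certificate not in inventory"
    if not entry.not_before <= at <= entry.not_after:
        return False, "certificate outside validity window"
    if not STAFF_ACTIVE.get(entry.owner, False):
        return False, f"owner {entry.owner} is no longer active staff"
    if operation not in entry.operations:
        return False, f"owner {entry.owner} is not permitted to {operation}"
    return True, "ok"


def orphaned_certificates():
    """Fingerprints whose owner has left: revoke them and remove them from the inventory."""
    return sorted(f for f, e in INVENTORY.items() if not STAFF_ACTIVE.get(e.owner, False))


def expiring_within(days, at_iso):
    """Fingerprints of not-yet-expired certificates that expire within `days` of `at_iso`."""
    at = _ts(at_iso)
    return sorted(f for f, e in INVENTORY.items()
                  if at <= e.not_after and (e.not_after - at).days < days)
```

The decision deliberately fails closed: a certificate that is valid but unknown to the inventory, or whose owner is no longer on the staff register, is rejected before the operation is even considered.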
Structure
  • The board and management, with the assistance of the ICT unit, should establish security policies for transactions performed in the social security agreement as well as for digital certificates.
  • The board and management should commission the ICT unit to implement data security policies related to transactions and digital certificates.
  • The security policies and measures to protect transactions and digital certificates should follow the institutional data security framework, as well as the international standard ISO/IEC 27002:2005 Information technology – Security techniques, and the recommendations of the current set of Guidelines, particularly Section B.2, Data Security and Privacy.