ISA² - Interoperability solutions for public administrations, businesses and citizens

Making the usage of Cloud safer

GOVSEC

2018.09 GovSEC Cloud – Security Governance for Cloud

When is this action of interest to you? 

You are a public administrator using services in the Cloud and you want to make sure your data and applications are safe.

What is this action about?

Public administrators are responsible for the operations and data safety of the information systems they manage. The Cloud presents them with undeniable opportunities (in many aspects) but is not free of challenges and concerns. While IT and information security and compliance raise many questions in the cloud, not all responsible officers yet have the knowledge and tools required to deal with those challenges. The GovSEC action intends to provide responsible officers with a simple and understandable tool to assess security and data protection risks, supporting their respective regulations and methodologies. GovSEC will assist IT specialists in producing security plans involving lists of actions to take in line with the various IT scenarios they face.

What are the objectives?

Security and data protection are important matters for everyone; by objectively reducing the complexity of evaluating risks and assessing compliance (especially in the public sector), GovSEC aims to lower entry barriers in Cloud adoption by:

  • Easing the process for administrators with clear guidelines and application support
  • Limiting the need to involve expensive ad-hoc expertise in terms of security and data protection
  • Keeping an eye on security and data protection as Cloud infrastructures evolve, whereas security assessments often happen once, as a one-shot event at the beginning of the project

The action aims to drastically reduce the time and costs spent on dealing with security and data protection issues.

What are the expected benefits?

For citizens

  • Improving the overall security of the data provided by citizens and making sure that it is adequately protected and properly managed in the Cloud

For EU institutions and other EU bodies

  • Cost-effective solution assisting strong compliance and policy management of security and data protection matters
  • Increase the adoption footprint and raise security baselines by providing guidance and therefore bringing simplification to a sometimes complex matter
  • Enable potential synergies and eventual convergence of security regulations by sharing best practices within the same toolset

For EU Member States

  • Cost-effective solution enabling sound management of security and data protection matters
  • Flexibility. The platform will be able to adapt to Member States' specific methodologies and peculiarities
  • As common placeholders, the practitioners will have an exchange hub for their best practices and lessons learned.

What has been achieved? 

  • testing of the Risk Assessment module
  • exposure of the concept of shared responsibility for IT security between systems/services that depend on one another
  • creating awareness of personal data protection in communities

What are the next steps?

In 2020 the action will focus on:

  • testing the two other modules of the GovSEC project (i.e. Governance and Security Plan) with Member States and adding a DPIA extension
  • opening the modules through the Joinup platform together with the ITSRM2 methodology to start gathering input from the community of practitioners