Periodic Reporting for period 2 - EU-SEC (The European Security Certification Framework)
Reporting period: 2018-07-01 to 2019-12-31
The EU-SEC project has worked on addressing these issues by creating the EU-SEC framework, which covers two main innovations: (i) a multiparty recognition framework for third-party audit-based certification and (ii) a new approach to cloud assurance, especially in the context of high-risk applications, based on continuous auditing-based certification. The framework's development and innovations focus on automation, systematic governance, mutual recognition of certifications, reusability of already certified components, continuous audit, and monitoring, in order to increase confidence in cloud certification while reducing the overall duration and cost of cloud certification processes.
The EU-SEC framework and both innovations have been developed and validated using two real-world pilots. In addition, the EU-SEC Project supported the initial effort from CSA for creating a Code of Conduct for GDPR compliance. The Privacy Level Agreement (PLA) Code of Conduct (CoC) provides guidance and support to CSPs as they work towards demonstrating compliance with the requirements of GDPR. Compliance can be achieved via PLA CoC Self-Attestation and PLA CoC Third-Party Certification.
Adopting the EU-SEC framework, stakeholders in the ICT security certification ecosystem will be equipped with a validated governance structure, an EU-SEC reference architecture, and the corresponding set of tools to improve the efficiency and effectiveness of existing security certification schemes. The EU-SEC framework addresses the issues related to security governance, risk management and compliance in the cloud while also enhancing trustworthiness and transparency in the ICT supply chain through positive results and business cases developed by industrial partners.
The two main innovations realized within the EU-SEC framework are the EU-SEC Multi-Party Recognition Framework (MPRF) and the EU-SEC Continuous Auditing-based Certification (CACS). While the MPRF enables mutual recognition between different cloud security certification schemes, CACS provides continuous assurance by addressing the lack of regularity and proactivity of traditional “point-in-time” certifications. As part of the two main EU-SEC innovations, further tools, facilities and methods have been developed, extended and tested in the course of the project as part of the EU-SEC reference architecture. These tools, facilities and methods, namely the EU-SEC requirements repository, the EU-SEC Audit API, the Nuvla Extension for Evidence and the STARwatch registry Extension, are an essential part of the EU-SEC framework and are further exploited by individual partners. The EU-SEC framework, its architecture and its tools have been validated within two pilots and reached TRL 7+, as envisioned in the DoA.
After conducting the two pilots, the EU-SEC project entered an extensive dissemination and fast exploitation phase by discussing the project’s main innovations with a broader audience. For both innovations, the project elaborated a training and awareness plan as well as training material, leading to the so-called EU-SEC Training and Awareness Packages, which contain explanatory videos, how-to documents, white papers and training slides and are available on the project website. Following the business canvas method, the relevant stakeholder groups were identified for both innovations in order to subsequently derive stakeholder-specific exploitation strategies. The results of the Business Canvas workshops were discussed and sharpened in public workshops with a broader audience and with the EU-SEC Advisory Board, and were subsequently integrated into the individual exploitation strategies of the partners. Finally, both innovations were presented to ENISA representatives and integrated into the process of shaping the European Cybersecurity Act through initiatives such as CSP CERT.