Police Information Security Scheme
The Minister for Home Affairs and the Minister of Justice,
Having regard to Article 38, third paragraph, and Articles 46 and 48, first paragraph, of the Police Act 1993;
Having regard to the opinion of the corps managers, reference 0113 \1235\EMd ' H, of 17 December 1996, and of the Council of the National Police Services Corps, of 25 October 1996;
Have decided:
For the purposes of this arrangement:
determining the extent to which the business processes supported by information systems depend on the reliability of those systems, and which potential damage may result from the failure of those information systems;
the extent to which the police may rely on an information system for their information provision;
the extent to which an information system is in operation at the time when the police need it;
the extent to which an information system is free of errors;
the extent to which access to, and knowledge of, an information system and the information therein is limited to a defined group of entitled persons;
a set of data collections, persons, procedures, software, and storage, processing and communication equipment;
a set of facilities that is available to one or more information systems within the police and for which responsibility is unambiguously allocated to one organisational unit;
determining the influence of the manifestation of threats on the functioning of an information system or a common IT service;
the establishment and maintenance of a coherent package of measures to ensure the availability, integrity and exclusivity of an information system, and therefore of the information contained therein;
the enumeration of all the security measures, or the whole thereof, in force for an information system or a common IT service;
the enumeration of all the measures to be taken in a situation where the availability, integrity or exclusivity of an information system does not meet the requirements;
the extent to which the whole of the characteristics of an information system meets the requirements resulting from its intended use;
keeping (parts of) an information system in proper working order during operation;
the provision for developing, buying, renting and the like, and for making any adjustments to, (parts of) an information system, such as procedures, software or equipment.
1 This arrangement applies to the whole process of information provision and to the entire life cycle of information systems, regardless of the technology applied and regardless of the nature of the information.
2 The korpschef is responsible for information security, which forms part of the quality assurance of business processes and of the supporting information systems.
3 In the exchange of information between the police and other bodies, agreements shall be made on the reliability of the information systems and of the information contained therein, and on the manner in which assurance of their realisation is obtained.
1 The korpschef lays down the information security policy in a policy document and carries out this policy. Insofar as the information security policy concerns information systems used for the detection of criminal offences, the korpschef adopts the policy document after consultation with the chief public prosecutor.
2 The policy document shall contain at least:
a. the strategic principles and preconditions of the police with regard to information security, in particular its embedding in and alignment with the general security policy and the information policy;
b. the organisation of the security function, including the allocation of responsibilities, duties and powers;
c. the unambiguous and complete classification of the information provision facilities into information systems and common IT services, and the allocation of responsibility for them to officials;
d. the manner in which the policy is translated into concrete measures and the way in which these are financed;
e. the common reliability requirements and measures, determined in accordance with the Annex to this Regulation, that apply within the police;
f. the manner in which detected or suspected breaches of information security are reported by police officers, the police officer to whom such breaches are reported, and the manner in which they are handled;
g. the manner in which, and the frequency with which, according to a fixed schedule, the information security policy is evaluated and the adequacy of that policy and of its implementation is assessed by an independent expert;
h. the manner in which security awareness is promoted; and
i. the measures to be taken in respect of interception facilities within the corps, taking into account the standardisation of interception facilities referred to in Annex II.
The korpschef shall ensure that, for each information system and for each common IT service, the set of information security measures is determined systematically on the basis of the reliability criteria and standard classes referred to in Article 2(2) and Annex I. This duty of care means at least that:
a. for each information system, a dependency analysis is carried out from which the reliability requirements to be set for that information system follow;
b. for each common IT service, a dependency analysis is carried out from which the reliability requirements to be set for that IT service follow;
c. for each information system and for each common IT service, the threats are identified and analysed;
d. for each information system and for each common IT service, security measures are selected by means of a vulnerability analysis so that the reliability requirements set are met;
e. an information security plan is drawn up for each information system and for each common IT service, which includes in any case:
1. an action plan for the implementation of all security measures;
2. a contingency section, the effectiveness of which is tested periodically.
The korpschef shall ensure that, for each business process, the information security measures for the supporting information systems and for each common IT service are laid down, implemented and carried out, and that their operation is checked according to a fixed schedule. This duty of care means at least that:
a. for each information system and for each common IT service, the user measures resulting from the information security plan are laid down and carried out by the operators within the corps;
b. for each information system and for each common IT service, the system operation measures resulting from the information security plan are laid down in writing;
c. the quality of the information security measures taken, and the maintenance of and compliance with those measures, are assessed by an independent party according to a fixed schedule;
d. for each information system and for each common IT service, the system management measures resulting from the information security plan are laid down in writing by the korpschef;
e. the system acquisition measures resulting from the information security plan are tested as to their implementation and operation.
The korpschef shall ensure that the establishment of interception facilities complies with the requirements of the Standardisation of interception facilities set out in Annex II, and that the method of operation of such facilities is described in accordance with it.
The korpschef shall ensure that unauthorised persons cannot take cognizance of criminal intelligence and of information on informants. To that end, the korpschef shall ensure that:
a. this information cannot be found by unauthorised persons;
b. this information is not copied or destroyed, nor removed from the premises referred to in Article 12 of the Decision mandatory police data, without permission;
c. information carriers are destroyed in an appropriate manner;
d. access to automated registers is secured with a user name and periodically changed passwords;
e. adequate security measures are taken in the case of automated transport of criminal intelligence;
f. adequate security measures are taken in the case of a network system, to prevent loss of information and unauthorised searching.
This scheme is based on Article 23, first paragraph, point (b), of the Police Act 2012.
This arrangement shall enter into force on 1 April 1997.
This arrangement is cited as: Police Information Security Scheme.
This arrangement shall be published, together with the explanatory memorandum and the Annex, in the Official Journal and the General Police Gazette.
's-Gravenhage, 17 March 1997
The Minister
of Home Affairs, H.F. Dijkstal
The Minister
of Justice, W. Sorgdrager
Article 2 of the scheme provides that, in the case of data exchange within the police (paragraph 3) and with other bodies (paragraph 4), written agreements are made on the reliability of the information systems and of the information therein.
Of course, such agreements, whether written or not, may also be made in the event of an exchange of information within the police.
These reliability agreements can be made at three levels:
at the level of sensitivity, where the agreements concern the consequences that the reliability of the information and information systems has for the business processes that use them and for the interests of the persons and bodies about whom information is exchanged;
at the level of requirements, where the agreements concern the degree of reliability of the information and the information systems;
at the level of measures, where the agreements concern the realisation of the reliability of the information and the information systems.
It will be clear that agreements at the level of sensitivity offer the exchanging parties little support in actually securing (ensuring the reliability of) the information and information systems, while agreements at the level of measures will be extensive and complex, and their period of validity will also be limited by technological and organisational developments. Agreements on the reliability of information and information systems should therefore be made at the level of requirements. In addition, it is important to define the requirements quantitatively, so that the agreements are measurable.
This Annex defines the criteria and standard classes to be used by the police in formulating requirements for the reliability of information and information systems.
Availability is defined as: the extent to which an information system is in operation at the time when the police need it. For the formulation of availability requirements, the following criteria are available:
Availability period: the time during which the information and the information system are needed. The availability period is expressed in units of time, for example: office hours, 7x24 hours, etc.
Business security: the extent to which data processing remains free of failures, in other words the mean time between the occurrence of availability failures. Business security is expressed in hours, for example: 1 availability failure per 200 hours is acceptable.
Recoverability: the speed at which data processing can be restored after a failure. A distinction can be made between:
the mean duration of an availability failure, and
the maximum permitted duration of an availability failure, both expressed in hours.
Availability is specified here in time-dependent criteria (the moment at which the police need the information system), not in location-dependent criteria (the place where the information system is needed). If location-dependent availability requirements are also needed, the criteria above can be specified per workplace, department, building or organisation.
Integrity is defined as: the extent to which an information system is free of errors. 'Free of errors' means that the information processing takes place according to predetermined specifications. The precondition for making agreements on the integrity of information systems and of the information therein is therefore the presence of specifications of the processing, both automated and manual. For the formulation of integrity requirements, the following criteria are available.
Correctness: the percentage of the data set that is processed by the information system in accordance with the specifications. For example: 95% of the data is processed correctly.
Completeness: the percentage of the data set that is processed by the information system in full (without omissions) and exactly once (without duplication).
Timeliness: the percentage of the data set that is processed by the information system within the specified time frame.
Recovery time: the number of hours after the detection of data that was not processed with integrity within which the recovery must have been carried out.
In those cases where the required correctness, completeness and/or timeliness must be close to 100%, it is sometimes more practical to formulate the requirements as failure probabilities, for example: 1 incorrectly processed transaction per 1000 transactions is acceptable.
Exclusivity is defined as: the extent to which access to, and knowledge of, an information system and the information therein is limited to a defined group of entitled persons. The following criteria can be used for the formulation of exclusivity requirements.
Authorisation: the designation of the group of persons entitled to access to, and knowledge of, an information system and of the information therein. Although authorisation is in fact a specification of exclusivity and not a guarantee of it, it is assumed that the more precisely the group of authorised persons is defined, the higher the required assurance of exclusivity is.
Legality: the degree of assurance that access to, and knowledge of, an information system and of the information therein is available exclusively to persons entitled to it. Legality is expressed as a percentage of the actual use of the information system. For example: 99% of the actual use of the system is permitted use. In those cases where the legality requirement must be close to 100%, it is often more practical to formulate the requirement as a failure probability, for example: 1 unauthorised access per 1000 accesses is acceptable.
Set-aside: the time it takes to obtain unauthorised access to an information system, expressed in hours.
If specific reliability standards were formulated for each individual information system, a complex system of standards would arise. What is to be done if one system sets a business security standard of 1 failure per 200 hours, the next system a standard of 1 failure per 240 hours, and a third system a standard of 1 failure per 300 hours? For making agreements, it will prove more convenient to use standard classes. This scheme distinguishes four classes: 'low', 'medium', 'high' and 'very high'.
It is intended that the standard classes are filled in by the police. The following is an example of a possible interpretation of the standard classes for the various reliability criteria.
| Criterion | Low | Medium | High | Very high |
|---|---|---|---|---|
| Availability | | | | |
| Availability period | Office time | Office time | 7x24 hours | 7x24 hours |
| Business security | 200 hours | 400 hours | 1500 hours | 6000 hours |
| Recoverability | 8 hours | 4 hours | 2 hours | 1 hour |
| Integrity | | | | |
| Correctness | < 90% | 90-95% | 95-99.9% | > 99.9% |
| Completeness | < 90% | 90-95% | 95-99.9% | > 99.9% |
| Timeliness | < 90% | 90-95% | 95-99.9% | > 99.9% |
| Recovery time | > 24 hours | 24-8 hours | 8-1 hour | < 1 hour |
| Exclusivity | | | | |
| Authorisation | Everyone in the corps | Specific departments | Specific functions | Specific persons |
| Legality | 90% | 99% | 99.99% | 99.99% |
| Set-aside | < 2 hours | 2-4 hours | 4-12 hours | > 12 hours |
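Worked example (added here; not part of the regulation or its annex): the example standard classes from the table above, written as a small Python checklist that assigns a measured figure to a class, reports on which criteria a system falls short of the class set for it, and converts between the percentage form and the "1 failure per N" form described earlier in this annex. The criterion names, the direction in which each criterion is read, and the measured figures for the hypothetical system are assumptions made for this example.

```python
"""Annex I example standard classes as a checklist. Added example, not part of
the regulation; class figures are taken from the example table, measured values
are constructed. A 'higher' criterion meets a class when the value reaches the
class figure; a 'lower' criterion meets it when the value stays within it."""
CLASSES = ("low", "medium", "high", "very high")

REQUIREMENTS = {  # criterion: (direction, figure per class, in CLASSES order)
    "business_security_hours": ("higher", (200, 400, 1500, 6000)),  # hours between failures
    "recoverability_hours": ("lower", (8, 4, 2, 1)),                 # hours to restore
    "correctness_pct": ("higher", (0, 90, 95, 99.9)),                # 'low' = under 90%;
    "recovery_time_hours": ("lower", (float("inf"), 24, 8, 1)),      # 'low' = over 24 h
    "legality_pct": ("higher", (90, 99, 99.99, 99.99)),              # share of permitted use
    "set_aside_hours": ("higher", (0, 2, 4, 12)),                    # hours needed for unauthorised access
}  # completeness and timeliness use the same figures as correctness

def meets(criterion, value, cls):
    """True if the measured value satisfies the figure the table gives for cls."""
    direction, figures = REQUIREMENTS[criterion]
    figure = figures[CLASSES.index(cls)]
    return value >= figure if direction == "higher" else value <= figure

def achieved_class(criterion, value):
    """Highest class the value satisfies; None if it misses even 'low'."""
    best = None
    for cls in CLASSES:  # a value exactly on a boundary counts for the higher class
        if meets(criterion, value, cls):
            best = cls
    return best

def failure_rate(pct):
    """Percentage requirement as '1 failure per N' (99.9% -> 1000); None for 100%."""
    return round(100 / (100 - pct)) if pct < 100 else None

def pct_from_failure_rate(n):
    """Inverse: '1 failure per n' as a percentage (1 per 1000 -> 99.9)."""
    return 100 * (1 - 1 / n)

def shortfalls(measured, required):
    """Criteria on which a system misses the class set for it (required: criterion -> class)."""
    return [c for c, cls in required.items() if not meets(c, measured[c], cls)]

# Constructed figures for a hypothetical system with 'high' availability
# requirements and 'very high' exclusivity requirements.
MEASURED = {"business_security_hours": 1200, "recoverability_hours": 1.5,
            "legality_pct": 99.5, "set_aside_hours": 20}
REQUIRED = {"business_security_hours": "high", "recoverability_hours": "high",
            "legality_pct": "very high", "set_aside_hours": "very high"}
if __name__ == "__main__":
    for crit, val in MEASURED.items():
        print(f"{crit}: {val} -> {achieved_class(crit, val)}")
    print("shortfalls:", shortfalls(MEASURED, REQUIRED))  # business security and legality
```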
The set of reliability criteria set out in this annex is not complete and fixed. Like any language, the 'information security language' is still developing. Based on experience in applying the reliability criteria and the standard classes, adjustments and extensions to the set of criteria and to the content of the standard classes are to be expected.