
Implementing Regulation of the European Citizens' Initiative

Original Language Title: Uitvoeringsregeling verordening Europees burgerinitiatief


Regulation of the Minister of the Interior and Kingdom Relations of 5 December 2013, No 2013-0000744418, laying down rules implementing Regulation (EU) No 211/2011 of the European Parliament and of the Council of 16 February 2011 on the citizens' initiative (PbEU 2011, L 65) (Implementing Regulation of the European Citizens' Initiative)

The Minister of the Interior and Kingdom Relations;

Having regard to Article 3 of the Act implementing the European Citizens' Initiative Regulation;

Decides:


Article 1


An application for a certificate as referred to in Article 6(3) of Regulation (EU) No 211/2011 of the European Parliament and of the Council of 16 February 2011 on the citizens' initiative (PbEU 2011, L 65) is made by submitting the fully completed application form set out in Annex 1 to this regulation, accompanied by the fully completed questionnaire set out in Annex 2 to this regulation.


Article 2


This regulation shall enter into force on the day following the date of issue of the Official Journal in which it is published.


Article 3


This regulation shall be cited as: 'Implementing Regulation of the European Citizens' Initiative'.

This regulation shall be published in the Official Journal.

The Minister of the Interior and Kingdom Relations,

R.H.A. Plasterk


Annex 1

[Figure: Application form for certification of an online collection system for the European Citizens' Initiative (three image pages, not reproduced here)]

Annex 2

[Figure: Questionnaire to be completed by the organiser (image page, not reproduced here)]

European Citizens' Initiative:

Contact:

Date filled:


Explanation of the questionnaire

If you want to collect statements of support for your European citizens' initiative online, you will probably use an online system. A system for the online collection of statements of support as referred to in Regulation (EU) No 211/2011 is an information system consisting of software, hardware, a hosting environment, business processes and personnel, intended for the online collection of statements of support. Implementing Regulation (EU) No 1179/2011 of the European Commission lays down the technical requirements (specifications) that an online collection system must meet. If you apply to the Ministry of the Interior and Kingdom Relations for certification of your online collection system, please complete this questionnaire together with the application form and supply the requested documentation.

In the table below, the first two columns always contain the specifications of that Regulation.

  • You are requested to indicate in the third column how the specifications have been implemented for your online collection system.

  • If you use the software of the European Commission (OCS), you will see that you can skip various questions.

  • For all questions you do need to answer, substantiate the answer with documentation where applicable and possible.

  • In the documentation to be submitted, please refer to the number of the technical specification to which it relates.

No. in Regulation 1179/2011 | Specification in Regulation 1179/2011 | You are requested to indicate in this column how the technical specification has been implemented.

TECHNICAL SPECIFICATIONS FOR THE IMPLEMENTATION OF ARTICLE 6 (4) (a) OF REGULATION (EU) No 211/2011

Don't fill in.
1

In order to prevent the automated submission of statements of support through the system, the signatory shall, before submitting his statement of support, go through an appropriate verification process in accordance with current practice. One possible verification process is the use of a robust implementation of a 'captcha'.

Answer only if you are using a different application instead of OCS.

Which verification process is applied? Please send a functional description and screenshots.

TECHNICAL SPECIFICATIONS FOR THE IMPLEMENTATION OF ARTICLE 6 (4) (b) OF REGULATION (EU) No 211/2011

Don't fill in.
Standards for information security Don't fill in.
2.1

The organisers shall provide documentation demonstrating that they comply with the requirements of the ISO/IEC 27001 standard, but they do not have to be formally certified for this standard. In order to comply with the standard, they shall:

Do not fill in.

(a) have carried out a full risk assessment in which the scope of the system has been established, the impact on operations of the various kinds of information security breaches has been identified, the threats to and vulnerabilities of the information system have been listed, a risk analysis document has been produced that also lists the countermeasures to prevent these threats and the measures to be taken if a threat materialises, and finally a prioritised list of improvements has been drawn up;

Has a comprehensive risk assessment been carried out covering the subjects mentioned? Please send documents demonstrating this.

(b) have designed and implemented risk treatment measures concerning the protection of personal data and of family and private life, as well as the measures to be taken should a risk materialise;

Have these measures been designed and implemented? Please send documents demonstrating this.

(c) have documented the residual risks in writing;

Have the residual risks been determined and documented in writing? Please send documents demonstrating this.

(d) have put in place the organisational means to receive feedback on new threats and security improvements.

What is the method for doing so? Please send documents demonstrating this.

2.2

On the basis of the risk analysis carried out in accordance with point 2.1(a), the organisers shall choose security management measures according to one of the following standards:

Do not fill in.

1. ISO/IEC 27002, or

2. the "Standard of Good Practice" of the Information Security Forum,

to address the following:

Please specify here which standards framework is used.

(a) risk assessments (ISO/IEC 27005 or another specific, appropriate risk assessment methodology is recommended);

Comment: a specific risk assessment method is recommended, but not mandatory.

Please specify how and/or according to which method the risk assessment has been carried out. Please send documents demonstrating this.

(b) physical and environmental security;

Please specify here the measures taken to comply with this point. Please send documents demonstrating this.

(c) security related to the human factor;

Please specify here the measures taken to comply with this point. Please send documents demonstrating this.

(d) communications and operations management;

Please specify here the measures taken to comply with this point. Please send documents demonstrating this.

(e) standard access control measures, in addition to the measures provided for in this Implementing Regulation;

Please specify here the measures taken to comply with this point. Please send documents demonstrating this.

(f) acquisition, development and maintenance of information systems;

Please specify here the measures taken to comply with this point. Please send documents demonstrating this.

(g) management of information security incidents;

Please specify here the measures taken to comply with this point. Please send documents demonstrating this.

(h) measures to eliminate breaches of information systems and to reduce their effects, where such breaches may lead to the destruction, accidental loss, alteration or unauthorised disclosure of, or unauthorised access to, the personal data processed;

Please specify here the measures taken to comply with this point. Please send documents demonstrating this.

(i) compliance with the requirements;

Please specify here the measures taken to comply with this point. Please send documents demonstrating this.

(j) network security (ISO/IEC 27033 or the Standard of Good Practice already mentioned).

Please specify here the measures taken to comply with this point. Please send documents demonstrating this.

Functional requirements

If you are using OCS, you can skip standards 2.3 to 2.14 and continue with standard 2.15.
2.3

The online collection system consists of a single web application instance set up to collect statements of support for a single citizens' initiative.

Answer only if you are using a different application instead of OCS.

Is a web application used, consisting of one 'instance', designed to collect statements of support for a single citizens' initiative? Please send documents demonstrating this.

2.4

Where different roles are required for the management of the system, different access control levels shall be provided in accordance with the principle that only strictly necessary rights are granted.

Answer only if you are using a different application instead of OCS.

Is this provided for? Please send documents demonstrating this.

2.5

- Publicly accessible facilities are clearly separated from the facilities intended for management purposes.

- No access control prevents the information in the public part of the system, including the information on the initiative and the electronic statement of support form, from being read.

- Statements of support for an initiative may be submitted only through this public section.

Answer only if you are using a different application instead of OCS.

Please specify here which measures have been taken to meet these points.

Please send documents demonstrating this.

2.6

The system shall identify and prevent a statement of support from being sent more than once.

Answer only if you are using a different application instead of OCS.

Does the system identify and prevent a statement of support from being submitted more than once? Please send documents demonstrating this.

Application-level security

Do not fill in.

2.7

The system is adequately protected against known vulnerabilities and exploits. To that end, it shall meet, inter alia, the following requirements:

Do not fill in.

2.7.1

The system is protected against the injection of queries through SQL (Structured Query Language), LDAP (Lightweight Directory Access Protocol), XPath (XML Path Language), operating system commands or application arguments. To that end, the following is required in any event:

Do not fill in. Answer the following only if you are using a different application instead of OCS.

You must demonstrate by means of (the results of) a penetration test carried out on the website that points (a), (b) and (c) are met.

(a) user input is validated;

(b) validation is carried out at least on the server side;

c) when interpreters are used, untrusted data is always kept separate from commands and queries. For SQL this means that prepared statements and stored procedures are used with bound variables and that dynamic queries are avoided.
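As an added illustration of points (a) to (c), not taken from the page, the OCS software or the Ministry, the following Python snippet puts a dynamic query beside a prepared statement with a bound variable, and adds a server-side whitelist check as one form of the validation the points require. The table, its rows and the Member State list are constructed for the example; sqlite3 stands in for whatever DBMS the collection system uses.

```python
import sqlite3

# Constructed sample store standing in for the initiative database;
# the table and rows are invented for this example, not the OCS schema.
def make_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE initiative (id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO initiative (title) VALUES (?)",
                     [("Clean air for all",), ("O'Brien's initiative",)])
    conn.commit()
    return conn

# Constructed whitelist for the example, not the full list of Member States.
MEMBER_STATES = {"NL", "BE", "DE", "FR"}

def validate_member_state(code):
    """Points (a)/(b): validate on the server against a fixed whitelist."""
    if not isinstance(code, str) or code.upper() not in MEMBER_STATES:
        raise ValueError("unknown Member State code")
    return code.upper()

def is_valid_member_state(code):
    try:
        validate_member_state(code)
        return True
    except ValueError:
        return False

def find_initiative_dynamic(conn, title):
    """Dynamic query: the untrusted title is spliced into the SQL text, so any
    quote character in it is parsed as SQL (the pattern point (c) forbids)."""
    sql = "SELECT id FROM initiative WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]

def find_initiative_bound(conn, title):
    """Prepared statement with a bound variable: the driver passes the title
    to the engine as data, never as part of the command text."""
    rows = conn.execute("SELECT id FROM initiative WHERE title = ?", (title,))
    return [row[0] for row in rows]

def dynamic_query_breaks(conn, title):
    """True when the dynamic version cannot treat the title as plain text:
    an ordinary apostrophe is enough to turn data into SQL syntax."""
    try:
        find_initiative_dynamic(conn, title)
        return False
    except sqlite3.OperationalError:
        return True
```

The bound version returns the row for "O'Brien's initiative" unchanged, while the dynamic version fails on the same perfectly legitimate input; that failure is the symptom a penetration tester looks for, and the bound variable is the fix.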

2.7.2

The system is protected against cross-site scripting (XSS). To that end, the following shall in any event be required:

Do not fill in. Answer the following only if you are using a different application instead of OCS.

You must demonstrate by means of a penetration test carried out on the website that points (a), (b) and (c) are met.

(a) all user input that is sent back to the browser is checked for safety (by means of input validation);

(b) all user input is escaped, where necessary, before it is included in the output page;

(c) the output is encoded in such a way that the browser always treats the input as text. No active content is used.
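An added example of points (a) to (c), written for this page and not part of the original questionnaire or the OCS software: a constructed confirmation page fragment that echoes the signatory's name, once reflected raw and once after validation and HTML escaping. The template, the name rule and the `is_text_only` review check are assumptions of the example.

```python
import html
import re
from string import Template

# Constructed page fragment that reflects user input (not an OCS template).
THANK_YOU = Template('<p>Thank you, <span class="name">$name</span>, for your support.</p>')
_PREFIX = '<p>Thank you, <span class="name">'
_SUFFIX = '</span>, for your support.</p>'

# Letters in any script, joined by single spaces, apostrophes or hyphens.
NAME_RE = re.compile(r"^[^\W\d_]+(?:[ '\-][^\W\d_]+)*$")

def validate_name(name):
    """Point (a): server-side validation of input that will be echoed back."""
    name = name.strip()
    if not 1 <= len(name) <= 100 or not NAME_RE.match(name):
        raise ValueError("name contains characters that are not allowed")
    return name

def name_is_valid(name):
    try:
        validate_name(name)
        return True
    except ValueError:
        return False

def render_unsafe(name):
    """Reflects the raw input into HTML: markup in the input becomes active."""
    return THANK_YOU.substitute(name=name)

def render_safe(name):
    """Points (b)/(c): escape so the browser treats the value as text only.
    quote=True also escapes quotes, which matters inside attributes."""
    return THANK_YOU.substitute(name=html.escape(name, quote=True))

def render_validated(name):
    """Validation and encoding together; raises ValueError on bad input."""
    return render_safe(validate_name(name))

def is_text_only(rendered):
    """Review check: the reflected part contains no tags beyond the template's own."""
    body = rendered[len(_PREFIX):len(rendered) - len(_SUFFIX)]
    return "<" not in body and ">" not in body
```

Escaping is applied at output time, where the context (here HTML text) is known; validation on its own would reject "D'Arcy", which is why both layers are kept and the apostrophe is encoded rather than refused.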

2.7.3

The system is equipped with strong authentication and session management, which requires, in any case, the following:

Do not fill in. Answer the following only if you are using a different application instead of OCS.

You must demonstrate by means of a penetration test carried out on the website that points (a) to (h) below are met.

(a) credentials are always protected by hashing or encryption when stored. The risk of authentication by 'pass-the-hash' must be reduced;

b) credentials cannot be guessed or overwritten through weak account management functions (e.g. account creation, password change, password recovery, weak session identifiers (session ids));

(c) session identifiers and session data are not exposed in the URL (Uniform Resource Locator);

d) session identifiers are not vulnerable to session fixation attacks;

(e) session identifiers expire, which logs users out;

(f) session identifiers are not reused after a successful login;

(g) passwords, session identifiers and other credentials are transmitted only over Transport Layer Security (TLS);

(h) The management part of the system is secured. If it is protected by single-factor authentication, the password must consist of at least 10 characters, including at least one letter, one digit and one special character. Alternatively, two-factor authentication may be used. If only single-factor authentication is used for Internet access to the management part of the system, it must be carried out in two steps: single-factor authentication is extended with a second authentication method, such as a one-off passphrase or code sent by SMS, or an asymmetrically encrypted random challenge that is decrypted with the private key of the organisers/administrators, which is not known to the system.
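The following Python example is added here to show how points (c) to (f) and the password rule of point (h) translate into code; it is not from the page, the Ministry or the OCS software. The `SessionStore` class, its injectable clock and the cookie flags are assumptions of the example; the 15-minute idle timeout is borrowed from point 2.19.3 of the questionnaire.

```python
import re
import secrets
import time

PASSWORD_MIN_LENGTH = 10          # point (h)
IDLE_TIMEOUT_SECONDS = 15 * 60    # assumed; point 2.19.3 sets 15 minutes for admin sessions

def password_meets_policy(password):
    """Point (h): at least 10 characters with a letter, a digit and a special character."""
    return (len(password) >= PASSWORD_MIN_LENGTH
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)

class SessionStore:
    """Server-side session registry: random identifiers, rotation on login
    (points d and f), idle expiry (point e) and cookie-only transport (point c)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._sessions = {}         # sid -> {"user": str | None, "last": float}
        self._retired = set()       # ids that must never be accepted again

    def _new_id(self):
        while True:
            sid = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG, not guessable
            if sid not in self._sessions and sid not in self._retired:
                return sid

    def start(self):
        """Anonymous pre-login session, e.g. for rendering the login form."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last": self.clock()}
        return sid

    def login(self, sid, user):
        """After successful authentication: retire the old id, issue a fresh one.
        An id fixed by an attacker before login therefore never becomes authenticated."""
        self.touch(sid)                       # raises if unknown or expired
        del self._sessions[sid]
        self._retired.add(sid)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last": self.clock()}
        return new_sid

    def touch(self, sid):
        """Validate an id on each request; returns the user (None before login)."""
        session = self._sessions.get(sid)
        if session is None:
            raise KeyError("unknown or retired session id")
        if self.clock() - session["last"] > self.idle_timeout:
            del self._sessions[sid]
            self._retired.add(sid)
            raise KeyError("session expired")
        session["last"] = self.clock()
        return session["user"]

    def is_active(self, sid):
        try:
            self.touch(sid)
            return True
        except KeyError:
            return False

    @staticmethod
    def cookie_header(sid):
        """The id travels only in a cookie, never in the URL; Secure flag per 2.7.9(b)."""
        return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
```

The retired set is what makes point (f) checkable in a test: after `login` the old identifier is rejected even though it was valid a moment earlier, and an expired identifier is retired the same way.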

2.7.4

The system does not contain insecure direct object references. To that end, the following is required in any event:

Do not fill in. Answer the following only if you are using a different application instead of OCS.

You must demonstrate by means of a penetration test carried out on the website that points (a) and (b) below are met.

(a) for direct references to restricted resources, the application verifies that the user is authorised to access the requested resource;

(b) for indirect references, the mapping to the direct reference is limited to the values permitted for the user concerned.

2.7.5

The system is protected against cross-site request forgery.

Answer only if you are using a different application instead of OCS.

You must demonstrate this by means of a penetration test carried out on the website.

2.7.6

The system is equipped with a proper security configuration, which requires, in any case, the following:

Do not fill in. Answer the following questions only if you are using a different application instead of OCS.

a) all software components are up to date, including the operating system, the web/application server, the database management system (DBMS), the applications and all code libraries;

How is it ensured that the software components are kept up to date?

How is it ensured that the web/application server and the operating system (OS) are up to date?

Please send documents showing that all software components are up to date.

(b) unneeded operating system and web/application server services have been deactivated, removed or uninstalled;

You must demonstrate by means of a penetration test carried out on the website that points (b) to (e) are met.

(c) default passwords of accounts have been changed or the default accounts deactivated;

(d) error handling is set up in such a way that stack traces and other informative error messages are not exposed;

(e) the security settings of development frameworks and libraries are in accordance with best practices, such as the OWASP guidelines.

2.7.7

Data in the system is encrypted as follows:

Do not fill in. Answer the following only if you are using a different application instead of OCS.

Please specify the measures taken to ensure that the said points are met. Please send documents demonstrating this.

(a) personal data in electronic form is encrypted before being stored or sent to the competent authorities of the Member States in accordance with Article 8(1) of Regulation (EU) No 211/2011. The keys are managed and backed up separately from the data;

(b) strong standard algorithms and strong keys that comply with international standards are used. Key management is in place;

(c) passwords are hashed using a strong standard algorithm and an appropriate salt value is used;

(d) all keys and passwords are protected against unauthorised access.
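Point (c) in working code, added for this page and not taken from the questionnaire, the Ministry or the OCS software: salted password hashing with PBKDF2-HMAC-SHA256 from the standard library, constant-time verification, and a check that flags stored records whose work factor has fallen behind policy. The record format, the iteration count and the salt length are assumptions of the example.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; assumed value, tune to your own hardware.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per password means equal passwords give different records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"

def verify_password(password, record):
    """Recompute with the stored salt and parameters, compare in constant time.
    Malformed records are treated as a failed login rather than an exception."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record predates the current work factor; rehash the
    password at the next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < iterations
```

Storing the iteration count inside the record is what allows the work factor to be raised later without invalidating existing accounts: old records still verify, and `needs_rehash` tells the login handler when to upgrade them.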

2.7.8

The system restricts URL access based on the user's access and user rights. To that end, the following shall in any event be required:

Do not fill in. Answer only if you are using a different application instead of OCS.

For points (a) and (b) below, please specify which measures you have taken to ensure that they are met. Please send documents demonstrating this.

(a) if the authentication and authorisation checks for access to a page are carried out through external security mechanisms, these must be properly configured for each page;

(b) if code-level protection is used, it must be in place for every page requested.

2.7.9

The system makes use of adequate protection of the transport layer. To this end, all the following measures shall be required, or measures that are at least as effective:

Do not fill in. Answer only if you are using a different application instead of OCS.

You must demonstrate by means of a penetration test carried out on the website that points (a) to (c) are met.

(a) for access to any sensitive resource, the system requires the most recent version of HTTPS (Hypertext Transfer Protocol Secure); the certificates must be valid, not expired or revoked, and must match all domains used for the site;

(b) the system sets the 'secure' flag on all sensitive cookies;

c) on the server, the TLS provider is configured to support only strong encryption algorithms. Users are informed that they need to enable TLS support in their browser.

2.7.10

The system is protected against unvalidated redirects and forwards.

Answer only if you are using a different application instead of OCS.

You must demonstrate this by means of a penetration test carried out on the website.

Database security and data integrity

Do not fill in.

2.8

If online collection systems for different citizens' initiatives share the same hardware and operating system resources, no data (including access or encryption credentials) may be shared between them. In addition, the risk assessment and the countermeasures applied must take this situation into account.

Answer only if you are using a different application instead of OCS.

Please send documents demonstrating this.

2.9

The risk of database authentication by using "pass-the-hash" should be reduced.

Answer only if you are using a different application instead of OCS.

You must demonstrate this by means of a penetration test carried out on the website.

2.10

The data provided by the signatories is accessible only to the database administrator/administrator.

Answer only if you are using a different application instead of OCS.

You must demonstrate this by means of a penetration test carried out on the website. Please indicate which measures you have taken to ensure that this point is met. Please send documents demonstrating this.

2.11

Management data, the personal data provided by the signatories and back-ups thereof are protected by strong encryption algorithms as referred to in point 2.7.7(b). However, the Member State in which the statement of support is to be counted, the date on which the statement of support was submitted and the language in which the signatory completed the form may be stored in the system unencrypted.

Answer only if you are using a different application instead of OCS.

Please indicate here the measures taken to ensure that the said points are met. Please send documents demonstrating this.

2.12

Signatories have access to the data they entered only during the session in which they completed the statement of support form. Once the statement of support has been submitted, this session is closed and the submitted data is no longer accessible.

Answer only if you are using a different application instead of OCS.

Please indicate here the measures taken to ensure that the said points are met. Please send documents demonstrating this.

2.13

The personal data of the signatory appear only in encrypted form in the system and in its back-ups. For consultation or certification of the data by the national authorities pursuant to Article 8 of Regulation (EU) No 211/2011, the organisers may export the encrypted data in accordance with point 2.7.7(a).

Answer only if you are using a different application instead of OCS.

Please indicate here the measures taken to ensure that the said points are met. Please send documents demonstrating this.

2.14

The data in the statement of support form is persisted in the system only in its entirety. That is, once the user has entered all the required data in the statement of support form and confirmed his decision to support the citizens' initiative, the system either records all the data in the form in full or, if an error occurs, none of it. The system informs the user whether the statement has been recorded successfully or not.

Answer only if you are using a different application instead of OCS.

Please indicate here the measures taken to ensure that the said points are met. Please send documents demonstrating this.
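The all-or-nothing behaviour of point 2.14 as an added example, not the page's own text or the OCS implementation: a statement of support whose fields are written to two tables inside one database transaction, so that a missing field or a constraint violation leaves no partial record behind and the caller gets a clear success or failure result to report to the user. The schema and the required field list are constructed for the example, and encryption of the values (point 2.7.7(a)) is left out to keep the transaction logic visible.

```python
import sqlite3

# Constructed field list for the example; the real form has more fields.
REQUIRED_FIELDS = ("full_name", "date_of_birth", "nationality")

def open_store():
    """Constructed in-memory schema for this example, not the OCS schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE statement (
        id INTEGER PRIMARY KEY, member_state TEXT NOT NULL, submitted_on TEXT NOT NULL)""")
    conn.execute("""CREATE TABLE statement_field (
        statement_id INTEGER NOT NULL REFERENCES statement(id),
        name TEXT NOT NULL, value TEXT NOT NULL CHECK (length(value) > 0))""")
    return conn

def record_statement(conn, form, submitted_on):
    """Persist a statement of support all-or-nothing.
    Returns (True, statement_id) or (False, reason); on failure nothing is stored."""
    try:
        with conn:   # one transaction: commit on exit, rollback on any exception
            cur = conn.execute(
                "INSERT INTO statement (member_state, submitted_on) VALUES (?, ?)",
                (form["member_state"], submitted_on))
            statement_id = cur.lastrowid
            for name in REQUIRED_FIELDS:
                # In a certified system the value would be encrypted first (point 2.7.7(a)).
                conn.execute("INSERT INTO statement_field VALUES (?, ?, ?)",
                             (statement_id, name, form[name]))
        return True, statement_id
    except KeyError as exc:
        return False, f"missing field {exc.args[0]}"
    except sqlite3.Error as exc:
        return False, type(exc).__name__

def stored_counts(conn):
    """Rows in both tables; used to confirm that failed submissions left nothing behind."""
    return (conn.execute("SELECT COUNT(*) FROM statement").fetchone()[0],
            conn.execute("SELECT COUNT(*) FROM statement_field").fetchone()[0])
```

The second and third test cases are the failure modes the specification cares about: a field missing from the form after the header row was already inserted, and an empty value rejected by the database. In both cases the row counts are unchanged after the call.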

2.15

The database management system is up to date and is constantly updated when new exploits are detected.

Please indicate here the measures taken to ensure that this point is met. Please send documents demonstrating this.

2.16

All activity logs of the system are retained.

Please indicate here the measures taken to ensure that this point is met. Please send documents demonstrating this.

The system ensures that exceptions and other security-relevant events, as listed below, are recorded in audit logs that can be consulted and that are retained until the data is destroyed in accordance with Article 12(3) or (5) of Regulation (EU) No 211/2011.

Please indicate here the measures taken to ensure that this point is met. Please send documents demonstrating this.

These logs are protected by appropriate means, for example by storage on encrypted media.

Please indicate here the measures taken to ensure that this point is met. Please send documents demonstrating this.

The organisers/administrators regularly review the logs for suspicious activity.

Please indicate here the measures taken to ensure that this point is met. Please send documents demonstrating this.

The logs shall include at least the following information:

Do not fill in.

Please specify the measures taken to ensure that points (a) to (c) are met. Please send documents demonstrating this.

(a) the date and time at which the organisers/administrators log in and log out;

(b) back-ups;

(c) any changes and updates made by the database administrator.
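An added example for point 2.16, not from the page, the Ministry or the OCS software: an append-only audit log that records the three event classes listed under (a) to (c), chains each entry to the previous one with a SHA-256 digest so that tampering with a stored entry is detectable, and offers one simple review query of the kind an administrator might run when checking the logs. The event names, the sample entries and the review rule are assumptions of the example; hash chaining protects integrity only, so the log still needs the access control and encrypted storage the specification asks for.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64   # "previous hash" of the first entry

def _digest(body):
    # Canonical JSON so that the same fields always hash the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

class AuditLog:
    """Append-only, hash-chained log of security-relevant events."""

    def __init__(self):
        self.entries = []

    def append(self, time, event, actor, detail=""):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "time": time, "event": event,
                "actor": actor, "detail": detail, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """False if any entry was altered, removed or reordered after it was written."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def open_admin_sessions(self):
        """Review helper (assumed rule): actors with a login not followed by a logout."""
        open_sessions = set()
        for entry in self.entries:
            if entry["event"] == "login":
                open_sessions.add(entry["actor"])
            elif entry["event"] == "logout":
                open_sessions.discard(entry["actor"])
        return sorted(open_sessions)

def build_sample_log():
    """Constructed events covering points (a) login/logout, (b) back-ups and
    (c) changes by the database administrator; timestamps are invented."""
    log = AuditLog()
    log.append("2013-12-05T08:00:00Z", "login", "admin1")
    log.append("2013-12-05T08:05:00Z", "backup", "admin1", "nightly backup completed")
    log.append("2013-12-05T08:08:00Z", "login", "dba1")
    log.append("2013-12-05T08:10:00Z", "db_change", "dba1", "rotated data encryption key")
    log.append("2013-12-05T08:30:00Z", "logout", "admin1")
    return log

def tampered_copy(log, seq, new_detail):
    """Simulate after-the-fact editing of one stored entry, for the verify check."""
    clone = copy.deepcopy(log)
    clone.entries[seq]["detail"] = new_detail
    return clone
```

Because each entry commits to the hash of its predecessor, an editor who changes entry 1 would also have to recompute every later hash; anchoring the latest hash somewhere the administrators cannot silently rewrite (a separate system, a signed export) turns that into a practical tamper-evidence check.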

Infrastructure security: physical location, network infrastructure, and server environment

Do not fill in.

Comment: standards and measures under infrastructure security may be covered by a hosting contract (SLA). A contract is not mandatory.

2.17 Physical Security

Regardless of hosting type, the machine hosting the application should be properly protected, in the following manner:

Don't fill in.

Please specify here the measures taken to comply with these specifications for points (a) to (c). Please send documents demonstrating this.

(a) access control and audit log regarding access to the hosting space;

(b) physical protection of the back-up data against theft and accidental loss;

(c) installation of the server on which the application runs in a secured rack.

2.18 Network Security

Do not fill in.

2.18.1

The system is hosted on an Internet-connected server that is installed in a demilitarized zone (DMZ) and is protected by a firewall.

Please indicate here the measures taken to ensure that this point is met. Please send documents demonstrating this.

2.18.2

When relevant updates and patches are released for the firewall product, they are installed as soon as possible.

Please specify here the measures taken to ensure that this point is met. Please send documents demonstrating this.

2.18.3

All incoming and outgoing traffic of the server (intended for the system) is screened and logged by means of the firewall rules. The firewall rules block all traffic that is not necessary for the secure use and administration of the system.

Please indicate here the measures taken to ensure that this point is met. Please send documents demonstrating this.

2.18.4

The online collection system is hosted on an appropriately protected production segment of the network, separated from segments on which non-production systems are hosted, such as development or test environments.

Please indicate here the measures taken to ensure that this point is met. Please send documents demonstrating this.

2.18.5

The local area network (LAN) is protected by measures such as:

Do not fill in.

Please specify the measures taken to ensure compliance with the points below.

(a) Layer 2 (L2) access control lists/port security;

(b) deactivation of unused ports;

(c) the DMZ is located on a separate virtual LAN (VLAN) or LAN;

(d) no L2 trunking on ports where it is not required.

2.19 Security of the operating system and the web/application server

Do not fill in.

2.19.1

The security is configured correctly in accordance with point 2.7.6.

Please indicate here the measures taken to ensure that this point is met. Please send documents demonstrating this.

2.19.2

The applications run with only those privileges that are necessary for their operation.

Please specify here the measures taken to ensure that this point is met. Please send documents demonstrating this.

2.19.3

Administrator access to the system management interface has a short session timeout (maximum 15 minutes).

Please specify here the measures taken to ensure that this point is met. Please send documents demonstrating this.

2.19.4

When relevant updates and patches for the operating system, application runtimes, application servers or anti-malware software are released, they are installed as soon as possible.

Please specify here the measures taken to ensure that this point is met. Please send documents demonstrating this.

2.19.5

The risk of database authentication by using 'pass-the-hash' shall be reduced.

Please specify here the measures taken to ensure that this point is met. Please send documents demonstrating this.

2.20 Security of the clients used by the organisers

To ensure that the entire system is secured end to end, the organisers take measures to secure the client application or the device they use for managing and accessing the online collection system, such as the following.

Do not fill in.

2.20.1

Non-management tasks (such as office automation) are carried out with only those privileges that are necessary for their operation.

Please specify here the measures taken to ensure that this point is met. Please send documents demonstrating this.

2.20.2

When relevant updates and patches for the operating system, installed applications or anti-malware software are released, they are installed as soon as possible.

Please specify here the measures taken to ensure that this point is met. Please send documents demonstrating this.

TECHNICAL SPECIFICATIONS FOR THE IMPLEMENTATION OF ARTICLE 6 (4) (c) OF REGULATION (EU) No 211/2011

Do not fill in.
3.1

The system provides the possibility to generate, for each individual Member State, a report containing the personal data of the signatories of the citizens' initiative, so that the competent authorities of the Member State concerned can verify them.

Answer only if you are using a different application instead of OCS.

Please specify here the measures taken to ensure that this point is met. Please send documents demonstrating this.

3.2

The statements of support submitted by the signatories can be exported in the format of Annex III to Regulation (EU) No 211/2011. The system may also provide the possibility to export the statements of support in an interoperable format such as Extensible Markup Language (XML).

Answer only if you are using a different application instead of OCS.

Please specify here the measures taken to ensure that this point is met. Please send documents demonstrating this.

3.3

The exported statements of support are labelled 'limited distribution' when made available to the Member State concerned and are identified as personal data.

Answer only if you are using a different application instead of OCS.

Please specify here the measures taken to ensure that this point is met. Please send documents demonstrating this.

3.4

The electronic transmission of the exported data to the Member States is protected against eavesdropping by appropriate end-to-end encryption.

Please specify here the measures taken to ensure that this point is met. Please send documents demonstrating this.

OTHER

Do not fill in.

Recital (6)

The certification process shall be facilitated if the organisers make use of the software provided by the Commission in accordance with Article 6 (2) of Regulation (EU) No 211/2011.

Comment: the certification process is facilitated only if the organisers use the software provided by the Commission unchanged. Please therefore indicate here whether the hash of the OCS software has remained unchanged. Please send documents demonstrating this.

The online system shall be certified in accordance with Regulation (EU) No 211/2011 in the Member State in which the data collected through the online system is stored.

Please indicate here that the data is stored in the Netherlands. Please send documents demonstrating this.