The Czech Republic Date: june 2008 Transition Facility – the Detailed Project Fiche



Download 124.97 Kb.
Date conversion02.06.2018
Size124.97 Kb.

The Czech Republic Date: JUNE 2008


Transition Facility – the Detailed Project Fiche



  1. Basic Information

    1. CRIS Number: CZ06/018-182.07.01.04

    2. Title: Strengthening data security in electronic data processing at the Czech Social Security Administration (CSSA) and data exchange between the Czech Republic and other EU Member States

    3. Sector: Social protection and health

    4. Location: Czech Republic, Ministry of Labour and Social Affairs – CSSA




  1. Objectives

    1. Overall Objective(s):

To enable the Czech Republic to take on the obligations of the EU membership, incl. adherence to the aims of political, economic and monetary union.


    1. Project purpose:

Creation of tools and methodology of the CSSA information security policy to eliminate risks of disturbing accessibility, reliability, confidentiality and integrity of social insurance data. The project is focused on fundamental security aspects and its goal is to analyse the whole CSSA security policy and to develop suitable procedures for improvement the existing CSSA security policy and to adapt the existing CSSA procedures to the EU ones.



    1. Justification:

Relevant Czech legislation is in line with the acquis after the EU accession and the Czech Social Security Administration (CSSA) when enforcing the acquis, must be looking for the ways to share experience with other relevant institutions on how to deal with problems concerning the methods, tools and procedures in the area of social insurance information systems security when enforcing the Convention on the protection of persons in relation to automated personal data processing No 108/1981. The Czech Republic has become bound by it based on the ratification process results under the Ministry of Foreign Affairs Communication No. 115/2001 Coll. m. c.



In spite of the fact that the relevant Czech legislation is in line with the acquis, the CSSA needs to gain experience in the field of ensuring security of information systems. The security policy department staff has no possibility to consult their concept and processes with similar institution in the Czech Republic. In other Member States there are technical tools as well as experts whose experience and also the possibility of utilising of technical means and tools would be of a great help.
Despite the fact that CSSA generally is in the line with legislation of the Czech Republic, there is need to deal with solved problems and used tools in the sphere of sensitive data protection. There is no comparable experience based on concrete implementation of “Directive 95/46/EC of the European parliament and of the council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”.
There is no comparable institution in the Czech Republic that could provide information of this kind in compliance with TESS Programme for the development of telematics services designed to coordination of social security schemes in Europe, based on Regulations (EEC) No 1408/71 (now Reg.No.883/2004) and (EEC) No 574/72 (a new implementing regulation is being prepared, should be in force since 20097) and Technical Commission on Information Technology and Technical Commission on Administrative Management, Organization and Methods of ISSA.
According to these regulations it is necessary to provide Czech citizens living or working abroad as well as foreign citizens living or working in the Czech Republic with respective allowances they are entitled for. For this purpose it is necessary to have a well created reliable information systems as well as tools and methods for checking the security data of these citizens, which is also in responsibility of security policy department. This project is aimed to provide creation of tools and methodology of the CSSA information security policy to eliminate risks of disturbing accessibility, reliability, confidentiality and integrity of social insurance data in the above-mentioned area.
ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance. The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. In 2007, ISO 17799 was renamed ISO/IEC 27002, bringing it into line with the other ISO 27000 series standards. This is currently expected to be a straight number change not an update although these things have a habit of changing.
All EU Member States are ISO members as they are aware of the importance of international standardization.
Reference to the Comprehensive Monitoring Report 2003:

Chapter 2:

Free movement of persons: ”The acquis under this chapter provides for non-discriminatory treatment of workers who are legally employed in a country other than their country of origin. This includes the possibility of cumulating or transferring social security rights, which requires administrative cooperation between Member States. …. With regard to co-ordination of social security systems, no transposition into national legislation is needed to achieve alignment with the acquis, but appropriate administrative capacity needs to be ensured through staffing increases and training. Although these structures remain to be completed, preparations, including training, are on track. Measures that are being taken for securing a corresponding administrative capacity in these fields should be further executed. “

Chapter 3:

The Czech Republic is essentially meeting the requirements for membership and is expected to be in a position to implement the acquis in the areas of banking, investment services and securities markets and the protection of personal data by the time of accession. Full transposition of the acquis in these areas needs to be completed and the independence of the supervisory bodies safeguarded.



  1. Description




    1. Background and justification:

The beneficiary of this project is the Czech Social Security Administration.

The Czech Social Security Administration is a governmental body directed by the Ministry of Labour and Social Affairs. It has competence in the sphere of pension insurance, sickness insurance and medical board responsible for evaluation of the state of health of the insured persons. The Czech Social Security Administration decides about pension insurance benefits, meets task arising from international agreements on social security, collects social insurance premiums and contributions to state employment policy, checks the performance of obligations of social security subjects, evaluates citizens' state of health and working ability for the purposes of social security, keeps register of citizens unable to work and, in the determined cases, executes sickness insurance. The CSSA operates pension and sickness insurance information systems and has to devote a great attention and at the same time a great emphasis on verification of functionality and security of the information systems. Specific features of the security policy department of the CSSA and especially of the information and communication technologies lie in a special position of CSSA in the state administration.

Security Policy Department (CSSA) is a organisational body of Director General of CSSA to exercise activities related to supervision over security of personal data protection while both processing and transmission within IT of CSSA. This department also provides interpretation, distribution and implementation of new regulations and standards within CSSA, in accordance with legal documents in the area of personal data protection and sensitive data protection valid in the Czech Republic.


The CSSA fulfils its obligations in the area of personal data protection and sensitive data protection, in accordance with Convention on the protection of persons in relation to automated personal data processing No 108/1981. The Czech Republic has become bound by it based on the ratification process results under the Ministry of Foreign Affairs Communication No. 115/2001 Coll. m. c.
In order to fully and properly implement the acquis this project should provide required experience in using of created tools, procedures and methodology. In other Member States there are technical tools as well as experts whose experience and also the possibility of utilizing of technical means and tools would be of a great help. Moreover, the CSSA processes within the framework of social security coordination are dependent on functional systems of ICT that are interconnected with other Member States (e.g. within the TESTA network). After gaining experience and acquiring adequate technical assistance it would be possible to have a system, which could be used with only small modifications as an example of a good practice for other new Members.

Implementation of these tools and methodology will also enable the CSSA to implement processes designed within the framework of ongoing CSSA update (data digitalization, creating of individual accounts of insurers, transition to e-government and e-office etc.) with minimum risk and subsequently also while carrying out the pension reform that is being currently prepared. Being aware of potential risks and for higher security of data and its processing, the results of this project will be used in implementation of further CSSA’s own projects on data access security.


The project should result in such CSSA information security policy that would be in accordance with Regulations (EEC) No 1408/71 (now Reg.No.883/2004) and (EEC) No 574/72 and with main international standards and in existence of a such kind of technically and methodologically adequate security policy system, which would by its results guarantee correctness of the information and databases of the CSSA. More specifically, setting up of such a system would enable to the security policy department to secure and eliminate the risks of disturbing of this base, especially risks of disturbing accessibility, reliability, confidentiality and integrity of the data relating in social insurance.



    1. Linked activities:



Project Phare CZ01/IB/SO-02 “Testing the preparedness for the application of EC social security legislation”

The overall objective of the project was testing whether the Czech institutions involved in the social security are prepared for enforcement of the acquis and the bulk of the project was dealing with the CSSA. A part of testing was focused on ICT environment and data security within the CSSA. The Finnish ecommended a number of measures, e.g. the CSSA should evaluate the risks of different models of pension and allowance administration, elaborate measures for risk management and minimising their effects.


Phare project CZ 00-03-03 "Support to Pension Reform" (CZ00/IB/SO-01).

The general objective of this project was to prepare the CSSA for a transformation into a fully operational insurance agency, with the necessary internal procedures and operational capacities (technical and personnel) to administer a digitalised pension system, meeting the requirements of EC legislation and EU co-ordination of social security, stress is put on the quality of state supervision of the system of supplementary pension schemes, including the employer sponsored schemes analysed/defined, with supervision systems strengthened.



Phare Project CZ03/IB/SO/01 “Information system for administration of free movement of persons“

The project was designed to strengthen and improve the administrative capacity of the CSSA. This included comprehensive assistance related to the set up of the information system which enables the CSSA to exchange social security data with relevant institutions in other Member States in electronic form and, in addition, to provide assistance related to the CSSA staff training in the field of European Social Security Law.
Phare project CZ 05/IB/SO/01Audit on Functionality and Security of Social Insurance Information Systems

The objective of the project was to set up a technically and methodologically adequate internal audit system which would by its results guarantee correctness of the information and databases of the CSSA. More specifically, setting up of such a system would enable the internal audit to secure and eliminate the risks of disturbing of this base, especially risks of disturbing accessibility, reliability, confidentiality and integrity of the data related to the social insurance, in compliance with relevant EU standards and directives. The German experts recommended in the Final Report (in July 2007) to involve the Internal Audit Department in all processes and to introduce specific controlling tools at CSSA into account By the start of the project in question the relevant recommendations and results will be taken into account.




    1. Results:

Creation of tools and methodology for an up-dated information security policy of Czech Social Security Administration.

3.3.1 Recommendations in the area of manipulation with health documentation while its interpretation incl. E-forms formulated.(T+6)



Benchmarks:

a) Elaboration of recommendations concerning processes that are used in the area of health insurance data in EU E-forms, submitted out of the CSSA(T+2)

b) Created manual concerning interpretation sensitive data information aimed at E-forms.(T+3)

c) Draft of a contract for authorization of social allowances while taking into account special provisions of Directive 95/64/EC elaborated. . T+6)



      1. Suggestions in the area of international electronic communication using the filing office of CSSA formulated.(T+6)

Benchmarks:

a) Recommendations of the twinning partner concerning the data security while data transmission.

b) Relevant measures for encryption discussed.

c) Created necessary upgrade of information security policy.

d) Discussed necessary changes incl. upgrade of operation manual of the filing office of CSSA.

3.3.3 Suggestion in the area of indicated security requirements regarding the international standard ISO/IEC 27002 formulated(T+6)



Benchmarks:

  1. Collection of other EU Member States approach to implementation of international standard ISO/IEC 27002 realized in accordance with Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.

  2. Analysis of current status of the information security policy at the Czech Social Security Administration completed.




  1. The CSSA´s Security Policy Department staff and regional offices staff trained in using of the international standard ISO/IEC 27002 (approx. 15 persons). It regards a narrow field of experts who have practical experience and therefore it is essential they transmit their experience directly (and not via a mediator) to trained CSSA experts. Trained persons tested (approx. 15 persons).

3.3.4 Upgrade of the existing tools and methodology of the information security policy at the Czech Social Security Administration realized(T+6)



Benchmarks:

  1. Recommendations to the creation of the tools and methodology concerning information security policy at the Czech Social Security Administration given.

  2. Up-date of information security policy of Czech Social Security Administration completed, recommendations included.




      1. Development of a strategic document for information security policy(T+6)

  1. Measures in the area of the CSSA security policy consulted, in the area of personal and sensitive data protection.

b) A strategic document drafted with accordance to the international standard.

Benchmark: Study visit (2 persons for 5 days) realized; the know-how obtained discussed, analysed and possibly applied for purposes of the CSSA.



    1. Activities:

3.4.1 To give recommendations in the area of manipulation with health documentation

To create operational procedure to ensure confidentiality of health documentation while interpretation outside of CSSA in accordance with “Directive 95/46/EC of the European parliament and of the council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”.
3.4.2 To provide CSSA with suggestions in the area of international electronic communication

To provide suggestions for secure international electronic data transmission containing sensitive information incl. health documentation, in accordance witch „Directive 95/46/EC of the European parliament and of the council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”.


3.4.3 To provide the CSSA with suggestions in the area of indicated security requirements

To create a report on changes related to personal sensitive data protection as an impact of standard ISO/IEC 27002 related to Convention for the Protection of Personal Data.

To provide suggestions based on useful experience of other EU Member States to implementation of ISO/IEC 27002

To give recommendations concerning the current status of the tools and methodology of the information security policy at the CSSA


To create a report on possible improvements in the area of the CSSA security policy methodology based on the existing document “The CSSA information security policy at the CSSA

Assessment of current document “The CSSA information security policy” in combination with interviews

Recommendation how to adapt the CSSA original document

Recommendation and suggestions related to ISO/IEC 27002


To develop an strategic document for improvement of CSSA information security policy

To explain the international standard ISO/IEC 27002 subject to agreement of Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.

To discuss the difficulties related to ISO/IEC 27002 for public administration esp. the CSSA

3.4.4 To develop an advisory assistance in updating of a strategic document for information the security policy of the CSSA



  • To present and discuss the ways to adapt the CSSA original document

  • Kick off for updating of the security policy document of the CSSA in accordance with ISO/IEC 27002 and Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data

Analysis of the updated security policy

Recommendation for additional changes

Recommendation for implementation of the updated security policy

Testing of knowledge of international standard as above (approx. 15 persons).


3.4.5 Study visit.

A study visit will be organised for CSSZ executives responsible for data security within the institution to observe the situation in the Member State of the twinning partner . The situation will be discussed and analysed for purposes of the CSSA.

Discussion on ISO/IEC 27002 standard and impact of ISO/IEC 27002 standard on institution in public administration.

Advisory assistance in changing of the current security policy according the international standard as above.

Training Security Policy Department of the CSSA staff .

The participants of the study visit will take use of it and implement their knowledge into an up-to-date internal managing document on data security policy within the CSSA

The participants of the study visit will draw up a detailed report.
Experts profile:

MTE + STEs

One MTE for ca. 44 man-days

All STEs are public servants from EU MS


Team Leader for coordination of the team of experts :

  • has good knowledge in the field of IT,

  • has knowledge about the project’s item,

  • has 5-years experience, previous participation on similar projects will be of favour

  • has good organisational and communication skills

  • is responsible for project management, especially human resources, budget discipline

  • solves problem in cooperation with Steering Committee members

  • s responsible for generating of outputs and meeting the objectives

Experience in the sphere of social insurance is an advantage.

Short-term Experts

should have practical experience in the field related to the project, knowledge of using security measures in accordance with ISO/IEC 27002 and in the area of health insurance data expected. Experience in area of security policy is an advantage.


Total man-days: 132

The project language is English.




    1. Lessons learned:

In previous projects the careful choice of the project partner was of great effectiveness. Experience of the project partner contributed to the flawless realization of the project. Experience from the previous projects proved that coordination of inputs in projects dealing with training of staff, with more activities and institutions involved is hardly substitutable and the role of PL is therefore very important. It is also uneasy to coordinate such project without a good knowledge of conditions on that twinning partner side that delivers experts for the project as the results of the project are relying on the experts’ quality and good timing of their input. PL has an important role in coordinating and realising all project activities, while project leader concentrates more on ensuring human resources involved (on Czech side) and on generating of outputs and meeting the objectives. After finishing the project he/she will ensure the relevant recommendations of the project will be implemented.



  1. Institutional Framework


Ministry of Labour and Social Affairs (MoLSA)

MoLSA is a central department of the State administration and is responsible for labour relations, occupational safety, employment and training, collective bargaining, civil service, wages and other forms of remuneration, pensions and sickness insurance, social protection, family and child affairs, care for vulnerable groups and other issues of wage and social policy. The number of MoLSA staff is approx. 500 employees.


Czech Social Security Administration (CSSA)

The Czech Social Security Administration is a governmental body directed by the Ministry of Labour and Social Affairs. It has competence in the sphere of pension insurance, sickness insurance and medical board responsible for evaluation of the state of health of the insured persons. The Czech Social Security Administration decides about pension insurance benefits, meets task arising from international agreements on social security, collects social insurance premiums and contributions to state employment policy, checks the performance of obligations of social security subjects, evaluates citizens' state of health and working ability for the purposes of social security, keeps register of citizens unable to work and, in the determined cases, executes sickness insurance.


The main competences of the CSSA are in the sphere of pension insurance system, sickness insurance system and the system of state employment policy (unemployment insurance and employment policy programs) and to arrange the calculation and payment of benefits from those schemes as well as the keeping of records on insured individuals (excluding the system of state employment policy).
The CSSA is divided into the Central Administration Office in Prague (Czech Republic) and local Social Security Administration (LSSA, 91 administrations in districts of Czech Republic)), Total CSSA staff is approx. 8 860 employees.
Steering Committee (SC)

The Steering Committee of the project will be established. It shall be composed of representatives of CFA and CFCU, representative of the Ministry of Labour and Social Affairs, representative of the Security Policy Section od Czech Social Security Administration. Project Leader will coordinate and supervise the implementation of all activities. The SC will meet quarterly.





  1. Detailed Budget (M €)

Strictly follow the following format.



Project Components

Transition Facility Support

National

Co financing

Total

Investment

Support


Institution

Building


Total TF(=I+IB)

TWL Contract

-

0,160

0,160

0,010

0,170

Total

-

0,160

0,160

0,010

0,170

There will be parallel co-financing from the state budget chapter No. 313, MoLSA.


  1. Implementation Arrangements





    1. Implementing Agency

The CFCU is the Implementing Agency responsible for procurement and financing related to the project.

CFCU - PAO is Monika Toušová phone +420 257 044 558, fax +420 257 044 550, e-mail: monika.tousova@mfcr.cz

CFCU - Administrative Office (AO) – contact point Ms. Liana Exner Bala, phone +420 257 044 555, fax +420 257 044 550, e-mail: liana.bala@mfcr.cz

National Contact Point for twinning (NCP) is Ms. Eva Anderova, Director of dpt.58 EU and international relations, Ministry of Finance, Letenska 15, 118 10 Prague 1, phone: +420 257 042 300, fax: +420 257 042 281.

Fully responsible for overall monitoring and interim evaluation of the project is the Centre for Foreign Assistance, unit 586, Ministry of Finance. The contact point is Ms. Dominika Heřtová, head of the unit 586, phone + 420 257 044 578, fax: +420 257 044 570, dominika.hertova@mfcr.cz.


6.2 Twinning Light
Responsibility for technical aspects related to the preparation, implementation and control rest with the beneficiary institution, which is the Ministry of Labour and Social Affairs (MoLSA). The Contact person at MoLSA is Mr. Vlastimil Vana, Deputy Director of the European Union and International Cooperation Department, Ministry of Labour and Social Affairs, tel. +420 221922386, fax +420 221922223, e-mail: vlastimil vana @mpsv.cz; address: Na Poříčním právu 1, 128 01 Prague 2
The contact person at the CSSA is Mr. Jiri Kudlik, Director of European Coordination and International Relations Section, tel. +420 2 5706 2984, fax: +420 2 5706 3032, e-mail: jiri.kudlik@cssz.cz.

Day-to-day contact at the CSSA is Ms Eva Beyerlova, Translation, documentation and international project unit, phone +420 257 063 039fax +420 257 063 032, e-mail: eva.beyerlova@cssz.cz




7 Implementation Schedule
7.1 Start of tendering/call for proposals: 3Q/2008

7.2 Start of project activity: 2Q/2009

7.3 Project Completion: 3Q/2009
8 Sustainability

The CSSA staff assigned to implement the above mentioned activities is appropriately experienced and has the necessary skills to undertake the required tasks.


9 Conditionality and sequencing

This project will build upon the achievements of the previous projects CZ00/IB/SO-01,

CZ03/IB/SO/01 and CZ 05/IB/SO/01 and will also reflect the status of transformation of the CSSA.

Central Harmonisation Unit is aware of this project and will monitor the project via participation in the Steering Committee.




Annexes to the Project Fiche

  1. Log frame planning matrix


ANNEX 1



LOGFRAME PLANNING MATRIX

Project Title: (add project name)

Strengthening data security in electronic data processing at the Czech Social Security Administration (CSSA) and data exchange between the Czech Republic and other EU Member States

Programme name and number: TF CZ 2006

Total Budget:

0.170 M€

TF contribution:

0.160 M€

Overall Objective

Objectively verifiable indicators*

Sources of verification




To enable the Czech Republic to take on the obligations of the EU membership, incl. adherence to the aims of political, economic and monetary union.

Acknowledgement by the European Commission

Relevant EC documents




Project Purpose
Objectively verifiable indicators

Sources of verification

Assumptions


Creation of tools and methodology of the CSSA information security policy to eliminate the risks of disturbing accessibility, reliability, confidentiality and integrity of social insurance data.


CSSA´s information security policy in accordance with the international standard ISO/IEC 27002







  • CSSA records

  • Evaluation from relevant national bodies

Other parts of the acquis implemented and enforced to fulfil the 3rd Copenhagen Criterion




Results

Objectively verifiable indicators

Sources of verification

Assumptions

Creation of tools and methodology for an up-dated information security policy of Czech Social Security Administration.

Recommendations in the area of manipulation with health documentation while its interpretation incl. E-forms.

Suggestions in the area of international electronic communication using the filling office of CSSA.

Suggestion in the area of indicated security requirements regarding the international standard ISO/IEC 27002 formulated

(T+6)

Upgrade of the existing tools and methodology of the information security policy at the Czech Social Security Administration (T+6)



Development of a strategic document for information security policy and study visit (T+6)

Study visit realized (2 persons for 5 days).




Analysis drafted and submitted, including international best practice and available by the end of the project,
a ) recommendations concerning processes that are used in the area of health insurance data in EU E-forms, submitted out of the CSSA(T+2), recommendations available by the end of the project at the latest,

b) Manual concerning interpretation sensitive data information aimed at E-forms(T+3)

available by the end of the project at the latest.

c) Draft of a contract for authorization of social allowances while taking into account special provisions of Directive 95/64/EC elaborated (T+6)a) Recommendations of the twinning partner concerning the data security while data transmission. (T+2)

b) Relevant measures for encryption discussed.(T+4)

c) Created necessary upgrade of information security policy.(T+6)

d) Discussed necessary changes incl. upgrade of operation manual of the filling office of CSSA.(T+6)


  1. Collection of other EU Member States approach to implementation of international standard ISO/IEC 27002 realized in accordance with Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data by the end of the project

b) The CSSA´s Security Policy Department staff and regional offices staff trained in using of the international standard ISO/IEC 27002 (approx. 15 persons)by the end of the project .

c) The CSSA´s Security Policy Department staff and regional offices staff trained in using of the international standard ISO/IEC 27002 (approx. 15 persons) by the end of the project.. It regards a narrow field of experts who have practical experience and therefore it is essential they transmit their experience directly (and not via a mediator) to trained CSSA experts. d) Trained persons tested by the end of the project: selection of suitable security measures according to the requests of the CSSA and its regional offices, implementation processes of selected security measures, creation of the management tools – tools for security management.. (approx. 15 persons). (T+6)

a) Recommendations to the creation of the tools and methodology concerning information security policy at the Czech Social Security Administration given.(T+3)

b) Up-dated final document of information security policy of Czech Social Security Administration completed, recommendations included. (T+6)



  1. Measures in the area of the CSSA security policy consulted, in the area of personal and sensitive data protection. (T+2)

b) A strategic document drafted in accordance with the international standard

(T+6).


a) Report of study visit (solution in the selected EU MS, experience, recommendations) prepared by the end of the project at the latest (T+6)
The participants of the study visit must be the CSSA data security managers.


  • Project progress and final reports

  • EC monitoring reports

  • Monitoring reports to be discussed by SMSC every 6 months

  • Record of proceedings

  • Project outputs reflected in individual policies of the CSSA

  • Internal evaluation of training

  • Results of the tests

  • Working manuals

  • Audits Reports

  • Study tour report




  • All tasks under umbrella of this Project are effectively coordinated and all people involved are well informed



Activities

Means




Assumptions

Recommendations in the area of manipulation with health documentation

- Create operational procedure to ensure confidentiality of health documentation while interpretation outside of CSSA in accordance with “Directive 95/46/EC of the European parliament and of the council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”.


Suggestions in the area of international electronic communication

- Provide suggestions for secure transborder electronic data transmission containing sensitive information incl. health documentation, in accordance witch „Directive 95/46/EC of the European parliament and of the council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”.


Suggestion in the area of indicated security requirements

- Collection of information from other EU Member States for implementation of international standard ISO/IEC 27002 within the CSSA.

- Discussion on changes related to personal and sensitive data protection as an impact of standard ISO/IEC 27002 related to Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.

- Providing suggestions based on useful experience of other EU Member States to implementation of ISO/IEC 27002.

- Training and testing the CSSA´s employees how to implement international standard ISO/IEC 27002 on security policy documents.

- Explanation of international standard ISO/IEC 27002 subject to agreement of Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data..

- Discussion on difficulties related to ISO/IEC 27002 for public administration esp. the CSSA.

- Testing of knowledge of international standard as above (approx. 15 persons)


Upgrade of the existing tools and methodology of the information security policy at the CSSA

- Upgrade of current status of information security policy of the Czech Social Security Administration.

- Assessment of current document “The CSSA information security policy”

- Advisory assistance in drafting of an up-dated parts of security policy of the CSSA.

- Recommendation how to adapt the CSSA original document.

- Draft of an up-dated part of security policy document of the CSSA in accordance with ISO/IEC 27002 and Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.

- Discussion on impact of the ISO/IEC 27002 standard on structure of security policy document.

- Drafting of an analytical document concerning possible improvements in the area of the CSSA security policy methodology based on the existing document “The CSSA information security policy

- Recommendation and suggestions related to ISO/IEC 27002.
Development of a strategic document for information security policy and Study visit.

- A study visit will be organised to observe the situation in the Member State of the twinning partner . The situation will be discussed and analysed for purposes of the CSSA.

- Discussion on ISO/IEC 27002 standard and impact of ISO/IEC 27002 standard on institution in public administration.

- Advisory assistance in changing of the current security policy according the international standard as above.

Training Security Policy Department of the CSSA staff .


TWL contract: 0,160 M€

MTE+STEs (in total 6 man-months ) -

analysis, recommendation and overall coordination and delivering the project outputs.

Experts must have minimum 5 years practical experience in the subject matter of the Project (and in the area of health insurance data).







The proposed project will further develop and deepen the results of the previous projects

Preconditions





















The database is protected by copyright ©ininet.org 2016
send message

    Main page