ISKE

Introduction

ISKE = three-level baseline security system for information systems

Every kind of information security is based on risk analysis: considering risk factors, identifying the areas that need security measures and the security risks of those areas, determining the probability and severity of the risks, selecting and improving security measures, accepting the retained risk… In its full scope this is a very labour-intensive process. Here we deal only with baseline security. Baseline security is a typical minimal set of security measures that must be implemented in order to achieve and preserve the security level prescribed for the information assets.

ISKE, a three-level baseline security system for information systems, is intended for achieving and preserving the security of the information systems that process the databases of the Estonian State and its local governments, and of the information assets related to these systems. ISKE can also be implemented easily in business associations and non-profit organisations. ISKE is not intended for securing information systems that handle state secrets.

ISKE was created and developed on the basis of the information security standard IT Baseline Protection Manual (IT-Grundschutz) issued by the German BSI (Bundesamt für Sicherheit in der Informationstechnik, Federal Office for Information Security).

The first version of the ISKE implementation manual was finished in October 2003; the current version is 4.01 (16.12.2008).

The Government of the Republic of Estonia approved the System of Security Measures for Information Systems with its Regulation No. 252 (RT I 2007, 71, 440) of December 20, 2007, which entered into force on 1.01.2008. The obligatory implementation of ISKE is prescribed in the Estonian law AvTS § 439 subsection 3: "Use of support systems for the maintenance of the state information system is mandatory upon maintenance of all state and local government databases."

In addition to the registrars of databases (registries), the users of the relevant registries are also obliged to implement the measures of ISKE. The main reason for this is that although the state registries (for example the Registry of Construction Works or the Population Registry) are not located on the premises of the user (a local government) and the user is not the chief processor of these registries, users still have the right to query these registries, to update data and to perform other actions. If a user does not ensure a sufficient level of security, the security of the registry as a whole cannot be ensured either.

ISKE describes three levels of security: „L“ (low), „M“ (medium) and „H“ (high). There is an additional marking „Z“ which denotes recommended measures that may be needed primarily in the case of the highest security requirements. The set of measures has a layered structure: the medium security level is achieved by adding certain measures to those of the low security level, and the high security level is achieved by adding certain measures to those of the medium security level.

The required level of security is determined according to the information security goals, via the parameters of availability (K, as in käideldavus), integrity (T, as in terviklus) and confidentiality (S, as in salajasus). Each of these parameters is evaluated on a scale from 0 to 3. The security class marking of data is composed of the markings of the sub-classes in the fixed order KTS (for example, K2T3S1).

The chief processor of a database belonging to the security class «H» is obliged to conduct the first audit of the implementation of the system of security measures by March 1, 2010 at the latest; for a database in the security class «M» this audit must be conducted by December 1, 2010 at the latest, and for a database in the security class «L» by March 1, 2011 at the latest.

The chief processor of a database belonging to the security class «H» must conduct an independent audit of the implementation of the system of security measures every two years; for a database in the security class «M» this audit must be conducted every three years, and for a database in the security class «L» every four years.
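The two passages above define a notation (the KTS class marking with each sub-class rated 0 to 3) and an audit schedule (first-audit deadlines and recurring intervals per level). The following Python is an added example, not code from the page or from MicroLink, showing how an asset register could validate class markings and compute audit due dates from those stated rules. It deliberately does not derive the L/M/H level from a KTS class, because the page does not state that mapping; the level is supplied by the caller. Function names and the constructed sample inputs are my own.

```python
"""Validate ISKE security class markings and compute audit due dates.

Added example (not from the ISKE manual or MicroLink). Notation and audit
intervals follow the page text; the class-to-level mapping is NOT derived
here because the page does not give it, so `level` is a caller input.
"""
import calendar
import re
from datetime import date

# Sub-classes must appear in the fixed order K, T, S, each rated 0..3.
_CLASS_RE = re.compile(r"^K([0-3])T([0-3])S([0-3])$")

# Years between independent audits, per security level (from the page).
AUDIT_INTERVAL_YEARS = {"H": 2, "M": 3, "L": 4}

# Deadline for the first implementation audit, per level (from the page).
FIRST_AUDIT_DEADLINE = {
    "H": date(2010, 3, 1),
    "M": date(2010, 12, 1),
    "L": date(2011, 3, 1),
}


def parse_security_class(marking: str) -> dict:
    """Return {'K': int, 'T': int, 'S': int} for a well-formed marking.

    Rejects wrong sub-class order (e.g. 'T3K2S1'), missing sub-classes
    and values outside 0..3. Lower-case and surrounding spaces are tolerated.
    """
    m = _CLASS_RE.match(marking.strip().upper())
    if not m:
        raise ValueError(
            f"invalid ISKE class marking {marking!r}: expected KxTySz with x,y,z in 0..3"
        )
    k, t, s = (int(g) for g in m.groups())
    return {"K": k, "T": t, "S": s}


def format_security_class(k: int, t: int, s: int) -> str:
    """Build a marking in the canonical KTS order, range-checking each value."""
    for name, value in (("K", k), ("T", t), ("S", s)):
        if not 0 <= value <= 3:
            raise ValueError(f"sub-class {name} must be in 0..3, got {value}")
    return f"K{k}T{t}S{s}"


def _add_years(d: date, years: int) -> date:
    """Add whole years; a Feb 29 start that lands on a non-leap year becomes Feb 28."""
    year = d.year + years
    last_day = calendar.monthrange(year, d.month)[1]
    return date(year, d.month, min(d.day, last_day))


def next_audit_due(level: str, last_audit: date) -> date:
    """Date by which the next independent audit is due after `last_audit`."""
    return _add_years(last_audit, AUDIT_INTERVAL_YEARS[level])


def audit_schedule(level: str, until: date) -> list:
    """All audit due dates from the first-audit deadline up to `until` (inclusive)."""
    due = FIRST_AUDIT_DEADLINE[level]
    schedule = []
    while due <= until:
        schedule.append(due)
        due = next_audit_due(level, due)
    return schedule


def is_audit_overdue(level: str, last_audit: date, today: date) -> bool:
    """True once `today` is past the due date computed from the last audit."""
    return today > next_audit_due(level, last_audit)


if __name__ == "__main__":
    # Constructed sample register entries: (marking, level assigned by the owner).
    for marking, level in [("K2T3S1", "H"), ("k1t1s1", "L"), ("T3K2S1", "M")]:
        try:
            parts = parse_security_class(marking)
            print(marking, parts, "audits due:", audit_schedule(level, date(2016, 1, 1)))
        except ValueError as exc:
            print("rejected:", exc)
```

Two design points: the regular expression anchors the order of the sub-classes so that a marking such as `T3K2S1`, which contains the right letters and digits in the wrong order, is rejected rather than silently reinterpreted; and year arithmetic goes through `_add_years` so that an audit dated February 29 does not raise on a non-leap target year.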

Additional information:
Avo Raup
IT Consultations Manager

MicroLink offers

Implementation of ISKE, consultation on it, and auditing. We help you prepare sufficient documentation, advise on assigning security classes to the information system, and guide you in establishing the entire security life cycle.

Activities
  • Preparing the project plan, selecting the client's contact persons, notifying them, distributing questionnaires and informing them about the further organisation of the work;
  • Mapping of databases, stock-taking of information assets;
  • Determining security classes and security levels for the databases and information assets;
  • Determining the ISKE modules and security measures to be implemented;
  • Preparing the action plan for implementing the security measures;
  • Performing financial analysis for every security measure to be implemented;
  • Supplementing or amending the existing documentation for implementing organisational security measures, if necessary.
Additionally
  • MicroLink specialists will provide continuous know-how about information security and will raise the awareness of the client’s employees regarding information security.
Advantages of MicroLink:
  • Long-term experience in housing and administration of business-critical information systems and related information assets;
  • Trained and certified project managers;
  • Trained and certified specialists (Microsoft, Unix/Linux, Oracle, network administration, computer workstations, data security, customer service / Helpdesk);
  • Trained and certified auditors (auditor with a CISA certificate as a sub-contractor [link: http://www.eisay.ee/166]);
  • Our processes conform to the ISO 9001:2008 quality standard;
  • Our team also has long-term experience with using and implementing ITIL (Information Technology Infrastructure Library, set of best practices for IT management) processes;
  • Options for security testing (penetration test).