Frequently Asked Questions
Why is it necessary to create the EU-SEC Framework?
Today, many different certificates and labels are used by cloud service providers. Thus, for the Cloud user companies it is challenging to figure out, which services and providers can be trusted in terms of security, privacy, compliance and transparency. The EU-SEC Framework will define principles, rules and processes for mutual recognition between the different certification schemes and will provide guidance tested and validated in pilots involving industrial partners.
How does EU-SEC contribute to information security and compliance?
The EU-SEC project further contributes to an enhanced and sophisticated mapping of laws, regulation and industry requirements to widely recognised, best practise controls related to Cloud security. This mapping can be used by Cloud Service providers, member state officials as well as audit companies and certification institutions. EU-SEC also incorporates know-how from professionally conducted audit and assessment engagements, streamlining audits and lowering the cost of compliance. Furthermore, EU-SEC provides metrics on performance of controls, allowing for more streamlined and integrated risk management.
How do involved governments support the EU-SEC Project?
The Slovenian Government sees this project as the opportunity for an advanced and coherent quality management way of Slovenian emerging cloud ecosystem. The government has been giving the organisational, personnel and administrative support, as well as the diverse dissemination opportunities for public servants to get acquainted with the project. Slovak Government also provides personal capacities and will provide cloud infrastructure in the future, where EU SEC audit will be executed.
How important is automation in for banking industry’s compliance?
Currently, there is still a lack of control of outsourced services for financial as well as for every company that want to introduce new technologies without doing ‘in-house’ deployment. The automatic tools that will help with compliance control of externalised services will:
• allow the adoption of new technologies such as the Cloud Computing, which is aligned with the strategy of the Digital Single Market proposed by the European Commission,
• increase the competitiveness of CSP lowering cost and time of outsourced services deployment, which directly affects the competitiveness of all the companies to which it can subcontract,
• and speed up the provision of compliance responses to the Competent Authority requirements.
How can the audits be automated by the EU-SEC Framework?
Fully automated auditing process is a long-term goal with many milestones to be achieved in prior. Currently, the consortium is working on identifying the appropriate auditing requirements relevant for the EU-SEC Framework. It will help to enhance the continuous audit approach and relevant tools and concepts. The EU-SEC project unambiguously defines the approach with which Cloud services can be audited leveraging the approach of continuous audit. It defines, frame conditions which can be incorporated into the design of future security audit tools aiming to audit Cloud services, continuously.
How does EU-SEC ensure the framework’s trustworthiness?
The EU-SEC Project aims to create a framework, under which accepted and recognised certification and assurance approaches can co-exist. The framework will be trustworthy as it is open to stakeholders by providing transparent governance processes. These drive and support the continuous development of the mutual recognition between different certification schemes. Furthermore, the governance processes provide a reference architecture including a set of tools which enable for the contribution to the international standardisation of compliance initiatives.
Will the EU-SEC Framework be extended for countries outside Europe?
EU-SEC control and requirements repository will include security and privacy requirements from existing standards, laws and regulations such as CSA CCM, ISO27001, ISO27017, ISO27018, AICPA Trust and Security Principles, ENISA Information Assurance Framework, German Federal Security Agency (BSI) C5, ANSSI cloud certification standard, Slovak Ministry of Finance, Slovenian Ministry of Public Administration and other industry specific requirements. With that said, the scope of the EU-SEC Framework is already extending outside EU countries.
How will the EU-SEC Framework be brought to the market?
Dissemination and exploitation activities of the project partners will ensure that the EU-SEC framework will be known and adopted by the Cloud market. The project will also closely cooperate with the European commission and provide its results to the respective cyber security groups responsible for certification. The framework, validated by its pilots, will be presented Europe-wide in interactive workshops, conferences and delivery events supported by the project partners.