X-Road regulations

EduCloud Alliance

March 24, 2014

Transcript

  1. AS Mandator Estonia: X-Road regulations

    Document history

    Date: 19.12.2006. Version: 1.0. Description: Final version. Author: written by Lembe Käärmann, translated by Eric Reppo.
  2. Table of Contents

    Introduction
    1 Terminology
    2 X-Road operating principles
      2.1 Description of X-Road
      2.2 X-Road architecture
      2.3 The path of queries in the X-Road
      2.4 Security of the X-Road
      2.5 X-Road administrative support provided by RIHA
    3 X-Road organization
      3.1 X-Road organization's tasks, competencies and responsibilities
        3.1.1 X-Road management organization responsibilities
        3.1.2 Tasks of the X-Road centre
        3.1.3 Tasks for X-Road partners
      3.2 X-Road organizational structure
        3.2.1 X-Road management organization
        3.2.2 X-Road centre
        3.2.3 X-Road partners
        3.2.4 X-Road organizational structure
    4 X-Road regulations
      4.1 Requirements for the X-Road management organization
      4.2 Requirements for the X-Road centre
        4.2.1 Environmental requirements
        4.2.2 Procedures for joining the X-Road
        4.2.3 Maintenance procedures for X-Road hardware and software
        4.2.4 Auditing of the X-Road centre
      4.3 Requirements for X-Road partners
        4.3.1 Minimum security procedures for organizations joining the X-Road
        4.3.2 The joining of service consumers to the X-Road
        4.3.3 The joining of service providers to the X-Road
        4.3.4 The joining of application service providers to the X-Road
        4.3.5 Certificate application process
        4.3.6 Procedures for changing the address of a security server or contact information
        4.3.7 Changing of the address or key of the central server
        4.3.8 Other exchanges of information
      4.4 Conditions for joining the X-Road
        4.4.1 Conditions for joining for X-Road partners
        4.4.2 Technical procedure for joining the X-Road
      4.5 Incident management
      4.6 X-Road development procedures
        4.6.1 Development of X-Road components
        4.6.2 Development of new services
        4.6.3 Service maintenance and administration
        4.6.4 Testing
    5 Final comments
    6 Associated documents
    7 Appendix 1: Supplemental information
      7.1 Security requirements
      7.2 Incident handling procedure
      7.3 Requirements for developers
      7.4 X-Road centre archival and backup procedures
        7.4.1 Archival procedure
        7.4.2 Backup procedure
      7.5 Hardware requirements for the X-Road
  3. Introduction

    The state information systems' data transport layer X-Road (X-tee) is a technical and organizational environment that enables secure data transfer between digital state databases and between individuals and state institutions. It also coordinates the access of individuals to information processed in state databases.

    The current document provides an overview of the operating principles of the X-Road, describes the structure and tasks of the organization responsible for the X-Road and defines regulations for X-Road functionality. Complying with X-Road regulations is mandatory for all organizations that have joined the X-Road. The current document is required reading for parties that join the X-Road as well as for those that maintain the data transport layer. Technical documentation for the support and operation of the X-Road is available on the webpage of the Estonian Informatics Centre (http://www.ria.ee).

    X-Road is one of six core state information systems that support all state information systems. The organization responsible for the X-Road uses the administration system of the state information system (RIHA) to help administer the X-Road. RIHA is also one of the six supporting state information systems, and use of all six is mandatory for all national and local state information systems. RIHA is scheduled to begin operations by the end of 2007; the current document refers to functionality that will exist in RIHA. Until RIHA is ready, the existing state information systems registry (ARR) (https://www.eesti.ee/arr/index.jsp) will be used to administer the X-Road. ARR contains a list of state institutions that have joined the X-Road, their associated information systems, the services provided by those information systems and related information. Application forms for joining the X-Road and additional information are available on the Estonian Informatics Centre homepage (http://www.ria.ee).

    Information referenced in the current document that will be available in RIHA must be available via the X-Road centre until RIHA begins operation. General principles of operation and administration of the X-Road are defined in the government statute "Implementation of Information systems data transport layer", RTI, 23.12.2003, 83, 568. English documentation for the X-Road is available on the Estonian Informatics Centre home page (http://www.ria.ee/27309). The current X-Road infrastructure and its associated support organization are based on the principle of separation and balance of powers and on the distribution of responsibilities prescribed in legislation. The technical infrastructure of the X-Road is designed to be independent of the present guidelines document and of X-Road associated legislation.
  4. 1 Terminology

    Adapter server: software that converts queries arriving from the X-Road into a form that can be processed by the database's data server (which is independent of the X-Road), and returns the data server's response in a form suitable for the X-Road.

    Authentication service provider: in the X-Road system, a bank that provides citizens with an authentication service. Bank-offered authentication is an alternative to the ID card.

    Central server: software that ensures that all service consumers are certified and directs their queries to the appropriate certified service providers. Information about certified security servers is transmitted to the other security servers via the central server.

    Data Protection Inspectorate: according to Article 34 of the Personal Data Protection Act, the Data Protection Inspectorate is independent in the performance of its functions and acts pursuant to the Personal Data Protection Act, other Acts and legislation established on the basis thereof.

    DNS: Domain Name System, a name service that associates domain names with IP addresses.

    DNSSEC: Domain Name System Security Extensions. DNSSEC extends DNS with cryptographically signed responses.

    Estonian Informatics Centre (Estonian abbreviation RIA): a subdivision of the Ministry of Economic Affairs and Communications, responsible for the coordination and implementation of the development of state registers, computer networks and data communication, standardization, IT public procurement, monitoring the Estonian IT situation, etc.

    ISKE: based on the German IT Baseline Protection Manual. The goal of applying the ISKE guidelines is to ensure the appropriate security level of data processed by databases/information systems. The ISKE guidelines are primarily meant for assuring the security levels of databases/information systems and related IT assets maintained by state and municipal governments.

    Local monitoring server: software that accepts monitoring information from security servers.

    MISP: Mini Information System Portal. MISP software allows the automatic generation of user interfaces for X-Road services and enables services to be segmented between different user groups.

    Monitoring server: software that allows X-Road monitoring and shows the status of security servers. Monitoring servers are either local or central.

    RIHA: Administration system of the state information system, a registry of state databases and services. The objective of RIHA is to create an integrated information system giving a clear view of the state's registers and the services they provide. Service descriptions are held in a UDDI repository.
  5. Security grade: a security level determined, using the ISKE guidelines, from the importance of the underlying data.

    Security measures: the organizational tasks, methods and technical processes implemented to achieve and preserve data security.

    Security servers: physically separate computers with specialized software installed. All X-Road communication travels via security servers. Security servers encrypt and decrypt data, keep logs, and deny access to unauthorized users.

    Service: in the X-Road sense, a predefined query sent to a database, where a response is generated and returned to the query initiator. An authorized and interested individual can initiate a service, which can result in the addition, modification or deletion of data in a database according to processes dictated by government regulations.

    Service consumer: an institution or organization that wishes to use services provided by service providers.

    Service provider: a database that has been attached to the X-Road and modified to safely provide services over the X-Road.

    SOAP: Simple Object Access Protocol, a protocol for exchanging XML-based messages over a computer network, normally using HTTP.

    Test-road: has an architecture analogous to the X-Road but is used for testing and education.

    UDDI: Universal Description, Discovery, and Integration, a platform-independent, XML-based registry and one of the core Web Services standards. It is designed to be interrogated by SOAP messages and to provide access to Web Services Description Language documents describing the protocol bindings and message formats required to interact with the web services listed in its directory.

    WSDL: Web Services Description Language, an XML-based language that provides a model for describing Web services.

    XMLRPC: Extensible Markup Language Remote Procedure Call, a remote procedure call protocol that uses XML to encode its calls and HTTP as a transport mechanism.

    X-Road: a platform-independent secure standard interface between databases and information systems, used to connect the databases and information systems of the public sector.
  6. 2 X-Road operating principles

    2.1 Description of X-Road

    The X-Road was created in 2001 to standardize the growing number of connections being created over the internet between databases. The goal of the X-Road project was to develop the software, hardware and supporting organization for implementing the data transport layer; the implementation had to be usable by the majority of state information systems. The X-Road project was successfully implemented with the assistance of AS Cell Network and Cybernetica AS.

    The X-Road is a standard data communication layer between databases and information systems that allows information systems with differing underlying platforms to exchange data. Platform independence is achieved by using the SOAP and XMLRPC protocols. XMLRPC support will be discontinued at the end of 2008, after which SOAP will remain the only supported protocol.

    2.2 X-Road architecture

    The X-Road architecture consists of X-Road servers, X-Road server software and the databases/information systems that have joined the X-Road (see figure 1). An X-Road web service consists of a predefined query and response: a query sent by a service consumer to an information system produces a response consisting of a predefined collection of data corresponding to the content of the query. The database that responds to the query is the service provider. Every request carries a header that identifies the individual making the query, the institution of that individual, the information system making the query, and so on. An X-Road service may be part of a complex X-Road service in which one X-Road service calls other X-Road services to generate its response. In addition to the standard X-Road service described above, the X-Road can be used to transfer documents, files and large structured datasets.

    Institutions that join the X-Road and wish to use X-Road services may choose to install the X-Road MISP (Mini Information System Portal). MISP enables institutions to automatically create a user interface for X-Road services and to manage usage rights. Institutions are also free to integrate X-Road services into their existing information systems.

    The X-Road infrastructure consists of security servers, central servers, certificate servers and monitoring servers. The X-Road security server is standard software installed on a server at each institution that joins the X-Road. All data travelling over the X-Road passes through the security servers. Every security server is certified by the X-Road certification centre using a hardware module, and information about the certified security servers is distributed to the other security servers via the central server. Security servers encrypt and decrypt data, generate usage logs, enforce usage rights for services and prevent unauthorized access. The use of security servers assures institutions that their data travels securely over the internet. The X-Road uses local and central monitoring servers to monitor the status of security servers and gather usage statistics.
  7. The X-Road architecture is described in the following drawing.

    Figure 1: X-Road architecture

    An analogous architecture is used for the Test-road, which is used for testing and education. All X-Road services must be tested on the Test-road; testing is forbidden in the production X-Road environment. All developers of X-Road services should join the Test-road.

    Example: a state official, via their institution's information system (service consumer), wishes to use an X-Road service to access information in another institution's database (service provider). The process is as follows:
    1. The official logs into their institution's information system as they normally would for everyday tasks;
    2. The information system informs the institution's security server that it wants to use an X-Road service provided by another institution's database;
    3. The institution's security server sends the encrypted request to the security server of the X-Road service provider;
    4. The security server of the service provider checks whether the requester is authorized to use the X-Road service. If so, the request is decrypted and sent to the adapter server of the database;
    5. The adapter server receives the response to the X-Road query generated by the database server. The response travels back to the requester along practically the same path the query took to the database.

    The next section describes in detail the path travelled by X-Road queries.
  8. 2.3 The path of queries in the X-Road

    Service consumer's security server:
    1. Transforms the query received from the information system from XMLRPC to SOAP, if necessary;
    2. Signs the body of the query;
    3. Looks up the IP address of the service provider (DNSSEC);
    4. Sends its certificate to the security server of the service provider.

    Security server of the service provider:
    1. Verifies the certificate of the service consumer's security server (DNSSEC);
    2. Returns a certified response carrying its own certificate.

    Security server of the service consumer:
    1. Verifies the certificate of the service provider's security server (DNSSEC);
    2. Sends the digitally signed contents of the query.

    Security server of the service provider:
    1. Verifies the signature of the query;
    2. Logs the contents of the query;
    3. Checks the consumer's usage rights for the service;
    4. Transforms the query from XMLRPC to SOAP, if necessary;
    5. Sends the query to the adapter server.

    Adapter server:
    1. Transforms the query into a format usable by the database platform;
    2. Sends the query to the database;
    3. Transforms the query response to SOAP or XMLRPC;
    4. Sends the response to the security server.

    Security server of the service provider:
    1. Transforms the response from XMLRPC to SOAP, if necessary;
    2. Digitally signs the response and sends it to the security server of the consumer.

    Security server of the service consumer:
    1. Verifies the digital signature;
    2. Logs the contents of the query response;
    3. Transforms the response from SOAP to XMLRPC, if necessary;
    4. Sends the query response to the information system.
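    The exchange above, reduced to the steps a security server actually decides on (verify the sender is certified, verify the signature, log, check usage rights, forward, sign the reply), as an added example written for this page; it is not X-Road's own software. It assumes Ed25519 signatures and a JSON message in place of the SOAP envelope and the unspecified signature scheme, a Registry map in place of the certificate information distributed by the central server and DNSSEC, and an ACL map for institution-level usage rights; the header field names and the institution and service names are invented. One deliberate choice: the signature covers the header as well as the body, so an identity field cannot be altered in transit while the body signature still verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Header holds what the regulations say every query carries (person, institution,
// information system, service); the field names are this example's own invention.
type Header struct{ UserID, Consumer, InfoSystem, Producer, Service string }

// Message is a query or response in transit between two security servers.
type Message struct {
	Header Header
	Body   string
	Sig    []byte // sender's signature over Header and Body
}

// Registry (institution -> certified public key) stands in for the certificate data
// the central server distributes; ACL (service -> institutions) is the provider-side rights table.
var (
	Registry = map[string]ed25519.PublicKey{}
	ACL      = map[string]map[string]bool{}
)

// SecurityServer models one institution's security server and its usage log.
type SecurityServer struct {
	Institution string
	priv        ed25519.PrivateKey
	Log         []string
}

// NewSecurityServer makes a key pair and "certifies" the server by publishing its
// public key (an assumed stand-in for the hardware-module certification in the text).
func NewSecurityServer(inst string) *SecurityServer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	Registry[inst] = pub
	return &SecurityServer{Institution: inst, priv: priv}
}

// toBeSigned covers Header and Body together, so identity fields cannot be swapped
// while a signature over the body alone would still verify.
func toBeSigned(m Message) []byte {
	m.Sig = nil
	b, _ := json.Marshal(m) // only strings and bytes inside; Marshal cannot fail
	return b
}

func (s *SecurityServer) Sign(m Message) Message {
	m.Sig = ed25519.Sign(s.priv, toBeSigned(m))
	return m
}

// Verify checks that the claimed sender is certified and signed exactly these bytes.
func (s *SecurityServer) Verify(m Message, sender string) error {
	pub, ok := Registry[sender]
	if !ok {
		return fmt.Errorf("%s: %s is not a certified security server", s.Institution, sender)
	}
	if !ed25519.Verify(pub, toBeSigned(m), m.Sig) {
		return fmt.Errorf("%s: signature check failed on message from %s", s.Institution, sender)
	}
	return nil
}

// HandleQuery is the provider side: verify, log, check usage rights, forward to the
// adapter (a function standing in for adapter server plus database), sign the reply.
func (s *SecurityServer) HandleQuery(q Message, adapter func(service, body string) string) (Message, error) {
	if err := s.Verify(q, q.Header.Consumer); err != nil {
		return Message{}, err
	}
	s.Log = append(s.Log, fmt.Sprintf("query %s from %s/%s", q.Header.Service, q.Header.Consumer, q.Header.UserID))
	if !ACL[q.Header.Service][q.Header.Consumer] {
		return Message{}, fmt.Errorf("%s: %s has no usage right for %s", s.Institution, q.Header.Consumer, q.Header.Service)
	}
	return s.Sign(Message{Header: q.Header, Body: adapter(q.Header.Service, q.Body)}), nil
}

// RunQuery is the consumer side: sign, send, verify the signed response, log.
func (c *SecurityServer) RunQuery(p *SecurityServer, h Header, body string, adapter func(service, body string) string) (string, error) {
	resp, err := p.HandleQuery(c.Sign(Message{Header: h, Body: body}), adapter)
	if err != nil {
		return "", err
	}
	if err := c.Verify(resp, p.Institution); err != nil {
		return "", err
	}
	c.Log = append(c.Log, "response for "+h.Service)
	return resp.Body, nil
}

func main() {
	population, tax := NewSecurityServer("population-register"), NewSecurityServer("tax-board")
	ACL["population.getPerson"] = map[string]bool{"tax-board": true}
	lookup := func(service, body string) string { return "person:" + body } // constructed database stand-in
	h := Header{UserID: "official-1", Consumer: "tax-board", InfoSystem: "tax-is", Producer: "population-register", Service: "population.getPerson"}
	fmt.Println(tax.RunQuery(population, h, "person-42", lookup)) // accepted
	q := tax.Sign(Message{Header: h, Body: "person-42"})
	q.Header.Consumer = "museum" // altered in transit: no certified key for museum, refused before the rights check
	fmt.Println(population.HandleQuery(q, lookup))
}
```

    Running it shows the provider refusing, in turn, an uncertified sender, a message whose signature does not match the claimed consumer, and a certified consumer that has no usage right, and only then forwarding to the adapter; both sides log before any rights decision, which is what makes the logs useful for incident handling later in this document.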
    In addition to the query-response type of service, the X-Road also provides:
    • Complex queries: queries that use other X-Road services to generate their response;
    • An authentication and authorization service;
    • Classifications;
    • Control of input/output parameter size and type;
    • SOAP with Attachments (SwA);
    • Asynchronous messages;
    • Document forwarding as an attachment.

    2.4 Security of the X-Road

    The security of the X-Road is ensured by its architecture together with its supporting organization and technical infrastructure. Data exchanged by service consumers and providers is encrypted as it travels between security servers. Central servers ensure that all service consumers are certified and route queries to the appropriate certified service provider. Local monitoring servers monitor the security servers of the service providers
  9. and consumers. From the central monitoring servers it is possible to view the status of all security servers as well as usage statistics for the entire X-Road.

    Query permission is controlled by a two-step process:
    1. Permission to use a service is granted at the level of an institution and/or a group of institutions. These permissions are stored on the security server of the service provider. For example, a service provider can specify that a specific service is available to all municipal governments.
    2. Permissions for individual users are governed by the information system of the service consumer. For example, the tax board defines which services each of its officials may use.

    Individuals are authenticated with their ID card or with the authentication services provided by the banks, so every user of the X-Road is authenticated.

    Every database administrator (the person responsible for the database) determines the security grade of their database in accordance with the ISKE guidelines (www.ria.ee/iske). Having determined the security grade, they must also apply the corresponding security measures. Security measures must be applied to every component associated with the database, from the database and application down to infrastructure components such as cabling and the server room. Appropriate security measures must likewise be applied to all X-Road components: adapter servers, security servers, network connections and so on.

    Service consumers must ensure that their security level meets the level demanded by the service provider (ISKE security grades are L, M or H). To reach the required grade the service consumer must apply the corresponding security measures. The service provider's security server handles all service requests and must therefore be at the same grade as the database providing the service.

    The security grade of each service is determined by the service provider and must be the same as or higher than the security grade of the database providing the service. The security grade of a service consumer must be at least the highest security grade among the services it consumes. Security grades must be determined with the needs of both the service provider and the service consumer in mind.

    2.5 X-Road administrative support provided by RIHA

    RIHA is used to assist in the administration of the X-Road. RIHA contains contact information and technical information for all institutions that have joined the X-Road and the Test-road. It also contains metadata for databases and the services they provide. RIHA is accessible via the X-Road or via a web interface. Users authenticated with their ID card are able to register databases, make requests to join the X-Road and sign agreements to join the X-Road. Database administrators register their databases and the services provided by them, along with technical and logical descriptions and principles of use. For example, a service might be immediately available to all institutions (city governments, municipal governments). The person responsible for the database provides their contact
  10. information. If the administrator differs from the person responsible, their contact information must be provided as well.

    NB! Provisioning usage rights for services is the exclusive responsibility of the service provider.

    Service descriptions in RIHA contain: service ID, inputs, outputs, classifications (WSDL), semantic description, security grade, contact information, and details on how to report incorrect data provided by a service.

    The principles of use of a service determine to whom and under what guidelines a service is available. The principles of use must state the availability level of the service, and service providers must meet the minimum availability levels set out in their principles of use.
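    The two-step permission model and the security grade rules of section 2.4, as an added example written for this page (not X-Road software). It assumes the ordering L < M < H for ISKE grades, a group membership table such as "all municipal governments", a per-official rights table held by the consumer's own information system, and invented institution, database and service names. Step 2 is evaluated first here because it runs in the consumer's system before the query leaves; step 1 runs on the provider's security server when the query arrives.

```go
package main

import "fmt"

// Grade is an ISKE security grade. The text names them L, M and H; the ordering
// L < M < H is this example's reading of "the same or higher".
type Grade int

const (
	L Grade = iota
	M
	H
)

func (g Grade) String() string { return [...]string{"L", "M", "H"}[g] }

// ProviderPolicy is what the service provider holds: institution- and group-level
// usage rights (step 1), plus the grades of its databases and services.
type ProviderPolicy struct {
	Groups   map[string][]string // group -> member institutions, e.g. all municipal governments
	Allowed  map[string][]string // service -> institutions or groups granted the service
	Serves   map[string]string   // service -> database that answers it
	DBGrade  map[string]Grade    // database -> grade set by its administrator
	SvcGrade map[string]Grade    // service -> grade declared by the provider
}

// InstitutionAllowed is step 1: the institution is named directly or belongs to a named group.
func (p ProviderPolicy) InstitutionAllowed(service, inst string) bool {
	for _, principal := range p.Allowed[service] {
		if principal == inst {
			return true
		}
		for _, member := range p.Groups[principal] {
			if member == inst {
				return true
			}
		}
	}
	return false
}

// GradeProblems reports services graded below the database that provides them.
func (p ProviderPolicy) GradeProblems() []string {
	var out []string
	for svc, db := range p.Serves {
		if p.SvcGrade[svc] < p.DBGrade[db] {
			out = append(out, fmt.Sprintf("%s is graded %s but database %s is graded %s", svc, p.SvcGrade[svc], db, p.DBGrade[db]))
		}
	}
	return out
}

// RequiredGrade is the minimum grade a consumer needs: the highest among the services it uses.
func (p ProviderPolicy) RequiredGrade(services []string) Grade {
	need := L
	for _, svc := range services {
		if p.SvcGrade[svc] > need {
			need = p.SvcGrade[svc]
		}
	}
	return need
}

// ConsumerPolicy is what the consumer's own information system holds: per-official
// rights (step 2) and the institution's own security grade.
type ConsumerPolicy struct {
	Institution string
	Grade       Grade
	UserRights  map[string][]string // official -> services that official may use
}

// UserAllowed is step 2, decided inside the consumer's information system.
func (c ConsumerPolicy) UserAllowed(user, service string) bool {
	for _, svc := range c.UserRights[user] {
		if svc == service {
			return true
		}
	}
	return false
}

// Authorize runs both steps and the grade rule and reports which one refused.
func Authorize(p ProviderPolicy, c ConsumerPolicy, user, service string) error {
	if !c.UserAllowed(user, service) {
		return fmt.Errorf("step 2: %s at %s may not use %s", user, c.Institution, service)
	}
	if !p.InstitutionAllowed(service, c.Institution) {
		return fmt.Errorf("step 1: %s has no right to %s", c.Institution, service)
	}
	if need := p.RequiredGrade([]string{service}); c.Grade < need {
		return fmt.Errorf("grade: %s is %s but %s requires %s", c.Institution, c.Grade, service, need)
	}
	return nil
}

func main() { // constructed sample policy
	p := ProviderPolicy{
		Groups:   map[string][]string{"municipal-governments": {"tallinn", "tartu"}},
		Allowed:  map[string][]string{"population.getPerson": {"municipal-governments", "tax-board"}},
		Serves:   map[string]string{"population.getPerson": "population-register"},
		DBGrade:  map[string]Grade{"population-register": M},
		SvcGrade: map[string]Grade{"population.getPerson": M},
	}
	tartu := ConsumerPolicy{Institution: "tartu", Grade: M, UserRights: map[string][]string{"clerk-1": {"population.getPerson"}}}
	fmt.Println(Authorize(p, tartu, "clerk-1", "population.getPerson")) // allowed via the group
	fmt.Println(Authorize(p, tartu, "clerk-2", "population.getPerson")) // step 2 refuses
}
```

    GradeProblems is the check a provider should run when registering a service: a service declared at grade L in front of a database graded M violates the rule that the service grade must be the same as or higher than its database, and RequiredGrade gives a consumer the grade it must reach before consuming a given set of services.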
  11. 3 X-Road organization

    3.1 X-Road organization's tasks, competencies and responsibilities

    The X-Road organization's duty is to ensure the proper functioning of the X-Road as well as its ongoing development in accordance with the needs of its users. The X-Road organization consists of the following (see figure 2):
    • Management organization, consisting of the Estonian Informatics Centre (RIA) director and department heads;
    • Operational organization, known as the X-Road centre, consisting of individuals from various departments of RIA who administer and develop the X-Road;
    • Cooperative organization, known as the X-Road partners, consisting of service providers, service consumers, application service providers and authentication service providers.

    The X-Road organization is conceptually role-based. For example, an institution can be a service provider as well as a consumer of services provided by another institution. The Estonian Informatics Centre fills the following roles in the X-Road organization: X-Road management organization, X-Road centre, database administrator and service provider (RIHA), and application service provider (citizen's portal, entrepreneur portal, etc.), see figure 3.

    3.1.1 X-Road management organization responsibilities

    The management organization is responsible for planning and leading the X-Road organization, see figure 2. The management organization is divided into the following roles:
    • Head of the management organization;
    • Member of the management organization.

    The head of the management organization is responsible for:
    • The operational performance of the X-Road as well as the preparation of reports;
    • The signing, changing, suspending and ending of X-Road related agreements and contracts;
    • The signing, changing, suspending and ending of work contracts for members of the X-Road centre;
    • Approval of the X-Road budget;
    • Representing the X-Road organization or accrediting others to represent it;
    • Making decisions regarding the need for and financing of new services;
    • Approval of X-Road centre backup procedures and plans;
    • Approval of X-Road centre archival procedures and plans;
    • Appointment of the members of the management organization.

    The members and head of the management organization are responsible for carrying out the activities assigned by the management board, including:
    • Planning of activities for the X-Road organization;
    • Validation of activities performed by the X-Road organization;
    • Preparation and validation of budgets for the X-Road organization;
  12. • Planning and coordination of X-Road development in accordance with state information technology development priorities;
    • Coordination of proceedings for legal acts dealing with the operation of the X-Road;
    • Planning and approval of audits;
    • Resolution of complaints registered with the X-Road centre;
    • Processing of development proposals made by the X-Road centre.

    3.1.2 Tasks of the X-Road centre

    The X-Road centre carries out the tasks assigned to it by the X-Road management organization and ensures that the management organization has enough information to fulfil its responsibilities. The X-Road centre makes recommendations for the development and improvement of the X-Road. It performs tasks directly related to the administration of the X-Road as well as tasks that support its operation. Individuals belonging to the X-Road centre are divided into the following roles.

    Roles directly related to X-Road administration:
    • X-Road centre manager;
    • System supervisor;
    • Education manager;
    • RIHA supervisor;
    • User support.

    Supportive roles:
    • X-Road development manager;
    • RIHA development manager;
    • Internal auditor;
    • Security manager;
    • Technical manager;
    • Documentation administrator.

    The tasks of the X-Road centre manager include:
    • Carrying out the directives of the X-Road management organization;
    • Managing X-Road operations;
    • Administration of X-Road documentation, including the creation of agreements and other documents;
    • Informing X-Road users of events such as service interruptions;
    • Resolution of complaints made to the X-Road centre in accordance with the "X-Road complaint presentation and resolution" guidelines;
    • Relaying X-Road user comments, including development proposals and deficiency complaints, to the management organization;
    • Development and implementation of X-Road backup procedures and plans;
    • Development and implementation of X-Road archival procedures and plans;
    • Decryption and provision of logs related to a citizen.

    The tasks of the system supervisor include:
    • Administration of central servers;
    • Monitoring the operation of the X-Road;
    • Creation of service consumer groups to simplify rights management;
    • Ensuring that maintenance work is conducted in a timely manner and to an appropriate level of quality;
    • Handling of security incidents;
    • Technical communication with X-Road partners and other parties;
  13. • Planning and implementation of installations;
    • Resolving technical defects and installing software updates;
    • Changing the parameters of central servers;
    • Changing the keys of central servers;
    • Archiving;
    • Backups;
    • Restoration of backups.

    The X-Road centre education manager carries out the educational directives assigned to them, including the following tasks:
    • Development and organization of courses in accordance with X-Road development and educational requirements;
    • Preparation of educational timetables;
    • Organizing the preparation and administration of educational materials;
    • Coordination of the educational resources (instructors, classrooms, materials) required to run courses;
    • Analysis of the progress of education.

    The RIHA supervisor carries out the directives assigned to them, including the following tasks:
    • Monitoring the functioning of RIHA;
    • Resolution of technical defects, installation of software updates and problem administration;
    • Collection, processing and presentation of development requests to the RIHA development manager and the X-Road management organization;
    • Organizing the input of non-electronic (paper-based) information into RIHA.

    User support is responsible for user education, distributing information, incident management and incident resolution. This includes the following tasks:
    • Responding to telephone inquiries;
    • Registering incidents;
    • Responding to and/or forwarding e-mails sent to the X-Road centre;
    • Providing first-line support and advice to the system administrators of institutions that have joined the X-Road;
    • Collecting, processing and forwarding development requests to the X-Road development manager;
    • Acting as a liaison between end users and the X-Road centre;
    • Monitoring the operation of the X-Road.

    The X-Road development manager is responsible for the following tasks:
    • Collecting, processing and forwarding X-Road development requests to the X-Road centre manager and the X-Road management organization;
    • Creating development reports and preparing and/or assisting in the creation of development agreements;
    • Maintaining communication with X-Road partners regarding development requirements and requests;
    • Creating timelines for X-Road developments and updates;
    • Creation of development specifications.

    The RIHA development manager is responsible for the following tasks:
    • Collecting, processing and forwarding RIHA development requests to the X-Road centre manager and the X-Road management organization;
    • Creating development reports and preparing and assisting in the creation of development agreements;
    • Maintaining communication regarding RIHA development requirements and requests;
• Creating timelines for RIHA developments and updates;
• Change management.

The internal auditor is responsible for carrying out the following tasks:
• Creation of audit plans and their presentation to the management organization for approval;
• Carrying out regular audits in accordance with audit plans;
• Analyzing and creating reports based on audit results, and presenting these reports as well as suggestions for correcting deficiencies to the management organization.

The following audits are carried out by the auditor:
a) Audit of X-Road operations in comparison to the X-Road regulations and formal procedures;
b) Security audit in accordance with ISKE guidelines as well as X-Road specific requirements;
c) Software audit.

The security manager is responsible for carrying out the following tasks:
• Determining the security grade of X-Road components in accordance with ISKE guidelines;
• Monitoring the implementation of security guidelines;
• Informing the X-Road centre and management organization of security risks;
• Assisting X-Road partners in fixing security deficiencies;
• Cooperation with the Estonian Data Protection Inspectorate;
• Participating in security audits.

The technical manager is responsible for carrying out the following tasks:
• Maintaining components associated with the X-Road;
• Investigating the need for updates to X-Road components;
• Creating proposals for X-Road component updates to the X-Road centre manager.

The documentation administrator is responsible for the accuracy and timeliness of X-Road documentation, as well as ensuring that documentation corresponds to the appropriate regulations. This includes:
• Monitoring ongoing developments in government acts, decrees, statutes and regulations and informing the X-Road centre and management organization of required changes;
• Updating document templates and informing the X-Road centre and management organization of changes;
• Preparation of contracts/agreements.
3.1.3 Tasks for X-Road partners

X-Road partners are institutions that have joined the X-Road, including:
• Service consumers;
• Service providers;
• Application providers;
• Authentication service providers.

X-Road partners make practical use of the X-Road by providing/consuming services and exchanging data. X-Road service providers are responsible for the availability of their services.

X-Road service consumers are institutions or organizations that wish to consume the services provided by service providers. In order to join the X-Road the following roles must be defined within their organization/institution:
• Legal representative of the organization/institution who is authorized to sign contracts on behalf of the organization;
• System administrator;
• User rights administrator;
• Officials (users).

X-Road service providers are those organizations/institutions that have joined the X-Road and agreed to its usage guidelines. They have also enabled their databases to provide services electronically over the X-Road. In order to join the X-Road the following roles must be defined within their organization/institution:
• Legal representative of the organization/institution who is authorized to sign contracts on behalf of the organization;
• Authorized representative of the organization/institution, if the organization that administers the database is different from the organization that is responsible for the database;
• System administrator.

X-Road application providers are organizations that provide a secure environment for consuming X-Road services and rights management, but do not provide any X-Road services themselves. In order to join the X-Road the following roles must be defined within their organization/institution:
• Legal representative of the organization/institution who is authorized to sign contracts on behalf of the organization;
• System administrator.

Authentication service providers in the X-Road architecture are banks that provide citizens with a mechanism to authenticate themselves electronically. The bank provided authentication mechanism is an alternative to the ID card authentication mechanism. When all citizens possess an ID card the bank offered authentication mechanism will become unnecessary. The following roles must be defined in the organizations that provide authentication services:
• Legal representative of the organization/institution who is authorized to sign contracts on behalf of the organization;
• System administrator.

Use of the authentication service is regulated by contracts between the banks and the X-Road organization.
3.2 X-Road organizational structure

3.2.1 X-Road management organization

In accordance with the main statute that governs the Estonian Informatics Centre, administration and development of the X-Road is the domain of the Estonian Informatics Centre. The X-Road management organization consists of the director and department heads of the Estonian Informatics Centre. They are responsible for carrying out the responsibilities described in the statute in a timely and effective manner.

3.2.2 X-Road centre

X-Road operations are carried out by the various departments of the Estonian Informatics Centre. Tasks are divided amongst departments according to the statute that governs the Estonian Informatics Centre. The head of the management department is responsible for maintenance and administration of the X-Road. Tasks which are not directly related to maintenance and administration are divided amongst the departments of the Estonian Informatics Centre. The department heads cooperatively decide the division of tasks between departments. Each department has determined which individuals have the responsibility of supporting the X-Road.
3.2.3 X-Road partners

X-Road partners determine who within their organization will fill roles related to the X-Road.

3.2.4 X-Road organizational structure

Figure 2. X-Road organizational scheme
The following drawing illustrates how the Estonian Informatics Centre structure relates to the X-Road organizational structure.

Figure 3. Estonian Informatics Centre structure matched to X-Road roles
4 X-Road regulations

4.1 Requirements for the X-Road management organization

The X-Road management organization directs X-Road administration and development in accordance with the regulations in the present document and existing acts/laws. The management organization makes important decisions regarding the X-Road, including planning development and coordinating budgets, determining who may join the X-Road, signing contracts with those that join the X-Road and supervising the activities of the X-Road centre. The management organization, in cooperation with other government institutions and X-Road developers, coordinates discussion forums and seminars in regards to future development activities.

4.2 Requirements for the X-Road centre

The X-Road centre carries out its tasks according to the present regulations document and other respective laws/acts. These tasks include collecting materials to enable management organization decisions, day to day activities related to the operation of the X-Road, processing and resolving complaints and arguments, as well as required cooperation with individuals and institutions.

The X-Road centre creates the following documents to support the operations of the X-Road:
• Archival procedures, which include the archival of X-Road logs;
• Archival plans, which include management organization approved archival frequency and location etc.;
• Backup guidelines, which include procedures necessary for recovering X-Road related components;
• Backup plans, which include the frequency and location of backups;
• Internal guidelines which correspond to the state public information act (Avaliku teabe seadus) in regards to information distribution policies and complaint resolution;
• Precise guidelines, communicated to all X-Road centre employees, in regards to crisis resolution.
The guidelines must include contact information for those individuals that are responsible for reacting to and resolving crisis situations (head of the management organization, system supervisors, developers etc.);
• Security procedures corresponding to ISKE requirements, as well as determining ISKE security grades for services provided by the X-Road.

4.2.1 Environmental requirements

The hardware and server rooms of the X-Road central servers and certification servers must meet the highest security levels as defined by ISKE guidelines, because the X-Road handles data transfer between databases with the highest security levels. There should be at least two central servers, preferably in separate locations with network connections provided by separate providers (ISPs). There is one certification server. Hardware requirements are described in the appendix: Hardware requirements for the X-Road. Hardware must have guarantees in place with short service response times.
The Test-road must be maintained in parallel with the X-Road. Test-road hardware should be identical to hardware in the production X-Road (central servers and certification servers). The Test-road is an environment suitable for testing, development and carrying out education. The security level of the Test-road must be suitably low to allow access from developers, trainers and other individuals not directly involved with the X-Road.

4.2.2 Procedures for joining to the X-Road

4.2.2.1 Electronic (paperless) joining procedure

X-Road partners can digitally join the X-Road with the following procedure:
1. The authorized representative of the X-Road partner reads the conditions of joining via the RIHA web interface.
2. The authorized representative of the X-Road partner logs into the RIHA system using their ID card and submits their institution's contact information, registration code, contact information for the individual in the institution responsible for X-Road related activities and, if necessary, the appropriate security grades of the institution.
3. The authorized representative then digitally signs an agreement in which they agree to follow the usage conditions of the X-Road.
4. The X-Road centre checks the information submitted, which includes phoning the contact individuals listed. If the information submitted is deficient, then an e-mail listing the deficiencies and the deadline for fixing them is sent to the applicant institution.
5. The X-Road centre ensures that the applicant meets the X-Road joining requirements.
6. The head of the management organization or their authorized representative approves the institution's application to join the X-Road and registers the institution in the RIHA system; the X-Road centre coordinates the technical procedures involved with joining the institution to the X-Road.
If the applicant institution does not meet the requirements of joining to the X-Road, they will be sent a letter from the X-Road centre manager with a deadline for fixing their deficiencies. If the deficiencies are fixed before the deadline, then the institution will be registered in RIHA as joining to the X-Road and technical joining procedures will be initiated. If the deficiencies are not fixed by the deadline, then the applicant's information will be removed from RIHA.

4.2.2.2 Paper based joining procedure

The paper based joining procedure is similar to the electronic joining procedure.
1. The authorized representative of the X-Road partner reads the conditions of joining via the RIHA web interface.
2. The authorized representative of the X-Road partner logs into the RIHA system using their ID card and enters their institution's contact information, registration code, contact information for the individual in the institution responsible for X-Road related activities and, if necessary, the appropriate security grades of the institution. They then print out two copies of the completed forms, sign them and send them to the X-Road centre.
3. The X-Road centre checks the information submitted, which includes phoning the contact individuals listed. If the information submitted is deficient, then an e-mail listing the deficiencies and the deadline for fixing them is sent to the applicant institution.
4. The X-Road centre ensures that the applicant meets the X-Road joining requirements.
5. The head of the management organization signs the contracts and sends one copy to the applicant organization. The head of the X-Road centre coordinates the technical procedures involved with joining the institution to the X-Road.

If the applicant institution does not meet the requirements of joining to the X-Road, they will be sent a letter from the X-Road centre manager with a deadline for fixing their deficiencies. If the deficiencies are fixed before the deadline, then the institution will be registered in RIHA as joining to the X-Road and technical joining procedures will be initiated. If the deficiencies are not fixed by the deadline, then the applicant's information will be removed from RIHA.

4.2.2.3 Procedures for joining to the X-Road before RIHA begins operations

RIHA is scheduled to begin operations at the end of 2007. Until then the procedures for joining to the X-Road will remain paper based.
1. The authorized representative of the applicant institution reads the requirements for joining to the X-Road at http://www.ria.ee/26431 and downloads the necessary forms. The applicant enters into an agreement with the X-Road centre regarding their joining of the X-Road. If the applicant institution wishes to install a security server they will sign the respective agreement. Similarly, if the institution wishes to install a MISP, or attach a database or information system, they will sign the respective agreement.
2. The applicant will complete and sign two copies of the X-Road joining agreement and send them to the X-Road centre.
3. The X-Road centre checks the information submitted, which includes phoning the contact individuals listed. If the information submitted is deficient, then the applicant institution will be informed via letter or e-mail.
4. The X-Road centre ensures that the applicant meets the X-Road joining requirements.
5. The head of the management organization signs the contracts and sends one copy to the applicant organization.
The head of the X-Road centre coordinates the technical procedures involved with joining the institution to the X-Road. If the applicant institution does not meet the requirements of joining to the X-Road, they will be sent a letter from the X-Road centre manager with a deadline for fixing their deficiencies. If the deficiencies are fixed before the deadline, then technical joining procedures will be initiated.

4.2.2.4 Rejection of an application to join the X-Road

An institution or organization will not be joined to the X-Road if:
• The application to join is not properly completed;
• The applicant does not meet the requirements for joining to the X-Road. For example, their procedures for protecting personal information are deficient or they have not appointed individuals to the required X-Road related roles.

The X-Road centre ensures that all applicants meet the X-Road requirements. If an applicant does not meet the joining requirements of the X-Road, then a formal explanation of the rejection will be presented to the management organization. The formal explanation must include the reason(s) for the rejection of the applicant. If the deficiencies in the application are resolvable, then the head of the X-Road centre will send a letter to the applicant describing the assistance that the X-Road centre can provide in resolving the deficiency. The rejection of the application is registered in RIHA.
4.2.2.5 Appealing the rejection of an application to join the X-Road

Institutions have a right to appeal the rejection of their application to join the X-Road in court or with the Ministry of Economic Affairs and Communications. Appeals must be in writing and they will be processed and resolved according to the appropriate regulations.

4.2.2.6 Termination of an institution's X-Road joining agreement

The X-Road management organization has the right to terminate an X-Road partner's joining agreement if:
• The X-Road partner submitted false or misleading information when they joined the X-Road;
• The X-Road partner broke X-Road regulations or other X-Road related agreements;
• In the process of providing services it becomes apparent that an X-Road partner cannot fulfil their responsibilities;
• The X-Road management organization believes the X-Road partner is abusing services offered via the X-Road.

Termination of an institution's X-Road joining agreement is registered in RIHA. The termination of X-Road authentication service providers is regulated in existing contracts.

4.2.3 Maintenance procedures for X-Road hardware and software

4.2.3.1 Creation of user groups (groups of institutions) for services provided by the X-Road

Creation of user groups is the responsibility of the X-Road centre. User groups are formed to simplify the management of service usage rights by service providers. For example, if a service is intended for municipal governments, then service providers do not need to manually add all municipal governments; they simply add the appropriate user group, municipal governments. RIHA allows one to see what groups an institution belongs to as well as what rights a group has. Institutions new to the X-Road see what services are open to them and are able to set appropriate security levels for their information systems. Service providers can quickly see who belongs to a specific group. Service providers can request the creation of new user groups.
The service provider must submit a description of the desired new user group to the X-Road centre. Procedures and principles related to user groups will be available in RIHA.

4.2.3.2 Installation of X-Road security patches

The X-Road centre system supervisor is responsible for the timely installation of X-Road security patches. They also must ensure that the operation of the X-Road is uninterrupted. Non-critical patches should be installed during a period of low X-Road use (middle of the night). Critical patches should be installed as quickly as deemed possible by the system supervisor. Backup and archival procedures should be carried out before and after installation of the security patch.

4.2.3.3 Archiving

Archiving is a procedure that saves information to a different medium for long term storage. The X-Road centre must have an approved archival procedure, including a list of information to be archived and archival frequency. An archival plan must exist which outlines what, where and when archiving takes place. The archives must enable the X-Road centre to retrieve query contents.
4.2.3.4 Backup

Backup procedures ensure that the central servers and certification servers can be recovered following a disaster event. The X-Road centre must have backup and restoration procedures in place. The procedures must include events that must be preceded by a backup, for example the installation of a security patch. The X-Road centre must have a backup plan that describes who, how and when backups are taken.

4.2.3.5 The changing of central server parameters

The X-Road centre system supervisor has the right to change the parameters of the central servers (changing their IP, adding or removing secondary central servers, changing of time servers etc.). If the IP address of the central server is to be changed, the system supervisor must inform all the security server administrators by e-mail.

4.2.3.6 Central server key change

The X-Road system supervisor is required to periodically change the keys of the central server and certification server. The suggested interval is one year. Immediate key change can be necessary if, for example, an existing key and all backup copies have been destroyed or if the existing key has been compromised. Security server system administrators must be informed in advance via e-mail of scheduled key changes. The e-mail will also contain the authenticity code and activation date of the new key. In the case of a non-scheduled key change, security server administrators must be informed by previously agreed upon methods.

4.2.3.7 Recovery from backups

The X-Road system supervisor is responsible for and has the right to restore X-Road service by restoring central servers from backups. The X-Road centre manager must be notified when restoration from backups has occurred. In the event of a security breach the system supervisor must remove the central server where the breach occurred, replace it with a backup server and inform the Estonian Data Protection Inspectorate.
4.2.4 Auditing of the X-Road centre

It is the responsibility of the X-Road centre auditor to carry out regular internal audits of the X-Road centre. The X-Road auditor composes audit plans and submits them to the management organization for approval. The management organization selects an individual or company to carry out the audit. The following audits are conducted:
• X-Road operations are audited for compliance with regulations and procedures;
• Security audits in accordance with ISKE and X-Road requirements;
• Software audits.
4.3 Requirements for X-Road partners

4.3.1 Minimum security procedures for organizations joining to the X-Road

The following sections describe physical, organizational and technical security requirements for X-Road partners (service providers, service consumers, application service providers, authentication service providers).

4.3.1.1 Requirements for service providers

Upon joining to the X-Road, service providers must install at least one security server and at least one adapter server. The security server is a PC type computer which has specially installed software and no other applications installed. The adapter server can be a stand-alone computer or a module installed on the database server. Security server hardware requirements are described in the appendix (Hardware requirements for the X-Road).

There must be at least one security server and, depending on the service provided, a second security server can be installed. Secondary security servers should be connected to the internet through different internet service providers. To increase availability each security server should be connected to its own adapter server, but this is not a strict requirement, as security servers can share adapter servers.

Server room requirements for the X-Road related servers depend on the ISKE security grades of the database. All queries to the database flow through the security and adapter servers, which means their security grade must be at least as high as the database's security grade.

All service providers that have joined the X-Road must also join the Test-road and provide test data to the Test-road. If the Test-road servers use the same hardware as the X-Road servers, then the Test-road environment can be quickly switched to the X-Road environment if required.

Service providers must archive query logs. The service providers must have archival procedures which describe what and how often information is archived.
Archives should be kept indefinitely and access to logs must be strictly controlled (internal control procedures). Data media which have been used to store the private keys of the security server or the query logs must be destroyed and/or permanently erased. This applies to diskettes, optical media, tape and hard drives that have been used for backups.

4.3.1.2 Requirements for service consumers

Upon joining to the X-Road, service consumers must install a security server and adapt their information systems for X-Road service use. They must also apply certain security procedures in order to have the right to use services. The level and extent of security procedures depends on the following:
• What the security grades of their consumed services are;
• How important and/or expensive the decisions made on the basis of the data are;
• The service provider takes into account the importance of decisions made on the basis of the information they provide via the service.

Service consumers who only read data must apply security procedures corresponding to the highest security grade of the services they consume. If the service consumer uses the X-Road to change data, then their security level must be the same as the service provider's.
The service consumer ensures that appropriate user identification and authentication procedures are in place. The service consumer is responsible for management of user rights within their organization.
1. The service consumer information system must append the user's id code to all generated X-Road queries.
2. Automatically generated queries must also contain the id code of the user.
3. The service consumer must ensure that unauthorized individuals do not have access to information obtained from the X-Road and/or information systems connected to the X-Road.
4. If the information system of the service consumer has access to more information than some end users are authorized to consume, then role-based authorization must be implemented.

Service consumers and/or the developers of their information systems are encouraged to join the Test-road. If the Test-road servers use the same hardware as the X-Road servers, then the Test-road environment can be quickly switched to the X-Road environment if required.

4.3.1.3 Requirements for application service providers

This section describes the requirements for application service providers that wish to offer X-Road security servers to institutions or individuals. Service providers typically install security servers, adapter servers as well as MISP software. Server room and network connection requirements are similar to X-Road centre requirements. Hardware requirements, security procedures, archival procedures and information protection are similar to the requirements of service providers. Application service provider specific requirements and web server requirements follow.

The security grade of the application service provider must be at least as high as the highest security grade of the services it mediates. All application service providers must join the Test-road.
Application service provider system administrators must be authorized to perform the following activities:
• Installation of servers;
• Installation of security patches;
• Archival of logs;
• Backup configuration;
• Restoration of servers from backups;
• Changing of server parameters;
• Changing of security server keys;
• Administration of individuals to contact in case of service disruption;
• Administration of user rights.

The system administrator of the application service provider must ensure the above activities are carried out. They must also have the authority to react to disaster situations; for example, if the system administrator believes their system is being attacked and its security (data integrity or confidentiality) is threatened, they must have the authority to remove the server from the X-Road network.

The system administrator of the application service provider must possess the required training. There must be a trained backup system administrator who is capable of substituting for the main system administrator and capable of carrying out all necessary activities.
The system administrator of the application service provider must be able to react quickly to alerts and travel to the server room if required. This necessitates appropriate transportation and communication devices.

Installation of the adapter server must follow the guidelines and limitations prescribed by the X-Road software developers.

4.3.1.4 Requirements for authentication service providers

Authentication service providers offer authentication to users of the citizen's portal. The X-Road does not regulate the method of authentication used by an authentication service provider. Authentication service provider agreements must define the following:
• How individuals seeking authentication identify themselves (upon signing up for the service individuals must present a piece of photo identification);
• How individuals seeking authentication authenticate their identity (at least with a password or a public-key encryption system);
• What the level of service provided is (the agreement should specify the maximum allowed downtime for the service).

The providers of the authentication service take on the following obligations when signing up for the service:
• Carry out the authentication protocol as described in the document „CY-TP-O-08-0108 Riigi andmekogude teeninduskihi X-Road süsteemi loomine. X-Road süsteemi arhitektuur ja protokollid”;
• Carry out the changing of keys as described in the document „CY-TP-O-08-0108 Riigi andmekogude teeninduskihi X-Road süsteemi loomine. X-Road süsteemi arhitektuur ja protokollid”;
• Provide the authentication service for the X-Road as well as for the Test-road (test data).
4.3.2 The joining of service consumers to the X-Road

Prerequisites for joining to the X-Road:
• The service consumer is aware of the need to acquire information from a specific database;
• The desired databases are accessible via the X-Road;
• The service consumer's organization has specified who has the right to submit queries via the X-Road;
• The service consumer's information system is enabled for X-Road connectivity;
• The processes and methods of their required security grade are in place. The required security grade depends on the security grade of the services that will be consumed.

Procedure for joining:
• The authorized representative of the organization becomes acquainted with the X-Road regulations and requirements, and agrees to abide by them;
• The X-Road centre checks the application and confirms that the applicant fulfils the necessary requirements. If the applicant has fulfilled the necessary requirements, their application to join the X-Road is accepted;
• Management at the X-Road centre and the applicant institution instruct their system administrators to begin the technical joining of the organization to the X-Road;
• The applicant institution's system administrator submits the following information (digitally signed) to the X-Road system supervisor: IP of the security server, server certificate query, and person(s) to contact in case of technical difficulties;
• The X-Road system supervisor registers the information in RIHA;
• The X-Road system supervisor transfers the submitted information to the X-Road system. If the process has been successful, then the applicant institution's information is available via the X-Road central server;
• The organization and the X-Road management organization sign an X-Road joining agreement and an agreement that specifies terms of use.

Successful completion of the application procedure results in the applicant becoming an X-Road partner in the role of service consumer.

4.3.3 The joining of service providers to the X-Road

Prerequisites for joining to the X-Road:
• The organization responsible for the database wishes to expose services via the X-Road;
• The legal act governing the database allows the electronic exchange of data;
• The organization responsible for the database has services as well as service descriptions ready for publication;
• The database has an associated adapter server and the adapter server has the required functionality implemented for communicating with the database;
• The appropriate security measures for connecting to the X-Road (depending on the security grade of the data in the database) have been implemented.

The database administrator's everyday tasks and implemented security measures must correspond to the security level of the database. To simplify the job of the Data Protection Inspectorate one can immediately order an audit of the system. The Data Protection Inspectorate can use the audit as a basis for assessing the readiness of the database to be joined to the X-Road.

The actual technical joining procedure is similar to the joining procedure for service consumers presented in the previous section. The organization responsible for the database accepts the responsibility of publishing services provided by the database to RIHA, agrees to grant usage rights to appropriate service consumers and agrees to provide the services at an agreed upon level of availability.
Successful completion of the application procedure results in the applicant becoming an X-Road partner in the role of service provider.

4.3.4 The joining of application service providers to the X-Road

Application service providers must fulfil the requirements presented for service consumers as well as the requirements presented for service providers.

4.3.5 Certificate application process

The certificate application process is the most security-critical process in the X-Road system. To prevent illegitimate registration of certificates, the following procedure should be followed:
1. The authorized representative of the X-Road partner informs the X-Road centre when they have completed the X-Road joining process and the relevant agreements are signed;
2. The X-Road partner’s authorized representative/system administrator submits a digitally signed application package (digidoc) which consists of the following:
• certificate query and checksum (certreq.gz and md5sum files),
• name of the institution and the institution’s registration code,
• IP address of the security server,
• e-mail address of the system administrator responsible for responding to technical queries;
3. The X-Road partners receive a digitally signed confirmation of the receipt of their application. The confirmation is sent to the X-Road partner’s official e-mail address as well as to the e-mail address listed within the application.

4.3.6 Procedures for changing the address of a security server or contact information

Changing the address of the security server and/or changing the contact person is done according to the same rules as when the information was submitted initially. The authorized representative of the X-Road partner must log into the RIHA web interface using their ID card and submit the request to change the information. The X-Road centre’s system supervisor will automatically receive an e-mail from RIHA with the proposed changes. The system supervisor will confirm the change request by phone.

If the X-Road partner’s authorized representative does not wish to submit the change request electronically, they can visit the X-Road centre and submit a paper-based change request form. The X-Road centre’s system supervisor will enter the information into RIHA on behalf of the applicant.

4.3.7 Changing of the address or key of the central server

The contacts of institutions and information systems are informed of changes to the central server by e-mail as well as by postings made to RIHA. The notification includes the authentication code of the new key. Before changing keys or addresses of the central server, each organization must confirm the authenticity of the change request. This is done by calling the X-Road centre by phone and verifying the authenticity of the change request.

4.3.8 Other exchanges of information

The X-Road centre and X-Road partners may exchange other information. Dispute resolution is described in a separate document. Other communication is not formally regulated. Communication with X-Road partners is done via the contact person registered in RIHA. Communication with the X-Road centre is recorded according to X-Road centre procedures.
4.4 Conditions for joining to the X-Road

4.4.1 Conditions for joining for X-Road partners

1. Conditions for joining to the X-Road
To join the X-Road an organization must:
1.1. Be acquainted with the X-Road regulations and agree to abide by them;
1.2. Implement security procedures that ensure that data obtained from the X-Road is used properly and enable the data protection inspectorate to investigate data use;
1.3. Create an X-Road interface for the information system added to the X-Road;
1.4. Register itself in RIHA.

2. X-Road partner rights
X-Road partners have the following rights:
2.1. Join the X-Road if they have fulfilled the conditions required for joining;
2.2. Use the services offered via the X-Road;
2.3. Receive notifications from the X-Road centre regarding the X-Road and the support services available;
2.4. Demand that the X-Road centre fulfils the X-Road regulations and abides by the joining agreement;
2.5. Present suggestions and complaints to the X-Road centre regarding X-Road related services and future developments.

3. X-Road partner responsibilities
X-Road partners have the following responsibilities:
3.1. Abide by the X-Road regulations, joining agreements and other X-Road agreements they have agreed to;
3.2. Register descriptions and principles of operation for the services they provide over the X-Road;
3.3. Ensure that delivered service availability meets the promised availability levels;
3.4. Inform the X-Road centre of planned service outages;
3.5. Keep the information registered in RIHA up to date. Changes to the information must abide by RIHA regulations;
3.6. Ensure that data received from service providers is used in accordance with data protection legislation and the requirements of the service provider;
3.7. Inform the X-Road centre immediately of X-Road service interruptions;
3.8. Ensure that the contact personnel listed in RIHA are current.

4. Responsibilities of the X-Road centre
The X-Road centre has the following responsibilities:
4.1. Abide by the X-Road regulations and X-Road related agreements;
4.2. Inform X-Road partners of service malfunctions and incidents via its web page and by direct correspondence with the contact personnel listed in RIHA;
4.3. Ensure that X-Road information is available, regularly updated, correct and authentic.

5. Rights of the X-Road centre
The X-Road centre has the following rights:
5.1. Demand that X-Road partners abide by X-Road related regulations and agreements;
5.2. Receive information from X-Road partners required for X-Road joining and related to the provided services;
5.3. Suspend or end the X-Road privileges of an X-Road partner if another X-Road partner requests it or if the X-Road partner has broken X-Road regulations or agreements;
5.4. Unilaterally change the services provided by the X-Road if the changes do not necessitate excessive additional costs for the X-Road;
5.5. When necessary, temporarily suspend the provision of a service. X-Road partners must be notified as soon as possible.

6. Dispute resolution
6.1. Disputes between the X-Road centre and institutions should be resolved according to the relevant guidelines and regulations.

7. Mutual responsibilities
Responsibilities of all parties:
7.1. All parties are responsible for abiding by the X-Road regulations and X-Road related legislation;
7.2. Ensure the validity of the information presented;
7.3. Fulfil data protection inspectorate guidelines;
7.4. Follow other best practices related to the X-Road regulations;
7.5. The service provider is responsible for ensuring that the services accurately present data to service consumers.
4.4.2 Technical procedure for joining to the X-Road

In order to join the X-Road one must have fulfilled the X-Road joining requirements, presented contact information, installed a security server and presented an application for certification.
1. The technical information required for partners to join the X-Road is available in RIHA: the certificate authority DNS key’s authentication code, the certificate authority key’s authentication code and the central server IP address.
2. The X-Road centre checks the application and confirms that the applicant fulfils the necessary requirements. If the applicant has fulfilled the necessary requirements, their application to join the X-Road is accepted;
3. Management at the X-Road centre and at the applicant institution instruct their system administrators to begin the technical joining of the organization to the X-Road;
4. The institution’s system administrator submits the following information (digitally signed) to the X-Road system supervisor: the IP address of the security server, the server certificate query, and the person(s) to contact in case of technical difficulties;
5. The X-Road system supervisor registers the information in RIHA;
6. The X-Road system supervisor transfers the submitted information to the X-Road system. If the process has been successful, then the applicant institution’s information is available via the X-Road central server.
7. The organization and the X-Road management organization sign an X-Road joining agreement and an agreement that specifies the terms of use.

4.5 Incident management

Incidents in X-Road terms are any events that affect the normal functioning of the X-Road or interfere with the X-Road related activities of X-Road partners. Any events that result in the leaking of sensitive data from the X-Road are also incidents. Incident handling procedures are listed in the appendix.

4.6 X-Road development procedures

4.6.1 Development of X-Road components

The X-Road development manager collects, organizes and presents development ideas to the X-Road management organization.
The X-Road management organization approves development ideas, ensures that the necessary resources are available for the implementation of development ideas and instructs the X-Road centre to implement the development ideas. Constructing detailed development plans, development contract creation and fulfilment, as well as the final acceptance of development implementations, are part of the X-Road development manager’s duties.

Fundamental changes to the X-Road must be discussed with X-Road partners and X-Road developers. Information associated with fundamental changes must be available on the RIA homepage.

All X-Road system software components:
• central servers,
• security servers,
• adapter servers and
• application service providers (citizen’s portal, MISP)
must be developed in accordance with the ISO/IEC 12207 “Software lifecycle processes” standard. In order to ensure the smooth continuation of the X-Road, the principles and methods used in originally creating the X-Road should be followed. New X-Road software should be audited by a certified auditor.

4.6.2 Development of new services

New services provided by service providers are actually implemented in the adapter server of the service provider. New services can arise in several ways:
• The service provider decides to create a new service with their own resources;
• An organization interested in a particular service requests the new service and supports it with their own resources;
• The X-Road centre collects the requests of many service consumers and finances the creation of the new service itself. Such services must be required by several ministries and/or all municipal governments.

If a service does not require authorization or authentication, then generally it should not be provided over the X-Road. New services should be developed in accordance with the X-Road centre’s publicly available development guidelines. Once the service has been created it should be registered in RIHA. The service provider must also determine the security grade of the service and the principles of its provision.

4.6.2.1 Service implementation via the X-Road centre

Coordination of new service requests by the X-Road centre follows this procedure:
1) Service consumers submit requests for a new service to the X-Road centre (possibly through RIHA).
2) The X-Road centre collects the requests, analyzes them and creates an initial technical specification, then forwards it to the service consumers and the service provider for discussion.
3) Service consumers offer their opinion on whether the new service fulfils their requirements.
4) The service provider estimates the cost of implementing the new service.
5) The X-Road centre uses the discussion results to improve the specification.
6) The final specification is given to the service provider for implementation.
7) The new service is registered in RIHA.
Development of the X-Road itself is organized similarly:
1) The X-Road centre collects and analyzes requests for development;
2) The management organization of the X-Road determines the necessity of the development requests and the resources required;
3) The X-Road centre implements the chosen developments by ordering the development of the required components and confirming their fulfilment.

4.6.3 Service maintenance and administration

Service description and maintenance is the duty of the service provider. Service descriptions are published in RIHA, unless their publication is specifically prohibited. If a service provider decides to change or discontinue a particular service, they must register this in RIHA with sufficient notice to allow service consumers to rewrite their information systems or, in the case of new information systems, to avoid using the service. Ideally a service provider should keep both the new and the old service in use to assist in migration.

4.6.4 Testing

All components to be used in the X-Road must be tested in the Test-road.
5 Final comments

The X-Road regulations are reviewed on a regular basis by the X-Road management organization. New versions of the regulations are created annually and/or following major changes in the X-Road software. The X-Road centre must inform X-Road partners of updates to the X-Road regulations.
6 Associated documents

• Guidelines for applying ISKE, version 2.01: http://www.ria.ee/public/ISKE_rakendusjuhend_2006_2_01_23112006.pdf
• Information system security level act, Government of the Republic regulation no. 273 of 12.08.04: http://www.riigiteataja.ee/ert/act.jsp?id=791875
• Data transport layer act, Government of the Republic regulation no. 331 of 19.12.03: https://www.riigiteataja.ee/ert/act.jsp?id=688079
• Document describing the state information system administration system (RIHA) concept: http://www.riik.ee/arr/kontseptsioon.htm
• Estonian Informatics Centre act: https://www.riigiteataja.ee/ert/act.jsp?id=979912
• Public information act: https://www.riigiteataja.ee/ert/act.jsp?id=921835
• Maintenance/administration procedures act: https://www.riigiteataja.ee/ert/act.jsp?id=922122
• Database act: https://www.riigiteataja.ee/ert/act.jsp?id=745339
• Personal information protection act: https://www.riigiteataja.ee/ert/act.jsp?id=748829
• X-Road technical documentation and guidelines:
  Security server user guide (in Estonian only)
  X-Road server hardware requirements (in Estonian only)
  Monitoring server user guide (in Estonian only)
  Query verification (in Estonian only)
  Portal installation guide (in Estonian only)
  Portal user guide (in Estonian only)
  Information system and adapter server requirements
  Creating an X-Road connection in Visual Studio .NET (in Estonian only)
  Description of complex queries (in Estonian only)
  http://www.ria.ee/26436
7 Appendix 1: Supplemental information

7.1 Security requirements

The security of the X-Road is ensured by its architecture as well as by its organizational and technical measures. Data sent between data consumers and providers is encrypted and travels through security servers. Central servers ensure that all service providers are certified and that all queries are routed to the appropriate certified service provider. Local monitoring servers collect monitoring information from the security servers of service consumers/producers. Via the central monitoring servers one can view the status of all security servers as well as collect user statistics.

Data travelling from the service consumer’s information system to its associated security server, as well as data travelling from the service provider’s database to its security server, must be secured (isolated connection or HTTPS). Service providers and consumers must ensure that the user info written to the query header is consistent and accurate.

The security levels of X-Road components are assigned in accordance with the Estonian implementation of the IT Baseline Protection Manual (ISKE). Service consumers and providers must also assign their data appropriate security levels in accordance with ISKE guidelines. Security guidelines are chosen based on the ISKE security grade. Security servers must have the same security grade as the databases they are connected to. The security grade of a service is determined by the service provider, and it must be equal to or less than the security grade of the database providing the service. The security grade of a service consumer is equal to the highest security grade of the services it consumes.

Usage rights to services are provisioned on the security server of the service consumer. Usage rights can be assigned to an institution or to a group of institutions. Usage rights for individual users can be assigned within the information system of the service consumer.
Citizens and entrepreneurs are authenticated via their ID card or by authentication service providers (banks). The security measures associated with ID cards and the authentication service providers ensure that services are only accessed by the authenticated individuals.

X-Road joining agreements are digitally signed to ensure authenticity. Following the X-Road regulations will prevent fraudulent registration of information systems.

7.2 Incident handling procedure

The X-Road centre should have an electronic incident database (possibly within RIHA), where incidents involving the X-Road or affecting the use of the X-Road by X-Road partners are registered. Incidents that involve information leaks, intentional or accidental, should also be registered. The current X-Road regulations don’t specifically describe what constitutes a reportable incident or the procedure by which a registered incident is resolved. An X-Road incident is any event that the X-Road centre determines is necessary to register in the incident database. The discussion of incident handling procedures in this section should simplify the work of the X-Road centre and ensure quick and effective service support for X-Road partners.

To provide effective service support one must properly describe incidents. It is important that incident descriptions answer the following questions: What was done? What should have occurred? What actually occurred?

The second step is determining the priority and negative repercussions associated with the incident, taking into account the need for the X-Road to provide a secure data transport layer. The highest priority incidents are those events that prevent X-Road partners from carrying out their work: a particular service is not responding, a query is returning incorrect information, a potential security problem, etc. Medium priority incidents involve events that don’t prevent X-Road partners from carrying out tasks but delay or complicate them, for example a particular service is temporarily out of service. The lowest priority incidents are requests for improvement: a request for a new service, a request for information from the X-Road centre.

The third step is recording all information associated with the incident: contact information for the presenter of the incident, security information and other technical information. The purpose of recording this information is
a) to assist in resolving the incident,
b) to make it easier to recognize similar incidents in the future,
c) to make it possible to contact the presenter of the incident.

The fourth step is transferring the incident to the appropriate technical specialist. The technical specialist must analyze the incident and categorize it:
1. The incident requires further analysis before it can be resolved.
2. A solution is known, for example a known problem is fixed with a new version of the security server software, or the presenter of the incident simply needed instruction.
3. The X-Road centre can’t immediately resolve the incident and will not pursue resolution. This includes incidents that deal with problems outside the competence of the X-Road centre and problems that aren’t worth resolving (old unsupported hardware).

After an incident has been classified, the specialist must determine whether the underlying problem identified is brand new or has been previously identified. If the problem is new, then it is added to the known problem database.

The last step is notifying the person who presented the incident to the X-Road centre of the specialist’s findings. If further analysis is required, then a time estimate is given. If a solution exists, then it is communicated. If the X-Road centre does not have a solution but has decided not to further investigate the incident, then an explanation of why the incident does not warrant investigation is communicated. If further analysis is not required, the incident is closed.

The benefit of the above incident resolution procedure is that once a known problem is identified by a specialist, the service support personnel become aware of it and can immediately respond to similar incidents, thus allowing specialists to use their time more effectively.

7.3 Requirements for developers

Requirements for information systems and adapter servers: http://ftp.ria.ee/pub/X-Road/juhendid/nouded_infosysteemidele.pdf
All X-Road components must go through an audit conducted by a certified auditor.

7.4 X-Road centre archival and backup procedures

7.4.1 Archival procedure

Archiving is a procedure that involves transferring data from its production medium to another medium where it can be retained for an extended period of time. The X-Road centre as well as the X-Road partners should have archival procedures in place, including archival frequency and content. An archival plan should be in place that specifies who is responsible for archiving, the archival frequency and the location. Security server query logs and the hash values of central server query logs must be archived. Using the query logs and the hash values one can later prove that a query took place and confirm its contents. These archives should be kept indefinitely.

7.4.2 Backup procedure

Creating backups is necessary if one wants to be able to restore a system to a known state. All necessary data regarding the configuration of the server should be backed up. Backups should take place at the following times:
• Before and after the installation of security patches;
• After a change of keys on a central server;
• After the changing of a certificate;
• After an IP change on the central server or a security server;
• After the addition of a new service consumer or the creation of a new user group;
• After the permissions for a service have changed.

The X-Road centre and all service providers must have documented backup/restoration plans that specify the backup location, the backup frequency and the person(s) responsible for backups.

7.5 Hardware requirements for the X-Road

Hardware requirements for the X-Road are available online: http://ftp.ria.ee/pub/X-Road/juhendid/nouded_riistvarale.pdf
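As an added illustration of the archival requirement in 7.4.1 (example code written for this page, not part of the regulations or of the X-Road software): an archived security server query log is checked against separately archived hash values, so that an altered, deleted or inserted log entry is detected and a given query can be shown to have taken place with the recorded contents. The SHA-256 hash chain and the sample log lines are constructed assumptions, not the X-Road log format or hashing algorithm.

```python
"""Added example (not from the X-Road regulations or X-Road software).

Section 7.4.1 requires archiving security-server query logs together with the
hash values the central server keeps for them, so that a query can later be
proven to have taken place with the recorded contents. This script models that
check. ASSUMPTION: the hash scheme used here (SHA-256 over the previous hash
plus the log line, i.e. a simple hash chain) is illustrative only, not the
documented X-Road log format or algorithm.
"""
import hashlib

# Constructed sample security-server query log lines (not a real X-Road format).
QUERY_LOG = [
    "2006-12-19T10:01:02Z consumer=inst-A provider=db-B service=getRecord.v1 id=q1",
    "2006-12-19T10:01:05Z consumer=inst-A provider=db-B service=getRecord.v1 id=q2",
    "2006-12-19T10:02:11Z consumer=inst-C provider=db-B service=listItems.v2 id=q3",
]

GENESIS = "0" * 64  # starting value for the hash chain (assumption)


def entry_hash(prev_hash: str, line: str) -> str:
    """Hash of one log entry, chained to the hash of the entry before it."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


def build_hash_archive(lines):
    """The per-entry hash values that would be archived separately (7.4.1)."""
    hashes, prev = [], GENESIS
    for line in lines:
        prev = entry_hash(prev, line)
        hashes.append(prev)
    return hashes


def verify_archive(lines, archived_hashes):
    """Check an archived log against the archived hash values.

    Returns one status per position:
      "ok"         entry matches its archived hash
      "mismatch"   entry text differs from what was hashed (altered entry)
      "missing"    a hash exists but the log entry is gone (deleted entry)
      "unarchived" a log entry exists with no archived hash (inserted entry)
    The chain continues from the archived hash, so one bad entry is reported
    once instead of cascading into every later entry.
    """
    statuses, prev = [], GENESIS
    for i, h in enumerate(archived_hashes):
        if i >= len(lines):
            statuses.append("missing")
        elif entry_hash(prev, lines[i]) == h:
            statuses.append("ok")
        else:
            statuses.append("mismatch")
        prev = h
    statuses.extend(["unarchived"] * max(0, len(lines) - len(archived_hashes)))
    return statuses


def query_took_place(lines, archived_hashes, line):
    """True only if `line` is in the log and its archived hash confirms it."""
    statuses = verify_archive(lines, archived_hashes)
    return any(l == line and s == "ok" for l, s in zip(lines, statuses))


if __name__ == "__main__":
    archive = build_hash_archive(QUERY_LOG)
    print(verify_archive(QUERY_LOG, archive))                # ['ok', 'ok', 'ok']
    altered = list(QUERY_LOG)
    altered[1] = altered[1].replace("db-B", "db-Z")          # tamper with one entry
    print(verify_archive(altered, archive))                  # ['ok', 'mismatch', 'ok']
    print(query_took_place(altered, archive, QUERY_LOG[1]))  # False
```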