Electronic Signatures and Infrastructures

I’ve written a lot about information security management. I’ve written about ISO 27001, ENS, PCI-DSS, ISA-95, etc. I’ve also written about cybersecurity strategies such as the EU Cybersecurity Strategy, the National Cybersecurity Strategy of Spain, the Revue Stratégique Cyberdéfense de France, the National Cyber Strategy of the U.S. of America, etc. However, this week I’m reading the Draft ETSI EN 319 401 - Electronic Signatures and Infrastructures (ESI). Actually, I’m reading the General Policy Requirements for Trust Service Providers, which was released just last February.

If we want to know what this standard is for, first of all we have to know what a Trust Service Provider (TSP) is. A TSP is an entity that provides one or more trust services, and a trust service is an electronic service for the creation, verification and validation of digital signatures, time-stamps and certificates for website authentication. A trust service can also be an electronic service for the preservation of digital signatures. Therefore, a TSP is a very important entity: relying parties depend on it for the certificates, signatures and time-stamps it issues, validates and preserves.

Policy Requirements Document Structure

The ETSI EN 319 401 standard contains requirements that every TSP must comply with. One of them is that the TSP shall specify the set of policies and practices appropriate for the trust services it is providing. I think this is the most important requirement. In fact, it is a common requirement in all security standards. It is really important because the security policy defines a set of “sub-policies” which have to be enforced.

Actually, there are 13 “sub-policies”. Most of their requirements refer to ISO/IEC 27002:2013. This is really useful because if you already know ISO 27001, you will have a lot of the work done. However, there are also requirements specific to TSPs, such as: the TSP shall have the financial stability and resources required to operate in conformity with the policy, and it shall maintain sufficient financial resources and/or obtain appropriate liability insurance, in accordance with applicable law, to cover liabilities arising from its operations and/or activities. These are two specific requirements from ETSI EN 319 401 in the organization reliability “sub-policy”.

The network security “sub-policy” is also interesting, because it requires that the TSP shall undergo or perform a regular vulnerability scan on the public and private IP addresses identified by the TSP, and that the TSP shall undergo or perform a penetration test on the TSP’s systems at set-up and after infrastructure or application upgrades or modifications. Note that the scan scope is the set of addresses the TSP itself identifies, so an accurate and up-to-date inventory of those addresses is part of meeting the requirement. I like these explicit requirements to perform vulnerability scans and penetration tests. They are a best practice, and they are written into this standard.

To sum up, this is another security standard with lots of requirements. Most of them are similar to ISO 27001, but some are specific to providing trust and confidence in electronic transactions.

Did you know about this standard?