introduction to the cwa process - crisp final conference
TRANSCRIPT
CRISP final conference 6th CoU Meeting, Brussels, 16 March 2017
THEMATIC WORKSHOP STEFI
Ronald Boon/Dick Hortensius
Netherlands Standardisation Institute (NEN)
Programme for this session
Introduction to the STEFi evaluation Nathalie Hirschman, TUB CTS
CCTV standards in support of certification Frank Rottman, Bosch, IEC CLCTC 79/WG 12
CCTV systems and privacy protection Erik Krempel, Fraunhofer Institute
CWA on the STEFi evaluation Dick Hortensius, NEN
Panel discussion Presenters plus experts of the CRISP consortium
Wrap-up and conclusions
CEN Workshop Agreement on STEFi evaluation
30 September 2016
Dick Hortensius Netherlands Standardisation Institute
Why a CEN Workshop Agreement?
Standards:
- are voluntary agreements between parties
- provide practical solutions
- support international trade
- can support public policies and legislation
- are developed and maintained according to systematic processes involving all relevant stakeholders
- are an effective means for disseminating the results of research projects
Standards for CRISP (diagram)
Functional approach to (product) certification (ISO 17000), split into two stages:
- EVALUATION (STEFi): selection and determination; configuration
- CERTIFICATION: audit, review & decision, attestation, surveillance assessment
Roles shown: information provider, auditor. Relations labelled R1 and R2 in the diagram.
Applicable documents: CRISP Certification Scheme, CWA, a.o. ISO 17065.
CEN / CENELEC deliverables
Produced in Technical Committees with national delegations:
European Standards - EN
Technical Specifications - TS
Technical Reports - TR
Produced in Workshops with individual interested parties:
CEN/CLC Workshop Agreements - CWAs
The Workshop Concept
Flexible working platform: Light procedures
Direct and voluntary participation of stakeholders
Participants decide on the working arrangements
Open to any company or organization: Inside or outside Europe
Public process
Rapid elaboration of consensus documents
Few physical meetings
Work by electronic means encouraged
CEN-CLC Workshop Agreement (CWA)
Final deliverable of the Workshop - Voluntary application
Content: technical specifications, guidance material, best practice, information, etc.
They can be the basis for a European or international standard at a later stage
CEN IPR policy and exploitation rights are applicable to CWAs (no free availability)
Development process
Project Plan -> Kick-off Meeting -> CWA drafting & adoption -> Publication of CWA
Project Plan, describing:
– Scope
– Objectives
– Schedule
Kick-off Meeting, confirming:
– Project Plan
– Rules of the Workshop
– Chairperson
– Secretariat
CWA drafting & adoption, consensus process:
– Workshop participants
– Public consultation where required
Publication of CWA:
- Validity of 3 years
- Re-confirmation possible only once
CRISP timeline for the CWA:
- CRISP: August 2016
- CRISP: 17 October 2016
- CRISP: November 2016 - January 2017
- 2nd WS: 16 January 2017
- Consultation: February 2017
- Approval: March 2017
- Publication: April 2017
CEN Workshop Agreement
Characteristics:
- Guidelines for STEFi evaluation
- Planned and installed security systems (specific context)
- Example: video surveillance systems (CCTV)
Content of the CWA
- Scope
- Terms and definitions
- The methodology
- Basics of the evaluation/certification approach
- The four dimensions
- Parties involved (roles/responsibilities)
- The STEFi evaluation process
- Certification
- Annex A – STEFi assessment questions and related requirements for CCTV
- Annex B – Overview of relevant standards
Focus of the CWA (diagram)
Of the two stages of the certification approach, the CWA focuses on the EVALUATION stage (STEFi: selection and determination; configuration) rather than the CERTIFICATION stage (audit, review & decision, attestation, surveillance assessment). Roles shown: information provider, auditor; relations R1 and R2 as in the earlier diagram.
Aim: describe the STEFi evaluation in such a way that reproducible results are achieved by different evaluation bodies
Annex A – Assessment questions and requirements for CCTV
For all 4 STEFi dimensions:
Security: 15
Trust: 16
Efficiency: 15
Freedom Infringement: 33
Example Annex A - Security
(Table columns: Ref. | CRITERION, Attribute | Assessment question | Assessment requirement | Relation with standards or regulation)

SECURITY DIMENSION
S.1: Are there measures in place for assessing possible threats (prior to as well as after the installation of the system) and, in further consequence, to adequately address situations involving possible threats?

Ref.: S.1.1
Criterion, attribute: RISK, Threats
Assessment questions:
1. Has a risk assessment been performed prior to the design and installation of the video surveillance system, assessing the probability and the impact of threats and hazards on the operational site? [yes/no]
2. Which issues have been addressed in the risk assessment, and have the results of the assessment been included in the design and installation of the system? [qualitative]
Assessment requirement: Prior to video surveillance system design, a risk assessment shall be performed, which will identify threats and hazards to the premises and assess their likelihood. The required security functions for the mitigation of the threats shall be identified, and the video surveillance system will be designed in a way to mitigate the assessed risks at the specified location and in regard to the identified threats.
Relation with standards or regulation: EN-IEC 62676-4:2015 (Clause 4.2 ff.). (ISO 31000:2009 describes the principles for carrying out a risk assessment.)
Example Annex A – Freedom infringement
(Same table columns as the Security example.)

Ref.: Fi.3.12
Criterion, attribute: PERSONAL DATA, Storage limitation
Assessment questions:
1. Is the retention limit of video footage and/or the personal data potentially extracted from it clearly defined? Does the retention time reflect the minimum time that is necessary for the purposes for which the personal data are processed? [yes/no]
2. How are retention limits enforced in practice? [qualitative]
Assessment requirement: Personal data processed by the video surveillance system shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Relation with standards or regulation: Art. 5.1e GDPR; provisions in national legislation (if existing).

Ref.: Fi.3.13
Criterion, attribute: PERSONAL DATA, Processing which does not require identification
Assessment questions:
1. If the purposes for which the operator processes personal data do not, or no longer, require the identification of a data subject by the controller, does the controller maintain, acquire or process additional information in order to identify the data subject? [yes/no]
2. What are the internal policy provisions to assure non-identification? [qualitative]
Assessment requirement: Processing of personal data by a video surveillance system which does not require identification shall be in line with the conditions of GDPR Article 11.
Relation with standards or regulation: Art. 11 GDPR
Next steps to a certification scheme
“CRISP organization” supported by relevant stakeholders
Panel discussion
Nathalie Hirschmann, TUB CST
Frank Rottmann, Bosch, IEC/CLC TC 79
Erik Krempel, Fraunhofer Institute
Dick Hortensius, NEN
Jelena Burnik, IPRS
Simone Wurster, TUB
Jorje Viguri, UJI
Roger von Laufenberg, VICESSE
Moderator: Ronald Boon, NEN