MIM6: Securing Data

OASC MIM6 (global) and MIM6 Plus (EU) on Securing Data

Description

As cities become smarter and more technology-driven, they become a target for cyber attacks with significant consequences in terms of costs and loss of services. In order to deliver reliable digital services for citizens, cities have to continuously evaluate the cyber risks and to put in place security measures to prepare for cyber attacks.

The first version of MIM 6 focuses on addressing interoperability for secure data transfer. The scope is deliberately limited so that progress can be made; later iterations can, and probably will, expand it.

Objectives

  • Information transferred between parts of the data platform, or externally, is transferred securely.

  • Data processors know which security and interoperability requirements to place on suppliers and systems when evaluating, procuring, developing, operating, and using solutions.

Capabilities & Requirements

(see Notes for additional information)

C1: Data is only accessible to users that should have access to it.

R1: Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

R2: The full life cycle of identities shall be managed.

R3: Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.

R4: Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.

C2: Data that has been transmitted has not been altered.

R5: Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.

C3: Data accessed by users originates from a verified source.

R3: See above

R5: See above

R6: Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.
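C2 (transmitted data has not been altered) and C3 (data originates from a verified source) are properties, not mechanisms; R5 asks for rules on cryptography and key management without prescribing an algorithm. The following is an added example, not part of the MIM6 text or any OASC implementation, showing one way a data platform component can meet both capabilities for a message exchange: the sender wraps each payload in an envelope carrying a key id and an HMAC-SHA256 tag, and the receiver accepts the payload only when the tag verifies under a known, non-retired key. The key store, key ids and sensor payload are constructed for the example; a shared-secret MAC is used because it needs only the Python standard library, whereas a deployment that also needs non-repudiation would use asymmetric signatures under the same envelope discipline.

```python
import hashlib
import hmac
import json
from typing import Any, Dict

# Constructed key store for the example: key id -> shared secret.
# In a real platform the secrets live in a KMS or HSM (R5: key management);
# the key id carried in each envelope lets the receiver pick the right key
# and lets old keys be retired without breaking verification of new messages.
KEYS: Dict[str, bytes] = {
    "k-2024-01": b"constructed-example-key-one-not-for-production",
    "k-2023-07": b"constructed-example-key-two-retired",  # hypothetical retired key
}
RETIRED_KEYS = {"k-2023-07"}
ALG = "HMAC-SHA256"


def _canonical(payload: Dict[str, Any]) -> str:
    # Sorted keys and no whitespace, so sender and receiver MAC identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def _mac(key: bytes, kid: str, body: str) -> str:
    # Bind algorithm and key id into the MAC so neither can be swapped
    # independently of the body.
    msg = f"{ALG}\n{kid}\n{body}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal(payload: Dict[str, Any], kid: str) -> Dict[str, str]:
    """Sender side: wrap a payload in an authenticated envelope."""
    if kid not in KEYS or kid in RETIRED_KEYS:
        raise ValueError(f"cannot seal with key {kid!r}")
    body = _canonical(payload)
    return {"alg": ALG, "kid": kid, "body": body, "tag": _mac(KEYS[kid], kid, body)}


def verify(envelope: Dict[str, str]) -> Dict[str, Any]:
    """Receiver side: accept the payload only if integrity (C2) and origin (C3) check out."""
    alg = envelope.get("alg")
    kid = envelope.get("kid", "")
    body = envelope.get("body", "")
    tag = envelope.get("tag", "")
    if alg != ALG:
        return {"ok": False, "reason": f"unsupported alg {alg!r}"}
    if kid not in KEYS:
        return {"ok": False, "reason": f"unknown key id {kid!r}"}
    if kid in RETIRED_KEYS:
        return {"ok": False, "reason": f"retired key id {kid!r}"}
    expected = _mac(KEYS[kid], kid, body)
    # Constant-time comparison: a plain == would leak tag bytes through timing.
    if not hmac.compare_digest(expected, tag):
        return {"ok": False, "reason": "tag mismatch: body altered or wrong key"}
    return {"ok": True, "payload": json.loads(body)}


if __name__ == "__main__":
    # Constructed sensor reading sent between two platform components.
    env = seal({"sensor": "air-01", "pm25": 12.4}, "k-2024-01")
    print("genuine:  ", verify(env))
    tampered = dict(env, body=env["body"].replace("12.4", "99.9"))
    print("tampered: ", verify(tampered))
    print("unknown:  ", verify(dict(env, kid="k-unknown")))
    old_body = env["body"]
    retired = {"alg": ALG, "kid": "k-2023-07", "body": old_body,
               "tag": _mac(KEYS["k-2023-07"], "k-2023-07", old_body)}
    print("retired:  ", verify(retired))
```

The receiver never parses the body before the tag has been checked, and every rejection path returns a reason that can be logged for detection (R4 reviews and incident response benefit from knowing whether failures are tampering, unknown keys or stale keys). Rotating keys is then a matter of adding a new id to the store and moving the old id into the retired set after a grace period.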

Specifications

(see Notes for Specifications from an earlier version of this MIM. This list includes the Specifications relevant to the current stage of development; more detailed information will be added in due course)

Standard | Description

(standard not named on this page) | Information security, cybersecurity and privacy protection — Information security management systems — Requirements

(standard not named on this page) | Requirements and processes for implementing and maintaining electronically secure industrial automation and control systems.

MIM6 Plus (EU version): EU Directives and overarching acts are not specifications, but they often point to relevant specifications. The following is a non-comprehensive list of EU regulations with direct relevance for the EU version of MIM6, and possible guidance for the global MIM6 version.

  • NIS2, or Network and Information Systems 2, is an EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU and is an important driver for cities working with secure data sharing.

  • CRA, or the Cyber Resilience Act, sets cybersecurity standards for digital products.

  • RED, or the Radio Equipment Directive, establishes a regulatory framework for ensuring "safety and health, electromagnetic compatibility, and the efficient use of the radio spectrum" when operating radio equipment. It also covers interoperability requirements.
