MIMs Specification 7.5

Notes

This is a space for keeping and discussing notes on the development of MIM6 - Security Management.


Last updated 5 months ago

Meeting Notes

Working Group Meeting #9 (27 February 2025)

  • tba

Working Group Meeting #8 (12 December 2024)

  • Capabilities

    • We have agreed on the following three initial Capabilities to be included in MIMs (Plus) v7.5:

      C1: Data is only accessible to users that should have access to it

      C2: Data accessed by users has not been altered

      C3: Data accessed by users has not been altered and originates from a verified source

    • The fourth capability discussed previously ("Data is accessible to the extent intended by the publisher (SLA)") is not included for now; it may be covered by MIM3/is out of scope of this MIM due to it being a pre-requisite. To be revisited in 2025.

  • Specifications

    • An initial mapping of the above Capabilities against ISO 27001 by our Swedish colleagues showed its relevance for this MIM. Additional comments also highlighted a role for NIS2 - with high relevance to European cities - and IEC 62443. All three will be mentioned in the MIM6 Specifications, and their relevance, from high-level Capabilities to implementation guidance, will be further explored.

    • Previous Specifications from an earlier version of the MIM have been moved here; their relevance will be assessed at a later stage

      | Standard | Aspect | References |
      | --- | --- | --- |
      | ISO27005 | International Standard ISO/IEC 27005:2018 Information technology – Security techniques – Information security risk management | https://www.iso.org/standard/75281.html |
      | NIST SP800-53r5 | NIST Special Publication SP800-53, Security and Privacy Controls for Information Systems and Organizations | https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final |
      | GDPR | REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) | https://eur-lex.europa.eu/eli/reg/2016/679/oj |

  • Suggestion to contact the Swedish Standards bodies to learn more about their activities relevant to this MIM

  • The next Working Group meeting is going to take place in February 2025. The January meeting has been cancelled and attending participants at the will be discussing the roadmap towards MIMs 2025/MIMs Plus version 8.

Working Group Meeting #7 (28 November 2024)

  • The December Working Group meeting is going to take place on 12 December 2024 from 13-14 CET.

  • Further discussion on the initial Capabilities

    • Suggested Capabilities, worked on and to be finalised in the next meeting:

      • "Data is only accessible to users that should have access to it"

      • "Data accessed by users has not been altered"

      • "Data accessed by users has not been altered and originates from a verified source"

      • "Data is accessible to the extent intended by the publisher" (SLA) -> might be covered by MIM3 (Data Exchange)

  • Scope of this MIM - further considerations

    • Are data classifications and user classifications/mapping (who should have the right to access what data and for what purpose?) covered by other MIMs, in particular MIM3?

    • Resulting from the above, how are we going to treat security-related pre-requisites, such as users having correct access rights?

  • We are considering having expert input from standards and city practitioners on interoperable security in March/April 2025. To be discussed further in early 2025.

Working Group Meeting #6 (24 October 2024)

  • Discussed the initial scope of Capabilities

  • Mentioned resources to check for secure data transfer capabilities (with an interoperability scope):

  • Next steps

Working Group Meeting #5 (26 September 2024)

  • Working Group meetings will now take place on the fourth Thursday of each month, lasting 90 minutes from 13:00-14:30 CE(S)T

  • A suggested new MIMs framework was presented. Discussions on it are ongoing. For MIM6, nothing will initially change

  • The immediate focus for the Working Group is to outline and establish Capabilities before outlining Requirements

  • Additional volunteers are welcome to start working on the MIM's Interoperability Guidance (which can cover a broad range of topics, e.g. infrastructure, implementation, procurement, required skills)

Working Group Meeting #4 (15 May 2024)

  • Agreement on the MIM6 objective for MIMs 2024/MIMs Plus v7

  • Agreement that "risk assessment is a tool, not an objective" (and thus is not part of this version of the objectives)

  • Work started on discussing Capabilities. The following are early suggestions inspired by MIM1. The comments aim to reflect the thoughts of the audience during the meeting.

    • C1: Applications are able to securely access data from different sources (such as cities, communities and vertical solutions).

    • C2: Applications are able to use both current and historical data, use geospatial querying and be automatically updated when the source data changes. (Comment: Not relevant?)

    • C3: Applications can discover and retrieve data relevant to their context from a variety of sources (Comment: Covered by C1?)

    • C4: Applications can retrieve a subset of data from a larger data set (Comment: Too detailed for MIM6?)

Working Group Meeting #3 (11 April 2024)

  • Ongoing work on defining the objective

Working Group Meeting #2 (15 March 2024)

Are the following aspects in scope?

  • Things and southbound APIs

    • Physical device security

    • The sending to and from data sources (databases, data platforms, devices)

    • Provisioning a data source: control plane interoperability (identity management and authorisation)

  • IoT/Data platform

    • Communication between modules

    • Sending of data to northbound APIs

  • Northbound APIs and marketplace enablers

    • Sharing of data

    • Connection to data spaces

    • Identification, authorisation, and monetisation of services

  • Focus on the data platform itself or also on central/external security systems?

Working Group Meeting #1 (15 February 2024)

  • Establishment of the MIM6 Working Group

  • Meetings to be held on a monthly basis where possible

  • Immediate goal: define an objective by early June 2024 for MIMs 2024/MIMs Plus v7

    • Prior suggestion for objectives:

      • To develop a methodology to help identify security-related risks and choose the right measures to protect systems and data.

      • To provide cities with a framework for governance, risk management and control in the area of cybersecurity, along with a baseline of cybersecurity measures addressing the identified risks and providing a methodology for conducting regular maturity assessments.

The January Working Group meeting is cancelled. Informal chats will take place at the .

Data Space Support Centre -

Focus on Capabilities until the in January 2025

The (interim; awaiting formal approval) Champion of MIM6 is . Welcome!

OASC Conference in Tampere on 22/23 January 2025
Data Spaces Blueprint
iShare Trust Framework
Gaia-X Framework
IDSA Data Space Protocol
OASC Conference
Södertälje Municipality
https://www.iso.org/standard/75281.html
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
https://eur-lex.europa.eu/eli/reg/2016/679/oj