MIM6: Securing Data
OASC MIM6 (global) and MIM6 Plus (EU) on Securing Data
Use Cases
Standalone use cases within the scope of this MIM are of limited value. We therefore intend to complement and share the use cases of other MIMs, in particular MIM3 Exchanging Data. The integration of these (shared) use cases will take place in fall 2025.
(see the Use Case Information for additional information)
Description
As cities become smarter and more technology-driven, they become a target for cyber attacks with significant consequences in terms of costs and loss of services. In order to deliver reliable digital services for citizens, cities have to continuously evaluate the cyber risks and to put in place security measures to prepare for cyber attacks.
The first version of MIM6 focuses on interoperability for secure data transfer. The scope is deliberately limited so that progress can be made; later iterations can and probably will expand it.
Objectives
When information is transferred, whether between parts of the data platform or externally, the transfer is done securely.
Data processors know which security and interoperability requirements to impose on suppliers and systems when evaluating, procuring, developing, operating, and using solutions.
Capabilities & Requirements
(see Notes for additional information)
C1: Data is only accessible to users that should have access to it.
R1: Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements. (ISO 27001 5.15 Access control)
R2: The full life cycle of identities shall be managed. (ISO 27001 5.16 Identity management)
R3: Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. (ISO 27001 5.17: Authentication information)
R4: Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. (ISO 27001 5.18: Access rights)
C2: Data accessed by users has not been altered.
R5: Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. (ISO 27001 8.24 Use of cryptography)
C3: Data accessed by users originates from a verified source.
R3: See above
R5: See above
R6: Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. (ISO 27001 8.5 Secure authentication)
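The following is an added illustration of capabilities C2 and C3 (and the key-management aspect of R5) for a transferred data record; it is not a mechanism defined by this MIM, whose Mechanisms section is still TBD. It assumes a shared-key HMAC between producer and consumer, with a constructed key registry keyed by key ID (hypothetical names and sample values); where the consumer must not be able to forge records, a digital signature would take the place of the HMAC.

```python
import hashlib
import hmac
import json

# Constructed key registry indexed by key ID so keys can be rotated or
# retired (R5: key management). Real deployments load keys from a KMS/HSM,
# never from source code. The value below is a demo placeholder.
KEYS = {
    "parking-feed-2025-q3": b"constructed-demo-key-do-not-reuse-0001",
}


def canonical(payload: dict) -> bytes:
    # Deterministic encoding: the same record yields the same bytes on
    # both sides regardless of key order or whitespace.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, key_id: str) -> dict:
    # Producer side: wrap the record with the key ID and an HMAC-SHA256 tag.
    tag = hmac.new(KEYS[key_id], canonical(payload), hashlib.sha256).hexdigest()
    return {"key_id": key_id, "payload": payload, "tag": tag}


def verify(envelope: dict) -> tuple[bool, str]:
    # Consumer side: reject records from unknown keys (C3) and any
    # modification of the payload (C2). compare_digest avoids timing leaks.
    key = KEYS.get(envelope.get("key_id"))
    if key is None:
        return False, "unknown key id"
    expected = hmac.new(key, canonical(envelope["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(envelope.get("tag", ""))):
        return False, "tag mismatch: altered payload or wrong key"
    return True, "ok"


def demo() -> dict:
    # Constructed sample record from a hypothetical parking-occupancy feed.
    record = {"sensor": "p-42", "occupied": 17, "ts": "2025-09-01T08:00:00Z"}
    env = sign(record, "parking-feed-2025-q3")
    tampered = json.loads(json.dumps(env))   # deep copy, then alter the data
    tampered["payload"]["occupied"] = 0
    foreign = dict(env, key_id="unknown-key")  # claims a key we do not trust
    return {
        "genuine": verify(env)[0],
        "tampered": verify(tampered)[0],
        "foreign": verify(foreign)[0],
    }
```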
Mechanisms
TBD
Specifications
(see Notes for Specifications from an earlier version of this MIM. This list includes relevant Specifications for the current stage of development; more detailed information to be added in due course)
ISO/IEC 27001: Information security, cybersecurity and privacy protection — Information security management systems — Requirements
Requirements and processes for implementing and maintaining electronically secure industrial automation and control systems.
MIM6 Plus (EU version): EU Directives and overarching acts are not specifications, but they often point to relevant specifications. The following is a non-comprehensive list of EU regulations with direct relevance for the EU version of MIM6 - and possible guidance for the global MIM6 version.
NIS2, or Network and Information Systems 2, is an EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU and is an important driver for cities working with secure data sharing.
CRA, or the Cyber Resilience Act, sets cybersecurity requirements for digital products.
RED, or the Radio Equipment Directive, establishes a regulatory framework for ensuring "safety and health, electromagnetic compatibility, and the efficient use of the radio spectrum" when operating radio equipment. It also covers interoperability requirements.
Interoperability Guidance
TBD
Conformance and compliance testing
TBD
Last updated