Introduction to the CWA process - CRISP Final Conference


CRISP final conference 6th CoU Meeting, Brussels, 16 March 2017

THEMATIC WORKSHOP STEFI

Ronald Boon/Dick Hortensius

Netherlands Standardisation Institute (NEN)

CRISP final conference 6th CoU Meeting, 16 March 2017

Programme for this session

Introduction to the STEFi evaluation – Nathalie Hirschmann, TUB CTS

CCTV standards in support of certification – Frank Rottmann, Bosch, IEC/CLC TC 79/WG 12

CCTV systems and privacy protection – Erik Krempel, Fraunhofer Institute

CWA on the STEFi evaluation – Dick Hortensius, NEN

Panel discussion – Presenters plus experts of the CRISP consortium

Wrap-up and conclusions

CEN Workshop Agreement on STEFi evaluation

30 September 2016

Dick Hortensius Netherlands Standardisation Institute

Agenda for the presentation

Why a CWA?

Development process

Scope and content

Next steps

Why a CEN Workshop Agreement?

Standards:

are voluntary agreements between parties

provide practical solutions

support international trade

can support public policies and legislation

are developed and maintained according to systematic processes involving all relevant stakeholders

are an effective means for disseminating the results of research projects

Standards, legislation and conformity assessment

Standards as basis for certification

Standards for CRISP

[Diagram: functional approach to (product) certification (ISO 17000), showing the elements selection and determination (STEFi, configuration), review & decision (attestation) and surveillance, grouped under EVALUATION and CERTIFICATION, with the roles information provider and auditor (audit), and the labels R1, R2, a.o. ISO 17065, CRISP Certification Scheme and CWA]

CEN / CENELEC deliverables

Produced in Technical Committees with national delegations:

European Standards – EN

Technical Specifications – TS

Technical Reports – TR

Produced in Workshops with individual interested parties:

CEN/CLC Workshop Agreements - CWAs

The Workshop Concept

Flexible working platform: Light procedures

Direct and voluntary participation of stakeholders

Participants decide on the working arrangements

Open to any company or organization: Inside or outside Europe

Public process

Rapid elaboration of consensus documents

Few physical meetings

Work by electronic means encouraged

CEN-CLC Workshop Agreement (CWA)

Final deliverable of the Workshop – Voluntary application

Content: technical specifications, guidance material, best practice, information, etc.

They can be the basis for a European or international standard at a later stage

CEN IPR policy and exploitation rights are applicable to CWAs (no free availability)

Development process

Project Plan – describing:

– Scope

– Objectives

– Schedule

Kick-off Meeting – confirming:

– Project Plan

– Rules of the Workshop

– Chairperson

– Secretariat

CWA drafting & adoption – consensus process:

– Workshop participants

– Public consultation where required

Publication of CWA:

– Validity of 3 years

– Re-confirmation possible only once

Development process


CRISP: August 2016

CRISP: 17 October 2016

CRISP: November 2016 – January 2017

2nd WS: 16 January 2017

Consultation: February 2017

Approval: March 2017

Publication: April 2017


CEN Workshop Agreement

Characteristics

Guidelines for STEFi evaluation

Planned and installed security systems (specific context)

Example: video surveillance systems (CCTV)


Content of the CWA

Scope

Terms and definitions

The methodology

Basics of the evaluation/certification approach

The four dimensions

Parties involved (roles/responsibilities)

The STEFi evaluation process

Certification

Annex A – STEFi assessment questions and related requirements for CCTV

Annex B – Overview of relevant standards

Focus of the CWA

[Diagram: functional approach to (product) certification, showing the elements selection and determination (STEFi, configuration), review & decision (attestation) and surveillance, grouped under EVALUATION and CERTIFICATION, with the roles information provider and auditor (audit), and the labels R1 and R2]

Aim: describe the STEFi evaluation in such a way that reproducible results are achieved by different evaluation bodies


Parties involved in the process


Annex A – Assessment questions and requirements for CCTV

For all 4 STEFi dimensions:

Security: 15

Trust: 16

Efficiency: 15

Freedom Infringement: 33


Example Annex A – Security

Table columns: Ref. | CRITERION, Attribute | Assessment question | Assessment requirement | Relation with standards or regulation

SECURITY DIMENSION

S.1 Are there measures in place for assessing possible threats (prior as well as after the installation of the system) and in further consequence to adequately address situations involving possible threats?

Ref.: S.1.1

Criterion, attribute: RISK, Threats

Assessment questions:

1. Has a risk assessment been performed prior to the design and installation of the video surveillance system, assessing the probability and the impact of threats and hazards on the operational site? [yes/no]

2. Which issues have been addressed in the risk assessment and have the results of the assessment been included in the design and installation of the system? [qualitative]

Assessment requirement: Prior to video surveillance system design, a risk assessment shall be performed, which will identify threats and hazards to the premises and assess their likelihood. The required security functions for the mitigation of the threats shall be identified and the video surveillance system will be designed in a way to mitigate the assessed risks at the specified location and in regard to the identified threats.

Relation with standards or regulation: EN-IEC 62676-4:2015 (Clause 4.2ff.). (ISO 31000:2009 describes the principles for the carrying out of a risk assessment.)


Example Annex A – Freedom infringement

Ref.: Fi.3.1 2

Criterion, attribute: PERSONAL DATA, Storage limitation

Assessment questions:

1. Is the retention limit of video footage and/or the personal data potentially extracted from it clearly defined? Does the retention time reflect the minimum time that is necessary for the purposes for which the personal data are processed? [yes/no]

2. How are retention limits enforced in practice? [qualitative]

Assessment requirement: Personal data processed by the video surveillance system shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Relation with standards or regulation: Art. 5.1e GDPR; provisions in national legislation (if existing).

Ref.: Fi.3.1 3

Criterion, attribute: PERSONAL DATA, Processing which does not require identification

Assessment questions:

1. If the purposes for which the operator processes personal data do not or do no longer require the identification of a data subject by the controller, does the controller maintain, acquire or process additional information in order to identify the data subject? [yes/no]

2. What are the internal policy provisions to assure non-identification? [qualitative]

Assessment requirement: Processing of personal data by a video surveillance system which does not require identification shall be in line with the conditions of GDPR Article 11.

Relation with standards or regulation: Art. 11 GDPR


Next steps to a certification scheme

“CRISP organization” supported by relevant stakeholders


Panel discussion

Nathalie Hirschmann, TUB CTS

Frank Rottmann, Bosch, IEC/CLC TC 79

Erik Krempel, Fraunhofer Institute

Dick Hortensius, NEN

Jelena Burnik, IPRS

Simone Wurster, TUB

Jorge Viguri, UJI

Roger von Laufenberg, VICESSE

Moderator: Ronald Boon, NEN