Developer: Ministry of Digital Governance
Project operator: Ministry of Digital Governance
Budget: € 1.680.250,00 excluding VAT
What is the object of the project?
The object of this project includes (a) the “end-to-end” formation and implementation of a security policy for the Public Sector telecommunications service network “SYZEFXIS II”, which is under implementation, in accordance with international standards and best practices, (b) the continuous control of the security of all the assets of this network, (c) the integrated support of the Contracting Authority and the Operating Body of SYZEFXIS in the management and control of the security of the above network and (d) the provision and operation of an integrated information system, which will be offered as a service to the Contracting Authority and through which the management and control of the security of SYZEFXIS II will be possible. Through this project, the Contractor will be the Independent Auditor and Security Consultant of SYZEFXIS II, with the following responsibilities.
Initially, it will design and implement an Information Security Management System (ISMS) for SYZEFXIS II, which will comply with international standards (e.g. ISO27001, ISO27002). This system should be integrated, so that it addresses the security of all underlying infrastructures, information systems and information constituting SYZEFXIS II against all the risk components that may arise. In addition, it should be widely accepted, in the sense that it has been and continues to be successfully implemented in similar systems of the Public Sector both in Greece and in other countries. It should also be realistic and applicable to the Greek reality.
In this context, the Contractor of this project will analyze the current situation of the existing networks and the wider environment of activity (in terms of underlying technologies, organizational processes, institutional / regulatory framework, etc.), identify and analyze potential risks, identify potential threats for each risk category, identify network vulnerabilities and then propose specific measures to address them, which will be included in the security policy proposed as part of the ISMS.
Subsequently, and throughout the duration of the project, it will implement the aforementioned ISMS, monitor its success as well as any potential weaknesses that may arise, and improve it where necessary.
At the same time, and throughout the operation of SYZEFXIS II, the Contractor of the project, being the Independent Security Auditor, will monitor security for all SYZEFXIS II subprojects or its supporting projects on an ongoing basis (of par. A.1.2.5), offering an integrated “Security Operation Center” (SOC) service package. In order to monitor the security of SYZEFXIS II, the Contractor shall carry out regular and extraordinary security controls on all SYZEFXIS II telecommunications systems. To carry out these actions, the Contractor will obtain data on the services provided by the Institutions participating in SYZEFXIS II and will then carry out security controls on the ultimately implemented SYZEFXIS II network, ensuring the uninterrupted provision of the above services. In this context, the Contractor shall check on a continuous basis whether the contractors of all sub-projects or projects constituting SYZEFXIS II (and in particular of Subproject 3, on security) meet the required security specifications and correctly apply the adopted ISMS, and, if the above are not met, will recommend countermeasures and related clauses.
At the same time, the Contractor, being also the main and permanent consultant of the Contracting Authority for the security of SYZEFXIS, will offer consulting and support services to the Contracting Authority and the Operator in matters relating to the security of SYZEFXIS II, such as: the submission of proposals (of an organizational or technical-operational character) for the prevention of and response to malicious attacks, for crisis management, etc.; the submission of expert opinions on the actions and deliverables of the contractors of SYZEFXIS II that relate to its security; preparation for the certification of SYZEFXIS in accordance with international security standards; and taking action to implement the above proposals.
Throughout the duration of the project, the Contractor will be responsible for the structured and documented transfer to the Contracting Authority of the necessary know-how and experience that will result from the provision of the above-mentioned services. In this context, the Contractor should record, codify and register in the Integrated Security Management and Control Information System the actions, incidents and damages that may occur in the new SYZEFXIS II network and in the bodies, and that are related to security incidents. The purpose of this codification is the systematic recording of the actions/events/damages, with the ultimate goal of making them easier to process and analyze and then of extracting useful conclusions that support the security of SYZEFXIS, as well as the continuous monitoring and updating/improvement of the ISMS and its associated security policy.