This is how Statistics Netherlands ensures that data is exchanged securely

© Hollandse Hoogte

Businesses and individuals transfer data to Statistics Netherlands (CBS) via secure channels, such as SFTP and FTPS connections or by logging into a questionnaire on https://antwoord.cbs.nl to upload and download data. CBS monitors the security of all connections for the purpose of data exchange constantly.

Statistics Netherlands complies with the legal requirements for securing online channels. Examples of national and international legislation include the Statistics Netherlands Act (Section 5), General Data Protection Regulation (AVG), Statistics and the European Statistics Code of Practice. CBS requires excellent security because businesses and individuals entrust us with sensitive data.

Security measures for the developing IT systems and applications

Statistics Netherlands uses the Internet Authentication Service (IAS) of Microsoft Windows Server and the guidelines of the Center for Internet Security (CIS) as a guideline for developing IT systems. In order to develop applications, CBS uses the MITRE framework for threat modelling, and the Open Web Application Security Project (OWASP).

Before releasing an application, a penetration test (or pen test) is performed by the independent cybersecurity expert Secura. In addition, Secura continuously runs various pen tests to guarantee security. The annual Grey-Box Application Assessments are an example of this. For this purpose, Secura gains access to application design information in the production environment. This allows Secura to detect vulnerabilities in security features and report how well the data is secured.

Secura is certified by the Netherlands Centre for Crime Prevention and Security (CVV) for pen testing and meets the ISO standards. For more information on this subject, go to: Certifications and accreditations Secura.

CBS and Secura specialise in security

CBS Security Service Centre employs a large number of data security experts. They perform scans continuously. Secura also runs regular penetration tests and vulnerability scans to assess the security of CBS’s digital channels. Secura uses the OWASP Application Security Verification Standard (ASVS) which provides a framework for assessing CBS’s security and uses the Common Vulnerability Scoring System (CVSS) to report the test results.

The results of scans, tests and inspections are analysed, shared and reported to the relevant teams and CBS’s Chief Information Security Officer (CISO). CBS has a zero-tolerance policy when it comes to information security and allows no critical vulnerabilities. When necessary, the CISO advises the Executive Council and the Deputy Director General on actions to be taken.

The results of the scans, penetration tests and vulnerability scans, or summaries thereof, are not revealed because they contain sensitive information.

CBS experts specialise in privacy

CBS’s Data Protection Officer (AVG Art. 37 et seq.), Chief Privacy Officer, privacy lawyers and privacy coordinators specialise in the protection and safeguarding of privacy. For more information on privacy, go to: www.cbs.nl/privacy. This page also included information on CBS’s Data Protection Impact Assessment (DPIA).

ISO certification and Privacy certification.

CBS meets the highest international standards for quality, information security and privacy protection. Read more about this at: ISO certification and Privacy certification.

More information

If you have any questions, please contact CBS Contact Centre.