Wednesday, July 28, 2010

New Minimum Requirements for Remote Access to Registered Databases - Israel

On September 1, 2010 a new directive will come into effect that establishes the minimum authentication requirements for remote access to registered databases.

The Israeli Ministry of Justice, Technology, and Information recently released a draft of a directive that establishes the authentication requirements for remote access to registered databases. The need for such a directive was recently reinforced by the leak of a partial, unauthorized copy of the Population Registry to the Internet. This registry contains current information about all Israeli citizens (up to the year 2006), and includes details such as a person’s name, personal identification number, address, relatives, and more.

The Bottom Line
This directive introduces a new requirement: it is prohibited to rely solely on information found in the Population Registry to authenticate an individual for the purpose of remote access to data found in any registered database.

Who Does this Directive Apply To?
Any body or organization that maintains a sensitive database that is subject to the Data Protection Act.

What Does Your Organization Need to Do?
Authentication for remote access to this sensitive data must be established through at least one unique piece of information that is known only to the information seeker (such as a password, or any other unique personal detail given personally to the individual) and that is not found in the Population Registry or any other publicly accessible database.

In addition, the more sensitive the data contained within the database, the more authentication methods should be required, or further authentication measures should be demanded, such as a smart card or biometric authentication.

Is your organization prepared for this change?