19 May 2014: The UNFCCC Secretariat has published a note by the international transaction log (ITL) administrator, titled ‘Options for, and road map to, further implementation of information security controls in systems supporting emissions trading under the Kyoto Protocol’ (FCCC/SBI/2014/INF.6). The note reports on the Security Working Group’s (SWG) assessment of the impact of managing information security and options for implementing security controls in national registry systems, for consideration at the 40th session of the Subsidiary Body for Implementation (SBI 40).

The SWG identified relevant assets and associated information security requirements; reviewed information security threats and selected controls to manage risks; and applied a valuation scale to evaluate assets based on confidentiality, integrity and availability criteria.

On threats and vulnerabilities, the SWG identified known sources of threats, assessed the nature of threats as deliberate, accidental or environmental, and identified vulnerabilities related to, inter alia: absent, insufficient or incorrect use of information security policies, procedures and processes.

On risks and consequences, the SWG assessed possible impacts from the interruption or loss of confidentiality, integrity or availability of assets and identified risks originating from, inter alia: sources that can impair access to emissions trading systems, resulting in the retrieval, modification or disclosure of sensitive or restricted data. The SWG also identified the following consequences of emerging threats: financial loss due to theft of Kyoto Protocol units; and unplanned interruption of services leading to an inability to trade emissions and fulfill compliance obligations, among others.

The SWG identified two options to facilitate information security management system (ISMS) implementation in emissions trading systems: business as usual and further implementation. Business as usual refers to a normal execution of standard information security operations within emissions trading systems. Further implementation refers to a structured and planned extension of the current ISMS, which would require developing methods to monitor and measure progress towards achieving planned milestones and improving security awareness, and monitoring progress and costs on an ongoing basis to allow for mid-course corrections.

The note also includes: a roadmap with key performance indicators (KPIs) on ISMS implementation progress and effectiveness; and a section on monitoring.

The ITL verifies the validity of transactions proposed by national registries. [Publication: FCCC/SBI/2014/INF.6]