CEN ISSS Public Workshop N Pope Wg3[1] 
Published:  December 15, 2009
Notes:
Slide 1: eInvoicing Public Meeting, Brussels, 19 June 2008
WG 3: Cost effective means to guarantee authenticity & integrity
Johan Borendal – Trustweaver (Chair); Nick Pope – Thales e-Security (Technical Editor)

Slide 2: CEN eInvoicing Workshop – Phase 2
Aim: stimulate further standardization work in the domain of electronic invoices in Europe, building on Phase 1 activities:
- WG 1: Adoption
- WG 2: Compliance of electronic invoice implementations
- WG 3: Cost effective authenticity & integrity
- WG 4: Emerging technologies and business processes
- WG 5: eInvoice service operators and mobility of users
eInvoicing Public Meeting Brussels, 19 June 2008 ©2005 CEN – all rights reserved

Slide 3: Terms of Reference
“Cost-effective authenticity and integrity of electronic invoices and related business documents regardless of formats and technologies”
- Minimise unnecessary costs to businesses
- Ensure that major risks identified by Tax Authorities are addressed

Slide 4: CEN eInvoicing WG 3: Terms of Reference
“Cost-effective authenticity and integrity of electronic invoices and related business documents regardless of formats and technologies”
- Authenticity & integrity in transfer
- Maintain authenticity & integrity over the period of storage

Slide 5: CEN eInvoicing WG 3: Terms of Reference
“Cost-effective authenticity and integrity of electronic invoices and related business documents regardless of formats and technologies”
- eInvoicing is the main legal pressure point for business
- Applicable to other aspects of eBusiness & eGovernment

Slide 6: CEN eInvoicing WG 3: Terms of Reference
“Cost-effective authenticity and integrity of electronic invoices and related business documents regardless of formats and technologies”
Addressing Authenticity & Integrity by:
- Electronic Signatures
- Electronic Data Interchange (EDI)
- Other means

Slide 7: What has already been done
- Inventory of Authenticity & Integrity Requirements: spreadsheet of requirements against 28 EU States / EFTA members
- Integrity and authenticity requirements in common eInvoicing scenarios: model of eInvoicing exchanges
- Requirements derived from Directive 2006/112/EC + national implementations
- Authenticity and Integrity Requirements & Controls

Slide 8: WG2 Good Practice vs WG3 Requirements & Controls
(Diagram: WG2 Requirements for eInvoice Preparation, eInvoice Translation and Self Billing are mapped against WG3 A&I Controls: EDI Mechanisms, Signatures, Protocols.)

Slide 9: Conclusion – Let's join forces
CEN WG2 & WG3 / FISCALIS e-Invoicing Good Practice Guidelines

Slide 10: WG3 Current Approach: Authenticity & Integrity Controls
- Option 1: General procedural and technical controls to protect data at each stage of the process (EDI / Other), or
- Option 2: Advanced electronic signatures protecting data from creation through the whole storage lifetime (AdES)
- Baseline security controls (e.g. audit, access control, contracts) should be applied throughout
(Diagram: two columns, "No end-to-end long-term signatures" and "With end-to-end long-term signatures", each resting on the same layers: Technical controls, Process controls, Audit, Documentation, Contract, General system security.)

Slide 11: WG3 – Example Authenticity & Integrity Controls
- Baseline controls
- Example controls for the EDI (other) scenario
- Example controls for the advanced electronic signature based scenario

Slide 12: Baseline controls
Recognised standard-based practices for security and integrity, e.g. ISO 27001, SAS70, OECD Guidance on Tax Compliance for Business and Accounting Software. Includes general controls for:
- Audit trails
- Access control enforcing business roles
- Protected communications
- Data correctness and accuracy checks
- Prior agreement for security of communications

Slide 13: EDI/Other Example: Requirements & Controls
(Diagram: Supplier (Seller), Supplier’s Service Provider, Customer’s (Buyer’s) Service Provider and Customer (Buyer) in a chain; Communications Authenticity & Integrity (A&I) is required on each link between them and Processing & Storage A&I at each party.)

Slide 14: EDI/Other Example: Communications A&I
Requirement: Ensure authenticity and integrity of the invoice whilst it is being sent.
Control: The electronic invoice shall be sent through a secure channel which: a) protects the integrity …; b) authenticates the invoice issuer …
Implementation examples: i) TLS with passwords; ii) AS/1-3 with signatures …

Slide 15: EDI/Other Example: Storage A&I
Requirement: The authenticity and integrity of the content of the stored invoices must be guaranteed throughout the storage period.
Control: The invoice and the audit records regarding handling of the invoice, including information on the authentication checks carried out, shall be protected by mechanisms that assure the integrity of the data throughout the storage period.
Implementation examples: WORM; secure archive

Slide 16: EDI/Other Example: Processing A&I
Met by a range of controls:
- Baseline security controls
- General eInvoice process requirements

Slide 17: AdES Example Requirements
(Diagram: Supplier (Seller), Supplier’s Service Provider, Customer’s (Buyer’s) Service Provider and Customer (Buyer) in a chain, with the requirements Signature Creation, Communications A&I and Signature Long term validity placed along it; long-term validity appears at more than one point in the chain.)

Slide 18: AdES Example: Signature creation
Requirement: The invoice is provided with an electronic signature to protect its integrity and authenticity.
Control: The application should ensure that signatures are applied when appropriate. The signature shall be created in accordance with an internationally recognised standard signature format.
Implementation examples: e.g. CAdES-T / XAdES-T …

Slide 19: AdES Example: Signature verification
Requirement: The authentication of origin and the integrity of the invoice must be verified by verifying the signature.
Control: The validity of the AdES signature shall be checked and the results recorded, including the verification time and the information (e.g. CRLs or OCSP, and certificates) used to verify the signature. …

Slide 20: AdES Example: Signature long term validity
Requirement: Electronic signatures must remain verifiable during the storage period.
Control: The integrity of the signed invoice, including the information used to re-verify the signature (see above under invoice creation), shall be maintained beyond the lifetime of the signature algorithm and certificates.
Implementation examples: 1) Applying an archive timestamp to the signature as in XAdES-A, CAdES-A; 2) WORM devices. …
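Slides 19 and 20 together describe what a long-term validation record has to hold: the verification result with its time and validation data, and an archive timestamp that is renewed before the signature algorithm or certificates reach end of life and that covers everything recorded before it. The Python model below is an added example, not CEN or WG3 material; it stands in for the real XAdES-A/CAdES-A structures and the timestamp authority with a constructed HMAC-based TSA (TSA_KEY and all function names are assumptions) so that it runs offline and shows why tampering with any earlier part of the record breaks the chain.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a timestamp authority (TSA) key. A real archive
# timestamp is a TSA-signed RFC 3161 token; the HMAC only models "a trusted
# third party vouched for this digest at this time" so the example runs offline.
TSA_KEY = b"constructed-tsa-key-not-real"

def canonical(obj) -> bytes:
    """Deterministic serialisation, so the covered data hashes identically later."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def issue_archive_timestamp(covered: bytes, hash_alg: str, when: str) -> dict:
    """TSA stand-in: bind a digest of `covered` (under `hash_alg`) to a time."""
    digest = hashlib.new(hash_alg, covered).hexdigest()
    mac = hmac.new(TSA_KEY, f"{hash_alg}|{digest}|{when}".encode(), "sha256")
    return {"alg": hash_alg, "digest": digest, "time": when, "token": mac.hexdigest()}

def new_ltv_record(invoice: bytes, signature_hex: str, verification: dict) -> dict:
    """Slide 19: keep the signature together with the verification result, its
    time and the validation data (certificates, CRL/OCSP) that produced it."""
    return {"invoice": invoice.hex(), "signature": signature_hex,
            "verification": verification, "archive_timestamps": []}

def covered_material(ltv: dict, upto: int) -> bytes:
    """What archive timestamp number `upto` protects: invoice, signature,
    verification data and every earlier archive timestamp (the nesting used by
    XAdES-A / CAdES-A), so each renewal vouches for the older ones."""
    return canonical({"invoice": ltv["invoice"], "signature": ltv["signature"],
                      "verification": ltv["verification"],
                      "archive_timestamps": ltv["archive_timestamps"][:upto]})

def add_archive_timestamp(ltv: dict, hash_alg: str, when: str) -> None:
    """Slide 20: add or renew the archive timestamp, using the current hash
    algorithm, before the previous algorithm or TSA certificate expires."""
    n = len(ltv["archive_timestamps"])
    ltv["archive_timestamps"].append(
        issue_archive_timestamp(covered_material(ltv, n), hash_alg, when))

def verify_chain(ltv: dict) -> bool:
    """Re-derive every archive timestamp from the stored material; a change to
    the invoice, signature, validation data or an earlier timestamp breaks it."""
    for i, ts in enumerate(ltv["archive_timestamps"]):
        expected = issue_archive_timestamp(covered_material(ltv, i), ts["alg"], ts["time"])
        if not hmac.compare_digest(expected["token"], ts["token"]):
            return False
    return bool(ltv["archive_timestamps"])
```

A record with no archive timestamp verifies as False on purpose: without one there is nothing binding the validation data to a time, which is exactly the gap slide 20 addresses.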
Slide 21: Next Steps
- Continue working on Good Practice Authenticity & Integrity Controls (joint deliverable with WG2)
- Further guidance on authenticity and integrity
- Further guidance on example mechanisms and protocols, to be developed in the next phase

Slide 22: Thank you. Any questions?
nick.pope@thales-eSecurity (editor)
johan.borendal@trustweaver.com (chair)