best practices

Note-to-self: #DPIA for cloud – reference material (focus on #Microsoft cloud)

In interesting set of reference material, that is regularly coming back in data protection, cybersecurity and information security discussions I lately had with peers and colleagues.
May you can use it too…

Feel free to provide some feedback yourself, if you know additional pointers I should add.

You know where to find me.

Change history

2022-04-27 14:00: Added EDPB announcement to references section

Governmental DPIAs

Netherlands

2018-12-06: DPIA on Microsoft Office 2016 & 365

https://iapp.org/news/a/dutch-government-commissioned-dpia-on-microsoft-office-pro-plus/

Direct download of PDF:

2022-02-22: DPIA on Microsoft Office 365

https://www.dataguidance.com/news/netherlands-dutch-government-publishes-dpia-microsoft

Press release by Dutch Government:

2022-02-21 https://www.rijksoverheid.nl/documenten/publicaties/2022/02/21/public-dpia-teams-onedrive-sharepoint-and-azure-ad

Publication of DPIA by Dutch Government

2022-02-21 : https://www.rijksoverheid.nl/documenten/publicaties/2022/02/21/public-dpia-teams-onedrive-sharepoint-and-azure-ad

Source: Beltug news https://www.beltug.be/news/7430/Dutch_government_publishes_DPIA_and_DTIA_for_Microsoft/

2022-02: The Dutch Ministry of Justice and Security requested an analysis of US legislation in relation to the GDPR and Schrems II by GreenburgTraurig.

Switzerland

In a recent article (In French) by ICT journal, the Canton of Zurich published a

https://www.ictjournal.ch/articles/2022-04-26/comment-le-canton-de-zurich-a-estime-le-risque-de-passer-sur-le-cloud-de

Research

Researchgate

Data Protection Impact Assessment (DPIA) for Cloud-Based Health Organizations

https://www.researchgate.net/publication/349882283_Data_Protection_Impact_Assessment_DPIA_for_Cloud-Based_Health_Organizations

Guidelines

CNIL

https://www.cnil.fr/en/tag/Privacy+Impact+Assessment+(PIA)

https://www.cnil.fr/en/guidelines-dpia

IAPP

https://iapp.org/news/a/guidance-for-a-cloud-migration-privacy-impact-assessment/

Templates

IAPP

https://iapp.org/resources/article/transfer-impact-assessment-templates/

Referring to:

IAPP Templates

Supplier references

Microsoft

Data Protection Impact Assessment for the GDPR

2021-11-17: https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-data-protection-impact-assessments

Data Protection Impact Assessments: Guidance for Data Controllers Using Microsoft Professional Services

Part 1: Determining whether a DPIA is needed

https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-dpia-prof-services?view=o365-worldwide#part-1–determining-whether-a-dpia-is-needed

Part 2: Contents of a DPIA

https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-dpia-prof-services?view=o365-worldwide#part-2-contents-of-a-dpia

Download Customizable DPIA document

https://www.microsoft.com/en-us/download/details.aspx?id=102398

(more to come, this article will be updated with additional references when necessary)

Other relevant references

EDPB (European Data Protection Board)

Launch of coordinated enforcement on use of cloud by public sector

https://edpb.europa.eu/news/news/2022/launch-coordinated-enforcement-use-cloud-public-sector_en

Note-to-self: free download of interesting guides for SME from DigitalSME.eu

Jean-Luc Allard pointed out to a #free#download of interesting guides for #SME on implementing the #informationsecurity basics we all need:

Freshly published: Essential controls for SMEs to protect user’s #privacy and data and ensure #GDPR compliance (based on new #ISO27002)
https://lnkd.in/epridtnY

Direct download of PDF: https://lnkd.in/en8rVMBY

And also: The #ISO27001 standard made easy for SMEs:
https://lnkd.in/eiaBbdmp
Direct PDF access: https://lnkd.in/eFR2yjp

And there is more on the website of European DIGITAL SME Alliance (website: https://www.digitalsme.eu/)

#smebusiness#smesupport#smallbusiness

Data Compliance: Get it right the first time

Below is a short overview of the #Hexnode webinar, presented 2022-04-07 about data compliance.

The webinar recording is published at the Hexnode website (and embedded below).
And the PDF version of the slide deck is published in full color and B/W print version on Slideshare, see links below.

PPT version available on request (send me a DM on LinkedIN).

Data is the new oil…

Whatever business you run…

.. it won’t run without data:

  • Business data
  • Management data
  • HR data
  • Technical data
  • Network data
  • Personal data (PII)
  • Communications
  • Mail data 
  • Financial data
  • Operational data
  • Intelligence
  • Intellectual Property (IP)
  • Ideas

Other businesses want your data as well…

There is a massive growth of digital business:

  • Direct marketing
  • Data brokers
  • Data Intelligence
  • Data analytics
  • Big data
  • Artificial intelligence
  • Machine learning
  • Health care, research & development

But also… the dark side wants your data.

And your data in the wrong hands.. is explosive.

Current state of crime

Company and user data, and personal data is an important target and leverage in cybercrime lik

  • Phishing
  • Ransomware
    • not only encryption
    • data leak extortion
  • Reconnaissance & Hacking
  • Data breaches 
  • Biometric data
  • Digital & Economical war

Now the question is… How do YOU get in control?

You can’t simply lock up your data… because data needs to flow. (You want to use it…)

Data management essentials to get grip

Ask yourself: how much €$ can you spend to protect your data? To answer that question, you’ll need to get grip of some basic data management principles, in relation to security:

  1. You can only protect what you know you have
  2. Without an owner there is no protection
  3. Nothing is stable, everything has a lifecycle
Data lifecycle

Data lifecycle

The start of the cycle is mostly

  • short,
  • easy to manage,
  • low security risk. (if the creation fails… you have no data to keep under control)

The end of the cycle is mostly

  • long, (there are various reasons why you need to keep the data for a while, eg in archive before you dispose of it..)
  • difficult to manage (if the process fails, it’s difficult to track or keep under control)
  • high security risk. (risk of losing ownership, risk of leakages, …)

What is risk?

Assets have

Vulnerabilities (weaknesses/properties) 

that can be exploited by 

Threats (activities)

with impact ($$ cost).

You need to balance the protection against the impact. You don’t want to over-spend or under-protect.

Your boss (or insurance, of CFO ) needs a budget, spreading cost over a year, or 2..3..4..5.

[Risk management is calculating impact over the rate of occurrence/frequency…]

How to get started

Know the external context

  • International regulations (GDPR, …)
  • National regulations (SOC, …)
  • Sector regulations (PCI-DSS, ..)
  • Contractual obligations
  • Enterprise vs PII/personal data requirements

Know the internal context

  • Know your business (what)
  • Know your organization (organigram)
  • Make an inventory of processes and interfaces
  • Assign business ownership
    • For each process
    • For each asset

Know the processes

  • Know the data flow 
  • Know your sources (IN)
  • Know the data processing
  • Know your receivers (OUT)

Know the data in the processes

  • Categorize your data – data types
    • Enterprise data
    • PII / Personal data (GDPR !)
    • Other ?

Categorization (define data classes)

  • Sensitivity = linked to business impact
  • Ask the owner : “What if data is …”
    • unavailable, 
    • changed,
    • destroyed,
    • leaked,
    • accessed unauthorized, illegally, unlawfully,
  • Categorize your data sensitivity
    • Enterprise data, for example
    • Unclassified, Official, Restricted, Confidential, Secret, Top Secret (NATO) 
    • Public, Company internal, Confidential, Strictly confidential  
    • TLP RED, TLP Amber, TLB Green, TLP White (public)

Classification (apply the labels)

  • Responsibility of owner
  • Label all data
  • Label containers if you can’t label the data
    • Folder or File share
    • Database
    • mailbox 
    •  …

Mind the lifecycle

  • Get started
  • Keep going
  • Start over again
  • Think about security when
    • creating new processes
    • changing processes
    • removing processes
    • recheck on a regular schedule (even when nothing changes)

Mind the business and legal requirements

  • Accountability & Responsibility 
  • Reporting & audit requirements (SOC I-II, …)
  • Incident management requirements
  • Data breach requirements (GDPR)
  • Subject rights 

Consequences of data management failure

  • Financial loss
  • Business loss
  • Reputation loss 
  • Contract SLA violation
  • Regulatory violations
  • Fines
  • Prosecution
  • Personal accountability

Think about

  • Direct and indirect impact
  • Short term and long term impact
  • How long can you survive a total breakdown?

TAKEAWAYS

  • Manage enterprise data like personal data
  • Keep the categories simple (<7)
  • 3 TLP (RedAmberGreen) + 2 categories (public + highly critical)
  • Define and maintain ownership
  • Involve everyone
  • Evangelize internal & external stakeholders (incl. customers…)
  • Lead by example

Use business best practices

  • Use standards and frameworks
  • ISO (international)
  • NIST (US)
  • ENISA (EU)
  • COBIT (ISACA)

Classification and labeling

  • Force labeling
  • Aim to classify everything
  • Start with new data first
  • Update labels when you change documents
  • Set a default label for archived data that doesn’t change
  • DO NOT set “public” as default

Think about the support processes

  • Incident management (ISO 27035 & NIST)
  • Data breach management (GDPR & other …)
  • Business continuity (ISO22301)
  • Disaster recovery

Questions

How to identify regulations you should follow?

  • know and analyse the services you’re offering,
  • where is your data stored?
  • what kind of data you have (enterprise data, personal data, financial, …)
  • identify the local, national, regional, international regulations of sector legislations that apply to your business (check partners/competition, sector representatives, …)

Is there difference in regulation for small or large business?

  • very limited impact of size of company…
  • very likely some impact on financial and tax reporting,
  • some legislation only apply in large scale operations (eg GDPR only requires a DPO for certain type of operations, …)

Best place to start for SME/SMB?

Webinar recording by Hexnode

Hexnode webinar

Presentations

Full color

Black/White print

#ICYMI, check these online fully accessible + freely downloadable ISO standards, relevant for information security, privacy & data protection

#ICYMI, In case you missed it.

Online freely accessible ISO standards

In the midst of the #COVID19 corona pandemic, the ISO (International Organization for Standardization) has unlocked free reading access to a bunch of relevant standards, including

  • ISO 22301:2019, Security and resilience – Business continuity management systems –Requirements
  • ISO 22316:2017, Security and resilience – Organizational resilience – Principles and attributes
  • ISO 22320:2018, Security and resilience – Emergency management – Guidelines for incident management
  • ISO 31000:2018, Risk management – Guidelines
  • ISO 13485:2016, Medical devices — Quality management systems – Requirements for regulatory purposes

The general access page with all online, fully accessible standards can be found here: https://www.iso.org/covid19.

Important note:

  • these standards are available online, but not downloadable (for legitimate downloads you need to purchase your copy in the ISO shop or with your national standards organisation)
  • there is no guarantee for continued free access once the Covid pandemic is over, if ever. That’s the sole discretion of the ISO, of course.

Freely downloadable ISO standards

Next to the (temporary) free online access, there is also a set of standards you can download for free, no payment required.
See here: https://standards.iso.org/ittf/PubliclyAvailableStandards/

Short url to bookmark: https://ffwd2.me/FreeISO.

Check the interesting ISO standards (from the information security point of view) below

ISO27000 (Information security)

The ISO27001 vocabulary

ISO/IEC 27000:2018
EN – FR
5thInformation technology — Security techniques — Information security management systems — Overview and vocabularyISO/IEC JTC 1/SC 27

Privacy Framework (ISO29100)

ISO/IEC 29100:2011
EN – FR
1stInformation technology — Security techniques — Privacy frameworkISO/IEC JTC 1/SC 27

Cloud Computing Reference architecture

SO/IEC 17788:2014
EN
1stInformation technology — Cloud computing — Overview and vocabularyISO/IEC JTC 1/SC 38
ISO/IEC 17789:2014
EN
1stInformation technology — Cloud computing — Reference architectureISO/IEC JTC 1/SC 38

Cloud computing vocabulary

ISO/IEC 22123-1:2021
EN
1stInformation technology — Cloud computing — Part 1: VocabularyISO/IEC JTC 1/SC 38

Cloud computing policy development

ISO/IEC TR 22678:2019
EN
1stInformation technology — Cloud computing — Guidance for policy developmentISO/IEC JTC 1/SC 38

Cloud Computing SLAs

ISO/IEC 19086-1:2016
EN
1stInformation technology — Cloud computing — Service level agreement (SLA) framework — Part 1: Overview and conceptsISO/IEC JTC 1/SC 38
ISO/IEC 19086-2:2018
EN
1stCloud computing — Service level agreement (SLA) framework — Part 2: Metric modelISO/IEC JTC 1/SC 38

Common Criteria (ISO 15408)

ISO/IEC 15408-1:2009
EN – FR
3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general modelISO/IEC JTC 1/SC 27
ISO/IEC 15408-2:2008
EN – FR
3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional componentsISO/IEC JTC 1/SC 27
ISO/IEC 15408-3:2008
EN – FR
3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance componentsISO/IEC JTC 1/SC 27

Identity management

ISO/IEC 24760-1:2019
EN – FR
2ndIT Security and Privacy — A framework for identity management — Part 1: Terminology and conceptsISO/IEC JTC 1/SC 27

Why it’s not appropriate to ask for a copy of the identity card by default and systematically before you respond to a #GDPR data access request?

The EDPB guidelines on the data subject’s rights of access contain 60 pages of very useful instructions. This article is not elaborating all of it, but only highlights the topics relative to the use of ID card photocopies, as there has been a recent case at the Belgian Data Protection Authority strongly referring to the data access request guidelines by the European Data Protection board (EDPB).

Background

In a recent publication of a case (DOS-2020-05314), the Belgian Data protection Authority decided to classify the complaint itself without any consequences, but they explicitly confirmed that the use of a photocopy of the ID card is a very bad idea in general.

A very clear reminder that you shall not systematically request a copy of the identity card

In the motivation of the case it sets a very clear reminder that it’s considered illegal to systematically request for a copy of an identity card as a condition to respond to a GDPR data access request, in accordance with the EDPB (European Data Protection Board) guidelines on the right to access.

Why is a copy of an ID card a bad idea?

The copy of the ID card contains a lot of sensitive data like your national number, that can be abused to harm you, by stealing your identity.
Using your identity data, people can open bank accounts and credits, steal your many, empty your existing bank account, … so the impact is very personal, very real and very high when your identity is stolen.

EDPB guidelines Guidelines 01/2022 on data subject rights – Right of access

The highlights

The EDPB explains in the executive overview of their guidelines that “The right of access of data subjects is enshrined in Arti. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.

“There are no specific requirements on the format of a request. The controller should provide appropriate and user-friendly communication channels that can easily be used by the data subject.”

“The request for additional information must be proportionate to the type of data processed, the damage that could occur etc. in order to avoid excessive data collection.”

Do not excessively demand for personal data when validation of access request

In the guidelines, the EDPB says:

“65. /../ In general, the fact that the controller may request additional information to assess the data subject’s identity cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested.”

Copy of ID card should generally not be considered an appropriate way of authentication

EDPB guideline:

74. Taking into account the fact, that many organisations (e.g. hotels, banks, car rentals) request copies of
their clients’ ID card, it should generally not be considered an appropriate way of authentication
.

Alternatively, the controller may implement a quick and effective security measure to identify a data subject who has been previously authenticated by the controller, e.g. via e-mail or text message containing confirmation links, security questions or confirmation codes.”

Information on the ID that is not necessary for confirming the identity should be hidden

EDPB guidine 75:
In any case, information on the ID that is not necessary for confirming the identity of the data subject,
such as the access and serial-number, nationality, size, eye colour, photo and machine-readable zone,
may be blackened or hidden
by the data subject before submitting it to the controller, except where
national legislation requires a full unredacted copy of the identity card (see para. 77 below).

Generally, the date of issue or expiry date, the issuing authority and the full name matching with the online
account are sufficient for the controller to verify the identity, always provided that the authenticity of
the copy and the relation to the applicant are ensured. Additional information such as the birth date
of the data subject may only be required in case the risk of mistaken identity persists, if the controller
is able to compare it with the information it already processes.

Inform about data minimization and apply it.

EDPB guideline 76.

“To follow the principle of data minimisation

the controller should inform the data subject about the information that is not needed and

about the possibility to blacken or hide those parts of the ID document.

In such a case, if the data subject does not know how or is not able to blacken such information, it is good practice for the controller to blacken it upon receipt of the document, if this is possible for the controller, taking into account the means available to the controller in the given circumstances.”

Making the information available in a commonly used electronic form

Following EDPB guideline, paragraph 32, the controller must provide the answer in a commonly used electronic form.

the event of a request by electronic form means, information shall be provided by electronic means
where possible and unless otherwise requested by the data subject
(see Art. 12(3)). Art. 15(3), third
sentence, complements this requirement in the context of access requests by stating, that the
controller is in addition obliged to provide the answer in a commonly used electronic form, unless
otherwise requested by the data subject
. Art. 15(3) presupposes, that for controllers who are able to
receive electronic requests it will be possible to provide the reply to the request in a commonly used
electronic form (e.g. in PDF). This provision refers to all the information that needs to be provided in
accordance with Art. 15(1) and (2). Therefore, if the data subject submits the request for access by
electronic means, all information must be provided in a commonly used electronic form.”

Some practical data protection life hacks

Protecting your identity card

  • keep your ID card in your pocket or wallet as much as possible.
  • do NOT hand over your identity card to any party, unless it’s a legal authority (police, … )
  • Quickly showing your ID card for validation is fine, but resist to the requests to get a copy of your card.
  • prepare to have a masked paper copy of your ID card,
    • make sure to hide all the irrelevant, sensitive information yourself
    • keep a paper copy in your wallet
  • Prepare a masked digital photo copy of your ID card, yourself.
  • mask all all the irrelevant, sensitive information on your identity card, do it yourself
    • eg, use tippex to wipe out info, but you can simply scratch tippex when an official authority needs to validate your sensitive information)
    • ‘accidental’ copies will still mask your data, and you can detect if an unauthorized party scratches your ID card

From a corporate perspective

  • Do not request copies of identity cards by default, there are many more practical means to verify identity in a secure way
  • Only authenticate ID cards, when there are no other options.
  • use electronic authentication without disclosure of sensitive data
  • use an alternative means of authentication, there are many ways to do this securely
  • do not keep a copy of any identity card, there are virtually NO reasons to keep a copy, quick validation is mostly enough
  • delete any copy of identity cards as soon as possible…

Reference information:

Image by mohamed Hassan from Pixabay

Note-to-self: KopieID (to blur your ID card fotocopy)

Source:

As explained here (in Dutch) and here (Dutch), it’s a terrible ID (sorry, idea), to copy your identity card and hand over the unprotected copy to someone….

Therefore it’s highly interesting to protect the photocopy against abuse, in the ultimate case you need a photocopy of your identity card…

KopieID NL

In the Netherlands the government has provided an app for your mobile phone, to take a photo of your ID and then blur the redundant information and to add a remark / watermark to indicate the purpose limitation.

Check it out here:

They also provide an interesting video explanation:

KopieID BE

In Belgium, there is a website (without app) that does the same, see here:

References

Source articles:

Reference material from the articles:

Picture credits: Image by mohamed Hassan from Pixabay 

Image source: https://pixabay.com/illustrations/hack-fraud-card-code-computer-3671982/

Note-to-self: SOC2 mapping to ISO27001

Just in case you get into SOC2 and want to know how to map it to existing information security implementation, whatever it may be, GDPR, ISO27001, NIST, … check this page

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/mappingsrelevanttothesocsuiteofservices.html

It includes:

These links have nice XLS format sheets, with a bidirectional comparison between the frameworks.

Info on SOC1/SOC2/SOC3

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

SOC and SOX?

 SOC reports refer to an audit of internal controls to ensure data security, minimal waste, and shareholder confidence; SOX relates to government-issued record keeping and financial information disclosure standards law. In other words, one is about keeping information safe, and the other is about keeping corporations in check.

https://immedis.com/blog/what-are-the-key-differences-between-soc-and-sox/

https://www.logicgate.com/blog/a-comparison-of-soc-and-sox-compliance/

Also

https://linfordco.com/blog/soc-2-security-vs-iso-27001-certification/

(braindump article, still in progress)

Whatsapp security dichttimmeren: stap voor stap (NL)

English version here: https://identityunderground.wordpress.com/2021/06/07/whatsapp-security-lockdown-step-by-step/

Gebruik je WhatsApp, of overweeg je om het te gebruiken (of ben je uitgenodigd door contacten)?

Dan kan de onderstaande checklist je stap-per-stap in detail uitleggen om

  • te evalueren of het de moeite waard is om WhatsApp te gebruiken, en
  • de beveiliging van je WhatsApp dicht te timmeren, om zo veilig mogelijk te blijven als je Whatsapp wil gebruiken.

Download dit article

At the end of this article, you can also find the download link for an offline version of this article.

Als je echt om privacy geeft en het is van het grootste belang…

Zoals hieronder uitgelegd, kun je WhatsApp zeker beveiligen, maar ze hebben nog steeds je gegevens en metadata en ze definiëren de regels waarmee WhatsApp de show uitvoert. En dat kan veranderen, wanneer ze maar willen.

En je moet weten dat WhatsApp eigendom is van en wordt beheerd door Facebook. En Facebook heeft al bewezen dat ze een echt slechte reputatie hebben als het gaat om privacy …

Als je echt niet wilt toegeven qua privacy, kijk dan eens naar alternatieven die niet zijn gebouwd door bedrijven die geld verdienen met je persoonlijke gegevens… (zie einde van dit artikel).

Het is aan jou om te beslissen welk risico je wilt nemen. Als je het gebruik van WhatsApp en je privacy wilt afwegen tegen de best mogelijke beveiliging, lees dan verder.

Als je om privacy geeft en toch Whatsapp wilt gebruiken

End-to-end encryptie

Het goede nieuws is dat WhatsApp een end-to-end encryptie gebruikt.

En hoewel Facebook of andere partijen mogelijk niet meeluisteren met uw gesprekken, kunnen de contactgegevens, de metagegevens (de gegevens over uw gesprekken) worden onderschept en eigendom zijn van / worden beheerd door Facebook / WhatsApp.

Verder is het belangrijk om te weten dat encryptie NIET van toepassing is op de WhatsApp back-ups.

Zoals hieronder wordt uitgelegd, kunt u dus overwegen whatsApp-back-up uit te schakelen om uw gegevens te beschermen.

En als je er toch voor wilt kiezen om WhatsApp te gebruiken, kun je de privacy en beveiliging in alle lagen van de applicatie beter vergrendelen.

Algemene beveiligingsregels

Minimaliseer uw gegevens

Over het algemeen is het altijd slim om uw gegevens in de applicatie te minimaliseren.

  • Geef geen persoonsgegevens weg
  • houd uw profielgegevens tot het minimum dat nodig is

Ga naar het WhatsApp status tabblad (rechts naast chats)

This image has an empty alt attribute; its file name is whatsapp_settings1.png

en klik vervolgens op “Instellingen” (Settings)

This image has an empty alt attribute; its file name is whatsapp_personal-info-1.png

Ook, heel belangrijk, beperk het delen van persoonlijke gegevens, er is een specifieke set opties in het gedeelte Privacy.

  • uw profiel alleen delen met vertrouwde contactpersonen
  • De publicatie van
    • “laatst gezien” tijdstempel
    • profielfoto
    • status
    • groepen
    • live locatie

Stel voor elk van deze opties de juiste keuze in om delen uit te schakelen.

Kies “Alleen delen met…” (Only Share with…) > geen contactpersonen selecteren (of enkel een beperkte set vertrouwde contactpersonen)

This image has an empty alt attribute; its file name is whatsapp_status-privacy.png

Resultaat

This image has an empty alt attribute; its file name is whatsapp_settings_privacy.png

Zorg er ook voor dat u het “Vingerafdrukslot” (Fingerprint lock) inschakelt, indien beschikbaar op uw smartphone.

Koperstip: voor de volgende smartphoneaankoop moet u rekening houden met de beschikbaarheid van een vingerafdrukscanner op uw telefoon.

Houd de app up-to-date

Werk uw apps continu bij, incl. WhatsApp, naar de nieuwste versie, om ervoor te zorgen dat alle beveiligingsfouten of beveiligingsproblemen meteen worden opgelost.

De meeste beveiligingsinbreuken of hacks richten zich specifiek op verouderde software.

Hoe u uw WhatsApp-beveiliging kunt vergrendelen, de controlelijst

Zonder beveiligingsconfiguratie is het vrij eenvoudig om een WhatsApp-account te kapen, omdat de eerste registratie alleen is gebaseerd op mobiele nummerregistratie en / of sms (kort bericht).

Dit maakt de eerste WhatsApp-gebruiker extreem gevoelig voor accountovername. Wees niet het volgende slachtoffer en vergrendel WhatsApp vanaf het eerste gebruik.

This image has an empty alt attribute; its file name is whatsapp_settings_account-2.png

Whatsapp tweestapsverificatie (2FA) of multifactorauthenticatie (MFA) inschakelen

Allereerst moet je MFA inschakelen, het is een must.

Wanneer je 2FA / MFA inschakelt op de WhatsApp-instellingen, voorkom je dat iemand anders gewoon je telefoonnummer of WhatsApp-account kan overnemen.

Gebruik de sterke authenticatie van je telefoon

This image has an empty alt attribute; its file name is whatsapp_settings_2fa.png

E-mailadres registreren voor je account

This image has an empty alt attribute; its file name is whatsapp_settings_2fa_mail.png

Een pincode instellen

Houd er rekening mee dat de pincode in WhatsApp geen inlogmethode is, maar een herstel- / herinstallatiefunctie.

Meer info: https://faq.whatsapp.com/android/security-and-privacy/adding-a-password/?lang=en

Maar u kunt de smartphonebeveiliging gebruiken om toegang tot toepassingen in te schakelen.

Het wordt sterk aangeraden om 2FA of MFA (multifactorauthenticatie, zoals uitgelegd in eerdere paragrafen) in te schakelen.

This image has an empty alt attribute; its file name is whatsapp_settings_2fa_pin.png

Whatsapp-tweestaps- of multifactorauthenticatie inschakelen

Gebruik telefoon sterke authenticatie

Vingerafdruk

Binnen de privacy-instellingen vindt u de optie “Vingerafdrukvergrendeling” (als uw smartphone de vingerafdrukscanner aan boord heeft).

This image has an empty alt attribute; its file name is whatsapp_fingerprint.png

Ga naar Instellingen > Account > Privacy om de vingerafdrukvergrendeling in te schakelen

This image has an empty alt attribute; its file name is whatsapp_settings_privacy_fp.png

Selecteer vervolgens de laatste optie (Vingerafdrukvergrendeling)

In dit vingerafdrukvergrendelingsmenu kunt u de ontgrendeling inschakelen en de time-outperiode kiezen. Hou het kort.

(Misschien is “meteen”/”immediately” een beetje lastig, zet ‘m dan op 1 minuut bijvoorbeeld…)

This image has an empty alt attribute; its file name is whatsapp_privacy_fingerprint.png

De beveiligingsmeldingen inschakelen

In de account settings

This image has an empty alt attribute; its file name is whatsapp_settings_account.png

er is een beveiligingsoptie

This image has an empty alt attribute; its file name is whatsapp_settings_security.png

Zorg ervoor dat u de optie “Beveiligingsmeldingen weergeven” inschakelt.

Dit zorgt ervoor dat u meldingen ontvangt wanneer de beveiligingscode van uw contacten verandert.

De privacy-instellingen vergrendelen

Verwijder overbodige persoonsgegevens uit uw profiel

Er is niet veel informatie die u zelf aan uw profiel kunt toevoegen.

Houd het tot het strikte minimum, en ik stel ook voor om geen persoonlijke foto toe te voegen, maar eerder een algemene foto.

This image has an empty alt attribute; its file name is whatsapp_settings_account-1.png

Schakel in de privacyinstellingen alle publicatie van uw profielgegevens uit.

This image has an empty alt attribute; its file name is whatsapp_settings_privacy-1.png

Locatietracking stoppen

Een belangrijke optie in de vorige lijst is ook het uitschakelen van locatietracking (“Live locatie”).

Back-up uitschakelen

Hoewel WhatsApp end-to-end-codering gebruikt voor zijn berichten, wordt de codering niet gehandhaafd wanneer de gegevens in de back-up worden opgeslagen

Als u zich echt zorgen maakt over privacy en beveiliging, schakelt u de back-up uit.

Trouwens, als u het verlopen van het bericht activeert, is de back-up toch overbodig…

This image has an empty alt attribute; its file name is whatsapp_settings_account2.png

Select de “Chats” optie

This image has an empty alt attribute; its file name is whatsapp_chats.png

Kies in de chatoptie de optie “Chat back-up”

This image has an empty alt attribute; its file name is whatsapp_backup1.png

In de Google drive settings (tenminste voor Android devices), selecteer “Backup to Google Drive” en selecteer dan “Nooit/Never”.

This image has an empty alt attribute; its file name is whatsapp_backup.png

Berichtvervaltijd inschakelen (berichten verdwijnen)

Als u het verlopen van berichten wilt inschakelen, moet u dit instellen op accountniveau van uw contactpersoon of op groepsniveau

Er is geen algemene beveiligingsinstelling en u kunt deze ook niet instellen op berichtniveau.

Waarschuwing

Houd er rekening mee dat het verdwijnen van berichten in WhatsApp enkele problemen kan hebben: https://www.androidauthority.com/whatsapp-disappearing-messages-feature-1173692/

Op contactniveau

This image has an empty alt attribute; its file name is whatsapp_contact_group_setting.png

Berichtvervaltijd op groepsniveau inschakelen

You can set the same options on group level too.

It’s highly suggested to enable these group options, and make sure information is not kept longer as needed.

Andere operationele beveiligingstaken

Verouderde leden uit groepen verwijderen

Het is heel belangrijk om groepen die u beheert te bewaken en overbodige leden zo snel mogelijk te verwijderen.

Zo voorkom je dat er gegevens ‘lekken’ naar deelnemers die die informatie niet nodig hebben.

Groepen verlaten die u niet meer gebruikt

Controleer groepen waarvan u lid bent en sluit deze groepen af/afsluit deze groepen als u ze niet meer nodig hebt, als u geen informatie meer wilt delen of als u niet wilt dat leden uw informatie/berichten zien.

This image has an empty alt attribute; its file name is whatsapp_leave-group.png

Zo voorkomt u dat u gegevens ‘lekt’ naar deelnemers om u te zien of te volgen.

Verzoek om toegang tot gegevens

Als je de informatie wilt controleren die WhatsApp over je weet, kun je een kopie van die infromation aanvragen

Ga naar je accountinstellingen

This image has an empty alt attribute; its file name is whatsapp_settings_requestinfo.png

En klik vervolgens op de optie “Informatie aanvragen”

Overweeg om andere tools te gebruiken, enkele alternatieven

Source:

Als je echt niet wilt toegeven aan privacy, kijk dan eens naar alternatieven die niet zijn gebouwd door bedrijven die geld verdienen met je persoonlijke gegevens…

Referenties

Whatsapp

Jezelf beschermen tegen WhatsApp-hacks

Uw gestolen account herstellen

Andere bronnen – aanvullende referenties die je kan raadplegen

Download

Dit artikel in het Nederlands kan je in PDF downloaden via deze link:

https://identityunderground.files.wordpress.com/2021/06/whatsapp-security-lockdown-step-by-step-nl-v1.pdf

Whatsapp security lockdown step-by-step

(NL versie vind je hier: https://identityunderground.wordpress.com/2021/06/07/whatsapp-security-dichttimmeren-stap-voor-stapnl/)

Are you using WhatsApp, or considering (or invited to, by contacts)?

Then the checklist below should provide you with detailed steps to

  • consider if it’s worth using WhatsApp
  • lock down the security of your WhatsApp to keep as secure as possible

Download this article

At the end of this article, you can also find the download link for an offline version of this article.

If you really care about privacy and it’s paramount…

As explained below you surely can lockdown WhatsApp, but they still have your data and metadata and they define the rules by which WhatsApp runs the show. And that can change, whenever they want.

And you should know that WhatsApp is owned and managed by Facebook.
And Facebook already has proven to maintain a really bad reputation when it comes down to privacy…

If you really do not want to give in on privacy, better check for alternatives that are not built by companies that make money with your personal data… (see end of this article).

It’s up to you to decide what risk you want to take. If you want to balance the use of WhatsApp and your privacy with the best possible security, continue to read.

If you care about privacy and still want to use Whatsapp

End-to-end encryption

The good news is, WhatsApp is using an end-to-end encryption.

And although Facebook or other parties might not listen in on your conversations, the contact data, the meta data (the data about your conversations) might be intercepted, and is owned/managed by Facebook/WhatsApp.

Furthermore it’s important to know that encryption DOES NOT apply to the WhatsApp backups.

So, as explained below, you might consider disabling WhatsApp backup to protect your data.

And if you still want to choose to use WhatsApp, better lock down the privacy and security in all layers of the application.

General security rules

Minimize your data

In general it’s always smart, to minimize your data in the application.

  • Don’t give away personal data
  • keep your profile data to the minimum needed

Go to the WhatsApp status tab

then click “Settings”

Also, very important, limit personal data sharing, there is a specific set of options in the Privacy section.

  • only share your profile with trusted contacts
  • Disable the publication of
    • “last seen” time stamp
    • profile photo
    • status
    • groups
    • live location

For each of these options set the right choice to disable sharing.

Choose “Only Share with…” > do not select any contacts (or a limited set of trusted contacts)

Result

Also make sure to enable the “Fingerprint lock” if available on your smartphone.

Buyers tip: for next smartphone purchase you must consider the availability of a fingerprint scanner on your phone.

Keep the app up to date

Continuously update your apps, incl. WhatsApp, to the latest version, to make sure that all security bugs or security issues are fixed right away.

Most of security breaches or hacks do specifically target outdated software.

How to lock down your WhatsApp security, the check list

Without security configuration it’s fairly easy to hijack a WhatsApp account, as the initial registration is only based on mobile number registration and/or SMS (short message).

This makes the initial WhatsApp user extremely sensitive to account take over. Don’t be the next victim, and lock down WhatsApp from the first use.

Enable Whatsapp Two-step (2FA) or multifactor authentication (MFA)

First of all you need to enable MFA, it’s a must.

When you enable 2FA/MFA on the WhatsApp settings, you avoid that someone else simply can take over your phone number or WhatsApp account.

Use phone strong authentication

Register email address to the account

Set a pin/password

Be aware that the PIN in WhatsApp is not a login method but a recovery/reinstallation feature.

More info: https://faq.whatsapp.com/android/security-and-privacy/adding-a-password/?lang=en

But you can use the smartphone security to enable application access security.

It’s strongly suggested to enable 2FA or MFA (multifactor authentication, as explained in previous paragraphs.

Enable Whatsapp Two-step or multifactor authentication

Use phone strong authentication

Finger print

Within the privacy settings, you can find the option “Fingerprint lock” (if your smartphone has the fingerprint scanner on board).

To enable the fingerprint lock, Go to Settings > Account > Privacy

Then select the last option (Fingerprint lock)

In this Fingerprint lock menu, you can enable the unlock and choose the time-out period. Keep it short.

(Maybe immediately is a bit inconvenient…)

Enable the security notifications

In the account settings

there is a security option

Make sure to enable the “Show Security notifications” option.

This will make sure you get notifications when the security code of your contacts change.

Lock down the privacy settings

Remove redundant personal data from your profile

There is not a lot of info you can add to your profile yourself.

Keep it to the strict minimum, and I also would suggest not to add a personal photo, but rather a general photo.

In the privacy settings, disable all publication of your profile data.

Stop location tracking

An important option in previous list is also to disable location tracking (“Live location”).

Disable backup

Although WhatsApp is using end-to-end encryption for it’s messaging, the encryption is not maintained when the data is stored in the backup

If you really are concerned about privacy and security, you disable the backup.

By the way, if you activate message expiration, the backup is redundant anyway…

Select the “Chats” option

In the chats option, choose the “Chat backup” option

In the Google drive settings (at least for Android devices), select “Backup to Google Drive” and then select “‘Never”.

Enable message expiration (disappearing messages)

To enable message expiration, you’ll need to set it on the account level of your contact or on group level

There is no general security setting, nor can you set it on the message level.

Warning

Please be aware that disappearing messages in WhatsApp might have some issues: https://www.androidauthority.com/whatsapp-disappearing-messages-feature-1173692/

On contact level

Enable message expiration on group level

You can set the same options on group level too.

It’s highly suggested to enable these group options, and make sure information is not kept longer as needed.

Other operational security tasks

Remove obsolete members from groups

It’s quite important to monitor groups you manage and remove redundant members as soon as possible.

This way you avoid ‘leaking’ data to participants who do not need that information.

Leave groups you don’t use anymore

Monitor groups you are member of, and you should quit/exit these groups if you do not need them anymore, or you do not want to share information anymore, or if you don’t want members to see your information/messages.

This way you avoid ‘leaking’ data to participants to see you or track you.

Data access request

If you want to check the information that WhatsApp knows about you, you can request a copy of that infromation

Go to your account settings

And then click the “Request Information option”

Consider to use other tools, some alternatives

Source:

If you really do not want to give in on privacy, better check for alternatives that are not built by companies that make money with your personal data…, like

Reference

Whatsapp

Protecting yourself from WhatsApp hacking

Recover your stolen account

Other sources – additional references you can check

Download

The current article is available for download here: https://identityunderground.files.wordpress.com/2021/06/whatsapp-security-lockdown-step-by-step.pdf

Note-to-self: 2020 IDG Security priorities study

Source: https://f.hubspotusercontent40.net/hubfs/1624046/2020_Security%20Priorities%20Executive%20Summary_final.pdf

End 2020 IDG published a study on Security priorities, and it provides important guidelines to the priorities of securing yourself and your company

  1. Protection of confidential and sensitive data
  2. End-user awareness
  3. Corporate resilience
  4. Enhance access control
  5. Understand external threats
  6. Application security
  7. Plan for unexpected risks

This pretty much confirms that your customers, stakeholder’s and staff interest in protecting personal data is driving security from business perspective.

If you see the increase of cyberattacks and ransomware hitting the business, it’s pretty obvious that Business Continuity Management and Disaster recovery must be on top of your priority list.
You need to have a tested plan against successful cyberattacks and ransomware, to avoid extended business damage and massive (ransom) costs … afterwards.

To put a plan together, you need to understand who is your adversary and what the current state of cybersecurity is.
And this study is a simple but smart guide to define your priorities.

The better you prepare, the less it will cost.
But you’ll only be able to tell when it goes wrong.

Don’t get caught by surprise, be ready.