download

Note-to-self: CIS Software Supply Chain security guide

CIS (Center for Internet Security) has published an interesting guide on software supply chain security.

Even if you do not build software on your own, it still is useful to to pick the relevant security measures/controls as part of your information security management to protect yourself and your enterprise.

As we all learned from the log4j issue which impacted many generally used platforms, it has become very clear that you need to look beyond the first level of control (your own)…

It’s critical to manage 2nd (your suppliers) and even third level (suppliers of suppliers)

Highlights

In high level overview, the document discusses:

  1. Source code
    • Code changes
    • Repository management
    • Contribution access
    • Third party
    • Code risks
  2. Build pipelines
    • Build environment
    • Build worker
    • Pipeline instructions
  3. Dependencies
    1. Third party packages
    2. Validate packages
  4. Artifacts
    • Verification
    • Access to artifacts
    • Package registries
    • Origin traceability
  5. Deployment
    • Deployment configuration
    • Deployment environment

Supply chain guide access (need to register on CIS)

https://workbench.cisecurity.org/files/3972 (login needed, but it’s non-commercial, limited data protection risk)

More info:

Extra references

Software impacted by Log4j, see the NCSC Github / Software inventory: https://github.com/NCSC-NL/log4shell/tree/main/software

(if necessary this post will be updated with more interesting material, when applicable)

Handige tip: snelle en volledige download van #BELAC auditor werkbestanden en documenten

(Update: 29/4/2022, link naar BELAC Management systeem)

Wanneer je als auditor voor BELAC (de Belgische Accreditatie-instantie) werkt, moet je gebruik maken van hun

  • richtlijnen
  • Procedures
  • juridische documenten & referentiestandaarden
  • aanwijzingen
  • beoordelingsrapporten

Deze worden allemaal (afzonderlijk) gepubliceerd op de website van BELAC onder de publicaties:

De meest recente updates vind je hier: https://economie.fgov.be/nl/themas/kwaliteit-veiligheid/accreditatie-belac/recent-gewijzigde-en-nieuwe

Er is jammer genoeg geen optie om alle bestanden in één keer te downloaden.

Informatie over het BELAC management systeem vindt je hier:

(NL) : https://economie.fgov.be/nl/themas/kwaliteit-veiligheid/accreditatie-belac/managementsysteem-van-belac

(FR): https://economie.fgov.be/fr/themes/qualite-securite/accreditation-belac/systeme-de-management-de-belac

(EN): https://economie.fgov.be/en/themes/quality-and-safety/accreditation-belac/management-system-belac

Download zelf de volledige collectie met Powershell

Om alle BELAC bestanden als collectie te downloaden kan je dit Powershell script gebruiken.

download BELAC docs.ps1Download

Om dit script te gebruiken, moet je de .txt extensie verwijderen (laat de .ps1 suffix staan).

Moest je geen Microsoft Windows gebruiken, dan kan je dit script ook op Linux draaien.
Meer info: https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-linux?view=powershell-7.2?WT.mc_id=ES-MVP-5002204

Full download zip (versie 2022-04-28)

Om het makkelijk te maken hier is de volledige download van 3 talen in zip formaat.

20220428_BELAC all languagesDownload

English version download zip (version 2022-04-28)

Download the EN version zip docs here:

20220428_BELAC_enDownload

Nederlandstalige download zip (version 2022-04-28)

Download de NL versie zip hier:

20220428_BELAC_nlDownload

Version francophone a télecharger(version 2022-04-28)

Version FR ici:

20220428_BELAC_frDownload

Versie beheer

2022-04-29: Update met BELAC mgmt systeem info

2022-04-28: Originele post

Note-to-self: Quick & full download of #BELAC auditor work files

(Latest update: 29 apr 2022, reference to BELAC Management system)

When working as auditor for BELAC (the Belgian Accreditation Body), you’ll need to use their

  • guidelines
  • procedures
  • legal documents & reference standards
  • instructions
  • assessment reports

These are all (separately) published on the BELAC website under the publications:

The most recent updates can be found here: https://economie.fgov.be/en/themes/quality-and-safety/accreditation-belac/recently-modified-and-new

But there is no option available to download the full set at once.

Information on the BELAC management system can be found here:

(NL) : https://economie.fgov.be/nl/themas/kwaliteit-veiligheid/accreditatie-belac/managementsysteem-van-belac

(FR): https://economie.fgov.be/fr/themes/qualite-securite/accreditation-belac/systeme-de-management-de-belac

(EN): https://economie.fgov.be/en/themes/quality-and-safety/accreditation-belac/management-system-belac

Download the full collection yourself – Powershell

Therefore you can use this Powershell script to get the most recent full collection of BELAC docs.

download BELAC docs.ps1Download

To execute the Powershell script, you need to remove the .txt extension (and leave the .ps1 suffix).

Even if you’re a Linux fan, you can run this script.
More info: https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-linux?view=powershell-7.2?WT.mc_id=ES-MVP-5002204

Full download zip (version 2022-04-28)

To make your life easy, here is the full download of 3 languages in zip.

20220428_BELAC all languagesDownload

English version download zip (version 2022-04-28)

Download the EN version zip docs here:

20220428_BELAC_enDownload

Dutch version download zip (version 2022-04-28)

Download the NL version zip docs here:

20220428_BELAC_nlDownload

French version download zip (version 2022-04-28)

Download the FR version zip docs here:

20220428_BELAC_frDownload

Versioning

2022-04-29: Updated with BELAC mgmt system info

2022-04-28: Original post

Note-to-self: #DPIA for cloud – reference material (focus on #Microsoft cloud)

In interesting set of reference material, that is regularly coming back in data protection, cybersecurity and information security discussions I lately had with peers and colleagues.
May you can use it too…

Feel free to provide some feedback yourself, if you know additional pointers I should add.

You know where to find me.

Change history

2022-04-27 14:00: Added EDPB announcement to references section

Governmental DPIAs

Netherlands

2018-12-06: DPIA on Microsoft Office 2016 & 365

https://iapp.org/news/a/dutch-government-commissioned-dpia-on-microsoft-office-pro-plus/

Direct download of PDF:

Click to access DPIA+Microsoft+Office+2016+and+365+-+20191105.pdf

2022-02-22: DPIA on Microsoft Office 365

https://www.dataguidance.com/news/netherlands-dutch-government-publishes-dpia-microsoft

Press release by Dutch Government:

2022-02-21 https://www.rijksoverheid.nl/documenten/publicaties/2022/02/21/public-dpia-teams-onedrive-sharepoint-and-azure-ad

Publication of DPIA by Dutch Government

2022-02-21 : https://www.rijksoverheid.nl/documenten/publicaties/2022/02/21/public-dpia-teams-onedrive-sharepoint-and-azure-ad

Source: Beltug news https://www.beltug.be/news/7430/Dutch_government_publishes_DPIA_and_DTIA_for_Microsoft/

2022-02: The Dutch Ministry of Justice and Security requested an analysis of US legislation in relation to the GDPR and Schrems II by GreenburgTraurig.

Switzerland

In a recent article (In French) by ICT journal, the Canton of Zurich published a

https://www.ictjournal.ch/articles/2022-04-26/comment-le-canton-de-zurich-a-estime-le-risque-de-passer-sur-le-cloud-de

Research

Researchgate

Data Protection Impact Assessment (DPIA) for Cloud-Based Health Organizations

https://www.researchgate.net/publication/349882283_Data_Protection_Impact_Assessment_DPIA_for_Cloud-Based_Health_Organizations

Guidelines

CNIL

https://www.cnil.fr/en/tag/Privacy+Impact+Assessment+(PIA)

https://www.cnil.fr/en/guidelines-dpia

IAPP

https://iapp.org/news/a/guidance-for-a-cloud-migration-privacy-impact-assessment/

Templates

IAPP

https://iapp.org/resources/article/transfer-impact-assessment-templates/

Referring to:

IAPP Templates

Supplier references

Microsoft

Data Protection Impact Assessment for the GDPR

2021-11-17: https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-data-protection-impact-assessments

Data Protection Impact Assessments: Guidance for Data Controllers Using Microsoft Professional Services

Part 1: Determining whether a DPIA is needed

https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-dpia-prof-services?view=o365-worldwide#part-1–determining-whether-a-dpia-is-needed

Part 2: Contents of a DPIA

https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-dpia-prof-services?view=o365-worldwide#part-2-contents-of-a-dpia

Download Customizable DPIA document

https://www.microsoft.com/en-us/download/details.aspx?id=102398

(more to come, this article will be updated with additional references when necessary)

Other relevant references

EDPB (European Data Protection Board)

Launch of coordinated enforcement on use of cloud by public sector

https://edpb.europa.eu/news/news/2022/launch-coordinated-enforcement-use-cloud-public-sector_en

Note-to-self: free download of interesting guides for SME from DigitalSME.eu

Jean-Luc Allard pointed out to a #free#download of interesting guides for #SME on implementing the #informationsecurity basics we all need:

Freshly published: Essential controls for SMEs to protect user’s #privacy and data and ensure #GDPR compliance (based on new #ISO27002)
https://lnkd.in/epridtnY

Direct download of PDF: https://lnkd.in/en8rVMBY

And also: The #ISO27001 standard made easy for SMEs:
https://lnkd.in/eiaBbdmp
Direct PDF access: https://lnkd.in/eFR2yjp

And there is more on the website of European DIGITAL SME Alliance (website: https://www.digitalsme.eu/)

#smebusiness#smesupport#smallbusiness

Data Compliance: Get it right the first time

Below is a short overview of the #Hexnode webinar, presented 2022-04-07 about data compliance.

The webinar recording is published at the Hexnode website (and embedded below).
And the PDF version of the slide deck is published in full color and B/W print version on Slideshare, see links below.

PPT version available on request (send me a DM on LinkedIN).

Data is the new oil…

Whatever business you run…

.. it won’t run without data:

  • Business data
  • Management data
  • HR data
  • Technical data
  • Network data
  • Personal data (PII)
  • Communications
  • Mail data 
  • Financial data
  • Operational data
  • Intelligence
  • Intellectual Property (IP)
  • Ideas

Other businesses want your data as well…

There is a massive growth of digital business:

  • Direct marketing
  • Data brokers
  • Data Intelligence
  • Data analytics
  • Big data
  • Artificial intelligence
  • Machine learning
  • Health care, research & development

But also… the dark side wants your data.

And your data in the wrong hands.. is explosive.

Current state of crime

Company and user data, and personal data is an important target and leverage in cybercrime lik

  • Phishing
  • Ransomware
    • not only encryption
    • data leak extortion
  • Reconnaissance & Hacking
  • Data breaches 
  • Biometric data
  • Digital & Economical war

Now the question is… How do YOU get in control?

You can’t simply lock up your data… because data needs to flow. (You want to use it…)

Data management essentials to get grip

Ask yourself: how much €$ can you spend to protect your data? To answer that question, you’ll need to get grip of some basic data management principles, in relation to security:

  1. You can only protect what you know you have
  2. Without an owner there is no protection
  3. Nothing is stable, everything has a lifecycle
Data lifecycle

Data lifecycle

The start of the cycle is mostly

  • short,
  • easy to manage,
  • low security risk. (if the creation fails… you have no data to keep under control)

The end of the cycle is mostly

  • long, (there are various reasons why you need to keep the data for a while, eg in archive before you dispose of it..)
  • difficult to manage (if the process fails, it’s difficult to track or keep under control)
  • high security risk. (risk of losing ownership, risk of leakages, …)

What is risk?

Assets have

Vulnerabilities (weaknesses/properties) 

that can be exploited by 

Threats (activities)

with impact ($$ cost).

You need to balance the protection against the impact. You don’t want to over-spend or under-protect.

Your boss (or insurance, of CFO ) needs a budget, spreading cost over a year, or 2..3..4..5.

[Risk management is calculating impact over the rate of occurrence/frequency…]

How to get started

Know the external context

  • International regulations (GDPR, …)
  • National regulations (SOC, …)
  • Sector regulations (PCI-DSS, ..)
  • Contractual obligations
  • Enterprise vs PII/personal data requirements

Know the internal context

  • Know your business (what)
  • Know your organization (organigram)
  • Make an inventory of processes and interfaces
  • Assign business ownership
    • For each process
    • For each asset

Know the processes

  • Know the data flow 
  • Know your sources (IN)
  • Know the data processing
  • Know your receivers (OUT)

Know the data in the processes

  • Categorize your data – data types
    • Enterprise data
    • PII / Personal data (GDPR !)
    • Other ?

Categorization (define data classes)

  • Sensitivity = linked to business impact
  • Ask the owner : “What if data is …”
    • unavailable, 
    • changed,
    • destroyed,
    • leaked,
    • accessed unauthorized, illegally, unlawfully,
  • Categorize your data sensitivity
    • Enterprise data, for example
    • Unclassified, Official, Restricted, Confidential, Secret, Top Secret (NATO) 
    • Public, Company internal, Confidential, Strictly confidential  
    • TLP RED, TLP Amber, TLB Green, TLP White (public)

Classification (apply the labels)

  • Responsibility of owner
  • Label all data
  • Label containers if you can’t label the data
    • Folder or File share
    • Database
    • mailbox 
    •  …

Mind the lifecycle

  • Get started
  • Keep going
  • Start over again
  • Think about security when
    • creating new processes
    • changing processes
    • removing processes
    • recheck on a regular schedule (even when nothing changes)

Mind the business and legal requirements

  • Accountability & Responsibility 
  • Reporting & audit requirements (SOC I-II, …)
  • Incident management requirements
  • Data breach requirements (GDPR)
  • Subject rights 

Consequences of data management failure

  • Financial loss
  • Business loss
  • Reputation loss 
  • Contract SLA violation
  • Regulatory violations
  • Fines
  • Prosecution
  • Personal accountability

Think about

  • Direct and indirect impact
  • Short term and long term impact
  • How long can you survive a total breakdown?

TAKEAWAYS

  • Manage enterprise data like personal data
  • Keep the categories simple (<7)
  • 3 TLP (RedAmberGreen) + 2 categories (public + highly critical)
  • Define and maintain ownership
  • Involve everyone
  • Evangelize internal & external stakeholders (incl. customers…)
  • Lead by example

Use business best practices

  • Use standards and frameworks
  • ISO (international)
  • NIST (US)
  • ENISA (EU)
  • COBIT (ISACA)

Classification and labeling

  • Force labeling
  • Aim to classify everything
  • Start with new data first
  • Update labels when you change documents
  • Set a default label for archived data that doesn’t change
  • DO NOT set “public” as default

Think about the support processes

  • Incident management (ISO 27035 & NIST)
  • Data breach management (GDPR & other …)
  • Business continuity (ISO22301)
  • Disaster recovery

Questions

How to identify regulations you should follow?

  • know and analyse the services you’re offering,
  • where is your data stored?
  • what kind of data you have (enterprise data, personal data, financial, …)
  • identify the local, national, regional, international regulations of sector legislations that apply to your business (check partners/competition, sector representatives, …)

Is there difference in regulation for small or large business?

  • very limited impact of size of company…
  • very likely some impact on financial and tax reporting,
  • some legislation only apply in large scale operations (eg GDPR only requires a DPO for certain type of operations, …)

Best place to start for SME/SMB?

Webinar recording by Hexnode

Hexnode webinar
https://www.hexnode.com/events/webinars/data-compliance-get-it-right-the-first-time/

Presentations

Full color

Black/White print

Note-to-self: PCI-DSS update 4 published

The #pcidss standard has been updated to v4, free to download.

Very handy and useful guidance, linked to #ISO27001, and also useful outside the payment card industry…

Full information page – PCI-DSS Resource hub

https://blog.pcisecuritystandards.org/pci-dss-v4-0-resource-hub

PCI-DSS document library

https://www.pcisecuritystandards.org/document_library

Direct download of the #pcidssv4 pdf:

https://www.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf

#ICYMI, check these online fully accessible + freely downloadable ISO standards, relevant for information security, privacy & data protection

#ICYMI, In case you missed it.

Online freely accessible ISO standards

In the midst of the #COVID19 corona pandemic, the ISO (International Organization for Standardization) has unlocked free reading access to a bunch of relevant standards, including

  • ISO 22301:2019, Security and resilience – Business continuity management systems –Requirements
  • ISO 22316:2017, Security and resilience – Organizational resilience – Principles and attributes
  • ISO 22320:2018, Security and resilience – Emergency management – Guidelines for incident management
  • ISO 31000:2018, Risk management – Guidelines
  • ISO 13485:2016, Medical devices — Quality management systems – Requirements for regulatory purposes

The general access page with all online, fully accessible standards can be found here: https://www.iso.org/covid19.

Important note:

  • these standards are available online, but not downloadable (for legitimate downloads you need to purchase your copy in the ISO shop or with your national standards organisation)
  • there is no guarantee for continued free access once the Covid pandemic is over, if ever. That’s the sole discretion of the ISO, of course.

Freely downloadable ISO standards

Next to the (temporary) free online access, there is also a set of standards you can download for free, no payment required.
See here: https://standards.iso.org/ittf/PubliclyAvailableStandards/

Short url to bookmark: https://ffwd2.me/FreeISO.

Check the interesting ISO standards (from the information security point of view) below

ISO27000 (Information security)

The ISO27001 vocabulary

ISO/IEC 27000:2018
EN – FR		5thInformation technology — Security techniques — Information security management systems — Overview and vocabularyISO/IEC JTC 1/SC 27

Privacy Framework (ISO29100)

ISO/IEC 29100:2011
EN – FR		1stInformation technology — Security techniques — Privacy frameworkISO/IEC JTC 1/SC 27

Cloud Computing Reference architecture

SO/IEC 17788:2014
EN		1stInformation technology — Cloud computing — Overview and vocabularyISO/IEC JTC 1/SC 38
ISO/IEC 17789:2014
EN		1stInformation technology — Cloud computing — Reference architectureISO/IEC JTC 1/SC 38

Cloud computing vocabulary

ISO/IEC 22123-1:2021
EN		1stInformation technology — Cloud computing — Part 1: VocabularyISO/IEC JTC 1/SC 38

Cloud computing policy development

ISO/IEC TR 22678:2019
EN		1stInformation technology — Cloud computing — Guidance for policy developmentISO/IEC JTC 1/SC 38

Cloud Computing SLAs

ISO/IEC 19086-1:2016
EN		1stInformation technology — Cloud computing — Service level agreement (SLA) framework — Part 1: Overview and conceptsISO/IEC JTC 1/SC 38
ISO/IEC 19086-2:2018
EN		1stCloud computing — Service level agreement (SLA) framework — Part 2: Metric modelISO/IEC JTC 1/SC 38

Common Criteria (ISO 15408)

ISO/IEC 15408-1:2009
EN – FR		3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general modelISO/IEC JTC 1/SC 27
ISO/IEC 15408-2:2008
EN – FR		3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional componentsISO/IEC JTC 1/SC 27
ISO/IEC 15408-3:2008
EN – FR		3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance componentsISO/IEC JTC 1/SC 27

Identity management

ISO/IEC 24760-1:2019
EN – FR		2ndIT Security and Privacy — A framework for identity management — Part 1: Terminology and conceptsISO/IEC JTC 1/SC 27

Cadeautje! #MinistryofPrivacy Magazine n°3 – data brokers kweken nog steeds ongemerkt uw persoonlijke data

Afgelopen week werd het 3e nummer van het #MinistryofPrivacy gepubliceerd.

De nieuwe editie pakt opnieuw uit met interessante bijdragen van Ruben De Smet (met co-auteurs Thibaut Vandervelden, Kris Steenhaut en An Braeken), Koen Vervloesem, Arthur Zeeuw, Olivier Sustronck, Arno Jansen, Liesbet Demasure en mezelf.

In totaal 36 pagina’s artikels met volgende onderwerpen:

  • Voorwoord door Matthias Dobbelaere-Welvaert
  • End-to-end encryptie is niet het einde – Ruben De Smet
  • De Tandeloze Identiteit – Arthur Zeeuw
  • Hoe GDPR-conform is ‘The Squid Game’? – Olivier Sustronck
  • Voorstelling board member: Redona Ukshinaj
  • Pegasus in Europa. Een blijver? – Arno Jansen
  • Kort privacynieuws
  • GDPR killed the direct-marketing star- Peter Geelen
  • “Datamacht en tegenkracht” – Koen Vervloesem
  • Voorstelling board member: William Leemans
  • 2022, het jaar van cybersecurity. Niet? – Liesbet Demasure

Het magazine sluit af met een echte gloednieuwe cartoon van privacymakker Lectrr!

Leden kunnen het 3e nummer van het #MinistryofPrivacy lezen en ook downloaden.

Mijn artikel mag ik je alvast cadeau doen… download link onderaan dit artikel.

Korte samenvatting van m’n artikel

  • Bedrijfsdata, persoonlijke data of niet-persoonlijke data?
  • Wat is direct marketing?
  • Wat zijn data brokers?
  • Wat is het nadeel van het gebruik van onpersoonlijke bedrijfsdata voor data brokers?
  • Wat wordt er eigenlijk verwacht van een verwerkingsverantwoordelijke als ze persoonlijke data verzamelen?
  • En wat doen data brokers en direct marketing bedrijven in de praktijk?
  • Waarom is dat belangrijk voor jou?
  • Nog even wat praktische bedenkingen…
  • Wat kan (of moet) je nu zelf aan doen om misbruik tegen te gaan?

Referenties

Meer info over misbruik van KBO data voor direct marketing

Hoe zit dat met data brokers, direct marketing en KBO? Is dat legaal? En is dat nu GDPR of niet? Hoe aanpakken?

Download van m’n Ministry of Privacy artikel

Je kan m’n artikel alvast hier downloaden in PDF formaat om ‘t offline te lezen:

Click to access mopmag_nr3_petergeelen.pdf

MoP Magazine nr 3 – Artikel Peter Geelen

MOPMAG_nr3_PETERGEELENDownload

Note-to-self: SOC2 mapping to ISO27001

Just in case you get into SOC2 and want to know how to map it to existing information security implementation, whatever it may be, GDPR, ISO27001, NIST, … check this page

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/mappingsrelevanttothesocsuiteofservices.html

It includes:

These links have nice XLS format sheets, with a bidirectional comparison between the frameworks.

Info on SOC1/SOC2/SOC3

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

SOC and SOX?

 SOC reports refer to an audit of internal controls to ensure data security, minimal waste, and shareholder confidence; SOX relates to government-issued record keeping and financial information disclosure standards law. In other words, one is about keeping information safe, and the other is about keeping corporations in check.

https://immedis.com/blog/what-are-the-key-differences-between-soc-and-sox/

https://www.logicgate.com/blog/a-comparison-of-soc-and-sox-compliance/

Also

https://linfordco.com/blog/soc-2-security-vs-iso-27001-certification/

(braindump article, still in progress)