Note-to-self

Note-to-self: Quick & full download of #BELAC auditor work files

(Latest update: 29 apr 2022, reference to BELAC Management system)

When working as auditor for BELAC (the Belgian Accreditation Body), you’ll need to use their

  • guidelines
  • procedures
  • legal documents & reference standards
  • instructions
  • assessment reports

These are all (separately) published on the BELAC website under the publications:

The most recent updates can be found here: https://economie.fgov.be/en/themes/quality-and-safety/accreditation-belac/recently-modified-and-new

But there is no option available to download the full set at once.

Information on the BELAC management system can be found here:

(NL) : https://economie.fgov.be/nl/themas/kwaliteit-veiligheid/accreditatie-belac/managementsysteem-van-belac

(FR): https://economie.fgov.be/fr/themes/qualite-securite/accreditation-belac/systeme-de-management-de-belac

(EN): https://economie.fgov.be/en/themes/quality-and-safety/accreditation-belac/management-system-belac

Download the full collection yourself – Powershell

Therefore you can use this Powershell script to get the most recent full collection of BELAC docs.

To execute the Powershell script, you need to remove the .txt extension (and leave the .ps1 suffix).

Even if you’re a Linux fan, you can run this script.
More info: https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-linux?view=powershell-7.2?WT.mc_id=ES-MVP-5002204

Full download zip (version 2022-04-28)

To make your life easy, here is the full download of 3 languages in zip.

English version download zip (version 2022-04-28)

Download the EN version zip docs here:

Dutch version download zip (version 2022-04-28)

Download the NL version zip docs here:

French version download zip (version 2022-04-28)

Download the FR version zip docs here:

Versioning

2022-04-29: Updated with BELAC mgmt system info

2022-04-28: Original post

Note-to-self: #DPIA for cloud – reference material (focus on #Microsoft cloud)

In interesting set of reference material, that is regularly coming back in data protection, cybersecurity and information security discussions I lately had with peers and colleagues.
May you can use it too…

Feel free to provide some feedback yourself, if you know additional pointers I should add.

You know where to find me.

Change history

2022-04-27 14:00: Added EDPB announcement to references section

Governmental DPIAs

Netherlands

2018-12-06: DPIA on Microsoft Office 2016 & 365

https://iapp.org/news/a/dutch-government-commissioned-dpia-on-microsoft-office-pro-plus/

Direct download of PDF:

2022-02-22: DPIA on Microsoft Office 365

https://www.dataguidance.com/news/netherlands-dutch-government-publishes-dpia-microsoft

Press release by Dutch Government:

2022-02-21 https://www.rijksoverheid.nl/documenten/publicaties/2022/02/21/public-dpia-teams-onedrive-sharepoint-and-azure-ad

Publication of DPIA by Dutch Government

2022-02-21 : https://www.rijksoverheid.nl/documenten/publicaties/2022/02/21/public-dpia-teams-onedrive-sharepoint-and-azure-ad

Source: Beltug news https://www.beltug.be/news/7430/Dutch_government_publishes_DPIA_and_DTIA_for_Microsoft/

2022-02: The Dutch Ministry of Justice and Security requested an analysis of US legislation in relation to the GDPR and Schrems II by GreenburgTraurig.

Switzerland

In a recent article (In French) by ICT journal, the Canton of Zurich published a

https://www.ictjournal.ch/articles/2022-04-26/comment-le-canton-de-zurich-a-estime-le-risque-de-passer-sur-le-cloud-de

Research

Researchgate

Data Protection Impact Assessment (DPIA) for Cloud-Based Health Organizations

https://www.researchgate.net/publication/349882283_Data_Protection_Impact_Assessment_DPIA_for_Cloud-Based_Health_Organizations

Guidelines

CNIL

https://www.cnil.fr/en/tag/Privacy+Impact+Assessment+(PIA)

https://www.cnil.fr/en/guidelines-dpia

IAPP

https://iapp.org/news/a/guidance-for-a-cloud-migration-privacy-impact-assessment/

Templates

IAPP

https://iapp.org/resources/article/transfer-impact-assessment-templates/

Referring to:

IAPP Templates

Supplier references

Microsoft

Data Protection Impact Assessment for the GDPR

2021-11-17: https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-data-protection-impact-assessments

Data Protection Impact Assessments: Guidance for Data Controllers Using Microsoft Professional Services

Part 1: Determining whether a DPIA is needed

https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-dpia-prof-services?view=o365-worldwide#part-1–determining-whether-a-dpia-is-needed

Part 2: Contents of a DPIA

https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-dpia-prof-services?view=o365-worldwide#part-2-contents-of-a-dpia

Download Customizable DPIA document

https://www.microsoft.com/en-us/download/details.aspx?id=102398

(more to come, this article will be updated with additional references when necessary)

Other relevant references

EDPB (European Data Protection Board)

Launch of coordinated enforcement on use of cloud by public sector

https://edpb.europa.eu/news/news/2022/launch-coordinated-enforcement-use-cloud-public-sector_en

Note-to-self: free download of interesting guides for SME from DigitalSME.eu

Jean-Luc Allard pointed out to a #free#download of interesting guides for #SME on implementing the #informationsecurity basics we all need:

Freshly published: Essential controls for SMEs to protect user’s #privacy and data and ensure #GDPR compliance (based on new #ISO27002)
https://lnkd.in/epridtnY

Direct download of PDF: https://lnkd.in/en8rVMBY

And also: The #ISO27001 standard made easy for SMEs:
https://lnkd.in/eiaBbdmp
Direct PDF access: https://lnkd.in/eFR2yjp

And there is more on the website of European DIGITAL SME Alliance (website: https://www.digitalsme.eu/)

#smebusiness#smesupport#smallbusiness

Note-to-self: PCI-DSS update 4 published

The #pcidss standard has been updated to v4, free to download.

Very handy and useful guidance, linked to #ISO27001, and also useful outside the payment card industry…

Full information page – PCI-DSS Resource hub

https://blog.pcisecuritystandards.org/pci-dss-v4-0-resource-hub

PCI-DSS document library

https://www.pcisecuritystandards.org/document_library

Direct download of the #pcidssv4 pdf:

https://www.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf

#ICYMI, check these online fully accessible + freely downloadable ISO standards, relevant for information security, privacy & data protection

#ICYMI, In case you missed it.

Online freely accessible ISO standards

In the midst of the #COVID19 corona pandemic, the ISO (International Organization for Standardization) has unlocked free reading access to a bunch of relevant standards, including

  • ISO 22301:2019, Security and resilience – Business continuity management systems –Requirements
  • ISO 22316:2017, Security and resilience – Organizational resilience – Principles and attributes
  • ISO 22320:2018, Security and resilience – Emergency management – Guidelines for incident management
  • ISO 31000:2018, Risk management – Guidelines
  • ISO 13485:2016, Medical devices — Quality management systems – Requirements for regulatory purposes

The general access page with all online, fully accessible standards can be found here: https://www.iso.org/covid19.

Important note:

  • these standards are available online, but not downloadable (for legitimate downloads you need to purchase your copy in the ISO shop or with your national standards organisation)
  • there is no guarantee for continued free access once the Covid pandemic is over, if ever. That’s the sole discretion of the ISO, of course.

Freely downloadable ISO standards

Next to the (temporary) free online access, there is also a set of standards you can download for free, no payment required.
See here: https://standards.iso.org/ittf/PubliclyAvailableStandards/

Short url to bookmark: https://ffwd2.me/FreeISO.

Check the interesting ISO standards (from the information security point of view) below

ISO27000 (Information security)

The ISO27001 vocabulary

ISO/IEC 27000:2018
EN – FR
5thInformation technology — Security techniques — Information security management systems — Overview and vocabularyISO/IEC JTC 1/SC 27

Privacy Framework (ISO29100)

ISO/IEC 29100:2011
EN – FR
1stInformation technology — Security techniques — Privacy frameworkISO/IEC JTC 1/SC 27

Cloud Computing Reference architecture

SO/IEC 17788:2014
EN
1stInformation technology — Cloud computing — Overview and vocabularyISO/IEC JTC 1/SC 38
ISO/IEC 17789:2014
EN
1stInformation technology — Cloud computing — Reference architectureISO/IEC JTC 1/SC 38

Cloud computing vocabulary

ISO/IEC 22123-1:2021
EN
1stInformation technology — Cloud computing — Part 1: VocabularyISO/IEC JTC 1/SC 38

Cloud computing policy development

ISO/IEC TR 22678:2019
EN
1stInformation technology — Cloud computing — Guidance for policy developmentISO/IEC JTC 1/SC 38

Cloud Computing SLAs

ISO/IEC 19086-1:2016
EN
1stInformation technology — Cloud computing — Service level agreement (SLA) framework — Part 1: Overview and conceptsISO/IEC JTC 1/SC 38
ISO/IEC 19086-2:2018
EN
1stCloud computing — Service level agreement (SLA) framework — Part 2: Metric modelISO/IEC JTC 1/SC 38

Common Criteria (ISO 15408)

ISO/IEC 15408-1:2009
EN – FR
3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general modelISO/IEC JTC 1/SC 27
ISO/IEC 15408-2:2008
EN – FR
3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional componentsISO/IEC JTC 1/SC 27
ISO/IEC 15408-3:2008
EN – FR
3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance componentsISO/IEC JTC 1/SC 27

Identity management

ISO/IEC 24760-1:2019
EN – FR
2ndIT Security and Privacy — A framework for identity management — Part 1: Terminology and conceptsISO/IEC JTC 1/SC 27
Image by mohamed Hassan from Pixabay

Note-to-self: KopieID (to blur your ID card fotocopy)

Source:

As explained here (in Dutch) and here (Dutch), it’s a terrible ID (sorry, idea), to copy your identity card and hand over the unprotected copy to someone….

Therefore it’s highly interesting to protect the photocopy against abuse, in the ultimate case you need a photocopy of your identity card…

KopieID NL

In the Netherlands the government has provided an app for your mobile phone, to take a photo of your ID and then blur the redundant information and to add a remark / watermark to indicate the purpose limitation.

Check it out here:

They also provide an interesting video explanation:

KopieID BE

In Belgium, there is a website (without app) that does the same, see here:

References

Source articles:

Reference material from the articles:

Picture credits: Image by mohamed Hassan from Pixabay 

Image source: https://pixabay.com/illustrations/hack-fraud-card-code-computer-3671982/

Note-to-Self: workaround for bcc (blind copy) of meeting requests in Outlook


This article has also been posted on Microsoft Wiki, feel free to add suggestions and extra information.

Outlook Quick Tip: workaround for bcc (blind copy) of meeting requests

Issue

For meeting requests in Microsoft Outlook, the program does not have a bcc (aka Blind copy) option to add participants to a meeting, without publishing all personal data (mail addresses) to the other participants. 

Microsoft is aware of the issue, but hasn’t fixed the option yet.

Still you can request to have this option or request this function in Outlook, via Windows Feedback hub (hit the W10 Windows button, and type feedback) of via Microsoft Tech Community or Microsoft Q&A.

Visibility of participants to other participants

When you add participants to the “Required” or “Optional” section, they can see each others mail addresses. For smaller groups of people, that probably know each other, it’s not a big thing.

But for public events, this might be an issue. And certainly for large groups of participants, this is an overload of information.

And additionally, it might be considered as an inconvenience (or even a data breach) to publish data of other participants in a large group.

Limiting visibility to other participants

For matters of data protection it would be very handy to send the invite to the participants without exposing too much data.

Work around

As the bcc: option is missing, you can add people to the “Resources” option.

Steps

Create a new meeting request.

In the meeting options select, the “Required” or “Optional” button.

Then in the resources option, add the contacts or mail addresses of the participants.

Then add the required information to the invite, including online meeting options (Teams, …) and send the mail.

Alternative option : using iCAL file option via mail

Another option is

  1.  to create an meeting in your agenda,
  2. add the required meeting details (including teams invite)
  3. Save the meeting as iCAL file
  4. Create a mail,
    1. add the iCAL file
    2. add the the participants in bbc

References

More information can be found in these articles:

Resource option

Reddit

iCAL Option

Slipstick

RocketIT


Note-to-self: 2020 IDG Security priorities study

Source: https://f.hubspotusercontent40.net/hubfs/1624046/2020_Security%20Priorities%20Executive%20Summary_final.pdf

End 2020 IDG published a study on Security priorities, and it provides important guidelines to the priorities of securing yourself and your company

  1. Protection of confidential and sensitive data
  2. End-user awareness
  3. Corporate resilience
  4. Enhance access control
  5. Understand external threats
  6. Application security
  7. Plan for unexpected risks

This pretty much confirms that your customers, stakeholder’s and staff interest in protecting personal data is driving security from business perspective.

If you see the increase of cyberattacks and ransomware hitting the business, it’s pretty obvious that Business Continuity Management and Disaster recovery must be on top of your priority list.
You need to have a tested plan against successful cyberattacks and ransomware, to avoid extended business damage and massive (ransom) costs … afterwards.

To put a plan together, you need to understand who is your adversary and what the current state of cybersecurity is.
And this study is a simple but smart guide to define your priorities.

The better you prepare, the less it will cost.
But you’ll only be able to tell when it goes wrong.

Don’t get caught by surprise, be ready.

Note-to-self: Crowdstrike has published their 2021 Global Threat report

Crowdstrike has published their 2021 Global Threat report.

It’s always an interesting reference to see what the world in cybersecurity is about, certainly with the turbulent pandemic year.

They look at:

  • cybersecurity during COVID19
  • cybersecurity in health care
  • significant political, state based attacks
  • evolution of ransomware

And no one has to tell you, we’ve not seen the end yet.

Hang in, get ready, protect yourself for more bad stuff to come.

Keep patching your systems, all of them, all the time.

And by the way, don’t ay with your personal data for the download. Direct download is available at:

Note-to-self: #ZeroTrust #maturity model assessment by #Microsoft

Have you ever assessed the maturity of #cybersecurity implementation?

The #ZeroTrust #maturity model assessment by #Microsoft provides you with great insights, where to start or which part of your security needs improvement.

Easy to use, easy to understand, great results and great guidance.

You can find the assessment tool here:

https://www.microsoft.com/en-us/security/business/zero-trust/maturity-model-assessment-tool

And if you need more info, then bookmark this Zero Trust resources page: https://www.microsoft.com/security/blog/2021/05/24/resources-for-accelerating-your-zero-trust-journey