Note-to-self: CIS Software Supply Chain security guide

CIS (Center for Internet Security) has published an interesting guide on software supply chain security.

Even if you do not build software on your own, it still is useful to to pick the relevant security measures/controls as part of your information security management to protect yourself and your enterprise.

As we all learned from the log4j issue which impacted many generally used platforms, it has become very clear that you need to look beyond the first level of control (your own)…

It’s critical to manage 2nd (your suppliers) and even third level (suppliers of suppliers)

Highlights

In high level overview, the document discusses:

1. Source code
   • Code changes
   • Repository management
   • Contribution access
   • Third party
   • Code risks
2. Build pipelines
   • Build environment
   • Build worker
   • Pipeline instructions
3. Dependencies
   1. Third party packages
   2. Validate packages
4. Artifacts
   • Verification
   • Access to artifacts
   • Package registries
   • Origin traceability
5. Deployment
   • Deployment configuration
   • Deployment environment

Supply chain guide access (need to register on CIS)

https://workbench.cisecurity.org/files/3972 (login needed, but it’s non-commercial, limited data protection risk)

More info:

• Original post by Troels Oerting on LinkedIn: https://www.linkedin.com/feed/update/urn:li:activity:6945661110029045760/
• https://venturebeat-com.cdn.ampproject.org/c/s/venturebeat.com/2022/06/22/software-supply-chain-security/amp/

Extra references

Software impacted by Log4j, see the NCSC Github / Software inventory: https://github.com/NCSC-NL/log4shell/tree/main/software

(if necessary this post will be updated with more interesting material, when applicable)

Note-to-self: Quick & full download of #BELAC auditor work files

(Latest update: 29 apr 2022, reference to BELAC Management system)

When working as auditor for BELAC (the Belgian Accreditation Body), you’ll need to use their

• guidelines
• procedures
• legal documents & reference standards
• instructions
• assessment reports
• …

These are all (separately) published on the BELAC website under the publications:

• Dutch: https://economie.fgov.be/nl/publicaties?fulltext=%22Reeks+BELAC%22&sort_by=title
• French: https://economie.fgov.be/fr/publications?fulltext=%22S%C3%A9rie+BELAC%22&sort_by=title
• English: https://economie.fgov.be/en/publications?fulltext=%22Series%20BELAC%22&sort_by=title
• (not in German)

The most recent updates can be found here: https://economie.fgov.be/en/themes/quality-and-safety/accreditation-belac/recently-modified-and-new

But there is no option available to download the full set at once.

Information on the BELAC management system can be found here:

(NL) : https://economie.fgov.be/nl/themas/kwaliteit-veiligheid/accreditatie-belac/managementsysteem-van-belac

(FR): https://economie.fgov.be/fr/themes/qualite-securite/accreditation-belac/systeme-de-management-de-belac

(EN): https://economie.fgov.be/en/themes/quality-and-safety/accreditation-belac/management-system-belac

Download the full collection yourself – Powershell

Therefore you can use this Powershell script to get the most recent full collection of BELAC docs.

download BELAC docs.ps1Download

To execute the Powershell script, you need to remove the .txt extension (and leave the .ps1 suffix).

Even if you’re a Linux fan, you can run this script.
More info: https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-linux?view=powershell-7.2?WT.mc_id=ES-MVP-5002204

Full download zip (version 2022-04-28)

To make your life easy, here is the full download of 3 languages in zip.

20220428_BELAC all languagesDownload

English version download zip (version 2022-04-28)

Download the EN version zip docs here:

20220428_BELAC_enDownload

Dutch version download zip (version 2022-04-28)

Download the NL version zip docs here:

20220428_BELAC_nlDownload

French version download zip (version 2022-04-28)

Download the FR version zip docs here:

20220428_BELAC_frDownload

Versioning

2022-04-29: Updated with BELAC mgmt system info

2022-04-28: Original post

Note-to-self: #DPIA for cloud – reference material (focus on #Microsoft cloud)

In interesting set of reference material, that is regularly coming back in data protection, cybersecurity and information security discussions I lately had with peers and colleagues.
May you can use it too…

Feel free to provide some feedback yourself, if you know additional pointers I should add.

You know where to find me.

Change history

2022-04-27 14:00: Added EDPB announcement to references section

Governmental DPIAs

Netherlands

2018-12-06: DPIA on Microsoft Office 2016 & 365

https://iapp.org/news/a/dutch-government-commissioned-dpia-on-microsoft-office-pro-plus/

Direct download of PDF:

Click to access DPIA+Microsoft+Office+2016+and+365+-+20191105.pdf

2022-02-22: DPIA on Microsoft Office 365

https://www.dataguidance.com/news/netherlands-dutch-government-publishes-dpia-microsoft

Press release by Dutch Government:

2022-02-21 https://www.rijksoverheid.nl/documenten/publicaties/2022/02/21/public-dpia-teams-onedrive-sharepoint-and-azure-ad

Publication of DPIA by Dutch Government

2022-02-21 : https://www.rijksoverheid.nl/documenten/publicaties/2022/02/21/public-dpia-teams-onedrive-sharepoint-and-azure-ad

Source: Beltug news https://www.beltug.be/news/7430/Dutch_government_publishes_DPIA_and_DTIA_for_Microsoft/

2022-02: The Dutch Ministry of Justice and Security requested an analysis of US legislation in relation to the GDPR and Schrems II by GreenburgTraurig.

Switzerland

In a recent article (In French) by ICT journal, the Canton of Zurich published a

https://www.ictjournal.ch/articles/2022-04-26/comment-le-canton-de-zurich-a-estime-le-risque-de-passer-sur-le-cloud-de

Research

Researchgate

Data Protection Impact Assessment (DPIA) for Cloud-Based Health Organizations

https://www.researchgate.net/publication/349882283_Data_Protection_Impact_Assessment_DPIA_for_Cloud-Based_Health_Organizations

Guidelines

CNIL

https://www.cnil.fr/en/tag/Privacy+Impact+Assessment+(PIA)

https://www.cnil.fr/en/guidelines-dpia

IAPP

https://iapp.org/news/a/guidance-for-a-cloud-migration-privacy-impact-assessment/

Templates

IAPP

https://iapp.org/resources/article/transfer-impact-assessment-templates/

Referring to:

IAPP Templates

• Cloud Computing: Risk Assessment of Lawful Access By Foreign Authorities
• EU SCC Transfer Impact Assessment (TIA)

Supplier references

Microsoft

Data Protection Impact Assessment for the GDPR

2021-11-17: https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-data-protection-impact-assessments

Data Protection Impact Assessments: Guidance for Data Controllers Using Microsoft Professional Services

Part 1: Determining whether a DPIA is needed

https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-dpia-prof-services?view=o365-worldwide#part-1–determining-whether-a-dpia-is-needed

Part 2: Contents of a DPIA

https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-dpia-prof-services?view=o365-worldwide#part-2-contents-of-a-dpia

Download Customizable DPIA document

https://www.microsoft.com/en-us/download/details.aspx?id=102398

(more to come, this article will be updated with additional references when necessary)

Other relevant references

EDPB (European Data Protection Board)

Launch of coordinated enforcement on use of cloud by public sector

https://edpb.europa.eu/news/news/2022/launch-coordinated-enforcement-use-cloud-public-sector_en

Note-to-self: free download of interesting guides for SME from DigitalSME.eu

Jean-Luc Allard pointed out to a #free#download of interesting guides for #SME on implementing the #informationsecurity basics we all need:

Freshly published: Essential controls for SMEs to protect user’s #privacy and data and ensure #GDPR compliance (based on new #ISO27002)
https://lnkd.in/epridtnY

Direct download of PDF: https://lnkd.in/en8rVMBY

And also: The #ISO27001 standard made easy for SMEs:
https://lnkd.in/eiaBbdmp
Direct PDF access: https://lnkd.in/eFR2yjp

And there is more on the website of European DIGITAL SME Alliance (website: https://www.digitalsme.eu/)

#smebusiness#smesupport#smallbusiness

Note-to-self: PCI-DSS update 4 published

The #pcidss standard has been updated to v4, free to download.

Very handy and useful guidance, linked to #ISO27001, and also useful outside the payment card industry…

Full information page – PCI-DSS Resource hub

https://blog.pcisecuritystandards.org/pci-dss-v4-0-resource-hub

PCI-DSS document library

https://www.pcisecuritystandards.org/document_library

Direct download of the #pcidssv4 pdf:

https://www.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf

#ICYMI, check these online fully accessible + freely downloadable ISO standards, relevant for information security, privacy & data protection

#ICYMI, In case you missed it.

Online freely accessible ISO standards

In the midst of the #COVID19 corona pandemic, the ISO (International Organization for Standardization) has unlocked free reading access to a bunch of relevant standards, including

• ISO 22301:2019, Security and resilience – Business continuity management systems –Requirements
• ISO 22316:2017, Security and resilience – Organizational resilience – Principles and attributes
• ISO 22320:2018, Security and resilience – Emergency management – Guidelines for incident management
• ISO 31000:2018, Risk management – Guidelines
• ISO 13485:2016, Medical devices — Quality management systems – Requirements for regulatory purposes

The general access page with all online, fully accessible standards can be found here: https://www.iso.org/covid19.

Important note:

• these standards are available online, but not downloadable (for legitimate downloads you need to purchase your copy in the ISO shop or with your national standards organisation)
• there is no guarantee for continued free access once the Covid pandemic is over, if ever. That’s the sole discretion of the ISO, of course.

Freely downloadable ISO standards

Next to the (temporary) free online access, there is also a set of standards you can download for free, no payment required.
See here: https://standards.iso.org/ittf/PubliclyAvailableStandards/

Short url to bookmark: https://ffwd2.me/FreeISO.

Check the interesting ISO standards (from the information security point of view) below

ISO27000 (Information security)

The ISO27001 vocabulary

ISO/IEC 27000:2018 EN – FR

5th

Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC JTC 1/SC 27

Privacy Framework (ISO29100)

ISO/IEC 29100:2011 EN – FR

1st

Information technology — Security techniques — Privacy framework

ISO/IEC JTC 1/SC 27

Cloud Computing Reference architecture

SO/IEC 17788:2014 EN	1st	Information technology — Cloud computing — Overview and vocabulary	ISO/IEC JTC 1/SC 38
ISO/IEC 17789:2014 EN	1st	Information technology — Cloud computing — Reference architecture	ISO/IEC JTC 1/SC 38

Cloud computing vocabulary

ISO/IEC 22123-1:2021 EN

1st

Information technology — Cloud computing — Part 1: Vocabulary

ISO/IEC JTC 1/SC 38

Cloud computing policy development

ISO/IEC TR 22678:2019 EN

1st

Information technology — Cloud computing — Guidance for policy development

ISO/IEC JTC 1/SC 38

Cloud Computing SLAs

ISO/IEC 19086-1:2016 EN	1st	Information technology — Cloud computing — Service level agreement (SLA) framework — Part 1: Overview and concepts	ISO/IEC JTC 1/SC 38
ISO/IEC 19086-2:2018 EN	1st	Cloud computing — Service level agreement (SLA) framework — Part 2: Metric model	ISO/IEC JTC 1/SC 38

Common Criteria (ISO 15408)

ISO/IEC 15408-1:2009 EN – FR	3rd	Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model	ISO/IEC JTC 1/SC 27
ISO/IEC 15408-2:2008 EN – FR	3rd	Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional components	ISO/IEC JTC 1/SC 27
ISO/IEC 15408-3:2008 EN – FR	3rd	Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance components	ISO/IEC JTC 1/SC 27

Identity management

ISO/IEC 24760-1:2019 EN – FR

2nd

IT Security and Privacy — A framework for identity management — Part 1: Terminology and concepts

ISO/IEC JTC 1/SC 27

Note-to-self: KopieID (to blur your ID card fotocopy)

Source:

• Netherlands: https://www.rijksoverheid.nl/onderwerpen/identiteitsfraude/vraag-en-antwoord/veilige-kopie-identiteitsbewijs
• Belgium: https://kopieid.be/nl/

As explained here (in Dutch) and here (Dutch), it’s a terrible ID (sorry, idea), to copy your identity card and hand over the unprotected copy to someone….

Therefore it’s highly interesting to protect the photocopy against abuse, in the ultimate case you need a photocopy of your identity card…

KopieID NL

In the Netherlands the government has provided an app for your mobile phone, to take a photo of your ID and then blur the redundant information and to add a remark / watermark to indicate the purpose limitation.

Check it out here:

They also provide an interesting video explanation:

KopieID BE

In Belgium, there is a website (without app) that does the same, see here:

References

Source articles:

• (Dutch) https://www.linkedin.com/pulse/denk-2-keer-na-voor-je-een-fotokopie-laat-maken-van-peter-geelen-/
• (Dutch) https://www.linkedin.com/pulse/wat-dan-het-probleem-met-een-kopie-van-je-eid-extract-peter-geelen-/

Reference material from the articles:

• Ministry of Privacy Magazine: https://ministryofprivacy.eu/wat-we-doen/magazine-ministry-privacy/
• (LinkedIN) Het gebruik van uw identiteitskaart als waarborg?
• (GBA BE) Aanbeveling uit eigen beweging over het nemen van een kopie van de identiteitskaart en over het gebruik en de elektronische lezing ervan (CO-AR-2010-008)
• Dossier eID : https://www.gegevensbeschermingsautoriteit.be/burger/thema-s/elektronische-identiteitskaart-eid
• Zoek Overige eID topics: https://www.gegevensbeschermingsautoriteit.be/burger/zoeken?q=eid
• [GBA BE] Welke wetgeving is van toepassing?: https://www.gegevensbeschermingsautoriteit.be/eid

Picture credits: Image by mohamed Hassan from Pixabay 

Image source: https://pixabay.com/illustrations/hack-fraud-card-code-computer-3671982/

Note-to-Self: workaround for bcc (blind copy) of meeting requests in Outlook

---

This article has also been posted on Microsoft Wiki, feel free to add suggestions and extra information.

Outlook Quick Tip: workaround for bcc (blind copy) of meeting requests

Issue

For meeting requests in Microsoft Outlook, the program does not have a bcc (aka Blind copy) option to add participants to a meeting, without publishing all personal data (mail addresses) to the other participants. 

Microsoft is aware of the issue, but hasn’t fixed the option yet.

Still you can request to have this option or request this function in Outlook, via Windows Feedback hub (hit the W10 Windows button, and type feedback) of via Microsoft Tech Community or Microsoft Q&A.

Visibility of participants to other participants

When you add participants to the “Required” or “Optional” section, they can see each others mail addresses. For smaller groups of people, that probably know each other, it’s not a big thing.

But for public events, this might be an issue. And certainly for large groups of participants, this is an overload of information.

And additionally, it might be considered as an inconvenience (or even a data breach) to publish data of other participants in a large group.

Limiting visibility to other participants

For matters of data protection it would be very handy to send the invite to the participants without exposing too much data.

Work around

As the bcc: option is missing, you can add people to the “Resources” option.

Steps

Create a new meeting request.

In the meeting options select, the “Required” or “Optional” button.

Then in the resources option, add the contacts or mail addresses of the participants.

Then add the required information to the invite, including online meeting options (Teams, …) and send the mail.

Alternative option : using iCAL file option via mail

Another option is

1.  to create an meeting in your agenda,
2. add the required meeting details (including teams invite)
3. Save the meeting as iCAL file
4. Create a mail,
   1. add the iCAL file
   2. add the the participants in bbc

References

More information can be found in these articles:

Resource option

Reddit

•  https://www.reddit.com/r/Office365/comments/khfi0a/meeting_invites_in_outlook_dont_have_a_bcc_field/

iCAL Option

Slipstick

• https://www.slipstick.com/outlook/calendar/to-cc-or-bcc-a-meeting-request/

RocketIT

• https://rocketit.com/sending-emails-to-large-groups

---

Note-to-self: 2020 IDG Security priorities study

Source: https://f.hubspotusercontent40.net/hubfs/1624046/2020_Security%20Priorities%20Executive%20Summary_final.pdf

End 2020 IDG published a study on Security priorities, and it provides important guidelines to the priorities of securing yourself and your company

1. Protection of confidential and sensitive data
2. End-user awareness
3. Corporate resilience
4. Enhance access control
5. Understand external threats
6. Application security
7. Plan for unexpected risks

This pretty much confirms that your customers, stakeholder’s and staff interest in protecting personal data is driving security from business perspective.

If you see the increase of cyberattacks and ransomware hitting the business, it’s pretty obvious that Business Continuity Management and Disaster recovery must be on top of your priority list.
You need to have a tested plan against successful cyberattacks and ransomware, to avoid extended business damage and massive (ransom) costs … afterwards.

To put a plan together, you need to understand who is your adversary and what the current state of cybersecurity is.
And this study is a simple but smart guide to define your priorities.

The better you prepare, the less it will cost.
But you’ll only be able to tell when it goes wrong.

Don’t get caught by surprise, be ready.

Note-to-self: Crowdstrike has published their 2021 Global Threat report

Crowdstrike has published their 2021 Global Threat report.

It’s always an interesting reference to see what the world in cybersecurity is about, certainly with the turbulent pandemic year.

They look at:

• cybersecurity during COVID19
• cybersecurity in health care
• significant political, state based attacks
• evolution of ransomware

And no one has to tell you, we’ve not seen the end yet.

Hang in, get ready, protect yourself for more bad stuff to come.

Keep patching your systems, all of them, all the time.

And by the way, don’t ay with your personal data for the download. Direct download is available at:

Click to access Report2021GTR.pdf