risk management

Data Compliance: Get it right the first time

Below is a short overview of the #Hexnode webinar on data compliance, presented on 2022-04-07.

The webinar recording is published on the Hexnode website (and embedded below).
The PDF version of the slide deck is published on Slideshare, in a full-colour and a B/W print version; see the links below.

A PPT version is available on request (send me a DM on LinkedIn).

Data is the new oil…

Whatever business you run…

… it won’t run without data:

  • Business data
  • Management data
  • HR data
  • Technical data
  • Network data
  • Personal data (PII)
  • Communications
  • Mail data 
  • Financial data
  • Operational data
  • Intelligence
  • Intellectual Property (IP)
  • Ideas

Other businesses want your data as well…

There is a massive growth of digital business:

  • Direct marketing
  • Data brokers
  • Data Intelligence
  • Data analytics
  • Big data
  • Artificial intelligence
  • Machine learning
  • Health care, research & development

But also… the dark side wants your data.

And your data in the wrong hands… is explosive.

Current state of crime

Company data, user data and personal data are an important target and leverage in cybercrime, such as:

  • Phishing
  • Ransomware
    • not only encryption
    • data leak extortion
  • Reconnaissance & Hacking
  • Data breaches 
  • Biometric data
  • Digital & Economical war

Now the question is… How do YOU get in control?

You can’t simply lock up your data… because data needs to flow. (You want to use it…)

Data management essentials to get a grip

Ask yourself: how much €$ can you spend to protect your data? To answer that question, you’ll need to get a grip on some basic data management principles in relation to security:

  1. You can only protect what you know you have
  2. Without an owner there is no protection
  3. Nothing is stable, everything has a lifecycle

Data lifecycle

The start of the cycle is mostly

  • short,
  • easy to manage,
  • low security risk (if the creation fails, you have no data to keep under control).

The end of the cycle is mostly

  • long (there are various reasons why you need to keep the data for a while, e.g. in an archive before you dispose of it…),
  • difficult to manage (if the process fails, it’s difficult to track or keep under control),
  • high security risk (risk of losing ownership, risk of leakage, …).

What is risk?

Assets have vulnerabilities (weaknesses/properties) that can be exploited by threats (activities), with impact ($$ cost).

You need to balance the protection against the impact. You don’t want to over-spend or under-protect.

Your boss (or insurer, or CFO) needs a budget, spreading the cost over a year, or over 2, 3, 4 or 5 years.

[Risk management is calculating impact over the rate of occurrence/frequency…]
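As an added example (not part of the webinar or its slides), the impact-over-frequency calculation above worked through in Python: single and annualised loss expectancy for one risk, and whether a control whose cost is spread over a multi-year budget avoids more loss than it costs. All asset values, rates and control costs are constructed for illustration.

```python
"""Added example (not from the webinar): a minimal quantitative risk
calculation that turns 'impact x frequency' into an annualised figure and
checks whether a proposed control is worth its budget.

All asset values, frequencies and control costs below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One (asset, vulnerability, threat) combination from the risk register."""
    name: str
    asset_value: float        # what the asset is worth to the business ($)
    exposure_factor: float    # fraction of the asset value lost per incident (0..1)
    annual_rate: float        # expected incidents per year (rate of occurrence)

    def single_loss_expectancy(self) -> float:
        """SLE: impact ($$ cost) of one occurrence."""
        return self.asset_value * self.exposure_factor

    def annual_loss_expectancy(self) -> float:
        """ALE: impact spread over the rate of occurrence, per year."""
        return self.single_loss_expectancy() * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A protective measure with a one-off cost spread over N budget years."""
    name: str
    one_off_cost: float
    yearly_cost: float
    budget_years: int
    residual_rate: float      # expected incidents per year after the control

    def annual_cost(self) -> float:
        return self.one_off_cost / self.budget_years + self.yearly_cost


def control_benefit(risk: Risk, control: Control) -> float:
    """Yearly ALE reduction minus the yearly control cost.

    Positive: the control pays for itself (protection is justified).
    Negative: you would over-spend relative to the impact you avoid.
    """
    residual = Risk(risk.name, risk.asset_value, risk.exposure_factor,
                    control.residual_rate)
    avoided = risk.annual_loss_expectancy() - residual.annual_loss_expectancy()
    return avoided - control.annual_cost()


def recommend(risk: Risk, controls: list[Control]) -> Control | None:
    """Pick the control with the highest positive net benefit, or None when
    every option costs more per year than the loss it avoids (accept the risk)."""
    best = max(controls, key=lambda c: control_benefit(risk, c), default=None)
    if best is None or control_benefit(risk, best) <= 0:
        return None
    return best


# Constructed sample: a customer PII database hit by ransomware with data-leak
# extortion; an incident is expected once every 4 years and costs 60% of the
# asset's value (recovery, notification, fines, lost business).
PII_DB = Risk("customer PII database", asset_value=2_000_000,
              exposure_factor=0.6, annual_rate=0.25)

OPTIONS = [
    # Offline, tested backups: cheap, and cut the rate a lot (you can restore).
    Control("offline backup + restore tests", one_off_cost=40_000,
            yearly_cost=10_000, budget_years=4, residual_rate=0.1),
    # Gold-plated everything: effective, but far more than the impact justifies.
    Control("full outsourced SOC + EDR + DLP", one_off_cost=300_000,
            yearly_cost=250_000, budget_years=4, residual_rate=0.05),
]

if __name__ == "__main__":
    print(f"SLE = {PII_DB.single_loss_expectancy():,.0f}")
    print(f"ALE = {PII_DB.annual_loss_expectancy():,.0f}")
    for c in OPTIONS:
        print(f"{c.name}: net benefit/year = {control_benefit(PII_DB, c):,.0f}")
    choice = recommend(PII_DB, OPTIONS)
    print("recommended:", choice.name if choice else "none (accept the risk)")
```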

How to get started

Know the external context

  • International regulations (GDPR, …)
  • National regulations (SOC, …)
  • Sector regulations (PCI-DSS, ..)
  • Contractual obligations
  • Enterprise vs PII/personal data requirements

Know the internal context

  • Know your business (what)
  • Know your organization (organigram)
  • Make an inventory of processes and interfaces
  • Assign business ownership
    • For each process
    • For each asset

Know the processes

  • Know the data flow 
  • Know your sources (IN)
  • Know the data processing
  • Know your receivers (OUT)

Know the data in the processes

  • Categorize your data – data types
    • Enterprise data
    • PII / Personal data (GDPR !)
    • Other ?

Categorization (define data classes)

  • Sensitivity = linked to business impact
  • Ask the owner: “What if data is …”
    • unavailable,
    • changed,
    • destroyed,
    • leaked,
    • accessed without authorization, illegally, unlawfully?
  • Categorize your data sensitivity, for example for enterprise data:
    • Unclassified, Official, Restricted, Confidential, Secret, Top Secret (NATO)
    • Public, Company internal, Confidential, Strictly confidential
    • TLP Red, TLP Amber, TLP Green, TLP White (public)

Classification (apply the labels)

  • Responsibility of owner
  • Label all data
  • Label containers if you can’t label the data
    • Folder or File share
    • Database
    • Mailbox
    • …

Mind the lifecycle

  • Get started
  • Keep going
  • Start over again
  • Think about security when
    • creating new processes
    • changing processes
    • removing processes
    • recheck on a regular schedule (even when nothing changes)

Mind the business and legal requirements

  • Accountability & Responsibility 
  • Reporting & audit requirements (SOC I-II, …)
  • Incident management requirements
  • Data breach requirements (GDPR)
  • Subject rights 

Consequences of data management failure

  • Financial loss
  • Business loss
  • Reputation loss 
  • Contract SLA violation
  • Regulatory violations
  • Fines
  • Prosecution
  • Personal accountability

Think about

  • Direct and indirect impact
  • Short term and long term impact
  • How long can you survive a total breakdown?

TAKEAWAYS

  • Manage enterprise data like personal data
  • Keep the categories simple (<7)
  • 3 TLP (Red, Amber, Green) + 2 categories (public + highly critical)
  • Define and maintain ownership
  • Involve everyone
  • Evangelize internal & external stakeholders (incl. customers…)
  • Lead by example

Use business best practices

  • Use standards and frameworks:
    • ISO (international)
    • NIST (US)
    • ENISA (EU)
    • COBIT (ISACA)

Classification and labeling

  • Force labeling
  • Aim to classify everything
  • Start with new data first
  • Update labels when you change documents
  • Set a default label for archived data that doesn’t change
  • DO NOT set “public” as default
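An added example (not from the webinar) of the labeling rules above as code: ownership is mandatory, an explicit label on the data wins over the container label, unchanging archived data gets a default that is never “public”, and unlabelled live data is reported back to its owner instead of being silently defaulted. The five-class scheme and the sample inventory are constructed.

```python
"""Added example (not part of the webinar): resolving the effective label of
a data asset following the takeaways above. The five-class scheme (public,
TLP Green, TLP Amber, TLP Red, highly critical) and all assets are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Ordered from least to most sensitive; the index is used for comparisons.
LABELS = ["public", "tlp-green", "tlp-amber", "tlp-red", "highly-critical"]
DEFAULT_ARCHIVE_LABEL = "tlp-amber"   # conservative default, never "public"

assert DEFAULT_ARCHIVE_LABEL != "public"   # takeaway: do not default to public
assert len(LABELS) < 7                     # takeaway: keep the categories simple


class ClassificationError(ValueError):
    """Raised when an asset cannot be classified under the policy."""


@dataclass(frozen=True)
class Container:
    name: str
    label: Optional[str]          # label of a file share, database, mailbox, ...
    owner: Optional[str]


@dataclass(frozen=True)
class Asset:
    name: str
    container: Container
    label: Optional[str] = None   # explicit label on the data itself
    owner: Optional[str] = None   # falls back to the container's owner
    archived: bool = False        # archived data that does not change any more


def effective_owner(asset: Asset) -> str:
    owner = asset.owner or asset.container.owner
    if not owner:
        # "Without an owner there is no protection": refuse to classify.
        raise ClassificationError(f"{asset.name}: no owner assigned")
    return owner


def effective_label(asset: Asset) -> str:
    """Resolve the label: data label first, then container label, then the
    archive default; unlabelled live data is an error for its owner to fix."""
    effective_owner(asset)            # ownership is a precondition
    for candidate in (asset.label, asset.container.label):
        if candidate is not None:
            if candidate not in LABELS:
                raise ClassificationError(f"{asset.name}: unknown label {candidate!r}")
            return candidate
    if asset.archived:
        return DEFAULT_ARCHIVE_LABEL
    raise ClassificationError(f"{asset.name}: unlabelled live data, label it")


def is_at_least(label: str, minimum: str) -> bool:
    """True if `label` is as sensitive as `minimum` or more."""
    return LABELS.index(label) >= LABELS.index(minimum)


def classify_all(assets: list[Asset]) -> tuple[dict[str, str], list[str]]:
    """Classify a whole inventory; returns (name -> label) plus the problems
    to hand back to the owners instead of silently picking a label."""
    labels, problems = {}, []
    for a in assets:
        try:
            labels[a.name] = effective_label(a)
        except ClassificationError as exc:
            problems.append(str(exc))
    return labels, problems


# Constructed sample inventory.
HR_SHARE = Container("hr-share", label="tlp-red", owner="hr-director")
ARCHIVE = Container("archive-2015", label=None, owner="records-manager")
ORPHAN = Container("old-project-share", label=None, owner=None)

INVENTORY = [
    Asset("payroll.xlsx", HR_SHARE),                          # inherits tlp-red
    Asset("press-release.docx", HR_SHARE, label="public"),    # explicit label wins
    Asset("invoices-2015.pdf", ARCHIVE, archived=True),       # archive default
    Asset("notes.txt", ARCHIVE),                              # live and unlabelled
    Asset("design.vsd", ORPHAN, label="tlp-amber"),           # nobody owns it
]

if __name__ == "__main__":
    resolved, issues = classify_all(INVENTORY)
    for name, label in resolved.items():
        print(f"{name:22} -> {label}")
    for issue in issues:
        print("TODO:", issue)
```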

Think about the support processes

  • Incident management (ISO 27035 & NIST)
  • Data breach management (GDPR & other …)
  • Business continuity (ISO22301)
  • Disaster recovery

Questions

How to identify regulations you should follow?

  • know and analyse the services you’re offering,
  • know where your data is stored,
  • know what kind of data you have (enterprise data, personal data, financial, …),
  • identify the local, national, regional and international regulations or sector legislation that apply to your business (check partners/competition, sector representatives, …).

Is there difference in regulation for small or large business?

  • very limited impact of the size of the company…
  • very likely some impact on financial and tax reporting,
  • some legislation only applies to large-scale operations (e.g. GDPR only requires a DPO for certain types of operations, …).

Best place to start for SME/SMB?

Webinar recording by Hexnode

Hexnode webinar

Presentations

Full color

Black/White print

Why it’s not appropriate to ask for a copy of the identity card by default and systematically before you respond to a #GDPR data access request?

The EDPB guidelines on the data subject’s right of access contain 60 pages of very useful instructions. This article does not elaborate all of it, but only highlights the topics related to the use of ID card photocopies, as there has been a recent case at the Belgian Data Protection Authority that refers strongly to the data access request guidelines of the European Data Protection Board (EDPB).

Background

In a recently published case (DOS-2020-05314), the Belgian Data Protection Authority decided to dismiss (classify without further action) the complaint itself, without any consequences, but it explicitly confirmed that the use of a photocopy of the ID card is a very bad idea in general.

A very clear reminder that you shall not systematically request a copy of the identity card

In the motivation of the decision, the authority sets a very clear reminder that it is considered illegal to systematically request a copy of an identity card as a condition to respond to a GDPR data access request, in accordance with the EDPB (European Data Protection Board) guidelines on the right of access.

Why is a copy of an ID card a bad idea?

The copy of the ID card contains a lot of sensitive data, like your national number, that can be abused to harm you by stealing your identity.
Using your identity data, people can open bank accounts and credits, steal your money, empty your existing bank account, … so the impact is very personal, very real and very high when your identity is stolen.

EDPB Guidelines 01/2022 on data subject rights – Right of access

The highlights

The EDPB explains in the executive overview of their guidelines that “The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.”

“There are no specific requirements on the format of a request. The controller should provide appropriate and user-friendly communication channels that can easily be used by the data subject.”

“The request for additional information must be proportionate to the type of data processed, the damage that could occur etc. in order to avoid excessive data collection.”

Do not excessively demand personal data when validating an access request

In the guidelines, the EDPB says:

“65. /../ In general, the fact that the controller may request additional information to assess the data subject’s identity cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested.”

Copy of ID card should generally not be considered an appropriate way of authentication

EDPB guideline:

“74. Taking into account the fact that many organisations (e.g. hotels, banks, car rentals) request copies of their clients’ ID card, it should generally not be considered an appropriate way of authentication.

Alternatively, the controller may implement a quick and effective security measure to identify a data subject who has been previously authenticated by the controller, e.g. via e-mail or text message containing confirmation links, security questions or confirmation codes.”

Information on the ID that is not necessary for confirming the identity should be hidden

EDPB guideline 75:

“In any case, information on the ID that is not necessary for confirming the identity of the data subject, such as the access and serial number, nationality, size, eye colour, photo and machine-readable zone, may be blackened or hidden by the data subject before submitting it to the controller, except where national legislation requires a full unredacted copy of the identity card (see para. 77 below).

Generally, the date of issue or expiry date, the issuing authority and the full name matching with the online account are sufficient for the controller to verify the identity, always provided that the authenticity of the copy and the relation to the applicant are ensured. Additional information such as the birth date of the data subject may only be required in case the risk of mistaken identity persists, if the controller is able to compare it with the information it already processes.”

Inform about data minimization and apply it.

EDPB guideline 76:

“To follow the principle of data minimisation, the controller should inform the data subject about the information that is not needed and about the possibility to blacken or hide those parts of the ID document.

In such a case, if the data subject does not know how or is not able to blacken such information, it is good practice for the controller to blacken it upon receipt of the document, if this is possible for the controller, taking into account the means available to the controller in the given circumstances.”

Making the information available in a commonly used electronic form

Following EDPB guideline paragraph 32, the controller must provide the answer in a commonly used electronic form:

“[In] the event of a request by electronic form means, information shall be provided by electronic means where possible and unless otherwise requested by the data subject (see Art. 12(3)). Art. 15(3), third sentence, complements this requirement in the context of access requests by stating that the controller is in addition obliged to provide the answer in a commonly used electronic form, unless otherwise requested by the data subject. Art. 15(3) presupposes that for controllers who are able to receive electronic requests it will be possible to provide the reply to the request in a commonly used electronic form (e.g. in PDF). This provision refers to all the information that needs to be provided in accordance with Art. 15(1) and (2). Therefore, if the data subject submits the request for access by electronic means, all information must be provided in a commonly used electronic form.”

Some practical data protection life hacks

Protecting your identity card

  • Keep your ID card in your pocket or wallet as much as possible.
  • Do NOT hand over your identity card to any party, unless it’s a legal authority (police, …).
  • Quickly showing your ID card for validation is fine, but resist requests to get a copy of your card.
  • Prepare a masked paper copy of your ID card:
    • make sure to hide all the irrelevant, sensitive information yourself,
    • keep a paper copy in your wallet.
  • Prepare a masked digital photocopy of your ID card, yourself.
  • Mask all the irrelevant, sensitive information on your identity card; do it yourself:
    • e.g. use Tipp-Ex (correction fluid) to cover the info; you can simply scratch it off when an official authority needs to validate your sensitive information,
    • ‘accidental’ copies will still mask your data, and you can detect if an unauthorized party scratches your ID card.

From a corporate perspective

  • Do not request copies of identity cards by default; there are many more practical means to verify identity in a secure way.
  • Only authenticate with ID cards when there are no other options.
  • Use electronic authentication without disclosure of sensitive data.
  • Use alternative means of authentication; there are many ways to do this securely.
  • Do not keep a copy of any identity card; there are virtually NO reasons to keep a copy, a quick validation is mostly enough.
  • Delete any copy of identity cards as soon as possible…

Reference information:

Note-to-self: SOC2 mapping to ISO27001

Just in case you get into SOC2 and want to know how to map it to your existing information security implementation, whatever it may be (GDPR, ISO27001, NIST, …), check this page:

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/mappingsrelevanttothesocsuiteofservices.html

It includes links to XLS-format sheets with a bidirectional comparison between the frameworks.

Info on SOC1/SOC2/SOC3

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

SOC and SOX?

SOC reports refer to an audit of internal controls to ensure data security, minimal waste, and shareholder confidence; SOX relates to government-issued record keeping and financial information disclosure standards law. In other words, one is about keeping information safe, and the other is about keeping corporations in check.

https://immedis.com/blog/what-are-the-key-differences-between-soc-and-sox/

https://www.logicgate.com/blog/a-comparison-of-soc-and-sox-compliance/

Also

https://linfordco.com/blog/soc-2-security-vs-iso-27001-certification/

(braindump article, still in progress)

Is “not paying” THE solution against ransomware?

The discussion and opinions on paying a ransom in case of ransomware are very much alive.

Many people have strong opinions, but the actual victims of ransomware are seldom heard. They mostly keep silent.

This article is the English translation and adaptation of an article, originally published in Dutch, earlier.

(Source) Initial article in Dutch : https://identityunderground.wordpress.com/2021/07/30/de-oplossing-tegen-ransomware-volgens-brian/

In Trends magazine, Brian Schippers published an opinion article a few days ago with a very easy and simple solution against ransomware: don’t pay. (Source: Trends)

I must admit, it’s a great opinion article to get a nice discussion going with companies. At least it helps to raise awareness of ransomware and ransom payments. But unfortunately the article is not ancient Greek wisdom [σοφός].

But he’s right about the reprehensible statements made by some of the ransomware victims. It is outrageous that a company dares to claim that ‘only’ 300K has been paid.

(translated quote) “We understand that we are suffering reputation damage, but we can’t be blamed,” the company manager told reporters. That statement in the press will haunt him for a while.

And it’s not the first time we’ve witnessed such statements. For another company from the Westhoek (Western Belgian region, near the coast), it was “less than 1 million”…

It says a lot about how little business leaders worry about ransomware, or how careless they can be about protecting their business.

And Brian puts forward a very nice theory on how to stop ransomware… in an ideal world.

But unfortunately, the article does not show in any way that the opinion-maker, in real life, has ever been on the side of a defenseless victim who is completely under the control of some remote criminal.

Because the choice to (NOT) pay a ransom is only available if you have a well-functioning and thoroughly tested backup and restore system.

At that moment, when it happens, all preventive measures have clearly failed already. Way too late to have regrets…

Prevention only works BEFORE the criminal strikes. Or when he has left again, to avoid repetition.

People do not choose to pay ransomware. It’s the last resort.

They just have no choice. All other means are already exhausted or unavailable.

You don’t pay a ransom if your backup/restore system works properly.

Without a guaranteed recovery function, the mathematics is very simple.

If you

  • DO NOT pay = 100% GUARANTEE that you LOSE your DATA, and you’re almost certain that your company will also be dead very quickly, or at least suffer long-term or irreparable damage.
  • PAY = there is SOME chance that you may see (something of) your data again. That’s always better than the previous option, no matter what it costs.

The third option in between is that the cost of the ransom is lower than the real cost of restoring your data. If you run into a cheap criminal, you can only try to talk him down and limit the damage. Pure math.

What if…?

It’s very easy to imagine: a good-looking homejacker simply rings the doorbell at your home. And your dearest opens the heavily reinforced front door.

A few seconds later, the robber asks you to clear your bank account completely with a gun to your dearest one’s head.

Are you going to pay or not?!

Do you have a choice?!

Replacing your dearest… is not an option, I would think.

With ransomware, the situation is exactly the same.

Well, Brian Schippers apparently doesn’t think so.

In his article Mr. Schippers is very convinced that you should certainly not pay a ransom. But the article does not offer any concrete, useful solution or practical suggestion as alternative.

He talks about a “security solution”… and reading between the lines you easily know where it should come from.

But there is no mention of decent and continuous training of people, thorough awareness training and thorough backup/restore or even better offline backup, even in the current age of cloud.

Because with “wise” software alone, it won’t work.

Even with the best technical security you have, people remain the weak point.

And the stronger the security, the more crime will target people directly.

And people make mistakes. People make software. Each software contains errors.

And mistakes will always be exploited.

And you only need one employee who is fooled by a cleverly designed but infected mail, or by a complete stranger on the phone.

It happens in no time; there are more than enough statistics from practice.

Because the hack or phishing is so well designed these days that even cyber professionals can’t easily detect fake mails.

“The budget should not be a problem.”

Yes, yes, of course it shouldn’t, Brian! Nice slogan.

NOT.

Because the practice proves something completely different:

cyber protection < a very small percent of the IT budget < a small percent of the company budget.

Well, now what?!

It would be quite different if business leaders and managers were personally held liable for a pertinent lack of “state-of-the-art” (i.e. up-to-date) security that aligns both people, processes and technology very well.

Only THAT would solve the whole ransomware problem, very quickly. Deprive the criminal of his leverage.

Don’t look too far. Just look at how the insurance companies are doing in real life.

See how they implement car, fire, liability or other insurance. If it is shown that you are negligent, and knowingly refuse to implement sufficient security… then the insurer will not pay, or will claim back the payout.

Easy and simple, isn’t it?

Not so in cyber insurance; that’s the wild west. For a couple of thousand euros in insurance, you get a bag of money of a couple of million to pay the criminal.

You bet on hackers giving up.

And if you bet hackers will give up soon, you might as well start by giving a “tournée générale” (buying everyone a round).

Because cybercrime and ransomware is big business. They make a lot of money with crime, so they won’t give up. Not now, not ever.

[BTW, it’s not because known ransomware groups suddenly disappear that they’re gone too. We don’t know the facts about that yet…]

But criminals don’t respect any law or rule. And they certainly don’t have ethical principles. It’s just a business that makes a lot of money.

So they always have a head start and they are very motivated. And they will twist your arm even harder… or worse.

Finally

We must keep repeating that state-of-the-art security is all about security solutions at different layers and levels, which look beyond technology.

When you keep claiming you should not pay for ransomware, you’re running after the facts. In practice, it doesn’t solve anything… People in distress and panic will ignore law and ethical guidelines.

Also in physical life, many authorities officially declare that they do not give in to ransom demands. Is paying a ransom prohibited by law? But in many cases, money is paid clandestinely. Reality check.

So?

Make sure that the liability for implementing poor security measures hurts the right person, in the right place. Not the employees, but their boss.

And consequently:

So make sure that cybersecurity is sponsored at the top management level.


THE solution against ransomware, according to Brian

In Trends magazine, Brian Schippers published an opinion article a few days ago with a dead-simple solution against ransomware: don’t pay. (Source: Trends)

Admittedly, it is a great opinion article to get a lively discussion going with companies. At least it helps to raise awareness of ransomware and ransom payments. But unfortunately the article is not ancient Greek wisdom [σοφός].

And he is right about the reprehensible statements of some victims. It is outrageous that a company dares to claim that ‘only’ 300K was paid.

Do you still remember: “We understand that we suffer reputation damage, but we cannot be blamed,” the company manager said in the press. That statement in the press will haunt him for a while.

And it is not the first time we have noted such statements. For another company from the Westhoek, it was “less than 1 million”…

It says a lot about how little business leaders worry about ransomware, or how nonchalant they can be about protecting their business.

And Brian has a very nice theory to stop ransomware in an ideal world.

But unfortunately the text does not show in any way that the opinion-maker has ever stood, with practical knowledge, at the side of a defenceless victim that is completely under the control of some remote criminal.

Because the choice to (NOT) pay a ransom is ONLY available if you have a well-functioning and thoroughly tested backup and restore system.

At such a moment, all preventive measures have clearly failed already. So that is too little, too late.

Prevention only works BEFORE the criminal strikes. Or once he has left again, to prevent repetition.

People do not choose to pay ransomware. It is the last resort.

They simply have no other option. All other means are exhausted by then.

You do not pay a ransom if your backup/restore system works properly.

Without a guaranteed recovery function, the mathematics is very simple

  • DO NOT pay = 100% GUARANTEE that you LOSE your DATA, and almost certainly that your company is also broken very quickly, or at least suffers long-term or irreparable damage.
  • PAY = some chance that you may still see (something of) your data again. That is always better than the previous option, whatever it costs.

The third option in between is that the cost of the ransom is lower than the real cost of restoring your data. If you run into a cheap criminal, you can only try to talk him down and limit the damage. Pure mathematics.

What if…?

It is very easy to imagine: a decent-looking homejacker simply rings the doorbell at your home. And your dearest opens the heavily reinforced front door.

A few seconds later the robber asks you to empty your account completely, with a gun to your dearest’s head.

Are you going to pay or not?!

Do you even have a choice?!

Replacing your dearest… is not an option, I would think.

With ransomware the situation is exactly the same.

Well, Brian Schippers apparently thinks otherwise.

In his opinion article, Mr. Schippers proclaims loudly that you must certainly not pay a ransom. But the article does not really offer any concrete, usable solution or practical suggestion.

He talks a lot about a “security solution”… and it shines through clearly where that should come from.

But not a word is said about good and continuous training of people, thorough awareness training and thorough backup/restore or, better still, offline backup, even in the current cloud era.

Because with “wise” software alone, it will not work.

Even with the best technical security you have, people remain the weak point.

And the stronger the security, the more crime targets the person directly.

And people make mistakes. People make software. Every piece of software contains errors.

And errors will always be exploited.

And you only need 1 employee who is led up the garden path by a cleverly designed but infected mail, or by a complete stranger on the phone.

It happens in no time; there are more than enough figures from practice.

Because the hack or phishing is so well designed these days that even cyber professionals have real trouble telling fake from real.

“The budget should not be a problem.”

Yes, yes, of course it shouldn’t, Brian! Nice slogan.

NOT.

Because practice says something completely different: cyber protection < a very small percent of the IT budget < a small percent of the company budget.

Well, what then?

It would be something else entirely if business leaders and managers were personally liable for a pertinent lack of “state-of-the-art” (i.e. up-to-date) security that properly aligns people, processes and technology.

THAT would really solve the whole ransomware problem, very quickly.

You do not have to look far. Just look at how insurers handle it in physical life.

Look at what is applied in car, fire, liability or other insurance. If it is shown that you are negligent, and knowingly refuse to spend on sufficient security… then the insurer claims it back.

Simple, isn’t it?

Not in cyber insurance, that is the wild west. For a couple of thousand euros in insurance, you sit on a bag of money of a couple of million euros.

Want to bet that hackers give up?

And if you bet that hackers will give up soon, you might as well start by buying everyone a round (a “tournée générale”).

Because cybercrime and ransomware is big business. They can earn a lot of money with crime, so they do not give up. Not now, not ever.

[BTW, it is not because known ransomware groups suddenly disappear from the face of the earth that they are gone too. We do not know the details of that yet…]

But criminals do not abide by any law or rule. And they have no ethical principles at all. It is simply a business that yields a lot.

So they always have the advantage and are highly motivated. And they will twist your arm even harder… or worse.

Finally

We must keep repeating that good security is about security solutions at different layers and levels, which look beyond technology alone.

You can keep shouting for a long time that you must not pay ransomware. Then you are running behind the facts. That solves nothing in practice.

Also in physical life, quite a few states officially proclaim that they do not give in to ransom demands. Is paying a ransom prohibited by law there? But in many places money is still slipped across the table clandestinely. Reality.

So?

Make sure the liability for deficient security hurts, with the right person, in the right place. Not the employees, but their boss.

And consequently,

So make sure that cybersecurity is sponsored at top management level.

Privatum – Privacy After Work (2020-02-06 collaterals)

On 6 February last, I presented a session at Privatum, for their evening sessions of “Privacy After Work”.

That is a light, interesting approach to bring people together around privacy and data protection, so ideal for networking and learning interesting things.

More info here: https://www.privatum.be/privacy-after-work-2/

Below you will find an overview of the links and URLs I referred to during the session.

The handouts of the session can be found on SlideShare:

Slide 10: the ISO27701 building blocks:

Slide 11: (*) Free downloads

Slide 21

Extended ISO27701 mapping with GDPR in XLS format (a bit handier)

https://github.com/PeterGeelen/ISO27701Collaterals

Direct links

Extended mapping

https://github.com/PeterGeelen/ISO27701Collaterals/blob/master/20200129%20PECB%20ISO27701%20vs%20GDPR%20-%20extended%20mapping.xlsx?raw=true

Handy mapping

https://github.com/PeterGeelen/ISO27701Collaterals/blob/master/20200129%20PECB%20ISO27701%20vs%20GDPR%20-%20handy%20mapping.xlsx?raw=true

Slide 52

More info: https://identityunderground.wordpress.com/2017/11/06/note-to-self-iso27001-iso27002-downloads-tools/

http://www.iso27001security.com/html/toolkit.html

GDPR-ISO27k mapping:  http://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.docx

More info on ISO27701, incl. webinars & LinkedIn articles with Q&A

https://www.linkedin.com/in/pgeelen/detail/recent-activity/posts/

Interesting update:

Microsoft has published an open-source mapping between the controls in ISO/IEC 27701 (the new privacy extension of ISO 27001 and 27002) and various legal regulations, including the GDPR (European Union).
The project contains an Excel file with the raw data: see https://github.com/microsoft/data-protection-mapping-project/raw/master/src/assets/database.xlsx

The direct link to the full open-source project itself is: https://github.com/microsoft/data-protection-mapping-project

Risk treatment options parody

The original meme on risk analysis has been around for a while on the internet.

(sorry, can’t find the original credits, feel free to claim and prove the credit, happy to comply)

risk classification

But risk management is only complete with risk treatment.

(original quality below)

risk_treatment_options.png

Note-to-self: free Executive Guide: IT-security en riskmanagement #ZDNet

Source: http://www.zdnet.be/continuity/159407/gratis-executive-guide-it-security-en-riskmanagement

As an add-on to their free seminar on business continuity (11 Dec), ZDNet offers a free guide on IT security and risk management.

It covers 10 IT risk management domains that are often forgotten. The guide also offers a simplified IT risk management framework for SMBs.

Furthermore, the guide discusses useful topics on risk management: how to determine the possible risks and how to implement control mechanisms against insider threats.

Download the executive guide here.