Security

Note-to-self: 2019 …cost of a data breach…

Many InfoSec and data protection or privacy courses reference 3 authoritative yearly reports that show interesting numbers, statistics and trends about breaches year over year.

And these are extremely useful to talk about to your management…

Interesting to know they all have been updated for 2019.

1. Verizon DBIR

(The Verizon Data Breach Investigations Report, DBIR)

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf (click the view only option)

2. IBM-Ponemon – Cost of a data breach report 2019

https://www.ibm.com/downloads/cas/ZBZLY7KL

(You can always use the official link and give away your privacy…at https://www.ibm.com/security/data-breach)

3. IAPP-EY Annual Governance Report 2019

(IAPP members get it for free)

Hint: the IAPP link below also shows reports of previous years.

https://iapp.org/resources/article/iapp-ey-annual-governance-report-2019/

V2018 also available from the EY website: https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/financial-services/ey-iapp-ey-annual-privacy-gov-report-2018.pdf

Note-to-self: CCSK vs CCSP

Just for easy, future reference… the difference between CSA CCSK and (ISC)² CCSP, quickly explained:

https://blog.cloudsecurityalliance.org/2018/04/24/ccsk-vs-ccsp-unbiased-comparison/

http://www.confidis.co/cloud-security-certifications-ccsk-vs-ccsp/

 

Microsoft MVP for another year: Thank you!

Just a few hours ago, I got the confirmation that I was awarded the 2019-2020 Microsoft Most Valuable Professional (MVP) award.

It’s a yearly award granted by Microsoft to community leaders and influencers who passionately share their knowledge and drive the MS community.

For some it’s the ultimate goal to get in the MVP program, but as the reward is granted year after year again, based on your impact of last year, it’s never sure you’re in for the next round.
It’s not about the award, but about the drive and mindset to build community. You can’t simply keep up if you don’t have the drive.

But more important, you simply can’t keep up without support.

So I’m proud to receive this award.

And I’m utterly grateful that lots of people around support me in this, very close and very far.

Thank you, my dearest wife and kids, for keeping me alive.

Thank you, dearest Microsoft TechNet Wiki Geeks (TOO MANY to list here), you keep me going.

Thank you, Ed Price, the greatest Wiki Wizz Kid,

Thank you Tina for supporting the MVP BeNelux and Nordic Community manager.

And many many others, … without you I could not do this!
I dedicate this award to you.

Thank you.

CCSK – DOMAIN 4 (Compliance and Audit Management) reference material

CCSK

Preparation tool kit (with registration): https://cloudsecurityalliance.org/artifacts/ccskv4_exam_prep_kit

Separate downloads:

(ISC)² Belux Chapter

2019-04-04 meeting presentation on CCSP-CCSK

ISC2-Belux-Chapter-20190404-Event

Additional Reading

PCI-DSS

Download PCI-DSS without registration: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

Documentation library: https://www.pcisecuritystandards.org/document_library

SOC1/SOC2/SOC3

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

Microsoft Azure – Cloud Security Compliance (Trust center)

https://www.microsoft.com/en-us/trustcenter/compliance/compliance-overview

Documents download: https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3

https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide

Regional & country compliance: https://www.microsoft.com/en-us/trustcenter/compliance/regional-country-compliance

Google Cloud Security Compliance

Google Cloud security compliance – general

ISO27001: https://cloud.google.com/security/compliance/iso-27001/

CSA STAR

ISO Standards

ISO27001

ISO27002

ISO27017 (Cloud security)

ISO27018 (Personal data)

ISO27032 (Cybersecurity)

CSA STAR

https://cloudsecurityalliance.org/star/#_overview

Other

Interesting collection of documents & references on compliance and standards: here, including HIPAA, PCI-DSS, ISO27001/27002, …

RGPD, GDPR, AVG, … and the linguistic word games… or confusions?

At the level of the RGPD (ref. Art. 5.2), there is an important difference for French speakers and English speakers.
Download the versions here: https://ffwd2.me/gdpr

The GDPR in English refers to “accountability”.

The RGPD (FR) speaks only of « responsabilité » (personal).

In fact, “accountability” (EN) = rendre compte (FR)

But “responsibility” in English is also translated as “responsabilité” (general) in French.

For a proper understanding, it is important to know that there is a difference.

“accountability” in English,

  • means “personal/individual responsibility”, giving account
  • typically applies
    • to 1 person,
    • after the facts
  • Ref. to the court/judge

“responsibility” in English,

  • means “general responsibility”
  • applies
    • to a group, several persons
    • who plan and take care of the tasks, in advance/during

In addition, at the level of the GDPR, there is a 2nd important difference, explained in GDPR recital (4)

  • Privacy (EN) / vie privée (FR), versus
  • Personal data (EN) / données à caractère personnel = “données personnelles” (FR)

When we talk about “vie privée”, we refer to fundamental rights and “respect for private and family life, home and communications …”

When we talk about personal data, we refer to the information and attributes that identify or can identify someone.

So, in data protection, we should speak of “données personnelles”.

And the story is the same for Dutch speakers… (NL <> FR) 😉

GDPR word games, differences in EN/FR language versions and interpretation

Did you ever compare the different language versions of the GDPR?
Check them at: https://ffwd2.me/gdpr

On the level of GDPR (ref. Art. 5.2), there is an important difference between French (FR) and English (EN). Same thing for Dutch, by the way.

The GDPR (EN) references “accountability” (EN). In FR (RGPD), they ONLY reference “responsabilité”.

In fact, “accountability” (EN) means “rendre compte” in French.

But “responsibility” (EN) is translated to “responsabilité” in French TOO!

So, for clear understanding, it’s important to know that there IS a difference.

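“accountability” (EN) means,

  • “personal/individual” responsibility, giving account
  • typically applies
    • to 1 person
    • after the facts
  • ref. to court/judge

“responsibility” (EN),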

  • is rather “general” responsibility
  • applies to
    • a group of, or multiple, persons
    • who plan or execute tasks, in advance or during activities

Furthermore, on the level of GDPR, there is a 2nd important difference, explained in GDPR recital (4)

  • Privacy (EN) / vie privée (FR), versus
  • Personal data (EN), données à caractère personnel = “données personnelles” (FR)

If we talk about privacy / vie privée (FR) in GDPR, it’s about “fundamental rights” and «respect for private and family life, home and communications … »

If you talk about personal data, you refer to the information and attributes that identify (“identified”) or can identify an individual (“identifiable”).

So, in data protection (EN), “protection des données” (FR) for GDPR, we should refer to personal data (EN), “données personnelles” (FR).