Accelerating feature delivery in software development

My company develops security products for all major operating systems. We work with startups and with big companies, all striving to develop features (functional and non-functional) as fast and as well as possible.

While at first glance speed and quality seem to be a contradiction, there are actually ways of achieving exactly this.

For security software development teams aiming to deliver features more frequently, streamlined processes and efficient workflows are essential.

You guessed it: the keywords are agile methods and their related activities, such as automated testing, strategic prioritization, agile delivery, efficient workflows, and regular and early feedback.

Below are several approaches that emphasize frequent and reliable delivery.

Define requirements with speed in mind

Clear, concise requirements set a strong foundation for quick delivery. Ensuring each feature has straightforward objectives and well-defined acceptance criteria reduces delays caused by back-and-forth clarifications. For security-focused teams, requirements should include key security considerations without overloading the development process. By clarifying expectations from the start, developers can stay on track, avoiding unnecessary revisions and accelerating overall delivery. That being said, do not change direction too often either (so-called pivoting). If you don’t allow a feature to “sit”, the product will never reach maturity.

Set up incremental, agile delivery

Breaking down feature development into small, manageable increments supports faster delivery. Rather than waiting for a full release, an incremental approach allows developers to deliver small updates frequently. This Agile-inspired method brings quick wins, shortens feedback cycles, and lets teams adjust direction as needed based on real-world usage. Incremental delivery ensures that new functionality reaches users sooner, making the product more responsive to changing needs.

Optimize for efficiency

Security doesn’t have to slow down delivery. By embedding secure coding practices into the team’s daily workflows, developers can build security right into each feature rather than adding it at the end. Code reviews focused on security can be streamlined with checklists or automated tools, keeping the process efficient. This “security-first” mindset ensures that features remain secure while minimizing delays, as there’s no need for last-minute security fixes.

Invest in CI/CD

Automated testing is key to quick, reliable feature deployment. Automated tests that cover basic functionality and security requirements provide instant feedback, allowing developers to identify and address issues faster. Implementing continuous integration (CI) tools that automatically trigger these tests during development helps the team validate new features on the go. By automating tests, the team gains more time for development and can release updates with minimal manual intervention.

Integrating DevSecOps practices into the development pipeline enables seamless security without slowing down delivery. Automated security checks within the CI/CD pipeline provide fast, reliable security validations, allowing developers to address issues before deployment. This approach keeps the pipeline moving smoothly, as security checks become an integrated part of the process, rather than an additional step that slows down delivery.

Encourage collaborative and efficient workflow

Encourage open communication between developers, security teams, and testers to streamline workflows. Collaborative sessions for discussing roadblocks or coordinating on shared goals help prevent bottlenecks. An open environment where team members share updates and resolve issues collectively accelerates progress by addressing concerns in real time. By emphasizing collaboration, teams can work faster, catching potential blockers early and adapting quickly to new requirements.

Use regular retrospectives to identify and remove delivery obstacles

Post-release retrospectives focused on delivery efficiency help identify and eliminate roadblocks. By analyzing each release or sprint for delays and other issues, teams can identify specific pain points in the development or deployment process. These retrospective sessions allow the team to adjust practices and improve their ability to deliver quickly, refining the workflow with each iteration.


The post Accelerating feature delivery in software development first appeared on Sorin Mustaca on Cybersecurity.

Understanding the SOC 2 Certification

Introduction

SOC 2 (Service Organization Control 2) certification is a framework designed by the American Institute of CPAs (AICPA) to help organizations manage customer data based on five Trust Service Criteria: confidentiality, processing integrity, availability, security and privacy. This certification is crucial for service organizations that store or process customer data in the cloud.

Comparison of Various SOC Certification Versions

SOC 1 (Service Organization Control 1)

  • Focus: SOC 1 is centered around internal control over financial reporting. It is particularly relevant for service organizations that impact their clients’ financial statements.
  • Users: Primarily used by financial auditors and companies that outsource services impacting financial operations.
  • Types: There are two types of SOC 1 reports:
    • Type I: Assesses the suitability of the design of controls at a specific point in time.
    • Type II: Examines the effectiveness of controls over a defined period.

SOC 2 (Service Organization Control 2)

  • Focus: SOC 2 addresses controls relevant to security, availability, processing integrity, confidentiality, or privacy, based on the AICPA’s Trust Services Criteria.
  • Users: Useful for management, customers, regulators, and other stakeholders concerned with information security and privacy.
  • Types: Like SOC 1, SOC 2 also offers Type I and Type II reports, focusing either on the design of controls at a point in time or their effectiveness over time.

Note: There is also SOC 3, but it is out of scope of this article.


Who Should Certify?

SOC 2 certification is essential for any organization that handles customer data, particularly cloud service providers, SaaS companies, and data centers.

It’s also relevant for companies in healthcare, finance, and other sectors where data security is paramount.

Why Certify?

Organizations pursue SOC 2 certification to demonstrate their commitment to data security, build customer trust, and comply with industry regulations. It also helps them stand out in competitive markets and avoid the financial and reputational damage associated with data breaches.

What Is Certified?

SOC 2 certification verifies that an organization adheres to robust information security policies and procedures. The certification evaluates five trust service criteria:

  1. Security: Protection of system resources against unauthorized access.
  2. Availability: Accessibility of the system as agreed upon.
  3. Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
  4. Confidentiality: Protection of confidential information.
  5. Privacy: Collection, use, retention, and disposal of personal information is in line with the organization’s privacy notice.

While some security frameworks like ISO 27001, PCI DSS, TISAX and HIPAA have rigid requirements, SOC 2 considers that controls are unique to every organization.

Each company designs its own controls to comply with its Trust Services Criteria.

An independent auditor is then brought in to verify whether the company’s controls satisfy SOC 2 requirements.

After the audit, the auditor writes a report about how well the company’s systems and processes comply with SOC 2.

Every organization that completes a SOC 2 audit receives a report, regardless of whether they passed the audit.

There are two types of SOC 2 reports:

  • A SOC 2 Type I report evaluates a company’s controls at a single point in time. It answers the question: are the security controls designed properly?
  • A SOC 2 Type II report assesses how those controls function over a period of time, generally 3-12 months. It answers the question: do the security controls a company has in place function as intended?

To choose between the two, consider your goals, cost, and timeline constraints.

A Type I report can be faster to achieve, but a Type II report offers greater assurance to your customers.

Topics Verified in SOC 2 Certification

1. Security

The Security Criteria are also known as the Common Criteria. They prove that a service organization’s systems and control environment are protected against unauthorized access and other risks.

Security is the only Trust Services Criteria required for every SOC 2 audit. The other criteria can be added to your report scope if your organization chooses, but they are not required to achieve SOC 2 compliance.

These are the security criteria needed for SOC 2:

  • CC1 – Control Environment
    Does the organization value integrity and security?
  • CC2 – Communication and Information
    Are policies and procedures in place to ensure security? Are they communicated well to both internal and external partners?
  • CC3 – Risk Assessment
    Does the organization analyze risk and monitor how changes impact that risk?
  • CC4 – Monitoring Controls
    Does the organization monitor, evaluate, and communicate the effectiveness of its controls?
  • CC5 – Control Activities
    Are the proper controls, processes, and technologies in place to reduce risk?
  • CC6 – Logical and Physical Access Controls
    Does the organization encrypt data? Does it control who can access data and restrict physical access to servers?
  • CC7 – System Operations
    Are systems monitored to ensure they function properly? Are incident response and disaster recovery plans in place?
  • CC8 – Change Management
    Are material changes to systems properly tested and approved beforehand?
  • CC9 – Risk Mitigation
    Does the organization mitigate risk through proper business processes and vendor management?

Implementation: Organizations must establish and maintain a set of security controls to protect against unauthorized access. This includes firewalls, encryption, access controls, and intrusion detection systems.

Audit: Auditors examine security policies, test the effectiveness of security controls, and review incident response plans.

Responsibility: Chief Information Security Officers (CISOs) and IT security teams are typically responsible for implementing and maintaining these controls.

2. Availability

Implementation: Ensuring systems are available involves implementing redundancy, disaster recovery plans, and maintaining system performance monitoring.

Audit: Auditors assess the organization’s ability to meet service level agreements (SLAs) and review backup and recovery procedures.

Responsibility: IT operations teams and service managers oversee availability aspects.

3. Processing Integrity

Implementation: Organizations must ensure that data processing is accurate and complete. This includes validating input data, processing logic, and output accuracy.

Audit: Auditors review data processing controls, check for errors, and validate processing integrity.

Responsibility: Data quality teams and IT personnel are responsible for maintaining processing integrity.

4. Confidentiality

Implementation: Protecting confidential information involves data encryption, access controls, and secure storage solutions.

Audit: Auditors evaluate the measures in place to protect confidential data and check compliance with confidentiality agreements.

Responsibility: Data protection officers (DPOs) and compliance teams handle confidentiality matters.

5. Privacy

Implementation: Organizations must adhere to privacy policies that govern the collection, use, and disposal of personal data. This involves data anonymization and consent management.

Audit: Auditors examine privacy policies, consent forms, and data handling procedures to ensure compliance with relevant privacy laws.

Responsibility: Privacy officers and legal teams are responsible for privacy compliance.

Conclusion

SOC 2 certification is a comprehensive framework that ensures organizations adhere to best practices in data security and management.

By certifying under SOC 2, organizations can demonstrate their commitment to protecting customer data, comply with regulatory requirements, and gain a competitive edge in the market.

Implementing and maintaining SOC 2 controls requires collaboration across various teams, including IT, security, operations, and legal departments, to ensure continuous compliance and security.


Mapping NIS2 requirements to the ISO 27001:2022 framework

We described here the process needed to perform a gap analysis for NIS2, but we did not add the details on how to approach this.

This article builds on the ISO 27001:2022 series, especially on the description of the Annex A controls. Make sure you are familiar with the ISO 27001:2022 requirements and with Annex A.

Introduction

The NIS2 Directive, aimed at strengthening network and information system security across the European Union, necessitates a thorough alignment with the latest iteration of the ISO 27001 standard, which was updated in 2022. This article explores a comprehensive methodology for conducting a gap analysis to ensure compliance with NIS2 using the framework provided by ISO 27001:2022.

Understand NIS2 Requirements

The NIS2 Directive expands upon its predecessor by setting stringent cybersecurity and resilience measures for essential and important entities across various sectors. Its key focus areas include incident response, supply chain security, and the security of network and information systems. These areas are critical in maintaining the integrity and availability of services that are vital to the internal market and public welfare.


The NIS2 Directive does not prescribe a specific set of controls for the affected companies.

Rather, it states that they should adopt measures that are appropriate to their specific risk profile, considering factors such as:

  • The state of the art in cybersecurity

  • The potential impact of incidents on their services

  • The costs of implementing the measures

  • The proportionality between the measures and the risks

The directive also refers to existing standards, guidelines, and best practices that can help entities to choose suitable controls. For example, it mentions:

  • The NIST Cybersecurity Framework

  • The ENISA Good Practices for Security of Internet of Things

  • The ETSI Technical Specification on Critical Security Controls for Effective Cyber Defense


Read here our collection of articles about the NIS2 directive.

Overview of ISO 27001:2022

ISO 27001:2022 establishes requirements for an Information Security Management System (ISMS), providing a systematic approach to managing sensitive company information so that it remains secure.

It covers people, processes, and IT systems by applying a risk management process, and it clearly defines information security control requirements in its Annex A.

Similarities

Despite the differences in scope, objectives, requirements and controls, there are some similarities between the NIS2 Directive and the ISO 27001:2022 standard.

Here are the most evident similarities:

  • Risk management: Both frameworks are based on the concept of risk management, which involves identifying, analyzing, evaluating, and treating the information security risks that affect the organization or the service.

  • Involvement and commitment of top management: Both frameworks require the involvement and commitment of top management, who are responsible for ensuring that the appropriate resources, roles and responsibilities are allocated to support the implementation and maintenance of the measures.

  • Importance of continuous improvement: Both frameworks emphasize the importance of continuous improvement, which involves monitoring, measuring, reviewing, and updating the measures to ensure they remain effective and relevant in a changing environment.

  • Cooperation and information sharing: Both frameworks encourage cooperation and information sharing among relevant stakeholders, such as authorities, regulators, customers, suppliers, and peers, to enhance the overall level of cybersecurity.

Mapping NIS2 to ISO27001:2022 requirements

The mapping begins with identifying the specific NIS2 requirements that are applicable to the organization.

Step 1: Identify NIS2 requirements

1. Scope of Application

  • Expansion of Affected Entities: NIS2 extends its requirements beyond the sectors covered by the original NIS Directive, including essential and important entities across various sectors such as energy, transport, health, and digital services.

2. Risk Management Measures

  • Comprehensive Security Requirements: Entities are required to implement appropriate technical and organizational measures to manage the risks posed to the security of network and information systems, including measures for incident handling, business continuity, and supply chain security.

3. Incident Response and Reporting

  • Incident Reporting Obligations: NIS2 mandates strict incident reporting requirements, where entities must notify relevant national authorities about significant cybersecurity incidents with potentially severe operational impacts, within a short timeframe.

4. Supply Chain Security

  • Security of Supply Chains and Supplier Relationships: Entities need to address cybersecurity risks not only within their own operations but also across their supply chains, ensuring that suppliers meet security requirements to protect against potential vulnerabilities and threats.

5. Interoperability and Cooperation

  • Enhanced Cooperation Among States: NIS2 emphasizes improved information sharing and coordinated response among EU member states, with mechanisms for cross-border collaboration in cybersecurity threat detection, response, and recovery.

6. Security and Network Systems

  • Strengthening of Security Practices: Detailed requirements on securing network and information systems, ensuring the integrity, availability, and confidentiality of services, particularly in critical infrastructure sectors.

7. Regulatory Oversight and Compliance

  • Increased Enforcement Powers: Regulatory authorities are granted more significant powers to enforce the Directive, including the ability to conduct audits, review compliance, and impose sanctions on entities failing to meet the cybersecurity requirements.

8. Financial Penalties

  • Penalties for Non-Compliance: NIS2 introduces substantial financial penalties for non-compliance, aimed at ensuring that entities take their cybersecurity obligations seriously.

9. Cybersecurity Measures Specificity

  • Detailed Guidelines and Standards: The Directive encourages the use of established standards and specifications to fulfill the required security measures, promoting best practices in cybersecurity management.


This step involves a detailed review of NIS2, focusing on the obligations that directly impact the organizational processes and security measures.

Step 2: Map requirements to the ISO 27001:2022 chapters

The next step is to map relevant chapters and controls in ISO 27001:2022 to these NIS2 requirements:

  • Chapter 4 (Context of the Organization) -> NIS2 1,4,5
    • Understand the external and internal issues that affect the ISMS, aligning with NIS2’s broader security requirements.
    • Identify whether the company falls into one of the two entity categories: Important or Essential.
    • An important step is also to identify and assess all external suppliers.
  • Chapter 5 (Leadership) -> NIS2 1,5,8
    • Ensure management’s commitment to the ISMS, mirroring NIS2’s emphasis on leadership and governance in cybersecurity.
  • Chapter 6 (Planning) -> NIS2 2,3,4,6
    • Address the assessment and treatment of information security risks, a core component of proactive compliance under NIS2.
    • Conduct a risk assessment to identify threats, vulnerabilities, and impacts on information assets.
    • Develop risk treatment plans to address identified risks, including mitigation, transfer, or acceptance.
  • Chapter 7 (Support) -> NIS2 5,7,9
    • Provide the framework for managing resources and operational planning.
    • Establish communication channels for reporting security incidents and seeking guidance on information security matters.
  • Chapter 8 (Operation) -> NIS2 2,3,4,6
    • Provide the framework for operational planning and control, and establish incident response and business continuity plans to mitigate the impact of security incidents and disruptions; this is crucial for implementing the technical and organizational measures required by NIS2.
  • Chapter 9 (Performance Evaluation) -> NIS2 8,9
    • Assess the performance of the ISMS, helping to ensure continuous improvement in line with NIS2’s dynamic compliance landscape.

Disclaimer:
This mapping is the author’s own interpretation, based on his personal opinion and understanding of the requirements. It is not the only possible interpretation and it is most probably not the best one available.


Conclusion

By mapping NIS2 requirements to the structured framework provided by ISO 27001:2022, organizations can not only ensure compliance but also strengthen their overall security posture.

It is important to understand that this alignment is not a one-time effort but a continuous process of adaptation and improvement, reflecting the dynamic nature of cybersecurity threats and regulatory requirements.

As such, organizations should focus on regular reviews and updates to their ISMS, ensuring that it remains robust, responsive, and compliant.


NIS-2: 10 common misconceptions about the regulation

We wrote here about NIS2 and we will continue to add more content about it.

Because we are getting closer to October 17th, many people are getting more and more nervous about NIS2.

Despite its significance, there are numerous misconceptions and misinterpretations circulating about the scope and implications of this regulation.

This article aims to clarify some of these misconceptions, which I collected mostly from LinkedIn and from articles about NIS-2.

Note:

“NIS2” and “NIS-2” are exactly the same thing. I am using both in this article only because of SEO.

1. NIS2 starts to apply in the EU on 17.10.2024

The truth is that the regulation has been applicable in the EU since it was approved. This deadline applies to the individual EU member states, which must transpose the NIS2 requirements into their local laws.

If national authorities fail to properly implement EU laws, the Commission may launch a formal infringement procedure against the country in question. If the issue is still not settled, the Commission may eventually refer the case to the Court of Justice of the European Union.


2. Limited scope of application

Contrary to the belief that NIS-2 only applies to large tech companies, the directive significantly broadens its scope compared to its predecessor, NIS.

NIS-2 extends beyond just critical infrastructure sectors like energy and transport, encompassing a wide array of sectors such as digital services, public administration, and healthcare.

It mandates a security and incident reporting framework that applies to both Essential and Important Entities, significantly expanding the list of sectors and services affected.

3. NIS-2 Is Just About Cybersecurity

While cybersecurity is a core component, NIS-2 is not merely about preventing cyberattacks. The directive emphasizes a comprehensive approach to security, which includes resilience against a wide range of threats.

This includes, but is not limited to:

  • supply chain security,
  • incident response, and
  • crisis management.

It establishes a baseline for security measures and incident notifications that entities must adhere to, ensuring a uniform level of security across member states.

4. NIS-2 compliance is the same across all EU countries

Although NIS-2 sets a framework for cybersecurity across the EU, member states have some flexibility in implementation. This means that there can be variations in how directives are enforced from one country to another, depending on local laws and regulations.

Companies operating across multiple jurisdictions need to be aware of and comply with local variations to ensure full compliance.

5. Heavy penalties are the main compliance driver

While it is true that NIS-2 can impose hefty fines for non-compliance, focusing solely on penalties misses the broader objective of the directive.

NIS-2 is designed to cultivate a culture of security and resilience. It encourages entities to proactively manage their cybersecurity risks and to collaborate with national authorities.

This cooperative approach is fundamental to enhancing the overall cybersecurity posture of the EU.

6. NIS-2 does not affect third-party suppliers

NIS-2 places explicit requirements on the security practices of third-party suppliers. Entities covered under the directive are required to ensure that their supply chains are secure.

This includes mandatory risk assessments and incident reporting requirements that extend to service providers, reflecting an understanding that security is only as strong as the weakest link in the supply chain.


7. NIS-2 contains rules for AI, IoT, Industry 4.0

NIS-2 sets a framework for cybersecurity and does not address any particular technology. However, the rules it describes can very well be applied to companies in fields like those mentioned, provided they fall under the regulation’s applicability.

Companies active in Digital Infrastructure Services (Internet Nodes, DNS Service Providers, TLD Registries, Cloud Providers, Data Centers, Content Delivery Networks, Trust Services, Communication Networks, Communication Services) and in ICT Service Management (B2B only) (Managed Services (IT, Networks/Infrastructure, Applications), Managed Security Services (Risk and Cyber Security)) are potentially directly affected by the regulation. However, there are clear criteria about which companies are affected.

8. Any company with activity in the domains marked as Important and Essential is affected by NIS-2

Although these domains are covered by the NIS-2 regulation, a company is affected only if it meets the following criteria:

  • Essential Entities (EE):
    • at least 250 employees and
    • 50 Mil € revenue
  • Important Entities (IE):
    • at least 50 employees and
    • 10 Mil € revenue

If a company doesn’t have these characteristics, then, in general, it is not affected by the regulation directly. It is highly recommended that even in such cases the companies follow the regulation’s requirements, since it will increase their resilience against cyber attacks.

However, an entity may still be considered “essential” or “important” even if it does not meet the size criteria, in specific cases such as when it is the sole provider of a critical service for societal or economic activity in a Member State.


9. All affected companies must certify for NIS-2

At the time of writing this post there is no certification for NIS-2. This might change in the future, especially because we don’t know at this time how the regulation will be implemented in each of the EU member states.

There are consulting companies that sell consulting services and guarantee that a company will get the “NIS-2 certification” if it buys their services. While buying consulting is in general a good thing, the only thing that can be obtained is help in meeting the requirements of the regulation.

I recommend staying away from offers that promise things that don’t exist.

10. Companies can buy software/hardware products to become compliant with NIS-2

Although conformity is sometimes made easier by using specialized software and hardware products, there is no requirement or recommendation to purchase anything.

Some security providers and consulting companies are offering off-the-shelf (OTS) products that promise immediate conformity with NIS-2 (or guarantee obtaining a “certification”, see point 9 above).

If you look at the series of articles in the NIS2 area of this website, you will see that quite a lot of steps actually involve an ISMS, a cybersecurity framework, cybersecurity products and so on.

These can be implemented with commercial or open source products, but you still need to know where and how to deploy them in order to become compliant.

I can very well imagine that there will be soon commercial offerings with sets of templates for implementing the NIS-2 requirements, just like there are with ISO 27001, TISAX and other certifications.


Understanding ISO 27001:2022 Annex A.8 – Asset Management


ISO 27001:2022 Annex A.8, “Asset Management,” addresses the importance of identifying, classifying, and managing information assets within an organization. This annex emphasizes the need for organizations to establish processes for inventorying assets, assessing their value, and implementing appropriate controls to protect them. In this technical educational article, we’ll explore how to implement Annex A.8 in practice, highlight its significance, and discuss the audit process for assessing compliance.

What is an Asset?

In the context of ISO 27001:2022, an asset refers to anything that has value to an organization and needs to be protected.

This includes both tangible and intangible assets, such as:

  • Physical assets:
    • hardware and equipment
    • buildings
    • vehicles
  • People
    • Employees
    • Customers
    • Suppliers
  • Software
  • Intangible
    • Data
    • Intellectual property
    • Proprietary information
    • Reputation
    • Market Share

ISO 27001:2022 recognizes that assets come in various forms and play a crucial role in achieving an organization’s objectives.

What makes an asset worth adding to the list?

Here are some key points to consider regarding assets in the context of ISO 27001:2022:

  1. Identification: Organizations need to identify and inventory all their assets, including both tangible and intangible ones. This involves understanding what assets the organization possesses, where they are located, and who has ownership or responsibility for them. If this can be done, then the asset is valuable enough to be considered for management.
  2. Classification: Assets should be classified based on their value, sensitivity, and criticality to the organization. This classification helps prioritize protection efforts and allocate resources effectively. For example, sensitive customer data may be classified as a high-value asset requiring stringent security measures. If an asset is classified in a category that makes it important for the company, then it should definitely be managed.
  3. Risk Management: Assets are subject to various risks, including cybersecurity threats, natural disasters, and human error. Organizations need to conduct risk assessments to identify and mitigate threats to their assets effectively. This involves evaluating the likelihood and potential impact of risks and implementing controls to reduce risk to an acceptable level.
  4. Protection: Based on the risk assessment for an asset, organizations must implement appropriate controls to protect their assets from unauthorized access, disclosure, alteration, or destruction. This includes measures such as access controls, encryption, backup procedures, and physical security measures. Depending on the measures identified, an asset can be quite expensive to protect, but losing or damaging it might prove to be even more expensive.


Importance of Asset Management

Effective asset management is crucial for organizations to safeguard their information assets, optimize resource allocation, and mitigate risks. Annex A.8 underscores this importance by:

  1. Risk Reduction: Identifying and classifying information assets helps organizations prioritize security measures and allocate resources effectively to mitigate risks.
  2. Compliance: Maintaining an accurate inventory of assets and implementing appropriate controls ensures compliance with regulatory requirements and industry standards.
  3. Cost Savings: Efficient asset management practices enable organizations to optimize resource utilization and avoid unnecessary expenses associated with redundant or underutilized assets.

Implementing Annex A.8 in Practice

To effectively implement Annex A.8, organizations can follow these practical steps:

  1. Asset Identification: Begin by identifying all information assets within the organization, including hardware, software, data, and intellectual property. Establish criteria for identifying assets, such as ownership, criticality, and sensitivity. Example: Develop an asset inventory list categorizing assets based on their type, location, owner, and importance to business operations.
  2. Asset Classification: Classify information assets based on their value, sensitivity, and criticality to the organization. Define classification levels or categories to differentiate between assets requiring different levels of protection. Example: Classify data assets as public, internal use only, confidential, or restricted based on their sensitivity and impact on the organization if compromised.
  3. Asset Ownership: Assign ownership responsibilities for each information asset to designated individuals or departments within the organization. Clearly define roles and responsibilities for managing and protecting assigned assets. Example: Assign data ownership responsibilities to business units or functional departments responsible for creating, accessing, or managing specific types of data.
  4. Risk Assessment: Conduct risk assessments to identify threats, vulnerabilities, and potential impacts on information assets. Assess the likelihood and impact of potential risks to prioritize mitigation efforts. Example: Perform a vulnerability assessment to identify weaknesses in IT systems and applications that could expose information assets to security threats.
  5. Control Implementation: Implement appropriate controls to protect information assets from unauthorized access, disclosure, alteration, or destruction. Select controls based on the results of risk assessments and compliance requirements. Example: Implement access control mechanisms, such as user authentication, role-based access control (RBAC), and encryption, to safeguard sensitive information assets from unauthorized access.
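The five steps above can be carried by a small asset register that checks each entry for the things an auditor will ask about: owner and location recorded, a classification assigned, a likelihood x impact score, and the baseline controls that classification calls for. The code below is an added example, not from the article or any product; the asset names, owners, scores, the control names and the mapping of classification levels to baseline controls are constructed for illustration and are not identifiers from the standard.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Classification(IntEnum):
    """Classification levels used in the article's step 2 example."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    RESTRICTED = 4


# Constructed baseline: the minimum controls this register expects per level.
# Control names are illustrative, not control identifiers from ISO 27001.
BASELINE_CONTROLS: Dict[Classification, Set[str]] = {
    Classification.PUBLIC: {"backup"},
    Classification.INTERNAL: {"backup", "authentication"},
    Classification.CONFIDENTIAL: {"backup", "authentication", "rbac", "encryption_at_rest"},
    Classification.RESTRICTED: {"backup", "authentication", "rbac",
                                "encryption_at_rest", "mfa", "physical_security"},
}

# Constructed risk acceptance level: likelihood (1-5) x impact (1-5) above this
# must be treated (mitigated, transferred or formally accepted by the owner).
RISK_ACCEPTANCE_THRESHOLD = 8


@dataclass
class Asset:
    name: str
    kind: str                       # hardware, software, data, ip, ...
    location: str                   # step 1: where the asset lives
    owner: Optional[str]            # step 3: who is accountable for it
    classification: Classification  # step 2
    likelihood: int                 # step 4: 1 (rare) .. 5 (almost certain)
    impact: int                     # step 4: 1 (negligible) .. 5 (severe)
    controls: Set[str] = field(default_factory=set)  # step 5: controls in place

    def __post_init__(self) -> None:
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {label} must be 1..5, got {value}")

    def inventory_gaps(self) -> List[str]:
        """Identification/ownership checks: an entry without these cannot be managed."""
        gaps = []
        if not self.owner:
            gaps.append("no owner assigned")
        if not self.location:
            gaps.append("location unknown")
        return gaps

    def risk_score(self) -> int:
        return self.likelihood * self.impact

    def missing_controls(self) -> Set[str]:
        """Controls the classification calls for that are not yet implemented."""
        return BASELINE_CONTROLS[self.classification] - self.controls


def assess_register(assets: List[Asset]) -> Dict[str, dict]:
    """Run the checks over a register and return one finding per asset."""
    findings = {}
    for a in assets:
        score = a.risk_score()
        missing = a.missing_controls()
        findings[a.name] = {
            "inventory_gaps": a.inventory_gaps(),
            "risk_score": score,
            "missing_controls": missing,
            # treatment is needed if the risk exceeds the acceptance level or
            # the baseline controls for the classification are incomplete
            "needs_treatment": score > RISK_ACCEPTANCE_THRESHOLD or bool(missing),
        }
    return findings


def prioritized(assets: List[Asset]) -> List[str]:
    """Asset names ordered by risk score, then classification, highest first."""
    ranked = sorted(assets, key=lambda a: (a.risk_score(), int(a.classification)), reverse=True)
    return [a.name for a in ranked]


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Asset("customer-db", "data", "eu-west-1 managed database", "Data Platform team",
          Classification.RESTRICTED, likelihood=3, impact=5,
          controls={"backup", "authentication", "rbac", "encryption_at_rest"}),
    Asset("marketing-site", "software", "public CDN", "Marketing",
          Classification.PUBLIC, likelihood=4, impact=1, controls={"backup"}),
    Asset("build-server", "hardware", "office DC rack 3", None,
          Classification.INTERNAL, likelihood=2, impact=4, controls={"authentication"}),
    Asset("scanner-engine-source", "ip", "", "Engineering",
          Classification.CONFIDENTIAL, likelihood=2, impact=5,
          controls={"backup", "authentication", "rbac", "encryption_at_rest"}),
]

if __name__ == "__main__":
    findings = assess_register(SAMPLE_REGISTER)
    for name in prioritized(SAMPLE_REGISTER):
        f = findings[name]
        print(f"{name:24} score={f['risk_score']:2} treat={f['needs_treatment']} "
              f"gaps={f['inventory_gaps']} missing={sorted(f['missing_controls'])}")
```

Note that "scanner-engine-source" has every baseline control in place and still needs a treatment decision because its score exceeds the acceptance level; the register separates "controls missing" from "residual risk too high", which is the distinction an auditor looks for.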

Audit of Compliance with Annex A.8

Auditing compliance with Annex A.8 is essential for evaluating an organization’s adherence to asset management requirements. Here’s how the audit process typically unfolds:

  1. Audit Preparation: The organization gathers documentation related to asset management policies, procedures, and controls. An audit team is appointed to facilitate the audit process.
  2. Audit Planning: The audit team defines the audit scope, objectives, and criteria. They develop an audit plan outlining the audit activities, timelines, and responsibilities of auditors and auditees.
  3. On-site Audit: Auditors conduct on-site visits to assess the implementation of asset management controls. They review documentation, interview personnel, and observe asset management practices in action. Auditors may use checklists or standardized assessment tools to evaluate compliance.
  4. Audit Findings: After the on-site audit, auditors analyze their findings and identify areas of non-compliance or improvement opportunities. They document their observations, including strengths and weaknesses in the organization’s approach to asset management.
  5. Reporting: Auditors prepare an audit report summarizing their findings, conclusions, and recommendations for corrective actions. The report is shared with senior management and relevant stakeholders for review and action.
  6. Follow-up: Management addresses audit findings by implementing corrective actions and improvements as recommended. Follow-up audits may be conducted to verify the effectiveness of corrective measures and ensure ongoing compliance with Annex A.8 requirements.

Conclusions

ISO 27001:2022 Annex A.8 highlights the importance of asset management in safeguarding information assets and mitigating risks. By implementing robust processes for identifying, classifying, and managing information assets, organizations can optimize resource allocation, ensure compliance, and enhance their security posture. Regular audits help assess compliance with Annex A.8 requirements and drive continuous improvement in asset management practices. Prioritizing asset management is essential for organizations seeking to protect their valuable information assets and maintain trust in their operations.

The post Understanding ISO 27001:2022 Annex A.8 – Asset Management first appeared on Sorin Mustaca on Cybersecurity.

Understanding ISO 27001:2022 Annex A.6 – Organization of Information Security

We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented.

We start today with ISO 27001:2022 Annex A.6, “Organization of Information Security”, which outlines requirements for establishing an effective management framework to govern information security within an organization. This annex emphasizes the importance of defining roles, responsibilities, and processes to ensure the confidentiality, integrity, and availability of information assets.

In this technical educational article, we’ll explore how to implement Annex A.6 in practice and elucidate the audit process for assessing compliance.


Importance of Organization of Information Security

A well-organized approach to information security is essential for maintaining the confidentiality, integrity, and availability of organizational assets. Annex A.6 helps organizations achieve this by:

  1. Defining Responsibilities: Clearly delineating roles and responsibilities ensures accountability for information security tasks across the organization.
  2. Establishing Processes: Formalizing processes for risk management, incident response, and access control streamlines security operations and enhances responsiveness to security incidents.
  3. Ensuring Compliance: Implementing a structured framework for information security governance helps organizations meet regulatory and compliance requirements.

Implementing Annex A.6 in Practice

To effectively implement Annex A.6, organizations can follow these practical steps:

  1. Define Information Security Roles and Responsibilities: Identify key stakeholders responsible for information security governance, including senior management, IT personnel, data owners, and end-users. Clearly define their roles and responsibilities in safeguarding information assets. Example: Establish a Security Steering Committee comprising senior management representatives and department heads to oversee information security initiatives and decision-making.
  2. Develop Information Security Policies and Procedures: Create comprehensive policies and procedures covering areas such as access control, risk management, incident response, and asset management. Ensure alignment with organizational objectives and regulatory requirements. Example: Develop an Incident Response Plan outlining the steps to be followed in the event of a security incident, including incident detection, containment, eradication, and recovery.
  3. Implement Security Controls: Deploy technical and administrative controls to mitigate security risks and protect information assets. These controls may include firewalls, intrusion detection systems, encryption mechanisms, and user access controls. Example: Implement role-based access control (RBAC) to restrict access to sensitive information based on users’ roles and responsibilities within the organization.
  4. Provide Training and Awareness Programs: Educate employees about their roles in maintaining information security and raise awareness about common security threats and best practices. Conduct regular training sessions and awareness campaigns to reinforce security protocols. Example: Offer cybersecurity awareness training to employees covering topics such as phishing awareness, password hygiene, and social engineering tactics.
  5. Establish Security Incident Management Procedures: Develop procedures for reporting, investigating, and responding to security incidents promptly. Define escalation paths and communication channels to ensure swift resolution of incidents. Example: Establish a Security Incident Response Team (SIRT) tasked with coordinating incident response efforts, conducting forensic investigations, and implementing remediation measures.

Auditing Compliance with Annex A.6

Audits play a crucial role in evaluating an organization’s compliance with Annex A.6 requirements. Here’s how the audit process typically unfolds:

  1. Audit Preparation: The organization gathers documentation related to information security policies, procedures, and controls. An audit team is appointed to facilitate the audit process.
  2. Audit Planning: The audit team defines the audit scope, objectives, and criteria. They develop an audit plan outlining the audit activities, timelines, and responsibilities of auditors and auditees.
  3. On-site Audit: Auditors conduct on-site visits to assess the implementation of information security controls. They review documentation, interview personnel, and observe security practices in action. Auditors may use checklists or standardized assessment tools to evaluate compliance.
  4. Audit Findings: After the on-site audit, auditors analyze their findings and identify areas of non-compliance or improvement opportunities. They document their observations, including strengths and weaknesses in the organization’s approach to information security.
  5. Reporting: Auditors prepare an audit report summarizing their findings, conclusions, and recommendations for corrective actions. The report is shared with senior management and relevant stakeholders for review and action.
  6. Follow-up: Management addresses audit findings by implementing corrective actions and improvements as recommended. Follow-up audits may be conducted to verify the effectiveness of corrective measures and ensure ongoing compliance with Annex A.6 requirements.

Conclusion

ISO 27001:2022 Annex A.6 underscores the importance of establishing a structured framework for organizing information security within an organization.

By following best practices for defining roles, responsibilities, processes, and controls, organizations can strengthen their security posture and mitigate risks effectively. Regular audits help assess compliance with Annex A.6 requirements and drive continuous improvement in information security governance.

The post Understanding ISO 27001:2022 Annex A.6 – Organization of Information Security first appeared on Sorin Mustaca on Cybersecurity.

Annex A of ISO 27001:2022 explained and tips to prepare for an audit

In the previous article, ISO 27001:2022: chapter by chapter description, we wrote about ISO 27001:2022 Annex A.

Annex A of ISO 27001:2022 is a vital component of the standard, outlining a comprehensive set of controls that organizations can implement to mitigate information security risks effectively.

These controls cover a wide range of areas, including physical security, human resources, access control, and cryptography.

In this article, we go into each category of the Annex A controls, explore practical implementation strategies, and discuss auditing methodologies to ensure compliance and effectiveness.

This article only describes the categories and the strategies for implementation; the next articles will address each category and its controls in detail.

Understanding Annex A Controls

Annex A of ISO 27001:2022 contains 14 control categories, each addressing specific aspects of information security management.

  1. Information Security Policies
  2. Organization of Information Security
  3. Human Resource Security
  4. Asset Management
  5. Access Control
  6. Cryptography
  7. Physical and Environmental Security
  8. Operations Security
  9. Communications Security
  10. System Acquisition, Development, and Maintenance
  11. Supplier Relationships
  12. Information Security Incident Management
  13. Information Security Continuity
  14. Compliance

Each of these categories encompasses a set of controls designed to address specific aspects of information security management within an organization. These categories encompass policies, procedures, and technical and organizational measures designed to safeguard critical assets, prevent unauthorized access, and mitigate security threats.


The primary purpose of Annex A controls is to guide organizations in selecting appropriate security measures based on their specific context and identified risks. They are not mandatory requirements but serve as best practices for information security management.

Compared to the 2013 version, ISO 27001:2022 streamlines Annex A. The number of controls is reduced from 114 to 93, with 11 new additions reflecting evolving security threats.

The 2022 revision of ISO 27001 restructured Annex A controls into four main categories:

Main Categories of ISO 27001:2022 Controls

1. Organizational Security

This category focuses on establishing the organizational framework and governance structure necessary to manage information security effectively. It encompasses policies, procedures, and responsibilities for safeguarding information assets and ensuring compliance with regulatory requirements.

Sub-Categories:

  • Information Security Policies (A.5)
  • Organization of Information Security (A.6)
  • Human Resource Security (A.7)
  • Asset Management (A.8)

2. Technical Security

This category addresses the technical aspects of information security, including access control, cryptography, and secure system development and maintenance. It involves implementing controls and measures to protect information assets from unauthorized access, alteration, or disclosure.

Sub-Categories:

  • Access Control (A.9)
  • Cryptography (A.10)
  • Physical and Environmental Security (A.11)
  • Operations Security (A.12)
  • Communications Security (A.13)
  • System Acquisition, Development, and Maintenance (A.14)

3. External Relationships

This category focuses on managing security risks associated with external relationships, such as third-party suppliers and service providers. It involves assessing and monitoring the security posture of external parties and establishing contractual agreements to ensure compliance and data protection.

Sub-Categories:

  • Supplier Relationships (A.15)


4. Incident Management and Continuity Planning

This category addresses preparedness and response to security incidents, as well as ensuring business continuity in the event of disruptions. It involves developing incident response plans, conducting drills, and implementing measures to minimize the impact of incidents on business operations.

Sub-Categories:

  • Information Security Incident Management (A.16)
  • Information Security Continuity (A.17)
  • Compliance (A.18)

By categorizing the controls into these main categories, organizations can better understand the holistic approach required to manage information security effectively. Each category addresses specific aspects of security management, ensuring comprehensive coverage and alignment with ISO 27001:2022 requirements.


Implementation in Practice

Implementing Annex A controls requires a systematic approach tailored to the organization’s unique needs and risk profile.

Organizations should start by conducting a gap analysis and a comprehensive risk assessment to identify vulnerabilities and prioritize control implementation.

Based on the assessment findings, organizations can develop action plans to address gaps and deploy appropriate controls across different layers of their information systems.

For example,

  • implementing access control measures may involve defining user roles and privileges, implementing authentication mechanisms, and enforcing least privilege principles.
  • deploying encryption controls may require selecting suitable encryption algorithms, managing encryption keys, and implementing secure transmission protocols.

While Annex A offers a rich library of controls, remember, it’s not a one-size-fits-all approach. Organizations should conduct a risk assessment to identify their specific vulnerabilities and choose the most relevant controls.

Remember:

  • Risk-Based Approach: Always prioritize controls that address the most significant information security risks identified in your organization.
  • Documentation: Document the implemented controls and how they address identified risks. This is crucial for audit purposes.
  • Continuous Improvement: Regularly review the effectiveness of your controls and update them as needed to adapt to evolving threats and organizational changes.

Summary of the 14 control categories of ISO 27001:2022

1. Information Security Policies (A.5)

Implementation

Develop comprehensive policies outlining security objectives, roles, and responsibilities.

Audit

Review policy documents for completeness, relevance, and alignment with organizational goals. Assess the effectiveness of policy communication and awareness initiatives.

2. Organization of Information Security (A.6)

Implementation

Designate an Information Security Officer (ISO) and establish clear reporting lines. Develop procedures for risk management and incident response.


Audit

Evaluate the clarity of roles and responsibilities within the security hierarchy. Review documentation for consistency and effectiveness.

3. Human Resource Security (A.7)

Implementation

Conduct background checks during recruitment, provide security training, and define procedures for employee departures.


Audit

Verify the existence of background checks and training records. Review access controls and permissions to ensure alignment with job roles.

4. Asset Management (A.8)

Implementation

Conduct an inventory of assets, classify based on criticality, and implement procedures for handling, storing, and disposing of assets.


Audit

Verify the accuracy of the asset inventory, assess the effectiveness of controls for managing assets, and review compliance with data protection regulations.

5. Access Control (A.9)

Implementation

Define access control policies, implement authentication mechanisms, and enforce least privilege principles.


Audit

Review access control lists, test authentication mechanisms, and analyze access logs for unauthorized activities.

6. Cryptography (A.10)

Implementation

Identify cryptographic requirements, implement encryption algorithms, and manage encryption keys securely.


Audit

Review cryptographic policies, assess the strength of encryption algorithms, and verify the integrity of key management practices.

7. Physical and Environmental Security (A.11)

Implementation

Implement physical access controls, surveillance systems, and environmental controls.

Audit

Conduct site visits to assess physical security measures, review access logs, and verify compliance with environmental control standards.

8. Operations Security (A.12)

Implementation

Develop procedures for system backups, change management, and incident response.

Audit

Review operational procedures, assess the effectiveness of malware protection, and analyze incident response plans.

9. Communications Security (A.13)

Implementation

Secure communication channels, implement encryption protocols, and establish procedures for remote access.

Audit

Review network configurations, assess the strength of encryption protocols, and analyze network logs for suspicious activities.

10. System Acquisition, Development, and Maintenance (A.14)

Implementation

Define secure coding practices, conduct security assessments, and implement change management procedures.

Audit

Review software development policies, assess code review and testing processes, and analyze change management records.

11. Supplier Relationships (A.15)

Implementation

Assess supplier security posture, establish contractual agreements, and monitor supplier performance.

Audit

Review supplier contracts, assess supplier assessment processes, and verify compliance with contractual security requirements.

12. Information Security Incident Management (A.16)

Implementation

Develop an incident response plan, define roles and responsibilities, and conduct regular drills.

Audit

Review the incident response plan, assess incident detection and response procedures, and analyze incident reports.

13. Information Security Continuity (A.17)

Implementation

Develop a business continuity plan, implement backup and recovery procedures, and conduct regular tests.

Audit

Review the business continuity plan, assess backup and recovery procedures, and analyze test results.

14. Compliance (A.18)

Implementation

Identify applicable regulations, develop policies and procedures, and conduct regular audits.

Audit

Review compliance documentation, assess compliance monitoring processes, and verify compliance with regulatory requirements.

Next article:

In the next article we analyze each of the categories of Annex A of ISO 27001:2022.

The post Annex A of ISO 27001:2022 explained and tips to prepare for an audit first appeared on Sorin Mustaca on Cybersecurity.

ISO 27001:2022: chapter by chapter description

I’ve been asked many times by customers, especially those in the automotive industry who deal with the TISAX certification (which is based on ISO 27001), if I can make them a summary of the ISO 27001 standard.

It turns out that it has been a while since I read it; I think it was somewhere in 2016. That was ISO 27001:2013, and in the meantime version 2022 was released.

So, let’s start with the delta between 2013 and 2022 and then focus on each chapter. For each chapter, we briefly explain the goal, the actions required to implement the requirement, and the implementation of the controls.

What’s New in ISO 27001:2022

The October 2022 revision of ISO 27001 incorporates several updates and enhancements compared to the previous 2013 version. The changes were mostly cosmetic and include restructuring and refining existing requirements.

The biggest change is Annex A, whose specific controls are derived from ISO 27002:2022.

One significant change is the increased emphasis on the context of the organization, requiring organizations to conduct more comprehensive assessments of internal and external factors that impact information security.

The Annex A controls have been restructured and consolidated to reflect current security challenges and to reflect more modern risks and their associated controls.

Additionally, there is a greater focus on leadership involvement and accountability, with explicit requirements for top management to demonstrate active participation in setting information security objectives and promoting a culture of security awareness.

The revised standard also introduces updated terminology and references to align with current industry practices and emerging technologies, reflecting the evolving landscape of information security threats and challenges.

Chapters 1-3: Scope, Normative References, and Terms and Definitions

These chapters set the stage: they establish a common understanding of key terms used in the standard and identify relevant standards and guidelines that complement ISO 27001 requirements.


Chapter 4: Context of the Organization

Goal

Understand the internal and external factors that influence the organization’s information security objectives and risk management approach.

Actions

  1. Identify internal stakeholders, including management, employees, and third-party vendors.
  2. Assess external factors such as regulatory requirements, market trends, and competitive landscape.
  3. Determine the organization’s risk tolerance and strategic objectives.

Implementation

Conduct a SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis to identify internal strengths and weaknesses, as well as external opportunities and threats. Use this analysis to inform decision-making and prioritize information security initiatives.

Chapter 5: Leadership

Goal

Demonstrate commitment from top management to establish and maintain an effective ISMS.

Actions

  1. Assign responsibility for information security to senior management.
  2. Establish a governance structure to oversee the ISMS implementation.
  3. Allocate resources and provide support for information security initiatives.

Implementation

Engage senior management through regular communication and reporting on information security performance and compliance. Obtain leadership buy-in for resource allocation and organizational changes necessary to support the ISMS.

Chapter 6: Planning

Goal

Develop a strategic approach to identify, assess, and mitigate information security risks.

Actions

  1. Conduct a risk assessment to identify threats, vulnerabilities, and impacts on information assets.
  2. Develop risk treatment plans to address identified risks, including mitigation, transfer, or acceptance.
  3. Define information security objectives and performance metrics to measure the effectiveness of the ISMS.

Implementation

Establish a cross-functional risk management team to conduct risk assessments and develop risk treatment plans. Define clear objectives and key performance indicators (KPIs) to track progress and ensure alignment with business goals.

Chapter 7: Support

Goal

Provide the necessary resources, competencies, and awareness to support the implementation and operation of the ISMS.

Actions

  1. Allocate financial, human, and technical resources to support information security initiatives.
  2. Provide training and awareness programs to enhance employee competencies and promote a culture of security.
  3. Establish communication channels for reporting security incidents and seeking guidance on information security matters.

Implementation

Develop a comprehensive training and awareness program tailored to different roles and responsibilities within the organization. Implement mechanisms for reporting security incidents and provide timely support and guidance to address emerging threats.

Chapter 8: Operation

Goal

Implement and maintain controls to manage information security risks effectively.

Actions

  1. Implement security controls based on the results of the risk assessment and risk treatment plans.
  2. Monitor and review security controls regularly to ensure effectiveness and compliance with policies and procedures.
  3. Establish incident response and business continuity plans to mitigate the impact of security incidents and disruptions.

Implementation

Automate routine security tasks where possible to streamline operations and improve efficiency. Conduct regular audits and assessments to verify compliance with security policies and procedures. Continuously improve security controls based on lessons learned from security incidents and emerging threats.

Chapter 9: Performance Evaluation

Goal

Monitor, measure, analyze, and evaluate the performance of the ISMS to ensure its effectiveness and continual improvement.

Actions

  1. Define key performance indicators (KPIs) to measure the effectiveness of information security controls.
  2. Conduct internal audits and management reviews to assess compliance with ISO 27001 requirements and identify areas for improvement.
  3. Implement corrective and preventive actions to address non-conformities and enhance the performance of the ISMS.

Implementation

Establish a performance monitoring and reporting framework to track progress against established KPIs. Use data-driven insights to identify trends, patterns, and areas for improvement. Engage stakeholders in regular reviews and discussions to foster a culture of continual improvement.

Chapter 10: Improvement

Goal

Take corrective and preventive actions to address non-conformities, enhance the effectiveness of the ISMS, and achieve continual improvement.

Actions

  1. Implement corrective actions to address non-conformities identified during audits, assessments, or incident investigations.
  2. Identify opportunities for preventive actions to mitigate potential risks and prevent recurrence of security incidents.
  3. Document lessons learned and best practices to inform future decision-making and enhance the maturity of the ISMS.

Implementation

Establish a formal process for documenting and tracking corrective and preventive actions. Encourage proactive identification and resolution of issues to prevent their escalation. Foster a culture of innovation and collaboration to drive continual improvement across the organization.

What’s next?

We will focus in one of the next articles on Annex A of ISO 27001:2022.

The information security controls listed in Table A.1 are directly derived from and aligned with those listed in ISO/IEC 27002:2022, Clauses 5 to 8, and shall be used in context with 6.1.3. Information security risk treatment.


The post ISO 27001:2022: chapter by chapter description first appeared on Sorin Mustaca on Cybersecurity.

Balancing functionality and privacy concerns in AI-based Endpoint Security solutions

The integration of Artificial Intelligence (AI) in endpoint security has revolutionized the way organizations protect their devices and data.

Ok, let’s take a break here: have you read the article about Artificial Intelligence vs. Machine Learning?

By leveraging AI and machine learning models that analyze user behavior on devices, organizations can detect anomalies and potential security threats more effectively.

However, this advanced approach to endpoint security raises significant privacy concerns, as it necessitates the collection of user activity data, sometimes in real time.

One thing needs to be clear: if you want to do anomaly detection, you need to train your ML model with what “normal” is first – this is called “baseline”. And this means that data needs to be collected from the user.

Now the question remains, how can we reduce the privacy concerns?

This short article explores the privacy challenges I think are associated with using AI models that require user data (behavior), discusses potential solutions, and suggests ways to deploy AI on devices while minimizing privacy concerns.

What are the privacy concerns when data is collected for training an ML model?

Data Collection and Usage

Collecting user data for AI-driven endpoint security involves monitoring and logging user activities on devices.

This process includes:

  • capturing information about the applications used (URLs accessed, CPU usage, memory usage)
  • websites visited and items clicked
  • files accessed
  • applications installed
  • applications started
  • time of login, logout, inactivity
  • webcam usage
  • microphone usage
  • biometrics

This data is essential for creating baselines of normal behavior and identifying deviations that might indicate security threats.

This extensive data collection raises concerns about user privacy, as it creates a comprehensive profile of a user’s digital activities.

AI-based endpoint security solutions can infer or predict sensitive information from non-sensitive forms of data, such as user preferences, interests, or behaviors.

This can enable the systems to provide personalized or customized services or recommendations, but it can also violate the privacy or autonomy of the users or the owners of the devices or networks.

For example, someone’s keyboard typing patterns can be analyzed to deduce their emotional state, including emotions such as nervousness, confidence, sadness or anxiety.

Data Security

Safeguarding the collected user data is critical, as it contains sensitive information about an individual’s online behavior.

The risk of data breaches or unauthorized access to this information poses a significant privacy threat.

Where is this data stored, for how long, how is it stored, who has access to it, how is it going to be used or processed and by whom: these are just a few of the questions that need to be asked.

GDPR makes clear what the responsibilities of the controller and the processor(s) of the data are.

Transparency and Consent

A good user experience for a security product means that users are as unaware as possible that their activity data is being collected for security purposes.

Ensuring transparency and obtaining explicit user consent for data collection is critical. Without clear communication, users may feel their privacy is being violated.

Data Retention

Storing user data indefinitely can compound privacy concerns. Organizations should establish clear data retention policies, specifying how long the data will be retained and under what circumstances it will be deleted.


User Profiling and Discrimination

The detailed user activity data collected for AI analysis can lead to user profiling, which may be used for purposes beyond cybersecurity, such as targeted advertising.

AI-based endpoint security solutions can make automated decisions or recommendations based on the data they analyze, such as blocking access, flagging anomalies, or prioritizing alerts.

Discriminatory decisions and practices can arise from the insights drawn from user behavior data: these decisions or recommendations can be discriminatory, unfair, inaccurate, or biased if the data or the algorithms are flawed, incomplete, or skewed.

For example, people can be misclassified, misidentified, or judged negatively, and such errors or biases may disproportionately affect certain demographics.

Solutions to address privacy concerns

The solutions to address these concerns are actually not new; they are covered pretty well by the GDPR and other privacy laws worldwide.

They are:

Data Minimization

Organizations should adopt a data minimization approach, collecting only the data necessary for security purposes. This is definitely not as easy as it sounds.

In security, you usually collect as much as possible, because the more you know about your target, the better it is for the ML model (better detection, fewer false positives).

However, the compliance department should be involved from the early stages of developing the product in order to control what is being collected.

Anonymization

Anonymizing user data can be a privacy-enhancing technique. By removing personally identifiable information from collected data, the risk of individual users being identified is reduced.

This works well when data is collected from many computers, but when the solution works on a single computer, it usually needs time to “learn” the user’s behavior.

There is nothing anonymous there, and this is usually OK as long as this data is not sent to the backend for further processing and analysis.

Encryption

Encrypting the data collected for AI analysis ensures that even if a breach occurs, the information remains unreadable and inaccessible to unauthorized parties.

When “cleaned up” data needs to be sent, it must be sent encrypted and kept encrypted at rest at all times.

Informed consent

Transparently informing users about data collection and obtaining their explicit consent is a fundamental step in addressing privacy concerns.

Users should have the option to opt in or out of data collection at any time. The ML models must therefore be able to cope without any given dataset, because it could disappear at any time.

Data deletion

After the data is no longer needed for security analysis, organizations should ideally erase it; if this is not possible, they should remove any direct or indirect association with individual users.
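As an added example (not the author’s or any product’s code), the following Python sketch ties together the “baseline” requirement from the start of the article with the data minimization, anonymization and data retention points above: a baseline of “normal” is learned only from minimized, in-window records, and the user identifier is replaced by a keyed hash before a record could be stored or sent. The feature names, the 30-day window, the key and all events are constructed assumptions.

```python
"""Privacy-minded on-device baseline for behavioural anomaly detection.
Added example, not the author's product code: a baseline of "normal" is learned first;
only the features the detector needs are kept (data minimization); the user name becomes
a keyed hash (pseudonymization); records older than the retention window are dropped
before anything is stored or sent. All events and the key below are constructed."""
import hashlib, hmac, statistics
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30
KEEP_FIELDS = ("login_hour", "apps_started", "files_accessed")  # minimized feature set
Z_THRESHOLD = 3.0                                               # anomaly cut-off (z-score)
PSEUDONYM_KEY = b"constructed-device-local-secret"              # must stay on the device
NOW = datetime(2024, 6, 30, 12, tzinfo=timezone.utc)            # fixed "now" for the demo

def raw_event(ts, login_hour, apps_started, files_accessed):
    """Constructed raw record, richer than the detector needs (URLs, webcam state)."""
    return {"user": "alice", "ts": ts, "login_hour": login_hour, "apps_started": apps_started,
            "files_accessed": files_accessed, "urls": ["https://intranet.example/"], "webcam": False}

RAW_EVENTS = [
    raw_event("2024-06-03T08:05:00+00:00", 8, 10, 30),
    raw_event("2024-06-04T09:01:00+00:00", 9, 12, 40),
    raw_event("2024-06-05T09:12:00+00:00", 9, 11, 35),
    raw_event("2024-06-06T08:47:00+00:00", 8, 13, 45),
    raw_event("2024-06-07T10:02:00+00:00", 10, 12, 38),
    raw_event("2024-04-01T09:00:00+00:00", 9, 11, 36),  # older than 30 days: pruned
]

def minimize(event):
    """Data minimization: keep only the features the baseline needs."""
    return {k: event[k] for k in KEEP_FIELDS}

def pseudonymize(user, key=PSEUDONYM_KEY):
    """Keyed hash: a backend cannot map the record back to a person without the key."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]

def prune(events, now=NOW, retention_days=RETENTION_DAYS):
    """Retention: discard records older than the window before they are used or stored."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in events if datetime.fromisoformat(e["ts"]) >= cutoff]

def build_baseline(events):
    """'Normal' = per-feature mean and sample std-dev over in-window, minimized events."""
    rows = [minimize(e) for e in prune(events)]            # needs at least two rows
    return {f: (statistics.mean([r[f] for r in rows]), statistics.stdev([r[f] for r in rows]))
            for f in KEEP_FIELDS}

def anomaly_score(event, baseline):
    """Largest per-feature z-score; a zero-variance feature gives 0 on a match, inf otherwise."""
    z = [abs(event[f] - m) / sd if sd else (0.0 if event[f] == m else float("inf"))
         for f, (m, sd) in baseline.items()]
    return max(z)

def is_anomalous(event, baseline, threshold=Z_THRESHOLD):
    return anomaly_score(minimize(event), baseline) > threshold  # minimized view only
```

The verdict is computed on the minimized view only, so the raw URL and webcam fields can be dropped at collection time without changing detection.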

Balancing Security and Privacy

Balancing AI-based endpoint security and privacy is essential. Organizations can adopt the following strategies to minimize privacy concerns:

  • Implement Strong Privacy Policies

Establish comprehensive privacy policies that clearly define data collection, usage, retention, and disposal procedures. These policies should adhere to legal and regulatory requirements for the region where the users reside (GDPR, CPA, etc.).

This can by itself be a challenging task, because no company is willing to block access to potential customers.


  • Regular risk assessment and impact analysis

Conduct periodic risk assessment and impact analysis to ensure that data collection and analysis practices align with privacy policies and legal requirements and correct any deviations promptly.

The audits should be first performed internally, in order to have time to fix any deviations. If an external audit body finds any irregularity, the company can be fined with large sums of money.


  • Third-Party Vetting

When using third-party AI solutions, organizations should thoroughly vet the security and privacy practices of these providers.


  • Ongoing Monitoring

Continuously monitor the effectiveness of privacy protection measures and adjust them as needed to address emerging privacy concerns.


Conclusion

AI-based endpoint security is a powerful tool for protecting devices and data from cyber threats. However, it should not come at the cost of user privacy or well-being.

Organizations must strike a delicate balance by implementing privacy-enhancing measures, obtaining informed consent, and adhering to transparent data collection and usage practices.


PS: The image of the post was generated using DALL-E.


The post Balancing functionality and privacy concerns in AI-based Endpoint Security solutions first appeared on Sorin Mustaca on Cybersecurity.

NIS2: 3.Establish a cybersecurity framework

We wrote here https://www.sorinmustaca.com/how-to-nis2-eu-directive/ that the 3rd step in implementing the requirements of the directive is to establish a cybersecurity framework.

If you haven’t read what a cybersecurity framework means, then you should read this article: https://www.sorinmustaca.com/demystifying-cybersecurity-terms-policy-standard-procedure-controls-framework/ .

Establishing a cybersecurity framework is critically important for organizations of all sizes and types because it is the basis on which you build your cybersecurity. The cybersecurity framework is the basis of the ISMS, which represents the plan of your cybersecurity strategy.


Why it is essential to have a cybersecurity framework

In case you still wonder if you need a cybersecurity framework, here are several key reasons why it is essential:

  1. Protection against Cyber Threats
    Cyber threats are constantly evolving and becoming more sophisticated. A cybersecurity framework provides a structured approach to identifying and mitigating these threats, reducing the risk of data breaches, cyberattacks, and other security incidents.
  2. Risk Management
    Cybersecurity frameworks help organizations assess their cybersecurity risks and prioritize their efforts to address the most critical vulnerabilities. This risk-based approach ensures that resources are allocated where they are needed most.
  3. Compliance and Legal Requirements
    Many industries and regions have specific cybersecurity regulations and legal requirements that organizations must adhere to. A cybersecurity framework provides a roadmap for meeting these compliance obligations, reducing the risk of fines and legal repercussions.
  4. Business Continuity
    Cybersecurity incidents can disrupt business operations, leading to downtime, financial losses, and damage to reputation. A well-structured cybersecurity framework helps organizations prepare for and respond to incidents, minimizing their impact and ensuring business continuity.
  5. Protection of Sensitive Data
    Organizations store vast amounts of sensitive and confidential data, including customer information, financial records, and intellectual property. A cybersecurity framework helps safeguard this data from unauthorized access or theft.
  6. Preservation of Reputation
    A security breach can seriously damage an organization’s reputation and erode customer trust. Implementing a cybersecurity framework demonstrates a commitment to security, which can enhance the organization’s reputation and instill confidence among customers, partners, and stakeholders.
  7. Cost Savings
    Proactively addressing cybersecurity through a framework can ultimately save an organization money. Preventing security incidents is more cost-effective than dealing with the aftermath of a breach, which can involve significant financial and legal expenses.
  8. Consistency and Standardization
    Cybersecurity frameworks promote consistency and standardization of security practices across an organization. This is especially important in larger enterprises with multiple locations, business units, or teams, ensuring that security measures are applied uniformly.
  9. Continuous Improvement
    Cyber threats and technology evolve rapidly. A cybersecurity framework emphasizes the importance of ongoing monitoring, assessment, and improvement, helping organizations stay ahead of emerging threats and vulnerabilities.
  10. Competitive Advantage
    Having a robust cybersecurity framework can be a competitive advantage. It can differentiate an organization in the eyes of customers, partners, and investors who prioritize security when choosing business partners.

Steps to Choose or Create a Cybersecurity Framework

Choosing a cybersecurity framework is a tedious and potentially long process. If you want to succeed, then you need to plan for it. In order to create a project plan, follow these milestones:

  1. Assess Organizational Needs and Objectives
    Begin by understanding your organization’s specific cybersecurity needs, objectives, and goals. Consider the industry you operate in, the types of data you handle, and your organization’s size and complexity.
  2. Identify Relevant Regulations and Standards
    Determine which cybersecurity regulations, standards, and compliance requirements are applicable to your organization. These may include GDPR, HIPAA, ISO 27001, NIST, CIS Controls, TISAX, ISO 21434 and industry-specific regulations.
  3. Conduct a Risk Assessment
    Perform a comprehensive risk assessment to identify potential cybersecurity threats, vulnerabilities, and the potential impact of security incidents. This assessment will help you prioritize security measures.
  4. Define Your Scope
    Clearly define the scope of your cybersecurity efforts. Consider which systems, data, and assets are in scope for protection and compliance efforts. Document this scope in detail.
  5. Research Existing Frameworks
    Investigate existing cybersecurity frameworks and standards that align with your organization’s needs and objectives. Consider well-established frameworks like NIST Cybersecurity Framework, ISO 27001, CIS Controls, and others.
    Have a look here to view a comparison. Consider country-specific frameworks like the recommendations or requirements from your country’s information security agency.
  6. Evaluate Framework Alignment
    Evaluate how closely each candidate framework aligns with your organization’s requirements, risk assessment findings, and compliance obligations. Consider factors like ease of implementation and ongoing maintenance.
  7. Customization vs. Adoption
    Decide whether to adopt an existing framework as-is or customize it to fit your organization’s specific needs. Customization may be necessary to address unique risks or industry-specific requirements.
  8. Engage Stakeholders
    Involve key stakeholders, including senior leadership, IT teams, compliance experts, and legal advisors, in the decision-making process. Ensure their input and buy-in throughout the framework selection or development process.
  9. Develop Framework Documentation
    If you choose to customize or create a framework, develop comprehensive documentation that outlines the framework’s policies, procedures, controls, and guidelines. This documentation serves as a roadmap for the implementation of the ISMS.
  10. Implement and Test
    Begin implementing the selected or customized framework within your organization. Test its effectiveness in addressing cybersecurity risks and compliance requirements.
  11. Training and Awareness
    Train employees and raise awareness about the cybersecurity framework, its policies, and best practices. Ensure that everyone in the organization understands their role in maintaining security.
  12. Continuous Monitoring and Improvement
    Establish ongoing monitoring and assessment processes to ensure the framework’s effectiveness. Regularly review and update the framework to adapt to evolving threats and technology.


Key Considerations When Choosing or Creating a Cybersecurity Framework

There are some things to keep in mind when implementing the project plan for choosing the cybersecurity framework. The project can easily go out of scope because the security landscape changes continuously.

Please review these considerations regularly and make sure you go through the list before taking any big decisions.

  1. Alignment with Objectives: Ensure that the chosen framework aligns with your organization’s cybersecurity objectives, risk profile, and compliance requirements.
  2. Applicability: Consider the framework’s applicability to your industry and specific business needs.
  3. Resource Requirements: Assess the resources (financial, human, and technological) required for framework implementation and maintenance.
  4. Scalability: Determine whether the framework can scale with your organization’s growth and evolving cybersecurity needs.
  5. Integration: Ensure that the framework can integrate with existing security technologies and processes within your organization.
  6. Cost vs. Benefit: Evaluate the cost-effectiveness of implementing and maintaining the framework relative to the expected security benefits and risk reduction.
  7. Accessibility of Expertise: Consider the availability of expertise and training resources related to the chosen framework.
  8. Audit and Certification: If compliance or certification is a goal, verify that the framework is recognized and accepted by relevant certification bodies or authorities.
  9. Legal and Privacy Considerations: Ensure that the framework supports compliance with relevant data protection and privacy laws.
  10. Flexibility: Assess the framework’s flexibility to adapt to changing threat landscapes and emerging technologies.


Conclusions

Having a robust cybersecurity framework can be a competitive advantage. It can differentiate an organization in the eyes of customers, partners, and investors who prioritize security when choosing business partners.

Remember that selecting or creating a cybersecurity framework is not a one-size-fits-all process. It should be a thoughtful and strategic decision that aligns with your organization’s unique needs and circumstances.

Establishing a cybersecurity framework is essential to protect an organization’s digital assets, manage risks effectively, comply with legal requirements, and maintain the trust of stakeholders.


The post NIS2: 3.Establish a cybersecurity framework first appeared on Sorin Mustaca on Cybersecurity.