Information Security (Management) at Stake in Belgium 2017 v1.2
1. INFORMATION SECURITY (MANAGEMENT) AT STAKE IN BELGIUM
Dominique Volon
Trusted Advisor – Sr Manager & Architect in IT & Information (Cyber) Security
Former DG of FEDICT for Information Security Management, IT Service Management, Legal (privacy) and Public Procurement
http://be.linkedin.com/pub/dominique-volon/a/440/864
A ‘long’ journey from 2003 to 2016 – Refresh 2017
Copyright 2016 Dominique Volon – IT Transforming For Benefits – V1.1 – 06-10-2016
2. AGENDA
Aim of presentation / We live in an Information Society !
Information Security Management : What’s in it for me ? Where should it apply ?
Protection of E-government social security assets (BCSS)
Protection of E-government other assets (FEDICT)
Be-Aware : Evangelization of Federal Public Services
Institutional Public Landscape in Belgium
A glimpse at Legal contexts
Be-Networked : BelNIS Federal State Level -> Belgian Center for Cybersecurity
Epilogue, Continuum
3. AIM OF THIS PRESENTATION
To relate the journey made (so far) to make the field and political
actors aware of Information Security Management in Belgium
To give you a view of the enormous involvement of field security
actors in shaping the Belgian Information Society
To plan ahead for the future in a Globalised World of (Data)
Economy
And the need to continue !
4. WE LIVE IN AN INFORMATION SOCIETY !
Development of society’s education from the Arts,
Science and Religion
Speeding/spreading information and knowledge through
Monks and the printed Bible
Revolution separating political power from religion (1589 - 1789)
Industrial progress : Electricity (Edison), TSF (Marconi), Telephone (Bell), TV
Faster evolution for counting machines and computers (1920’s -> now)
Digitisation of physical phenomena (A/D, D/A converters), transporting
at the speed of light and air (optical fibers, satellites)
The network is the computer, information is a valued asset -> IOT
5. WE LIVE IN AN INFORMATION SOCIETY !
Information has become an intelligence factor for Businesses in
all the sectors of the Economy
We want to know the consumption and living habits of people :
To attract them and propose new services in real life :
E-banking and payment services, entertainment,
E-health and social security services, E-learning, E-commerce
Or simply make life easier through a bunch of digital channels
BUT what happens if these channels and the providers at the end
of them are not protected ?
Our present and forthcoming way of life will be jeopardized (privacy,
denial of service !)
We need Information Security Management at mass media level !
6. INFORMATION SECURITY MANAGEMENT : WHAT’S IN IT FOR ME ?
What is the value of Information Security Management at mass media level
in our life ?
Known and safe usage of secured IT services over the Internet
Cyberspace that is made safer for both consumers and providers
Trust in using Information and Telecommunication means
Chasing the Bads out of the Web … (criminality and terrorism)
Protection for our way of life
Realising it means :
Adopting a Systems-wise protecting strategy and policy for our country-
wide critical information assets
Adopting an ‘enlightened’ behaviour when using Cyberspace
7. WHERE SHOULD INFORMATION SECURITY APPLY ?
How to obtain Information Security Management at the mass media
level in our life ?
Be aware ! Risk and Threat evaluation is an on-going practice for making, using
and distributing information on a need-to-know basis
Protecting our way of life by adopting a Systems-wise approach, a Vision for
Information Security and protecting policies for our country-wide critical
information assets :
Social Security, Health;
Transport (Ports and Civil Aviation), Energy (Electricity, Gas, Petrol);
Finances (BNB, banks) and Telecom Operators;
Education (University, R&D);
Economy itself !
Federal and federated public services;
Political levels.
8. PROTECTION OF E-GOVERNMENT SOCIAL SECURITY ASSETS (CBSS – BCSS – KSZ)
Security Governance for the Social Sector
Assets to be protected :
Social security rights and Health practice for the Belgian population
Capacity of Information exchange between Social Security actors
Data privacy
Response :
A federated capacity of exchanging information using safe and reliable
electronic means across all actors of the sector :
The Crossroads Bank for Social Security - CBSS - BCSS - KSZ, starting in the early 90’s
The E-Health platform for federating health practitioners.
Both implement a strong Information Security Management strategy and policy within a
legal framework based on a Royal Decree of 1993 and the presence of Information Security
Officers.
9. PROTECTION OF E-GOVERNMENT ASSETS (CBSS – BCSS – KSZ)
[Diagram : BCSS (E-Health) at the centre of a network of social security institutions : SPF Social Security & Health, CPAS/OCMW, INASTI, OSSOM, INAMI/RIZIV, ONAFTS, ONP, … ; transformation at stake for the 6th State Reform]
Only a high-level view ; the network of BCSS is considerably larger
10. PROTECTION OF E-GOVERNMENT ASSETS (FEDICT : FEDERAL PUBLIC SERVICES ICT)
Security Governance for FEDICT
Assets to be protected (the catalogue of e-gov services) :
the digital identity of the Belgian population using eID
the accesses to the federal portal services
the federal portal services themselves giving access to authentic sources
such as the Crossroads Bank of Enterprises, CBSS or FPS Finances (Tax-On-
Web application)
Trust has to be built when using communication services :
FedMan network ; Middleware(s)
Communication and services such as mail relay, file transfer, remote
access. Offering a secured and reliable availability of 99,5%, almost 24/7 a
week, and continuity of service.
11. PROTECTION OF E-GOVERNMENT ASSETS (FEDICT)
Security Governance for FEDICT
Response for digital identity :
Establishing the eID pilot and roll-out programme with the National Register
Royal Decree for the eID card, Governance of the Certification Authority (Belgian
root PKI), Service Management and monitoring, Business Continuity live-
verification
Performing Risk assessment of the cryptography with COSIC (KUL) and Crypto
Lab (UCL)
eID proxy, eID middleware, eID card readers with IT industry actors
(Microsoft)
Encouraging usage of the eID by linking with AGORIA and Security initiatives
(L-SEC), a pilot in a Bank (Ethias), presentations to cities
12. PROTECTION OF E-GOVERNMENT ASSETS (FEDICT)
Response for protecting accesses to www.belgium.be :
Perimeter security defense in several network zones (V1, V2) for the
public interface
IAM (simple and strong authentication) integrated with user
management, mandates and federation of identities (led to e-gov
logon and CZAM federal logon)
Disaster Recovery Planning on two nodes for V1, full Business
Continuity-DRP Planning for V2
FedMan protection (technical and CERT.be organization)
Regular and permanent usage of vulnerability scanning
13. PROTECTION OF E-GOVERNMENT ASSETS (FEDICT)
Response for the portal services themselves :
Escrow service for portal-developed S/W
Business Impact Analysis for Tax-on-Web verifying the DRP
Negotiation of tight SLA and penalties with Accenture
Managed secured services to protect communication
channels :
Secured mail relay, file transfer, secured remote access VPN/SSL
Additional shared firewall service
Digital certificates for critical servers
Vulnerability scanning
14. BE-AWARE : EVANGELIZATION OF FEDERAL PUBLIC SERVICES
Security Governance for Federal Public Services (13)
Starts with Awareness of ISM for Chairmen on the Business Continuity theme
Recruiting a CISO and ISO team with focus on Risk Assessment and continuity as
the start of the Security expertise pole;
Organising an Infosec forum inside the Federal Public Services with the CISO and ISOs
from the SPFs
Animating the forum and adopting ISO 27k as the InfoSec framework
Defining Roles & Responsibilities of the ISO and an organic career inside Public
Services via P&O
Standards and best practices for Information Security Management
15. BE-AWARE : EVANGELIZATION OF FEDERAL PUBLIC SERVICES
Security Governance for Federal Public Services (13)
Royal Decree for the formal nomination of the ISO reporting to the chairman of the FPSs.
InfoSec expertise available in the Fedict Service catalogue for all FPS, OIP and
Regions
Business Impact/Risk Assessment for deriving protection measures
Presence in the Business Continuity Steering Committee of Finances (BIA-DRP
capabilities)
General advice to the regions for Infosec matters (governance, R&R)
Offering of Managed Security (& Secured) Services available from the Fedict
catalogue
16. INSTITUTIONAL BELGIAN LANDSCAPE
Federal Public Services : 10 sectorial + 4 horizontal (will change in the 6th Reform)
FPS Interior : Registre National : accountable for managing the organic
identification of the Belgian population and keeping it updated inside a National Register
FPS Economy : Accountable for Economy, consumer regulations, …. and the Crossroads
Bank of Enterprises
FPS Finance : Accountable for funding of the State by collecting taxes
FPS Justice : Accountable for Justice (Courts, Prisons, Law and legal enforcement)
FPS ICT (FEDICT) : Accountable for e-government (except in the Social Security sector ->
BCSS)
-> description of the federal public services on www.belgium.be
17. INSTITUTIONAL BELGIAN LANDSCAPE
Public Services nested at federal level dealing with Infosec :
ANS-NVO-[NSA] – FPS Foreign Affairs : Cares for security clearance and
accreditation of information systems dealing with classified information
Computer Crime Unit (federal and regional) – FPS Interior (Police) : Cares
for cybercrime in civil society in general and investigates complaints
Crisis Center – FPS Interior : Cares for coordination of a crisis from the viewpoint
of emergency services when the damage is at level 4 in the Country ; liaises with
Province Governors
SGRS – [Military Intelligence] – FPS Defence : Accountable for Military
Intelligence and protection of Military (Courts, Prisons, Law and legal
enforcement)
State Security – FPS Justice : Civil intelligence, security clearance enquiries
18. INSTITUTIONAL BELGIAN LANDSCAPE
Other legal institutions :
Commission de la Protection de la Vie Privée (Data Privacy)
Parliamentary commission composed of Magistrates and experts
Issues authorisations for treatments of personal data in Information
Systems according to the laws of 1992, 1998 and 2003
Gives exemptions in case of public security / state interest
FEDICT is the Sectoral Authority for introducing the FPS authorisation files
to the Privacy Commission to obtain authorisation of privacy data
treatments in the Federal Information Systems
19. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Belgium and European Union
Identity & Signature
Protection of vital assets
Privacy
Intellectual Property
Criminality
Organisation of Federal Authorities
Outside European Union (United States)
US Safe Harbor …
US Patriot Act
20. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Identity & Signature
FPS Interior - National Register is the custodian of the Identity of the
Belgians from their birth until death – each Belgian is assigned a single and
unique National Register Number whose first sequence is its birth date
Royal Decree of eID (format, information datafields, digital certificates on the
eID card) : the eID combines the legal definition of a document and of a
digital container containing strictly the information data to identify and
locate the official residence of the card holder, plus two digital certificates
that can be used to authenticate and sign documents as if it were a
qualified written signature.
Electronic Signature : EE Directive of 1999 : Belgian Law 9/7/2001 :
electronic signatures and certification services. Electronic signature :
cannot be repudiated in Justice. Qualified electronic signature : usage of a
digital certificate which is qualified by an accredited Certification Authority.
FPS Economy controls and accredits Certification Authorities (e.g. Certipost)
21. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Protection of vital assets
Classified Information
Is handled by Individuals and Information Systems
Law of 11/12/1998 paves the way for information classification and security clearance for
individuals (and firms) handling this type of information, enforced by Royal Decree
24/3/2000. Classification and clearance for individuals are defined according to the damage
impact if the information is divulged. Royal Decree 2013 for the fees of obtaining
clearance.
National Security Damage if information is divulged, and the corresponding classification levels :

  Damage        BE                      UE                NATO
  Very Serious  TRES SECRET             TRES SECRET UE    Cosmic Top Secret (CTS)
  Serious       SECRET                  SECRET UE         NATO Secret (NS)
  Breach        CONFIDENTIEL            CONFIDENTIEL UE   NATO Confidential (NC)
  Effect        (diffusion restreinte)  RESTREINT UE      NATO Restricted (NR)
  None          -                       -                 NATO Unclassified
22. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Protection of vital assets
Classified Information
Security Clearance of Individuals (and firms) is handled by ANS-NVO-[NSA]
- Level is based on need to know for the job
- ANS asks State Security (civilians) or SGRS (military) to enquire (private life security)
Information Systems accreditation
- EU regulation (2001/264) in 3 steps : Evaluation, Certification, Accreditation
- Evaluation : by experts, auditors or an accredited laboratory
- Certification : Conformance certificates are issued by control organisms, accredited
by BELAC
- Accreditation Body : ANS in association with BELAC
23. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Protection of vital assets
Critical Infrastructures of Belgium
2008/114 EU Directive : European Critical Infrastructures
Energy and Transport sectors
BE Law of 01/7/2011 : Belgian Critical Infrastructures, Royal Decree 27/5/2014
Adds Finance and electronic communications sectors
Scoping Vital Functions : health, social, security/safety, economic prosperity
Acting through Sectorial Authorities or ‘Regulators’ :
- Finance : National Bank of Belgium (oversight of Banks and Financial organisms) ;
CFMA : regulator for Insurance companies
- Telecommunications : Belgian Institute for Post and Telecommunications
- Energy : CREG / AFCN
- …..
- Every operator of an infrastructure recognized as critical at the level of the Country must develop
and exercise a Security Plan, namely for Business Continuity
24. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Privacy
Electronic communications Law of 13/06/2005 concerns :
Operators constrained for :
Security measures (technical / organisational)
Free security services
Notification of Security Incidents to IBPT, Privacy Commission, Customers
Allowing Audit by BIPT or a mandated independent organism
Retention of traffic data (traffic / geolocation)
IBPT as regulator accountable for :
Security of telecommunication, Coordination, Oversight of problem detection
Instructions, control and recommendations to Operators
25. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Privacy
EU GDPR : European Union Global Data Privacy Regulation of May 2016.
Not a Directive : it replaces the former EU Directive on Privacy (that needed to be
ratified by each national parliament to become an in-country Member State law –
Subsidiarity Principle)
GDPR Regulates, thus places immediate compliance on all Member States from the day it has been
voted by the European Parliament and published in the L
Official Journal (26 May 2016)
Implies an immediate compliance exercise, final for up to 2018
As of 2018, the EU (EC) can audit companies and legally impose heavy financial
penalties :
For light or medium infringement of GDPR, 10 million €
For severe infringement of GDPR, 20 million € or 4% of the turnover of the Group of
companies that a holding can own.
26. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Privacy when working in the private sector – CCT81 (26/4/2002) :
Controlling of communication data in the workplace
End Goals :
1. Prevent illegal & illicit behaviours (hacking, racism, pedophilia, …)
2. Protection of the employer’s interests
3. Technical security of systems
4. Respect of internal regulations (policy for usage of Information Systems …)
Proportionality & Transparency :
Minimal interference in private life ; Information is to be given collectively and
individually
Anomaly in case 1, 2, 3 -> find the individual root cause
Anomaly in the 4th case -> collective warning and, if the anomaly is repeated -> find the
individual root cause
Filtering of data (journalling and random controls)
27. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Intellectual Property
Directive 91/250 : computer programs
Directive 96/9 : databases
Directive 2001/29 : Authors’ rights – information society
Law (10/04/2014) : Intellectual Property
Best practices to protect critical IT assets for S/W developed by your
providers :
Acquisition of a specialised escrow service;
Inclusion of an IP rights clause and an escrow agreement mechanism in public procurement
procedures;
Verification of system rebuild capabilities at three levels (deposit of source code,
rebuild of a minimal system, rebuild of the major part of the system’s functions).
28. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Criminality
Directive 2013/40 – Attacks against Information Systems
Law (28/11/200) : computer criminality – ‘Code Pénal : art 116-118’
Directive 2006/24 : retention of traffic data
Law (30/7/2013) : retention of traffic data and geolocation
Court of Justice decision : abrogation of the 2006 directive (you know more will
come ….)
Scope :
Computer forgery, Access rights abuse, Sabotage,
Distribution of illicitly acquired data, distribution of harmful data;
Defence / State Security : data and information communication to a foreign country
Retention of data / geolocation
29. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Organisation of Federal Authority
1990 : Organic Law constituting the CBSS – KSZ – BCSS
1993 : Royal Decree for information security in the Social Security sector
1997 : Royal Decree for communicating between social institutions
2001 : Royal Decree establishing FEDICT
2007 : Modification of the FEDICT Royal Decree to participate in the 7th R&D Research
programme of the European Commission with the STORK project (interoperability of digital
identities across the EU)
2012 : ‘FEDICT’ or ‘Only Once’ law : FEDICT as federal services integrator acting as
Trusted Third Party
2013 : Royal Decree for (Chief) Information Security Officers in FPSs
2014 : Royal Decree founding the Belgian Cybersecurity
Center
30. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
United States
US Safe Harbour
EU Directive 95/46 : Prohibition of transferring personal data outside the EEE, with
exceptions (at an equivalent protection level)
2001 : Agreement CEC/US Department of Commerce
Principles : Notification and freedom of choice of the individual, Security, Treatment of data
conformant to the declared end goal, Access Rights and Correction
US Patriot Act (2001)
Reaction to 09/11 -> Mandate for numerical screening and for retaining data in custody.
Concerns data hosted in the US and anywhere in the world.
Concerns any company (US, daughter companies and non-US on US ground)
31. BE-NETWORKED : BELNIS PLATFORM
Initiative of FEDICT’s Minister Peter Vanvelthoven (2005)
Identify major Information Security Stakeholders at the level of the State
Put them inside a round table and discuss the competences of their Institutional
mandate regarding Information Security (and available means …)
Federate the interests and form a guiding expert coalition to raise awareness, first in
the Belgian Government and then in the Belgian Information Society at large
Make the spirits ready for appraising the chain and the degree of Information
Security maturity in Belgium
o Liaise with European Security initiatives (ENISA through BIPT)
o Animate working groups on security subject matters
o Make a White Paper for Information Security and propose improvements (2007)
o Goal : Make Information Security a dedicated point on the governmental agenda
33. BE-NETWORKED : BELNIS STAKEHOLDERS
Starting in 2005 :
FEDICT, actor and federator of the platform
Invited at an oval table :
FCCU : Federal Computer Crime Unit from FPS Interior
Belac : from FPS Economy – Accreditation body for Information Security
DG CC : Crisis Center – from FPS Interior
ANS : Autorité Nationale de Sécurité (clearance and accreditation of
classified information systems) – from FPS Foreign Affairs
BIPT : Belgian Institute for Post and Telecommunications (regulator)
State Security
SGRS : Military Intelligence
Belac : accreditation of IS dealing with classified information
34. BE-NETWORKED : BELNIS PLATFORM
BelNIS made itself aware of the global InfoSec situation in Belgium
BelNIS liaises with ENISA through IBPT/FEDICT, sharing 2 seats
BelNIS structured itself in subject matter workgroups and has
produced :
The White Paper for Information Security for Belgium in 2007
Creation of Cert.be (FEDICT funding and BELNET operations) to protect
federal assets in 2009 (namely FedMan and Internet connection points)
Examination of the business case for the creation of a National Security Agency,
concluding that such a ‘vertical response’ was not quite appropriate
National Strategy for Cybersecurity in 2012 with a push for the creation
of a Cybersecurity Center for the whole of Belgium (the missing ‘Core’) in 2014
35. BE-NETWORKED : BELNIS PLATFORM
BelNIS actors also participated in the first steps of creating
Industry and Academy awareness :
2011 KUL initiative : B-CCentre : cybercrime center for Excellence, R&D
and Education (COSIC, ICRI, L-Sec members, etc.)
2014-2015 : Cybersecurity coalition
Cybercoalition : cross-sector partnership between players from
the academic world, the public authorities and the private
sector to join forces in the fight against cybercrime (50 major
actors … to develop further)
36. BE-NETWORKED : BCC
BCC : Belgian Cybersecurity Center
Founded by Royal Decree in 2014, Headed by Miguel Debruycker
Reporting to Chancellery under PM umbrella
Operational Arm arising out of BelNIS platform
Missions :
Supervision of Infosec Strategy
Coordination of Public Authorities
Coordination public / private / academy
Proposal to adapt legal framework
Crisis management with Cert.be
Issuing standards and directives for Infosec
Evaluation and accreditation of Classified Information Systems (with BELAC)
User awareness
37. THE WAY FORWARD
Major actors are still lacking in this story :
FPS Economy itself, for developing a Belgian Information Society (Policy is hardly set
by the FPS Economy) that cares for e-services (e-commerce, e-payment infrastructure –
Worldline and others) and establishes a digital security capacity in Belgium, linking with the
European Union level.
Sectorial regulators :
BIPT is in it, NBB has warned the Banking sector to care for business continuity and
information security practices (will it be sufficient ?)
Others ? What about CREG (energy), the transport sector, etc. ?
Market leader Operators in all the Sectors (only 50 in the coalition)
Federation of providers and consumers (COMEOS) ? …..
We still have a huge chunk of work to aware, protect and enable growth of the
complete Economy Blocks for Belgium !
38. THE WAY FORWARD
EUROPE IS MOVING ON DATA PROTECTION AND REGULATIONS to push Member
States to act : EU GDPR – Global, with heavy fines if not compliant by May 2018 -> huge
impact on the Data management Lifecycle by modification of the data classification, meaning
impact on the data back-up/restore capability of Global Storage solutions and DR capabilities,
as well as on processes
EUROPE is constraining the Sectoral Authorities with more stringent regulations in every
sector to fight crime and to upgrade business continuity operations ; there will be
more in the coming months, establishing the relevant governance by forcing continuity.
Namely, this is the case of the Finance Sector through BNB and CSSF regulations in the Belux
context, which evolves under stronger pressure from the European Central Bank and forces
compliance through continuity and security audits by competent experts from the
domain (Banking, Insurance, Investment companies, e-payment services).
The other domains follow also : Telecoms (BIPT), Energy (CREG), etc. shall comply
39. EPILOGUE
Information Security Management relies on a federation of interests : public
authorities, consumers and providers of information data and channels to do business.
Trust will be the combination of a chain of actions from all the actors of the
Information Society : industry, academia, etc. But also internationally (EU, USA,
Asia/Pacific, India, Middle East)
Information Security Management will provide protection only if a
continuum of efforts and actions is continuously supported in the long run
by business communities. It’s too often left to techies ! Think of securing
and protecting your business first before thinking of technologies : only the business is
capable of considering business risks and consequences.
Don’t leave public authorities alone in this journey, participate !
Convince your executives to fund Information Security Management
for their own good ; make sure that the highest Executive Level invests in a regular risk
management and protection practice for your business assets using information.
40. CONTINUUM OF THE JOURNEY IN 2016
Accountable for InfoSec Management inside your corporation ? :
Organize Security Governance (the use of it) and Management (the making of
it) inside your corporation – Use recognized international standards (COBIT 5,
ISO 27k, MOR-ISO31k, InfoSec, ITIL, TOGAF, SABSA and IT Best Practices
standards) AND tailor them to your businesses !
Be sponsored at the highest Level by forming a Steering Committee (or
Sponsor Group)
Ask to report to the highest Executive level of the hierarchy (must be close to
the business strategies and valued assets)
As a Senior Responsible Owner, propose a 360° Vision inside the company and
outside the company (look at your customers) : Enterprise Architecture, IT
services.
Information Security must protect, enable and support the growth of the
company’s businesses.
41. AND NOW 2017 - GDPR READINESS?
EU GDPR : readiness for 2018 is still fuzzy since the practical part of the
organization is not yet mature :
The EDP Board still has some work to deliver with the National representatives
Compliance with GDPR :
How to organise recognition ? A label, a certificate ? This is not dealt with.
What will the ‘sectoral codes of conduct’ or ‘binding corporate rules’ be ?
Reading of GDPR : some sections are still confused in the regulation
Interpretation of minor/major infringement : where to put the cursor for repeated minor
ones ?
42. AND NOW 2017 - GDPR READINESS?
Preparation of each sector :
How to behave ?
Do we have the fundamentals to act to handle personal data ?
Can we start from an existing practice (Privacy law, 95/46 integrated) in
house ?
Do we have enough knowledge to model the interactions dealing with
inside and outside Data Controller and Data Processor role models ?
Do we ask the right questions for data handling from the start (consent) ?
For covering the past (history – right to be forgotten) ?
For anticipating the future (GDPR) ?
43. AND NOW 2017 - GDPR READINESS?
Do we have a clear view for modifying our Information Systems to
provide the functions needed to support the rights claimed ?
And in each step of the Data Management handling cycles, including Data
Security inside and outside ?
Will we be more serious about Data Breaches and take complementary
security controls (Data Loss Prevention solutions ?)
It is anticipated that GDPR readiness will start with :
a Major Health-Check exercise of Information Systems against their capability of
supporting and handling classified data, amongst which ‘personal data’ can be labelled
and isolated from an aggregated (Big Data) or generic data set (Bulk back-ups)
Audit of / or installation / or reinforcement of Information and Cybersecurity
management systems
but also of the needed Architecture that provides the required services to the Persons
exercising their rights. Business processes and the Data Architecture must be known.
44. THANKS
To all Information Security professionals delivering ‘on top of’
their normal work, sharing expertise and concerns !
For perseverance and being patient
For the audience listening or having read this journey
… and this is still a ‘Hobbit Journey’ or maybe a ‘Never ending
Story’ because Information Security is staying for good …