INFORMATION SECURITY (MANAGEMENT) AT STAKE IN BELGIUM
Dominique Volon
Trusted Advisor – Sr Manager & Architect in IT & Information (Cyber) Security
Former DG of FEDICT for Information Security Management, IT Service Management, Legal (privacy) and Public Procurement
http://be.linkedin.com/pub/dominique-volon/a/440/864
A ‘long’ journey from 2003 to 2016 – Refresh 2017
Copyright 2016 Dominique Volon – IT Transforming For Benefits – V1.1 – 06-10-2016
AGENDA
- Aim of presentation / We live in an Information Society!
- Information Security Management: What’s in it for me? Where should it apply?
- Protection of e-government social security assets (BCSS)
- Protection of e-government other assets (FEDICT)
- Be-Aware: Evangelization of Federal Public Services
- Institutional Public Landscape in Belgium
- A glimpse at legal contexts
- Be-Networked: BelNIS Federal State Level -> Belgian Center for Cybersecurity
- Epilogue, Continuum
AIM OF THIS PRESENTATION
- To relate the journey made (so far) to make the field and political actors aware of Information Security Management in Belgium
- To give you a view of the enormous involvement of field security actors in shaping the Belgian Information Society
- To plan ahead for the future in a globalised world of (data) economy
- And the need to continue!
WE LIVE IN AN INFORMATION SOCIETY!
Development of society’s education from the Arts, Science and Religion: speeding/spreading information and knowledge through monks and the printed Bible
- Revolution separating political power from religion (1589 - 1789)
- Industrial progress: Electricity (Edison), TSF (Marconi), Telephone (Bell), TV
- Faster evolution of counting machines and computers (1920’s -> now)
- Digitisation of physical phenomena (A/D, D/A converters), transported at the speed of light and air (optical fibers, satellites)
- The network is the computer, information is a valued asset -> IoT
WE LIVE IN AN INFORMATION SOCIETY!
Information has become an intelligence factor for businesses in all sectors of the economy
- We want to know the consumption and living habits of people:
  - To attract them and propose new services in real life:
    - E-banking and payment services, entertainment,
    - E-health and social security services, E-learning, E-commerce
  - Or simply to make life easier through a bunch of digital channels
BUT what happens if these channels, and the providers at the end of them, are not protected?
- Our present and forthcoming way of life will be jeopardized (privacy, denial of service!)
- We need Information Security Management at mass media level!
INFORMATION SECURITY MANAGEMENT: WHAT’S IN IT FOR ME?
What is the value of Information Security Management at mass media level in our life?
- Known and safe usage of secured IT services over the Internet
- A cyberspace that is made safer for both consumers and providers
- Trust in using information and telecommunication means
- Chasing the bad actors out of the Web … (criminality and terrorism)
- Protection of our way of life
Realising it means:
- Adopting a systems-wise protection strategy and policy for our country-wide critical information assets
- Adopting an ‘enlightened’ behaviour when using cyberspace
WHERE SHOULD INFORMATION SECURITY APPLY?
How to obtain Information Security Management at the mass media level in our life?
- Be aware! Risk and threat evaluation is an on-going practice for making, using and distributing information on a need-to-know basis
- Protecting our way of life by adopting a systems-wise approach, a vision for Information Security and protection policies for our country-wide critical information assets:
  - Social Security, Health;
  - Transport (Ports and Civil Aviation), Energy (Electricity, Gas, Petrol);
  - Finances (BNB, banks) and Telecom Operators;
  - Education (University, R&D);
  - Economy itself!
  - Federal and federated public services;
  - Political levels.
PROTECTION OF E-GOVERNMENT SOCIAL SECURITY ASSETS (CBSS – BCSS – KSZ)
Security Governance for the Social Sector
- Assets to be protected:
  - Social security rights and health practice for the Belgian population
  - Capacity of information exchange among Social Security actors
  - Data privacy
- Response:
  - A federated capacity for exchanging information using safe and reliable electronic means across all actors of the sector:
    - The Crossroads Bank for Social Security - CBSS - BCSS - KSZ, starting in the early 90’s
    - The E-Health platform for federating health practitioners.
Both implement a strong Information Security Management strategy and policy within a legal framework based on a Royal Decree of 1993 and the presence of Information Security Officers.
PROTECTION OF E-GOVERNMENT ASSETS (CBSS – BCSS – KSZ)
[Diagram: the BCSS (E-Health) hub connected to SPF Social Security & Health, CPAS/OCMW, INASTI, OSSOM, INAMI/RIZIV, ONAFTS, ONP, …; transformation at stake for the 6th State Reform]
Only a high-level view; the network of BCSS is quite larger.
PROTECTION OF E-GOVERNMENT ASSETS (FEDICT: FEDERAL PUBLIC SERVICES ICT)
Security Governance for FEDICT
- Assets to be protected (the catalogue of e-gov services):
  - the digital identity of the Belgian population using eID
  - the accesses to the federal portal services
  - the federal portal services themselves, giving access to authentic sources such as the Crossroads Bank of Enterprises, CBSS or, in FPS Finances, the Tax-On-Web application
- Trust has to be built when using communication services
  - FedMan network; Middleware(s)
  - Communication and services such as mail relay, file transfer, remote access, offering a secured and reliable availability of 99.5%, almost 24/7, and continuity of service.
PROTECTION OF E-GOVERNMENT ASSETS (FEDICT)
Security Governance for FEDICT
- Response for digital identity:
  - Establishing the eID pilot and roll-out programme with the National Register
  - Royal Decree for the eID card, governance of the Certification Authority (Belgian root PKI), service management and monitoring, live verification of Business Continuity
  - Performing risk assessment of the cryptography with COSIC (KUL) and Crypto Lab (UCL)
  - eID proxy, eID middleware, eID card readers with IT industry actors (Microsoft)
  - Encouraging usage of the eID by linking with AGORIA and security initiatives (L-SEC), a pilot in a bank (Ethias), and presentations to cities
PROTECTION OF E-GOVERNMENT ASSETS (FEDICT)
Response for protecting accesses to www.belgium.be:
- Perimeter security defense in several network zones (V1, V2) for the public interface
- IAM (simple and strong authentication) integrated with user management, mandates and federation of identities (led to e-gov logon and the CZAM federal logon)
- Disaster Recovery Planning on two nodes for V1, full Business Continuity-DRP planning for V2
- FedMan protection (technical and CERT.be organization)
- Regular and permanent usage of vulnerability scanning
PROTECTION OF E-GOVERNMENT ASSETS (FEDICT)
Response for the portal services themselves
- Escrow service for software developed for the portal
- Business Impact Analysis for Tax-on-Web verifying the DRP
- Negotiation of tight SLAs and penalties with Accenture
Managed secured services to protect communication channels
- Secured mail relay, file transfer, secured remote access (VPN/SSL)
- Additional shared firewall service
- Digital certificates for critical servers
- Vulnerability scanning
BE-AWARE: EVANGELIZATION OF FEDERAL PUBLIC SERVICES
- Security Governance for Federal Public Services (13)
  - Starts with awareness of ISM among chairmen on the Business Continuity theme
  - Recruiting a CISO and ISO team with focus on risk assessment and continuity as the start of the security expertise pole;
  - Organising an Infosec forum inside the Federal Public Services with the CISO and ISOs from the SPFs
  - Animating the forum and adopting ISO 27k as the InfoSec framework
  - Defining roles & responsibilities of the ISO and an organic career inside the Public Services via P&O
  - Standards and best practices for Information Security Management
BE-AWARE: EVANGELIZATION OF FEDERAL PUBLIC SERVICES
- Security Governance for Federal Public Services (13)
  - Royal Decree for the formal nomination of an ISO reporting to the chairman of each FPS.
  - InfoSec expertise available in the Fedict service catalogue for all FPS, OIP and Regions
  - Business Impact / Risk Assessment for deriving protection measures
  - Presence in the Business Continuity Steering Committee of Finances (BIA-DRP capabilities)
  - General advice to the regions on Infosec matters (governance, R&R)
  - Offering of Managed Security (& Secured) Services available from the Fedict catalogue
INSTITUTIONAL BELGIAN LANDSCAPE
- Federal Public Services: 10 sectorial + 4 horizontal (will change in the 6th Reform)
  - FPS Interior: Registre National: accountable for managing the organic identification of the Belgian population and keeping it up to date inside a National Register
  - FPS Economy: accountable for Economy, consumer regulations, …. and the Crossroads Bank of Enterprises
  - FPS Finance: accountable for funding the State by perceiving taxes
  - FPS Justice: accountable for Justice (Courts, Prisons, Law and legal enforcement)
  - FPS ICT (FEDICT): accountable for e-government (except in the Social Security sector -> BCSS)
-> description of the federal public services on www.belgium.be
INSTITUTIONAL BELGIAN LANDSCAPE
- Public Services nested at federal level dealing with Infosec:
  - ANS-NVO-[NSA] – FPS Foreign Affairs: cares for security clearance and accreditation of information systems dealing with classified information
  - Computer Crime Unit (federal and regional) – FPS Interior (Police): cares for cybercrime in civil society in general and investigates complaints
  - Crisis Center – FPS Interior: cares for the coordination of a crisis from the viewpoint of emergency services when the damage is at level 4 in the country; liaises with Province Governors
  - SGRS – [Military Intelligence] – FPS Defence: accountable for Military Intelligence and protection of the Military (Courts, Prisons, Law and legal enforcement)
  - State Security – FPS Justice: civil intelligence, security clearance enquiries
INSTITUTIONAL BELGIAN LANDSCAPE
- Other legal institutions:
  - Commission de la Protection de la Vie Privée (Data Privacy)
    - Parliamentary commission composed of magistrates and experts
    - Issues authorisations for the processing of personal data in Information Systems according to the laws of 1992, 1998 and 2003
    - Gives exemptions in case of public security / state interest
  - FEDICT is the Sectoral Authority for introducing the FPS authorisation files to the Privacy Commission to obtain authorisation of privacy data processing in the Federal Information Systems
A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
- Belgium and European Union
  - Identity & Signature
  - Protection of vital assets
  - Privacy
  - Intellectual Property
  - Criminality
  - Organisation of Federal Authorities
- Outside European Union (United States)
  - US Safe Harbor …
  - US Patriot Act
A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Identity & Signature
- FPS Interior - the National Register is the custodian of the identity of Belgians from their birth until death – each Belgian is assigned a single and unique National Register Number whose first sequence is their birth date
- Royal Decree of the eID (format, information data fields, digital certificates on the eID card): the eID combines the legal definition of a document and of a digital container holding strictly the information needed to identify and locate the official residence of the card holder, plus two digital certificates that can be used to authenticate and to sign documents as if it were a qualified written signature.
- Electronic Signature: EU Directive of 1999: Belgian Law of 9/7/2001: electronic signatures and certification services. Electronic signature: cannot be repudiated in Justice. Qualified electronic signature: usage of a digital certificate which is qualified by an accredited Certification Authority.
- FPS Economy controls and accredits Certification Authorities (e.g. Certipost)
A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Protection of vital assets
Classified Information
- Is handled by individuals and Information Systems
- The Law of 11/12/1998 paved the way for information classification and security clearance for individuals (and firms) handling this type of information, enforced by the Royal Decree of 24/3/2000. Classification, and clearance for individuals, is determined according to the damage impact if the information is divulged. Royal Decree of 2013 for the fees for obtaining clearance.
National Security damage if information is divulged | BE | UE | NATO
Very Serious | TRES SECRET | TRES SECRET UE | Cosmic Top Secret (CTS)
Serious | SECRET | SECRET UE | NATO Secret (NS)
Breach | CONFIDENTIEL | CONFIDENTIEL UE | NATO Confidential (NC)
Effect | (diffusion restreinte) | RESTREINT UE | NATO Restricted (NR)
None | – | – | NATO Unclassified
A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Protection of vital assets
Classified Information
- Security clearance of individuals (and firms) is handled by ANS-NVO-[NSA]
  - Level is based on the need to know for the job
  - ANS asks State Security (civilians) or SGRS (military) to enquire (private life security)
- Information Systems accreditation
  - EU regulation (2001/264) in 3 steps: Evaluation, Certification, Accreditation
  - Evaluation: by experts, auditors or an accredited laboratory
  - Certification: conformance certificates are issued by control organisms, accredited by BELAC
  - Accreditation Body: ANS in association with BELAC
A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Protection of vital assets
Critical Infrastructures of Belgium
- 2008/114 EU Directive: European Critical Infrastructures
  - Energy and Transport sectors
- BE Law of 01/7/2011: Belgian Critical Infrastructures, Royal Decree of 27/5/2014
  - Adds the Finance and electronic communications sectors
  - Scoping vital functions: health, social, security/safety, economic prosperity
  - Acting through Sectorial Authorities or ‘Regulators’
    - Finance: National Bank of Belgium (oversight of banks and financial organisms)
    - CFMA: regulator for insurance companies
    - Telecommunications: Belgian Institute for Post and Telecommunications
    - Energy: CREG / AFCN
    - …..
  - Every operator of an infrastructure recognized as critical at the level of the country must develop and exercise a Security Plan, namely for Business Continuity
A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
- Privacy
  - Electronic communications Law of 13/06/2005 concerns:
    - Operators, constrained to:
      - Security measures (technical / organisational)
      - Free security services
      - Notification of security incidents to IBPT, the Privacy Commission and customers
      - Allowing audit by BIPT or a mandated independent organism
      - Retention of traffic data (traffic / geolocation)
    - IBPT as regulator, accountable for:
      - Security of telecommunication, coordination, oversight of problem detection
      - Instructions, control and recommendations to operators
A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
- Privacy
  - EU GDPR: European Union Global Data Privacy Regulation of May 2016.
    - Not a Directive; it replaces the former EU Directive on Privacy (which needed to be ratified by each national parliament to become an in-country Member State law – Subsidiarity Principle)
    - GDPR regulates, thus imposes immediate compliance on all Member States from the day it was voted by the European Parliament and published in the L Official Journal (26 May 2016)
    - Implies an immediate compliance exercise, to be finalised by 2018
    - As of 2018, the EU (EC) can audit companies and legally impose heavy financial penalties:
      - For light or medium infringement of GDPR, €10 million
      - For severe infringement of GDPR, €20 million or 4% of the turnover of the group of companies that a holding may own.
A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
- Privacy when working in the private sector – CCT81 (26/4/2002):
  - Controlling of communication data in the workplace
  - End goals:
    1. Prevent illegal & illicit behaviours (hacking, racism, pedophilia, …)
    2. Protection of the employer’s interests
    3. Technical security of systems
    4. Respect of internal regulations (policy for usage of Information Systems, …)
  - Proportionality & Transparency:
    - Minimal interference in private life; information is to be given collectively and individually
    - Anomaly in case 1, 2 or 3 -> find the individual root cause
    - Anomaly in case 4 -> collective warning, and if the anomaly is repeated -> find the individual root cause
    - Filtering of data (journalling and random controls)
A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Intellectual Property
- Directive 91/250: computer programs
- Directive 96/9: databases
- Directive 2001/29: authors’ rights – information society
- Law (10/04/2014): Intellectual Property
- Best practices to protect critical IT assets for software developed by your providers:
  - Acquisition of a specialised escrow service;
  - Inclusion of an IP rights clause and escrow agreement mechanism in public procurement procedures;
  - Verification of system rebuild capabilities at three levels (deposit of source code, rebuild of a minimal system, rebuild of the major part of the system’s functions).
A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Criminality
- Directive 2013/40 – Attacks against Information Systems
- Law (28/11/200): computer criminality – ‘Code Pénal: art 116-118’
- Directive 2006/24: retention of traffic data
- Law (30/7/2013): retention of traffic data and geolocation
- Court of Justice decision: abrogation of the 2006 directive (you know more will come ….)
Scope:
- Computer forgery, access rights abuse, sabotage,
- Distribution of illicitly acquired data, distribution of harmful data;
- Defence / State Security: data and information communication to a foreign country
- Retention of data / geolocation
A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
Organisation of Federal Authority
- 1990: Organic Law constituting the CBSS – KSZ – BCSS
- 1993: Royal Decree for information security in the Social Security sector
- 1997: Royal Decree for communication between social institutions
- 2001: Royal Decree establishing FEDICT
- 2007: Modification of the FEDICT Royal Decree to participate in the 7th R&D Research programme of the European Commission with the STORK project (interoperability of digital identities across the EU)
- 2012: ‘FEDICT’ or ‘Only Once’ law: FEDICT as federal services integrator acting as Trusted Third Party
- 2013: Royal Decree for (Chief) Information Security Officers in FPSs
- 2014: Royal Decree founding the Belgian Cybersecurity Center
A ‘GLIMPSE’ AT THE LEGAL CONTEXTS
United States
US Safe Harbour
- EU Directive 95/46: prohibition of transferring personal data outside the EEA, with exceptions (at an equivalent protection level)
- 2001: Agreement CEC / US Department of Commerce
- Principles: notification and freedom of choice of the individual, security, processing of data conformant to the declared end goal, access rights and correction
US Patriot Act (2001)
- Reaction to 9/11 -> mandate for digital screening and for retaining data in custody.
- Concerns data hosted in the US and anywhere in the world.
- Concerns any company (US, daughter companies and non-US companies on US ground)
BE-NETWORKED: BELNIS PLATFORM
- Initiative of FEDICT’s Minister Peter Vanvelthoven (2005)
- Identify major Information Security stakeholders at the level of the State
- Put them around a round table and discuss the competences of their institutional mandate regarding Information Security (and available means …)
- Federate the interests and form a guiding expert coalition to raise awareness, first of the Belgian Government and then of the Belgian Information Society at large
- Make the spirits ready for appraising the chain and the degree of Information Security maturity in Belgium
  o Liaise with European security initiatives (ENISA through BIPT)
  o Animate working groups on security subject matters
  o Make a White Paper for Information Security and propose improvements (2007)
  o Goal: make Information Security a dedicated point on the governmental agenda
[Diagram: BelNIS & Stratégie de Cybersécurité – BelNIS at the centre, linked to FCCU, FEDICT, CERT.be, Sûreté de l’Etat, CCB, ANS, DGCC, Belac, SGRS, IBPT, Industries, Academics, International; transformation at stake for the 6th State Reform (redesign)]
BE-NETWORKED: BELNIS STAKEHOLDERS
Starting in 2005:
- FEDICT, actor and federator of the platform
- Invited at an oval table:
  - FCCU: Federal Computer Crime Unit from FPS Interior
  - Belac: from FPS Economy – accreditation body for Information Security
  - DG CC: Crisis Center – from FPS Interior
  - ANS: Autorité Nationale de Sécurité (security clearances and accreditation of classified information systems) – from FPS Foreign Affairs
  - BIPT: Belgian Institute for Post and Telecommunications (regulator)
  - State Security
  - SGRS: Military Intelligence
  - Belac: accreditation of IS dealing with classified information
BE-NETWORKED: BELNIS PLATFORM
- BelNIS made itself aware of the global InfoSec situation in Belgium
- BelNIS liaises with ENISA through IBPT/FEDICT, sharing 2 seats
- BelNIS structured itself in subject matter workgroups and has produced:
  - The White Paper for Information Security for Belgium in 2007
  - Creation of Cert.be (FEDICT funding and BELNET operations) to protect federal assets in 2009 (namely FedMan and Internet connection points)
  - Examination of the business case for the creation of a National Security Agency, concluding that such a ‘vertical response’ was not quite appropriate
  - National Strategy for Cybersecurity in 2012, with a push for the creation of a Cyber Security Center for the whole of Belgium (the missing ‘Core’) in 2014
BE-NETWORKED: BELNIS PLATFORM
- BelNIS actors also participated in the first steps of creating Industry and Academy awareness
  - 2011 KUL initiative: B-CCentre: cybercrime centre of excellence, R&D and education (COSIC, ICRI, L-Sec members, etc.)
  - 2014-2015: Cybersecurity Coalition
    - Cyber coalition: cross-sector partnership between players from the academic world, the public authorities and the private sector to join forces in the fight against cybercrime (50 major actors … to develop further)
BE-NETWORKED: BCC
- BCC: Belgian Cybersecurity Center
  - Founded by Royal Decree in 2014, headed by Miguel De Bruycker
  - Reporting to the Chancellery under the PM umbrella
  - Operational arm arising out of the BelNIS platform
- Missions:
  - Supervision of the Infosec strategy
  - Coordination of public authorities
  - Coordination public / private / academy
  - Proposals to adapt the legal framework
  - Crisis management with Cert.be
  - Issuing standards and directives for Infosec
  - Evaluation and accreditation of Classified Information Systems (with BELAC)
  - User awareness
THE WAY FORWARD
Major actors are still lacking in this story:
- FPS Economy itself, for developing a Belgian Information Society (policy is hardly set from the FPS Economy) that cares for e-services (e-commerce, e-payment infrastructure – Worldline and others) and establishes a digital security capacity in Belgium, linking with the European Union level.
- Sectorial regulators:
  - BIPT is in it; NBB has warned the banking sector to care for business continuity and information security practices (will it be sufficient?)
  - Others? What about CREG (energy), the transport sector, etc.?
- Market leader operators in all the sectors (only 50 in the coalition)
- Federation of providers and consumers (COMEOS)? …..
- We still have a huge chunk of work to do to make aware, protect and enable the growth of the complete economic blocks of Belgium!
THE WAY FORWARD
- EUROPE IS MOVING ON DATA PROTECTION AND REGULATIONS to push Member States to act: EU GDPR – global, with heavy fines if not compliant by May 2018 -> huge impact on the data management lifecycle through a modification of the meaning of data classification, hence impact on the data back-up/restore capability of global storage solutions and on DR capabilities, as well as on processes
- EUROPE is constraining the Sectoral Authorities with more stringent regulations in every sector to fight against crime and to upgrade business continuity operations; there will be more in the coming months, establishing the relevant governance by forcing continuity.
  - Namely, this is the case for the finance sectors through BNB and CSSF regulations in the Belux context, which evolve under the stronger pressure of the European Central Bank and force compliance through continuity and security audits by competent experts from the domain (banking, insurance, investment companies, e-payment services)
  - The other domains also follow: Telecoms (BIPT), Energy (CREG), etc., which shall comply
EPILOGUE
- Information Security Management relies on a federation of interests: public authorities, consumers and providers of information data and channels to do business.
- Trust will be the combination of a chain of actions from all the actors of the Information Society: industry, academia, etc., but also internationally (EU, USA, Asia/Pacific, India, Middle East)
- Information Security Management will provide protection only if a continuum of efforts and actions is continuously supported in the long run by business communities. It is too often left to the techies! Think of securing and protecting your business first, before thinking of technologies: only the business is capable of considering business risks and consequences.
- Don’t leave public authorities alone in this journey; participate!
- Convince your executives to fund Information Security Management for their own good; make sure that the highest executive level invests in a regular risk management and protection practice for the business assets that use information.
CONTINUUM OF THE JOURNEY IN 2016
Accountable for InfoSec Management inside your corporation?
- Organize Security Governance (the use of it) and Management (the making of it) inside your corporation – use recognized international standards (COBIT 5, ISO 27k, MOR-ISO31k, InfoSec, ITIL, TOGAF, SABSA and IT best practice standards) AND tailor them to your businesses!
- Be sponsored at the highest level by forming a Steering Committee (or Sponsor Group)
- Ask to report to the highest executive level of the hierarchy (must be close to the business strategies and valued assets)
- As a Senior Responsible Owner, propose a 360° vision inside the company and outside the company (look at your customers): Enterprise Architecture, IT services.
- Information Security must protect, enable and support the growth of the company’s businesses.
AND NOW 2017 - GDPR READINESS?
- EU GDPR: readiness for 2018 is still fuzzy since the practical part of the organization is not yet mature:
  - The EDP Board still has some work to deliver with the national representatives
  - Compliance with GDPR:
    - How to organise recognition? A label, a certificate? This is not yet dealt with.
    - What will the ‘sectoral codes of conduct’ or ‘binding corporate rules’ be?
  - Reading of GDPR: some sections of the regulation are still confusing
    - Interpretation of minor/major infringement: where to put the cursor for repeated minor ones?
AND NOW 2017 - GDPR READINESS?
- Preparation of each sector:
  - How to behave?
  - Do we have the fundamentals to act to handle personal data?
  - Can we start from an existing practice (Privacy law, 95/46 integrated) in house?
  - Do we have enough knowledge to model the interactions, inside and outside, dealing with the Data Controller and Data Processor role models?
  - Do we ask the right questions for data handling from the start (consent)?
    - For covering the past (history – right to be forgotten)?
    - For anticipating the future (GDPR)?
AND NOW 2017 - GDPR READINESS?
- Do we have a clear view of how to modify our Information Systems to provide the functions needed to support the rights claimed?
  - And in each step of the data management handling cycles, including data security inside and outside?
  - Will we be more serious about data breaches and take complementary security controls (Data Loss Prevention solutions?)
- It is anticipated that GDPR readiness will start with:
  - A major health-check exercise of Information Systems against their capability of supporting and handling classified data, amongst which ‘personal data’ can be labelled and isolated from an aggregated (Big Data) or generic data set (bulk back-ups)
  - Audit of / or installation / or reinforcement of Information and Cybersecurity management systems
  - But also of the needed architecture that provides the required services to the persons exercising their rights. Business processes and the Data Architecture must be known.
THANKS
- To all Information Security professionals delivering ‘on top of’ their normal work, sharing expertise and concerns!
- For perseverance and being patient
- For the audience listening or having read this journey
… and this is still a ‘Hobbit Journey’ or maybe a ‘Never Ending Story’, because Information Security is staying for good …
 
Рынок средств электронной индентификации в Европе: Технологии, инфраструктура...
Рынок средств электронной индентификации в Европе: Технологии, инфраструктура...Рынок средств электронной индентификации в Европе: Технологии, инфраструктура...
Рынок средств электронной индентификации в Европе: Технологии, инфраструктура...
 
Information Society, Estonia
Information Society, EstoniaInformation Society, Estonia
Information Society, Estonia
 
Ubiquitous computing
Ubiquitous computingUbiquitous computing
Ubiquitous computing
 
GPNOct2017-Digital-Economy-Outlook
GPNOct2017-Digital-Economy-OutlookGPNOct2017-Digital-Economy-Outlook
GPNOct2017-Digital-Economy-Outlook
 
OECD Digital Economy Outlook 2017: Presentation at Global Parliamentary Netwo...
OECD Digital Economy Outlook 2017: Presentation at Global Parliamentary Netwo...OECD Digital Economy Outlook 2017: Presentation at Global Parliamentary Netwo...
OECD Digital Economy Outlook 2017: Presentation at Global Parliamentary Netwo...
 
Borrador 2 Documento Conpes - Seguridad Digital
Borrador 2 Documento Conpes - Seguridad Digital Borrador 2 Documento Conpes - Seguridad Digital
Borrador 2 Documento Conpes - Seguridad Digital
 
SC7 Workshop 2: Big Data Challenges in Cybersecurity
SC7 Workshop 2: Big Data Challenges in CybersecuritySC7 Workshop 2: Big Data Challenges in Cybersecurity
SC7 Workshop 2: Big Data Challenges in Cybersecurity
 
20210526 cybersafety first! Sirius Legal webinar for Comeos
20210526 cybersafety first! Sirius Legal webinar for Comeos20210526 cybersafety first! Sirius Legal webinar for Comeos
20210526 cybersafety first! Sirius Legal webinar for Comeos
 
FIDO, Strong Authentication and elD in Germany
FIDO, Strong Authentication and elD in GermanyFIDO, Strong Authentication and elD in Germany
FIDO, Strong Authentication and elD in Germany
 
Implementation in E-Government in Cameroon - Eric Sindeu
Implementation in E-Government in Cameroon - Eric SindeuImplementation in E-Government in Cameroon - Eric Sindeu
Implementation in E-Government in Cameroon - Eric Sindeu
 
Cyber Security For Businesses
Cyber Security For BusinessesCyber Security For Businesses
Cyber Security For Businesses
 
WISER @Ferma Forum, 4-7 October 2015, Venice, Italy
WISER @Ferma Forum, 4-7 October 2015, Venice, ItalyWISER @Ferma Forum, 4-7 October 2015, Venice, Italy
WISER @Ferma Forum, 4-7 October 2015, Venice, Italy
 
Bosind ps4journeytocitizen-centricdigitalgovernmentinfinland-191106150321
Bosind ps4journeytocitizen-centricdigitalgovernmentinfinland-191106150321Bosind ps4journeytocitizen-centricdigitalgovernmentinfinland-191106150321
Bosind ps4journeytocitizen-centricdigitalgovernmentinfinland-191106150321
 
[EN] User Access & Information Protection | DLM Forum Industry Whitepaper 04 ...
[EN] User Access & Information Protection | DLM Forum Industry Whitepaper 04 ...[EN] User Access & Information Protection | DLM Forum Industry Whitepaper 04 ...
[EN] User Access & Information Protection | DLM Forum Industry Whitepaper 04 ...
 
The National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationThe National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through Cooperation
 
National identity schemes - digital identity - national ID - eGovernment
National identity schemes - digital identity - national ID - eGovernmentNational identity schemes - digital identity - national ID - eGovernment
National identity schemes - digital identity - national ID - eGovernment
 
M. Claire Van de Velde - Green ICT Energy efficiëncy in and by ICT
M. Claire Van de Velde - Green ICT Energy efficiëncy in and by ICTM. Claire Van de Velde - Green ICT Energy efficiëncy in and by ICT
M. Claire Van de Velde - Green ICT Energy efficiëncy in and by ICT
 
02_Exthand.pptx
02_Exthand.pptx02_Exthand.pptx
02_Exthand.pptx
 
Agenda PWC Cybersecurity Day - 18 octobre 2016
Agenda PWC Cybersecurity Day - 18 octobre 2016Agenda PWC Cybersecurity Day - 18 octobre 2016
Agenda PWC Cybersecurity Day - 18 octobre 2016
 

Recently uploaded

Mumbai Call Girls Malad West WhatsApp 9892124323 Full Night Enjoy -
Mumbai Call Girls Malad West WhatsApp 9892124323 Full Night Enjoy -Mumbai Call Girls Malad West WhatsApp 9892124323 Full Night Enjoy -
Mumbai Call Girls Malad West WhatsApp 9892124323 Full Night Enjoy -Pooja Nehwal
 
VIP Model Call Girls Buldhana Call ON 8617697112 Starting From 5K to 25K High...
VIP Model Call Girls Buldhana Call ON 8617697112 Starting From 5K to 25K High...VIP Model Call Girls Buldhana Call ON 8617697112 Starting From 5K to 25K High...
VIP Model Call Girls Buldhana Call ON 8617697112 Starting From 5K to 25K High...Nitya salvi
 
Call Girls in Sarita Vihar__ 8448079011 Escort Service in Delhi
Call Girls in Sarita Vihar__ 8448079011 Escort Service in DelhiCall Girls in Sarita Vihar__ 8448079011 Escort Service in Delhi
Call Girls in Sarita Vihar__ 8448079011 Escort Service in DelhiRaviSingh594208
 
💞ROYAL💞 UDAIPUR ESCORTS Call 09602870969 CaLL GiRLS in UdAiPuR EsCoRt SeRvIcE💞
💞ROYAL💞 UDAIPUR ESCORTS Call 09602870969 CaLL GiRLS in UdAiPuR EsCoRt SeRvIcE💞💞ROYAL💞 UDAIPUR ESCORTS Call 09602870969 CaLL GiRLS in UdAiPuR EsCoRt SeRvIcE💞
💞ROYAL💞 UDAIPUR ESCORTS Call 09602870969 CaLL GiRLS in UdAiPuR EsCoRt SeRvIcE💞Apsara Of India
 
💕COD Call Girls In Kurukshetra 08168329307 Pehowa Escort Service
💕COD Call Girls In Kurukshetra 08168329307 Pehowa Escort Service💕COD Call Girls In Kurukshetra 08168329307 Pehowa Escort Service
💕COD Call Girls In Kurukshetra 08168329307 Pehowa Escort ServiceApsara Of India
 
Call Girls In Karol Bagh__ 8448079011 Escort Service in Delhi
Call Girls In Karol Bagh__ 8448079011 Escort Service in DelhiCall Girls In Karol Bagh__ 8448079011 Escort Service in Delhi
Call Girls In Karol Bagh__ 8448079011 Escort Service in DelhiRaviSingh594208
 
Zirakpur Call Girls👧 Book Now📱8146719683 📞👉Mohali Call Girl Service No Advanc...
Zirakpur Call Girls👧 Book Now📱8146719683 📞👉Mohali Call Girl Service No Advanc...Zirakpur Call Girls👧 Book Now📱8146719683 📞👉Mohali Call Girl Service No Advanc...
Zirakpur Call Girls👧 Book Now📱8146719683 📞👉Mohali Call Girl Service No Advanc...rajveermohali2022
 
High Class Call Girls in Bangalore 📱9136956627📱
High Class Call Girls in Bangalore 📱9136956627📱High Class Call Girls in Bangalore 📱9136956627📱
High Class Call Girls in Bangalore 📱9136956627📱Pinki Misra
 
AliExpress Clothing Brand Media Planning
AliExpress Clothing Brand Media PlanningAliExpress Clothing Brand Media Planning
AliExpress Clothing Brand Media Planningjen_giacalone
 
New Call Girls In Panipat 08168329307 Shamli Israna Escorts Service
New Call Girls In Panipat 08168329307 Shamli Israna Escorts ServiceNew Call Girls In Panipat 08168329307 Shamli Israna Escorts Service
New Call Girls In Panipat 08168329307 Shamli Israna Escorts ServiceApsara Of India
 
Call Girls Service In Udaipur 9602870969 Sajjangarh Udaipur EsCoRtS
Call Girls Service In Udaipur 9602870969 Sajjangarh Udaipur EsCoRtSCall Girls Service In Udaipur 9602870969 Sajjangarh Udaipur EsCoRtS
Call Girls Service In Udaipur 9602870969 Sajjangarh Udaipur EsCoRtSApsara Of India
 
Call Girls In Lajpat Nagar__ 8448079011 __Escort Service In Delhi
Call Girls In Lajpat Nagar__ 8448079011 __Escort Service In DelhiCall Girls In Lajpat Nagar__ 8448079011 __Escort Service In Delhi
Call Girls In Lajpat Nagar__ 8448079011 __Escort Service In DelhiRaviSingh594208
 
Hi Profile Escorts In Udaipur 09602870969 Call Girls in Sobaghpura Bhopalpura
Hi Profile Escorts In Udaipur 09602870969 Call Girls in Sobaghpura BhopalpuraHi Profile Escorts In Udaipur 09602870969 Call Girls in Sobaghpura Bhopalpura
Hi Profile Escorts In Udaipur 09602870969 Call Girls in Sobaghpura BhopalpuraApsara Of India
 
Call Now ☎ 8264348440 !! Call Girls in Govindpuri Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Govindpuri Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Govindpuri Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Govindpuri Escort Service Delhi N.C.R.soniya singh
 
"Maximizing your savings:The power of financial planning".pptx
"Maximizing your savings:The power of financial planning".pptx"Maximizing your savings:The power of financial planning".pptx
"Maximizing your savings:The power of financial planning".pptxsadiisadiimano
 
Call Girls in civil lines Delhi 8264348440 ✅ call girls ❤️
Call Girls in civil lines Delhi 8264348440 ✅ call girls ❤️Call Girls in civil lines Delhi 8264348440 ✅ call girls ❤️
Call Girls in civil lines Delhi 8264348440 ✅ call girls ❤️soniya singh
 
9892124323 Pooja Nehwal - Book Local Housewife call girls in Nalasopara at Ch...
9892124323 Pooja Nehwal - Book Local Housewife call girls in Nalasopara at Ch...9892124323 Pooja Nehwal - Book Local Housewife call girls in Nalasopara at Ch...
9892124323 Pooja Nehwal - Book Local Housewife call girls in Nalasopara at Ch...Pooja Nehwal
 
Call girls in Vashi Services : 9167673311 Free Delivery 24x7 at Your Doorstep
Call girls in Vashi Services :  9167673311 Free Delivery 24x7 at Your DoorstepCall girls in Vashi Services :  9167673311 Free Delivery 24x7 at Your Doorstep
Call girls in Vashi Services : 9167673311 Free Delivery 24x7 at Your DoorstepPooja Nehwal
 

Recently uploaded (20)

Mumbai Call Girls Malad West WhatsApp 9892124323 Full Night Enjoy -
Mumbai Call Girls Malad West WhatsApp 9892124323 Full Night Enjoy -Mumbai Call Girls Malad West WhatsApp 9892124323 Full Night Enjoy -
Mumbai Call Girls Malad West WhatsApp 9892124323 Full Night Enjoy -
 
VIP Model Call Girls Buldhana Call ON 8617697112 Starting From 5K to 25K High...
VIP Model Call Girls Buldhana Call ON 8617697112 Starting From 5K to 25K High...VIP Model Call Girls Buldhana Call ON 8617697112 Starting From 5K to 25K High...
VIP Model Call Girls Buldhana Call ON 8617697112 Starting From 5K to 25K High...
 
Call Girls in Sarita Vihar__ 8448079011 Escort Service in Delhi
Call Girls in Sarita Vihar__ 8448079011 Escort Service in DelhiCall Girls in Sarita Vihar__ 8448079011 Escort Service in Delhi
Call Girls in Sarita Vihar__ 8448079011 Escort Service in Delhi
 
Rohini Sector 9 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 9 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 9 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 9 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Private : +91 9999965857 Affairs: Paschim Vihar Call Girls {{ Monika}} Delh...
Private : +91 9999965857 Affairs: Paschim Vihar Call Girls  {{ Monika}}  Delh...Private : +91 9999965857 Affairs: Paschim Vihar Call Girls  {{ Monika}}  Delh...
Private : +91 9999965857 Affairs: Paschim Vihar Call Girls {{ Monika}} Delh...
 
💞ROYAL💞 UDAIPUR ESCORTS Call 09602870969 CaLL GiRLS in UdAiPuR EsCoRt SeRvIcE💞
💞ROYAL💞 UDAIPUR ESCORTS Call 09602870969 CaLL GiRLS in UdAiPuR EsCoRt SeRvIcE💞💞ROYAL💞 UDAIPUR ESCORTS Call 09602870969 CaLL GiRLS in UdAiPuR EsCoRt SeRvIcE💞
💞ROYAL💞 UDAIPUR ESCORTS Call 09602870969 CaLL GiRLS in UdAiPuR EsCoRt SeRvIcE💞
 
💕COD Call Girls In Kurukshetra 08168329307 Pehowa Escort Service
💕COD Call Girls In Kurukshetra 08168329307 Pehowa Escort Service💕COD Call Girls In Kurukshetra 08168329307 Pehowa Escort Service
💕COD Call Girls In Kurukshetra 08168329307 Pehowa Escort Service
 
Call Girls In Karol Bagh__ 8448079011 Escort Service in Delhi
Call Girls In Karol Bagh__ 8448079011 Escort Service in DelhiCall Girls In Karol Bagh__ 8448079011 Escort Service in Delhi
Call Girls In Karol Bagh__ 8448079011 Escort Service in Delhi
 
Zirakpur Call Girls👧 Book Now📱8146719683 📞👉Mohali Call Girl Service No Advanc...
Zirakpur Call Girls👧 Book Now📱8146719683 📞👉Mohali Call Girl Service No Advanc...Zirakpur Call Girls👧 Book Now📱8146719683 📞👉Mohali Call Girl Service No Advanc...
Zirakpur Call Girls👧 Book Now📱8146719683 📞👉Mohali Call Girl Service No Advanc...
 
High Class Call Girls in Bangalore 📱9136956627📱
High Class Call Girls in Bangalore 📱9136956627📱High Class Call Girls in Bangalore 📱9136956627📱
High Class Call Girls in Bangalore 📱9136956627📱
 
AliExpress Clothing Brand Media Planning
AliExpress Clothing Brand Media PlanningAliExpress Clothing Brand Media Planning
AliExpress Clothing Brand Media Planning
 
New Call Girls In Panipat 08168329307 Shamli Israna Escorts Service
New Call Girls In Panipat 08168329307 Shamli Israna Escorts ServiceNew Call Girls In Panipat 08168329307 Shamli Israna Escorts Service
New Call Girls In Panipat 08168329307 Shamli Israna Escorts Service
 
Call Girls Service In Udaipur 9602870969 Sajjangarh Udaipur EsCoRtS
Call Girls Service In Udaipur 9602870969 Sajjangarh Udaipur EsCoRtSCall Girls Service In Udaipur 9602870969 Sajjangarh Udaipur EsCoRtS
Call Girls Service In Udaipur 9602870969 Sajjangarh Udaipur EsCoRtS
 
Call Girls In Lajpat Nagar__ 8448079011 __Escort Service In Delhi
Call Girls In Lajpat Nagar__ 8448079011 __Escort Service In DelhiCall Girls In Lajpat Nagar__ 8448079011 __Escort Service In Delhi
Call Girls In Lajpat Nagar__ 8448079011 __Escort Service In Delhi
 
Hi Profile Escorts In Udaipur 09602870969 Call Girls in Sobaghpura Bhopalpura
Hi Profile Escorts In Udaipur 09602870969 Call Girls in Sobaghpura BhopalpuraHi Profile Escorts In Udaipur 09602870969 Call Girls in Sobaghpura Bhopalpura
Hi Profile Escorts In Udaipur 09602870969 Call Girls in Sobaghpura Bhopalpura
 
Call Now ☎ 8264348440 !! Call Girls in Govindpuri Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Govindpuri Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Govindpuri Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Govindpuri Escort Service Delhi N.C.R.
 
"Maximizing your savings:The power of financial planning".pptx
"Maximizing your savings:The power of financial planning".pptx"Maximizing your savings:The power of financial planning".pptx
"Maximizing your savings:The power of financial planning".pptx
 
Call Girls in civil lines Delhi 8264348440 ✅ call girls ❤️
Call Girls in civil lines Delhi 8264348440 ✅ call girls ❤️Call Girls in civil lines Delhi 8264348440 ✅ call girls ❤️
Call Girls in civil lines Delhi 8264348440 ✅ call girls ❤️
 
9892124323 Pooja Nehwal - Book Local Housewife call girls in Nalasopara at Ch...
9892124323 Pooja Nehwal - Book Local Housewife call girls in Nalasopara at Ch...9892124323 Pooja Nehwal - Book Local Housewife call girls in Nalasopara at Ch...
9892124323 Pooja Nehwal - Book Local Housewife call girls in Nalasopara at Ch...
 
Call girls in Vashi Services : 9167673311 Free Delivery 24x7 at Your Doorstep
Call girls in Vashi Services :  9167673311 Free Delivery 24x7 at Your DoorstepCall girls in Vashi Services :  9167673311 Free Delivery 24x7 at Your Doorstep
Call girls in Vashi Services : 9167673311 Free Delivery 24x7 at Your Doorstep
 

Information security (management) at stake in belgium 2017 v1.2

5. WE LIVE IN AN INFORMATION SOCIETY !
Information has become an intelligence factor for businesses in all sectors of the economy.
- We want to know the consuming and living habits of people:
  - to attract them and propose new services in real life: e-banking and payment services, entertainment, e-health and social security services, e-learning, e-commerce;
  - or simply to make life easier through a bunch of digital channels.
BUT what happens if these channels, and the providers at the end of them, are not protected?
- Our present and forthcoming way of life will be jeopardized (loss of privacy, denial of service!)
- We need Information Security Management at mass-media level, i.e. at the scale of the whole population!
6. INFORMATION SECURITY MANAGEMENT: WHAT'S IN IT FOR ME?
What is the value of Information Security Management at mass-media level in our life?
- Known and safe usage of secured IT services over the Internet
- A cyberspace made safer for both consumers and providers
- Trust in using information and telecommunication means
- Chasing the bad actors out of the Web (criminality and terrorism)
- Protection of our way of life
Realising it means:
- Adopting a systems-wide protection strategy and policy for our country-wide critical information assets
- Adopting an 'enlightened' behaviour when using cyberspace
7. WHERE SHOULD INFORMATION SECURITY APPLY?
How to obtain Information Security Management at mass-media level in our life?
- Be aware! Risk and threat evaluation is an on-going practice for making, using and distributing information on a need-to-know basis.
- Protect our way of life by adopting a systems-wide approach, a vision for information security and protection policies for our country-wide critical information assets:
  - social security, health;
  - transport (ports and civil aviation);
  - energy (electricity, gas, petrol);
  - finance (National Bank of Belgium, banks) and telecom operators;
  - education (universities, R&D);
  - the economy itself;
  - federal and federated public services; political levels.
8. PROTECTION OF E-GOVERNMENT SOCIAL SECURITY ASSETS (CBSS / BCSS / KSZ)
Security governance for the social sector
- Assets to be protected:
  - Social security rights and health practice for the Belgian population
  - Capacity of information exchange between the social security actors
  - Data privacy
- Response: a federated capacity for exchanging information using safe and reliable electronic means across all actors of the sector:
  - The Crossroads Bank for Social Security (CBSS / BCSS / KSZ), started in the early 1990s
  - The eHealth platform, federating health practitioners
Both implement a strong Information Security Management strategy and policy within a legal framework based on a Royal Decree of 1993, including the appointment of Information Security Officers.
9. PROTECTION OF E-GOVERNMENT ASSETS (CBSS / BCSS / KSZ)
[Diagram: the CBSS (with the eHealth platform) as the hub of the social security network, connected to FPS Social Security and Health, CPAS/OCMW, INASTI, OSSOM, INAMI/RIZIV, ONAFTS, ONP and others. Transformation at stake for the 6th State Reform. Only a high-level view; the actual BCSS network is much larger.]
10. PROTECTION OF E-GOVERNMENT ASSETS (FEDICT: FEDERAL PUBLIC SERVICE ICT)
Security governance for FEDICT
- Assets to be protected (the catalogue of e-gov services):
  - the digital identity of the Belgian population, using the eID
  - the accesses to the federal portal services
  - the federal portal services themselves, giving access to authentic sources such as the Crossroads Bank for Enterprises, the CBSS or FPS Finance (Tax-on-Web application)
- Trust has to be built when using communication services:
  - FedMAN network; middleware(s)
  - Communication and services such as mail relay, file transfer, remote access
Offering a secured and reliable availability of 99.5%, almost 24/7, and continuity of service.
11. PROTECTION OF E-GOVERNMENT ASSETS (FEDICT)
Security governance for FEDICT: response for digital identity
- Establishing the eID pilot and roll-out programme with the National Register
- Royal Decree for the eID card; governance of the Certification Authority (Belgian root PKI); service management and monitoring; live verification of business continuity
- Performing a risk assessment of the cryptography with COSIC (KU Leuven) and the Crypto Group (UCL)
- eID proxy, eID middleware, eID card readers, with IT industry actors (Microsoft)
- Encouraging usage of the eID by linking with AGORIA and security initiatives (L-SEC), a pilot in the financial sector (Ethias), presentations to cities
12. PROTECTION OF E-GOVERNMENT ASSETS (FEDICT)
Response for protecting accesses to www.belgium.be:
- Perimeter security defence in several network zones (V1, V2) for the public interface
- IAM (simple and strong authentication) integrated with user management, mandates and federation of identities (led to the e-gov logon and the CSAM federal logon)
- Disaster recovery planning on two nodes for V1; full business continuity / DRP planning for V2
- FedMAN protection (technical measures and the CERT.be organisation)
- Regular and permanent vulnerability scanning
13. PROTECTION OF E-GOVERNMENT ASSETS (FEDICT)
Response for the portal services themselves:
- Escrow service for the portal software developed by suppliers
- Business impact analysis for Tax-on-Web, verifying the DRP
- Negotiation of tight SLAs and penalties with Accenture
Managed secured services to protect communication channels:
- Secured mail relay, file transfer, secured remote access (VPN/SSL)
- Additional shared firewall service
- Digital certificates for critical servers
- Vulnerability scanning
14. BE-AWARE: EVANGELISATION OF FEDERAL PUBLIC SERVICES
Security governance for the (13) Federal Public Services
- Starts with awareness of ISM for the chairmen, on the business continuity theme
- Recruiting a CISO and an ISO team focused on risk assessment and continuity, as the start of the security expertise pole
- Organising an InfoSec forum inside the Federal Public Services with the CISO and the ISOs of the FPSs
- Animating the forum and adopting ISO 27k as the InfoSec framework
- Defining roles and responsibilities of the ISO and an organic career path inside the public services via FPS P&O
- Standards and best practices for Information Security Management
15. BE-AWARE: EVANGELISATION OF FEDERAL PUBLIC SERVICES
- Royal Decree for the formal nomination of an ISO reporting to the chairman of each FPS
- InfoSec expertise available from the Fedict service catalogue for all FPSs, public interest bodies (OIP) and Regions
- Business impact / risk assessment to deduce the protection measures
- Presence in the Business Continuity Steering Committee of FPS Finance (BIA / DRP capabilities)
- General advice to the Regions on InfoSec matters (governance, roles and responsibilities)
- Offering of managed security (and secured) services from the Fedict catalogue
16. INSTITUTIONAL BELGIAN LANDSCAPE
- Federal Public Services: 10 sectoral + 4 horizontal (will change with the 6th State Reform)
- FPS Interior: National Register, accountable for managing the organic identification of the Belgian population and keeping it up to date in the National Register
- FPS Economy: accountable for the economy, consumer regulation, ... and the Crossroads Bank for Enterprises
- FPS Finance: accountable for funding the State by collecting taxes
- FPS Justice: accountable for justice (courts, prisons, law and legal enforcement)
- FPS ICT (FEDICT): accountable for e-government (except in the social security sector -> CBSS); description of the federal public services on www.belgium.be
17. INSTITUTIONAL BELGIAN LANDSCAPE
Public services nested at federal level dealing with InfoSec:
- ANS-NVO [National Security Authority], FPS Foreign Affairs: security clearances and accreditation of information systems handling classified information
- Computer Crime Unit (federal and regional), FPS Interior (Police): cybercrime in civil society in general; investigates complaints
- Crisis Centre, FPS Interior: coordination of a crisis from the viewpoint of the emergency services when the damage reaches level 4 (national level); liaises with the provincial governors
- SGRS [Military Intelligence], FPS Defence: accountable for military intelligence and the protection of the military
- State Security, FPS Justice: civil intelligence, security clearance enquiries
18. INSTITUTIONAL BELGIAN LANDSCAPE
Other legal institutions:
- Commission for the Protection of Privacy (Privacy Commission):
  - Parliamentary commission composed of magistrates and experts
  - Issues authorisations for the processing of personal data in information systems according to the laws of 1992, 1998 and 2003
  - Grants exemptions in cases of public security / State interest
- FEDICT is the sectoral authority that submits the FPSs' authorisation files to the Privacy Commission to obtain authorisation for the processing of personal data in the federal information systems
19. A 'GLIMPSE' AT THE LEGAL CONTEXTS
- Belgium and the European Union:
  - Identity and signature
  - Protection of vital assets
  - Privacy
  - Intellectual property
  - Criminality
  - Organisation of the federal authorities
- Outside the European Union (United States):
  - US Safe Harbor ...
  - US Patriot Act
20. A 'GLIMPSE' AT THE LEGAL CONTEXTS: IDENTITY AND SIGNATURE
- FPS Interior, National Register: custodian of the identity of Belgians from birth until death. Each Belgian is assigned a single, unique National Register Number whose first sequence is the birth date (YYMMDD).
- Royal Decree on the eID (format, data fields, digital certificates on the card): the eID combines the legal definition of a document with a digital container holding strictly the data needed to identify the holder and locate the official residence, plus two digital certificates: one to authenticate, one to sign documents with the value of a qualified (handwritten-equivalent) signature.
- Electronic signature: EU Directive 1999/93/EC, transposed by the Belgian law of 9 July 2001 on electronic signatures and certification services. An electronic signature cannot be denied legal effect solely because it is in electronic form; a qualified electronic signature relies on a qualified certificate issued by an accredited Certification Authority and is equivalent to a handwritten signature.
- FPS Economy controls and accredits the Certification Authorities (e.g. Certipost).
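The two-certificate design described on this slide (one certificate for authentication, one for signatures, both issued under a root PKI) is illustrated below in Go. This is an added example, not FEDICT's or the eID's own code: it builds a toy hierarchy in software (the names "Example Root CA", "Example Citizen CA" and the Card type are assumptions; the real card keeps its keys in the chip), and the verifier shows the check a relying party must make: a document signature is accepted only if the certificate chains to a trusted root and carries the nonRepudiation (contentCommitment) key usage, so a signature made with the authentication certificate is refused even though it is cryptographically valid.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Card models an eID-style smart card: two key pairs and two certificates, one for
// authentication and one for qualified signatures (hypothetical model, keys in software).
type Card struct {
	AuthCert, SignCert *x509.Certificate
	AuthKey, SignKey   *ecdsa.PrivateKey
	Roots, Inters      *x509.CertPool
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a minimal X.509 template; ku selects the key-usage bits.
func template(serial int64, cn string, ku x509.KeyUsage, isCA bool) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Country: []string{"BE"}, CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		KeyUsage:              ku,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
}

// issue generates a fresh P-256 key for tmpl and has parent sign it; nil parent = self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// NewCard issues Root CA -> Citizen CA -> {authentication, signature} certificates.
func NewCard(holder string) *Card {
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey := issue(template(1, "Example Root CA", caUsage, true), nil, nil)
	citizen, citizenKey := issue(template(2, "Example Citizen CA", caUsage, true), root, rootKey)
	// Authentication certificate: digitalSignature + clientAuth, used for logon challenges.
	authTmpl := template(3, holder+" (Authentication)", x509.KeyUsageDigitalSignature, false)
	authTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	authCert, authKey := issue(authTmpl, citizen, citizenKey)
	// Signature certificate: nonRepudiation (contentCommitment) marks the key whose signatures carry legal value.
	signCert, signKey := issue(template(4, holder+" (Signature)", x509.KeyUsageContentCommitment, false), citizen, citizenKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(citizen)
	return &Card{authCert, signCert, authKey, signKey, roots, inters}
}

// Sign returns an ECDSA/SHA-256 signature (ASN.1 DER) over doc with key.
func Sign(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// VerifyQualifiedSignature is the relying party's check: chain to a trusted root, nonRepudiation
// key usage present, signature valid. An authentication certificate is refused even though its
// signature would verify cryptographically.
func VerifyQualifiedSignature(doc, sig []byte, cert *x509.Certificate, roots, inters *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageContentCommitment == 0 {
		return fmt.Errorf("not a signature certificate: nonRepudiation key usage absent")
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("bad signature: %w", err)
	}
	return nil
}

func main() {
	card := NewCard("Jane Citizen")
	doc := []byte("constructed sample document") // constructed input, not real data
	sig, _ := Sign(card.SignKey, doc)
	fmt.Println("signature cert:", VerifyQualifiedSignature(doc, sig, card.SignCert, card.Roots, card.Inters))
	authSig, _ := Sign(card.AuthKey, doc)
	fmt.Println("authentication cert:", VerifyQualifiedSignature(doc, authSig, card.AuthCert, card.Roots, card.Inters))
}
```

The order of the checks matters: the chain is validated before the key-usage policy, so a certificate from a PKI the relying party does not trust is rejected whatever its key-usage bits claim; the key-usage test then separates the two certificates of one and the same holder, which is what gives the signature certificate its non-repudiation value.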
21. A 'GLIMPSE' AT THE LEGAL CONTEXTS: PROTECTION OF VITAL ASSETS, CLASSIFIED INFORMATION
- Classified information is handled by individuals and by information systems.
- The law of 11 December 1998 paved the way for information classification and for security clearances of the individuals (and firms) handling this type of information, enforced by the Royal Decree of 24 March 2000. Classification levels, and the clearance required of individuals, are defined by the damage caused if the information is divulged. A Royal Decree of 2013 sets the fees for obtaining a clearance.

Damage to national security if divulged | BE | EU | NATO
Very serious | TRES SECRET | TRES SECRET UE | COSMIC TOP SECRET (CTS)
Serious | SECRET | SECRET UE | NATO SECRET (NS)
Breach | CONFIDENTIEL | CONFIDENTIEL UE | NATO CONFIDENTIAL (NC)
Effect | (diffusion restreinte: a handling marking, not a legal classification level) | RESTREINT UE | NATO RESTRICTED (NR)
None | - | - | NATO UNCLASSIFIED
22. A 'GLIMPSE' AT THE LEGAL CONTEXTS: PROTECTION OF VITAL ASSETS, CLASSIFIED INFORMATION (continued)
- Security clearance of individuals (and firms) is handled by ANS-NVO [NSA]:
  - the level is based on the need-to-know of the job;
  - ANS asks State Security (civilians) or SGRS (military) to carry out the enquiry (private life and security record).
- Information systems accreditation, following Council Decision 2001/264/EC, in three steps: evaluation, certification, accreditation:
  - Evaluation: by experts, auditors or an accredited laboratory
  - Certification: conformance certificates are issued by control bodies accredited by BELAC
  - Accreditation body: ANS, in association with BELAC
23. A 'GLIMPSE' AT THE LEGAL CONTEXTS: PROTECTION OF VITAL ASSETS, CRITICAL INFRASTRUCTURES OF BELGIUM
- Council Directive 2008/114/EC: European critical infrastructures (energy and transport sectors)
- Belgian law of 1 July 2011 on Belgian critical infrastructures, Royal Decree of 27 May 2014:
  - Adds the finance and electronic communications sectors
  - Scoping of vital functions: health, social, security/safety, economic prosperity
  - Acting through sectoral authorities or 'regulators':
    - Finance: National Bank of Belgium (oversight of banks and financial institutions)
    - FSMA (Financial Services and Markets Authority): regulator for insurance companies
    - Telecommunications: Belgian Institute for Postal services and Telecommunications (BIPT)
    - Energy: CREG / AFCN
    - ...
  - Every operator of an infrastructure recognised as critical at country level must develop and exercise a security plan, in particular for business continuity.
24. A 'GLIMPSE' AT THE LEGAL CONTEXTS: PRIVACY
- The electronic communications law of 13 June 2005 concerns:
  - Operators, constrained to:
    - security measures (technical / organisational)
    - free security services
    - notification of security incidents to the BIPT, the Privacy Commission and customers
    - allowing audit by the BIPT or a mandated independent body
    - retention of traffic data (traffic / geolocation)
  - The BIPT as regulator, accountable for:
    - security of telecommunications, coordination, oversight of problem detection
    - instructions, controls and recommendations to operators
• 25. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS – Privacy
 EU GDPR: European Union General Data Protection Regulation of May 2016
 Not a Directive; it replaces the former EU Directive on Privacy (which needed to be ratified by each national parliament to become a Member State law – Subsidiarity Principle)
 GDPR is a Regulation, thus it places an immediate compliance obligation on all Member States from the day it was voted by the European Parliament and published in the L series of the Official Journal (26 May 2016)
 Implies an immediate compliance exercise, to be completed by 2018
 As of 2018, the EU (EC) can audit companies and impose legally heavy financial penalties:
 For light or medium infringements of GDPR: €10 million
 For severe infringements of GDPR: €20 million or 4% of the turnover of the group of companies that a holding controls
• 26. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS – Privacy when working in the private sector – CCT 81 (26/4/2002):
 Control of communication data in the workplace
 End goals:
1. Prevent illegal and illicit behaviours (hacking, racism, paedophilia, …)
2. Protection of the employer’s interests
3. Technical security of systems
4. Respect of internal regulations (policy for the usage of Information Systems, …)
 Proportionality and Transparency:
 Minimal interference in private life; information is to be given collectively and individually
 Anomaly in cases 1, 2 or 3 -> find the individual root cause
 Anomaly in case 4 -> collective warning, and if the anomaly is repeated -> find the individual root cause
 Filtering of data (journalling and random controls)
• 27. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS – Intellectual Property
 Directive 91/250: computer programs
 Directive 96/9: databases
 Directive 2001/29: authors’ rights – information society
 Law (10/04/2014): Intellectual Property
 Best practices to protect critical IT assets in software developed by your providers:
 Acquisition of a specialised escrow service;
 Inclusion of an IP rights clause and an escrow agreement mechanism in public procurement procedures;
 Verification of system rebuild capabilities at three levels (deposit of source code, rebuild of a minimal system, rebuild of the major part of the system’s functions).
• 28. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS – Criminality
 Directive 2013/40 – Attacks against Information Systems
 Law (28/11/200): computer criminality – ‘Code Pénal: art 116-118’
 Directive 2006/24: retention of traffic data
 Law (30/7/2013): retention of traffic data and geolocation
 Court of Justice decision: abrogation of the 2006 directive (you know more will come ….)
Scope:
 Computer forgery, access rights abuse, sabotage,
 Distribution of illicitly acquired data, distribution of harmful data;
 Defence / State Security: communication of data and information to a foreign country
 Retention of data / geolocation
• 29. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS – Organisation of the Federal Authority
 1990: Organic Law constituting the CBSS – KSZ – BCSS
 1993: Royal Decree for information security in the Social Security sector
 1997: Royal Decree for communication between social institutions
 2001: Royal Decree establishing FEDICT
 2007: Modification of the FEDICT Royal Decree to participate in the 7th R&D Framework Programme of the European Commission with the STORK project (interoperability of digital identities across the EU)
 2012: ‘FEDICT’ or ‘Only Once’ law: FEDICT as federal services integrator acting as Trusted Third Party
 2013: Royal Decree for (Chief) Information Security Officers in FPSs
 2014: Royal Decree founding the Belgian Cybersecurity Center
• 30. A ‘GLIMPSE’ AT THE LEGAL CONTEXTS – United States
US Safe Harbour
 EU Directive 95/46: prohibition of transferring personal data outside the EEA, with exceptions (at an equivalent protection level)
 2001: Agreement CEC / US Department of Commerce
 Principles: notification and freedom of choice of the individual, security, processing of data conformant to the declared end goal, access rights and correction
US Patriot Act (2001)
 Reaction to 9/11 -> mandate for digital screening and for taking data into custody.
 Concerns data hosted in the US and anywhere in the world.
 Concerns any company (US, subsidiaries, and non-US companies on US soil)
• 31. BE-NETWORKED: BELNIS PLATFORM
 Initiative of FEDICT’s Minister Peter Vanvelthoven (2005)
 Identify the major Information Security stakeholders at the level of the State
 Put them around a round table and discuss the competences of their institutional mandate regarding Information Security (and the available means …)
 Federate the interests and form a guiding expert coalition to raise awareness, in the wider sense, of the Belgian Government first and of the Belgian Information Society at large
 Prepare minds for appraising the chain and the degree of Information Security maturity in Belgium
o Liaise with European security initiatives (ENISA through BIPT)
o Animate working groups on security subject matters
o Produce a White Paper for Information Security and propose improvements (2007)
o Goal: make Information Security a dedicated point on the governmental agenda
• 32. [Diagram: BelNIS & Cybersecurity Strategy – stakeholders shown around BelNIS: FCCU, FEDICT, CERT.be, State Security (Sûreté de l’État), CCB, ANS, DGCC, Belac, SGRS, IBPT, Industries, Academics, International. Caption: Transformation at Stake for the 6th State Reform Redesign]
• 33. BE-NETWORKED: BELNIS STAKEHOLDERS
Starting in 2005:
 FEDICT, actor and federator of the platform
 Invited at an oval table:
 FCCU: Federal Computer Crime Unit – from FPS Interior
 Belac: from FPS Economy – accreditation body for Information Security
 DG CC: Crisis Center – from FPS Interior
 ANS: Autorité Nationale de Sécurité (security clearances and accreditation of classified information systems) – from FPS Foreign Affairs
 BIPT: Belgian Institute for Post and Telecommunications (regulator)
 State Security
 SGRS: Military Intelligence
 Belac: accreditation of IS dealing with classified information
• 34. BE-NETWORKED: BELNIS PLATFORM
 BelNIS made itself aware of the global InfoSec situation in Belgium
 BelNIS liaises with ENISA through IBPT/FEDICT, sharing 2 seats
 BelNIS structured itself in subject-matter workgroups and has produced:
 The White Paper for Information Security for Belgium in 2007
 Creation of Cert.be (FEDICT funding and BELNET operations) to protect federal assets in 2009 (namely FedMan and the Internet connection points)
 Examination of the business case for the creation of a National Security Agency, concluding that such a ‘vertical response’ was not quite appropriate
 National Strategy for Cybersecurity in 2012, with a push for the creation of a Cybersecurity Center for the whole of Belgium (the missing ‘Core’) in 2014
• 35. BE-NETWORKED: BELNIS PLATFORM
 BelNIS actors also participated in the first steps of creating Industry and Academy awareness
 2011 KUL initiative: B-CCentre: cybercrime centre for Excellence, R&D and Education (COSIC, ICRI, L-Sec members, etc.)
 2014-2015: Cyber Security Coalition
 Cybercoalition: cross-sector partnership between players from the academic world, the public authorities and the private sector to join forces in the fight against cybercrime (50 major actors … to develop further)
• 36. BE-NETWORKED: BCC
 BCC: Belgian Cybersecurity Center
 Founded by Royal Decree in 2014, headed by Miguel De Bruycker
 Reporting to the Chancellery under the PM’s umbrella
 Operational arm arising out of the BelNIS platform
 Missions:
 Supervision of the InfoSec strategy
 Coordination of public authorities
 Coordination public / private / academy
 Proposals to adapt the legal framework
 Crisis management with Cert.be
 Issuing standards and directives for InfoSec
 Evaluation and accreditation of classified Information Systems (with BELAC)
 User awareness
• 37. THE WAY FORWARD
Major actors are still lacking in this story:
 FPS Economy itself, for developing a Belgian Information Society (policy is hardly set from FPS Economy) that cares for e-services (e-commerce, e-payment infrastructure – Worldline and others) and establishes a digital security capacity in Belgium, linking with the European Union level.
 Sectoral regulators:
 BIPT is in it; NBB has warned the banking sector to care for business continuity and information security practices (will it be sufficient?)
 Others? What about CREG (energy), the transport sector, etc.?
 Market-leading operators in all the sectors (only 50 in the coalition)
 Federations of providers and consumers (COMEOS)? …..
 We still have a huge chunk of work to raise awareness, protect and enable growth of the complete economic blocks of Belgium!
• 38. THE WAY FORWARD
 EUROPE IS MOVING ON DATA PROTECTION AND REGULATIONS to push Member States to act: EU GDPR – global, with heavy fines if not compliant by May 2018 -> huge impact on the data management lifecycle, through the modification of data classification, meaning an impact on the data back-up/restore capability of global storage solutions and on DR capabilities, as well as on processes
 EUROPE is constraining the Sectoral Authorities with more stringent regulations in every sector to fight against crime and to upgrade business continuity operations; there will be more in the coming months, establishing the relevant governance by forcing continuity.
 Namely, this is the case of the Finance sectors through BNB and CSSF regulations in the Belux context, which evolve under stronger pressure from the European Central Bank and force compliance through continuity and security audits by competent experts from the domain (banking, insurance, investment companies, e-payment services)
 The other domains follow as well: Telecoms (BIPT), Energy (CREG), etc. shall comply
• 39. EPILOGUE
 Information Security Management relies on a federation of interests: public authorities, consumers and providers of information, data and channels to do business.
 Trust will be the combination of a chain of actions from all the actors of the Information Society: industry, academia, etc., but also internationally (EU, USA, Asia/Pacific, India, Middle East)
 Information Security Management will provide protection only if a continuum of efforts and actions is continuously supported in the long run by business communities. It is too often left to techie people! Think to secure and protect your business first, before thinking of technologies: only the business is capable of considering business risks and consequences.
 Don’t leave public authorities alone in this journey; participate!
 Convince your executives to fund Information Security Management for their own good; make sure that the highest executive level invests in a regular risk management and protection practice for your business assets that use information.
• 40. CONTINUUM OF THE JOURNEY IN 2016
Accountable for InfoSec Management inside your corporation?:
 Organise Security Governance (the use of it) and Management (the making of it) inside your corporation – use recognised international standards (COBIT 5, ISO 27k, MOR / ISO 31k, InfoSec, ITIL, TOGAF, SABSA and IT best-practice standards) AND tailor them to your businesses!
 Be sponsored at the highest level by forming a Steering Committee (or Sponsor Group)
 Ask to report to the highest executive level of the hierarchy (it must be close to the business strategies and valued assets)
 As a Senior Responsible Owner, propose a 360° vision inside the company and outside the company (look at your customers): Enterprise Architecture, IT services.
 Information Security must protect, enable and support the growth of the company’s businesses.
• 41. AND NOW 2017 – GDPR READINESS?
 EU GDPR: readiness for 2018 is still fuzzy, since the practical part of the organisation is not yet mature:
 The EDP Board still has some work to deliver with the national representatives
 Compliance with GDPR:
 How to organise recognition? A label, a certificate? This is not dealt with.
 What will the ‘sectoral codes of conduct’ or ‘binding corporate rules’ be?
 Reading of GDPR: some sections of the regulation are still confusing
 Interpretation of minor/major infringement: where to put the cursor for repeated minor ones?
• 42. AND NOW 2017 – GDPR READINESS?
 Preparation of each sector:
 How to behave?
 Do we have the fundamentals to act when handling personal data?
 Can we start from an existing practice (Privacy law, 95/46 integrated) in house?
 Do we have enough knowledge to model the interactions dealing with inside and outside Data Controller and Data Processor role models?
 Do we ask the right questions for data handling from the start (consent)?
 For covering the past (history – right to be forgotten)?
 For anticipating the future (GDPR)?
• 43. AND NOW 2017 – GDPR READINESS?
 Do we have a clear view on modifying our Information Systems to provide the functions needed to support the rights claimed?
 And in each step of the data management handling cycles, including data security inside and outside?
 Will we be more serious about data breaches and take complementary security controls (Data Loss Prevention solutions?)
 It is anticipated that GDPR readiness will start with:
 a major health-check exercise of Information Systems against their capability of supporting and handling classified data, amongst which ‘personal data’ can be labelled and isolated from an aggregated (Big Data) or generic data set (bulk back-ups)
 audit of, installation of, or reinforcement of Information and Cybersecurity management systems
 but also of the needed architecture that provides the required services to the persons exercising their rights. Business processes and the Data Architecture must be known.
• 44. THANKS
 To all Information Security professionals delivering ‘on top of’ their normal work, sharing expertise and concerns!
 For perseverance and being patient
 For the audience listening to or having read this journey … and this is still a ‘Hobbit Journey’ or maybe a ‘Never-ending Story’, because Information Security is here to stay …