Cost Effective Risk
26 October 2017
“Information Security is the process of establishing the required
reliability of information systems in terms of confidentiality, availability
and integrity, as well as the establishment, maintenance and
monitoring of a coherent package of accompanying measures.”
Source: Baseline Informatiebeveiliging Rijksoverheid (BIR)
❖ Dutch Government
❖ Departmentally confidential
and privacy risk class II.
❖ ISO:27001/2 + Extensions
❖ ± 300 requirements
❖ Comply or Explain
[Chart: number of BIR requirements per control area (scale 0 to 60): Organization of information security; Management of assets; Management of communication and operational processes; Acquisition, maintenance and development; Business Continuity Management]
How do Microsoft Online Services comply?
❖ KPMG report in Microsoft's Trust Center
❖ For Office 365, 91% of the BIR controls are either covered by
certifications or assurance standards, or are not in scope.
❖ Real-life scenario – SPO2-based DMS:
3 ‘explains’ out of 179 applicable requirements
❖ Data exfiltration
❖ Data deletion
❖ Malicious insider
❖ Account breach
❖ Elevation of privilege
❖ Password cracking
❖ Data spillage
❖ Phishing / whaling
❖ Baseline provides extensive guidance,
not only for government.
❖ Microsoft Office 365 and Azure provide
good coverage of requirements.
❖ Secure Score is a handy tool, but there’s more to it.
❖ There’s more coming up!
Thank you for your attention
Any questions?
We will take time for you at our booth.