Talk at the annual IT day - Iceland - 2016
In 2016, I was honored to give a talk at the annual IT Day for the second year in a row. The theme of IT Day 2016 was "A Date with a Secure Future: Threats, Opportunities and Challenges".
This is an annual event organized by the Ministry of Interior in Iceland. Other speakers at the conference included the Director of the Data Protection Authority of Iceland, the Director of the Norwegian Data Protection Authority, the Director of the Post and Telecom Administration of Iceland, lawyers from the Ministry of Interior in Iceland, the head of IT Security at the Data Protection Authority in Iceland and a member of law enforcement from the IT Forensic department of the Reykjavik Metropolitan Police.
I was thankful for the opportunity to introduce and share some of the work I had been doing with the Ministry of the Interior in Iceland. This includes a draft of a contract annex, an example risk assessment and risk treatment process, and an elementary & straightforward risk assessment and risk treatment form.
Contract annex (draft)
As we found out while following up on some of the security vulnerabilities discovered in the previous year's security assessment, some people assume that when they outsource their IT systems to a hosting company, the hosting company will take care of IT security (installing security updates, notifying them of potential breaches, performing vulnerability assessments, etc.). The same goes for outsourcing or buying software solutions (e.g., web content management systems). They expect that a formal and secure software development process is followed, that they will be notified of security vulnerabilities as these are discovered, and that they will receive security updates for free. As logical or illogical as those assumptions may be, this is not always the case.
The contract annex (draft) addresses these issues (and more). The contract annex spans eight pages and introduces various requirements on service providers, such as implementing a security policy, assigning IT security responsibilities to employees, risk assessments, formal access control, security updates, vulnerability assessments, penetration testing, intrusion detection/prevention systems, incident management, internal auditing, collaboration with the government, non-disclosure agreements, training of employees and contractors in IT security, reporting requirements (e.g. of security breaches) and more.
The idea was to cover all the areas people assumed were already being taken care of. If you're interested, you can download the PDF of the contract annex and use Google Translate for files to translate its content to your language. While the primary goal of this contract annex is to be used by government entities, it is accessible and downloadable for others, who can go through it and use it as inspiration for their own contracts or contract annexes.
It's worth mentioning that the controls listed in the contract annex can be very valuable in GDPR compliance-related work.
Risk Assessment and Risk Treatment
A risk assessment is one of the cornerstones of information security, yet it is often overlooked and misunderstood. A risk assessment is the only realistic way to map out the risks your business faces, their probability and the potential impact they can have on your business, and then to prioritize your risk treatment plans accordingly. Here, you can find the Risk assessment and control implementation guidelines document, and here, you can find the Risk assessment and risk treatment template document.
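To make the probability-times-impact prioritization described above concrete, here is a small added example of a risk register in Python. It is constructed for this page and is not the Ministry's template, the guidelines document or the author's form; the 1-5 ordinal scales, the level thresholds (8 and 15), the sample risks and the proposed controls are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scales for likelihood and impact (assumed 1..5 scales, not from the page).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Risk:
    name: str
    likelihood: str                # key into LIKELIHOOD
    impact: str                    # key into IMPACT
    treatment: str = ""            # proposed control (hypothetical, for illustration)
    residual_likelihood: str = ""  # likelihood expected once the control is in place

    def score(self) -> int:
        """Inherent risk: likelihood x impact before any treatment."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Residual risk: the same product, using the post-treatment likelihood."""
        lk = self.residual_likelihood or self.likelihood
        return LIKELIHOOD[lk] * IMPACT[self.impact]


def level(score: int) -> str:
    """Map a numeric score onto the (assumed) low/medium/high bands."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest inherent risk first; ties broken by name for stable output."""
    return sorted(risks, key=lambda r: (-r.score(), r.name))


def treatment_plan(risks: List[Risk], minimum_level: str = "medium") -> List[Tuple[str, str, int, int]]:
    """Risks at or above minimum_level, in priority order, with inherent and residual scores."""
    plan = []
    for r in prioritize(risks):
        if LEVEL_ORDER[level(r.score())] >= LEVEL_ORDER[minimum_level]:
            plan.append((r.name, r.treatment, r.score(), r.residual_score()))
    return plan


# Constructed sample register; the entries and controls are illustrative only.
SAMPLE_RISKS = [
    Risk("Unpatched web CMS exposed to the internet", "likely", "major",
         "Contractual patch SLA plus periodic vulnerability assessment", "unlikely"),
    Risk("Hosting provider does not report breaches", "possible", "major",
         "Breach-notification clause in the contract annex", "unlikely"),
    Risk("Loss of laptop with full-disk encryption", "possible", "minor",
         "Accept; encryption already in place", "possible"),
    Risk("Flooding of the server room", "rare", "severe",
         "Accept; covered by off-site backups", "rare"),
]

if __name__ == "__main__":
    for name, control, inherent, residual in treatment_plan(SAMPLE_RISKS):
        print(f"{level(inherent):6} {inherent:2} -> {residual:2}  {name}: {control}")
```

Running the block prints only the two risks that reach the medium band, in priority order, each with its inherent and residual score. The point of carrying the residual score is that a treatment plan is not finished when a control is chosen: the register should show what risk remains so that management can decide whether that remainder is acceptable.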