The network attached devices inventory
as required by the Italian requirement of
“Minimal measures for ICT security” and
EU “General Data Protection Regulation”
Francesco Ciclosi, University of Camerino
© Francesco Ciclosi – June 2018
Summary
• The implementation and management of the software tools used to inventory all authorized and unauthorized devices in the University
• Unicam's integrated approach to the problem, used to manage:
– ISO 27001 and 27002 requirements
– the Italian ICT Minimum Security Measures for Public Administration (derived from the CIS Controls)
– GDPR requirements
– our existing ISMS implementation
The GDPR requirements
• Personal data is «any information relating to an identified or identifiable natural person (data subject)» (cf. Art. 4(1))
• This expands a concept already present in Directive 95/46/EC by:
– widening the notion of an identifiable natural person
– generalizing the notion of an identification number
A more expanded scope of protection
• An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to:
– an identifier (a name, an identification number, location data, an online identifier)
– one or more factors specific to the identity of that natural person (physical, physiological, genetic, mental, economic, cultural, social)
Many types of information
• For example, under Regulation (EU) 2016/679 the following can be classified as personal data:
– the person's name
– a mobile number
– an e-mail address
– credit card details
– payment details
– web browsing history
– images
– videos
– temperature
– GPS coordinates
– clinical data (such as blood pressure or blood glucose level)
Association as a source of identification
• Recital 30 counts, among the sources of identification of individuals, the association with "online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags"
• Furthermore, these identifiers "may leave traces which [...] may be used to create profiles of the natural persons and identify them"
• This is especially true when these elements are combined with unique identifiers and other information received by the servers
What does "all the means..." mean?
• Regulation (EU) 2016/679 tells us to consider "all the means reasonably likely to be used [...] to identify the natural person directly or indirectly" (cf. Recital 26)
• Therefore we must consider:
– every aspect of the identification activity
– the related technological knowledge
– a precise assessment on a case-by-case basis
• In other words, we must take into account:
– all objective factors (such as the cost of and the amount of time required for identification)
– the technology available at the time of the processing
– technological developments
Two important points
1. The possibility of identifying a natural person (for example through an IP address) is a clear means of verifying whether the processing in question falls within the material or territorial scope of the GDPR
2. The correct use of data protection techniques (namely anonymisation and pseudonymisation) can also help in determining whether a processing is wholly or partly within the scope of the GDPR
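The two previous slides argue that an IP address in the inventory becomes personal data, and that whether a technique is pseudonymisation or anonymisation depends on the "means reasonably likely to be used" to reverse it. The following is an added example, not code from the deck or from Unicam, showing the difference concretely: a keyed HMAC turns an IP or MAC into a pseudonym that only the key holder can link back (the key is the separately held "additional information"), whereas an unkeyed hash of an IPv4 address is reversed by simply enumerating the subnet, so it is neither anonymisation nor adequate pseudonymisation. The inventory rows and the key are constructed for the example; the deck does not say how Unicam pseudonymises its data.

```python
"""Pseudonymisation vs. weak 'anonymisation' of inventory identifiers (added example)."""
import hashlib
import hmac
import ipaddress

# Constructed inventory export rows (hypothetical devices, not Unicam data).
EXPORT_ROWS = [
    {"ip": "10.10.1.77", "mac": "00:11:22:aa:bb:03", "name": "nb-staff-07", "holder": "M. Rossi"},
    {"ip": "10.10.1.91", "mac": "b8:27:eb:11:22:33", "name": "raspberrypi", "holder": ""},
]

# Secret held only by authorised personnel: the "additional information" that
# must be kept separately from the pseudonymised data. Constructed value.
PSEUDONYM_KEY = b"example-key-rotate-me-and-never-ship-with-the-export"


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token: deterministic (so joins across exports still
    work) but not reversible without the key. Truncated to 16 hex chars."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(rows, key: bytes):
    """Replace the online identifiers (IP, MAC) and the holder with keyed tokens."""
    return [
        {
            "ip": pseudonym(r["ip"], key),
            "mac": pseudonym(r["mac"], key),
            "name": r["name"],
            "holder": pseudonym(r["holder"], key) if r["holder"] else "",
        }
        for r in rows
    ]


def matches(token: str, candidate: str, key: bytes) -> bool:
    """Authorised re-identification: only a key holder can confirm that a token
    belongs to a given IP/MAC (e.g. while handling a security incident)."""
    return hmac.compare_digest(token, pseudonym(candidate, key))


def unkeyed_hash(value: str) -> str:
    """What NOT to do: a plain, unkeyed hash of an IP address."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_ip_from_unkeyed_hash(token: str, network: str):
    """Recital 26 in practice: the IPv4 space is tiny, so an unkeyed hash is
    reversed by hashing every host of the subnet. Returns the IP or None."""
    for host in ipaddress.ip_network(network).hosts():
        if unkeyed_hash(str(host)) == token:
            return str(host)
    return None


def generalise_ip(ip: str, prefix_len: int = 24) -> str:
    """Anonymising alternative when re-identification is never needed: keep
    only the network part and drop the host identifier entirely."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


if __name__ == "__main__":
    for row in pseudonymise(EXPORT_ROWS, PSEUDONYM_KEY):
        print(row)
    weak = unkeyed_hash("10.10.1.77")
    print("recovered from unkeyed hash:", recover_ip_from_unkeyed_hash(weak, "10.10.1.0/24"))
    print("generalised:", generalise_ip("10.10.1.77"))
```

Whoever holds PSEUDONYM_KEY can still re-identify, so the pseudonymised export remains personal data in the hands of Unicam; it only reduces the risk when shared with people who do not hold the key. The generalised form (network prefix only) is what to use for reports that never need to point back at a single device.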
Compliance with the ISO 27000 family
• Unicam's implementation of the network attached devices inventory system is a means of ensuring compliance with the standards:
– ISO 27001:2013
– ISO 27002:2013
• This is done from both an organizational and a technical perspective
ISO 27001 and ISO 27002 compliance - 1
• In the main security control A.8 "Asset management", the principal category A.8.1 "Responsibility for assets" is divided into four controls, namely:
– inventory of assets (A.8.1.1)
– ownership of assets (A.8.1.2)
– acceptable use of assets (A.8.1.3)
– return of assets (A.8.1.4)
• The first two state that it is necessary to identify, draw up and maintain an inventory of the assets associated with information and information processing facilities
ISO 27001 and ISO 27002 compliance - 2
• In the main security control A.13 "Communications security", the principal category A.13.1 "Network security management" is divided into three controls, namely:
– network controls (A.13.1.1)
– security of network services (A.13.1.2)
– segregation in networks (A.13.1.3)
• The first one states that networks must be managed and controlled in order to protect information in systems and applications
• Therefore, full knowledge of which devices are connected to the network is an important element in guaranteeing its security
Difference between ISO and ABSC controls
• There are differences between the controls provided in the ISO 27002:2013 standard and those in the AgID Basic Security Controls (ABSC)
• An inventory system must include:
– all the assets connected to the network (according to the ABSC controls)
– all the assets owned by the organization (according to the ISO controls)
Our solution
• We resolved the mismatch between the two sets of controls in two steps:
1. We automatically populated the inventory with all the assets connected to the network
2. We manually added the other information related to the assets (those that are authorized and/or owned by the University)
The integration with the ISMS
• We issued a specific technical procedure within the Information Security Management System (ISMS)
• This is a complex task; in fact, the procedure refers to:
– the log management procedure
– the backup procedure
• The procedure was issued in December 2017 and implements the guidance of the Unicam Working Group on the application of the Italian Minimum Security Measures for ICT Security
The ABSC in the technical procedure

ABSC ID | FNCS ID | Control description
1.1.1 | ID.AM-1 | Implement an inventory of active resources related to ABSC 1.4
1.1.2 | ID.AM-1 | Implement ABSC 1.1.1 through an automated tool
1.2.1 | ID.AM-1 | Implement logging of the DHCP server operation
1.2.2 | ID.AM-1 | Use the information obtained from the DHCP logging to improve the inventory of resources and identify the resources not yet recorded
1.3.1 | ID.AM-1 | Update the inventory when new approved devices are connected to the network
1.3.2 | ID.AM-1 | Update the inventory with an automated tool when new approved devices are connected to the network
1.4.1 | ID.AM-1 | Manage the inventory of the resources of all the systems connected to the network and of the network devices themselves, registering at least the IP address
1.4.2 | ID.AM-1 | For all devices that have an IP address, the inventory must indicate the names of the machines, the function of the system, a holder responsible for the resource and the associated office. The inventory of resources created must also include information on whether the device is portable and/or personal

(FNCS = Italian National Cybersecurity Framework, whose subcategory identifiers follow the NIST Cybersecurity Framework; ID.AM-1 is "physical devices and systems within the organization are inventoried".)
The ABSC first family
• In this control family there is a difference between "resources" and "active resources":
– active resources: all the resources active on the network
– resources: all the resources active on the network that have also been authorized (more restrictive)
• The inventory must contain at least an IP address. Important point: this information could become personal data
Description of the solution
• The implemented solution is the SpiceWorks platform, which:
– scans the various University networks in order to automatically discover:
• all active resources
• all systems connected to the network
• all the network devices
– is installed on a Unicam Windows server
– is reachable for ordinary administrative use over an SSL/TLS connection, but only after authentication
– is also reachable via RDP, but only for specific system maintenance activities
Reporting and information management
• The SpiceWorks system allows us to obtain:
– filtered information, in order to:
• permit an immediate selection of the events that need verification
• organize the asset inventory
– a general overview of the situation and of its evolution over time:
• by creating a custom reporting system
• by creating custom dashboards
A SpiceWorks custom dashboard (screenshot)
The scanning tasks
• Inventory scanning runs in two different modes:
– automatic, once a day at a set time
– manual, on IT staff request, when the University has deployed new systems or network devices
• The SpiceWorks system also monitors the status of the servers and of the network every hour
The data integration
• The University's IT staff manually complete the data collected by the SpiceWorks inventory system with any missing information
• In particular, for the resources for which at least the IP address is registered, the following data are added (manually, if not already present):
– name of the device (e.g. the host name or the NetBIOS name)
– system function
– the holder responsible for the resource
– the structure (office) to which the resource is associated
– whether the device is portable and/or personal
Normal data analysis
• The data collected by the inventory tool are:
– analyzed manually
– processed only by authorized personnel
– integrated with the DHCP logs (only when necessary)
• this operation is possible only with a legal basis and in accordance with Regulation (EU) 2016/679
Special data analysis
• In the case of events or security incidents it is possible to manually analyze the DHCP logs
• This activity aims to correlate the data:
– present in the DHCP logs
– stored in the inventory management system
• This operation is possible only:
– with a legal basis
– in accordance with Regulation (EU) 2016/679
– by authorized personnel
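The correlation described on this slide, and the ABSC 1.2.2 / 1.4.2 requirements in the earlier table (use DHCP logging to find resources not yet recorded; every inventoried IP must carry name, function, holder, office and the portable/personal flags), come down to a join between active DHCP leases and the inventory. The following is an added example, not code from the deck or from Unicam, showing that join: it replays a DHCP audit log to find the leases still active, then classifies each one as registered, registered-but-moved (the inventory needs updating) or unregistered ("active resource" that is not yet a "resource"), and finally lists inventory rows missing an ABSC 1.4.2 attribute. The inventory and the log lines are constructed; the log layout follows the Windows DHCP server audit-log CSV (ID,Date,Time,Description,IP,Host Name,MAC), which is an assumption since the deck does not say which DHCP server Unicam runs. Because the leases carry IP addresses and host names, the output is personal data and must be handled under the same legal basis and access restrictions the slide describes.

```python
"""Reconcile active DHCP leases against the device inventory (added example)."""
import csv
import io
from datetime import datetime

# Attributes ABSC 1.4.2 requires for every inventoried device that has an IP.
REQUIRED_FIELDS = ("name", "function", "holder", "office", "portable", "personal")

# Constructed inventory records (hypothetical hosts, not Unicam data).
INVENTORY = [
    {"ip": "10.10.1.10", "mac": "00:11:22:aa:bb:01", "name": "srv-web01",
     "function": "web server", "holder": "ICT Office", "office": "Area ICT",
     "portable": False, "personal": False},
    {"ip": "10.10.1.21", "mac": "00:11:22:aa:bb:02", "name": "lib-pc-03",
     "function": "library workstation", "holder": "Library", "office": "Biblioteca",
     "portable": False, "personal": False},
    {"ip": "10.10.1.30", "mac": "00:11:22:aa:bb:03", "name": "nb-staff-07",
     "function": "", "holder": "", "office": "Area ICT",
     "portable": True, "personal": False},
]

# Constructed DHCP audit-log lines in the Windows DHCP server layout
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address,...).
# Event 10 = new lease, 11 = renewal, 12 = release, 17 = expiry.
DHCP_LOG = """\
10,06/12/18,08:15:02,Assign,10.10.1.21,lib-pc-03,001122AABB02,
11,06/12/18,08:20:45,Renew,10.10.1.10,srv-web01,001122AABB01,
10,06/12/18,09:02:11,Assign,10.10.1.77,nb-staff-07,001122AABB03,
10,06/12/18,09:40:30,Assign,10.10.1.88,android-c9f1,A4B1C2D3E4F5,
10,06/12/18,09:50:12,Assign,10.10.1.91,raspberrypi,B827EB112233,
12,06/12/18,10:05:00,Release,10.10.1.88,android-c9f1,A4B1C2D3E4F5,
"""

ACTIVE_EVENTS = {"10", "11"}   # the device holds an address on the network
RELEASE_EVENTS = {"12", "17"}  # the device no longer holds it


def normalize_mac(raw: str) -> str:
    """Lower-case, colon-separated MAC so log and inventory formats compare."""
    hexdigits = raw.replace(":", "").replace("-", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp_log(text: str) -> dict:
    """Return {mac: {'ip', 'host', 'seen'}} for leases still active at the end of the log."""
    leases = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7 or not row[0].isdigit():
            continue  # header, comment or malformed line
        event, date, clock, _desc, ip, host, mac = row[:7]
        if not mac:
            continue
        mac = normalize_mac(mac)
        if event in ACTIVE_EVENTS:
            leases[mac] = {"ip": ip, "host": host,
                           "seen": datetime.strptime(f"{date} {clock}", "%m/%d/%y %H:%M:%S")}
        elif event in RELEASE_EVENTS:
            leases.pop(mac, None)
    return leases


def reconcile(inventory: list, leases: dict) -> dict:
    """Classify each active lease against the inventory (ABSC 1.2.2 / 1.3.x)."""
    by_mac = {normalize_mac(d["mac"]): d for d in inventory}
    result = {"registered": [], "address_changed": [], "unregistered": []}
    for mac, lease in leases.items():
        rec = by_mac.get(mac)
        if rec is None:  # active resource that is not yet a recorded resource
            result["unregistered"].append((mac, lease["ip"], lease["host"]))
        elif rec["ip"] != lease["ip"]:  # known device, inventory IP is stale
            result["address_changed"].append((rec["name"], rec["ip"], lease["ip"]))
        else:
            result["registered"].append(rec["name"])
    return result


def incomplete_records(inventory: list) -> list:
    """Inventory rows missing an ABSC 1.4.2 attribute (False counts as present)."""
    missing = []
    for rec in inventory:
        absent = [f for f in REQUIRED_FIELDS if rec.get(f) is None or rec.get(f) == ""]
        if absent:
            missing.append((rec["ip"], absent))
    return missing


if __name__ == "__main__":
    active = parse_dhcp_log(DHCP_LOG)
    for kind, items in reconcile(INVENTORY, active).items():
        print(kind, items)
    print("incomplete", incomplete_records(INVENTORY))
```

Matching on MAC rather than IP is deliberate: with DHCP the IP is the attribute most likely to have changed since the last scan, so an IP-keyed join would report a moved laptop as a new unknown device and hide the stale inventory entry.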
Conclusions
• Our integrated approach to the inventory of the University's network attached devices is
– a piece of a broader methodology adopted by the University of Camerino
– related to the management of information protection
• In this vision the University's ISMS becomes a container for data protection and for compliance with every requirement established by law and by international standards
• In accordance with:
– the continuous improvement of the ISMS
– the accountability principle laid down by Regulation (EU) 2016/679
My contacts
• Linkedin
– http://it.linkedin.com/pub/francesco-ciclosi/62/680/a06/
• facebook
– https://www.facebook.com/francesco.ciclosi
• twitter
– @francyciclosi
• www
– http://docenti.unimc.it/f.ciclosi
– http://www.francescociclosi.it
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck.  .pptxChizaram's Women Tech Makers Deck.  .pptx
Chizaram's Women Tech Makers Deck. .pptx
 
Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ...
Testing with Fewer Resources:  Toward Adaptive Approaches for Cost-effective ...Testing with Fewer Resources:  Toward Adaptive Approaches for Cost-effective ...
Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ...
 
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...
 

The network attached devices inventory as required by the Italian requirement of “Minimal measures for ICT security” and EU “General Data Protection Regulation”

1. The network attached devices inventory as required by the Italian requirement of “Minimal measures for ICT security” and EU “General Data Protection Regulation”
Francesco Ciclosi, University of Camerino
2. Summary
© Francesco Ciclosi – June 2018
• The implementation and management of the software tools used to inventory all authorized and unauthorized devices in the University
• Unicam's integrated approach to the problem, used to manage together:
  – ISO 27001 and 27002 requirements
  – the Italian ICT Minimum Security Measures for Public Administration (derived from the CIS controls)
  – GDPR requirements
  – our existing ISMS implementation
3. The GDPR requirements
• Personal data is «any information relating to an identified or identifiable natural person (data subject)» (cf. art. 4(1))
• This expands a concept already present in Directive 95/46/EC by:
  – widening the concept of identifiable natural person
  – generalizing the concept of identification number
4. A more expanded scope of protection
• An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to:
  – an identifier (name, identification number, location data, an online identifier)
  – one or more factors specific to the identity of a natural person (physical, physiological, genetic, mental, economic, cultural, social)
5. Many types of information
• For example, according to Regulation (EU) 2016/679 the following can be classified as personal data:
  – the person's name
  – a mobile number
  – an e-mail address
  – credit card details
  – payment details
  – web browsing history
  – images
  – videos
  – temperature
  – GPS coordinates
  – clinical analysis data (such as blood pressure, diabetes level)
6. Association as a source for identification
• The sources of identification of individuals include their associations with (cf. Recital 30):
  – “online identifiers provided by their devices,
  – applications,
  – tools and protocols, such as internet protocol addresses,
  – cookie identifiers or other identifiers such as radio frequency identification tags”
• Furthermore, these identifiers “may leave traces which […] may be used to create profiles of the natural persons and identify them”
• This is true especially when these elements are combined with unique identifiers and other information received by the servers
7. What does “all the means…” mean?
• Regulation (EU) 2016/679 tells us to consider “all the means reasonably likely to be used […] to identify the natural person directly or indirectly” (cf. Recital 26)
• Therefore, we must consider:
  – all the aspects related to the identification activity
  – any related technological knowledge
  – a specific assessment on a case-by-case basis
• Or rather, we must take into account:
  – all objective factors (such as the costs of and the amount of time required for identification)
  – the technology available at the time of the processing
  – technological developments
8. Two important points
1. The possibility of identifying a natural person (for example through an IP address) is a clear means of verifying whether the processing in question falls within the material or territorial scope of the GDPR
2. The correct use of data protection techniques (namely anonymization and pseudonymisation) can also help to determine whether a processing operation is totally or partially within the scope of the GDPR
9. The compliance with the ISO 27000 family
• Unicam's implementation of the network attached devices inventory system is a means of ensuring compliance with the standards:
  – ISO 27001:2013
  – ISO 27002:2013
• This is done from both an organizational and a technical perspective
10. ISO 27001 and ISO 27002 compliance - 1
• Within the main security control A.8 “Asset management”, the principal category A.8.1 “Responsibility for assets” is divided into four controls, namely:
  – inventory of assets (A.8.1.1)
  – ownership of assets (A.8.1.2)
  – acceptable use of assets (A.8.1.3)
  – return of assets (A.8.1.4)
• The first two state that it is necessary:
  – to identify
  – to draw up
  – to maintain
• an inventory of the assets associated with information and information processing facilities
11. ISO 27001 and ISO 27002 compliance - 2
• Within the main security control A.13 “Communications security”, the principal category A.13.1 “Network security management” is divided into three controls, namely:
  – network controls (A.13.1.1)
  – security of network services (A.13.1.2)
  – segregation in networks (A.13.1.3)
• The first one states that networks must be managed and controlled in order to protect information in systems and applications
• Therefore, full knowledge of which devices are connected to the network is an important element in guaranteeing its security
12. Difference between ISO and ABSC controls
• There are differences between the controls provided in the ISO 27002:2013 standard and those in the AgID Basic Security Controls (ABSC)
• An inventory system must include:
  – all the assets connected to the network (according to the ABSC controls)
  – all the assets owned by the organization (according to the ISO controls)
13. Our solution
• We resolved the dichotomy between the two sets of controls in two steps:
  1. We automatically populated the inventory with all the assets connected to the network
  2. We manually added further information about the assets (those that are authorized and/or owned by the university)
14. The integration with the ISMS
• We issued a specific technical procedure in the Information Security Management System (ISMS)
• This is a complex task; in fact the procedure references:
  – the log management procedure
  – the backup procedure
• The procedure was issued in December 2017 and implements the indications of the Unicam Working Group on the application of the Italian Minimum Measures for ICT Security
15. The ABSC in the technical procedure

ABSC ID | FNCS ID | Control Description
1.1.1 | ID.AM-1 | Implement an inventory of the active resources related to ABSC 1.4
1.1.2 | ID.AM-1 | Implement ABSC 1.1.1 through an automated tool
1.2.1 | ID.AM-1 | Implement logging of the DHCP server operation
1.2.2 | ID.AM-1 | Use the information obtained from the DHCP logging to improve the inventory of resources and identify the resources not yet recorded
1.3.1 | ID.AM-1 | Update the inventory when new approved devices are connected to the network
1.3.2 | ID.AM-1 | Update the inventory with an automated tool when new approved devices are connected to the network
1.4.1 | ID.AM-1 | Manage the inventory of the resources of all the systems connected to the network and of the network devices themselves, registering at least the IP address
1.4.2 | ID.AM-1 | For all devices that have an IP address, the inventory must indicate the machine name, the function of the system, a holder responsible for the resource and the associated office. The inventory must also indicate whether the device is portable and/or personal
16. The ABSC first family
• In this control there is a difference between “resources” and “active resources”:
  – Active resources → all the resources active on the network
  – Resources → all the resources active on the network that have also been authorized (more restrictive)
• The inventory must contain at least an IP address
  → Important point: this information could become personal data
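Because the IP address (and the MAC address next to it in the DHCP logs) can be personal data, an inventory report or dashboard shared beyond the authorized personnel should not carry the raw identifiers. The following is an added example, not code from the presentation or from Unicam's procedure: it replaces IPv4 and MAC addresses in a record with keyed pseudonyms (HMAC-SHA256 under a secret key), so that an analyst can still see that two log lines and an inventory row refer to the same device, while the address itself can be recovered only by whoever holds the key. The key and the sample records are constructed for the example. Note the caveat that Recital 26 makes explicit: data pseudonymised this way is still personal data for anyone able to obtain the key, so this is a pseudonymisation measure, not anonymization, and hostnames or holder names in the same record would need their own treatment.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed example key: in practice it must come from a secret store that only
# the personnel authorized to re-identify devices can read. Whoever holds this key
# can re-link the tokens to the original addresses, so the output is pseudonymised,
# not anonymised.
EXAMPLE_KEY = b"constructed-example-key-do-not-reuse"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

# Constructed sample records (not real Unicam data): two DHCP server lines and one
# inventory row about the same device, with the MAC written in two notations.
SAMPLE_RECORDS = [
    "Jun  1 08:12:01 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 00:11:22:33:44:55 (lab-pc-07) via eth0",
    "Jun  1 09:40:17 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 00-11-22-33-44-55 (lab-pc-07) via eth0",
    "inventory,10.20.30.41,lab-pc-07,workstation,Lab B,portable=no",
]


def pseudonym(value: str, key: bytes, kind: str, length: int = 12) -> str:
    """Deterministic keyed token for one identifier.

    HMAC-SHA256 over "kind:value": the same key and value always give the same
    token (records about one device stay correlatable), a different key gives an
    unrelated token, and the value cannot be recovered from the token without the
    key. The kind prefix keeps IP and MAC tokens from ever colliding."""
    tag = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{kind}-{tag[:length]}"


def normalize_ip(text: str):
    """Canonical address string, or None when the text only looks like an IP."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def pseudonymise_record(line: str, key: bytes) -> str:
    """Replace every IPv4 and MAC address in a log or inventory line with a token."""
    def ip_sub(match):
        ip = normalize_ip(match.group(0))
        if ip is None:                      # e.g. "300.1.2.3": not an address, leave it
            return match.group(0)
        return pseudonym(ip, key, "ip")

    def mac_sub(match):
        # Canonical lower-case, colon-separated form so that "00-11-..." and
        # "00:11:..." map to the same token.
        mac = match.group(0).lower().replace("-", ":")
        return pseudonym(mac, key, "mac")

    # MACs first: a MAC never contains a dotted quad, and an IP token never
    # contains a MAC, so the two passes cannot interfere.
    return IPV4_RE.sub(ip_sub, MAC_RE.sub(mac_sub, line))


def pseudonymise_records(lines, key: bytes) -> list:
    """Apply pseudonymise_record to a batch of lines, preserving their order."""
    return [pseudonymise_record(line, key) for line in lines]


if __name__ == "__main__":
    for line in pseudonymise_records(SAMPLE_RECORDS, EXAMPLE_KEY):
        print(line)
```

The token is truncated to 12 hex digits (48 bits) only to keep reports readable; keep the full digest if the report will be joined against large datasets, and rotate the key per reporting period if linkability across periods is not needed.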
17. Description of the solution
• The implemented solution is the SpiceWorks platform, which:
  – scans the various University networks in order to automatically discover:
    • all active resources
    • all systems connected to the network
    • all the network devices
  – is installed on a Unicam server in Windows mode
  – is available for ordinary administrative purposes over an SSL connection, but only after authentication
  – is also reachable via RDP, but only for specific system maintenance activities
18. Reporting and information management
• The SpiceWorks system allows us to obtain:
  – the best information filtering, in order to:
    • permit an immediate selection of the events that need verification
    • organize the asset inventory
  – a general overview of the situation and of its evolution over time:
    • by creating a custom reporting system
    • by creating custom dashboards
19. A SpiceWorks custom dashboard
20. The scanning tasks
• Inventory scanning runs in two different modes:
  – Automatic, once a day at an established time
  – Manual, on IT staff request, when the University has deployed new systems or network devices
• The SpiceWorks system also monitors the status of the servers and of the network every hour
21. The data integration
• The University's IT staff manually integrate the data collected by the SpiceWorks inventory system with any missing information
• In particular, for the resources for which at least the IP address is registered, the following data are added (manually, if not already present):
  – name of the device (e.g. the host name or the NetBIOS name)
  – system function
  – indication of a holder responsible for the resource
  – structure to which the resource is associated
  – indication of whether the device is portable and/or personal
22. Normal data analysis
• The data collected by the inventory tool are:
  – manually analyzed
  – processed only by authorized personnel
  – integrated with the DHCP logs (only if necessary)
    • this operation is possible only on a legal ground and in accordance with Regulation (EU) 2016/679
23. Special data analysis
• In the case of security events or incidents it is possible to manually analyze the DHCP logs
• The purpose of this activity is to correlate the data:
  – present in the DHCP logs
  – stored in the inventory management system
• This operation is possible only:
  – on a legal ground
  – in accordance with Regulation (EU) 2016/679
  – by authorized personnel
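The correlation between the DHCP logs and the inventory (slides 22 and 23) is what makes ABSC 1.2.2 of the table on slide 15 operational: every address the DHCP server actually handed out is checked against the inventory, and anything not recorded is a candidate unauthorized device. The same pass can verify ABSC 1.4.2, i.e. that every inventoried device with an IP address carries the fields listed on slide 21. The following is an added example, not code from the presentation or from Unicam's SpiceWorks deployment. It assumes an ISC dhcpd-style syslog line format (the presentation does not say which DHCP server is used; a Windows DHCP server audit log is a different CSV layout) and a CSV export of the inventory with one column per required field; both the inventory export and the log lines are constructed for the example.

```python
import csv
import io
import re

# ABSC 1.4.2: every device that has an IP address must carry these fields.
REQUIRED_FIELDS = ("ip", "hostname", "function", "holder", "office", "portable", "personal")

# Constructed inventory export (not real Unicam data), in the shape a CSV export
# of the inventory tool might take; one record is missing its responsible holder.
INVENTORY_CSV = """ip,hostname,function,holder,office,portable,personal
10.20.30.1,core-sw-1,switch,Net Ops,Data centre,no,no
10.20.30.41,lab-pc-07,workstation,M. Rossi,Lab B,no,no
10.20.30.42,lab-pc-08,workstation,,Lab B,no,no
"""

# Constructed DHCP server log in ISC dhcpd syslog style (assumed format, not a
# real capture); one client that the inventory does not know obtains a lease.
DHCP_LOG = """Jun  1 08:12:01 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 00:11:22:33:44:55 (lab-pc-07) via eth0
Jun  1 08:13:44 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via eth0
Jun  1 08:13:45 dhcp1 dhcpd: DHCPACK on 10.20.30.77 to aa:bb:cc:dd:ee:01 (guest-phone) via eth0
Jun  1 08:20:02 dhcp1 dhcpd: DHCPACK on 10.20.30.42 to 00:11:22:33:44:66 (lab-pc-08) via eth0
Jun  1 09:01:10 dhcp1 dhcpd: DHCPACK on 10.20.30.77 to aa:bb:cc:dd:ee:01 (guest-phone) via eth0
"""

# Only DHCPACK proves that a client actually took an address; DISCOVER/OFFER
# lines are ignored so that a probe or a rejected request does not create an entry.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))?",
    re.IGNORECASE,
)


def load_inventory(csv_text: str) -> dict:
    """Inventory CSV export -> {ip: record}."""
    return {row["ip"].strip(): row for row in csv.DictReader(io.StringIO(csv_text))}


def parse_dhcp_acks(log_text: str) -> dict:
    """DHCP log -> {ip: {"mac", "name", "acks"}} for every acknowledged lease."""
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        entry = leases.setdefault(
            m["ip"], {"mac": m["mac"].lower(), "name": m["name"] or "", "acks": 0}
        )
        entry["acks"] += 1
    return leases


def unregistered_devices(inventory: dict, leases: dict) -> list:
    """ABSC 1.2.2: leased addresses that the inventory does not record yet."""
    return sorted(
        (ip, lease["mac"], lease["name"])
        for ip, lease in leases.items()
        if ip not in inventory
    )


def incomplete_records(inventory: dict) -> dict:
    """ABSC 1.4.2: for each inventoried IP, the required fields still empty."""
    gaps = {}
    for ip, row in inventory.items():
        missing = [f for f in REQUIRED_FIELDS if not (row.get(f) or "").strip()]
        if missing:
            gaps[ip] = missing
    return gaps


def reconcile(csv_text: str, log_text: str) -> dict:
    """One report with both findings, ready for the IT staff's manual follow-up."""
    inventory = load_inventory(csv_text)
    leases = parse_dhcp_acks(log_text)
    return {
        "unregistered": unregistered_devices(inventory, leases),
        "incomplete": incomplete_records(inventory),
    }


if __name__ == "__main__":
    report = reconcile(INVENTORY_CSV, DHCP_LOG)
    for ip, mac, name in report["unregistered"]:
        print(f"not in inventory: {ip} {mac} {name!r}")
    for ip, fields in report["incomplete"].items():
        print(f"incomplete record: {ip} missing {', '.join(fields)}")
```

Statically addressed devices such as the switch above never appear in the DHCP log, which is why the DHCP correlation complements the network scan rather than replacing it; the findings are deliberately left as a list for the IT staff, since the slides describe the analysis and the inventory completion as manual steps by authorized personnel.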
24. Conclusions
• Our integrated approach to the inventory of the university's network attached devices is:
  – a piece of a broader methodology adopted by the University of Camerino
  – related to the management of information protection
• In this vision the university's ISMS becomes a container for data protection and for compliance with every requirement established by law and by international standards
• In accordance with:
  – the continuous improvement of the ISMS
  – the accountability principle enunciated by Regulation (EU) 2016/679
25. My contacts
• LinkedIn – http://it.linkedin.com/pub/francesco-ciclosi/62/680/a06/
• Facebook – https://www.facebook.com/francesco.ciclosi
• Twitter – @francyciclosi
• www – http://docenti.unimc.it/f.ciclosi – http://www.francescociclosi.it