The risk analysis as a unified approach to satisfy GDPR, NIS Directive and ISO 27001 requirements
Francesco Ciclosi, University of Camerino
1
© Francesco Ciclosi – June 2018
Summary
• In recent years there have been many changes in both the Italian and the European regulatory frameworks concerning cybersecurity and data protection
– European regulatory framework (e.g. GDPR, NIS Directive, Directive (EU) 2016/680, eIDAS Regulation)
– Italian regulatory framework (e.g. National strategic framework for cyberspace security, National plan for cyber protection and cybersecurity, Minimum ICT Measures for Public Administration)
• This presentation covers the aspects related to the integrated management of these topics
2
The minimum ICT measures for PA
• In this document AgID has defined its own security controls, derived from the CCSC controls (also known as SANS 20)
• AgID circular no. 2/2017 requires that Italian public administrations, public service operators and publicly controlled companies adopt it by 31 December 2017
3
The ABSC organization
• There are eight ABSC families
• Each family is divided into finer-grained detailed measures, which are then decomposed into elementary measures
• The families are the following:
– ABSC 1: Inventory of authorized and unauthorized devices
– ABSC 2: Inventory of authorized and unauthorized software
– ABSC 3: Protect hardware and software configurations on mobile devices, laptops, workstations and servers
– ABSC 4: Continuous assessment and correction of vulnerabilities
– ABSC 5: Appropriate use of administrator privileges
– ABSC 8: Defence against malware
– ABSC 10: Security copies (backups)
– ABSC 13: Data protection
4
An excerpt from the ABSC 13 family
(✓ marks the security levels at which the measure is required)

ABSC_ID#   Description                                                      FNSC                                 Min.  Std.  High
13.1.1     Carry out an analysis of the data to identify those with         ID.AM-5                              ✓     ✓     ✓
           particular confidentiality requirements (relevant data) and in
           particular those to which cryptographic protection must be
           applied
13.2.1     Use encryption systems for portable devices and systems that     ID.AM-5, PR.DS-5                           ✓     ✓
           contain relevant information
13.3.1     Use automatic tools on the network perimeter to block, limit     ID.AM-3, PR.AC-5, PR.DS-1, DE.AE-1               ✓
           or monitor in a timely manner the traffic leaving your
           network, the use of unauthorized cryptography, or access to
           sites that allow the exchange and potential exfiltration of
           information
5
The ABSC level of security
• The ABSC controls are also subdivided into three macro categories, each corresponding to the level of security achievable once all the controls belonging to that level have been fully implemented
• These levels are the following:
– Minimum: the basic level of security, below which no organization may go
– Normal: an average level of security that represents a fair compromise between the preventive effectiveness of the chosen measures and their implementation costs
– Ideal: a particularly high level of security, suitable even when handling critical information or providing critical services
6
Contextualization in the academic world
• The academic world represents a particular challenge for the application of the minimum ICT measures; in fact:
1. universities often do not directly manage all the resources that can be networked
2. access to the network is subject to a user-centred approval process, not a device-centred one
3. the organizational structure of universities is complex, so it is difficult to identify who is responsible for the implementation of the minimum measures
7
AgID vision for the academic world
• The perimeter to be considered is not defined in absolute terms
• It is necessary to analyze every specific situation, taking into account:
– its peculiarities
– the reference context in which it operates
• Compliance with all the measures needed to protect the central part («core»), i.e. the area of maximum criticality, must be absolutely guaranteed
• It is necessary to adopt an organizational model based on a pyramid of responsibility
– this is useful for managing the organizational structure of universities, which is characterized by a wide degree of autonomy
8
The ISO 27001 certification of Unicam
• The University of Camerino, on behalf of the CINFO, started a certification process in 2012
• In the last six years the University has successfully passed all periodic maintenance audits
• In December 2017 Unicam presented its unified approach to risk analysis and management, which is the basis of the integration between:
– the Information security management system (ISMS)
– the Minimum ICT measures for Public Administration
• This new approach represents the first step towards modifying the scope of application in order to integrate the requirements of Regulation (EU) 2016/679 into the ISMS
9
The CODAU Guidelines
• The Italian Conference of the General Managers of University Administration (CODAU) issued the “Guidelines on privacy and protection of personal data in universities”
• This document contains a mapping of the most important processing activities (treatments) in the university field
• Unicam has chosen to use this mapping as a basis for:
– the compilation of the register of processing activities
– the review of the scope (SoA) of Unicam’s ISMS
– the execution of an assessment of the impact of the envisaged processing operations on the protection of personal data (DPIA), carried out by the controller
10
The types of treatment
• The CODAU identifies (from an operational perspective) 33 types of treatment, divided into the following macro-families:
1. main processing concerning students
2. main processing concerning employees or collaborators
3. transversal processing, or processing connected to transversal activities
4. processing of personal data in the context of the provision of federated services (such as EDUROAM, IDEM and SPID)
5. tracking of non-primary information (such as log data)
11
The Unicam Working Group (1/2)
• On 29 September 2017 the University of Camerino set up a special working group for the application of the minimum security measures
• This group had the explicit task of:
– carrying out the technical activities needed to propose the necessary measures
– producing the relevant documentation, where applicable and necessary
• It is coordinated by the ISMS manager
• It works both in a full and in a restricted configuration
12
The Unicam Working Group (2/2)
• In the restricted configuration it is composed of:
– Group coordinator and ISMS Manager (Ciclosi)
– Network, Telephony and Help Desk Manager (Rappi)
– Operating Systems and Hardware Sector Manager (Gentili)
– Processing Infrastructure supporting the activities of the Athenaeum Library System (Belfiore)
• It produces technical-organisational solutions that are approved by both the General Manager and the Rector of the University
13
Integration between ISMS and ICT Measures
• The implementation form of the “Minimum ICT measures for Public Administration” is used as a sort of index that refers to the ISMS documents
• Because this document is signed by both the General Manager and the Rector, it turns the ISMS into a strategic system of the University
14

ABSC_ID#   Description                        Implementation modalities                                        Level
13.8.1     Block traffic to and from URLs     The University blocks all traffic directed to URLs included in   M
           present in a blacklist.            a special blacklist. The details of this implementation are
                                              described in the SGSI (ISMS) document called
                                              “PT - 102 - URL Filtering”.
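The blacklist-based URL blocking of control 13.8.1 depends on matching hosts correctly, not on comparing raw strings. As an added example (not Unicam's own "PT - 102 - URL Filtering" procedure, whose details the slide does not give), the following Python code normalises a requested URL and checks it against a constructed blocklist, treating an entry as covering its subdomains and, optionally, only a path prefix. The blocklist contents, the entry format, the sample requests and the function names are all assumptions made for this example.

```python
"""URL blocklist check of the kind described for ABSC 13.8.1.

Hypothetical example: the blocklist format and the sample requests are
constructed for illustration and are not taken from the Unicam ISMS.
"""
from urllib.parse import urlsplit

# Constructed sample blocklist. A value of None means the whole domain and
# all its subdomains are blocked; a string restricts the block to URLs whose
# path starts with that prefix on that host (and its subdomains).
BLOCKLIST = {
    "bad.example": None,
    "files.example": "/exfil/",
}


def normalise_host(url):
    """Return (host, path) with the usual evasions neutralised: mixed case,
    a trailing dot, userinfo before '@', an explicit port, a missing scheme
    and Unicode (IDN) labels are all folded into one canonical form."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    # .hostname already drops userinfo and the port and lower-cases the name
    host = (parts.hostname or "").rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")  # IDN -> punycode form
    except UnicodeError:
        pass  # over-long or malformed label: keep the lower-cased text
    return host, parts.path or "/"


def is_blocked(url, blocklist=BLOCKLIST):
    """True if the URL's host (or any parent domain of it) is listed and the
    entry's path restriction, if any, matches."""
    host, path = normalise_host(url)
    if not host:
        return False
    labels = host.split(".")
    # Walk up the label hierarchy: a.b.bad.example -> b.bad.example -> bad.example
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            prefix = blocklist[candidate]
            if prefix is None or path.startswith(prefix):
                return True
    return False


def filter_requests(urls, blocklist=BLOCKLIST):
    """Apply the check to a batch of outbound requests and return
    (url, decision) pairs, as a perimeter proxy log would record them."""
    return [(u, "BLOCK" if is_blocked(u, blocklist) else "ALLOW") for u in urls]


# Constructed sample of outbound requests (not real traffic)
SAMPLE_REQUESTS = [
    "https://www.bad.example/login",            # subdomain of a listed domain
    "http://user@BAD.example.:8080/",           # userinfo, case, trailing dot, port
    "http://bad.example@good.example/",         # listed name only in userinfo
    "http://sub.files.example/exfil/dump.zip",  # path-restricted entry, matching path
    "http://files.example/public/index.html",   # same host, path not restricted
    "http://notbad.example/",                   # suffix match must not trigger
]

if __name__ == "__main__":
    for url, decision in filter_requests(SAMPLE_REQUESTS):
        print(f"{decision:5} {url}")
```

A perimeter proxy would call is_blocked on each outbound request and log the decision. The normalisation step is what stops userinfo, mixed case, trailing dots and explicit ports from slipping past the list, and the parent-domain walk is what lets a single entry cover all subdomains without a substring match that would also catch unrelated names such as notbad.example.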
Changes to ISMS
• Unicam has implemented:
– 44 ABSC controls of minimum type
– 43 ABSC controls of standard type
– 3 ABSC controls of high type
• Unicam has made many changes to the ISMS:
– 11 technical procedures modified
– 7 technical procedures added
– 6 operating instructions added
– 1 new type of document added (the Athenaeum Regulation)
– 3 system documents modified
15
The European Security Framework (1/2)
The security measures must be:
• Art. 14 NIS Directive: appropriate
• Art. 29 Directive (EU) 2016/680: appropriate
• Art. 19 eIDAS Regulation: appropriate
• Art. 32 GDPR: appropriate
16
The European Security Framework (2/2)
The security measures must:
• Art. 14 NIS Directive: ensure a level of security appropriate to the risk
• Art. 29 Directive (EU) 2016/680: ensure a level of security appropriate to the risk
• Art. 19 eIDAS Regulation: manage the risk posed to the security of the trust services
• Art. 32 GDPR: ensure a level of security appropriate to the risk
17
Two different perspectives of risks
• The risk referred to in the General Data Protection Regulation is different from the risk referred to in ISO/IEC 27001:2013
– Risk in the GDPR is a risk to the rights and freedoms of natural persons
– Risk in ISO 27001 is operational and relates to the possible consequences for the data controller or the data processor
• To realize a unified approach that includes the DPIA within the risk management process used in the ISMS, it might be useful to adopt a representation of the existing treatments and map them to the business processes
18
The modification of the SoA
• Unicam has expanded its list of assets by redesigning its business processes
• We have chosen to define, for each type of treatment identified in the CODAU document, a specific business process to which specific University services correspond
• These services are then managed in the usual way, by creating and valuing specific assets with the software tool PILAR
• After that we have expanded the SoA
19

Macro family of CODAU processing   Type of CODAU processing        Unicam Business Process       Unicam services
Main processing concerning         Services to prospective         Orientation services          Service available at the URL orientamento.unicam.it
students                           students                        Pre-registration services     Service for conducting admission tests to degree programs
                                                                                                 Service for carrying out tests for programmes with a limited number of places
                                   Services for registered         Career management services    Esse3 service by CINECA
                                   students                        Tutoring services             Service available at the URL tutorato.unicam.it
Conclusion
• The integration of the minimum ICT security measures for the PA within the Information Security Management System allowed us:
1. to raise the ISMS to the strategic level, since it is now approved by the Athenaeum top management
2. to expand the scope of the measures contained in the ISMS, which now extends to the whole University
3. to improve the overall protection of the organization, to acquire a greater knowledge of the “University of Camerino system”, and to highlight the correlations between its elements
20
My contacts
• linkedin
– http://it.linkedin.com/pub/francesco-ciclosi/62/680/a06/
• facebook
– https://www.facebook.com/francesco.ciclosi
• twitter
– @francyciclosi
• www
– http://docenti.unimc.it/f.ciclosi
– http://www.francescociclosi.it
21

Weitere ähnliche Inhalte

Ähnlich wie The risk analysis as a unified approach to satisfy GDPR, NIS Directive and ISO 27001 requirements

Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...
Malaysia University of Science and Technology (MUST)
 
Secure Use of Cloud Computing in the Finance Sector
Secure Use of Cloud Computing in the Finance SectorSecure Use of Cloud Computing in the Finance Sector
Secure Use of Cloud Computing in the Finance Sector
Eftychia Chalvatzi
 
Img s position-paper_for_h2020
Img s position-paper_for_h2020Img s position-paper_for_h2020
Img s position-paper_for_h2020
Marco Manso
 

Ähnlich wie The risk analysis as a unified approach to satisfy GDPR, NIS Directive and ISO 27001 requirements (20)

Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
 
Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...
 
ITU-T Study Group 17 Introduction
ITU-T Study Group 17 IntroductionITU-T Study Group 17 Introduction
ITU-T Study Group 17 Introduction
 
Bl cybersecurity z_dooly
Bl cybersecurity z_doolyBl cybersecurity z_dooly
Bl cybersecurity z_dooly
 
ENISA - EU strategies for cyber incident response
ENISA - EU strategies for cyber incident responseENISA - EU strategies for cyber incident response
ENISA - EU strategies for cyber incident response
 
Ise viii-information and network security [10 is835]-solution
Ise viii-information and network  security [10 is835]-solutionIse viii-information and network  security [10 is835]-solution
Ise viii-information and network security [10 is835]-solution
 
Secure Use of Cloud Computing in the Finance Sector
Secure Use of Cloud Computing in the Finance SectorSecure Use of Cloud Computing in the Finance Sector
Secure Use of Cloud Computing in the Finance Sector
 
APEC Framework for Securing the Digital Economy
APEC Framework for Securing the Digital EconomyAPEC Framework for Securing the Digital Economy
APEC Framework for Securing the Digital Economy
 
SC7 Workshop 3: Enhancing cyber defence of cyber space systems
SC7 Workshop 3: Enhancing cyber defence of cyber space systemsSC7 Workshop 3: Enhancing cyber defence of cyber space systems
SC7 Workshop 3: Enhancing cyber defence of cyber space systems
 
Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...
 
Khas bank isms 3 s
Khas bank isms 3 sKhas bank isms 3 s
Khas bank isms 3 s
 
OECD
OECDOECD
OECD
 
Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...
 
Обзор требований ГОСТ Р 57580.1-2017 en-GB.pdf
Обзор требований ГОСТ Р 57580.1-2017 en-GB.pdfОбзор требований ГОСТ Р 57580.1-2017 en-GB.pdf
Обзор требований ГОСТ Р 57580.1-2017 en-GB.pdf
 
A Major Revision of the CISRCP Program
A Major Revision of the CISRCP ProgramA Major Revision of the CISRCP Program
A Major Revision of the CISRCP Program
 
Cybersecurity for Real Estate & Construction
Cybersecurity for Real Estate & ConstructionCybersecurity for Real Estate & Construction
Cybersecurity for Real Estate & Construction
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR compliance
 
05 standards and general purpose regulations - impact on finance
05 standards and general purpose regulations - impact on finance05 standards and general purpose regulations - impact on finance
05 standards and general purpose regulations - impact on finance
 
Img s position-paper_for_h2020
Img s position-paper_for_h2020Img s position-paper_for_h2020
Img s position-paper_for_h2020
 
Appointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRAppointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPR
 

Mehr von Francesco Ciclosi

Mehr von Francesco Ciclosi (20)

La biometria come nuovo paradigma di autenticazione e identificazione
La biometria come nuovo paradigma di autenticazione e identificazioneLa biometria come nuovo paradigma di autenticazione e identificazione
La biometria come nuovo paradigma di autenticazione e identificazione
 
MODULO E02 –> Scelte di consumo intertemporale
MODULO E02 –> Scelte di consumo intertemporaleMODULO E02 –> Scelte di consumo intertemporale
MODULO E02 –> Scelte di consumo intertemporale
 
La rappresentazione delle informazioni
La rappresentazione delle informazioniLa rappresentazione delle informazioni
La rappresentazione delle informazioni
 
MODULO IB04 –> La memoria di massa
MODULO IB04 –> La memoria di massaMODULO IB04 –> La memoria di massa
MODULO IB04 –> La memoria di massa
 
MODULO E01 –> Scelte d’investimento per un’impresa
MODULO E01 –> Scelte d’investimento per un’impresaMODULO E01 –> Scelte d’investimento per un’impresa
MODULO E01 –> Scelte d’investimento per un’impresa
 
MODULO IB03 –> La memoria principale
MODULO IB03 –> La memoria principaleMODULO IB03 –> La memoria principale
MODULO IB03 –> La memoria principale
 
MODULO IB02 –> I bit e la loro memorizzazione
MODULO IB02 –> I bit e la loro memorizzazioneMODULO IB02 –> I bit e la loro memorizzazione
MODULO IB02 –> I bit e la loro memorizzazione
 
MODULO IB01 –> Elementi di base
MODULO IB01 –> Elementi di baseMODULO IB01 –> Elementi di base
MODULO IB01 –> Elementi di base
 
MODULO 00 –> Presentazione del corso
MODULO 00 –> Presentazione del corsoMODULO 00 –> Presentazione del corso
MODULO 00 –> Presentazione del corso
 
MODULO 28 –> La Business Continuity Management
MODULO 28 –> La Business Continuity ManagementMODULO 28 –> La Business Continuity Management
MODULO 28 –> La Business Continuity Management
 
MODULO 27 –> Dai virus al malware
MODULO 27 –> Dai virus al malwareMODULO 27 –> Dai virus al malware
MODULO 27 –> Dai virus al malware
 
MODULO 26 –> Il controllo degli accessi
MODULO 26 –> Il controllo degli accessiMODULO 26 –> Il controllo degli accessi
MODULO 26 –> Il controllo degli accessi
 
MODULO 25 –> Fondamenti delle tecnologie per il web
MODULO 25 –> Fondamenti delle tecnologie per il webMODULO 25 –> Fondamenti delle tecnologie per il web
MODULO 25 –> Fondamenti delle tecnologie per il web
 
MODULO 24 –> I servizi di rete
MODULO 24 –> I servizi di reteMODULO 24 –> I servizi di rete
MODULO 24 –> I servizi di rete
 
MODULO 23 –> Le reti geografiche
MODULO 23 –> Le reti geograficheMODULO 23 –> Le reti geografiche
MODULO 23 –> Le reti geografiche
 
MODULO 22 –> Lo spazio degli indirizzi IP
MODULO 22 –> Lo spazio degli indirizzi IPMODULO 22 –> Lo spazio degli indirizzi IP
MODULO 22 –> Lo spazio degli indirizzi IP
 
MODULO 21 –> Le reti locali
MODULO 21 –> Le reti localiMODULO 21 –> Le reti locali
MODULO 21 –> Le reti locali
 
MODULO 20 –> Introduzione al TCP/IP
MODULO 20 –> Introduzione al TCP/IPMODULO 20 –> Introduzione al TCP/IP
MODULO 20 –> Introduzione al TCP/IP
 
MODULO 19 –> Fondamenti dell’infrastruttura di rete
MODULO 19 –> Fondamenti dell’infrastruttura di reteMODULO 19 –> Fondamenti dell’infrastruttura di rete
MODULO 19 –> Fondamenti dell’infrastruttura di rete
 
MODULO 18 –> Il sistema operativo
MODULO 18 –> Il sistema operativoMODULO 18 –> Il sistema operativo
MODULO 18 –> Il sistema operativo
 

Kürzlich hochgeladen

No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
Sheetaleventcompany
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
Kayode Fayemi
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
raffaeleoman
 

Kürzlich hochgeladen (20)

SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 

The risk analysis as a unified approach to satisfy GDPR, NIS Directive and ISO 27001 requirements

  • 1. The risk analysis as a unified approach to satisfy GDPR, NIS Directive and ISO 27001 requirements Francesco Ciclosi, University of Camerino 1
  • 2. © Francesco Ciclosi – June 2018 Summary • In the last years there are been many changes both in the Italian, and in the European regulatory framework in matter of cybersecurity and data protection – European regulatory framework (i.e.: GDPR, NIS Directive, Directive 2016/680, eIDAS Regulation) – Italian regulatory framework (i.e.: National strategic framework for security of cyberspace, National plan for cyber protection and cybersecurity, Minimum ICT Measures for Public Administration) • This presentation cover the aspects related to the integrated management of these topics 2
  • 3. © Francesco Ciclosi – June 2018 The minimum ICT measures for PA • In this document AgID has defined its own security controls derived from the CCSC control (also known as SANS 20) • The AgID circular n. 2/2017 requires that both the Italian public administration and the public service operators, as well as the publicly controlled companies adopt it by 31 December 2017 3
  • 4. © Francesco Ciclosi – June 2018 The ABSC organization • The ABSC are eight and are arranged in families • Each family is divided in a finer family of detailed measurement, and then decomposed into elementary measures • The families are the following: – ABSC 1: Inventory of authorized and unauthorized devices – ABSC 2: Inventory of authorized and unauthorized software – ABSC 3: Protect hardware and software configurations on mobile devices, laptops, workstations and servers – ABSC 4: Continuous assessment and correction of vulnerability – ABSC 5: Appropriate use of administrator privileges – ABSC 8: Defence against malware – ABSC 10: Security copies – ABSC 13: Data protection 4
  • 5. © Francesco Ciclosi – June 2018 An excerpt from the ABSC 13 family ABSC_ID# Description FNSC Min. Std. High 13 1 1 Carry out an analysis of the data to identify those with particular confidentiality requirements (relevant data) and in particular those to which cryptographic protection must be applied ID.AM-5    2 1 Use encryption systems for portable devices and systems that contain relevant information ID.AM-5, PR.DS-5   3 1 Use automatic tools on the perimeter of the network to block, limit or monitor in a timely manner, the traffic leaving your network, the use of unauthorized cryptography or access to sites that allow the exchange and the potential exfiltration of information ID.AM-3, PR.AC- 5, PR.DS-1, DE.AE-1  5
  • 6. © Francesco Ciclosi – June 2018 The ABSC level of security • The ABSC controls are also subdivided into three macro categories that correspond to the particular level of security achievable following the complete implementation of all the controls corresponding to the particular level in question • These levels are the following: – Minimum, this is the basic level of safety under which no organization can go down – Normal, this is an average level of security that represents a fair compromise between the preventive effectiveness of the measures chosen and their implementation costs – Ideal, this is a particularly high level of safety, even when handling critical information or providing critical services 6
  • 7. © Francesco Ciclosi – June 2018 Contextualization in the academic world • The academic world represent a particular challenge for the application of minimum ICT measures; in fact: 1. universities often do not directly manage all the resources that can be networked 2. access to the network is subject to a user- centered approval process and not on the device 3. the organizational structure of the Universities is complex, so it is difficult to identify who is responsible for the implementation of minimum measures 7
  • 8. © Francesco Ciclosi – June 2018 AgID vision for the academic world • The perimeter to be considered is not defined in absolute terms • It is necessary to analyze every specific reality, taking into account: – its peculiarities – the reference context in which it is inserted • It must be absolutely guaranteed the respect of all the necessary measures to protect the central part («core»), that is the area of maximum criticality • It is necessary to adopt an organizational model based on a pyramid of responsibility – this is useful in order to manage the organizational structure of the Universities, which is characterized by an ample level of autonomy 8
  • 9. © Francesco Ciclosi – June 2018 The ISO 27001 certification of Unicam • The University of Camerino, on behalf the CINFO has started since 2012 a certification process • In the last six year the University has successfully supported all periodic maintenance audits • In December 2017 Unicam has presented its unified approach to risk analysis and management that is at the base of the integration between: – Information security management system (ISMS) – Minimum ICT measures for Public Administration • This new approach represents the first step towards the modification of the scope of application in order to integrate the requirements of the Regulation (EU) 2016/679 into the ISMS 9
  • 10. © Francesco Ciclosi – June 2018 The CODAU Guidelines • The Italian Conference of the General Managers of University Administration issued the “Guidelines on privacy and protection of personal data in universities” • This document contain a mapping of the most important treatments in the university field • Unicam has chosen to use this mapping as a basis for: – the compilation of the register of treatments – the review of the scope (SoA) of Unicam’s ISMS – the execution of an assessment of the impact of the envisaged processing operations on the protection of personal data carried out by the controller 10
  • 11. © Francesco Ciclosi – June 2018 The types of treatment • The CODAU identifies (from an operational perspective) 33 types of treatments divided into the following macro-families: 1. main processing concerning students 2. main processing concerning employees or collaborators 3. transversal processing or connected to transversal activities 4. processing of personal data in the context of the provision of federated services • (such as EDUROAM, IDEM and SPID) 5. tracking of non-primary information • (such as the log data) 11
  • 12. © Francesco Ciclosi – June 2018 The Unicam Working Group (1/2) • On 29 September 2017 the University of Camerino set up a special working group for the application of minimum security measures • This group had the explicit task of: – carrying out the technical activities in order to propose the necessary measures – to produce the relevant documentation, where applicable and necessary • It is coordinate by the ISMS manager • It works both in a full and in a restricted configuration 12
13. The Unicam Working Group (2/2)
• In the restricted configuration it was composed of:
– Group coordinator and ISMS Manager (Ciclosi)
– Network, Telephony and Help Desk Manager (Rappi)
– Operating Systems and Hardware Sector Manager (Gentili)
– Processing infrastructure supporting the activities of the Athenaeum Library System (Belfiore)
• It produces technical and organisational solutions that are approved by both the General Manager and the Rector of the University
14. Integration between ISMS and ICT Measures
• The implementation form of the “Minimum ICT measures for Public Administration” is used as a sort of index that refers to the ISMS’s documents
• Because this document is signed by both the General Manager and the Rector, it turns the ISMS into a strategic system of the University

ABSC_ID# | Description | Implementation modalities | Level
13 8 1 | Block traffic to and from URLs present in a blacklist. | The University blocks all traffic directed to URLs included in a special blacklist. The detail of this implementation is described in the ISMS (SGSI) document called “PT - 102 - URL Filtering”. | M
15. Changes to the ISMS
• Unicam has implemented:
– 44 ABSC controls of minimum type
– 43 ABSC controls of standard type
– 3 ABSC controls of high type
• Unicam has made many changes to the ISMS:
– 11 technical procedures were modified
– 7 technical procedures were added
– 6 operating instructions were added
– 1 new type of document was added (the Athenaeum Regulation)
– 3 system documents were modified
16. The European Security Framework (1/2)
The security measures must be:
• Art. 14 NIS Directive: appropriate
• Art. 29 Directive (EU) 2016/680: appropriate
• Art. 19 eIDAS Regulation: appropriate
• Art. 32 GDPR: appropriate
17. The European Security Framework (2/2)
The security measures must:
• Art. 14 NIS Directive: ensure a level of security appropriate to the risk
• Art. 29 Directive (EU) 2016/680: ensure a level of security appropriate to the risk
• Art. 19 eIDAS Regulation: manage the risk posed to the security of the trust services
• Art. 32 GDPR: ensure a level of security appropriate to the risk
18. Two different perspectives of risk
• The risk referred to in the General Data Protection Regulation is different from the one referred to in ISO/IEC 27001:2013
– Risk in the GDPR is a risk to the rights and freedoms of natural persons
– Risk in ISO 27001 is operational and related to the possible consequences for the data controller or data processor
• To realize a unified approach that includes the DPIA within the risk management process used in the ISMS, it may be useful to adopt a representation of the existing processing operations and map them to the business processes
19. The modification of the SoA
• Unicam has expanded its list of assets by redesigning its business processes
• We have chosen to define, for each type of processing identified in the CODAU document, a specific business process to which specific University services correspond
• These services are then managed in the usual way, by creating and valuing specific assets using the software tool PILAR
• After that, we have expanded the SoA

Macro family of CODAU processing | Type of CODAU processing | Unicam business process | Unicam services
Main processing concerning students | Services to prospective students | Orientation services | Service available at the URL orientamento.unicam.it
| | Pre-registration services | Service for conducting admission tests to degree programmes
| | | Service for carrying out tests for programmes with a programmed (restricted) number of places
| Services for registered students | Career management services | Esse3 service by CINECA
| | Tutoring services | Service available at the URL tutorato.unicam.it
20. Conclusion
• The integration of the minimum ICT security measures for the PA within the Information Security Management System allowed us:
1. to raise the ISMS to a strategic level, since it is now approved by the Athenaeum’s top management
2. to extend the scope of the measures contained in the ISMS, which now apply to the whole University
3. to improve the global protection of the organization, to acquire a greater knowledge of the “University of Camerino system”, and to highlight the correlations between its elements
21. My contacts
• linkedin
– http://it.linkedin.com/pub/francesco-ciclosi/62/680/a06/
• facebook
– https://www.facebook.com/francesco.ciclosi
• twitter
– @francyciclosi
• www
– http://docenti.unimc.it/f.ciclosi
– http://www.francescociclosi.it