1. The risk analysis as a unified approach to satisfy GDPR, NIS Directive and ISO 27001 requirements
Francesco Ciclosi, University of Camerino
2. © Francesco Ciclosi – June 2018
Summary
• In recent years there have been many changes in both the Italian and the European regulatory framework on cybersecurity and data protection
– European regulatory framework (i.e. GDPR, NIS Directive, Directive (EU) 2016/680, eIDAS Regulation)
– Italian regulatory framework (i.e. National strategic framework for the security of cyberspace, National plan for cyber protection and cybersecurity, Minimum ICT Measures for Public Administration)
• This presentation covers the aspects related to the integrated management of these topics
3. The minimum ICT measures for PA
• In this document AgID has defined its own security controls, derived from the CCSC controls (also known as SANS 20)
• AgID circular no. 2/2017 requires that Italian public administrations, public service operators and publicly controlled companies adopt it by 31 December 2017
4. The ABSC organization
• There are eight ABSC, arranged in families
• Each family is divided into finer sub-families of detailed measures, which are then decomposed into elementary measures
• The families are the following:
– ABSC 1: Inventory of authorized and unauthorized devices
– ABSC 2: Inventory of authorized and unauthorized software
– ABSC 3: Protect hardware and software configurations on mobile devices, laptops, workstations and servers
– ABSC 4: Continuous assessment and correction of vulnerabilities
– ABSC 5: Appropriate use of administrator privileges
– ABSC 8: Defence against malware
– ABSC 10: Security copies (backups)
– ABSC 13: Data protection
5. An excerpt from the ABSC 13 family
ABSC_ID# | Description | FNSC | Min. | Std. | High
13.1.1 | Carry out an analysis of the data to identify those with particular confidentiality requirements (relevant data) and in particular those to which cryptographic protection must be applied | ID.AM-5 | | |
13.2.1 | Use encryption systems for portable devices and systems that contain relevant information | ID.AM-5, PR.DS-5 | | |
13.3.1 | Use automatic tools on the perimeter of the network to block, limit or monitor in a timely manner the traffic leaving your network, the use of unauthorized cryptography or access to sites that allow the exchange and the potential exfiltration of information | ID.AM-3, PR.AC-5, PR.DS-1, DE.AE-1 | | |
6. The ABSC level of security
• The ABSC controls are also subdivided into three macro categories, each corresponding to the level of security achievable by fully implementing all the controls assigned to that level
• These levels are the following:
– Minimum: the basic level of security below which no organization can go
– Normal: an average level of security that represents a fair compromise between the preventive effectiveness of the chosen measures and their implementation costs
– Ideal: a particularly high level of security, suitable even when handling critical information or providing critical services
7. Contextualization in the academic world
• The academic world represents a particular challenge for the application of the minimum ICT measures; in fact:
1. universities often do not directly manage all the resources that can be connected to the network
2. access to the network is subject to a user-centred approval process, not a device-centred one
3. the organizational structure of universities is complex, so it is difficult to identify who is responsible for implementing the minimum measures
8. AgID vision for the academic world
• The perimeter to be considered is not defined in absolute terms
• It is necessary to analyze every specific reality, taking into account:
– its peculiarities
– the reference context in which it operates
• Respect of all the measures necessary to protect the central part («core»), that is the area of maximum criticality, must be absolutely guaranteed
• It is necessary to adopt an organizational model based on a pyramid of responsibility
– this is useful in order to manage the organizational structure of universities, which is characterized by a wide degree of autonomy
9. The ISO 27001 certification of Unicam
• The University of Camerino, on behalf of CINFO, started a certification process in 2012
• In the last six years the University has successfully passed all periodic maintenance audits
• In December 2017 Unicam presented its unified approach to risk analysis and management, which is the basis of the integration between:
– the Information security management system (ISMS)
– the Minimum ICT measures for Public Administration
• This new approach represents the first step towards modifying the scope of application in order to integrate the requirements of Regulation (EU) 2016/679 into the ISMS
10. The CODAU Guidelines
• The Italian Conference of the General Managers of University Administration issued the “Guidelines on privacy and protection of personal data in universities”
• This document contains a mapping of the most important treatments (processing operations) in the university field
• Unicam has chosen to use this mapping as a basis for:
– the compilation of the register of treatments
– the review of the scope (SoA) of Unicam’s ISMS
– the execution of an assessment of the impact of the envisaged processing operations on the protection of personal data, carried out by the controller
11. The types of treatment
• The CODAU identifies (from an operational perspective) 33 types of treatments, divided into the following macro-families:
1. main processing concerning students
2. main processing concerning employees or collaborators
3. transversal processing, or processing connected to transversal activities
4. processing of personal data in the context of the provision of federated services
• (such as EDUROAM, IDEM and SPID)
5. tracking of non-primary information
• (such as log data)
12. The Unicam Working Group (1/2)
• On 29 September 2017 the University of Camerino set up a special working group for the application of the minimum security measures
• This group had the explicit task of:
– carrying out the technical activities needed to propose the necessary measures
– producing the relevant documentation, where applicable and necessary
• It is coordinated by the ISMS manager
• It works both in a full and in a restricted configuration
13. The Unicam Working Group (2/2)
• In the restricted configuration it was composed of:
– Group coordinator and ISMS Manager (Ciclosi)
– Network, Telephony and Help Desk Manager (Rappi)
– Operating Systems and Hardware Sector Manager (Gentili)
– Processing Infrastructure to support the activities of the Athenaeum Library System (Belfiore)
• It produces technical-organisational solutions that are approved by both the General Manager and the Rector of the University
14. Integration between ISMS and ICT Measures
• The implementation form of the “Minimum ICT measures for Public Administration” is used as a sort of index that refers to the ISMS’s documents
• Because this document is signed by both the General Manager and the Rector, it transforms the ISMS into a strategic system of the University
ABSC_ID# | Description | Implementation modalities | Level
13.8.1 | Block traffic to and from URLs present in a blacklist. | The University blocks all traffic directed to URLs included in a special blacklist. The details of this implementation are described in the SGSI (ISMS) document called “PT - 102 - URL Filtering”. | M
15. Changes to the ISMS
• Unicam has implemented:
– 44 ABSC controls of minimum level
– 43 ABSC controls of standard level
– 3 ABSC controls of high level
• Unicam has made many changes to the ISMS:
– 11 technical procedures modified
– 7 technical procedures added
– 6 operating instructions added
– 1 new type of document added (the Athenaeum Regulation)
– 3 system documents modified
16. The European Security Framework (1/2)
The security measures must be appropriate, according to each of:
• Art. 14 NIS Directive
• Art. 29 Directive (EU) 2016/680
• Art. 19 eIDAS Regulation
• Art. 32 GDPR
17. The European Security Framework (2/2)
The security measures must:
• Art. 14 NIS Directive: ensure a level of security appropriate to the risk
• Art. 29 Directive (EU) 2016/680: ensure a level of security appropriate to the risk
• Art. 19 eIDAS Regulation: manage the risk posed to the security of the trust services
• Art. 32 GDPR: ensure a level of security appropriate to the risk
18. Two different perspectives of risk
• The risk referred to in the General Data Protection Regulation is different from the one referred to in ISO/IEC 27001:2013
– Risk in the GDPR is a risk to the rights and freedoms of natural persons
– Risk in ISO 27001 is operational and related to the possible consequences for the data controller or data processor
• To realize a unified approach that includes the DPIA within the risk management process used in the ISMS, it might be useful to adopt a representation of the existing treatments and map them to the business processes
19. The modification of the SoA
• Unicam has expanded its list of assets by redesigning its business processes
• We have chosen to define, for each type of treatment identified in the CODAU document, a specific business process to which specific University services correspond
• These services are then managed in the usual way, by creating and valuing specific assets with the software tool PILAR
• After that we have expanded the SoA
Macro family of CODAU processing | Type of CODAU processing | Unicam business process | Unicam services
Main processing concerning students | Services to prospective students | Orientation services | Service available at the URL orientamento.unicam.it
Main processing concerning students | Services to prospective students | Pre-registration services | Service for conducting admission tests to degree programs; service for carrying out admission tests for programs with a programmed (limited) number of places
Main processing concerning students | Services for registered students | Career management services | Esse3 service by CINECA
Main processing concerning students | Services for registered students | Tutoring services | Service available at the URL tutorato.unicam.it
20. Conclusion
• The integration of the minimum ICT security measures for the PA within the Information Security Management System allowed us:
1. to raise the ISMS to the strategic level, as it is now approved by the top management of the Athenaeum
2. to expand the scope of the measures contained in the ISMS, which now extends to the whole University
3. to improve the global protection of the organization, to acquire a greater knowledge of the “University of Camerino system”, and to highlight the correlations between its elements
21. My contacts
• linkedin
– http://it.linkedin.com/pub/francesco-ciclosi/62/680/a06/
• facebook
– https://www.facebook.com/francesco.ciclosi
• twitter
– @francyciclosi
• www
– http://docenti.unimc.it/f.ciclosi
– http://www.francescociclosi.it