My talk at the annual IT day in 2016 (and the release of documents)

I was honored to give a talk at the annual IT day for the second time in a row. This year's event was The IT day 2016: A date with a secure future - threats, opportunities and challenges (Icelandic: UT-dagurinn 2016; Stefnumót við örugga framtíð - ógnir, tækifæri og áskoranir).

This is an annual event which has been organized by the Ministry of Interior in Iceland. Other speakers at the conference included the Director of the Data Protection Authority of Iceland, the Director of the Norwegian Data Protection Authority, the Director of the Post and Telecom Administration of Iceland, lawyers from the Ministry of Interior in Iceland, the head of IT Security at the Data Protection Authority in Iceland and a member of law enforcement from the IT Forensic department of the Reykjavik Metropolitan Police.

I was thankful for the opportunity to introduce and share some of the work I’ve been doing with the Ministry of the Interior in Iceland. This includes a draft of a contract annex, an example risk assessment and risk treatment process, and a very basic and simple risk assessment and risk treatment form.

Contract annex (draft)

As we found out from the follow-up on some of the security vulnerabilities discovered in last year's security assessment, some people assume that when they outsource their IT systems to a hosting company, the hosting company will take care of IT security (installing security updates, notifying them of potential breaches, performing vulnerability assessments, etc.). The same goes for when people outsource or buy software solutions (e.g. web content management systems): they expect that a formal and secure software development process is followed, that they will be notified of security vulnerabilities as they get discovered, and that they will get security updates for free. As logical or illogical as those assumptions may be, this is not always the case.

The contract annex (draft) is intended to address these issues (and more). The contract annex spans eight pages and introduces various requirements on service providers, such as: implementing a security policy, assigning IT security responsibilities to employees, risk assessments, formal access control, security updates, vulnerability assessments, penetration testing, intrusion detection/prevention systems, incident management, internal auditing, collaboration with the government, non-disclosure agreements, training of employees and contractors in IT security, reporting requirements (e.g. of security breaches) and more.

The idea was to cover all the areas people assumed were already being taken care of. If you’re interested, you can download the PDF of the contract annex and use Google Translate for files to translate its content to your own language. While the main goal of this contract annex is to be used by government entities, it is accessible and downloadable for others, who can go through the annex and use it as an inspiration for their own contracts / contract annex.

It’s worth mentioning that the controls listed in the contract annex can be very valuable in GDPR compliance-related work.

Risk Assessment and risk treatment

A risk assessment is one of the cornerstones of information security. It is often overlooked and misunderstood. A risk assessment is the only realistic way to map out the risks your business faces, their probability and the potential impact they can have on your business, and to prioritize your risk treatment plans accordingly. Here you can find the Risk assessment and control implementation guidelines document, and here you can find the Risk assessment and risk treatment template document.

No photos

Unfortunately I didn’t take any photos, but my talk has been made available online (see the top of this blog post).

Written by Svavar Ingi Hermannsson (XxSiHxX) on December 1, 2016