Governing Information Security ROBERTO REALE, INNOVATION MANAGER 03/12/2019
Cyberspace
“… a consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding” (Gibson, 1966)
Domains of Cybersecurity
Strategic Model for the Italian Public Sector: “security comprises activities for the regulation and governing of cybersecurity in the PA for assessment testing and CERT-PA as an operative tool by which to support the adoption of correct security levels at the Public Administration. All other aspects are also identified that come together to make the IT systems secure and reliable, as well as guidance and correlated instruments for compliance in respect of privacy” (2019 - 2021 Three-Year Plan)
Areas covered by Standardisation
Security feature provision — Sector/technology specific security features
Security assurance — Common Criteria initiative (ISO 15408)
Security threat sharing — CSIRTs (Computer Security Incident Response Teams), STIX/TAXII, CybOX, MISP (Malware Information Sharing Platform)
Organisational management for secure operations — ISO/IEC 27001
Strategic Focus Areas
Infrastructures and Centres — Secure the national internet network and data centres of the PA
Enabling actions — Protection of critical national applications, national threat repository, system-wide risk management
Enabling Technologies — Encryption, blockchain, biometric, and quantum technologies
Technologies to Protect — Industry 4.0, IoT, industrial control systems, and robots
Horizontal Actions — Training, awareness and certification projects
EU Strategy
Cybersecurity requirements for Operators of Essential Services (OES – essentially critical infrastructure companies) and digital service providers (DSPs)
Certification framework for digital products, services, and processes
The EU Cybersecurity Act made the European Network and Information Security Agency (ENISA) a permanent government agency and significantly expanded its role and responsibilities with respect to cybersecurity
Cybersecurity as a “high priority” field: the proposed cybersecurity budget for 2021-27 includes €2 billion to fund “safeguarding the EU's digital economy, society and democracies through pooling expertise, boosting EU's cybersecurity industry, financing state-of-the-art cybersecurity equipment and infrastructure”
ENISA Guidelines
Technical Guidelines for the implementation of minimum security measures for Digital Service Providers
Mapping of OES [Operators of Essential Services] Security Requirements to Specific Sectors
Good practices on interdependencies between OES and DSPs
Guidelines on assessing DSPs and OES compliance to the NISD security requirements
NIS Cooperation Group Guidelines
Reference document on the identification of Operators of Essential Services
Reference document on security measures for Operators of Essential Services
Reference document on Incident Notification for Operators of Essential Services
Compendium on cyber security of election technology
Guidelines on notification of Operators of Essential Services incidents
Guidelines on notification of Digital Service Providers incidents
Cybersecurity Incident Taxonomy
Guidelines for the Member States on voluntary information exchange on cross-border dependencies
Risk assessment of 5G networks
DevSecOps
Security as Code
Automation
Everyone is responsible
Security added to all business processes (no silos)
Consumable Security Services (API)
Open Contribution & Collaboration
Nation-wide DevSecOps
roberto@reale.me