Being a CISO does not make you a ‘legal’ person, and Legal is usually not aware of InfoSec matters, so we have to keep ourselves informed about the different regulations that apply to our business. Here I am adding all the ICT, information security, privacy, continuity and risk laws I know of, with some possible references.
This list is not exhaustive and needs your participation to keep it up to date. Feel free to comment and suggest other additions to complete it and share it with the InfoSec community.
1. European Union
1) Data protection (NIS Directive and GDPR)
The new European Community (EC) laws governing data protection, set to be implemented in the next two to three years, will have a fundamental impact on the way that most organisations in European Union (EU) member states implement security policies and report breaches. The Network and Information Security (NIS) ‘cybersecurity’ directive is set to be finalised in 2015, depending on how long it takes for the EU Council and Parliament to agree on a final version. Member States will then need to begin preparing for compliance immediately and complete implementation by approximately the end of 2017. In addition, there is a separate plan to unify the existing data protection regulations in force within the different EU countries under a single law – the General Data Protection Regulation (GDPR) – currently set to be finalised in early 2015, compliance with which will become mandatory in 2017.
When finalised, the NIS Directive will impose new security and incident reporting requirements on a broader range of private sector companies. It will demand that ‘operators of critical infrastructures’ or ‘critical national infrastructure (CNI) market operators’ – which include those working in the energy, financial services, health and transport sectors, alongside public sector bodies – adopt appropriate steps to manage security risks and report serious incidents to a national competent authority, such as a computer emergency response team (CERT), which will represent a ‘single point of contact’ if not necessarily the only competent authority in each member state. The original framework proposed extending these security and reporting requirements to ‘key providers of information society services’ (app stores, cloud service providers, e-commerce platforms, Internet payment gateways, search engines and social networks, for example).
This idea has since been put on hold following objections from various industry groups and after the European Parliament deemed it ‘disproportionate and unmanageable’, although these companies will be encouraged to report incidents voluntarily. Several aspects of the NIS Directive are aimed at member state governments themselves, requiring that they adopt a national NIS strategy, implement the aforementioned NIS competent authority and create a ‘cooperation mechanism’ to share security information and best practice across the European Union and circulate early warnings on security risks and incidents. The NIS Directive is now being finalised and is expected to be adopted by the EU government in the first half of 2015.
Current directive:
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The new project:
The GDPR proposes a single data protection law covering the entire EU, in place of the current data protection rules, which have ended up being implemented differently in each member state. It will extend to organisations operating in Europe irrespective of whether the data they handle is stored within the boundaries of the EU or not, and broadens the definition of personal data to include email addresses, computer IP addresses and posts on social media sites. Besides proposals which mirror the NIS Directive’s calls for bigger fines and the establishment of ‘one stop shop’ national authorities in each member state, the GDPR calls for specific rules governing the way that EU citizens’ personally identifiable information (PII) is handled. Those organisations must:
- Inform users of data breaches without undue delay (within 72 hours) after they become aware of it
- Give end users the right to request a copy of their PII in a portable format which can also be transmitted electronically from one processing system to another.
- Provide the right to erasure: the end user can request all PII be deleted if there are no legitimate grounds for retaining it.
- Obtain valid consent to collect PII, consent which can also be withdrawn.
- Obtain regulatory approval to transfer PII outside of the EEA to countries not approved as having adequate data protection measures in place.
- Appoint a data protection officer to ensure compliance (likely applicable to companies with more than 250 employees and/or those who process more than 5,000 data subjects within 12 months, and all public bodies).
- Publish contact information for the data controller.
- Build data protection into business process, product and service development (Privacy by Design).
- Ref: http://ec.europa.eu/justice/data-protection/
- Press: http://www.consilium.europa.eu/en/press/press-releases/2015/06/15-jha-data-protection/
2) Informed consent for “cookies” and other devices
The new rules require Member States to ensure that users grant their consent before cookies (small text files stored in the user’s web browser) are stored and accessed on computers, smartphones or other devices connected to the Internet. The Commission has encouraged the media and the advertising industry to develop codes of conduct to implement new user-friendly rules, provided they comply with the legal requirements of the Directive.
Transferring your personal data outside the EU
3) US-EU Privacy Shield
The EU-U.S. Privacy Shield is based on the following principles:
- Strong obligations on companies handling data: under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list. The tightening of conditions for the onward transfers of data to third parties will guarantee the same level of protection in case of a transfer from a Privacy Shield company.
- Clear safeguards and transparency obligations on U.S. government access: the US has given the EU assurance that access by public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Everyone in the EU will also, for the first time, benefit from redress mechanisms in this area. The U.S. has ruled out indiscriminate mass surveillance of personal data transferred to the US under the EU-U.S. Privacy Shield arrangement. The Office of the Director of National Intelligence further clarified that bulk collection of data could only be used under specific preconditions and needs to be as targeted and focused as possible. It details the safeguards in place for the use of data under such exceptional circumstances. The U.S. Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State.
- Effective protection of individual rights: any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. Ideally, the complaint will be resolved by the company itself; otherwise, free-of-charge Alternative Dispute Resolution (ADR) solutions will be offered. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress in the area of national security for EU citizens will be handled by an Ombudsperson independent from the US intelligence services.
- Annual joint review mechanism: the mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurances as regards access to data for law enforcement and national security purposes. The European Commission and the U.S. Department of Commerce will conduct the review and involve national intelligence experts from the U.S. and European Data Protection Authorities. The Commission will draw on all other sources of information available and will issue a public report to the European Parliament and the Council.
Source: Reuters news – http://www.reuters.com/article/2015/08/06/eu-cybersecurity-idUSL5N10G45Q20150806
Internet firms to be subject to new cybersecurity rules in EU
Aug 6 – Internet firms such as Cisco, Google and Amazon will be subject to a new EU cybersecurity law forcing them to adopt tough security measures and possibly report serious breaches to national authorities, according to a document seen by Reuters. The so-called Network and Information Security Directive has been stuck in talks between member states and EU lawmakers because of disagreements over whether to include digital platforms such as search engines, social networks, e-commerce sites and cloud computing providers. Members of the European Parliament want the law to only cover sectors they consider critical, such as energy, transport and finance.
But after months of negotiations, digital platforms will now fall under the law’s remit, albeit with less onerous security obligations, according to the document, which did not provide details of the obligations. The paper from Luxembourg, which holds the rotating European Union presidency, suggests adopting a lighter approach for digital service platforms which typically do not have direct links to physical infrastructure such as, for example, a nuclear power company.
Any firm meeting the law’s definition of a digital service platform — which is still under discussion — would automatically be covered to avoid member states taking different approaches and causing fragmentation across the 28-nation EU.
A cloud computing provider or any other digital firm providing a service for an infrastructure operator would be subject to the same rules applying to that operator, according to the document, which could still change in discussions after the summer.
Internet firms will also be subject to notification requirements in cases of security breaches, although there is no agreement yet on whether these should be mandatory or voluntary. The paper asks member states to express their preferences at a meeting in September, after which drafting of a full legal text will start.
Firms in the digital sphere oppose being included in the law’s scope. “We’re pleased to see digital service platforms subject to a different regime but we’re disappointed at the lack of recognition that it is the use of cloud that determines the security risk not the service itself,” said Chris Gow, Senior Manager, Government Affairs at Cisco.
The European Commission — the EU executive — and some member states reckon that because of the widespread use of Internet services and the number of businesses that rely on the web they should also be subject to security rules and reporting requirements.
Currently there is no pan-European cybersecurity law and only telecoms operators are subject to the incident-reporting requirements. (Editing by Mark Potter)
- Ref: https://ec.europa.eu/digital-agenda/en/cybersecurity
- Good to know – ENISA (European Union Agency for Network and Information Security): https://www.enisa.europa.eu/
The proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union was put forward by the European Commission in 2013. Two years later, the Parliament and the Council have agreed on a set of measures to boost the overall level of cybersecurity in the EU.
The new rules will:
- improve cybersecurity capabilities in Member States
- improve Member States’ cooperation on cybersecurity
- require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services like search engines and cloud computing, to take appropriate security measures and report incidents to the national authorities.
The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:
- Member States’ preparedness, by requiring them to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority;
- cooperation among all the Member States, by setting up a cooperation group in order to support and facilitate strategic cooperation and the exchange of information among Member States. They will also need to set up a CSIRT Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and the sharing of information about risks;
- a culture of security across sectors which are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors that are identified by the Member States as operators of essential services will have to take appropriate security measures and notify serious incidents to the relevant national authority. Key digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and notification requirements under the new Directive.
6) Financial Sector
Guidelines on the security of internet payments (ABE/GL/2014/12_Rev1)
Public hearing on Guidelines on ICT risk assessment under SREP (EBA-CP-2016-14)
2. By country
Belgium
1) NBB (National Bank of Belgium)
- Cloud computing – “Prudential expectations regarding cloud computing” (circular NBB_2012_11) – https://www.nbb.be/doc/cp/fr/ki/circ/pdf/nbb_2012_11fr.pdf
- Outsourcing – Circular PPB 2004/5 on sound management practices regarding outsourcing by credit institutions and investment firms – https://www.nbb.be/doc/cp/fr/ki/circ/pdf/ppb_2004_5_circular.pdf
- Business Continuity Planning / Disaster Recovery Planning (BCP/DRP):
  - Law of 22 March 1993 on the status and supervision of credit institutions (in particular Article 20bis, § 3)
  - PPB-2005/2 of 10.03.05, sound management practices to ensure the business continuity of financial institutions
  - Financial Stability Committee, Recommendations, 20 October 2004
  - Basel, High-level principles for business continuity, August 2006 (Joint Forum)
- EBA guidelines on the security of internet payments (circular 20160525_nbb_2016_29)
Scope: credit institutions, payment institutions, electronic money institutions, legal persons exempted on the basis of Articles 48 and 105 of the Law of 21 December 2009, as well as the Belgian branches of such institutions governed by the law of a State that is not a member of the European Economic Area (EEA). The circular is also brought to the attention of institutions established in Belgium that are governed by the law of an EEA Member State. This circular transposes the EBA guidelines of 19 December 2014 on the security of internet payments into the Belgian prudential framework.
2) FSMA (ex CBFA)
- “Financial services via the Internet: Prudential requirements – 2009” – https://www.nbb.be/doc/cp/eng/ki/circ/pdf/cbfa_2009_17.pdf
- Circular PPB 2005/2 on sound management practices to ensure the business continuity of financial institutions – https://www.nbb.be/doc/cp/fr/bo/circ/pdf/ppb_2005_2.pdf
- Circular FSMA_2016_03 on sound management practices to ensure the business continuity of regulated undertakings (available in French and Dutch)
3) Commission for the Protection of Privacy (Commission de la protection de la vie privée / CPVP)
- Web site: http://www.privacycommission.be/
4) Febelfin
Febelfin vzw/asbl (non-profit association) is the Belgian Financial Sector Federation. It tries to reconcile the interests of its members with those of policy makers, supervisors, trade associations and pressure groups at the national and European level.
- Page: https://www.febelfin.be/en
5) CERT.be
- Page: https://www.cert.be
6) B-CCENTRE
Belgian Cybercrime Center of Excellence … (not really active in 2015)
- Page: https://www.b-ccentre.be
7) FCCU (Federal Computer Crime Unit)
- E-Cops BE: https://www.ecops.be
Germany
1) Section 11 of the German Federal Data Protection Act (FDPA)
Since 2009, companies that engage service providers to process personal data must enter into a very specific data processing agreement. The FDPA sets forth various required provisions to be included in such an agreement. For example, the parties must agree that data processing operations will comply with the customer’s (data controller’s) instructions, that the customer will have audit rights that the processor will abide by, and that the processor must implement technical and organizational data security measures (TOMs) which must be specified in that agreement.
In practice, the foregoing requirements are often not followed in data processing agreements for several reasons:
- Service providers often deliver services globally pursuant to a standard format and master services agreement in order to save costs and to keep processes as operationally simple as possible. Service providers naturally dislike the legal concept of EU data privacy law according to which they must follow orders from their customers and where they lose flexibility as regards their TOMs.
- Service providers often refuse outright to agree to FDPA-compliant data processing agreements, or they provide a description of TOMs which is insufficient from the FDPA’s perspective. For example, TOMs are described too broadly, or sometimes the description of the TOMs merely paraphrases the text of the law.
- Because customers – as the data controllers – bear the burden of demonstrating compliance with the FDPA (and the burdens of enforcement penalties), service providers are less incentivized to proactively design and deliver their services and agreements pursuant to FDPA requirements.
Companies that are subject to German data privacy law should put more focus on ensuring that the data processing agreements concluded with service providers fulfil all the requirements of the FDPA. They cannot avoid fines merely by arguing that the service provider was unwilling to enter into such an agreement. Indeed, companies must be willing to negotiate aggressively or, unfortunately, consider terminating negotiations should service providers fail to accommodate German legal requirements.
Service providers who are active in the German market should be thoughtful in further customizing their offerings from standard data processing agreements so that they may evolve with the developing enforcement regime. This will help the service providers prevent unnecessary back-and-forth negotiations with their German customers and will, in the end, increase their ability to compete in the German market.
- German Parliament’s IT-Security Act Covers Critical Infrastructure – http://dip21.bundestag.de/dip21/btd/18/040/1804096.pdf
Luxembourg
1) Circular CSSF 14/597 (data protection and governance)
Update of Circular CSSF 12/552 on central administration, internal governance and risk management
2) Law of 25 July 2015
On electronic archiving: http://www.cssf.lu/fileadmin/files/Lois_reglements/Legislation/Lois/L_250715_archivage.pdf
3) Grand-Ducal Regulation of 25 July 2015
Implementing Article 4(1) of the Law of 25 July 2015 on electronic archiving: http://www.cssf.lu/fileadmin/files/Lois_reglements/Legislation/RG_NAT/RDG_250715_archivage.pdf
4) Grand-Ducal Regulation of 25 July 2015
On the dematerialisation and retention of documents: http://www.cssf.lu/fileadmin/files/Lois_reglements/Legislation/RG_NAT/RDG_250715_dematerialisation_conservation.pdf
Netherlands
Data breach notification obligation in force from 1 January 2016
From 1 January 2016, both private and public organisations that process personal data are required to report security incidents that lead, for example, to the theft, loss or misuse of personal data. The government announced this today via the Staatsblad (Government Gazette).
The data breach notification obligation is thereby extended, since at present it applies only to providers of electronic communication networks and services. According to the central government, the notification obligation should ensure better protection of personal data.
Furthermore, from next year the Dutch Data Protection Authority (College bescherming persoonsgegevens, CBP) will be able to impose an administrative fine on violators of privacy rules in more cases. At present the CBP may only impose an administrative fine for a breach of an administrative requirement, for example the obligation to notify the processing of personal data. From 1 January this will also be possible for breaches of the more general obligations that the law imposes on the use and processing of personal data.
For example, where personal data has not been processed in a proper and careful manner or is retained longer than necessary, but also where security is inadequate, the management of personal data is poorly organised, or sensitive information about citizens, such as their political preference or religious or philosophical beliefs, has been misused.
More info and details (in English): http://www.dataprotectionreport.com/2015/06/breach-notice-becomes-law-in-the-netherlands-11-things-to-know/
Spain
The Code is a compendium of relevant Spanish legislation, focusing on topics such as national security, critical infrastructure security, telecommunications, cybercrime and data protection.
Switzerland
1) FINMA circulars
FINMA Circular Operational risk – Treatment of electronic client data – http://www.kpmg.com/CH/Documents/pub-20141008-finma-circular-2008-21-appendix-en.pdf
- Major security failures in the IT domain
- Circular 2008/17 on the exchange of information between self-regulatory organisations (SROs) and FINMA
- Circular 2008/21 on operational risks in the banking sector
2) Swiss Criminal Code
Art. 143 “Unauthorised obtaining of data”
1 Any person who, with the intent to obtain an unlawful gain for themselves or a third party, obtains for themselves or a third party data that is stored or transmitted electronically or in a similar manner, that is not intended for them and that is specially protected against unauthorised access on their part, shall be liable to a custodial sentence not exceeding five years or to a monetary penalty.
2 The unauthorised obtaining of data to the detriment of a relative or family member is prosecuted only on complaint.
Art. 143bis “Unauthorised access to a computer system”
1 Any person who, without authorisation and by means of a data transmission device, accesses a computer system belonging to another that is specially protected against access on their part shall be liable, on complaint, to a custodial sentence not exceeding three years or to a monetary penalty.
2 Any person who puts into circulation or makes accessible a password, a program or any other data that they know or must assume is intended to be used to commit an offence under paragraph 1 shall be liable to a custodial sentence not exceeding three years or to a monetary penalty.
3) Swiss Bankers Association
- Recommendations on Business Continuity Management (BCM) (2007) – http://shop.sba.ch/11107_f.pdf (still to confirm whether a newer version exists)
4) Federal Act on Data Protection (Art. 4, 6 and 7)
5) Ordinance to the Federal Act on Data Protection (Art. 20 and 21)
6) Convention on Cybercrime
7) Federal Data Protection and Information Commissioner (FDPIC / PFPDT)
- Processing of personal data in the private sector
- Technical and organisational measures for data protection
- Communication of data abroad in 24 questions
- Some extra info: http://www.swissbanking.org/fr/home/dossiers-link/regulierung.htm
United States
1) SEC (Securities and Exchange Commission)
Section “Safeguards for the privacy protection of client records and information” – https://www.sec.gov/divisions/investment/advoverview.htm and https://www.law.cornell.edu/cfr/text/17/248.30
Privacy of Consumer Financial Information (Regulation S-P) – https://www.sec.gov/rules/final/34-42974.htm
2) US Bank Regulators Draft Rules For Financial Services Cybersecurity
Proposed standards will require financial firms to recover from any cyber-attack within two hours.
Russia
The Roskomnadzor Act
3. Industry specific – or generic topics
Some regulations are industry-specific and not tied to a specific country:
1) EBA Directive – security of internet payments across the EU
The European Banking Authority (EBA) published today its final Guidelines on the security of internet payments, which set the minimum security requirements that Payment Services Providers in the EU will be expected to implement by 1 August 2015. Concerned about the increase in fraud related to internet payments, the EBA decided that the implementation of a more secure framework for internet payments across the EU was needed. These Guidelines are based on the technical work carried out by the European Forum on the Security of Retail Payments (SecuRe Pay).
- Ref: http://www.eba.europa.eu
- Doc: http://www.eba.europa.eu/documents/10180/855014/EBA-CP-2014-31+%28CP+on+security+of+internet+payments%29.pdf
2) PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
- Documents of reference: https://www.pcisecuritystandards.org/security_standards/documents.php
3) Basel II
In the domain of Business Continuity & Resilience,
5) Intellectual Property
4. Company documents and policies
Don’t forget to assess your company policies and guidelines:
- Information Security Policy – for the end users
- ICT Security Strategy
- IT Security Policy for IT department
- Remote access and teleworking
- Authentication and password management
- Change management
- Systems Protection and Patching
- ICT Continuity and recovery
- Information Security Incident Response
- Access management
- Monitoring and alerting
- Asset inventory, management and life cycle
- Outsourcing Policy
- Policy for the protection of privacy and the processing of personal data
- Physical security and access
- Data Classification and protection
- Staff recruitment, arrival, move and departure
- Business Continuity Management Policy
- Social Media Policy
- NDA (Non Disclosure Agreement)
- Code of conduct
Feel free to comment and add others to complete and share with us.