EU Cybercrime strategy proposal under fire

European Commission proposals for a strategy on cybercrime have come under fire even before they have even been released.

The Commission is due to present its plan for a European Strategy for Internet Security on Wednesday (23 January), but Digital Agenda Commissioner Neelie Kroes has already said that under the proposals, EU member states will be asked to guarantee minimum capabilities to respond adequately to threats.

According to media reports, the plans could include forcing all companies that store large amounts of data, such as search engines, social networks, e-commerce sites and cloud service providers, to report data breaches or face sanctions such as fines.

Currently, the European Union’s 27 member states have their own national laws on data breach notification for such companies, although telephone transport and utility companies are required to report any theft of sensitive information. There are also more limited security breach disclosure provisions in the draft Data Protection Regulation.

“Prompt reporting means competent national authorities can react quickly to incidents and minimise their impact. We’ll need to share critical information in a secure and confidential manner: within and between public and private sectors. CERTs and other competent bodies need to exchange regularly and rapidly, to warn and assist,” Kroes said when she outlined her plans last March.

Industry leaders warned that extending the scope of reporting mandates could harm businesses. The plan “could subject a wide array of industries to sweeping new regulation, and appears to mandate technology standards largely written by government, not industry,” Liam Benham of IBM Europe said in a statement.

Meanwhile, digital civil liberties group EDRi said that the draft proposal was “totally misguided” and “an attempt to militarise security in cyberspace.”

Kroes said last March that internet security cannot be left to the national security agencies. But EDRi said on Thursday that a directive “that encourages one single agency to acquire primacy in each member state would undermine the constitutional arrangements that various states currently have for separation of powers and accountability.”

“Instead of pulling together police forces, CERTs and service providers, ENISA seeks to set up a classified network of military and intelligence agencies. It is a tragedy that the European Union is now considering following this UK- and US-centric policy lead,” said the organisation.

EDRi also warned that extending the scope of data breach notification rules would give the managing agency access to “sufficient information from almost everyone online” adding that this would surely be in violation of the European Convention on Human Rights.

IDG News Service

BYOD: Make it Secure !

BYOD Challenges can be handled through right policies

Bring your own device(BYOD) is a revolution happening at the user end and taken the infrastructure out of the control of ‘Information managers’. While the debate is going on whether or not BYOD policies save organizations money or cost them, it is slowly emerging that these policies increase complexity while decreasing direct control over information resources. Information security suddenly becomes a prime challenge as the devices now owned by the individuals & used for personal information purposes and the segregation & privacy of work information posing difficult practical problems. A robust BYOD policy coupled with an effective strategy can, to a reasonable extent, help restore the control and ensure a smooth transition to the inevitable BYOD revolution.

A strong framework of information security and a supporting policy guidelines are absolutely critical to ensure a smooth transition. The issue becomes more critical in the absence of a clear regulation and require an ironclad policy that is enforced rigorously. Typical tasks that are expected to include in the policy are clearly defined information classification, access policy rules from personal devices, user profiling, locking on security devices/OS, loss of device protection and data recovery methods and also have provisions for remote wipe and remote application management capabilities, the right to confiscate and search devices and the right to dictate which applications are allowed and prohibited. For example, IBM banned access to Apple’s Siri application as well as access to Dropbox, for company-managed devices.

In the extremely nebulous legal landscape, it is highly imperative that these policies should be cleared through the legal team to make sure that language is adequate and that it will work in all applicable jurisdictions. From a legal perspective, it is mandatory to review all licenses for cloud-based applications to ensure that data is handled responsibly in those environments. Review of these agreements should follow the same review and approval process that would be normally used when considering outsourcing partnerships.

The security framework need to answer questions like heavy weight or light security; security at server level or client level; security at device level, application level or information level, and so on. Other issues that cannot be overlooked are like bandwidth, software licenses, data plans etc. Similarly, users’ concerns like confiscating their devices and accessing the personal information need to addressed. Providing a method to secure copies of personal information, as well as a way to protect other pieces of private information (e.g., nonwork text messages, email and instant message logs) will go a long way toward easing those concerns.

Issues arising out of people using unmanned devices (eg.a user does not wish to participate in the officially sanctioned BYOD programme) may represent even greater risk to businesses than those people willingly agreeing to follow the rules.

While an in place, alysts and experts caution the organizations on the importance of having a strong BYOD policy the fact is that many organizations do not pay enough attention to this key fact and simply add a few lines to their existing wireless policy in an attempt to cover their bases. While it’s highly recommended that the BYOD strategy be in line with the corporate mobility strategy, just tweaking the mobility policy to accommodate BYOD is not enough. A separate policy that covers all possible aspects of BYOD is a basic necessity.

A policy is only as good as the people who follow it. Implementing a pilot and revisiting policy guidelines help to understand the ever evolving challenges. Further, policy-making needs to be treated as an evolving process and not a one time exercise to meet routene compliace or adherence to company policies. It is also important to build policies by implementing technical controls like mobile application management (MAM) and mobile device management (MDM) applications. Where possible, enforcing device encryption and passwords will help reduce associated technical risks. Improving access management requirements, such as by mandating two-step or two-factor authentication, can further help reduce the risk of a lost device immediately leading to a data breach.

Developing Information Security Policy


Every organization is required to have an effective information security program which maps to its business drivers,  regulatory requirements and threat profile. Although organizations across the globe are increasingly recognizing the importance of information security for businesses, the complexity of issues involved in formulating an appropriate information security policy greatly vary from company to company.

 This may depend on multiple factors including the importance of business information, size of the company, type of operations and businesses the company involved in and the numbers and types of information and information systems they use. Developing a robust Information Security Policy is a crucial first step in the program.

While small organizations can quickly deploy information security policy to address their needs, for large organizations, developing a single policy document encompassing all users and resources and addressing the entire gamut of information security issues is a herculean task. Rather, a more effective approach would be to develop a suite of policy documents to cover all information security assets; each targeting specific audience and address relevant information security concerns. This approach would ensure easy maintainability of the policy and focus on specific requirements in terms of emerging threats and risk assessments.

 Why do we need Policy?

A security policy should fulfil many purposes. According to http://www.sans.org, it should: 

  • Protect people and information 
  • Set the rules for expected behaviour by users, system administrators, management, and security personnel 
  • Authorize security personnel to monitor, probe, and investigate 
  • Define and authorize the consequences of violation
  • Define the company consensus baseline stance on security 
  • Help minimize risk 
  • Help track compliance with regulations and legislation 

Basic steps in Developing Information Security Policy

  • Identify all assets that are required to be protected
  • Identify all threats and vulnerabilities and likeliness of threats happening
  • Identify the measures to safeguard the assets in a cost-effective manner
  • Identify the roles and responsibilities of various parties and communicate them
  • Monitor and review the process continuously for improvement.

ISO 27002 provides a comprehensive set of guidelines and controls comprising best practices in information security whereby it can be used as a basis to develop security policy.  ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad:

the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of 
information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).

Who is Responsible?

Today, many organizations have multiple pieces of  a security program in terms of policies, standards, firewalls, security team, IDS and so on  but the top management is not truly involved nor security has permeated throughout the organization. Rather all the responsibility has been delegated to a small security team responsible for securing the entire organization. This practice is because of a belief that security was just a technology issue.Information security governance is the responsibility of the board of directors and senior executives. It must be an integral and transparent part of enterprise governance and be aligned with the IT governance framework. To exercise effective enterprise and information security governance, boards and senior executives must have a clear understanding of what to expect from their enterprise’s information security programme. They need to know how to direct the implementation of an information security programme, how to evaluate their own status with regard to an existing security programme and how to decide the strategy and objectives of an effective security programme. (http://www.isaca.org)