Search results


  • Security Framework


    Answer:

    The EU GDPR does not require you to hold any certification in terms of security. Article 32 of the EU GDPR, however, requires you to implement “appropriate” technical and organizational measures to ensure: “ongoing confidentiality, integrity, availability and resilience of processing systems and services” and “ability to restore the availability and access to personal data in a timely manner” (https://advisera.com/eugdpracademy/gdpr/security-of-processing/).

    You can use ISO 27001 as a suitable framework to protect your personal data. If you require more information on ISO 27001 and EU GDPR, you can check out our article Does ISO 27001 implementation satisfy EU GDPR requirements? (https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/).
  • Pseudonymization


    Answer:

    First of all, the pseudonymization “strength” depends on the data you want to protect, so it is a risk-based approach: the higher the risk to the data subject, the stronger the pseudonymization technique.

    Article 29 Working Party refers to the following pseudonymization techniques as being the most popular:
    · Encryption with secret key: in this case, the holder of the key can trivially re-identify each data subject through decryption of the dataset because the personal data are still contained in the dataset, albeit in an encrypted form. Assuming that a state-of-the-art encryption scheme was applied, decryption can only be possible with the knowledge of the key;
    · Hash function: this corresponds to a function which returns a fixed-size output from an input of any size (the input may be a single attribute or a set of attributes) and cannot be reversed; this means that the reversal risk seen with encryption no longer exists. However, if the range of input values of the hash function is known, they can be replayed through the hash function in order to derive the correct value for a particular record. For instance, if a dataset was pseudonymised by hashing the national identification number, then this can be derived simply by hashing all possible input values and comparing the result with those values in the dataset. Hash functions are usually designed to be relatively fast to compute, and are subject to brute force attacks. Pre-computed tables can also be created to allow for the bulk reversal of a large set of hash values. The use of a salted-hash function (where a random value, known as the “salt”, is added to the attribute being hashed) can reduce the likelihood of deriving the input value but, nevertheless, calculating the original attribute value hidden behind the result of a salted hash function may still be feasible with reasonable means;
    · Keyed-hash function with stored key: this corresponds to a particular hash function which uses a secret key as an additional input (this differs from a salted hash function as the salt is commonly not secret). A data controller can replay the function on the attribute using the secret key, but it is much more difficult for an attacker to replay the function without knowing the key, as the number of possibilities to be tested is sufficiently large as to be impractical;
    · Deterministic encryption or keyed-hash function with deletion of the key: this technique may be equated to selecting a random number as a pseudonym for each attribute in the database and then deleting the correspondence table. This solution allows diminishing the risk of linkability between the personal data in the dataset and those relating to the same individual in another dataset where a different pseudonym is used. Considering a state-of-the-art algorithm, it will be computationally hard for an attacker to decrypt or replay the function, as it would imply testing every possible key, given that the key is not available;
    · Tokenization: this technique is typically applied in (even if it is not limited to) the financial sector to replace card ID numbers with values that have reduced usefulness for an attacker. It is derived from the previous ones, being typically based on the application of one-way encryption mechanisms or the assignment, through an index function, of a sequence number or a randomly generated number that is not mathematically derived from the original data.

    You can check out the Article 29 Working Party opinion here: https://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf.
  • Applying ISO 27001 and OWASP

    I have received the following question: In my company the main problem is that we want to apply ISO 27001 together with OWASP to improve security assurance in the web application development process. We do not know whether this is correct, or whether we should perhaps apply another ISO standard?

    Answer: It is correct, you can apply ISO 27001 together with OWASP. The main objective of ISO 27001 is the protection of information, and for this the standard uses risk management, which is composed of risk analysis and risk treatment. Therefore, basically, to protect information you have to identify risks, and then you have to treat them. For risk treatment, ISO 27001 has Annex A with 114 security controls, and there are specific controls for software development (in domain A.14), which can be complemented with OWASP, which is basically a framework for secure development. This article on how to integrate ISO 27001 with the software development life cycle may interest you: https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
  • Quality vocabulary


    Answer:

    The actual term “product realization” is no longer used in the new standard. If you use an electronic version and search for the word “product”, it never appears together with the other one, “realisation” or “realization”. It is, however, a phrase that is still widely used in the quality vocabulary.

    The following material will provide you with information about the changes in the standard:

    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO27001/002/005 and EU GDPR plus PCI-DS


    Answer: To be sure our toolkit can help you, you can take a look at its free demo at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    Unfortunately we do not have a toolkit specific for PCI-DSS, but most of our templates can be adjusted to fulfill PCI-DSS requirements.

    These articles will provide you further explanation about ISO 27001 and PCI-DSS:
    - PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences https://advisera.com/27001academy/knowledgebase/pci-dss/
    - PCI-DSS vs. ISO 27001 Part 2 – Implementation and Certification https://advisera.com/27001academy/knowledgebase/pci-dss/
  • Mandatory documents for ISO 27001


    Answer: Sure. In the List of Documents file that comes with your toolkit you can find which documents are mandatory only for ISO 27001.

    This article will provide you further explanation about mandatory documents for ISO 27001:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Organizing IT area

    Thanks a bunch, I didn't know where to start. Lucky for me I have top management support... really appreciate your knowledge!!
  • ISO 22301 implementation

    I have received the following question: I am especially interested in the ISO 22301 implementation package. I would like to know the timelines, the resources needed and the major challenges for implementing it. Additionally, at what point should I contact the certification body?

    Answer: The time to implement ISO 22301 depends on the size of the organization; in any case, you can use this free tool to get an estimate of the time you need to implement ISO 22301 in your organization: https://advisera.com/27001academy/es/herramientas/calculador-gratuito-del-tiempo-de-implementacion-para-iso-27001-iso-22301/ Generally, the main challenge for the implementation is obtaining management support, and this free webinar may be useful to you: https://advisera.com/27001academy/es/webinar/iso-27001-benefits-how-to-obtain-management-support-free-webinar/ Regarding resources, you can implement this standard by yourself, I mean, using your own resources, but if you buy our documentation toolkit you will also have our support for the implementation. Finally, you can contact the certification body for certification whenever you want, although it is usually contacted when the implementation is nearing completion. This article can help you select the certification body: https://advisera.com/articles/how-to-choose-an-iso-certification-body/ And here you can download our documentation toolkit: https://advisera.com/27001academy/es/paquete-de-documentos-sobre-iso-22301/
  • External audit

    thanks
  • Management review


    I will be conducting audit checks on all three management systems on a monthly basis across the whole year with a view to recertifying every Jan/Feb/Mar.

    As the audit effectively takes place over the course of the whole year, when would you recommend the management review is scheduled? Is it sensible to conduct it only when the internal audit is complete? My concern with this approach is that with 2/3 management systems, the review meetings will stack up at the end of the year when there is probably less chance of them taking place.

    Answer: ISO management standards give organizations freedom to define how they can approach the management review (the standards only require the reviews to be performed at planned intervals and the inputs and outputs to be covered).

    Considering your situation, you should consider performing quarterly or semi-annual meetings, covering in each meeting all topics regarding data since the last meeting, or specific topics considering data since the last meeting where such topics were covered. The main point to consider is that between external audits you must ensure all topics required by the standards are covered.

    This approach will make it easier for you to schedule the management reviews on dates where they will have more chance of being performed.

    This article will provide you further explanation about management review:
    - Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
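The pseudonymization answer earlier on this page (the Article 29 Working Party techniques) contrasts a plain hash, a salted hash, a keyed hash and tokenization by how easily each can be replayed over a known input space. The following Python block is an added illustration of that comparison and is not code from the original post or from Advisera. It assumes a constructed four-digit identifier space standing in for a national ID number, a constructed salt stored with the dataset, a randomly generated controller key, and hypothetical function names (`replay_lookup`, `assess`, `tokenize`); it uses only the standard library.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed sample input space: four-digit "national ID numbers". A real identifier
# space is larger but, as the answer notes, still small enough to enumerate.
ID_SPACE = [f"{n:04d}" for n in range(10_000)]

# Constructed values: a salt stored alongside the data (so not secret) and a
# secret key that only the data controller holds.
PUBLIC_SALT = b"constructed-salt-stored-with-dataset"
CONTROLLER_KEY = secrets.token_bytes(32)


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 pseudonym: anyone who knows the input space can replay it."""
    return hashlib.sha256(value.encode()).hexdigest()


def salted_hash(value: str, salt: bytes) -> str:
    """Salted hash: defeats pre-computed tables, but once the salt is known the
    function is replayable over a small input space just like the plain hash."""
    return hashlib.sha256(salt + value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): replayable only by the holder of the secret key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def replay_lookup(pseudonym: str, func: Callable[[str], str]) -> Optional[str]:
    """Re-identification check a controller can run against its own pseudonymized
    column: replay `func` over the whole input space and report whether the
    pseudonym maps back to an input. Returns the input if it does, else None."""
    for candidate in ID_SPACE:
        if hmac.compare_digest(func(candidate), pseudonym):
            return candidate
    return None


# Tokenization: the pseudonym is a random value with no mathematical relation to the
# input; the only link is a correspondence table (the "vault"). Deleting the table
# leaves tokens that stay consistent with each other inside the dataset but can no
# longer be mapped back to the original attribute by anyone.
VAULT: Dict[str, str] = {}       # token -> original value
_REVERSE: Dict[str, str] = {}    # original value -> token (same input, same token)


def tokenize(value: str) -> str:
    if value not in _REVERSE:
        token = secrets.token_hex(16)
        VAULT[token] = value
        _REVERSE[value] = token
    return _REVERSE[value]


def detokenize(token: str) -> Optional[str]:
    return VAULT.get(token)


def delete_vault() -> None:
    """Simulates 'deletion of the correspondence table' from the answer."""
    VAULT.clear()
    _REVERSE.clear()


def assess(value: str = "0042") -> Dict[str, bool]:
    """Which techniques an enumerating party can reverse for the constructed
    input space, with and without the controller's key."""
    return {
        "plain_hash_reversible": replay_lookup(plain_hash(value), plain_hash) == value,
        "salted_hash_reversible_with_known_salt": replay_lookup(
            salted_hash(value, PUBLIC_SALT), lambda v: salted_hash(v, PUBLIC_SALT)) == value,
        "keyed_hash_reversible_without_key": replay_lookup(
            keyed_hash(value, CONTROLLER_KEY), lambda v: keyed_hash(v, b"guessed-key")) == value,
        "keyed_hash_replayable_by_key_holder": replay_lookup(
            keyed_hash(value, CONTROLLER_KEY), lambda v: keyed_hash(v, CONTROLLER_KEY)) == value,
    }


if __name__ == "__main__":
    for technique, reversible in assess().items():
        print(f"{technique}: {reversible}")
```

The `assess` function is the check a controller would run when deciding which technique matches the risk to the data subject: the plain and salted hashes of a small identifier space come back reversible, the keyed hash does not unless the key is available, and for tokenization the irreversibility depends entirely on what happens to the correspondence table.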