Infosec & Quality newsletter ENG (October 2024)

Index

01- Legislation: Cyber resilience act adopted

02- Standard: Status of ISO/IEC 270xx standards - October 2024

03- Standard: Status of ISO/IEC 270xx privacy standards - October 2024

04- Standard: ISO Survey 2023

05- Threats and Attacks: ENISA Threat Landscape 2024

06- Security measures: NIST, password changes and who is late to the news

07- Privacy: ISO/IEC 29100:2024 freely downloadable

08- Privacy: EDPB Guide on Legitimate Interest

09- Men Can Do Everything (October 2024)

******************************************************

01- Legislation: Cyber resilience act adopted

The Council of the European Union has adopted "a new law on cybersecurity requirements for products with digital elements with a view to ensuring that products, such as connected home cameras, fridges, TVs, and toys, are safe before they are placed on the market (cyber resilience act)": https://www.consilium.europa.eu/en/press/press-releases/2024/10/10/cyber-resilience-act-council-adopts-new-law-on-security-requirements-for-digital-products/.

We will have to wait for its publication in the Official Journal of the European Union to study it. The 3-year implementation period will start from that publication. However, I believe that we will also have to understand which technical standards, if any, will be available.

I thank the Project:IN Lawyers newsletter, where I found the news.

******************************************************

02- Standard: Status of ISO/IEC 270xx standards - October 2024

The week of September 30, the annual meeting of the ISO/IEC JTC 1 SC 27 WG 1, i.e. the group that deals with drafting the standards of the "ISO/IEC 27001 family", was held.

This time I did not participate because the meeting was remote, from 11 pm to 3 am. From the reports I summarized what happened to the standards I’m interested in:

  • ISO/IEC 27003, a guide to information security management systems (in essence, a guide to implement ISO/IEC 27001) remains in working draft status and therefore will be published in no less than 2 years; it must be said that the standard does not deal with information security controls and therefore the text based on ISO/IEC 27001:2013 is largely still valid for ISO/IEC 27001:2022;
  • for ISO/IEC 27004, on measurements for information security, official work has begun, starting with the working draft, and it is expected to be completed in 3 years; from the discussion held 6 months ago, no major changes seem to be expected, but anything can happen;
  • ISO/IEC 27017, with controls for cloud services, goes into DIS and should therefore be published in less than a year.

The next meeting will be held in person in the USA in March 2025, fortunately together with all the SC 27 WGs (including the privacy one I discuss elsewhere).

******************************************************

03- Standard: Status of ISO/IEC 270xx privacy standards - October 2024

The week of September 30, the annual meeting of the ISO/IEC JTC 1 SC 27 WG 5, i.e. the group that deals with drafting ISO privacy standards, including ISO/IEC 27701, was held.

I did not participate because the meeting was remote, from 11 pm to 3 am. From the reports I can summarize as follows for the standards I’m interested in:

  • ISO/IEC 27701, on privacy management systems, passes into FDIS and therefore should be published in about 6 months; I will go into it in more detail below;
  • ISO/IEC 27706, on the rules for certifying ISO/IEC 27701, passes into FDIS and therefore should be published in about 6 months; I think that the required audit days are too many and this will discourage too many organizations from adopting ISO/IEC 27701, but we will see;
  • ISO/IEC 27018, with privacy controls for cloud services offered by data processors, passes into FDIS and therefore should be published in about 6 months;
  • ISO/IEC 29151, on controls for data controllers, based on ISO/IEC 27002, passes into DIS and will be published in a year.

With regard to the future ISO/IEC 27701:

  • it will be a stand-alone standard and its implementation will no longer require ISO/IEC 27001;
  • unfortunately, it treats "privacy" and "information security" as separate things (introducing the concept of a "security programme"), as if the protection of the confidentiality, integrity and availability of personal data were not an integral part of "privacy";
  • it includes a list of technical controls (I don't know what else to call them) which is an inconsistent and incomplete selection of the ISO/IEC 27001 controls, chosen only because there were additional guidelines for their implementation in the previous ISO/IEC 27701; fundamental controls without additional implementation guidelines are therefore not included (e.g. the control of privileged users);
  • personally, I would have preferred to wait 2 more years (we are now used to implementing ISO/IEC 27701:2019 with ISO/IEC 27001:2022) rather than have this solution for the next 6 years or more.

Another topic of interest is that ISO/IEC JTC 1 wants to have a new "ad hoc group" (AHG 9) to deal with "consumer privacy". There will be two groups (SC 27 WG 5 and AHG 9) dealing with privacy, which is obviously absurd. We'll see what happens.

The next meeting will be held in person in the USA in March 2025, fortunately together with all the SC 27 WGs.

******************************************************

04- Standard: ISO Survey 2023

ISO Survey 2023, with the number of valid certificates to ISO management standards (including ISO 9001, ISO/IEC 27001, ISO/IEC 20000-1, ISO 22301, ISO 28000): https://www.iso.org/the-iso-survey.html.

Note that there are about 850 thousand ISO 9001 certificates in the world, while there are only about 50 thousand ISO/IEC 27001 certificates. A big difference (in my opinion, also due to the excessive number of audit days required by ISO/IEC 27006, but I have no evidence to support this).

******************************************************

05- Threats and Attacks: ENISA Threat Landscape 2024

European Union Agency for Cybersecurity (ENISA) Threat Landscape 2024: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024. IMHO, the most important part is at the end, where the suggested security measures are listed (from page 110).

******************************************************

06- Security measures: NIST, password changes and who is late to the news

Claudio Sartor pointed out to me a few articles about the "new" NIST and Microsoft rules for passwords. One article is by Bruce Schneier: https://www.schneier.com/blog/archives/2024/09/nist-recommends-some-common-sense-password-rules.html.

However: this is old news. NIST publications already said in 2017 that changing passwords periodically is not recommended, and Microsoft's guidance on this dates from at least 2019. I've written about both in the past.
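To make the difference concrete, here is an added example (not from the newsletter, nor from NIST or Microsoft) that evaluates the same credentials under a legacy policy, with composition rules and a 90-day forced rotation, and under a policy in the spirit of NIST SP 800-63B, which drops periodic expiry and composition rules in favour of a minimum length, a blocklist of common or breached passwords, and a change only when there is evidence of compromise. The blocklist, the reference date and the sample credentials are constructed for the demo; the function names and the exact rule thresholds are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for a breached/common-password blocklist. A real
# deployment would load a large corpus; this small set is an assumption.
BLOCKLIST = {"password", "p@ssw0rd1!", "welcome1", "qwerty123", "summer2024"}


@dataclass
class Credential:
    password: str
    last_changed: date  # date of the last password change


def legacy_policy(cred: Credential, today: date, max_age_days: int = 90) -> list[str]:
    """Pre-2017 style rules: character-class composition plus forced rotation.

    Returns the list of violations; an empty list means the password passes.
    """
    problems = []
    p = cred.password
    if len(p) < 8:
        problems.append("too short (min 8)")
    classes = sum([
        any(c.islower() for c in p),
        any(c.isupper() for c in p),
        any(c.isdigit() for c in p),
        any(not c.isalnum() for c in p),
    ])
    if classes < 3:
        problems.append("needs 3 of 4 character classes")
    if (today - cred.last_changed).days > max_age_days:
        problems.append(f"expired: older than {max_age_days} days, change required")
    return problems


def nist_style_policy(cred: Credential, today: date, compromised: bool = False,
                      blocklist: set[str] = BLOCKLIST) -> list[str]:
    """Rules in the spirit of NIST SP 800-63B: minimum length, blocklist
    screening, no composition rules, and a change only on evidence of
    compromise. Password age alone is never a violation, so `today` is unused
    here and kept only so both policies share a signature.
    """
    problems = []
    p = cred.password
    if len(p) < 8:
        problems.append("too short (min 8)")
    if p.lower() in blocklist:
        problems.append("appears in blocklist of common/breached passwords")
    if compromised:
        problems.append("change required: evidence of compromise")
    return problems


def evaluate(cred: Credential, today: date, compromised: bool = False) -> dict:
    """Run both policies on one credential so the outcomes can be compared."""
    return {
        "legacy": legacy_policy(cred, today),
        "nist": nist_style_policy(cred, today, compromised),
    }


if __name__ == "__main__":
    today = date(2024, 10, 15)  # constructed reference date
    # Constructed sample credentials: a recently rotated but predictable
    # password, and an old but long passphrase.
    rotated_weak = Credential("P@ssw0rd1!", date(2024, 10, 1))
    old_strong = Credential("correct horse battery staple", date(2023, 1, 1))
    for name, cred in [("rotated_weak", rotated_weak), ("old_strong", old_strong)]:
        print(name, evaluate(cred, today))
```

The legacy policy accepts the freshly rotated "P@ssw0rd1!" (all four character classes, changed two weeks ago) and rejects the long passphrase twice, once for composition and once for age; the NIST-style policy does the reverse, flagging the predictable password via the blocklist and leaving the passphrase alone until there is evidence of compromise. That inversion is the whole point of the 2017 change: forced rotation pushes users toward predictable patterns, while length and blocklist screening target what attackers actually guess.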

Am I better than some gurus? Not at all, and sometimes I become aware of news only after some time.

My idea is this: there is a lot of talk about innovation, about what security will be like in 10 or 15 years, about what strategies to take, but I think that those who deal with security do not have the task of innovating, but of following those who want to innovate. At most, we can use tools invented by others (artificial intelligence, quantum computing if it ever arrives, etc.).

We have chosen a subject that by its nature must follow (at most we can follow at a very short distance). Let's get over it.

And so, it is normal for gurus to be late with the news. I'm more worried about those who try to be too early with the news (like those who pestered us about GDPR and NIS2 before they were published, creating false alarms and, then, fatigue).

******************************************************

07- Privacy: ISO/IEC 29100:2024 freely downloadable

ISO/IEC 29100:2024 is freely available: https://standards.iso.org/ittf/PubliclyAvailableStandards/.

ISO/IEC 29100:2024 is entitled "Privacy framework" and contains ISO terminology for privacy standards, as well as principles and other useful guidance.

It is not a standard of requirements or guidelines, but it provides a basis for them; in fact, the controls of ISO/IEC 27701, ISO/IEC 27017, ISO/IEC 27018 and probably others are organized according to the principles specified by ISO/IEC 29100:2024.

******************************************************

08- Privacy: EDPB Guide on Legitimate Interest

Chiara Ponti reported the publication of the "Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR": https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2024/guidelines-12024-processing-personal-data-based_en.

I haven't studied it yet.

Just a side note: the next time they tell me that in Italy the laws are written in an incomprehensible way, I will point out the title of this publication, which does not help at all in understanding what it is about (while in its News section, kindly, the EDPB refers to them as "Guidelines on the processing of personal data based on legitimate interest").

******************************************************

09- Men Can Do Everything (October 2024)

When children go to primary school, parents must accompany them there and pick them up. In secondary school, parents can authorize them to go home on their own and breathe a sigh of relief...

... only to realize that the children return home at 2 pm very hungry. And so parents have to find some solutions, and the methods are numerous (cooking-on-the-fly).

When I can, I prefer to prepare something quick, and whenever I meet some parents or grandparents I ask if they have good recipes. So I thank Pietro's grandmother, who this summer explained to me how to make pesto (it is easy, but I didn't know how to do it).

Years ago I read the book "La cucina" (in Italian) by Imma Forino, because it tells us how men, traditionally, cook, but only when they can devote themselves to it like Pepe Carvalho. The situation changes when it becomes a daily and repetitive task. In fact, I find it very tiring when I ask some men for advice and they want to tell me how to make carbonara correctly (and with time available), or complicated dishes, or dishes with ingredients that are difficult to find, when I need quick and healthy solutions.

If anyone would like to give me suggestions, I thank them.

PS: I thank Pierfrancesco Maistrello, who has already sent me a good suggestion.

******************************************************

EONL
