regulations

Cybersecurity Compliance Frameworks

/ bugejajoseph / Leave a comment
Photo by Markus Winkler on Pexels.com

Cybersecurity is a top priority for businesses of all sizes. Cybersecurity compliance frameworks offer a structured approach to managing cybersecurity risks, improving overall security posture, and potentially meeting regulatory requirements.

Here is a summary of some of the most popular frameworks:

  • NIST Cybersecurity Framework (CSF): Developed by the National Institute of Standards and Technology (NIST), the NIST CSF is a voluntary framework that emphasizes six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. It provides a flexible and customizable approach that can be adapted to any organization’s specific needs. (https://www.nist.gov/cyberframework)
  • PCI DSS (Payment Card Industry Data Security Standard): This mandatory framework is enforced by the PCI Security Standards Council (PCI SSC) and applies to any organization that processes, stores or transmits cardholder data. It comprises a set of 12 core requirements, which are organized into six key control objectives. (https://www.pcisecuritystandards.org/)
  • HITRUST CSF (Health Information Trust Alliance Common Security Framework): Built on the NIST CSF foundation, HITRUST CSF specifically addresses the security needs of the healthcare industry. However, its applicability extends beyond healthcare. It incorporates HIPAA (Health Insurance Portability and Accountability Act) compliance requirements, making it a valuable tool for healthcare organizations. (https://hitrustalliance.net/hitrust-framework)
  • CIS Critical Security Controls (CIS Controls): Developed by the Center for Internet Security (CIS), CIS Controls are a prioritized set of actionable recommendations that address the most common cyber threats. Implementing these controls can significantly reduce risk and improve an organization’s overall security posture. (https://www.cisecurity.org/)
  • COBIT (Control Objectives for Information and Related Technology): This framework, developed by ISACA (Information Systems Audit and Control Association), focuses on aligning IT governance with business objectives. It provides a comprehensive framework for managing IT processes, ensuring alignment with strategic goals. (https://www.isaca.org/resources/cobit)
  • ISO 27001 (International Organization for Standardization): ISO 27001 is an internationally recognized standard that outlines the requirements for an Information Security Management System (ISMS). ISMS is a risk-based approach to managing an organization’s information security. Achieving ISO 27001 certification demonstrates that an organization has implemented best practices for information security and that its information assets are protected. (https://www.iso.org/standard/27001)

The best framework for your organization depends on several factors, including your industry, size, regulatory requirements, and security goals. Some organizations may benefit from implementing a single framework, while others may need to adopt a combination of frameworks to address their specific needs. By understanding and implementing a relevant cybersecurity compliance framework, your organization can significantly improve its security posture, reduce the risk of cyberattacks, and potentially achieve regulatory compliance.

EU Data Initiatives: Developments to Watch in 2024 and Beyond

/ bugejajoseph / Leave a comment

The European Union (EU) has been at the forefront of global efforts to protect privacy and personal data. Over the years, the EU has implemented several initiatives and regulations that aim to safeguard the privacy rights of its citizens. The International Association of Privacy Professionals (IAPP) has created a timeline of key dates for these EU regulations and initiatives, including those that are yet to be finalized.

Photo by freestocks.org on Pexels.com

Here are the key dates to watch out for the year 2024 and beyond:

  • February 17, 2024: The Digital Services Act (DSA), which aims to establish clear rules for online platforms and strengthen online consumer protection, will become applicable
  • Spring 2024: The AI Act is expected to be adopted
  • Mid-2024: The Data Act is expected to enter into force
  • October 18, 2024: The NIS2 directive will become applicable
  • January 17, 2025: The DORA regulation will become applicable

In conclusion, the EU’s data initiatives are set to undergo significant changes in the coming years with the implementation of regulations like the DSA, AI Act, Data Act, NIS2 directive, and DORA regulation. These initiatives aim to establish clear rules for online platforms, strengthen online consumer protection, facilitate data sharing, and more. It is crucial for organizations, including individuals, to stay up-to-date with these key dates to ensure compliance with the new regulations and to take advantage of the opportunities they present.

For a more detailed overview of the EU’s data initiatives and their key dates, check out the infographic created by the IAPP here.

The FTC wants to crack down on mass surveillance 

/ bugejajoseph / Leave a comment

The practice of gathering, analyzing, and profiting from data about individuals is known as commercial surveillance. Due to the volume of data gathered by some companies, individuals may be vulnerable to identity theft and hacking. Indeed, the dangers and stakes of errors, deception, manipulation, and other abuses have increased as a result of mass surveillance. The Federal Trade Commission (FTC) is seeking input from the general public on whether additional regulations are necessary to safeguard individuals’ privacy and personal data in the commercial surveillance economy.

Photo by Lianhao Qu on Unsplash.

I advise you to attend the open forum on September 8, 2022, particularly if you are a researcher focusing on the topic of privacy and security. Also, if you are developing your own system or perhaps planning your next research project, I highly recommend you look at some of the topics identified by the FTC as these are likely to affect the design of your project. Here are the topics mentioned: “Harms to Consumers”, “Harms to Children”, “Costs and Benefits”, “Regulations”, “Automated Systems”, “Discrimination”, “Consumer Consent”, “Notice, Transparency, and Disclosure”, “Remedies”, and “Obsolescence”. Pay particular attention to the topic “Automated Systems” if your system uses AI/ML technologies.

More information can be found here: https://www.ftc.gov/legal-library/browse/federal-register-notices/commercial-surveillance-data-security-rulemaking and https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-explores-rules-cracking-down-commercial-surveillance-lax-data-security-practices

Panel Discussion on the topic of Designing IoT Systems

/ bugejajoseph / Leave a comment

I was invited to participate in a panel discussion at Malmö University on Friday, April 8th. The topic of “Designing IoT Systems” was the one I was asked to speak about. There were representatives from Sony and Sigma Connectivity in the panel with me. Concerns about trustworthiness were a major topic of discussion during the session. 

Safety, security, privacy, reliability, and resilience tend to be identified by several researchers as the main trustworthiness concerns in the IoT domain. These concerns are there to ensure that systems function as intended in a variety of situations.

According to several academics, the most challenging aspects of designing trustworthy IoT systems are achieving privacy and security. From applications to devices, each layer of the Internet of Things has its own set of security risks and potential attacks. From a research perspective, a hot topic is that of building energy-efficient security, along with scalable and dynamic security architectures. Preserving data privacy in the IoT, on the other hand, is also particularly challenging. Existing IoT privacy mechanisms are often built for single services, and not necessarily for interdependent, dynamic, and heterogeneous services. Building new privacy preservation techniques for interdependent services is a hot topic, as is federated learning when it comes to data privacy.

Panel discussion on the topic of “Designing IoT Systems”

Finally, there are a number of standards that pertain to trustworthiness. ISO/IEC 30147 “Integration of trustworthiness in IoT lifecycle processes” and ISO/IEC 30149 “IoT trustworthiness principles” are two ISO/IEC standards.

If you want to collaborate with me or learn more about a specific topic that is related to my research topics, please send me an email.

Initiatives being brewed by governments to strengthen the IoT privacy and security

/ bugejajoseph / Leave a comment

Last week, I have been asked by several news reporters what can be done to have more secure and privacy-preserving smart home technologies. In this post, I focus on some of the more recent and upcoming regulations and initiatives that are affecting, and likely to affect it more in the future, the IoT world. Purposely, I exclude the EU GDPR  and its US counterpart the CCPA, as I will talk about those in a separate post.

  • The EU ePrivacy Regulation. This  EU regulation aims to ensure privacy in all electronic communications – including instant messaging apps and VoIP platforms, and machine-to-machine communications such as the IoT. Also, it carries an identical penalty regime for non-compliance as the GDPR.
  • The EU Cybersecurity Act. This establishes an EU-wide cybersecurity certification framework for digital products, services, and processes. This includes the IoT, cloud infrastructure and services, threat intelligence in the financial sector, electronic health records in healthcare, and qualified trust services.
  • The IoT Cybersecurity Improvement Act of 2020. This new US law establishes minimum security requirements for IoT devices owned or controlled by the federal government. Specifically, it requires any IoT devices purchased by the federal government to comply with the NIST standards and guidelines.

In the future, I will talk about some of the standards and best practice frameworks that can help organizations develop secure and privacy-preserving IoT technologies. Also, I will suggest some guidelines that consumers can adopt to secure their home devices.