Black Hat Sessions 2018 - Management session: Security Compliance & Certification by Miranda Chilvers, Petr and Dirk Jan
What is the best method to measure the security of your software? How do you benchmark the security of your organization? This all depends on clear frameworks, guidelines and standards.
In addition to the keynotes we offered during the Black Hat Sessions 2018, a large number of lectures were given by prominent Dutch and international speakers in multiple technical and non-technical tracks. In the following paragraphs, you can read a brief report by Nick Wijnbeld, intern at Secura, about the Security Compliance & Certification session. During this session, new developments and three examples of standards were discussed: the EBA recommendations on cloud, the BSPA scheme and the work of ECSO on the EU Cybersecurity Act.
Guideline for Cloud Service Providers by EBA
Miranda Chilvers, Supervisor Operational Risk at De Nederlandsche Bank (DNB), started with a presentation about the Guideline for Cloud Service Providers by the European Banking Authority (EBA).
The EBA is an independent EU authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector. More and more financial institutions use the cloud, but according to the Dutch Central Bank this use is not regulated. That is why the DNB has drawn up a guideline in cooperation with the EU. The EBA Recommendations clarify the EU-wide supervisory expectations for institutions that intend to adopt cloud computing, so as to allow them to leverage the benefits of using cloud services while ensuring that any related risks are adequately identified and managed.
Outline of the EBA Recommendations on cloud (1-7-2018). Source: https://www.blackhatsessions.com/presentaties/2018/BHS%202018%20-%20Security%20Compliance%20%20Certification.pdf
Baseline Security Product Assessment (BSPA) Scheme
In addition, Petr, developer of the BSPA scheme at the AIVD, presented the Baseline Security Product Assessment (BSPA) from the AIVD. The AIVD tests and certifies products; however, it cannot test everything. Therefore, there is a need to set up standards that allow organizations to certify their own products. The Baseline Security Product Assessment is such a standard: a lightweight test against which a product can be assessed in a short period of time.
Dirk Jan van den Heuvel, Managing Director at Secura, ended this management stream with the EU Cyber Security Act, a future EU law to certify products and to better inform users. According to Dirk Jan, the wish is to set up a meta scheme like the one for energy efficiency labels. Products need an indication of their respective security level. It is very useful to build on a system that has already been approved. Whether this is feasible is not yet known; the most important thing is that a standard is available that the user can rely on.
At the moment, the European Cyber Security Organisation (ECSO) is looking at the Cyber Security Act. The ECSO is a collaboration between 150 organizations, including Secura and the EU, and it advises the EU on the Cybersecurity Act. The EU Cybersecurity Act is expected by the end of 2018 to arrange a stronger mandate for ENISA and to allow an EU Cybersecurity Certification Framework to be developed.
At Secura we expect that, in the future, cyber security will be governed more by standards, compliance frameworks and certification in order to:
- Provide guidance and direction in a fast-changing landscape
- Communicate and prove the security and quality level
- Provide common ground
- Provide market access
- Improve the level of confidence in security