Roberto Reale - Governing Information Security

1. Governing Information
Security
ROBERTO REALE, INNOVATION MANAGER
03/12/2019

2. Cyberspace
 “… a consensual hallucination
experienced daily by billions of
legitimate operators, in every nation,
by children being taught
mathematical concepts... A graphic
representation of data abstracted
from the banks of every computer in
the human system. Unthinkable
complexity. Lines of light ranged in
the non-space of the mind, clusters
and constellations of data. Like city
lights, receding” (Gibson, 1966)

3. Domains of Cybersecurity

4. Strategic Model for the Italian Public
Sector
“security comprises activities for the
regulation and governing of cybersecurity
in the PA for assessment testing and
CERT-PA as an operative tool by which to
support the adoption of correct security
levels at the Public Administration. All
other aspects are also identified as come
together to make the IT systems secure
and reliable, as well as guidance and
correlated instruments for compliance in
respect of privacy” (2019 - 2021 Three-
Year Plan)

5. Areas covered by Standardisation
 Security feature provision — Sector/technology specific security features
 Security assurance — Common Criteria initiative (ISO 15408)
 Security threat sharing — CSIRTs (Computer Security Incident Response
Teams) STIX/TAXII, CyBox, MISPs (Malware information Sharing Platform)
 Organisational management for secure operations — ISO/IEC 27001

6. Strategic Focus Areas
 Infrastructures and Centres — Secure
the national internet network and data
centres of the PA
 Enabling actions — Protection of critical
national applications, national threat
repository, system-wide risk
management
 Enabling Technologies — Encryption,
blockchain, biometric, and quantum
technologies
 Technologies to Protect — Industry 4.0,
IoT, industrial control systems, and
robots
 Horizontal Actions —Training,
awareness and certification projects

7. EU Strategy
 Cybersecurity requirements for Operators of Essential Services (OES –
essentially critical infrastructure companies) and digital service providers (DSPs)
 Certification framework for digital products, services, and processes
 The EU Cybersecurity Act made the European Network and Information
Security Agency (ENISA) a permanent government agency and significantly
expanded its role and responsibilities with respect to cybersecurity
 Cybersecurity as a “high priority” field: the proposed cybersecurity budget for
2021-27 include €2 billion to fund “safeguarding the EU's digital economy,
society and democracies through polling expertise, boosting EU's cybersecurity
industry, financing state-of-the-art cybersecurity equipment and infrastructure”

8. ENISA Guidelines
 Technical Guidelines for the implementation of minimum security
measures for Digital Service Providers
 Mapping of OES [Operators of Essential Services] Security Requirements to
Specific Sectors
 Good practices on interdependencies between OES and DSPs
 Guidelines on assessing DSPs and OES compliance to the NISD security
requirements

9. NIS Cooperation Group Guidelines
 Reference document on the identification of Operators of Essential Services
 Reference document on security measures for Operators of Essential Services
 Reference document on Incident Notification for Operators of Essential
Services
 Compendium on cyber security of election technology
 Guidelines on notification of Operators of Essential Services incidents
 Guidelines on notification of Digital Service Providers incidents
 Cybersecurity Incident Taxonomy
 Guidelines for the Member States on voluntary information exchange on cross-
border dependencies
 Risk assessment of 5G networks

10. DevSecOps
 Security as Code
 Automation
 Everyone is responsible
 Security added to all business processes (no silos)
 Consumable Security Services (API)
 Open Contribution & Collaboration
 Nation-wide DevSecOps

11. roberto@reale.me