moved scratch file folder

This commit is contained in:
Richard Kranendonk 2026-06-01 20:11:34 +02:00
parent b415f1110c
commit 5edd29361f
18 changed files with 22 additions and 26 deletions

View file

@ -0,0 +1,6 @@
# Data classification: how to make labels stick?
Data travels; how to make labels stick?
Links to the [Privacy in ISO 27001](../../../Corpus/Standards/ISO27x/Privacy%20in%20ISO%2027001.md) issue of [Data Provenance](../../../Corpus/Standards/AVG/Data%20Provenance.md) .
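Review bot: the second line, `Data travels; how to make labels stick?`, repeats the heading almost verbatim and leaves the note with no content beyond the question itself; either expand it with what "making labels stick" would require (which protective measures travel with the data when it leaves its origin system) or drop the duplicate line. The link sentence `Links to the [Privacy in ISO 27001] issue of [Data Provenance] .` also reads as if "Data Provenance" were a periodical of which "Privacy in ISO 27001" is an issue; if the intent is that both notes are related to this one, say so plainly, and remove the stray space before the full stop.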

View file

@ -0,0 +1,9 @@
# Example of ISO 27001 mystique
ISO 27001 is a framework, and you cannot successfully implement it by treating the text of the standard as a series of instructions to be followed in the order in which they were printed. If you try that, things will become very confusing very quickly.
For example, the requirement of having an information security policy is first (?) mentioned in [Chapter 5.1](../../Corpus/MoCs/ISO_27001_2022_5.1_MoC%20Leadership%20and%20commitment.md), "Leadership and commitment", where it says that top management must have it established, *together* with information security objectives. Then in [Chapter 5.2](../../../Corpus/Standards/ISO27x/OST/27001/EN/c-5.2-Policy.md), 'Policy', it states that these objectives form *part of* the information security policy, referencing forward to [Chapter 6.2](../../Corpus/MoCs/ISO_27001_2022_6.2_MoC%20Information%20security%20objectives%20and%20planning%20to%20achieve%20them.md), "Information security objectives and planning to achieve them", which demands that organizations should set objectives consistent with the policy. Of course there's also a corresponding Control called "Policies for information security" ([5.1](../../../Corpus/Standards/ISO27x/legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md)), which explains that there will be an information security policy at the highest level of the organization, including objectives "or the framework for setting objectives", and further "topic-specific policies as needed", which of course need their own objectives.
Programmers may love this kind of recursiveness when it's in coding exercises.
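Review bot: the four links in this note use two different relative depths: Chapter 5.1 and Chapter 6.2 point to `../../Corpus/MoCs/...` while Chapter 5.2 and Control 5.1 point to `../../../Corpus/Standards/...`; since this commit moves the scratch folder, only one of those depths can resolve from the new location, so check both against the new path and fix the set that now breaks. The `(?)` after `is first` leaves an unresolved doubt in the text; either confirm that 5.1 is the first mention and drop the marker, or rephrase as `is mentioned in`. Quoting also alternates between "Leadership and commitment" and 'Policy'; pick one style.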

View file

@ -0,0 +1,16 @@
This note relates to the [ISO27DIY Business model](../../../Corpus/Standards/ISO27x/legacy/iso27DIY%20mk%20I/ISO27DIY%20Business%20model.md)
Probleem: de GRC software wordt aangekocht om een operationeel probleem van de compliance officer op te lossen.
De software komt meestal pas later (en wordt pas gevuld als de kennis van wat ISO is en van het proces er al is, als het jargon al is ingesleten)
Eerst komt de consultant uitleggen hoe ISO werkt en wordt hulp geboden bij Wat je Waar moet documenteren, en Hoe (denk aan de risico-identificatie en de stakeholder-analyse: wat is een in-scope risico, hoe verwoordt je het precies. Wat is een stakeholder, wat is zijn in-scope belang, etc.).
Dan ontstaat de documentatie, meestal in Excel en Word documenten.
Dan de realisering dat het onhandig is en niet schaalt.
Dan wordt software geselecteerd en geïmplementeerd.
Pas dan wordt de software daadwerkelijk gebruikt, en meestal door een deskundige staffunctionaris.
Inmiddels staat het dan zover af van de dagelijkse praktijk op de werkvloer, dat de heilige graal van security by design en in de haarvaten van de organisatie, niet gehaald kan worden.
Voor iedere (interne) audit is extra effort nodig om te graven in de operationele documentatie om de audit documentatie naar boven te krijgen.
Wat nu als je de documentatie kun genereren op het moment dat relevante feiten (identificatie en weging van risicos, keuze van maatregelen, bewaken van de implementatie, monitoren van de resultaten en bijsturen) plaatsvinden? Door ze voorafgaand aan een SCRUM, Team- of afdelingsoverleg of ontwerpmeeting te agenderen, en ze in de notulen te marken? Door operationele reports en logs te koppelen naar de ISO-administratie?
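Review bot: this file has no `#` heading, unlike the other notes in this commit, and its first line (`This note relates to the [ISO27DIY Business model](...)`) is in English while the rest is Dutch; add a heading that names the topic (GRC tooling arriving after the documentation already exists) and keep the body in one language. Typos in the Dutch: `Wat nu als je de documentatie kun genereren` should read `kunt genereren`, `hoe verwoordt je het precies` should be `verwoord je`, and `risicos` should be `risico's`. The closing questions (generate the ISO administration from meeting minutes and operational logs at the moment the facts occur) are the actual idea of the note; consider moving them up so the heading and first paragraph state the proposal rather than only the problem.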

View file

@ -0,0 +1,10 @@
# Hoe dwing je verantwoordelijkheid af?
Een universiteit biedt onderzoeksafdelingen de mogelijkheid om vrijelijk hun applicaties en databases op te tuigen binnen hun eigen Kubernetes containers. Daarbij zijn ze zelf verantwoordelijk voor de informatiebeveiliging daarvan.
Het is vervolgens aan de IT afdeling om de containers te deployen. Daarbij ontdekken ze dat veel containers / applicaties / databases onveilig geconfigureerd zijn, oude versies van software met bekende kwetsbaarheden herbergen, etc.
Mijn stelling is dat er voor het succesvolle delegeren van de verantwoordelijk voor informatiebeveiliging in ieder geval nodig is: een prikkel om het ook goed te doen (bijv. niet in beheer nemen, kosten in rekening brengen, kwaliteit van de beveiliging als KPI van de afdeling), en kennis en resources het uit te voeren (of financiele middelen om het te laten doen).
Is er literatuur beschikbaar over deze kwestie? Zijn er andere succesvoorwaarden bekend?
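Review bot: in the third paragraph, `delegeren van de verantwoordelijk voor informatiebeveiliging` is missing the noun ending (`verantwoordelijkheid`), `kennis en resources het uit te voeren` is missing `om` (`kennis en resources om het uit te voeren`), and `financiele` needs its diaeresis (`financiële`). On the argument: the example already shows the IT department discovering insecure configurations and outdated software at deploy time, which implies a third success condition the list does not name, namely a check the delegated party cannot bypass (the deploy step itself acting as a gate); since the last line asks for other success conditions, it is worth stating that one explicitly from the example.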

View file

@ -0,0 +1,290 @@
# Least privilege, need-to-know: principles vs practice
*Hypothesis: security frameworks promote least privilege and need-to-know for access control, while common dataclassification schemes and realworld practices frequently result in minimal or inconsistent protective measures until incidents or regulations force stricter controls.*
What is least privilege, need-to-know. and why is it important?
- The least privilege principle us defined as giving users only the access they need to perform their job, explicitly to reduce attack surface and limit damage if accounts are compromised.
- Excessive permissions and broad access are repeatedly identified as drivers of breaches in cloud environments, where overprivileged accounts magnify the blast radius of attacks, underscoring how leastprivilege is supposed to be a maximally conservative control principle, not a minimal one.
- Security organizations and vendors explicitly promote leastprivilege and needtoknow as foundational, proactive principles to minimize risk.
- Because of costeffective management, scalability, and operational efficiency, organizations choose to reserve stronger measures for only the highest sensitivity classes, and apply only baseline controls to the classes.
- Implementations often rely on subjective, userdriven decisions about how to classify information, which is acknowledged as inconsistent and prone to human error; this can lead to sensitive data being misclassified and not receiving appropriate protection until problems are discovered.
- Cloudsecurity analyses highlight misconfigurations and overly permissive identity and access management as primary causes of data breaches, showing that data is frequently more exposed than its intended classification or policy would suggest, especially when default or “internal” classifications are used with weak enforcement.
- Studies and policy critiques of government secrecy note pervasive overclassification of documents, which paradoxically strains controls and leads to mishandling and inconsistent protection because staff cannot realistically maintain highgrade measures for everything labeled sensitive.
- This dynamic supports the idea that classification is often used in a coarse, administrative way, with either overbroad “classified” labels or broad “internal/public” buckets, and the actual security measures tend to converge on what is minimally workable in practice rather than what the maxim of least privilege would prescribe.
- dataclassification guidance and breach analyses show that: lower classes are defined to warrant minimal controls, classification is inconsistently applied, and misconfigurations and overprivileged access remain dominant breach causes—together indicating that classification outcomes often default to minimal measures unless regulatory or incident pressure requires more.
*Hypothesis: the least privilege tends to be implemented more rigorously and systematically for technical/admin roles than for access to business information.*
- Modern Privileged Access Management (PAM) practices are explicitly built around leastprivilege: discover all privileged accounts, strip rights down to the minimum, enforce justintime elevation, and avoid privilege creep.
- Vendors and bestpractice guides describe mature patterns such as timebound admin elevation, granular rolebased admin roles, session recording, and centralized approval workflows, which directly optimize and monitor admin rights rather than leaving them broadly assigned.
## Persistent overprivilege for business data
- Datacentric security and DSPM literature repeatedly stresses that overprivileged access to business data (files, SaaS content, analytics datasets) is widespread, with the majority of granted permissions unused and many of them highrisk.[2]
- Case studies for SaaS data protection highlight “internal overexposure” as a primary issue: collaborative tools make it easy to share information widely, while security teams lack visibility to enforce “need to know” on everyday business documents, HR data, and customer information.[4][2]
## Indicators that least privilege is better enforced on IT/admin side
- PAM guidance calls least privilege “fundamental” and prescribes concrete control patterns (rolebased admin levels, justintime access, automatic revocation, monitoring) that are often implemented as dedicated tools and processes for admin accounts.[6][1][3]
- Insiderthreat and privilegerisk reports emphasize reducing privileged admin accounts and entitlement sprawl as key riskreduction goals, showing sustained focus and investment in tightening admin rights, especially in directories and infrastructure platforms.[7][8][9]
## Business information access lagging behind
- In contrast, protection of business information often reacts to discovered overexposure: organizations deploy DSPM or SaaS accessgovernance tools *because* they find that users can access far more data than they need, not because leastprivilege was consistently applied from the outset.[2][4]
- Guidance notes that collaboration platforms “lack capabilities” for teams to “properly protect” sensitive content, forcing retroactive cleanup of oversharing rather than proactive definition and enforcement of narrow, needtoknow scopes.[4]
## Overall pattern
- For admin/IT privileges, least privilege is operationalized via specialized tooling, distinct lifecycle processes, and strong monitoring, so the principle is closer to how it is stated in theory.[1][3][5][6]
- For access to business information, evidence of entitlement sprawl, unused permissions, and internal overexposure indicates that the effective norm is still broad access with minimal restriction, with least privilege applied selectively or after issues surface.[8][7][2][4]
Sources
[1] 10 Steps to Successful Privileged Access Management https://gotyto.com/thought-leadership/10-steps-to-successful-privileged-access-management/
[2] How DSPM Prevents Data Exposure from Overprivileged ... https://www.zscaler.com/blogs/product-insights/how-dspm-helps-prevent-data-exposure-overprivileged-access
[3] Privileged access management: Best practices, ... https://heimdalsecurity.com/blog/privileged-access-management-best-practices-implementation-and-tools/
[4] Data Access Controls for SaaS | Case Study: Vox Media https://www.docontrol.io/case-studies/vox-media
[5] PAM Lifecycle: In-depth Guide to Managing Privileged ... https://www.securden.com/blog/pam-lifecycle.html
[6] What is the Principle of Least Privilege? https://www.wallix.com/blogpost/what-is-the-principle-of-least-privilege-and-how-do-you-implement-it-2/
[7] The Business Risks of Excessive Privileged Access in ... https://www.lepide.com/blog/risks-of-excessive-privileged-access-in-active-directory/
[8] Insider Attacks Climb Sharply in 2024 Data Report https://www.cybersecurity-insiders.com/2024-insider-threat-report/
[9] 2024 Insider Threat Report: Key Risks and Cybersecurity ... https://cyberstrategyinstitute.com/2024-insider-threat-report-key-risks-and-cybersecurity-insights/
[10] How common is overly strict access to data in your org. https://www.reddit.com/r/datascience/comments/19aedoc/how_common_is_overly_strict_access_to_data_in/
# Google Gemini 1
*Hypothesis: “In cybersecurity we have the maxim least privilege, need to know, which translates as granting people the minimum of access rights needed for their job. Yet with data classification the result is often the minimum of measures, unless absolutely necessary”. Find supporting evidence for this claim.*
This hypothesis touches on a fundamental tension in cybersecurity: **Access Control** (which is restrictive by nature) versus **Data Classification** (which is often seen as an administrative burden).
While the principle of "Least Privilege" is a technical cornerstone enforced by systems, "Data Classification" relies heavily on human behavior and business costs, often leading to a "minimum viable effort" approach.
---
## 1. The Enforcement Gap
The primary reason for this discrepancy is how these two concepts are implemented.
- **Least Privilege (Restrictive):** This is often hard-coded into Identity and Access Management (IAM) systems. It is "fail-secure," meaning if you don't have the permission, you simply cannot perform the action.
- **Data Classification (Permissive):** Classification is often manual or semi-automated. Because over-classifying data (e.g., marking everything "Top Secret") creates massive operational friction and storage costs, organizations default to the lowest classification level unless a specific regulatory trigger (like PCI-DSS or GDPR) forces their hand.
## 2. Supporting Evidence for "Minimum Measures"
### The "Default to Public" Bias
Studies in organizational behavior suggest that employees view classification as a secondary task. According to various industry reports (such as the _Verizon Data Breach Investigations Report_), a significant portion of data breaches occur because sensitive data was stored in an unclassified or "General" folder. Organizations often apply the **minimum measure** of "Internal Use Only" to avoid the rigorous encryption and audit requirements of "Restricted" or "Confidential" tiers.
### Cost and Complexity of Controls
Data classification isn't just a label; its a commitment to a set of controls.
- **Storage Costs:** Highly classified data often requires expensive, redundant, and encrypted storage.
- Usability: Measures like Digital Rights Management (DRM) or strict Data Loss Prevention (DLP) rules can break workflows.
To maintain productivity, leadership often signs off on the "minimum necessary" classification to keep the business moving, effectively prioritizing availability over confidentiality.
### Compliance-Driven Security (The "Checklist" Mentality)
Many organizations treat data classification as a compliance checkbox rather than a security strategy.
- **Evidence:** In frameworks like ISO 27001, organizations are required to define classification levels. However, they often define them so broadly that the vast majority of data falls into a category with minimal protection.
- **The Result:** If a regulation doesn't specifically demand a measure (like per-file encryption), it is rarely implemented.
---
## 3. Comparing the Two Mindsets
|**Feature**|**Least Privilege (Access)**|**Data Classification (Protection)**|
|---|---|---|
|**Primary Goal**|Minimize the attack surface.|Categorize for handling.|
|**Default State**|Deny All.|Open/General (often).|
|**Friction Level**|High (but expected).|High (and often resisted).|
|**Implementation**|Technical/Automated.|Policy/Behavioral.|
---
## Summary of the Tension
The maxim "Least Privilege" is a **shield**, while Data Classification is often treated as a **filing system**. Because the latter requires constant manual effort and incurs operational costs, the "minimum of measures" becomes the path of least resistance. This creates a "security debt" where access is tight, but the data itself is poorly protected once an authorized user (or a compromised account) handles it.
# Google Gemini 2
Yes, your observation is supported by a significant "implementation gap" in modern cybersecurity. In short: **IT resources are protected by a "Shield" (Hard Enforcement), while Business Information is protected by a "Policy" (Soft Enforcement).**
The evidence for why "least privilege" is better implemented for IT admins compared to business data access boils down to three core drivers:
---
## 1. Technical Tooling: The PAM vs. Governance Gap
The industry has developed highly mature, automated tools for IT administration that do not yet have a seamless equivalent for everyday business data.
- **For IT Admins:** Tools like **Privileged Access Management (PAM)** (e.g., CyberArk, BeyondTrust) enable **Just-in-Time (JIT)** access. An IT admin has zero standing privileges; they must request "Domain Admin" rights for a specific window (e.g., 2 hours). Once the task is done, the system automatically strips the rights.
- **For Business Users:** Access to "Financial Projections" or "HR Records" usually relies on **Identity Governance and Administration (IGA)**. These are often static. Once a user is added to a "Finance" group, they stay there until a manual (and often "rubber-stamped") quarterly review happens. There is rarely a JIT system for reading a spreadsheet.
## 2. Risk Clarity: "Systemic" vs. "Incremental" Damage
Cybersecurity teams prioritize what they can clearly quantify.
- **IT Infrastructure (Systemic Risk):** A compromised admin account is an "extinction-level event" (e.g., ransomware deployment across the entire network). Because the **Blast Radius** is so high, management is willing to accept the friction of least privilege.
- **Business Data (Incremental Risk):** The theft of a single client list is damaging but rarely crashes the company's entire infrastructure. Because the damage feels "contained," organizations are less willing to slow down business operations with strict access hurdles.
## 3. The "Productivity Tax" and Culture
IT staff are culturally conditioned to work within restrictive environments (using "Service Accounts" or "Sudo"). Business users, however, often view security hurdles as an impediment to their primary job.
- **The Help Desk Effect:** Research shows that when IT restricts a business users access to a folder they _might_ need, the user calls the Help Desk immediately. To reduce ticket volume, Help Desks often default to "over-provisioning"—granting broader access than necessary just to ensure the user doesn't call back.
- **Admin Consistency:** IT admins are few in number and their roles are clearly defined (Network Admin, Database Admin). Business roles are fluid and "cross-functional," making it technically difficult to define what "least privilege" even looks like for a Marketing Manager who also assists with Product and Sales.
---
### Comparison Summary: The Implementation Gap
|**Feature**|**IT Admin Privileges**|**Business Data Access**|
|---|---|---|
|**Control Model**|**Zero Standing Privilege** (ZSP)|**Persistent Access** (Group-based)|
|**Enforcement**|Automated/Technical|Manual/Policy-based|
|**Auditability**|High (Session recording common)|Low (Hard to see who read what)|
|**Implementation**|**Mature** (PAM is a standard)|**Emerging** (Data Governance is often messy)|
---
## Conclusion
Your hypothesis is correct: "Least privilege" is a technical reality for IT admins because we have the tools to automate it. For business data, it remains an aspirational goal because it requires human judgment and manual classification—both of which naturally trend toward the "minimum of measures" to keep the business moving.
**Would you like me to look into "Zero Trust Data Access" (ZTDA) technologies, which are the industry's attempt to bring IT-level strictness to business document access?**
---
Hypothesis: *Can we also see the least privilege principle being better implemented when it comes to various levels of admin privileges for IT resources, vs access to business information?*
---
Yes, there is significant evidence that the **Least Privilege** principle is much more rigorously applied to **IT infrastructure and admin rights** than to **business data**.
The reason for this "implementation gap" is the difference between technical governance (managing _systems_) and cultural governance (managing _information_).
---
## 1. Technical Enforcement vs. Behavioral Expectation
IT resources are managed through **Privileged Access Management (PAM)** and **Identity & Access Management (IAM)** tools. These systems allow for "hard" enforcement.
- **IT Infrastructure (The Admin Level):** Removing "Local Admin" rights from laptops or "Domain Admin" from IT staff is a common, measurable goal. Tools can automatically rotate passwords and provide **Just-in-Time (JIT)** access. If an admin needs to change a server setting, they request access for one hour, and it is automatically revoked.
- **Business Information (The Data Level):** Access to "Financial Reports" or "Project Strategy" is much "fuzzier." Because business roles are fluid, managers often grant broad access ("Just give them access to the whole folder") to avoid slowing down work. There is rarely a JIT system for "reading a PDF."
---
## 2. The "Blast Radius" Metric
Security teams prioritize IT admin rights because the **Blast Radius** is objective and catastrophic.
- **IT Admin:** A compromised "Superuser" can take down the entire network, install ransomware globally, or delete backups. The risk is **Systemic**.
- **Business Data:** A compromised "Sales Manager" can steal customer lists. While damaging, it is rarely "existential" for the IT infrastructure. Therefore, companies invest heavily in PAM tools for admins while leaving business data in broad, "Internal Use Only" buckets.
### Comparison: Admin vs. Business Data
|**Feature**|**IT Admin Privileges**|**Business Information Access**|
|---|---|---|
|**Control Tool**|PAM (e.g., CyberArk, BeyondTrust)|Shared Drives, SharePoint, Teams|
|**Enforcement**|Hard (Access is blocked by default)|Soft (Access is often granted by peers/managers)|
|**Audit Frequency**|High (Often daily/weekly)|Low (Quarterly "Access Reviews" often rubber-stamped)|
|**Philosophy**|**Least Privilege** (Zero by default)|**Need to Know** (Often "Assume they need it")|
---
## 3. The "Rubber Stamp" Phenomenon
Evidence for your claim can be found in User Access Reviews (UAR).
In technical environments, engineers are used to justified access requests. However, in business departments, access reviews are often seen as an administrative chore.
> **Research Insight:** Studies show that business managers have a high rate of "Access Creep." When asked to review who has access to a folder, they often approve everyone "just in case" to avoid interrupting someone's work. In contrast, IT departments use automated scripts to prune unused admin accounts because an unused admin account is a massive, clear liability.
---
## 4. Supporting Your Claim
Your original hypothesis is supported by the fact that **Data Classification** (the "minimum measures" problem) is the weakest link. Even if an IT admin has "Least Privilege" over the server, if the data on that server is classified as "General" when it should be "Restricted," the technical controls on the admin are irrelevant—the data is already under-protected.
---
*Do we see a difference between implementation of access restrictions between document storage and SaaS solutions?*
---
There is a profound difference between the two, primarily driven by a shift from **"Centralized Governance"** to **"User-Led Decentralization."**
While traditional document storage often feels like a "Fortress," SaaS solutions frequently resemble a "Wild West." This shift reinforces your hypothesis: when the burden of security moves from the system (IT) to the user (Business), the "minimum of measures" usually wins.
---
## 1. Document Storage: The "Fortress" Model
In traditional environments (On-premise file shares, SharePoint), access is managed via **Hierarchical Permissions**.
- **Implementation:** IT or "Data Owners" set permissions at the folder level. These are often static and reviewed during annual audits.
- **The Least Privilege Reality:** It is easier to enforce here because the structure is rigid. If you aren't in the "Finance" group, you can't enter the "Finance" folder.
- **The Classification Fail:** Even in this rigid system, your "minimum measures" claim holds true: people often dump sensitive files into "General" folders simply because they don't want to deal with the permission request process to get into a restricted one.
## 2. SaaS Solutions: The "Liquid" Model
SaaS (Google Drive, Slack, Salesforce, Figma) introduces **Object-Level Sharing**, which shatters the traditional perimeter.
- **The "Link-Sharing" Trap:** SaaS thrives on speed. Most SaaS apps allow users to "Share with anyone with the link."1 This is the ultimate "minimum measure"—it bypasses least privilege entirely to ensure productivity isn't hindered.
- **SaaS Sprawl:** Because SaaS is decentralized, IT often loses visibility.2 Research indicates that up to **90% of SaaS applications in an enterprise are unmanaged** (Shadow IT).3 In these cases, there is _no_ least privilege; there is only "User Discretion."
- **Identity vs. Access:** In SaaS, identity is often managed (SSO), but _what_ that identity can do inside the app is often left to the user. A user might be granted "Editor" rights to a whole workspace because the "Viewer" role was too restrictive for a five-minute task, and the permission is never revoked.
---
## 3. Comparison of Implementation Gaps
|**Feature**|**Document Storage (Legacy)**|**SaaS Solutions (Modern)**|
|---|---|---|
|**Control Unit**|The Folder (Group-based)|The File/Object (User-based)|
|**Primary Risk**|"Access Creep" (Too many folders)|"Oversharing" (Public links/Guest access)|
|**Visibility**|High (IT can see the whole tree)|Low (Siloed within individual apps)|
|**Least Privilege**|Enforced by IT Admins|Delegated to end-users|
|**Classification**|Often ignored (Manual labeling)|Frequently non-existent|
---
## 4. Why SaaS Validates Your Hypothesis
SaaS environments prove your point that we default to the "minimum of measures" for the sake of necessity.
- **The Productivity Tax:** Implementing true "Least Privilege" in a tool like Slack or Teams (e.g., private channels for everything) is so administratively heavy that teams almost always opt for "Public Channels" by default.
- **The "Shadow" Effect:** When security measures (like classification or restricted access) become too burdensome in a corporate document store, users migrate data to a personal SaaS account (Dropbox/Gmail) to "just get the job done."
> **Key takeaway:** In SaaS, the "Least Privilege" principle is often sacrificed at the altar of **collaboration speed**.
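Review bot: the quantitative claims in the SaaS section carry dangling footnote markers with no matching sources: `"Share with anyone with the link."1`, `IT often loses visibility.2` and `up to **90% of SaaS applications in an enterprise are unmanaged** (Shadow IT).3` reference footnotes 1 to 3 that exist nowhere in the file (the only numbered list is the `Sources` block near the top, whose entries cover PAM and DSPM and are never cited by the Gemini sections); either add the sources or strip the numbers and mark the 90% figure as unverified. The same applies to `According to various industry reports (such as the _Verizon Data Breach Investigations Report_)`, which names a report without an edition or a finding. Smaller points: `[10]` in the Sources list is never cited inline; `# Google Gemini 1` and `# Google Gemini 2` are additional H1 headings inside a file whose H1 is `# Least privilege, need-to-know: principles vs practice`, so demote them to `##` or split them into their own files; the line `**Would you like me to look into "Zero Trust Data Access" (ZTDA) technologies...**` is chatbot follow-up residue and should go; typos: `us defined` should be `is defined`, `need-to-know. and why` should be `need-to-know, and why`, `its a commitment` should be `it's a commitment`, `business users access` should be `business user's access`, and `apply only baseline controls to the classes` is missing a qualifier such as `lower`.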

View file

@ -0,0 +1,6 @@
# Perverse prikkels in de normindustrie
- Nodeloos complex geformuleerde norm, vereist consultants om hem begrijpbaar te maken
- Consultants zijn er niet bij gebaat om de eenvoud te laten zien (want minder uren)
- Bestaande software vereist diepgaande domeinkennis om het te implementeren en te bedienen. Wordt veelal verkocht via partner kanalen (ISO 27001 consultants).
- Certificerende Instanties doen het voorkomen dat ze objectief toetsen t.o.v. Een norm die maar op één manier kan worden uitgelegd, maar in de praktijk wil geen CI bekend staan als de strengste partij met het laagste slagingspercentage.
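Review bot: in the last bullet, `t.o.v. Een norm die maar op één manier kan worden uitgelegd` has a capital `Een` mid-sentence (likely auto-capitalisation after the abbreviation `t.o.v.`); lowercase it. `begrijpbaar` should be `begrijpelijk`, and `partner kanalen` is one word in Dutch (`partnerkanalen`). The first bullet's claim that the standard is needlessly complex would be stronger with a link to the `Example of ISO 27001 mystique` note added in this same commit, which gives the concrete case.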

View file

@ -0,0 +1,5 @@
# Privacy protection in Databases
[A deep dive into privacy-protecting databases by VentureBeat](https://venturebeat.com/business/a-deep-dive-into-privacy-protecting-databases/amp/)
[Differential privacy](https://en.wikipedia.org/wiki/Differential_privacy?wprov=sfti1)
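Review bot: both links carry client-side artefacts: the VentureBeat URL ends in `/amp/` (the mobile AMP rendering) and the Wikipedia URL carries the `?wprov=sfti1` share-tracking parameter; strip both so the links point at the canonical pages. The note also gives no indication of why these two are grouped under `Privacy protection in Databases` or what to take from them; one line per link (which techniques the article surveys, how differential privacy relates to query results over a database) would make the note usable later.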

View file

@ -0,0 +1,4 @@
- Zorgen dat het managen van Infosec risicos een natuurlijk onderdeel wordt van alle activiteiten rond informatieverwerking.
- Bedrijven laten zien dat ze dit zelf kunnen. Ze doen het al voor een groot deel maar hebben nooit geleerd de administratie goed te voeren
- Een stuk software bieden waarmee ze de administratie zelf kunnen opzetten en gaandeweg leren hun informatierisicos norm-conform te beheersen.
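Review bot: this file has no heading, so it is not clear what the three bullets are (they read as goal statements for the software mentioned in the last bullet); add a `#` heading naming them as such. `risicos` appears twice and should be `risico's`, and the second bullet lacks the full stop the other two have.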

View file

@ -0,0 +1,17 @@
# Voordelen van processvolwassenheid
Het CMM (Capability Maturity Model) streeft naar hogere procesvolwassenheid omdat volwassener processen een aantal concrete voordelen opleveren:
**Voorspelbaarheid** — je weet wat een proces oplevert, hoe lang het duurt en wat het kost. Verrassingen nemen af naarmate processen herhaalbaarder worden.
**Beheersbaarheid** — je kunt bijsturen omdat je meet en begrijpt wat er gebeurt. Bij lage volwassenheid stuur je op gevoel of incident.
**Kwaliteitsborging** — hogere volwassenheid betekent dat kwaliteit ingebakken zit in het proces, niet afhankelijk is van de individuele medewerker die het uitvoert.
**Schaalbaarheid** — gedocumenteerde en herhaalbare processen zijn overdraagbaar en schaalbaar, onafhankelijk van sleutelpersonen.
**Continu verbeteren wordt mogelijk** — je kunt pas structureel verbeteren als je een baseline hebt. Zonder gedefinieerde processen verbeter je ad hoc, niet systematisch.
**Auditbaarheid** — je kunt aantonen wat je doet en hebt gedaan, wat essentieel is voor certificering, compliance en vertrouwen bij klanten of toezichthouders.
De ironie is dat dit vrijwel exact de drie peilers zijn die jij voor ISO 27001 beschrijft — risicomanagement (beheersbaarheid), continue verbetering, en borging (aantoonbaarheid). CMM en ISO 27001 adresseren in essentie hetzelfde probleem, alleen vanuit een andere invalshoek.
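Review bot: the heading `# Voordelen van processvolwassenheid` spells the term with a double `s` while the body consistently uses `procesvolwassenheid`, which is the correct Dutch compound; fix the heading. `drie peilers` should be `drie pijlers`. The closing paragraph (`...de drie peilers die jij voor ISO 27001 beschrijft...`) addresses the author in the second person, which suggests it was pasted from a chat reply; the three-pillar description it refers to is not in this file, so either include that description or rewrite the paragraph in the author's own voice.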

View file

@ -0,0 +1,42 @@
# Weerbaarheid: bereid je voor op verstoring
*Engels: Planning for Disruption*
De digitale weerbaarheid van een organisatie is een belangrijke factor in de bedrijfszekerheid. Die weerbaarheid bereik je enerzijds door je te beschermen tegen dreigingen, en anderzijds door de capaciteiten te bouwen waarmee je adequaat kunt reageren op incidenten en kunt herstellen van een aanval of storing. Goed beleid voor digitale weerbaarheid is een verplichting vanuit onder andere de NIS 2 en de ISO 27001 / NEN 7510.
Dit document richt zich op het plannen voor, en het herstellen van, incidenten en verstoringen. Het beschrijft de vier bouwstenen om het opbouwen van weerbaarheid planmatig aan te pakken. Dit zijn:
- Business Impact Analyse
- Bedrijfscontinuïteitsplan
- Incident Response Plan (IRP)
- Herstelplan
Met de **Business Impact Analyse** (BIA) worden de kritische bedrijfsprocessen en hun kwetsbaarheid voor verstoringen in kaart gebracht. Hiermee wordt het belang van de verschillende systemen verduidelijkt voor de bedrijfsvoering, en kan de vertaalslag gemaakt worden naar prioriteiten voor het treffen van preventieve maatregelen (zoals noodvoorzieningen en alternatieve werkwijzen) en het uitvoeren van herstelwerkzaamheden. De BIA helpt ook om technische afdelingen en leveranciers hiervoor kaders te geven.
De BIA is daarmee een ijkpunt voor de andere componenten (het BCP, het IRP en het HP).
Het **Bedrijfscontinuïteitsplan** (BCP) richt zich op de continuïteit van essentiële processen tijdens verstoringen. Het beschrijft hoe de bedrijfsvoering doorgang kan vinden door de inzet van mensen, middelen en techniek, inclusief de toeleveringsketen. Een BCP beschrijft bijvoorbeeld de inzet van alternatieve locaties, tijdelijk personeel, noodapparatuur en alternatieve werkwijzen.
Het **Incident Response Plan** (IRP) adresseert de directe reacties op veiligheidsincidenten en dreigingen. Het bevat een stappenplan voor het detecteren, analyseren, beheersen en elimineren van gevaren en verstoringen
De focus van het **Herstelplan** (HP) is op werkzaamheden die de normale gang van zaken weer moeten herstellen. Het gaat dan om IT systemen en technische infrastructuur (servers, databases, netwerken en software), maar ook om het weer in gang zetten van de normale bedrijfsprocessen met de normale voorzieningen.
De verschillende plannen hoeven niet noodzakelijkerwijs als separate documenten met deze titels te bestaan zo worden de verschillende onderdelen vaak gecombineerd in een 'Uitwijk- en herstelplan' of een 'Calamiteitenplan'
---
**Engelse termen**
Business Impact Analyse (BIA)
Business Continuity Plan (BCP)
Incident Response Plan (IRP)
Disaster Recovery Plan (DRP)
**Metrics**
Kwantificeren hoe lang systemen uit de lucht mogen zijn, voordat de impact op de bedrijfsvoering onacceptabel wordt.
- Maximum tolerable period of disruption (MTPD) of business process
- Maximum Downtime (MTD) of assets
- Recovery Time Objectives (RTO) of processes; time for back to normal
- Recovery Point Objectives (RPO) of assets; acceptable data loss; the point in time that you wish to recover to
The BIA provides the business context and impact metrics that guide the creation of the BCP, IRP and DRP. It answers fundamental questions like "What happens to revenue if this system is down for 4 hours?" or "Which departments cannot function without this application?" This quantitative foundation ensures that technical recovery efforts align with business needs and that resources are allocated based on actual business impact rather than assumptions.
The BIA serves as a bridge between business stakeholders and technical teams, translating business requirements into actionable technical specifications across all three planning domains.
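Review bot: the Metrics block at the end of this hunk lists MTPD, MTD, RTO and RPO as unrelated bullets and never states how they constrain each other, and the MTD bullet is expanded as "Maximum Downtime" where the usual expansion is Maximum Tolerable Downtime. Suggest one added line saying that the RTO of a process must not exceed its MTPD (and the RTO of an asset not its MTD), and that the RPO sets the minimum backup frequency, so that the BIA figures actually bound the recovery plan. Two smaller points in the Dutch part: the sentence starting "Het **Incident Response Plan**" has no closing period, and the sentence starting "De verschillende plannen" lost its separator before "zo worden", which runs two clauses together. The Dutch text calls the fourth plan "Herstelplan (HP)" while the Engelse termen list gives Disaster Recovery Plan (DRP); the HP = DRP mapping should be spelled out in that list.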

View file

@ -0,0 +1,497 @@
# Scratch file long list
---
**Wie IT ziet als een puinruimer, calculeert de schade al in.**
---
**Pantone colors**
These are the Pantone colors we chose for our Canvases.
Pink is for... yellow is for ... etc. You may notice they resemble the colors of 3M's Post-It notes.
This is no coincidence. We like the playfulness and open-world possibilities they can bring to business environments.
Just as our canvases do. They also introduce a certain playfulness - the possibility for discovery and exchange of ideas, in the stern world of risk management and compliance.
Inviting people to be creative with and develop ownership for the risks that come with being inventive.
+ Call to action
---
**Stukje: informatieveiligheid in projecten**
Denkend aan Control 5.8 - Information security in project management:
"To ensure information security risks related to projects and deliverables are effectively addressed in project management throughout the project life cycle".
https://www.ipma.nl/iso-voor-projectmanagement
---
**Keeping projects secure**
Risico's op 3 vlakken:
- Het op te leveren product (vanaf ontwerp via testen tot oplevering)
- De uitvoering van het project (incl de mensen en tooling)
- De overdracht aan en borging in de staande organisatie
Mind map van de risico's / kwetsbaarheden
Check ISO 27001 en NIST
---
**NIST CSF 2.0 GV.RR-01**
---
Organizational leadership takes responsibility for decisions associated with cybersecurity risks and establishes a culture that is risk-aware, behaves in an ethical manner, and promotes continuous improvement
---
**Gretzky:** I don't skate to where the risks are, I skate to where they gonna be
---
Accepting posts!
---
**Top Security Awareness startups you should follow**
https://voiceofciso.com/top-security-awareness-startups-you-should-follow/
---
**Takeaways of 2023 Data Breach Investigations Report (DBIR)**
https://www.verizon.com/business/resources/T547/reports/2023-data-breach-investigations-report-dbir.pdf?utm_source=danielmiessler.com&utm_medium=newsletter&utm_campaign=unsupervised-learning-newsletter-no-386
Takeaways:
1. Social engineering attacks are up, with Business Email Compromise and ransomware leading the charge.
2. Most breaches involve human error and external actors, and the primary motives are still financial.
3. Business Email Compromise (BEC) attacks have almost doubled and represent more than 50% of incidents in the Social Engineering pattern.
4. 74% of all breaches involve human error; 83% involve external actors.
5. Financial motives underlie 95% of breaches.
---
Miessler newsletter
---
**New SEC cyber rules will force ISMS**
New SEC cyber rules will force businesses to think beyond IT security | Security Info Watch
https://www.securityinfowatch.com/cybersecurity/article/53061276/new-sec-cyber-rules-will-force-businesses-to-think-beyond-it-security
---
**MEME:** If you could just.... Stop presenting your services catalog as a fit-gap analysis. That would be nice. I'm looking at you, MSP's!
---
**The problem with awareness campaigns**
They only deal with known risks
People are likely already aware
- They teach a reflex (don't click, pause for 5 secs)
- They train on answering the question
---
**Informatiebeveiliging blijft beperkt zolang we het een IT probleem maken**
Want:
Beperkt mandaat
Beperkte toolkit/comfort zone
Business pakt geen verantwoordelijkheid
Hoe dan wel?
1. Reken de business ook af op hun efforts rond informatieveiligheid (wel met duidelijke scoping van hun verantwoordelijkheden, instrumentarium en heldere rapportageverpichtingen)
2. Laat informatiebeveiliging bij IT, maar breng informatieveiligheid in de lijn (kijk welke onderdelen wel bij IT horen en welke daarvan dienend zijn aan de lijn, zoals monitoring en logging) - denkexperiment: named admin accounts: wie is waar verantwoordelijk voor en hoe bewaak je dat?
---
As long as security is not part of business OKR, it won't happen
---
Increase cyber resilience by empowering employees
---
**Solve your shadow IT Problem**
By acknowledging user agency (paradoxically)
---
**MEME:** I pity the fool who thinks shadow it can be
---
**Morgan Stanley betaalt 6,5 miljoen dollar wegens datalek door afgedankte servers - Security.NL**
https://www.security.nl/posting/818992/Morgan+Stanley+betaalt+6%2C5+miljoen+dollar+wegens+datalek+door+afgedankt?channel=rss
---
**Cybersecurity Is a Social, Policy, and Wicked Problem**
https://taosecurity.blogspot.com/2023/06/cybersecurity-is-social-policy-and.html
---
**Guarding Against the Insider Threat: Do Your Employees Pose the Greatest Risk? - Cyber Defense Magazine**
https://www.cyberdefensemagazine.com/guarding-against-the-insider-threat-do-your-employees-pose-the-greatest-risk/
---
**Employees breaking security policies just dangerous as being hacked, Kaspersky global study shows**
https://www.itsecurityguru.org/2023/11/22/employees-breaking-security-policies-just-dangerous-as-being-hacked-kaspersky-global-study-shows/?utm_source=rss&utm_medium=rss&utm_campaign=employees-breaking-security-policies-just-dangerous-as-being-hacked-kaspersky-global-study-shows
---
**Small Business Cybersecurity Hampered by Fear of Change, Judgement - Security Boulevard**
https://securityboulevard.com/2023/11/small-business-cybersecurity-hampered-by-fear-of-change-judgement/
---
**The drawbacks of using video training for your security awareness program - Security Boulevard**
https://securityboulevard.com/2023/11/the-drawbacks-of-using-video-training-for-your-security-awareness-program/
---
**How to deal with the risks of shadow it**
We'll have shadow it as long as we'll have Excel. Or any other tooling that work teams can use of which the control of functionality is not strictly centralized.
And that is essential to business otherwise we would lose all agility and opportunity for creativity.
Change + Agility = Shadow IT
Changes necessitates shadow IT
Shadow IT is here to stay and that's a good thing. But we have to deal with risks.
---
**Als een kind (filmpje)**
Dit is Inge
Inge kijkt een filmpje over IB
Want dat moet
Inge baalt er van, omdat ze wordt aangesproken alsof ze een kind is
Ondertussen klikt ze wat mails weg
Aan het eind van het filmpje krijgt ze een meerkeuzevraag.
Dit moet iedere week. Van de Security Officer. Die denkt dat ze hierdoor veiliger gaat werken.
---
**SIGRA Opleidingen Privacy & Informatieveiligheid | sigra**
https://www.sigra.nl/expertisecentrum-privacy-informatieveiligheid/opleidingen-privacy-informatieveiligheid
---
**People make the best exploits**
Quote from Mr Robot season 1
Link to Kevin Mitnick social engineering
---
**Content: voorbereiden op een NEN 7510 implementatie**
---
**CMM: hoe kom je van volwassenheidsniveau 0 naar 5?**
---
Wil je ook een IBB dat
---
**Integriteit wordt vaak vergeten**
Of alleen geïnterpreteerd als: door technische issues of outsider threats gecompromitteerd
Terwijl het vaak in het proces kan ontstaan, zie bijv zaaksysteem Zeeland of urenverantwoording Junis
---
**How do you involve your project team in managing risks?**
---
**Content: risico's in nieuwe projecten**
Hoort dit thuis onder IT, Kwaliteit of in de lijn?
De uitvoering van het risicomanagement moet een lijnverantwoordelijkheid zijn en in de managementcyclus geborgd worden.
De verantwoordelijkheid voor het instrument ligt wel bij de Kwaliteitsafdeling.
Moet je niet eerst al je processen beschrijven, vóór je dit gaat doen?
Nee, het is complementair. Procesbeschrijvingen leggen achteraf vast wat bekend is, en hoe de dingen zouden moeten gaan.
Vanuit een KS-bril zou je het liefst willen dat er bij een verandering in het werk, in systemen, of in de omgeving, eerst een analyse wordt uitgevoerd hoe het proces moet worden aangepast en wat daarbij de risico's zijn, en dat pas daarna het werk verandert.
De realiteit is dat het werk wordt aangepast, en pas in de volgende KS cyclus gekeken wordt hoe we de procesbeschrijving moeten aanpassen.
---
**Eigenaarschap in de business**
Verantwoordelijkheid en eigenaarschap in de business bereik je alleen, als het managen van risico's voor informatieveiligheid in de werkprocessen, onderdeel wordt van het algemene management proces.
Dat bereik je door managers verantwoordelijk te maken voor de performance op dat vlak, net zoals ze aangesproken worden op winst en verlies, personeelsmanagement en kwaliteit.
---
**Boek: houding in Workshop**
Ja leuk dat we dit doen, maar als wij het prioriteit vinden zegt een CISO, manager of directeur iets anders
1) is dus de attitude die door de methode veranderd wordt
2) overtuigen van de ander in AO, maar ook door onderbouwing met risico analyse
---
**Querying for hidden risks**
Earlier LinkedIn post on that subject
Plus Google questionnaire with McGyver
---
**faalkosten in de bouw - Corporatie branche**
https://www.google.com/search?q=faalkosten+in+de+bouw&ie=UTF-8&oe=UTF-8&hl=en-nl&client=safari
---
**ESG (Environmental, Social, and Governance)**
Employee participation is crucial to the success of ESG directives for several reasons (the canvas method can be a way to):
1. **Enhanced Implementation and Compliance**:
- Ownership and Accountability: When employees are actively involved, they are more likely to take ownership of ESG initiatives, ensuring better implementation and compliance.
- Ground-Level Insights: Employees often have valuable insights into operational aspects and can identify practical solutions to meet ESG goals effectively.
2. **Improved Sustainability Practices**:
- Environmental Initiatives: Employees can contribute to reducing waste, improving energy efficiency, and adopting sustainable practices in their daily operations.
- Social Contributions: Active participation in community engagement, volunteer programs, and diversity and inclusion efforts strengthens the social impact of the company.
3. **Enhanced Governance**:
- Ethical Behavior: Employee participation in governance practices, such as ethical training and whistleblowing mechanisms, helps uphold high standards of integrity and transparency.
- Feedback and Communication: Open channels for feedback enable employees to report on governance issues and suggest improvements, fostering a culture of continuous improvement.
4. **Increased Engagement and Morale**:
- Purpose and Motivation: When employees are part of ESG initiatives, they feel a sense of purpose and are more motivated, leading to higher job satisfaction and retention.
- Skill Development: Participation in ESG projects can provide employees with opportunities for skill development and career growth, further enhancing their engagement.
5. **Innovation and Competitive Advantage**:
- Creative Solutions: Engaged employees are more likely to propose innovative solutions for ESG challenges, giving the company a competitive edge.
- Brand Reputation: Companies with active employee participation in ESG are perceived more positively by customers, investors, and other stakeholders, enhancing their reputation and market position.
6. **Regulatory and Reporting Compliance**:
- Accurate Reporting: Employees who are aware and involved in ESG practices are better equipped to provide accurate data and insights for ESG reporting, ensuring compliance with regulatory requirements.
- Proactive Adaptation: Active participation helps the company stay ahead of regulatory changes and adapt proactively to new ESG-related laws and standards.
7. **Stakeholder Engagement**:
- Community Relations: Employees can act as ambassadors of the company's ESG initiatives in the community, strengthening relationships with external stakeholders.
- Investor Confidence: Demonstrating robust employee participation in ESG efforts can build confidence in the company's long-term sustainability and governance practices.
In summary, employee participation is vital for the successful execution and sustainability of ESG directives. It drives better implementation, fosters a culture of ethical behavior, enhances employee morale and engagement and contributes to the overall competitive advantage and reputation of the organization.
---
**Phishing awareness campaigns**
Wrongly named, because it's about being aware of one's own gullibility and/or onzorgvuldigheid
---
**Is that web tool safe?**
Just found this great tool through SANS Security Awareness Community
https://web.universiteitleiden.nl/assets/toolpicker/?lang=en
---
**Waarom werkt de implementatie van uw GRC Tooling zo slecht?**
gebrek aan volwassenheid
geen business risico's
"2 reasons why your GRC Tool implementation is failing"
SANS forum: maturity for SMEs
---
Announce FortMesa partnership
---
**Blogpost: Guidance for high-risk individuals on protecting your accounts and devices**
https://www.ncsc.gov.uk/collection/defending-democracy/guidance-for-high-risk-individuals
---
**RAM-systeem van de Belastingdienst**
https://www.nrc.nl/nieuws/2025/03/12/van-prostituees-tot-belgische-pensionados-in-het-privacyschendende-ram-systeem-van-de-belastingdienst-heerste-de-willekeur-a4886148
---
Mapgood en andere risico inventarisaties vergelijken met de CM voor blogpost
Er wordt veel gezocht op MAPGOOD
---
hockey protective gear laid out on the floor - Google Search
https://www.google.com/search?client=safari&sca_esv=d777291650d83160&hl=en-nl&channel=30&udm=2&fbs=ABzOT_CWdhQLP1FcmU5B0fn3xuWpA-dk4wpBWOGsoR7DG5zJBtmuEdhfywyzhendkLDnhcrGv0bvsF02PE9wAganQ-f1_Kd4P04qA1S-9-QK1sT3LFPxW3X361XTv82H1htWdFiwBZR9R_VbvGWkRViaCElk48nz55PwPeAVreb4dptjjtuT30PIHN2GvNJUTuypmttyCzXHSO6L-KCNAXWZ_7sIHaNMCpoQtKgLegQIExAB&biw=393&bih=656&dpr=3
---
Buying a security solution unprepared? You're probably in violation of ISO 27001 clause 8.1
---
On labeling email
https://www.reddit.com/r/ISO27001/s/kOPJtzxOtM
---
**'Eigenaarschap' is een populair begrip onder managers. Maar wat is het? En hoe krijg je het? - NRC**
https://www.nrc.nl/nieuws/2025/09/24/eigenaarschap-is-een-populair-begrip-onder-managers-maar-wat-is-het-en-hoe-krijg-je-het-a4907321
---
**Publish control sets for selected business processes (Gerard Blokdyk approach)**
- Reviewing GDPR Processing Agreements? These are the relevant ISO 27002 controls:
- Business Continuity Plan? Apply the following controls to stay compliant: These are the relevant ISO 27002 controls:
- etc.
- Writing a policy on Remote Working?
- Posture management?
- Vendor selection and due dilligence?
- Auditing HR security:
- Supporting remote work
- Supply Chain Security
- Secure Software Development
- Outsourcing development
- Preventing data breaches (termination of cloud services + configuration management)
- Checklist for Cloud Services agreement - 27002:2022 5.23 Information security for use of cloud services
#iso27001 #compliant_working <- this needs a better hashtag
---
Create a list of Weird hacker words:
- Burp attacks
- Smurf attacks
- Digital Dumpster Diving and google dorking.
---
Publish about Stop Ransomware
https://www.cisa.gov/stopransomware
---
NIST Seeks Information on Chinese Participation in the International Standards Development Process
https://www.nist.gov/news-events/news/2021/11/nist-seeks-information-chinese-participation-international-standards
---
Software risks in private equity buyouts | Synopsys
https://www.synopsys.com/blogs/software-security/software-risks-private-equity-buyouts/
---
How safe is it to use a Github Action contributed by a third party?
https://security.stackexchange.com/questions/256790/how-safe-is-it-to-use-a-github-action-contributed-by-a-third-party
---
# Content Scratch File
`Write to Express, not to Impress`
`Write like you Speak`
#TSW
[[Risk analysis is useless]]
[KuppingerColes practical implications of NIS2](bear://x-callback-url/open-note?id=4DC76555-BF6E-4B99-8260-EF99344D5F3F)
Seven Dimensions of Security Culture - see Obsidian note
- Illuminated by awareness
- The CISOs blind spot: Actual human behaviour
- What happens on the workfloor, stays on the workfloor
- Ransomware is the boogie man als je over bewustzijn en gedrag praat, begint men meestal over phishing links en ransomware. Maar het echte gevaar zit in de werkprocessen
- En hoeveel incidenten of bijna incident zijn er niet gemeld? Bij CM bespreek je dat in de geborgenheid van je eigen team
- Driehoek patiëntveiligheid, medewerkerveiligheid, informatieveiligheid
- De effectiviteit / het rendement van het ISMS vergroten
* Security: making it chefsache (met Gilbert van Z.)
* Cybersecurity requires behavioral change
* How CMIS works with ISO 27001
* Risk Management under ESG/CSRD - see [note](bear://x-callback-url/open-note?id=9EFE612A-3AE3-4AA5-B7EC-016573722C21)
* Working with multiple teams
* Integrating CMIS with existing management systems and frameworks
* Bridging the gap with non-technical departments
* Risk based vs control driven
* Build in Public/Indiehackers: I was going to build software and now its a set of PDFs
* Build in Public/Indiehackers: Restrictive domain names and pivoting
* My Risk, Your Control / Now its your risk / Bystander effect and IS
* Theory of Planned Behavior
* Pushing Security Management to the Left
* Security should be a basic hygiene factor in every team
* [Theory of Planned Behavior](https://en.wikipedia.org/wiki/Theory_of_planned_behavior)
* Twee blinde vlekken: de CISO maakt zich zorgen over de blinde vlek van de medewerkers (ze kennen de risicos niet), maar heeft zelf een blinde vlek voor risicos in de operatie.
“Het is voor mensen gemakkelijk kwetsbaarheden te veroorzaken waarvan wij niet op de hoogte zijn. Je moet een manier vinden om goede input te verzamelen, om te weten dat alles procesmatig OK is”. Marco Biekaert (?), Belastingdienst BCM:
Cyber from cybernetics, a scientific field studying systems with a feedback- and control-loop in which technology and human work together towards a goal.
# What is wrong in InfoSec?
* Mensen noemen risico en verwachten vervolgens dat iemand anders het oplost
* Informatie veiligheid is het probleem van de IT afdeling, Of: daar zorgt de IT afdeling toch voor
* De compliance afdeling is een beleidsfabriek
* Richtlijnen worden niet gevolgd omdat het risico veel lager wordt ingeschat of de middelen tussen de persoon en zijn doel staan: ze werken beperkend
* We weten dat het speelt maar toch niet bij ons
* Ja dat zeggen wij al jaren
Typical InfoSec awareness training
That guy from IT during your onboarding class:
#![](Coach%20Carr.jpg)
---
**Risk analysis is useless**
the cornerstone metrics for actuary modelers — the Annual Loss Expectancy and Annual Rate of Occurrence — with a high degree of accuracy is beyond the current capabilities -> are historical and says little about the future.
The traditional actuary models do not apply well to an environment where highly motivated, creative, and intelligent attackers are dynamically pursuing actions that cause insurable events.
The problem is with the nature of the threat. Cyber attackers escalate and adapt quickly, which undermines the historical-based models that insurance companies rely on. Attackers are continually shifting their maneuvers that identify victims, cause increasing loss, and rapidly shift to new areas of impact.
Denial of service attacks were once popular but were superseded by data breaches, which cause much more damage. Recently, attackers expanded their repertoire to include ransomware-style attacks that increased the insurable losses ever higher.
---
# Human Error Breaches Incidents
### NL Healthcare / Orthopedium
- Orthopedium: sinds software update kunnen de röntgenscanner en het EPD niet meer met elkaar overweg: het patiëntnummer moet opgezocht worden in het EPD en handmatig worden ingegeven in de software van de röntgenscanner
- Orthopedium: de werkstations in de OK starten heel traag op. De afdelingssecretaresse heeft de inloggegevens van alle artsen in haar agenda, en logt ze s ochtends alvast in. & de operatieploegen rouleren gedurende de dag over de OKs, maar loggen niet opnieuw in. De verrichtingen zijn daardoor gekoppeld aan de verkeerde arts. Dit wordt achteraf handmatig gecorrigeerd aan de hand van de planning van die dag.
### NZA
- NZA: de onbeheerde netwerkmap voor de vakantiefotos, waar iedereen met een NZA-account bij kon, werd al snel ontdekt als plek om gemakkelijk grote dossiers en bestanden met elkaar te delen. Meestal werden die daarna niet verwijderd.
### Prestige Data Breach
- [Prestige Data Breach](https://rkranendonk.medium.com/learning-points-from-the-prestige-data-breach-eac454b577d3)
- Slechte architectuur: manipulatie van tekstbestanden op een file systeem i.p.v. een robuuste database
- Publieke / te ruime toegang AWS Bucket door slechte configuratie of Free Tier (bijv. Miro)
- Niet toepassen encryptie
- Gegevens langer bewaren dan nodig
- Meer gegevens verwerken dan nodig
- In productie nemen van PoC oplossing
### Junis
- Versleuteld mailen werkt niet bij alle ketenpartners het beleid is om gegevens over kinderen en ouders alleen versleuteld naar de samenwerkingspartners te mailen. Bij sommige ontvangers werkte het ontsleutelen van de mail niet goed, door een afwijkende configuratie van de mailserver.
- Communicatie met ouders via WhatsApp want het lukt niet alle ouders om de speciale app te installeren
- Deurcodes pand worden aan ouders gegeven
- Sleutels worden meegegeven aan externe onderhoudsmonteurs
- Werken met beperkt aantal voorkeursleveranciers vergroot de afhankelijkheid
- Ontbrekende of onvolledige verantwoording subsidieaanvraag onder tijdsdruk
- Onvoorziene consequenties van eigen veranderingen en handelen voor andere afdelingen
- Onvoorziene consequenties van veranderingen en handelen andere afdelingen voor ons
- Minder mogelijkheden voor handmatig ingrijpen door toegenomen integratie
- Niet tijdige of incorrecte mutatie in AFAS betekent geen toegang tot de juiste informatie op Intranet voor medewerker cluster
- Verkeerde mdw/locatie in Quebble door onjuiste KP in AFAS/HR; kwaliteit roostering gaat omlaag
- Makkelijk bestellen zonder verder gedoe Verantwoordelijkheid correcte invoer verschuift: risico op foute invoer
- Kinderopvangtoeslag Problemen door ontbreken noodzakelijke kennis bij ouders
- Ondersteuning te weinig beschikbaar, onduidelijkheid waar je terecht moet (IT of FAB)
- Verzenden cadeaus gastouders door derden vraagt om verstrekking NAW-gegevens
- Indeling gegevens in verschillende bronsystemen matchen niet
- Gevoelige informatie publiceren op verkeerde plek op SharePoint (wegens onduidelijke structuur en ontbreken aan instructies
- Onvoldoende bewustzijn bij mdws over de toegankelijkheid van verschillende sites op Intranet en SharePoint
- Weekberichten worden niet opgeslagen in Groepssites, maar in Clustersites, waar ook gevoelige informatie kan staan zoals ontruimingsplannen
- PMers hebben privé telefoons en geen Office365 licentie. Hoe moeten ze Teams Chat gebruiken als WhatsApp niet mag? En communicatie met ouders kan ook niet via Teams.
- Alle medewerkers met privemail-adres in CC personeelsnieuwsbrief
- Gevoelige informatie wordt verstuurd naar privé adressen, bijv. in Weekbericht
- Op een telefoon kun je Teams openen zonder in te loggen  unlock telefoon is genoeg
- Gebruik beelden van kinderen niet mogelijk door niet aanleveren toestemmingsformulieren door PM'ers
- Werken met iPads: invullen formulieren online werkt n iet goed, dan maar mailen naar huisadres en terug.
- Zeer groot dienstverleners-landschap!
- Gevoelige info besprekingen op vergaderbordjes / Onderwerp bespreking uit Outlook kan gevoelige info bevatten
- PMer maakt WhatsApp groepje aan voor ouders niet alle ouders zijn er blij mij dat hun tel.nr. nu voor iedereen zichtbaar is
- Secretariaat: Kans op insluipers wegens ontbreken sluitronde door beveiligingsfirma
### Parnassia groep
- In EPD kan niet gezocht worden op BSN, daardoor wordt gezocht op andere kenmerken. Gevolg is dat patiënten dubbel worden ingeschreven, en behandelingen/afspraken aan de verkeerde patient gekoppeld worden
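Review bot: this hunk commits client-identifiable incident detail (the Orthopedium, NZA, Junis and Parnassia groep sections under "Human Error Breaches Incidents", plus a named person in the quote following "Twee blinde vlekken"), so the repository's visibility should be checked against the sensitivity of those notes before this is merged; a scratch file is also the place where such material tends to outlive its purpose. Several references only resolve on the author's machine: the two bear://x-callback-url notes, the [[Risk analysis is useless]] wikilink, and the line `#![](Coach%20Carr.jpg)`, whose leading `#` keeps it from rendering as an image. Suggest replacing the bear:// links with repository paths and stripping the tracking parameters (utm_*, sca_esv, fbs) from the DBIR, Kaspersky and Google search URLs, which carry no content and tie the links to a personal session.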

View file

@ -8,13 +8,9 @@ Deze checklist gaat niet over techniek, maar over management en beleid.
Het kost je een paar minuten, en dan weet je waar je staat, als op 1 juli 2026 de Cyberbeveiligingswet (Cbw) in werking treedt — en jij als bestuurder persoonlijk verantwoordelijk wordt voor informatiebeveiliging.
Als je na de checklist graag een uurtje wilt sparren over hoe nu verder, dan praat ik graag een uur met je.
— Cbw-compliance in 8 stappen — 5/5 \#managingsecurity \#Cbw \#NIS2
https://iso27diy.com/assets/cbw-checklist.html
---
— risicoanalyse en beveiligingsbeleid, incidentresponse, bedrijfscontinuïteit, leveranciersbeveiliging, systeembeveiliging, effectiviteitsbeoordeling, cyberhygiëne en opleiding, cryptografie, personeels- en toegangsbeheer, en authenticatie
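Review bot: the final line of this hunk, the comma list starting "risicoanalyse en beveiligingsbeleid" and ending "en authenticatie", has no sentence introducing it; after this hunk shrinks the region from 13 lines to 9 it stands alone below a "---" rule. Either attach it to the sentence that the ten measures belong to, or delete it if it is a remnant of the removed lines. Also, the checklist is linked here as a bare URL (https://iso27diy.com/assets/cbw-checklist.html) while the NIS2 checklist in the same commit uses a markdown link; one style for both would read better.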

View file

@ -15,4 +15,4 @@ They will check for the minimum measures listed in Art. 21(2):
You don't need to be certified. But you do need to be able to answer these questions — on paper, not just in your head. Have your answers ready!
You can find an interactive checklist [[on our site]]. If the checklist raises any questions on how to continue, I'm happy to spend an hour with you.
You can find an interactive checklist [on our site](https://iso27diy.com/assets/nis2-checklist.html). If the checklist raises any questions on how to continue, I'm happy to spend an hour with you.
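Review bot: replacing `[[on our site]]` with the markdown link to https://iso27diy.com/assets/nis2-checklist.html is the right fix, since the wikilink form does not render outside the note-taking app and would have shipped as literal brackets. This edit and the Cbw checklist edit are content changes unrelated to the folder move named in the commit message "moved scratch file folder"; they would be easier to review and revert as a separate commit with their own message.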