diff --git a/AuditGlue/AuditGlue Workflows.md b/AuditGlue/AuditGlue Workflows.md index 4506bae..5eb2acd 100644 --- a/AuditGlue/AuditGlue Workflows.md +++ b/AuditGlue/AuditGlue Workflows.md @@ -1,5 +1,27 @@ # AuditGlue Workflows +## Interactie met de gebruiker (eerder opgesteld) + +1. Gebruiker kiest een Lesmodule uit menu +2. Content wordt getoond. Filmpje, tekst, afbeelding. +3. De gebruiker krijgt een ‘taak’. Hij/zij heeft de keuze die nu uit te voeren, of te parkeren in de persoonlijke Takenlijst[^1] (onderdeel van GRC). De taak bevat een verwijzing naar de content, zodat die later weer opgepakt kan worden. +4. De taak kan bestaan uit bijv: + 5. het uploaden van een document + 6. het invullen van een vragenlijst + 7. het vullen van een tabel (simpele spreadsheet met rij/kolom totalen bijv) +8. Wat de gebruiker toevoegt wordt opgeslagen in de GRC-module +9. De input van de gebruiker wordt gebruikt om nieuwe content te genereren, bijv. een beleidsdocument. Dit kan gebeuren met templates, logische regels, of LLM. +10. Gegenereerde content wordt ter controle aangeboden aan de gebruiker. Die moet daar wijzigingen in aan kunnen brengen en uiteindelijk de productie akkoord verklaren. +11. Na akkoord is er een wijziging in het ‘volwassenheidsniveau’ van het ISMS. Deze komt tot uitdrukking in het ‘Implementatie Dashboard’ (onderdeel van GRC). – kan dynamisch gegenereerd worden + +- [ ] Uitwerken: Er zit onderlinge afhankelijkheid in: soms kun je stap 3 pas nemen als je stap 1 gedaan. +- [ ] Volwassenheidsniveaus benoemen. + + +[^1]: in een latere versie kunnen taken toegewezen worden aan een andere gebruiker. + + + ## Volgen van een Session - gebruiker klikt uit het Sessions-menu een les aan diff --git a/AuditGlue/System alternative/Using AI to create policies.md b/AuditGlue/System alternative/Using AI to create policies.md index 4de8472..a353814 100644 --- a/AuditGlue/System alternative/Using AI to create policies.md 
+++ b/AuditGlue/System alternative/Using AI to create policies.md @@ -22,7 +22,7 @@ Examples: 4. develop interventions based on these differences **Threat analysis** -- do a threat analysis, see [Create a threat analysis chatbot](../../Corpus/Sparks/Create%20a%20threat%20analysis%20chatbot.md) +- do a threat analysis, see [Create a threat analysis chatbot](../../Corpus/Various/Create%20a%20threat%20analysis%20chatbot.md) **Policy drafting** diff --git a/Clients/Humankind/Calculatie Humankind uit opdracht 6 juni 2024.md b/Clients/Humankind/Calculatie Humankind uit opdracht 6 juni 2024.md index 3251d98..73c10c9 100644 --- a/Clients/Humankind/Calculatie Humankind uit opdracht 6 juni 2024.md +++ b/Clients/Humankind/Calculatie Humankind uit opdracht 6 juni 2024.md @@ -5,7 +5,7 @@ Uit [Opdracht Humankind 6 juni 2024](Opdracht%20Humankind%206%20juni%202024.md) | **DELIVERABLES** | | | | | -------------------------------------------------------------------------------------------------------- | --- | -------- | -------------- | | **Fase I. Randvoorwaarden** | | | | -| [Check op Basisveiligheid](../../Corpus/Sparks/Check%20op%20Basisveiligheid%20Humankind.md) | | Stelpost | € 15.000 | +| [Check op Basisveiligheid](Check%20op%20Basisveiligheid%20Humankind.md) | | Stelpost | € 15.000 | | [[Management Workshops Humankind\|Management Workshops (2x) ‘Sturen op Risico’s met de Canvas Methode’]] | | | € 2.400 | | [Vaststellen Leidende principes en doelen](Leidende%20principes%20en%20doelen%20Humankind.md) | 1 | € 1.100 | € 1.100 | | _Totaal (ex. Stelpost)_ | | | **_€ 18.500_** | diff --git a/Corpus/Sparks/Check op Basisveiligheid Humankind.md b/Clients/Humankind/Check op Basisveiligheid Humankind.md similarity index 95% rename from Corpus/Sparks/Check op Basisveiligheid Humankind.md rename to Clients/Humankind/Check op Basisveiligheid Humankind.md index ca231d4..ce4a59d 100644 --- a/Corpus/Sparks/Check op Basisveiligheid Humankind.md 
+++ b/Clients/Humankind/Check op Basisveiligheid Humankind.md @@ -2,7 +2,7 @@ Uit opdracht: "Bescherming tegen actuele *externe* dreigingen". -Dus een [Pentest](../../Clients/Humankind/Pentest%20Humankind.md). +Dus een [Pentest](Pentest%20Humankind.md). Het andere subject onder de kop "Voorzien in basisveiligheid" is: > Verzekering Beschikbaarheid: backups en noodvoorzieningen, calamiteitenplan diff --git a/Clients/Humankind/Opdracht Humankind 6 juni 2024.md b/Clients/Humankind/Opdracht Humankind 6 juni 2024.md index b756a23..c445200 100644 --- a/Clients/Humankind/Opdracht Humankind 6 juni 2024.md +++ b/Clients/Humankind/Opdracht Humankind 6 juni 2024.md @@ -14,7 +14,7 @@ Uitdagingen: ### Fase 1 – Randvoorwaarden scheppen voor ontwikkeling A. Voorzien in basisveiligheid door: -- [Check op Basisveiligheid](../../Corpus/Sparks/Check%20op%20Basisveiligheid%20Humankind.md) door een onafhankelijke Partij +- [Check op Basisveiligheid](Check%20op%20Basisveiligheid%20Humankind.md) door een onafhankelijke Partij - Bescherming tegen actuele externe dreigingen - [[Verzekering beschikbaarheid Humankind|Verzekering beschikbaarheid]]: - Backups en noodvoorzieningen diff --git a/Content Factory/Marketing voor ZZP werk/Posts/s01p02nl - Een beveiligingsrisico begint met een beslissing.md b/Content Factory/Marketing voor ZZP werk/Posts/s01p02nl - Een beveiligingsrisico begint met een beslissing.md index ca92bec..b8a9003 100644 --- a/Content Factory/Marketing voor ZZP werk/Posts/s01p02nl - Een beveiligingsrisico begint met een beslissing.md +++ b/Content Factory/Marketing voor ZZP werk/Posts/s01p02nl - Een beveiligingsrisico begint met een beslissing.md @@ -1,4 +1,4 @@ -`posted on 14 May 2026 10:15 CEST to LinkedIn personal stream` +`posted on 18 May 2026 10:15 CEST to LinkedIn personal stream` # Een beveiligingsrisico begint met een beslissing De meeste beveiligingsrisico's beginnen niet met een technisch probleem. Ze beginnen met een beslissing. 
diff --git a/Content Factory/Marketing voor ZZP werk/Posts/s01p03en - Security is a management issue.md b/Content Factory/Marketing voor ZZP werk/Posts/s01p03en - Security is a management issue.md new file mode 100644 index 0000000..e2f3e0a --- /dev/null +++ b/Content Factory/Marketing voor ZZP werk/Posts/s01p03en - Security is a management issue.md @@ -0,0 +1,18 @@ +`Posted on 15 May 2026 19:30 CEST to LinkedIn personal stream` +# Security isn't an IT problem, it's a management issue. + +That was the core of the previous two posts. The question remains: how do you embed that in your organization? + +Individual measures help, but in an organization that keeps moving, they quickly fall short. People leave, ways of working change, new tools are introduced, laws and regulations evolve. + +You need to establish a management process that makes risks visible, assigns ownership, and allows for corrections. ISO 27001 provides a framework for exactly that. + +ISO 27001 doesn't have the best reputation: unnecessary bureaucracy, paperwork overload, 14 sign-offs for every change. That's unfair. It's a framework you can tailor to your organization. At its core: managing risks, assigning ownership, and continuous improvement. Robust enough for corporates, flexible enough for smaller organizations. And you can reap the benefits without pursuing certification. + +Ask yourself: how has my organization made sure that information security doesn't depend on one person, one moment, or one department? + +I'd be curious to hear how that's arranged in your organization. Feel free to send me a message if you'd like to compare notes. + +— Security as an organizational challenge — 3/3 + +\#managingsecurity \#iso27001 \ No newline at end of file 
diff --git a/Content Factory/Marketing voor ZZP werk/Posts/s01p03nl - Security is geen IT-probleem, maar een managementvraagstuk.md b/Content Factory/Marketing voor ZZP werk/Posts/s01p03nl - Security is geen IT-probleem, maar een managementvraagstuk.md index b2dcbbe..e67e07c 100644 --- a/Content Factory/Marketing voor ZZP werk/Posts/s01p03nl - Security is geen IT-probleem, maar een managementvraagstuk.md +++ b/Content Factory/Marketing voor ZZP werk/Posts/s01p03nl - Security is geen IT-probleem, maar een managementvraagstuk.md @@ -1,7 +1,7 @@ -`posted on 15 May 2026 10:15 CEST to LinkedIn personal stream` +`posted on 19 May 2026 10:00 CEST to LinkedIn personal stream` # Security is geen IT-probleem, maar een managementvraagstuk. -Security is geen IT-probleem, maar een managementvraagstuk. Dat was de kern van de vorige twee posts. De vraag die overblijft: hoe borg je dat in je organisatie? +Dat was de kern van de vorige twee posts. De vraag die overblijft: hoe borg je dat in je organisatie? Losse maatregelen helpen, maar in een organisatie die blijft bewegen, schieten ze al snel tekort. Mensen vertrekken, werkwijzen veranderen, nieuwe tools worden geïntroduceerd, wet- en regelgeving verandert. @@ -15,4 +15,4 @@ Ik ben benieuwd hoe dat in jouw organisatie geregeld is. Stuur me gerust een ber — Security als managementvraagstuk — 3/3 -\#managingsecurity \ No newline at end of file +\#managingsecurity \#iso27001 \ No newline at end of file diff --git a/Content Factory/Scratch file/Example of ISO 27001 mystique.md b/Content Factory/Scratch file/Example of ISO 27001 mystique.md new file mode 100644 index 0000000..383e933 --- /dev/null +++ b/Content Factory/Scratch file/Example of ISO 27001 mystique.md 
@@ -0,0 +1,9 @@ +# Example of ISO 27001 mystique + +ISO 27001 is a framework, and you cannot successfully implement it by treating the text of the standard as a series of instructions to be followed in the order in which they were printed. If you try that, things will become very confusing very quickly. + +For example, the requirement of having an information security policy is first (?) mentioned in [Chapter 5.1](../../Corpus/MoCs/ISO_27001_2022_5.1_MoC%20Leadership%20and%20commitment.md), "Leadership and commitment", where it says that top management must have it established, *together* with information security objectives. Then in [Chapter 5.2](../../Corpus/Standards/ISO27x/OST/27001/EN/c-5.2-Policy.md), 'Policy', it states that these objectives form *part of* the information security policy, referencing forward to [Chapter 6.2](../../Corpus/MoCs/ISO_27001_2022_6.2_MoC%20Information%20security%20objectives%20and%20planning%20to%20achieve%20them.md), "Information security objectives and planning to achieve them", which demands that organizations should set objectives consistent with the policy. Of course there's also a corresponding Control called "Policies for information security" ([5.1](../../Corpus/Standards/ISO27x/legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md)), which explains that there will be an information security policy at the highest level of the organization, including objectives "or the framework for setting objectives", and further "topic-specific policies as needed", which of course need their own objectives. + +Programmers may love this kind of recursiveness when it's in coding exercises. + + 
diff --git a/Corpus/Sparks/GRC software is geschreven voor domeindeskundigen.md b/Content Factory/Scratch file/GRC software is geschreven voor domeindeskundigen.md similarity index 89% rename from Corpus/Sparks/GRC software is geschreven voor domeindeskundigen.md rename to Content Factory/Scratch file/GRC software is geschreven voor domeindeskundigen.md index 5cc3e5f..600591b 100644 --- a/Corpus/Sparks/GRC software is geschreven voor domeindeskundigen.md +++ b/Content Factory/Scratch file/GRC software is geschreven voor domeindeskundigen.md @@ -1,4 +1,4 @@ -This note relates to the [ISO27DIY Business model](../Standards/ISO27x/legacy/iso27DIY%20mk%20I/ISO27DIY%20Business%20model.md) +This note relates to the [ISO27DIY Business model](../../Corpus/Standards/ISO27x/legacy/iso27DIY%20mk%20I/ISO27DIY%20Business%20model.md) Probleem: de GRC software wordt aangekocht om een operationeel probleem van de compliance officer op te lossen. diff --git a/Content Factory/Scratch file/longlist.md b/Content Factory/Scratch file/longlist.md new file mode 100644 index 0000000..e69de29 diff --git a/Corpus/Literature notes/Agile Development for Application Security Managers.md b/Corpus/Literature notes/Agile Development for Application Security Managers.md index 2dd01c4..cf6cc72 100644 --- a/Corpus/Literature notes/Agile Development for Application Security Managers.md +++ b/Corpus/Literature notes/Agile Development for Application Security Managers.md 
@@ -12,7 +12,7 @@ It is moderately suitable for distribution to them in a company setting. - [ISO 27001 A.14.2.1 Secure development policy](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.14.2.1%20Secure%20development%20policy.md) Related: - - [DevSecOps and ISO 27k](../Sparks/DevSecOps%20and%20ISO%2027k.md) + - [DevSecOps and ISO 27k](../Various/Business%20processes/DevSecOps%20and%20ISO%2027k.md) # Achieving Application Security in Agile Weave security thinking into the Agile process. Adding it on later will be less secure, more costly and will probably achieve not enough attention because of release deadlines. diff --git a/Corpus/Literature notes/Assets, Vulnerabilities, Threats, Risks.md b/Corpus/Literature notes/Assets, Vulnerabilities, Threats, Risks.md index 59d3996..b6a14ae 100644 --- a/Corpus/Literature notes/Assets, Vulnerabilities, Threats, Risks.md +++ b/Corpus/Literature notes/Assets, Vulnerabilities, Threats, Risks.md @@ -8,7 +8,7 @@ A risk occurs when there's a chance of an asset being compromised, through the e Adapted from source: [Vigilant Software](https://www.vigilantsoftware.co.uk/blog/risk-terminology-understanding-assets-threats-and-vulnerabilities), retrieved December 8, 2021. -[Assets](../Sparks/Assets.md) +[About Assets](../Sparks/About%20Assets.md) [Vulnerability 1](../Sparks/Vulnerability%201.md) [Threat](Threat.md) [Risks](../Sparks/Risks.md) diff --git a/Corpus/Literature notes/BCP_Bedrijfscontinuïteitsplanning.md b/Corpus/Literature notes/BCP_Bedrijfscontinuïteitsplanning.md index 3a974e3..2e7f6b6 100644 --- a/Corpus/Literature notes/BCP_Bedrijfscontinuïteitsplanning.md +++ b/Corpus/Literature notes/BCP_Bedrijfscontinuïteitsplanning.md 
@@ -7,17 +7,17 @@ Producten: ## Literatuur - BCP.mindnode op iCloud > Best Practices -- evt. [CIS Critical Security Controls](../Sparks/CIS%20Critical%20Security%20Controls.md) als raamwerk +- evt. [CIS Controls](../Sparks/Information%20Security/CIS%20Controls.md) als raamwerk - ISO-22301-2019 'Business continuity management systems' en ISO-22313-2020 'Guidance on the use of ISO 22301' - [CISSP, Chapter 3](../Standards/CISSP/CISSP_OSG_Chapter_3.md) Bedrijfscontinuïteitsplanning is een continu proces, met als doel het implementeren en onderhouden van beleid, procedures en processen om de impact van verstoringen te beheersen. Met andere woorden: bedrijfscontinuïteitsplanning richt zich op de continuïteit van bedrijfsprocessen, zo nodig met andere middelen. -Belangrijke onderdelen van Bedrijfscontinuïteitsplanning zijn de Bedrijfsimpact Analyse ([BIA](../Sparks/Business%20Impact%20Analysis%20(BIA).md)) en het Herstelplan ('Disaster Recovery Plan' / [DRP](..//Disaster%20Recovery%20Planning.md)). +Belangrijke onderdelen van Bedrijfscontinuïteitsplanning zijn de Bedrijfsimpact Analyse ([BIA](../Sparks/ISMS/Business%20Impact%20Analysis%20(BIA).md)) en het Herstelplan ('Disaster Recovery Plan' / [DRP](..//Disaster%20Recovery%20Planning.md)). De BIA richt zich op het identificeren van de impact van verstoringen op de bedrijfsprocessen, en het Herstelplan richt zich op het herstel van de normale bedrijfsprocessen na een verstoring en de eventuele inzet van alternatieve middelen of werkwijzen . -Zie ook: [Het belang van een Bedrijfscontinuïteitsplan](../Sparks/Belang%20van%20een%20BCP.md) / [The importance of having a business continuity plan](../Sparks/Importance%20of%20a%20BCP.md). +Zie ook: [Het belang van een Bedrijfscontinuïteitsplan](../Sparks/ISMS/Belang%20van%20een%20BCP.md) / [The importance of having a business continuity plan](../Sparks/Importance%20of%20a%20BCP.md). ## Aanpak 
@@ -34,7 +34,7 @@ Het proces (Beleid) volgens welke dit hele plan tot stand komt en beoordeeld/her ## Analyse -Zie: [Business Impact Analysis (BIA)](../Sparks/Business%20Impact%20Analysis%20(BIA).md) +Zie: [Business Impact Analysis (BIA)](../Sparks/ISMS/Business%20Impact%20Analysis%20(BIA).md) Stappen: - Bepalen bedrijfskritische processen (prioriteiten bepalen) en informatie-assets diff --git a/Corpus/Sparks/Checklist for Insider Threat Prevention.md b/Corpus/Literature notes/Checklists Gerardus Blokdyk/Checklist for Insider Threat Prevention.md similarity index 100% rename from Corpus/Sparks/Checklist for Insider Threat Prevention.md rename to Corpus/Literature notes/Checklists Gerardus Blokdyk/Checklist for Insider Threat Prevention.md diff --git a/Corpus/Literature notes/Checklists Gerardus Blokdyk/Checklist for auditing DevOps IoT.md b/Corpus/Literature notes/Checklists Gerardus Blokdyk/Checklist for auditing DevOps IoT.md index 7c40864..ca1d694 100644 --- a/Corpus/Literature notes/Checklists Gerardus Blokdyk/Checklist for auditing DevOps IoT.md +++ b/Corpus/Literature notes/Checklists Gerardus Blokdyk/Checklist for auditing DevOps IoT.md @@ -10,7 +10,7 @@ Relevant ISO 27001 clauses/controls: Related: - [Operational Technology](../../Sparks/Operational%20Technology.md) -- [DevSecOps and ISO 27k](../../Sparks/DevSecOps%20and%20ISO%2027k.md) +- [DevSecOps and ISO 27k](../../Various/Business%20processes/DevSecOps%20and%20ISO%2027k.md) ## DevOps IoT: Ask This; diff --git a/Corpus/Literature notes/Checklists Gerardus Blokdyk/Checklist for security product vendors assessment.md b/Corpus/Literature notes/Checklists Gerardus Blokdyk/Checklist for security product vendors assessment.md index 3555bda..d36271f 100644 --- a/Corpus/Literature notes/Checklists Gerardus Blokdyk/Checklist for security product vendors assessment.md +++ b/Corpus/Literature notes/Checklists Gerardus Blokdyk/Checklist for security product vendors assessment.md 
@@ -10,7 +10,7 @@ Relevant ISO 27001 clauses/controls: - [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md) Related: -- [Examples of vendor selection questionnaires](../../Sparks/Examples%20of%20vendor%20selection%20questionnaires.md) +- [Examples of vendor selection questionnaires](../../Sparks/Information%20Security/Examples%20of%20vendor%20selection%20questionnaires.md) # Assessing Security Product Vendors? Ask this: 1. When a faulty product is to be returned, what processes does the vendor have in place to ensure that no customer data exists on disks or storage before it is sent to one of return centers? diff --git a/Corpus/Sparks/Cyber Security Governance Principles.md b/Corpus/Literature notes/Cyber Security Governance Principles.md similarity index 70% rename from Corpus/Sparks/Cyber Security Governance Principles.md rename to Corpus/Literature notes/Cyber Security Governance Principles.md index 5082bd2..41c5cf9 100644 --- a/Corpus/Sparks/Cyber Security Governance Principles.md +++ b/Corpus/Literature notes/Cyber Security Governance Principles.md @@ -1,4 +1,6 @@ -[](Cyber%20Security%20Governance%20Principles.pdf) by the Australian Institute of Company Directors and the Cyber Security Cooperative Research Centre, november 2024 +# Cyber Security Governance Principles + +by the Australian Institute of Company Directors and the Cyber Security Cooperative Research Centre, november 2024. The document outlines five key principles for governing organizational cyber resilience: @@ -10,3 +12,4 @@ The document outlines five key principles for governing organizational cyber res For each principle the document outlines key points and identifies 'red flags' that indicate low quality or non existent governance. +![](Cyber%20Security%20Governance%20Principles.pdf) \ No newline at end of file 
diff --git a/Corpus/Sparks/Cyber Security Governance Principles.pdf b/Corpus/Literature notes/Cyber Security Governance Principles.pdf similarity index 100% rename from Corpus/Sparks/Cyber Security Governance Principles.pdf rename to Corpus/Literature notes/Cyber Security Governance Principles.pdf diff --git a/Corpus/Literature notes/Examples of TLP document classification for different industries.md b/Corpus/Literature notes/Examples of TLP document classification for different industries.md index 3102ffb..19dd18d 100644 --- a/Corpus/Literature notes/Examples of TLP document classification for different industries.md +++ b/Corpus/Literature notes/Examples of TLP document classification for different industries.md @@ -1,9 +1,9 @@ # Examples of TLP document classification for different industries -- [for information security](../Sparks/FIRST%20TLP%20labeled%20document%20examples%20for%20information%20security.md) -- [for a commercial services organization](../Sparks/FIRST%20TLP%20labeled%20document%20examples%20commercial.md) -- [for a childcare organization](../Sparks/FIRST%20TLP%20labeled%20document%20examples%20childcare.md) -- [for a hospital](../Sparks/FIRST%20TLP%20labeled%20document%20examples%20hospital.md) +- [for information security](../Sparks/ISMS/Data%20classification/FIRST%20TLP%20labeled%20document%20examples%20for%20information%20security.md) +- [for a commercial services organization](../Sparks/ISMS/Data%20classification/FIRST%20TLP%20labeled%20document%20examples%20commercial.md) +- [for a childcare organization](../Sparks/ISMS/Data%20classification/FIRST%20TLP%20labeled%20document%20examples%20childcare.md) +- [for a hospital](../Sparks/ISMS/Data%20classification/FIRST%20TLP%20labeled%20document%20examples%20hospital.md) - [for a national government organization](FIRST%20TLP%20labeled%20document%20examples%20national%20government.md) 
diff --git a/Corpus/Literature notes/Roles in Identity and Access Management (IAM).md b/Corpus/Literature notes/Roles in Identity and Access Management (IAM).md index 041da8a..ee59795 100644 --- a/Corpus/Literature notes/Roles in Identity and Access Management (IAM).md +++ b/Corpus/Literature notes/Roles in Identity and Access Management (IAM).md @@ -1,4 +1,4 @@ -See also: [Access Control Models](../Sparks/Access%20Control%20Models.md) +See also: [Access Control Models](../Sparks/ISMS/Access%20Control%20Models.md) ## Rollen in autorisatiebeheer diff --git a/Corpus/Literature notes/Roles in Information security management.md b/Corpus/Literature notes/Roles in Information security management.md index 74f832b..32cb0e5 100644 --- a/Corpus/Literature notes/Roles in Information security management.md +++ b/Corpus/Literature notes/Roles in Information security management.md @@ -10,10 +10,10 @@ For examples of defined roles, see: Related: - [Asset ownership](../Sparks/Asset%20ownership.md) -- [Control ownership](../Sparks/Control%20ownership.md) +- [Control ownership](../Sparks/ISMS/Control%20ownership.md) - [Risk ownership](../Sparks/Risk%20ownership.md) - [Segregation of Duties](Segregation%20of%20Duties.md) -- [Access Control Models](../Sparks/Access%20Control%20Models.md) +- [Access Control Models](../Sparks/ISMS/Access%20Control%20Models.md) **Roles according to CISSP (p. 23 ev.):** * Senior Manager: decides on policies, ultimately responsible. diff --git a/Corpus/Literature notes/Security Threat Modeling.md b/Corpus/Literature notes/Security Threat Modeling.md index d75259f..ffc2027 100644 --- a/Corpus/Literature notes/Security Threat Modeling.md +++ b/Corpus/Literature notes/Security Threat Modeling.md 
@@ -3,7 +3,7 @@ https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/ Related: - - [Create a threat analysis chatbot](../Sparks/Create%20a%20threat%20analysis%20chatbot.md) + - [Create a threat analysis chatbot](../Various/Create%20a%20threat%20analysis%20chatbot.md) ![700](Threat%20scenario%20elements.jpeg) \ No newline at end of file diff --git a/Corpus/Literature notes/Seven Dimensions of Security Culture.md b/Corpus/Literature notes/Seven Dimensions of Security Culture.md index 48d4877..0d8421f 100644 --- a/Corpus/Literature notes/Seven Dimensions of Security Culture.md +++ b/Corpus/Literature notes/Seven Dimensions of Security Culture.md @@ -1,6 +1,4 @@ -https://research.knowbe4.com/security-culture-survey - -## The Seven Dimensions of Security Culture +# The Seven Dimensions of Security Culture The Security Culture Survey measures the sentiments of your users towards security in your organization – the psychological and social aspects that drive social behavior. Specifically, the SCS measures seven dimensions of security culture which include: 
@@ -8,7 +6,8 @@ The Security Culture Survey measures the sentiments of your users towards securi - **BEHAVIOR -** The actions and activities of employees that have direct or indirect impact on the security of the organization. - **COGNITION -** The employees’ understanding, knowledge and awareness of security issues and activities. - **COMMUNICATION -** The quality of communication channels to discuss security-related events, promote a sense of belonging, and provide support for security issues and incident reporting. - - **COMPLIANCE -** The knowledge of written security policies and the extent that employees follow them. - **NORMS -** Unwritten expectations regarding appropriate behaviors pertaining to usage of information technology in organizational context, perception of what practices are normal and unproblematic. -- **RESPONSIBILITY -** The employees’ perceived role as a critical factor in sustaining or endangering the security of the organization. \ No newline at end of file +- **RESPONSIBILITY -** The employees’ perceived role as a critical factor in sustaining or endangering the security of the organization. + +https://research.knowbe4.com/security-culture-survey \ No newline at end of file diff --git a/Corpus/Literature notes/Threat Catalogues.md b/Corpus/Literature notes/Threat Catalogues.md index b95afa6..d13daef 100644 --- a/Corpus/Literature notes/Threat Catalogues.md +++ b/Corpus/Literature notes/Threat Catalogues.md @@ -24,5 +24,5 @@ LINDDUN GO OWASP RISMAN -Data Maturity Models, zie [Data maturity model NL overheid](../Sparks/Data%20maturity%20model%20NL%20overheid.md) +Data Maturity Models, zie [Data maturity model NL overheid](../Sparks/Information%20Security/Data%20maturity%20model%20NL%20overheid.md) diff --git a/Corpus/MoCs/ISO_27002_2022_5.29_MoC Information security during disruption.md b/Corpus/MoCs/ISO_27002_2022_5.29_MoC Information security during disruption.md index df2b895..4cef55b 100644 
--- a/Corpus/MoCs/ISO_27002_2022_5.29_MoC Information security during disruption.md +++ b/Corpus/MoCs/ISO_27002_2022_5.29_MoC Information security during disruption.md @@ -4,5 +4,5 @@ [[ISO_27002_2022_5.29_PE Information security during disruption \|Plain English]] ISO 27002:2013: 17.1.1, 17.1.2, 17.1.3 -[Business Impact Analysis (BIA)](../Sparks/Business%20Impact%20Analysis%20(BIA).md) +[Business Impact Analysis (BIA)](../Sparks/ISMS/Business%20Impact%20Analysis%20(BIA).md) diff --git a/Corpus/MoCs/ISO_27002_2022_5.30_MoC ICT readiness for business continuity.md b/Corpus/MoCs/ISO_27002_2022_5.30_MoC ICT readiness for business continuity.md index 30a4830..4634ada 100644 --- a/Corpus/MoCs/ISO_27002_2022_5.30_MoC ICT readiness for business continuity.md +++ b/Corpus/MoCs/ISO_27002_2022_5.30_MoC ICT readiness for business continuity.md @@ -7,6 +7,6 @@ ISO 27002:2013: n/a See also: - [BCP_Bedrijfscontinuïteitsplanning](../📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md) -- [Business Impact Analysis (BIA)](../Sparks/Business%20Impact%20Analysis%20(BIA).md) -- [Disaster Recovery Planning](../Sparks/Disaster%20Recovery%20Planning.md) +- [Business Impact Analysis (BIA)](../Sparks/ISMS/Business%20Impact%20Analysis%20(BIA).md) +- [Disaster Recovery Planning](../Sparks/ISMS/Disaster%20Recovery%20Planning.md) diff --git a/Corpus/MoCs/ISO_27002_2022_5.9_MoC Inventory of information and other associated assets.md b/Corpus/MoCs/ISO_27002_2022_5.9_MoC Inventory of information and other associated assets.md index 4055ab2..ebd48c5 100644 --- a/Corpus/MoCs/ISO_27002_2022_5.9_MoC Inventory of information and other associated assets.md +++ b/Corpus/MoCs/ISO_27002_2022_5.9_MoC Inventory of information and other associated assets.md 
@@ -6,5 +6,5 @@ ISO 27002:2013: 08.1.1, 08.1.2 [Brontekst](../ISO-27002-OST/ISO27002-NL-2022/a-5.9-Inventarisatie-van-informatie-en-andere-gerelateerde-bedrijfsmiddelen.md) -The inventory serves as input for the [Business Impact Analysis (BIA)](../Sparks/Business%20Impact%20Analysis%20(BIA).md) +The inventory serves as input for the [Business Impact Analysis (BIA)](../Sparks/ISMS/Business%20Impact%20Analysis%20(BIA).md) [ISO_27001_2022_00_MoC Index EXT](ISO_27001_2022_00_MoC%20Index%20EXT.md) diff --git a/Corpus/MoCs/iso27DIY-MoC.md b/Corpus/MoCs/iso27DIY-MoC.md index dc06fd3..de7165b 100644 --- a/Corpus/MoCs/iso27DIY-MoC.md +++ b/Corpus/MoCs/iso27DIY-MoC.md @@ -33,10 +33,10 @@ tags: [UI ideas](AuditGlue/System%20alternative/iso27DIY%20UI%20ideas.md) ### Agents -[Create a proactive conversational agent](../Sparks/Create%20a%20proactive%20conversational%20agent.md) -[Create an interview agent](../Sparks/Create%20an%20interview%20agent.md) +[Create a proactive conversational agent](../Various/Create%20a%20proactive%20conversational%20agent.md) +[Create an interview agent](../Various/Create%20an%20interview%20agent.md) [Agent Design Intent Card](AuditGlue/System%20alternative/Agent%20Design%20Intent%20Card.md) -[Create a threat analysis chatbot](../Sparks/Create%20a%20threat%20analysis%20chatbot.md) +[Create a threat analysis chatbot](../Various/Create%20a%20threat%20analysis%20chatbot.md) [Instruct an LLM on available tools](../Sparks/Instruct%20an%20LLM%20on%20available%20tools.md) [LLM Prompt types](../Sparks/LLM%20Prompt%20types.md) 
@@ -44,14 +44,14 @@ tags: [ISO27DIY Videos list](../🧱%20Projects/iso27DIY%20mk%20I/ISO27DIY%20Videos%20list.md) ## Platform -[Design Document for ISO 27001 Certification Support Online Service](../Sparks/Design%20Document%20for%20ISO%2027001%20Certification%20Support%20Online%20Service.md) +[Design Document for ISO 27001 Certification Support Online Service](../Various/Design%20Document%20for%20ISO%2027001%20Certification%20Support%20Online%20Service.md) [Personae and Roles](../Sparks/Personae%20and%20Roles.md) [TypeDB structure for ISO27DIY](../Sparks/TypeDB%20structure%20for%20ISO27DIY.md) -[Client segregation](../Sparks/Client%20segregation.md) -[Building functionality in Supabase](../Sparks/Building%20functionality%20in%20Supabase.md) +[Client segregation in SaaS](../Sparks/Information%20Security/Client%20segregation%20in%20SaaS.md) +[Building functionality in Supabase](../Various/Building%20functionality%20in%20Supabase.md) [SupaBase edge functions portability](../Sparks/SupaBase%20edge%20functions%20portability.md) -[Connect LLM to Supabase to create content](../Sparks/Connect%20LLM%20to%20Supabase%20to%20create%20content.md) -[Deciding which functionality goes where](../Sparks/Deciding%20which%20functionality%20goes%20where.md) +[Connect LLM to Supabase to create content](../Various/Connect%20LLM%20to%20Supabase%20to%20create%20content.md) +[Application architecture](../Various/Application%20architecture.md) [iso27DYI architecture with LLM](AuditGlue/System%20alternative/iso27DYI%20architecture%20with%20LLM.md) [iso27DIY stack deployment](AuditGlue/System%20alternative/iso27DIY%20stack%20deployment.md) [SurveyJS](../Sparks/SurveyJS.md) diff --git a/Corpus/Sparks folder cleanup suggestions.md b/Corpus/Sparks folder cleanup suggestions.md index 20b0cb6..107c20b 100644 --- a/Corpus/Sparks folder cleanup suggestions.md +++ b/Corpus/Sparks folder cleanup suggestions.md 
@@ -16,7 +16,10 @@ Several notes also have zero frontmatter at all. **Step 1: Triage first, don't reorganize yet** -Before moving anything, do a first pass and tag each note with a simple `status` value in the frontmatter. I'd suggest three values: `promote` (ready or near-ready to move into the Corpus), `develop` (has substance but needs work), and `archive` (not ISO content, or irrelevant). This can be done quickly because most notes make it obvious within 10 seconds which bucket they're in. +Before moving anything, do a first pass and tag each note with a simple `status` value in the frontmatter. This can be done quickly because most notes make it obvious within 10 seconds which bucket they're in.I'd suggest three values: +- `promote` (ready or near-ready to move into the Corpus), +- `develop` (has substance but needs work), +- `archive` (not ISO content, or irrelevant). **Step 2: Separate non-ISO content** diff --git a/Corpus/Sparks/About iso27diy/About the Industry.md b/Corpus/Sparks/About iso27diy/About the Industry.md deleted file mode 100644 index f86ae5f..0000000 --- a/Corpus/Sparks/About iso27diy/About the Industry.md +++ /dev/null 
@@ -1,9 +0,0 @@ -This next part is about the iso 27001 industry and its actors. Correct the following text so that the proper terms are used. Expand with other actors and their roles if necessary. This is the text: - -- the standards organization develops the standard for a certain domain -- the certification bureau checks if the standard is properly implemented within the organization and issues a certificate -- Clients, regulatory bodies and other stakeholders of the organization demand the organization to be certified to proof adequate risk control within the domain -- the organization implements the standard to get certified -- the implementation consultant helps the organization to implement the standard -- the internal auditor checks if the standard is properly implemented within the organization -- The external auditor works for the certification bureau diff --git a/Corpus/Sparks/About iso27diy/About the flow.md b/Corpus/Sparks/About iso27diy/About the flow.md deleted file mode 100644 index da71468..0000000 --- a/Corpus/Sparks/About iso27diy/About the flow.md +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -tags: -- project/iso27DIY/journey -- type/explainer ---- - -## Journey - -We’ll start with analyzing the context of where the ISMS will operate. We’ll look at your organization, it’s structure and processes, important stakeholders and internal and external developments. - -From that we’ll help you identify risks and opportunities, and define risk mitigating measures. - -Together we will create policies, procedures and guidelines, and control implementation plans. - -Gradually, we’ll work towards your first internal audit. - - -++ increased understanding -++ actually improving your security posture -We know that we need to get your organization along, so we’ll start with risks and opportunities that matter to your stakeholders. - -## Timeline -we will adapt to your pace, but we will actively coach you, like your sports watch would. - -## Interaction model - - -Work iteratively, you can always come back later \ No newline at end of file diff --git a/Corpus/Sparks/About iso27diy/Interactie met de gebruiker.md b/Corpus/Sparks/About iso27diy/Interactie met de gebruiker.md deleted file mode 100644 index 0580e7e..0000000 --- a/Corpus/Sparks/About iso27diy/Interactie met de gebruiker.md +++ /dev/null 
@@ -1,21 +0,0 @@ -# Interactie met de gebruiker - -1. Gebruiker kiest een Lesmodule uit menu -2. Content wordt getoond. Filmpje, tekst, afbeelding. -3. De gebruiker krijgt een ‘taak’. Hij/zij heeft de keuze die nu uit te voeren, of te parkeren in de persoonlijke Takenlijst[^1] (onderdeel van GRC). De taak bevat een verwijzing naar de content, zodat die later weer opgepakt kan worden. -4. De taak kan bestaan uit bijv: - 5. het uploaden van een document - 6. het invullen van een vragenlijst - 7. het vullen van een tabel (simpele spreadsheet met rij/kolom totalen bijv) -8. Wat de gebruiker toevoegt wordt opgeslagen in de GRC-module -9. De input van de gebruiker wordt gebruikt om nieuwe content te genereren, bijv. een beleidsdocument. Dit kan gebeuren met templates, logische regels, of LLM. -10. Gegenereerde content wordt ter controle aangeboden aan de gebruiker. Die moet daar wijzigingen in aan kunnen brengen en uiteindelijk de productie akkoord verklaren. -11. Na akkoord is er een wijziging in het ‘volwassenheidsniveau’ van het ISMS. Deze komt tot uitdrukking in het ‘Implementatie Dashboard’ (onderdeel van GRC). – kan dynamisch gegenereerd worden - -- [ ] Uitwerken: Er zit onderlinge afhankelijkheid in: soms kun je stap 3 pas nemen als je stap 1 gedaan. -- [ ] Volwassenheidsniveaus benoemen. - - -[^1]: in een latere versie kunnen taken toegewezen worden aan een andere gebruiker. - - diff --git a/Corpus/Sparks/About iso27diy/Ocean Sailing Metaphor.md b/Corpus/Sparks/About iso27diy/Ocean Sailing Metaphor.md deleted file mode 100644 index e94c11b..0000000 --- a/Corpus/Sparks/About iso27diy/Ocean Sailing Metaphor.md +++ /dev/null 
@@ -1,417 +0,0 @@ -# The Merchant Vessel's Voyage: An ISMS Implementation Story - -## **The Premise** - -You're the captain of a merchant trading vessel, transporting valuable cargo across established trade routes. Your mission: deliver precious goods safely to distant ports while building a reputation for reliability and security that will sustain your trading company for years to come. - ---- - -## **Episode 1: Charting the Destination** (Setting the Goals) - -Before leaving port, you gather your officers and backers around the navigation table. What defines success for this voyage? - -- **The cargo's safe arrival**: Your hold contains valuable spices, silk, medical herbs, fine instruments - goods that merchants await -- **The crew's safe return**: A ship without seasoned sailors is just expensive timber -- **Maintaining your reputation**: In the trading world, trust is currency -- **Regulatory compliance**: You must satisfy the Harbor Master's requirements and international maritime codes to operate legally -- **Sustainable operations**: This isn't a single voyage - you're building a trading enterprise - -You define your **scope**: Which routes will you sail? Which ports are included? What cargo types will you carry? - -Your **security objectives** become clear: confidentiality (cargo manifests and trade secrets), integrity (goods arrive uncontaminated and authentic), availability (reliable delivery schedules). - -You announce these goals to all stakeholders - the ship's owners, the crew, the merchants whose goods you carry. - ---- - -## **Episode 2: Reading the Waters** (External Issues) - -Before you can plan your route, you must understand the world through which you'll sail: - -- **Pirate activity**: Which waters are most dangerous? What are their tactics? Are they after cargo, ransom, or the ship itself? -- **Weather patterns**: Monsoon seasons, hurricane zones, fog-prone straits -- **Geopolitical tensions**: Which nations are at war? 
Where are trade embargoes? Which flags grant safe passage where? -- **Port regulations**: Different harbors have different requirements - quarantine rules, inspection protocols, docking fees -- **Competition**: Other trading companies, their routes, their security measures -- **Technology changes**: New navigation instruments, faster ships, encrypted communication methods between trading houses -- **Economic conditions**: Which goods are in demand? Where are prices best? - -You gather intelligence from: - -- Harbor masters' reports -- Returning captains' debriefings -- Maritime insurance underwriters -- Coastal watchtowers' signals -- Trading guild bulletins - -This **external context** shapes every decision you'll make. - ---- - -## **Episode 3: Knowing Your Vessel** (Internal Issues, Assets, Strengths & Weaknesses) - -Now you turn your attention inward. What are you working with? - -### **Your Assets to Protect:** - -- **The cargo** (your primary information assets): Spices in the forward hold, medicinal herbs requiring cool storage, sealed letters of credit, navigation charts showing profitable routes -- **The ship itself**: Hull integrity, sail condition, water-tightness of hatches -- **Your crew**: The navigator's expertise, the surgeon's knowledge, the carpenter's skills -- **Your reputation and relationships**: Trust with merchants, favorable insurance rates, preferential port access -- **Supporting systems**: The ship's boat (your backup), fresh water supplies, repair materials - -### **Strengths:** - -- Experienced first mate who's sailed these waters for 20 years -- Recently reinforced hull -- Disciplined crew with low turnover -- Strong relationships with key ports - -### **Weaknesses:** - -- The navigator is brilliant but aging, with no clear successor trained -- Your encryption methods for sensitive documents are known by former crew who now sail for competitors -- The starboard cargo hold has a persistent leak -- Only two crew members can operate the 
new navigational instruments -- Your emergency procedures exist mostly in the captain's head - -You conduct a thorough **inventory and assessment**: Who has access to what? Where are critical vulnerabilities? What depends on single points of failure? - ---- - -## **Episode 4: Mapping the Dangers** (Risk Assessment) - -With your destination set, external conditions understood, and internal capabilities assessed, you now systematically identify what could go wrong: - -### **Risk Identification:** - -- **Pirates in the Straits of Malacca**: High likelihood, severe impact (loss of cargo and possible crew) -- **Storm season in the South China Sea**: Medium likelihood, catastrophic impact -- **Crew illness/scurvy**: Medium likelihood, major impact on operations -- **Cargo contamination from hold leak**: High likelihood, moderate impact -- **Navigator incapacitation**: Low likelihood, severe impact -- **Insider threat** (disgruntled crew revealing routes to competitors): Low likelihood, moderate impact -- **Port authority seizure** due to paperwork errors: Medium likelihood, major impact -- **Fire in the cargo hold**: Low likelihood, catastrophic impact - -### **Risk Analysis:** - -For each risk, you assess: - -- **Likelihood**: Based on historical data (ships lost in these waters), current intelligence (pirate activity reports), ship conditions (that leaky hold) -- **Impact**: What happens if this occurs? Loss of cargo value? Crew lives? Ship itself? Reputation damage? -- **Existing controls**: What are you already doing? You have fire buckets, a daily inspection routine, experienced crew - -### **Risk Evaluation:** - -You plot these on a risk matrix with your officers. Which risks are acceptable for a merchant vessel? Your risk appetite is moderate - you're not running military secrets that require extreme measures, but you can't afford frequent losses either. - -You prioritize: High likelihood + high impact risks must be addressed immediately. 
Low likelihood + low impact risks you'll accept. - ---- - -## **Episode 5: Plotting the Course** (Risk Treatment - Identifying Measures) - -For each significant risk, you now decide your strategy: - -### **Avoid:** - -- **Don't sail during peak storm season**: Delay departure by three weeks -- **Avoid notorious pirate waters entirely**: Take the longer, safer route - -### **Reduce:** - -- **Pirate encounters**: Sail in convoy with other merchants, hire additional armed crew, reinforce the captain's cabin (where valuables are stored), establish communication signals between convoy ships -- **Cargo contamination**: Repair the hold leak, use sealed containers, implement daily inspection rounds -- **Navigation failure**: Train two junior officers in advanced navigation, maintain duplicate charts stored separately, establish position verification protocols -- **Fire**: Implement strict rules about open flames, station fire watch, conduct monthly fire drills, store water barrels strategically - -### **Transfer:** - -- **Cargo loss**: Purchase maritime insurance (though it's expensive and has limitations) -- **Crew injury**: Contract with a maritime medical service in major ports - -### **Accept:** - -- **Minor cargo spoilage**: Some loss of spice potency is inevitable over long voyages; build this into pricing -- **Wear on sails and rigging**: Routine deterioration; maintain replacement supplies - -You create a **Statement of Applicability** - essentially a ship's security manifest that lists all maritime security controls, which ones you're implementing, which you're not, and why. - ---- - -## **Episode 6: The Ship's Standing Orders** (Policies and Procedures) - -Now you formalize how your ship will operate. 
These aren't just the captain's whims - they're documented protocols that ensure consistency even when you're sleeping: - -### **Access Control Policy** ("Who Goes Where"): - -- **Cargo holds**: Only the quartermaster and captain have keys; entry logged in the ship's book -- **Captain's cabin** (sensitive documents): Captain only; first mate has sealed emergency key -- **Navigation room**: Navigator and trained officers only -- **Critical supplies** (medical stores, emergency rations): Surgeon and quartermaster access; usage logged - -### **Watch Standing Procedures** (Continuous Monitoring): - -- Four-hour watches with clear handoff protocols -- What to look for: other ships, weather changes, coastal landmarks -- How to sound alarms for different threats -- Night signal procedures - -### **Cargo Handling Protocols**: - -- Inspection upon loading (verify against manifest) -- Daily hold inspections (check for water, pests, shifting) -- Verification before unloading (ensure seals intact) -- Chain of custody documentation - -### **Emergency Response Procedures**: - -- **Fire**: Specific roles assigned, equipment locations, communication signals -- **Pirate attack**: Battle stations, valuable cargo disposal procedures (if necessary), surrender signals (if absolutely necessary) -- **Man overboard**: Stop signals, rescue boat launch, recovery procedures -- **Taking on water**: Damage assessment, pumping priorities, emergency port protocols - -### **Navigation Protocols**: - -- Position verification twice daily -- Cross-checking between celestial navigation and known landmarks -- Backup navigation methods -- How to handle disagreement between navigator and captain - -### **Communication Security**: - -- How to encode sensitive messages -- Which information can be shared in port -- Procedures when crew members depart -- How to verify identity of ships claiming to be friendly - -### **Maintenance Standards**: - -- Daily inspections (rigging, hull, pumps) -- Weekly 
maintenance (sail repairs, deck treatment) -- Monthly drills (fire, abandon ship, battle) -- Equipment testing schedules - -### **Crew Management**: - -- Hiring procedures (background checks with previous captains) -- Security training for new crew -- Disciplinary procedures -- Departure protocols (what they can take, what they must return) - -Each policy answers: **What** must be done, **Why** it matters, **Who** is responsible, **When** and **How** it's done, and **What to do if** something goes wrong. - ---- - -## **Episode 7: Casting Off** (Implementation) - -The planning is complete. Now comes the actual voyage - putting your measures into action: - -### **Pre-Departure:** - -- Reinforce the cargo hold (that leak must be fixed) -- Install the new secure storage in the captain's cabin -- Conduct security training for the crew on the new protocols -- Brief all hands on the voyage plan and their roles -- Load cargo with new inspection procedures -- Verify all equipment is aboard and functional - -### **Underway:** - -- The watch rotation begins according to standing orders -- Daily hold inspections reveal the repairs are holding -- You drill the crew on emergency procedures weekly -- Navigation protocols are followed - the junior officers are learning -- Access logs are maintained for all sensitive areas -- Incident reports are filed when protocols aren't followed (the cook accessed medical supplies without the surgeon present - why? turns out for a legitimate minor burn, but the procedure needs clarification) - -### **Continuous Adjustment:** - -- Three days out, you receive signals that pirates have been sighted ahead; you adjust course and increase watches -- A storm forces you to secure cargo differently than planned - you document the new method -- One crew member proves unreliable at watch; they're reassigned and additional training provided to their replacement - -Implementation means **living** the procedures daily, not just having them written down. 
- ---- - -## **Episode 8: Keeping the Ship Supplied** (Resources and Competence) - -A ship doesn't sail on good intentions. Throughout the voyage, you must ensure: - -### **Financial Resources:** - -- Budget for unexpected port fees -- Reserve funds for emergency repairs -- Insurance premiums -- Crew wages (security depends on crew loyalty) - -### **Human Resources:** - -- Adequate crew size for watch rotations -- Specialized skills: navigator, surgeon, carpenter, sailmaker -- Training time - you can't expect new crew to know complex procedures instantly -- Succession planning - you're actively training that junior navigator - -### **Physical Resources:** - -- Spare rigging and sails -- Repair materials (timber, pitch, nails) -- Security equipment (weapons, locks, sealing wax) -- Safety equipment (fire buckets, rescue lines, ship's boat) -- Extra supplies beyond minimum (because delays happen) - -### **Knowledge Resources:** - -- Navigation charts (and backups) -- Ship's library of maritime procedures -- Current intelligence from ports -- Documentation of your own procedures and lessons learned - -### **Time:** - -- Adequate voyage timeline (rushing leads to cutting security corners) -- Maintenance windows (you must occasionally heave-to for repairs) -- Training time during long passages -- Rest for crew (exhausted sailors make mistakes) - -You establish **competence requirements**: What must each role know? The first mate must be able to take command. The quartermaster must know cargo handling. All crew must know basic emergency procedures. - -You track **awareness**: Does everyone understand why these security measures matter? They'll follow procedures better if they understand they're protecting their own interests (cargo arrives = they get paid; ship is safe = they live). - ---- - -## **Episode 9: The Ship's Log** (Documentation) - -From the moment you leave port, you maintain meticulous records. 
In the maritime world, if it's not in the log, it didn't happen: - -### **The Master Log:** - -- Daily entries: position, weather, course, significant events -- All decisions and why they were made -- All incidents and how they were handled -- Changes to procedures - -### **Specialized Logs:** - -- **Cargo manifest**: What's aboard, where it's stored, condition checks -- **Watch log**: Who was on duty when, what they observed -- **Maintenance log**: Repairs, inspections, equipment status -- **Incident reports**: Anything unusual, even if minor -- **Training records**: Who's been trained on what procedures -- **Access logs**: Who entered sensitive areas when - -### **Charts and Plans:** - -- Navigation charts with your actual route (vs. planned) -- Cargo stowage plans -- Emergency evacuation plans -- Crew roster with roles and competencies - -### **Why This Matters:** - -- **Learning**: What worked? What didn't? Your next voyage will be safer -- **Accountability**: If something goes wrong, you can trace what happened -- **Compliance**: Port authorities and insurers require documentation -- **Continuity**: If you're incapacitated, your first mate needs to know everything -- **Evidence**: If crew or cargo disputes arise, you have records -- **Improvement**: You can't improve what you don't measure - -The ship's log is your organizational memory - it outlasts any single voyage. - ---- - -## **Episode 10: Harbor Master's Inspection** (Audit and Review) - -### **Internal Reviews (Ongoing):** - -Throughout the voyage, you conduct regular self-assessments: - -- **Daily bridge briefings**: What happened in the last 24 hours? What's ahead? Are procedures being followed? -- **Weekly officer meetings**: Deeper review of security effectiveness, crew morale, equipment status -- **Incident reviews**: Whenever something goes wrong (or almost goes wrong), you gather the relevant crew and analyze: What happened? Why? What will we do differently? 
-- **Monthly drills**: Testing emergency procedures and evaluating performance - -### **Port Audits (External):** - -When you reach port, several inspections occur: - -**Harbor Master's Security Inspection:** - -- Are your cargo manifests accurate? -- Are dangerous goods properly stored and documented? -- Does your crew have proper credentials? -- Are your safety and security measures adequate? -- Do you meet international maritime security codes? - -The Harbor Master is like your ISO 27001 auditor - they verify you're following established maritime security standards. - -**Cargo Survey:** - -- Merchants' representatives inspect their goods -- Verifying seals are intact -- Checking condition matches manifest -- This proves your controls worked (or reveals where they didn't) - -**Insurance Assessment:** - -- Your insurer may inspect to verify you followed security protocols -- This affects future premiums and coverage - -### **Post-Voyage Review (Management Review):** - -After reaching your destination, you conduct a comprehensive review with your officers and the ship's owners: - -**What Worked:** - -- The convoy strategy - no pirate encounters despite sailing through risky waters -- Junior navigator training - you now have backup capability -- Daily hold inspections caught problems early - -**What Didn't:** - -- The new watch rotation led to gaps in dawn coverage twice -- Access logging was inconsistently followed (people got busy) -- Fire drill times were too slow - crew needs more practice - -**Metrics Analysis:** - -- Incidents logged: 12 (down from 18 last voyage) -- Security procedure compliance: 94% (target was 95%) -- Cargo loss: 0.5% (within acceptable range) -- On-time arrival: 2 days early (good) -- Crew injuries: 1 minor (excellent) - -**Risk Reassessment:** - -- Are the risks you identified still accurate? -- Did new risks emerge? (You encountered fog banks that weren't in your initial assessment) -- Have external conditions changed? 
(Political tensions have eased in certain waters) -- Are your controls still appropriate? - -**Decisions for Next Voyage:** - -- Adjust watch rotation based on lessons learned -- Implement new access control procedure to improve compliance -- Conduct more frequent fire drills -- Update risk assessment to include fog navigation -- Invest in better equipment for certain controls - -### **Continuous Improvement:** - -The voyage doesn't truly end when you reach port. You've learned from this journey, updated your procedures, and you're already preparing for the next departure. The ship's standing orders are now revised - Version 2.0 - incorporating everything you've learned. - -You share lessons with other captains in your trading company. Best practices spread through the fleet. - -**ISO Certification Parallel:** This comprehensive review - with documented evidence from your logs, demonstrated effectiveness of controls, and commitment to continuous improvement - is what convinces the Harbor Master (auditor) to certify your ship as meeting international security standards. The certificate isn't the end goal; it's recognition that you operate a secure, reliable, continuously improving operation. - ---- - -## **The Journey Continues** - -Unlike a fortress that, once built, stands static, your merchant vessel is always in motion. The sea changes. Threats evolve. Crews turn over. New ports open. Technology advances. - -Your ISMS is the same - not a project with an end, but an operational discipline. The standing orders (policies) guide daily operations. The log (documentation) captures your organizational memory. The crew (your people) execute with competence and awareness. The inspections (audits) verify effectiveness. And the voyage (your business) continues, safer and more resilient because of the system you've built. 
- -**The ISO 27001 certificate is your Letter of Marque** - official recognition that your vessel meets the standards required to trade safely in international waters, protecting the valuable cargo (information) entrusted to your care. diff --git a/Corpus/Sparks/About iso27diy/iso27DYI - How this works.md b/Corpus/Sparks/About iso27diy/iso27DYI - How this works.md deleted file mode 100644 index 5bcb271..0000000 --- a/Corpus/Sparks/About iso27diy/iso27DYI - How this works.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# iso27DYI: How this works - - -## Structure - -We've divided the ISMS implementation into a number of Episodes. - - -- setting the goals -- what's the lay of the land (relevant external issues) -- how's our equipe, our assets that need to be protected (internal issues, strengths and weaknesses) -- knowing the risks -- identifying measures to mitigate the risks -- creating the recipes (policies) for resilience in different areas / domains -- implementing the risk mitigating measures -- ensuring resources to implement and maintain everything -- all the while documenting stuff as we go allong -- audit and review how we're doing. - -For every element of the ISO 27001 you need to be able to tell the auditor: - -- what your method is for implementing the requirement -- how and when you monitor the results of your implementation -- how and when you evaluate the results and identify possible improvements -- when you are planning to implement these improvements -- who's involved and who's responsible for each of these steps. - -In ISO27DIY we deal with this by providing Policy Cards for every Clause and Control of the ISO 27001. - -There's always our Controls Library with everything in Plain English, support by our consultants. When the time is ready, you can plan a preliminiary audit. - -## Principles -- work with what you got - keep doing what you do but make it 'compliant' -- work iteratively - you can always come back later - -# Metadata -- which 'slots' this scene fills diff --git a/Corpus/Sparks/Access Control.md b/Corpus/Sparks/Access Control.md deleted file mode 100644 index 8e26979..0000000 --- a/Corpus/Sparks/Access Control.md +++ /dev/null 
@@ -1,13 +0,0 @@ -# Access Control - -While [authorization](../Standards/ISO27x/Authorization.md) is primarily concerned with establishing the policies and rules that dictate access (i.e. *what* a person or system is allowed to do), **access control** is the _system_ or _process_ that enforces those defined permissions. - -See: -- [Gedachten over rechtenstructuren](Gedachten%20over%20rechtenstructuren.md) -- [Authorization vs Access Control](Authorization%20vs%20Access%20Control.md) -- [Access Control Models](Access%20Control%20Models.md) -- [ISO 27001 A 9 Access control](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%209%20Access%20control.md) -- [a-5.15-Access-control](../Standards/ISO27x/OST/27002/EN/a-5.15-Access-control.md) - - - diff --git a/Corpus/Sparks/Artikel 39 Taken van de functionaris voor gegevensbescherming.md b/Corpus/Sparks/Artikel 39 Taken van de functionaris voor gegevensbescherming.md deleted file mode 100644 index d51c94b..0000000 --- a/Corpus/Sparks/Artikel 39 Taken van de functionaris voor gegevensbescherming.md +++ /dev/null @@ -1,2 +0,0 @@ -Zie ook: [DPOaaS offer Glownexus](../Literature%20notes/DPOaaS%20offer%20Glownexus.md) - diff --git a/Corpus/Sparks/Assembling a Project Team.md b/Corpus/Sparks/Assembling a Project Team.md deleted file mode 100644 index 58fc73c..0000000 --- a/Corpus/Sparks/Assembling a Project Team.md +++ /dev/null @@ -1 +0,0 @@ -... for the implementation. \ No newline at end of file diff --git a/Corpus/Sparks/Asset ownership policy of RUMC.md b/Corpus/Sparks/Asset ownership policy of RUMC.md deleted file mode 100644 index dad347a..0000000 --- a/Corpus/Sparks/Asset ownership policy of RUMC.md +++ /dev/null 
@@ -1,37 +0,0 @@ -Bron: mail Remco Landegge, Security Expert Radboud UMC, 2 december 2024 - -*Zie ook: [Risk ownership](Risk%20ownership.md)* - -Team Architectuur, Security, Compliance and Informatie analyse -Stafdienst Informatie Management - -Elke [vrijdag](canary:event?ts=755175605.00) in de even weken roostervrij. -Dit is het model wat wij gebruiken voor eigenaarschap binnen onze organisatie. Als je er iets van gebruikt dan alle verwijzingen naar Radboudumc verwijderen a.u.b. - -Heb ook nog even naar jouw canvas aanpak gekeken, dit is grotendeels hetzelfde als wij nu hanteren binnen onze eigen risico methodiek (die ook al bekend is op de afdelingen). Het denken in risico’s is voor ziekenhuizen geen onbekend terrein 😉 - -**4.2 Wie is de eigenaar van een bedrijfsmiddel/bedrijfsproces?** - -Het komt voor dat eigenaarschap van een bedrijfsmiddel en/of een bedrijfsproces onduidelijk is. In die gevallen kan het eigenaarschap van een bedrijfsproces/bedrijfsmiddel via het onderstaande schema worden bepaald. - -![](http://localhost:10054/images?f=image001-80.png&tok=9603CD8B-EF6E-4FCC-A7D0-8168F2D7D4C9) - -Bovenstaande figuur beschrijft vier situaties:  - -**_Situatie 1: Bedrijfsmiddel/bedrijfsproces_** **_binnen één organisatieonderdeel. (B1)_**  - -Wanneer een bedrijfsmiddel/bedrijfsproces binnen slechts één organisatieonderdeel (centrum, afdeling, ondersteunende dienst, instituut) wordt gebruikt, dan is het hoofd/directie van het organisatieonderdeel de eigenaar **(E1)**. In deze situatie gaat het voor de instituten alleen over de bedrijfsmiddelen en bedrijfsprocessen die zij binnen hun eigen organisatieonderdeel nodig hebben, het gaat [hier](canary:event?ts=754743605.00) niet om de bedrijfsmiddelen/bedrijfsprocessen die nodig zijn binnen de complete kerntaak.  - - -**_Situatie 2: Bedrijfsmiddel/bedrijfsproces_** **_binnen meerdere afdelingen of een afdeling en een centrum. 
(B2)_**  - -Wanneer een bedrijfsmiddel of bedrijfsproces door verschillende afdelingen of een afdeling en een centrum wordt gebruikt, dan is de directie van de kerntaak waarin het bedrijfsmiddel/bedrijfsproces wordt gebruikt de eigenaar **(E2)**. Om te borgen dat alle belanghebbenden binnen de afdeling en/of centrum zijn betrokken bij het nemen van besluiten over functionaliteiten, beveiliging en service niveaus stelt de eigenaar zich onafhankelijk en facilitair op.  - -**_Situatie 3: Bedrijfsmiddel/bedrijfsproces_** **_binnen meerdere instituten. (B3)_**  - -Wanneer een bedrijfsmiddel of bedrijfsproces binnen de verschillende kerntaken wordt gebruikt, bepalen de directies van de betrokken instituten wie de eigenaar is **(E3)**. Om te borgen dat alle belanghebbenden binnen de instituten zijn betrokken bij het nemen van besluiten over functionaliteiten, beveiliging en service niveaus stelt de eigenaar zich onafhankelijk en facilitair op.  - -**_Situatie 4: Bedrijfsmiddel/bedrijfsproces_** **_beslaan (zo goed als) alle Radboudumc onderdelen. (B4)_**  - -Wanneer een bedrijfsmiddel of bedrijfsproces binnen het gehele Radboudumc bestaat zonder dat eigenaarschap genomen wordt, dient primair bepaald te worden of het bedrijfsproces of bedrijfsmiddel wel nodig is. De drie instituutsdirecties en de directeuren van de ondersteunende diensten bepalen gezamenlijk of het bedrijfsmiddel/proces wel nodig is. Indien dat het geval is, wijst men in samenspraak een eigenaar aan **(E4)**. Indien men [hier](canary:event?ts=754743605.00) niet in samenspraak uitkomt, wijst de RvB een eigenaar aan **(E4)**.  - diff --git a/Corpus/Sparks/Asset ownership.md b/Corpus/Sparks/Asset ownership.md deleted file mode 100644 index 42d051b..0000000 --- a/Corpus/Sparks/Asset ownership.md +++ /dev/null 
@@ -1,10 +0,0 @@ - -See also: -- [Asset ownership policy of RUMC](Asset%20ownership%20policy%20of%20RUMC.md) -- [Risk ownership](Risk%20ownership.md) -- [Control ownership](Control%20ownership.md) - - -**ISO 27001 explicit mention of asset ownership:** -- A.8.1.2 Asset should have an owner -- A.9.2.5 Asset owners must periodically evaluate access rights diff --git a/Corpus/Sparks/Assets, Vulnerabilities, Threats, Risks.md b/Corpus/Sparks/Assets, Vulnerabilities, Threats, Risks.md deleted file mode 100644 index f5d289f..0000000 --- a/Corpus/Sparks/Assets, Vulnerabilities, Threats, Risks.md +++ /dev/null @@ -1,10 +0,0 @@ -* The relationship can be summarized as: A threat exploits an exposed vulnerability to damage an asset, which results in a risk to the organization. -* A risk can be seen as a theoretical threat scenario. If a risk "materializes," an anticipated or potential threat has actually taken place, exploiting a vulnerability and affecting an asset, which results in actual harm or loss. -* The relationship between assets, vulnerabilities, and threats is often called the Operations Security Triple. - -[Assets](Assets.md) -[Vulnerability 1](Vulnerability%201.md) -[Threat](../📚️%20Literature%20notes/Threat.md) -[Risks](Risks.md) - -See also: [](../Attachments/Certified%20Ethical%20Hacker%20Exam%20Guide%202021.pdf) diff --git a/Corpus/Sparks/Assets.md b/Corpus/Sparks/Assets.md deleted file mode 100644 index 074e5eb..0000000 --- a/Corpus/Sparks/Assets.md +++ /dev/null 
@@ -1,31 +0,0 @@ -See also: -- slide decks made for workshop sessions. Those for Kaliber, Nedap and Networking4AL are the most recent. - -An "information asset" refers to a valuable and meaningful piece of information that an organization or individual possesses, uses, or relies upon to achieve their objectives. Information assets can take various forms, including data, documents, intellectual property, proprietary knowledge, and more. They are considered valuable resources that contribute to decision-making, operational efficiency, innovation, and overall business success. Here are a few definitions of "information asset": - -1. **ISO/IEC 27000:2018** (Information Security Management Systems - Overview and Vocabulary): - "Information asset: Anything that has value to an organization (e.g. printed documents, electronic documents, intellectual property, personal data, knowledge of processes, physical items)." - -2. **NIST Special Publication 800-53** (Security and Privacy Controls for Federal Information Systems and Organizations): - "Information asset: Information and the information systems that process, store, and transmit that information." - -3. **The Data Management Body of Knowledge (DAMA-DMBOK)**: - "Information asset: A resource of value that an organization uses to understand, operate, and innovate." - -4. **The University of Texas at Austin - Information Security Office**: - "Information asset: Any knowledge that has potential value to an organization or an individual, including but not limited to business data, personal data, research data, proprietary data, and internal and external communications." - -5. **Gartner IT Glossary**: - "Information asset: A collection of information that is defined and managed as a standalone entity and is considered of value." 
- -In essence, an information asset is a piece of information that holds value and significance, whether for its role in decision-making, competitive advantage, regulatory compliance, research, or other organizational functions. Proper management, protection, and utilization of information assets are crucial to an organization's success and security. - -## Related: - -- [Assets, Vulnerabilities, Threats, Risks](Assets,%20Vulnerabilities,%20Threats,%20Risks.md) -- [Asset management in ISO 27001](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208%20Asset%20management.md) -- [Asset lifecycle in the Defensive Security Handbook](../📚️%20Literature%20notes/Asset%20lifecycle.md) -- [Asset ownership](Asset%20ownership.md) -- [How to develop an Asset Inventory](How%20to%20develop%20an%20Asset%20Inventory.md) -- [Asset management in the Defensive Security Handbook](../Literature%20notes/Def_Sec_Handbook_Chapter_2.md) - diff --git a/Corpus/Sparks/Awareness.md b/Corpus/Sparks/Awareness.md deleted file mode 100644 index f729e60..0000000 --- a/Corpus/Sparks/Awareness.md +++ /dev/null @@ -1,2 +0,0 @@ -[Seven Dimensions of Security Culture](../Literature%20notes/Seven%20Dimensions%20of%20Security%20Culture.md) - diff --git a/Corpus/Sparks/Blurbs.md b/Corpus/Sparks/Blurbs.md deleted file mode 100644 index 4f7a14d..0000000 --- a/Corpus/Sparks/Blurbs.md +++ /dev/null 
@@ -1,77 +0,0 @@ -The ISO27DIY video series teaches you a workshop based approach for implementing an ISO 27001-compliant Information Security Management System (ISMS) in your own organization. The ISO27DIY video series will be available for free. - -These are the current blurbs on the different properties: -– see also [🧰 Resource portal](../Standards/ISO27x/legacy/iso27DIY%20mk%20I/🧰%20Resource%20portal.md) - -# ISO27DIY.com website -Main website via [Carrd.co](https://iso27diy.com): -> ISO27DIY offers a method for implementing an ISO 27001- compliant Information Security Management System (ISMS) in your organization. The ISO27DIY workshop video series will be available for free - -Description for bookmarks and search engine listings: -> Learn how to implement ISO 27001 yourself - -# Rent-a-DPO personal site -Personal site via [Carrd.co](https://rent-a-dpo.co): -> **Trust is Good, Secure is Better** -> -> Hi, I’m Richard Kranendonk. Since 2017 I’ve helped dozens of organizations, from local charities to internationals, to achieve and maintain their ISO 27001 certification, and to become and remain GDPR compliant. -> -> Building on 20+ years experience in implementing information technology and organizational change, I can help you design and execute your information security and data protection strategy. -> - -**Title:** Rent-a-DPO -**Description:** ISO 27001 information security management | GDPR data protection | Strategy and execution - -# Twitter -[iso27diy twitter bio](https://twitter.com/iso27diy): -🧰 Do ISO 27001 yourself 🔖 Get certified without hiring consultants ⚖️ Control your information security 🧘‍♀️ Make customers feel safe! - -@richardk twitter bio -Making the Internets safer by helping organizations protect their data | @ISO27DIY | ISO 27001 | GDPR | CISSP | ECPC-B | #buildinpublic #indiehacker #nocode - -**Proposed coming out tweet:** -It took me a burnout and a psycho boss to make the jump and start building my own service. 
I feel excited and scared at the same time. -#buildinpublic #indiehacker #nocode @thisiskp_ @IndieHackers @makerpad @NocodeHQ - - -# Revue -[Revue](https://www.getrevue.co/app/accounts/ISO27DIY/edit) -Newsletter issues description: ISO27DIY newsletter – Learn how to implement ISO 27001 yourself - -# Gumroad - -[Gumroad iso27diy profile](https://app.gumroad.com/iso27diy) -ISO27DIY – a method for implementing ISO 27001 in your organization. Get yourself certified. - -[Gumroad personal profile] -[Gumroad community introduction](https://community.gumroad.com/c/gumroad-introductions/making-the-jump) - -# Indie Hackers -[Indie Hackers profile](https://www.indiehackers.com/rkranendonk) -> Making the Internets safer, one ISO 27001 certification at a time 👷‍♂️ ISO27DYI workshop video series 🎬 AuditGlue documentation software 📑 - -[Introduction post:](https://www.indiehackers.com/post/making-the-jump-7ed124b1d1) - -> Hi, I’m Richard. I finally decided to make the jump and start building my own service. I feel excited and scared at the same time. -> -> I firmly believe that it’s essential that every organization is able to manage their Cybersecurity risks. Not only from a commercial standpoint – being a trustworthy service provider –, but also because safety of information is a requirement for personal freedom and the stability of our society. -> -> Organizations, especially smaller ones, should be able to acquire the necessary skills without needing to spend large amounts of cash on consultant fees and expensive software. -> -> So here’s what I’m building: -> -> 1. a series of YouTube videos, explaining how you can implement ISO 27001* in your organization yourself. -> 2. an accompanying membership portal, ISO27DIY.com offering support and additional resources (tooling, templates, example documents, etc.) -> 3. 
a place to create and collect all the necessary documentation to get your ISO 27001 certification: AuditGlue.com -> -> *) If you’re not familiar with ISO 27001, it’s an international standard for managing information security. Certification for this standard is increasingly becoming a knock-out criterium for vendor selection shortlists. -> -> I would really appreciate it if you’d sign up for my newsletter on ISO27DIY.com, even if it’s just for moral support ;-) - -Product motivation: -> Every organization should be able to manage their information security and achieve ISO 27001 certification, without the need for expensive software or consultants. - -# NoCodeHQ - -# Makerpad community - diff --git a/Corpus/Sparks/Bolt.new prompt.md b/Corpus/Sparks/Bolt.new prompt.md deleted file mode 100644 index 4e18ad9..0000000 --- a/Corpus/Sparks/Bolt.new prompt.md +++ /dev/null @@ -1,20 +0,0 @@ ---- -tags: - - prompting ---- -Create a website for iso27DYI.com. -Use this logo and this hero image. -The landing page must look like this: - -The subscription part will be handled by MailerLite.com. -I want a ‘hamburger menu’ in the top right. - -There is a blog page at iso27DYI.com/blog. - -The site will be hosted at Netlify.com - -Use the Hugo framework (see https://gohugo.io/). - -Do not create custom JavaScript unless absolutely necessary. - - diff --git a/Corpus/Sparks/Borging.md b/Corpus/Sparks/Borging.md deleted file mode 100644 index 5c496b5..0000000 --- a/Corpus/Sparks/Borging.md +++ /dev/null 
@@ -1,7 +0,0 @@ -Borging van security is idealiter in bestaande management systemen en sturcturen van de organisatie. -Dat moet breder zijn dan alleen medewerkers die direct betrokken zijn bij security of IT. - -Zo moet er een wedersijdse reflectie zijn tussen het functiehuis en de -profielen en de RBAC voor applicaties. -Bijv,: de inkoper mag niet de creditfacturen ter betaling stellen. Of: de medewerker van de Klantenservice die extra rechten nodig heeft in het CRM, dat moet ook te zien zijn in de functieomschrijving. - -En de management verantwoordelijkhden voor veilig werken opp de afdeling, moeten ook leiden tot performance evaluatie op dat punt, naast performance op personeel, klanten en financieen. \ No newline at end of file diff --git a/Corpus/Sparks/Business Impact Analysis (BIA).md b/Corpus/Sparks/Business Impact Analysis (BIA).md deleted file mode 100644 index 4d3b745..0000000 --- a/Corpus/Sparks/Business Impact Analysis (BIA).md +++ /dev/null 
@@ -1,22 +0,0 @@ -Business Impact Analysis (BIA) is an activity within the proces of Business Continuity Planning ([BCP](../📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md)). - -The goal of a Business Impact Analysis (BIA) process is - -A Business Impact Analysis (BIA) examines the potential impacts of disruptions, such as financial losses, reputational damage, regulatory penalties, and operational continuity. -The outcomes help to prioritize business activities and resources to enable the resumption of product and service delivery after a (major) disruption[^1]. - -Guidelines and tooling: -- [Guidelines for business impact analysis ISO 22317](../Standards/ISO27x/ISO%2022317%20Guidelines%20for%20business%20impact%20analysis.md) -- [Assessing reputational risks](Assessing%20reputational%20risks.md) -- [BIA Workshop](../Standards/ISO27x/Implementation%20Products/BIA%20Workshop.md) -- [TLP impact matrix](../Literature%20notes/Traffic%20Light%20Protocol%20TLP.md) -- Afhankelijkheid tussen systemen/voorzieningen? - - Resource Breakdown Structure (RBS) - - Fishbone Diagram (Ishikawa/Cause and Effect): Useful for identifying root causes of dependencies and resource constraints in processes. - -ISO 27001 Controls: -- [5.29:](../MoCs/ISO_27002_2022_5.29_MoC%20Information%20security%20during%20disruption.md) Information security during disruption -- [5.30:](../MoCs/ISO_27002_2022_5.30_MoC%20ICT%20readiness%20for%20business%20continuity.md) ICT readiness for business continuity -- [5.9:](../MoCs/ISO_27002_2022_5.9_MoC%20Inventory%20of%20information%20and%20other%20associated%20assets.md) Inventory of information and other associated assets – regarding assets marked Critical on the Availability aspect - -[^1]: See [Disaster Recovery Planning](Disaster%20Recovery%20Planning.md) \ No newline at end of file diff --git a/Corpus/Sparks/CERT SG IRM.md b/Corpus/Sparks/CERT SG IRM.md deleted file mode 100644 index 80bd6a5..0000000 
--- a/Corpus/Sparks/CERT SG IRM.md +++ /dev/null @@ -1 +0,0 @@ -[Repository](https://github.com/certsocietegenerale/IRM/tree/main) of Incident Response playbooks by CERT Societe Generale \ No newline at end of file diff --git a/Corpus/Sparks/Classification.md b/Corpus/Sparks/Classification.md deleted file mode 100644 index 0feb24d..0000000 --- a/Corpus/Sparks/Classification.md +++ /dev/null @@ -1,18 +0,0 @@ -**Definition:** -"A *data classification* identifies the value of the data to the organization. Classification labels, the method by which they are assigned, and the required protection associated with the different labels, are identified in a policy." -Source: [CISSP_OSG_Chapter_5](../Standards/CISSP/CISSP_OSG_Chapter_5.md#Defining%20data%20Classifications) - -Classification criteria should be risk based, for instance on potential damage to the organization, the privacy of individuals, national security, economic interests, or other critical concerns. - -See also: -[Datatags System](../Literature%20notes/Datatags%20System.md) -[Def_Sec_Handbook_Chapter_2](../Literature%20notes/Def_Sec_Handbook_Chapter_2.md#Information%20classification) -[ISO 27002:2022 NL A5.12](../Standards/ISO27x/OST/27002/NL/a-5.12-Classificeren-van-informatie.md) -[Designing an information management scheme](../Literature%20notes/Designing%20an%20information%20management%20scheme.md) -[Data classification examples from SANS forum](Data%20classification%20examples%20from%20SANS%20forum.md) -[Key Topics for a Classified Information Security Policy](Key%20Topics%20for%20a%20Classified%20Information%20Security%20Policy.md) -[Traffic Light Protocol (TLP)](../Literature%20notes/Traffic%20Light%20Protocol%20TLP.md) - -![](Informatie_classificatie_matrix.xlsx) - - diff --git a/Corpus/Sparks/Compliance.md b/Corpus/Sparks/Compliance.md deleted file mode 100644 index 3419804..0000000 --- a/Corpus/Sparks/Compliance.md +++ /dev/null 
@@ -1,3 +0,0 @@ -[CISSP_OSG_Chapter_4](../Standards/CISSP/CISSP_OSG_Chapter_4.md) -[Continuous Compliance products](Continuous%20Compliance%20products.md) -[ISO 27001 A 18 Compliance](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md) diff --git a/Corpus/Sparks/Context, Strategy, and Leadership/The ISMS in its context.md b/Corpus/Sparks/Context, Strategy, and Leadership/The ISMS in its context.md deleted file mode 100644 index 77acf90..0000000 --- a/Corpus/Sparks/Context, Strategy, and Leadership/The ISMS in its context.md +++ /dev/null @@ -1,7 +0,0 @@ -# The ISMS in its context - -The primary purpose of the ISMS is to Control information security risks, that may impede on the organization achieving its goals. - -The ISMS does not exist in a vacuum. It interacts with the internal and external context of the organization.  - -An effective ISMS relies on a relationship between / the interplay of organizational goals, its context, threats and risks to the CIA of information, and available resources. diff --git a/Corpus/Sparks/Continuous Compliance products.md b/Corpus/Sparks/Continuous Compliance products.md deleted file mode 100644 index 74e07ec..0000000 --- a/Corpus/Sparks/Continuous Compliance products.md +++ /dev/null @@ -1,7 +0,0 @@ -@mikepsecuritee @richardk @iso27diy @tugboatlogic @TrustVanta @DrataHQ @DrataHQ has an incredible product😎 -Tweet by @amanda_robs 22 nov 2021 - -@mikepsecuritee @richardk @iso27diy @tugboatlogic @TrustVanta @DrataHQ You might also want to check out @merkely_ 😇 -Tweet by @meekrosoft 23 nov 2021 - - diff --git a/Corpus/Sparks/Core concepts of Privacy.md b/Corpus/Sparks/Core concepts of Privacy.md deleted file mode 100644 index 246bcd3..0000000 --- a/Corpus/Sparks/Core concepts of Privacy.md +++ /dev/null @@ -1 +0,0 @@ -[Threat Modeling](../📚️%20Literature%20notes/Privacy%20Threat%20Modeling.md) 
diff --git a/Corpus/Sparks/Cracking passwords in 2024.md b/Corpus/Sparks/Cracking passwords in 2024.md deleted file mode 100644 index c9810bd..0000000 --- a/Corpus/Sparks/Cracking passwords in 2024.md +++ /dev/null @@ -1,9 +0,0 @@ -# Cracking passwords in 2024 - -![](Hive%20Systems%20Password%20Table%20-%202024_Dutch.png) - - -![](Hive%20Systems%20Password%20Table%20-%202024%20Square.png) - - - diff --git a/Corpus/Sparks/Definition of Asset.md b/Corpus/Sparks/Definition of Asset.md deleted file mode 100644 index 2efbe10..0000000 --- a/Corpus/Sparks/Definition of Asset.md +++ /dev/null @@ -1,10 +0,0 @@ - - - -“An asset is anything within an environment that should be protected. It is anything used in a business process or task. It can be a computer file, a network service, a system resource, a process, a program, a product, an IT infrastructure, a database, a hardware device, furniture, product recipes/ formulas, intellectual property, personnel, software, facilities, and so on. - -If an organization places any value on an item under its control and deems that item important enough to protect, it is labeled an asset for the purposes of risk management and analysis. The loss or disclosure of an asset could result in an overall security compromise, loss of productivity, reduction in profits, additional expenditures, discontinuation of the organization, and numerous intangible consequences.” - -— (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide by Mike Chapple, James Michael Stewart, et al. -https://amzn.eu/6EvlQju, P.64 - diff --git a/Corpus/Sparks/DevSecOps and ISO 27k.md b/Corpus/Sparks/DevSecOps and ISO 27k.md deleted file mode 100644 index 067ddd6..0000000 --- a/Corpus/Sparks/DevSecOps and ISO 27k.md +++ /dev/null 
@@ -1,7 +0,0 @@ -ISO 27001 seems to have a sort of outdated linear view of building and testing. -How do the controls fit in with DevSecOps? - -Related: -[ISO 27001 A.14.2.8 System security testing](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.14.2.8%20System%20security%20testing.md) -[ISO 27001 A.14.2.9 System acceptance testing](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.14.2.9%20System%20acceptance%20testing.md) -[Red, Blue, and Purple Teams](../Literature%20notes/Red,%20Blue,%20and%20Purple%20Teams.md) \ No newline at end of file diff --git a/Corpus/Sparks/Disaster Recovery Planning.md b/Corpus/Sparks/Disaster Recovery Planning.md deleted file mode 100644 index 7d1a1ed..0000000 --- a/Corpus/Sparks/Disaster Recovery Planning.md +++ /dev/null @@ -1,7 +0,0 @@ -See also: -- [a-5.30-ICT-readiness-for-business-continuity](../Standards/ISO27x/OST/27002/EN/a-5.30-ICT-readiness-for-business-continuity.md) -- [Business Continuity Planning (BCP)](../📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md) -- [SANS Incident Response step 5 Recovery](../Standards/SANS/SANS%20Incident%20Response%20step%205%20Recovery.md) -- [Checklist for auditing Business Continuity and Disaster Recovery](../Literature%20notes/Checklists%20Gerardus%20Blokdyk/Checklist%20for%20auditing%20Business%20Continuity%20and%20Disaster%20Recovery.md) -- [CISSP_OSG_Chapter_18](../Standards/CISSP/CISSP_OSG_Chapter_18.md) -- [Def_Sec_Handbook_Chapter_6](../Literature%20notes/Def_Sec_Handbook_Chapter_6.md) diff --git a/Corpus/Sparks/Example of ISO 27001 mystique.md b/Corpus/Sparks/Example of ISO 27001 mystique.md deleted file mode 100644 index 44acdbb..0000000 --- a/Corpus/Sparks/Example of ISO 27001 mystique.md +++ /dev/null 
@@ -1,9 +0,0 @@ -# Example of ISO 27001 mystique - -ISO 27001 is a framework, and you cannot successfully implement it by treating the text of the standard as a series of instructions to be followed in the order in which they were printed. If you try that, things will become very confusing very quickly. - -For example, the requirement of having an information security policy is first (?) mentioned in [Chapter 5.1](../MoCs/ISO_27001_2022_5.1_MoC%20Leadership%20and%20commitment.md), "Leadership and commitment", where it says that top management must have it established, *together* with information security objectives. Then in [Chapter 5.2](../Standards/ISO27x/OST/27001/EN/c-5.2-Policy.md), 'Policy', it states that these objectives form *part of* the information security policy, referencing forward to [Chapter 6.2](../MoCs/ISO_27001_2022_6.2_MoC%20Information%20security%20objectives%20and%20planning%20to%20achieve%20them.md), "Information security objectives and planning to achieve them", which demands that organizations should set objectives consistent with the policy. Of course there's also a corresponding Control called "Policies for information security" ([5.1](../Standards/ISO27x/legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md)), which explains that there will be an information security policy at the highest level of the organization, including objectives "or the framework for setting objectives", and further "topic-specific policies as needed", which of course need their own objectives. - -Programmers may love this kind of recursiveness when it's in coding exercises. - - diff --git a/Corpus/Sparks/Examples of Proof for auditors.md b/Corpus/Sparks/Examples of Proof for auditors.md deleted file mode 100644 index 216eba3..0000000 --- a/Corpus/Sparks/Examples of Proof for auditors.md +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -tags: - - project/iso27DIY ---- - - - -- [ISO_27002_2022_5.10_PE Acceptable use of information and other associated assets](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.10_PE%20Acceptable%20use%20of%20information%20and%20other%20associated%20assets.md) -- [ISO_27002_2022_5.13_PE Labelling of information](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.13_PE%20Labelling%20of%20information.md) -- [ISO_27002_2022_5.32_PE Intellectual property rights](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.32_PE%20Intellectual%20property%20rights.md) -- [ISO_27002_2022_5.7_PE Threat intelligence](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.7_PE%20Threat%20intelligence.md) -- [ISO_27002_2022_5.22_PE Monitoring, review and change management of supplier services](../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.22_PE%20Monitoring%2C%20review%20and%20change%20management%20of%20supplier%20services.md) -- [ISO_27002_2022_5.1_PE Policies for information security](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.1_PE%20Policies%20for%20information%20security.md) -- [ISO_27002_2022_5.20_PE Addressing information security within supplier agreements](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.20_PE%20Addressing%20information%20security%20within%20supplier%20agreements.md) -- [ISO_27002_2022_5.23_PE Information security for use of cloud services](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.23_PE%20Information%20security%20for%20use%20of%20cloud%20services.md) -- [ISO_27002_2022_5.19_PE Information security in supplier relationships](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.19_PE%20Information%20security%20in%20supplier%20relationships.md) -- [ISO_27002_2022_5.8_PE Information security 
in project management](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.8_PE%20Information%20security%20in%20project%20management.md) -- [ISO_27002_2022_5.12_PE Classification of information](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.12_PE%20Classification%20of%20information.md) -- [ISO_27002_2022_5.24_PE Information security incident management planning and preparation](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.24_PE%20Information%20security%20incident%20management%20planning%20and%20preparation.md) -- [ISO_27002_2022_5.27_PE Learning from information security incidents](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.27_PE%20Learning%20from%20information%20security%20incidents.md) -- [ISO_27002_2022_5.21_PE Managing information security in the ICT supply chain](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.21_PE%20Managing%20information%20security%20in%20the%20ICT%20supply%20chain.md) -- [ISO_27002_2022_5.2_PE Information security roles and responsibilities](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.2_PE%20Information%20security%20roles%20and%20responsibilities.md) -- [ISO_27002_2022_8.28_PE Secure coding](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_8.28_PE%20Secure%20coding.md) -- [ISO_27002_2022_5.3_PE Segregation of duties](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.3_PE%20Segregation%20of%20duties.md) -- [ISO_27002_2022_8.9_PE Configuration management](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_8.9_PE%20Configuration%20management.md) -- [ISO_27002_2022_8.26_PE Application security requirements](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_8.26_PE%20Application%20security%20requirements.md) -- [ISO 27x Control PE 
template](../Standards/ISO27x/legacy/iso27DIY%20mk%20I/📒%20Templates/ISO%2027x%20Control%20PE%20template.md) -- \ No newline at end of file diff --git a/Corpus/Sparks/Examples of vendor selection questionnaires.md b/Corpus/Sparks/Examples of vendor selection questionnaires.md deleted file mode 100644 index d525cea..0000000 --- a/Corpus/Sparks/Examples of vendor selection questionnaires.md +++ /dev/null @@ -1,5 +0,0 @@ -- [Dropbox](../Literature%20notes/Dropbox%20Supplier%20Security%20Requirements.md) -- [Google](https://vsaq-demo.withgoogle.com) - -Related: -- [Vendor security MoC](Vendor%20security%20MoC.md) \ No newline at end of file diff --git a/Corpus/Sparks/External audits.md b/Corpus/Sparks/External audits.md deleted file mode 100644 index 03614fd..0000000 --- a/Corpus/Sparks/External audits.md +++ /dev/null @@ -1,5 +0,0 @@ -Auditors verschillen -Wat de een genoeg vindt, vindt de ander onvoldoende. -Maar: je moet het erg bont maken om je certificering te verliezen. Je krijgt de kans te verbeteren/herstellen. - -En cynisch: je kiest je CI zelf, en een CI zal liever niet bekend willen staan als de CI met de laagste succes ratio. \ No newline at end of file diff --git a/Corpus/Sparks/Governance.md b/Corpus/Sparks/Governance.md deleted file mode 100644 index cfb69a8..0000000 --- a/Corpus/Sparks/Governance.md +++ /dev/null @@ -1,3 +0,0 @@ -[Cyber Security Governance Principles](Cyber%20Security%20Governance%20Principles.md) -[Data Governance](../📚️%20Literature%20notes/Data%20Governance.md) -[Checklist for auditing Data Governance](../Literature%20notes/Checklists%20Gerardus%20Blokdyk/Checklist%20for%20auditing%20Data%20Governance.md) diff --git a/Corpus/Sparks/AI Threat Modeling.md b/Corpus/Sparks/ISMS/AI Threat Modeling.md similarity index 63% rename from Corpus/Sparks/AI Threat Modeling.md rename to Corpus/Sparks/ISMS/AI Threat Modeling.md index 00fccd6..b5e57c9 100644 --- a/Corpus/Sparks/AI Threat Modeling.md +++ b/Corpus/Sparks/ISMS/AI Threat Modeling.md 
@@ -1,4 +1,6 @@ -[Create a threat analysis chatbot](Create%20a%20threat%20analysis%20chatbot.md) +# Using AI for Threat Modeling + +[Create a threat analysis chatbot](../../Various/Create%20a%20threat%20analysis%20chatbot.md) [PLOT4AI](https://plot4.ai) (Privacy Library Of Threats 4 Artificial Intelligence): A threat modeling library to help you build responsible AI diff --git a/Corpus/Sparks/About dealing with threats.md b/Corpus/Sparks/ISMS/About dealing with threats.md similarity index 99% rename from Corpus/Sparks/About dealing with threats.md rename to Corpus/Sparks/ISMS/About dealing with threats.md index 87b0208..2dc0a07 100644 --- a/Corpus/Sparks/About dealing with threats.md +++ b/Corpus/Sparks/ISMS/About dealing with threats.md @@ -1,4 +1,3 @@ - # About the connection between threat intelligence, analysis and modeling ### 🔄 Interplay Overview diff --git a/Corpus/Sparks/ISMS/About implementation and proof.md b/Corpus/Sparks/ISMS/About implementation and proof.md index c88dcc8..d6babc3 100644 --- a/Corpus/Sparks/ISMS/About implementation and proof.md +++ b/Corpus/Sparks/ISMS/About implementation and proof.md @@ -1,8 +1,4 @@ ---- -tags: -- project/iso27DIY -- type/explainer ---- +# About implementation and proof The auditor will require proof of the implementation of the ISMS and all it’s individual controls. Proper implementation means a control is risk-based, there’s a policy describing the why and how of it’s implementation, it’s results are monitored or measured, it’s effectiveness is evaluated, and possible improvements to the implementation of the control are identified. diff --git a/Corpus/Sparks/ISMS/About policies controls and risks.md b/Corpus/Sparks/ISMS/About policies controls and risks.md index 8950e72..6b2b424 100644 --- a/Corpus/Sparks/ISMS/About policies controls and risks.md +++ b/Corpus/Sparks/ISMS/About policies controls and risks.md 
@@ -1,11 +1,4 @@ ---- -tags: - - iso27001 - - policy - - control - - risk ---- - +# About policies, controls, and risks `Within a ISO 27001 compliant ISMS, is it possible to implement a control without having a policy for that control?` diff --git a/Corpus/Sparks/ISMS/About the Statement of Applicability.md b/Corpus/Sparks/ISMS/About the Statement of Applicability.md index 55948ae..8c7744c 100644 --- a/Corpus/Sparks/ISMS/About the Statement of Applicability.md +++ b/Corpus/Sparks/ISMS/About the Statement of Applicability.md @@ -1,9 +1,4 @@ ---- -tags: -- project/iso27DIY -- type/explainer ---- -## About the Statement of Applicability +# About the Statement of Applicability In essence, the Statement of Applicability shows the outcome of the risk treatment process ([6.1.3a](../../Corpus/Standards/MoCs/ISO_27001_2022_6.1.3_MoC%20Information%20security%20risk%20treatment.md)). It is usually presented as a table of Annex A controls, together with a short explanation for the selection *or* exclusion of each, and its implementation status. diff --git a/Corpus/Sparks/Access Control Models.md b/Corpus/Sparks/ISMS/Access Control Models.md similarity index 95% rename from Corpus/Sparks/Access Control Models.md rename to Corpus/Sparks/ISMS/Access Control Models.md index 1cb2241..2a42a18 100644 --- a/Corpus/Sparks/Access Control Models.md +++ b/Corpus/Sparks/ISMS/Access Control Models.md 
@@ -1,11 +1,11 @@ See also: - [Authorization vs Access Control](Authorization%20vs%20Access%20Control.md) -- [Identity and Access Management (IAM)](Identity%20and%20Access%20Management%20(IAM).md) -- [RBAC Access levels](../Literature%20notes/RBAC%20Access%20levels.md) -- [CRUD Matrices](CRUD%20Matrices.md) +- [Identity and Access Management (IAM)](../Identity%20and%20Access%20Management%20(IAM).md) +- [RBAC Access levels](../../Literature%20notes/RBAC%20Access%20levels.md) +- [CRUD Matrices](../Information%20Security/CRUD%20Matrices.md) -Source: [](../Attachments/Certified%20Ethical%20Hacker%20Exam%20Guide%202021.pdf) +Source: [](../../Attachments/Certified%20Ethical%20Hacker%20Exam%20Guide%202021.pdf) - Mandatory Access Control (MAC): - Every object gets a label diff --git a/Corpus/Sparks/Access Control in ISO 27001.md b/Corpus/Sparks/ISMS/Access Control in ISO 27001.md similarity index 100% rename from Corpus/Sparks/Access Control in ISO 27001.md rename to Corpus/Sparks/ISMS/Access Control in ISO 27001.md diff --git a/Corpus/Sparks/ISMS/Access Control.md b/Corpus/Sparks/ISMS/Access Control.md new file mode 100644 index 0000000..3601328 --- /dev/null +++ b/Corpus/Sparks/ISMS/Access Control.md 
@@ -0,0 +1,13 @@ +# Access Control + +While [authorization](../../Standards/ISO27x/Authorization.md) is primarily concerned with establishing the policies and rules that dictate access (i.e. *what* a person or system is allowed to do), **access control** is the _system_ or _process_ that enforces those defined permissions. + +See: +- [Gedachten over rechtenstructuren](../Information%20Security/Gedachten%20over%20rechtenstructuren.md) +- [Authorization vs Access Control](Authorization%20vs%20Access%20Control.md) +- [Access Control Models](Access%20Control%20Models.md) +- [ISO 27001 A 9 Access control](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%209%20Access%20control.md) +- [a-5.15-Access-control](../../Standards/ISO27x/OST/27002/EN/a-5.15-Access-control.md) + + + diff --git a/Corpus/Sparks/Asset classes.png b/Corpus/Sparks/ISMS/Asset classes.png similarity index 100% rename from Corpus/Sparks/Asset classes.png rename to Corpus/Sparks/ISMS/Asset classes.png diff --git a/Corpus/Sparks/ISMS/Assets Ownership and Risk Overview.md b/Corpus/Sparks/ISMS/Assets Ownership and Risk Overview.md new file mode 100644 index 0000000..02be598 --- /dev/null +++ b/Corpus/Sparks/ISMS/Assets Ownership and Risk Overview.md 
@@ -0,0 +1,104 @@ +# Assets, Ownership, and Risk: Structured Overview + +## 1. Core Concept: What Is an Asset? + +An **information asset** is anything that has value to an organization. It can take many forms: + +- Printed or electronic documents +- Intellectual property and proprietary knowledge +- Personal data +- Knowledge of processes +- Physical items +- Information systems that process, store, or transmit information + +**Selected definitions:** + +| Source | Definition | +| ----------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ISO/IEC 27000:2018 | Anything that has value to an organization (e.g. printed documents, electronic documents, intellectual property, personal data, knowledge of processes, physical items). | +| NIST SP 800-53 | Information and the information systems that process, store, and transmit that information. | +| DAMA-DMBOK | A resource of value that an organization uses to understand, operate, and innovate. | +| Gartner IT Glossary | A collection of information that is defined and managed as a standalone entity and is considered of value. | +| (ISC)² CISSP Official Study Guide (Chapple, Stewart et al., p.64) | Anything within an environment that should be protected — anything used in a business process or task. If an organization places any value on an item and deems it important enough to protect, it is labeled an asset for purposes of risk management and analysis. | + +**Examples of assets (CISSP):** computer files, network services, system resources, processes, programs, products, IT infrastructure, databases, hardware devices, furniture, product recipes/formulas, intellectual property, personnel, software, facilities. 
+ +**Consequences of asset loss or disclosure:** +- Overall security compromise +- Loss of productivity +- Reduction in profits +- Additional expenditures +- Discontinuation of the organization +- Numerous intangible consequences + + +## 2. Assets in Relation to Vulnerabilities, Threats, and Risks + +The relationship between the four concepts can be summarized as: + +> A threat exploits an exposed vulnerability to damage an asset, which results in a risk to the organization. + +This relationship is known as the **Operations Security Triple** (assets, vulnerabilities, threats). + +**On risk materialization:** +A risk can be seen as a theoretical threat scenario. When a risk "materializes," an anticipated or potential threat has actually taken place — exploiting a vulnerability, affecting an asset, and resulting in actual harm or loss. + + +## 3. Asset Ownership + +### ISO 27001 Requirements + +ISO 27001 explicitly requires asset ownership in two controls: + +- **A.8.1.2** — Every asset should have an owner. +- **A.9.2.5** — Asset owners must periodically evaluate access rights. + +### Determining Ownership: The RUMC Model + +*The following model was shared by Remco Landegge, Security Expert Radboud UMC (2 December 2024). Remove all references to Radboudumc before reusing.* + +When asset or process ownership is unclear, it can be determined by mapping the situation to one of four scenarios: + + +![](../rumc-eigenaarschap.png) + + + +**Situation 1 (B1): Asset/process used within a single organizational unit** + +The head or director of that organizational unit is the owner **(E1)**. + +*Note: for institutes, this applies only to assets/processes needed within their own unit — not to those required for the complete core task.* + + +**Situation 2 (B2): Asset/process used across multiple departments, or a department and a centre** + +The director of the core task in which the asset/process is used is the owner **(E2)**. 
The owner operates independently and in a facilitating role, to ensure all stakeholders (across departments and/or centres) are involved in decisions about functionality, security, and service levels. + + +**Situation 3 (B3): Asset/process used across multiple institutes** + +The directors of the institutes involved jointly determine who the owner is **(E3)**. The owner operates independently and in a facilitating role to ensure stakeholder involvement across institutes. + + +**Situation 4 (B4): Asset/process spanning (virtually) all parts of the organization, with no owner claimed** + +First, determine whether the asset/process is actually needed. The three institute directors and directors of supporting services jointly decide **(E4)**. If no consensus is reached, the Board of Directors appoints an owner **(E4)**. + +--- + +## Notes on Linked Content + +The source files reference the following related notes in the vault: + +- [Vulnerability 1](../Vulnerability%201.md) +- [Threat](../../Literature%20notes/Threat.md) +- [Risks](../Risks.md) +- [Risk ownership](../Risk%20ownership.md) +- [Control ownership](Control%20ownership.md) +- [Asset lifecycle](../../Literature%20notes/Asset%20lifecycle.md) +- [How to develop an Asset Inventory](../How%20to%20develop%20an%20Asset%20Inventory.md) + + + ![Asset classes](Asset%20classes.png) + diff --git a/Corpus/Sparks/Authorization vs Access Control.md b/Corpus/Sparks/ISMS/Authorization vs Access Control.md similarity index 82% rename from Corpus/Sparks/Authorization vs Access Control.md rename to Corpus/Sparks/ISMS/Authorization vs Access Control.md index e4cf7ea..3de4934 100644 --- a/Corpus/Sparks/Authorization vs Access Control.md +++ b/Corpus/Sparks/ISMS/Authorization vs Access Control.md 
@@ -6,7 +6,7 @@ tags: # Authorization vs. Access Control -[Authorization](../Standards/ISO27x/Authorization.md) defines _what_ a user (or system) is allowed to do, [access control ](Access%20Control.md) is the _system_ or _process_ that enforces those defined permissions. +[Authorization](../../Standards/ISO27x/Authorization.md) defines _what_ a user (or system) is allowed to do, [access control ](Access%20Control.md) is the _system_ or _process_ that enforces those defined permissions. ## Authorization @@ -23,8 +23,8 @@ tags: - **What it is:** Access control is the **mechanism or system that enforces the authorization policies**. It's the technical implementation that actually grants or denies access to a resource based on the authorized permissions. - **The "How":** It answers the question, "How is the 'what' actually applied and managed?" - **Enforcement:** Access control is the act of putting those policies into practice. It involves: - - Checking a user's identity ([Authentication](../Standards/ISO27x/Authentication.md)). - - Consulting the pre-defined [Authorization](../Standards/ISO27x/Authorization.md)authorization rules. + - Checking a user's identity ([Authentication](../../Standards/ISO27x/Authentication.md)). + - Consulting the pre-defined [Authorization](../../Standards/ISO27x/Authorization.md)authorization rules. - Granting or denying access to specific resources (files, applications, data, network segments, physical locations, etc.) or actions (read, write, delete, execute). - **Examples:** - An Access Control List (ACL) on a file system that specifies which users or groups can read, write, or execute a particular file. diff --git a/Corpus/Sparks/Belang van een BCP.md b/Corpus/Sparks/ISMS/Belang van een BCP.md similarity index 100% rename from Corpus/Sparks/Belang van een BCP.md rename to Corpus/Sparks/ISMS/Belang van een BCP.md 
diff --git a/Corpus/Sparks/ISMS/Business Impact Analysis (BIA).md b/Corpus/Sparks/ISMS/Business Impact Analysis (BIA).md new file mode 100644 index 0000000..d82896f --- /dev/null +++ b/Corpus/Sparks/ISMS/Business Impact Analysis (BIA).md 
@@ -0,0 +1,24 @@ +# Business Impact Analysis (BIA) + +Business Impact Analysis (BIA) is an activity within the proces of Business Continuity Planning ([BCP](../📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md)). + +The goal of a Business Impact Analysis (BIA) process is + +A Business Impact Analysis (BIA) examines the potential impacts of disruptions, such as financial losses, reputational damage, regulatory penalties, and operational continuity. +The outcomes help to prioritize business activities and resources to enable the resumption of product and service delivery after a (major) disruption[^1]. + +Guidelines and tooling: +- [Guidelines for business impact analysis ISO 22317](../../Standards/ISO27x/ISO%2022317%20Guidelines%20for%20business%20impact%20analysis.md) +- [Assessing reputational risks](../../Various/Assessing%20reputational%20risks.md) +- [BIA Workshop](../../Standards/ISO27x/Implementation%20Products/BIA%20Workshop.md) +- [TLP impact matrix](../../Literature%20notes/Traffic%20Light%20Protocol%20TLP.md) +- Afhankelijkheid tussen systemen/voorzieningen? + - Resource Breakdown Structure (RBS) + - Fishbone Diagram (Ishikawa/Cause and Effect): Useful for identifying root causes of dependencies and resource constraints in processes. + +ISO 27001 Controls: +- [5.29:](../../MoCs/ISO_27002_2022_5.29_MoC%20Information%20security%20during%20disruption.md) Information security during disruption +- [5.30:](../../MoCs/ISO_27002_2022_5.30_MoC%20ICT%20readiness%20for%20business%20continuity.md) ICT readiness for business continuity +- [5.9:](../../MoCs/ISO_27002_2022_5.9_MoC%20Inventory%20of%20information%20and%20other%20associated%20assets.md) Inventory of information and other associated assets – regarding assets marked Critical on the Availability aspect + +[^1]: See [Disaster Recovery Planning](Disaster%20Recovery%20Planning.md) \ No newline at end of file 
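Review bot: The line `The goal of a Business Impact Analysis (BIA) process is` in the new `Business Impact Analysis (BIA).md` stops before stating the goal; either finish the sentence or drop it, since the next paragraph already says what a BIA examines and what its outcomes are used for. In the same hunk `proces` should be `process`, and the BCP link `../📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md` resolves to a `📚️ Literature notes` folder inside `Corpus/Sparks`, whereas every other link in this patch reaches the literature notes via `../../Literature%20notes/`; check which folder actually exists. The file is also committed without a trailing newline.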
diff --git a/Corpus/Sparks/Challenges in auditing a one man company.md b/Corpus/Sparks/ISMS/Challenges in auditing a one man company.md similarity index 100% rename from Corpus/Sparks/Challenges in auditing a one man company.md rename to Corpus/Sparks/ISMS/Challenges in auditing a one man company.md diff --git a/Corpus/Sparks/Classificatie van risico's obv Oorzaken.md b/Corpus/Sparks/ISMS/Classificatie van risico's.md similarity index 97% rename from Corpus/Sparks/Classificatie van risico's obv Oorzaken.md rename to Corpus/Sparks/ISMS/Classificatie van risico's.md index 447dbcf..1d237e0 100644 --- a/Corpus/Sparks/Classificatie van risico's obv Oorzaken.md +++ b/Corpus/Sparks/ISMS/Classificatie van risico's.md @@ -1,4 +1,4 @@ -# Classificatie op basis van risico-oorzaken +# Classificatie van risico's Risico's kunnen worden ingedeeld in diverse categorieën, die elk een andere bron van gevaar vertegenwoordigen: diff --git a/Corpus/Sparks/Classifying Integrity.md b/Corpus/Sparks/ISMS/Classifying Integrity.md similarity index 81% rename from Corpus/Sparks/Classifying Integrity.md rename to Corpus/Sparks/ISMS/Classifying Integrity.md index 3a5b47a..d879754 100644 --- a/Corpus/Sparks/Classifying Integrity.md +++ b/Corpus/Sparks/ISMS/Classifying Integrity.md 
@@ -1,17 +1,8 @@ ---- -title: Classifying Integrity -source: https://www.perplexity.ai/search/351dee5b-0f9f-419b-bec2-381b6e285401 -author: - - "[[Perplexity AI]]" -published: -created: 2025-06-10 -description: What instruments do we have to classify the necessity of integrity of information? -tags: - - clippings ---- -See also: [Business Impact Analysis (BIA)](Business%20Impact%20Analysis%20(BIA).md), [A 8.2 Information Classification](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208.2%20Information%20classification.md#ISO%2027001%20A%208.2%20Information%20classification) +# Classifying Integrity -Prompt: `In the field of information security, we identify and implement risk mitigating measures to safeguard the confidentiality, integrity, and availability of information. To establish levels of confidentiality, we use the instrument of data classification to establish levels of availability we can use business impact analysis. What instruments do we have to classify the necessity of integrity of information` +See also: [Business Impact Analysis (BIA)](Business%20Impact%20Analysis%20(BIA).md), [A 8.2 Information Classification](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208.2%20Information%20classification.md#ISO%2027001%20A%208.2%20Information%20classification) + +Prompt to Perplexity AI on 2025-06-10: `In the field of information security, we identify and implement risk mitigating measures to safeguard the confidentiality, integrity, and availability of information. To establish levels of confidentiality, we use the instrument of data classification to establish levels of availability we can use business impact analysis. What instruments do we have to classify the necessity of integrity of information` Sources: [dataguard](https://www.dataguard.com/blog/classifying-information/) 
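Review bot: Removing the frontmatter in `Classifying Integrity.md` drops the `source:` URL (https://www.perplexity.ai/search/351dee5b-0f9f-419b-bec2-381b6e285401); the new `Prompt to Perplexity AI on 2025-06-10:` line keeps the date but not the link, so the answer below can no longer be traced back to the session. Suggest keeping it as a plain `Source:` line under the heading, next to the existing `Sources: [dataguard](...)` line.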
diff --git a/Corpus/Sparks/Control ownership.md b/Corpus/Sparks/ISMS/Control ownership.md similarity index 73% rename from Corpus/Sparks/Control ownership.md rename to Corpus/Sparks/ISMS/Control ownership.md index 570d8ba..03798f7 100644 --- a/Corpus/Sparks/Control ownership.md +++ b/Corpus/Sparks/ISMS/Control ownership.md @@ -1,4 +1,6 @@ -See also [Risk ownership](Risk%20ownership.md), [Asset ownership](Asset%20ownership.md) +# Control ownership + +See also [Risk ownership](../Risk%20ownership.md), [Asset ownership](Asset%20ownership.md) Principe: > Control ownership can best be assigned to the individual or team that has both the resources and the skills to effectively implement the control. (And does not have conflicting interests) diff --git a/Corpus/Sparks/Data breach procedure.md b/Corpus/Sparks/ISMS/Data breach procedure.md similarity index 52% rename from Corpus/Sparks/Data breach procedure.md rename to Corpus/Sparks/ISMS/Data breach procedure.md index 4d4d536..7045421 100644 --- a/Corpus/Sparks/Data breach procedure.md +++ b/Corpus/Sparks/ISMS/Data breach procedure.md @@ -1,3 +1,5 @@ +# Data breach procedure + Previous work: - Post mortem Ultimaker LinkedIn Learning incident - Pixelpool Data breach procedure @@ -5,4 +7,4 @@ Previous work: Relevant ISO 27001 clauses/controls: -- [ISO 27001 A 16.1 Management of information security incidents and improvements](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2016.1%20Management%20of%20information%20security%20incidents%20and%20improvements.md) +- [ISO 27001 A 16.1 Management of information security incidents and improvements](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2016.1%20Management%20of%20information%20security%20incidents%20and%20improvements.md) 
diff --git a/Corpus/Sparks/Data classification examples from SANS forum.md b/Corpus/Sparks/ISMS/Data classification/Data Classification.md similarity index 70% rename from Corpus/Sparks/Data classification examples from SANS forum.md rename to Corpus/Sparks/ISMS/Data classification/Data Classification.md index 5338819..9f01359 100644 --- a/Corpus/Sparks/Data classification examples from SANS forum.md +++ b/Corpus/Sparks/ISMS/Data classification/Data Classification.md @@ -1,3 +1,13 @@ +# Data Classification + +**Definition:** +"A *data classification* identifies the value of the data to the organization. Classification labels, the method by which they are assigned, and the required protection associated with the different labels, are identified in a policy." +Source: [CISSP_OSG_Chapter_5](../../../Standards/CISSP/CISSP_OSG_Chapter_5.md#Defining%20data%20Classifications) + +Classification criteria should be risk based, for instance on potential damage to the organization, the privacy of individuals, national security, economic interests, or other critical concerns. + +## Examples from SANS forum + Source: https://sth-community.sans.org/t/y4yt81n Retrieved: 2 september 2024 @@ -9,10 +19,10 @@ Confidential 2. Some risk - Internal 3. Significant risk - Confidential -1. Unrestricted -2. Restricted-External -3. Restricted-Internal -4. Confidential +4. Unrestricted +5. Restricted-External +6. Restricted-Internal +7. Confidential - Public - Internal 
@@ -35,8 +45,20 @@ Just before I left the Bank of England, we rebuilt our classification scheme -  One of the reasons for the move was that the UK government was looking to change their scheme to a traffic light system also, so we moved to where they were heading. - From a user perspective it is complex to figure out a classification. That's why some of our institutions reverse the process and start with the person and what they want to do. Leiden University has a tool picker that is publicly available, to help employees and students pick the correct tool (and indirectly the level of security and privacy that that tool offers). It does not solve the classification labeling problem if you have a single mandatory system in mind, but I can imagine that asking them about what goal they want to achieve makes it easier for employees to see classification as helpful and useful. -[https://web.universiteitleiden.nl/assets/toolpicker/?lang=en](https://web.universiteitleiden.nl/assets/toolpicker/?lang=en) \ No newline at end of file +[https://web.universiteitleiden.nl/assets/toolpicker/?lang=en](https://web.universiteitleiden.nl/assets/toolpicker/?lang=en) + +![](../../Informatie_classificatie_matrix.xlsx) + + +See also: +[Datatags System](../../../Literature%20notes/Datatags%20System.md) +[Def_Sec_Handbook_Chapter_2](../../../Literature%20notes/Def_Sec_Handbook_Chapter_2.md#Information%20classification) +[ISO 27002:2022 NL A5.12](../../../Standards/ISO27x/OST/27002/NL/a-5.12-Classificeren-van-informatie.md) +[Designing an information management scheme](../../../Literature%20notes/Designing%20an%20information%20management%20scheme.md) +[Key Topics for a policy on handling classified information](../../Key%20Topics%20for%20a%20policy%20on%20handling%20classified%20information.md) +[Traffic Light Protocol (TLP)](../../../Literature%20notes/Traffic%20Light%20Protocol%20TLP.md) + + 
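Review bot: In the first hunk of `Data Classification.md`, renumbering the second scheme from `1. Unrestricted ... 4. Confidential` to `4. Unrestricted ... 7. Confidential` merges two separate example schemes from the SANS thread into one seven-item list; this looks like editor auto-renumbering after the lines above were inserted. Restore `1.` to `4.` and separate the two lists with a blank line or a short lead-in. In the added `See also:` block of this hunk, the link lines carry no list marker and no blank lines between them, so Markdown renders them as one run-on paragraph; prefix each with `- ` as the `Guidelines and tooling:` list in the BIA note does.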
diff --git a/Corpus/Sparks/FIRST TLP labeled document examples childcare.md b/Corpus/Sparks/ISMS/Data classification/FIRST TLP labeled document examples childcare.md similarity index 100% rename from Corpus/Sparks/FIRST TLP labeled document examples childcare.md rename to Corpus/Sparks/ISMS/Data classification/FIRST TLP labeled document examples childcare.md diff --git a/Corpus/Sparks/FIRST TLP labeled document examples commercial.md b/Corpus/Sparks/ISMS/Data classification/FIRST TLP labeled document examples commercial.md similarity index 100% rename from Corpus/Sparks/FIRST TLP labeled document examples commercial.md rename to Corpus/Sparks/ISMS/Data classification/FIRST TLP labeled document examples commercial.md diff --git a/Corpus/Sparks/FIRST TLP labeled document examples for information security.md b/Corpus/Sparks/ISMS/Data classification/FIRST TLP labeled document examples for information security.md similarity index 100% rename from Corpus/Sparks/FIRST TLP labeled document examples for information security.md rename to Corpus/Sparks/ISMS/Data classification/FIRST TLP labeled document examples for information security.md diff --git a/Corpus/Sparks/FIRST TLP labeled document examples hospital.md b/Corpus/Sparks/ISMS/Data classification/FIRST TLP labeled document examples hospital.md similarity index 100% rename from Corpus/Sparks/FIRST TLP labeled document examples hospital.md rename to Corpus/Sparks/ISMS/Data classification/FIRST TLP labeled document examples hospital.md diff --git a/Corpus/Sparks/ISMS/Disaster Recovery Planning.md b/Corpus/Sparks/ISMS/Disaster Recovery Planning.md new file mode 100644 index 0000000..3e74efa --- /dev/null +++ b/Corpus/Sparks/ISMS/Disaster Recovery Planning.md 
@@ -0,0 +1,9 @@ +# Disaster Recovery Planning + +See also: +- [a-5.30-ICT-readiness-for-business-continuity](../../Standards/ISO27x/OST/27002/EN/a-5.30-ICT-readiness-for-business-continuity.md) +- [Business Continuity Planning (BCP)](../📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md) +- [SANS Incident Response step 5 Recovery](../../Standards/SANS/SANS%20Incident%20Response%20step%205%20Recovery.md) +- [Checklist for auditing Business Continuity and Disaster Recovery](../../Literature%20notes/Checklists%20Gerardus%20Blokdyk/Checklist%20for%20auditing%20Business%20Continuity%20and%20Disaster%20Recovery.md) +- [CISSP_OSG_Chapter_18](../../Standards/CISSP/CISSP_OSG_Chapter_18.md) +- [Def_Sec_Handbook_Chapter_6](../../Literature%20notes/Def_Sec_Handbook_Chapter_6.md) diff --git a/Corpus/Sparks/Context, Strategy, and Leadership/Sources for the Context sessions.md b/Corpus/Sparks/ISMS/Sources for the Context sessions.md similarity index 100% rename from Corpus/Sparks/Context, Strategy, and Leadership/Sources for the Context sessions.md rename to Corpus/Sparks/ISMS/Sources for the Context sessions.md diff --git a/Corpus/Sparks/Incident Response playbooks.md b/Corpus/Sparks/Incident Response playbooks.md new file mode 100644 index 0000000..23e1ef5 --- /dev/null +++ b/Corpus/Sparks/Incident Response playbooks.md @@ -0,0 +1,3 @@ +# Incident Response playbooks + +[Repository](https://github.com/certsocietegenerale/IRM/tree/main) of Incident Response playbooks by CERT Societe Generale \ No newline at end of file diff --git a/Corpus/Sparks/CIS Critical Security Controls.md b/Corpus/Sparks/Information Security/CIS Controls.md similarity index 97% rename from Corpus/Sparks/CIS Critical Security Controls.md rename to Corpus/Sparks/Information Security/CIS Controls.md index 425b564..c859b12 100644 --- a/Corpus/Sparks/CIS Critical Security Controls.md +++ b/Corpus/Sparks/Information Security/CIS Controls.md 
@@ -1,6 +1,8 @@ +# CIS Critical Security Controls + https://www.cisecurity.org/controls -Cyber attacks exploit bad cuyber hygiene +Cyber attacks exploit bad cyber hygiene CIS are security best practices for strengthening your security posture to defend agains top threats maps to lots of frameworks @@ -8,7 +10,7 @@ maps to lots of frameworks Safeguards are identified by attack patterns from the MITRE ATT&CK* framework we verified that the CIS Controls are effective at defending against 86% of the ATT&CK (sub-)techniques found in the ATT&CK framework. More importantly, the Controls are highly effective against the top five attack types found in industry threat data. -![](CleanShot%202024-10-08%20at%2016.10.32.png) +![](../CleanShot%202024-10-08%20at%2016.10.32.png) Source: CIS Community Defense Model version 2.0 @@ -29,10 +31,10 @@ IG3 assets contain sensitive information or functions that are subject to regula Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks. -![](Asset%20classes.png) +![](../ISMS/Asset%20classes.png) Source: CIS Controls v8.1 PDF, pp 8-12 -![](CleanShot%202024-10-08%20at%2016.27.06.png) +![](../CleanShot%202024-10-08%20at%2016.27.06.png) List of the CIS Controls in v8, and how many Safeguards in each are applicable to each Implementation Group. [source](https://www.cisecurity.org/controls/implementation-groups) See CIS_Controls_Version_8.1_6_24_2024.xlsx for a table that shows all safeguards mapped to the three Implementation Groups. diff --git a/Corpus/Sparks/CRF-Threat-Taxonomy-v2024.pdf b/Corpus/Sparks/Information Security/CRF-Threat-Taxonomy-v2024.pdf similarity index 100% rename from Corpus/Sparks/CRF-Threat-Taxonomy-v2024.pdf rename to Corpus/Sparks/Information Security/CRF-Threat-Taxonomy-v2024.pdf 
diff --git a/Corpus/Sparks/CRUD Matrices.md b/Corpus/Sparks/Information Security/CRUD Matrices.md similarity index 92% rename from Corpus/Sparks/CRUD Matrices.md rename to Corpus/Sparks/Information Security/CRUD Matrices.md index aabf429..a1e1ba2 100644 --- a/Corpus/Sparks/CRUD Matrices.md +++ b/Corpus/Sparks/Information Security/CRUD Matrices.md @@ -1,8 +1,4 @@ ---- -tags: -- infosec -- type/explainer ---- +# CRUD Matrices A CRUD matrix defines what actions a user (or process) is allowed to perform on a certain object, typically a data entity such as a table or record in a database. @@ -33,7 +29,7 @@ In the form below, we can see which authorizations each role has for different o | Sales Rep | CRUD | R | RU | R | R | | Stock Manager | - | - | - | R | RU | -A CRUD matrix is a helpful tool for [Access Control Models](Access%20Control%20Models.md), and several well-known CRUD extensions have been introduced to address specific needs, for example: +A CRUD matrix is a helpful tool for [Access Control Models](../ISMS/Access%20Control%20Models.md), and several well-known CRUD extensions have been introduced to address specific needs, for example: ([source](https://en.wikipedia.org/wiki/Create,_read,_update_and_delete)) - **CRUDL (Create, Read, Update, Delete, List):** Adds a "List" operation to explicitly support retrieving collections of records, which is especially useful in applications where listing and searching are distinct from simple reading of single records. diff --git a/Corpus/Sparks/Client segregation.md b/Corpus/Sparks/Information Security/Client segregation in SaaS.md similarity index 97% rename from Corpus/Sparks/Client segregation.md rename to Corpus/Sparks/Information Security/Client segregation in SaaS.md index fdf462d..8f7bcc6 100644 --- a/Corpus/Sparks/Client segregation.md +++ b/Corpus/Sparks/Information Security/Client segregation in SaaS.md 
@@ -1,7 +1,5 @@ ---- -tags: - - project/iso27DIY ---- +# Architectural patterns for client segregation in SaaS systems + SaaS systems implement client segregation through several architectural patterns, each with distinct tradeoffs between security, efficiency, and complexity: ## Physical Segregation (Dedicated Infrastructure) diff --git a/Corpus/Sparks/Information Security/Cracking passwords in 2024.md b/Corpus/Sparks/Information Security/Cracking passwords in 2024.md new file mode 100644 index 0000000..3361c6e --- /dev/null +++ b/Corpus/Sparks/Information Security/Cracking passwords in 2024.md @@ -0,0 +1,9 @@ +# Cracking passwords in 2024 + +![](../Hive%20Systems%20Password%20Table%20-%202024_Dutch.png) + + +![](../Hive%20Systems%20Password%20Table%20-%202024%20Square.png) + + + diff --git a/Corpus/Sparks/Customer Managed Keys.md b/Corpus/Sparks/Information Security/Customer Managed Keys.md similarity index 95% rename from Corpus/Sparks/Customer Managed Keys.md rename to Corpus/Sparks/Information Security/Customer Managed Keys.md index daa71cf..8541469 100644 --- a/Corpus/Sparks/Customer Managed Keys.md +++ b/Corpus/Sparks/Information Security/Customer Managed Keys.md @@ -1,10 +1,12 @@ +# BYOK: Customer Managed Keys + Asked Gemini, 30 juni 2025. Prompt: `What is meant by 'Bring your own encryption key?` Related: -- [a-8.24-Use-of-cryptography](../Standards/ISO27x/OST/27002/EN/a-8.24-Use-of-cryptography.md) -# Customer Managed Keys +- [a-8.24-Use-of-cryptography](../../Standards/ISO27x/OST/27002/EN/a-8.24-Use-of-cryptography.md) + 'Bring Your Own Encryption Key' (BYOK), also sometimes referred to as 'Bring Your Own Encryption' (BYOE) or 'Customer Managed Keys' (CMK), is a cloud computing security model that allows organizations to use and manage their own encryption keys for data stored in cloud environments, rather than relying on the cloud service provider to generate and manage the keys. 
diff --git a/Corpus/Sparks/Data maturity model NL overheid.md b/Corpus/Sparks/Information Security/Data maturity model NL overheid.md similarity index 98% rename from Corpus/Sparks/Data maturity model NL overheid.md rename to Corpus/Sparks/Information Security/Data maturity model NL overheid.md index f5db857..f423a5d 100644 --- a/Corpus/Sparks/Data maturity model NL overheid.md +++ b/Corpus/Sparks/Information Security/Data maturity model NL overheid.md @@ -1,4 +1,5 @@ # Data maturity model NL overheid + Een data maturity model helpt Nederlandse overheidsorganisaties bij het beoordelen, verbeteren en volwassen maken van hun datamanagementpraktijken. Het model dient als een raamwerk om de huidige status van een organisatie op het gebied van data te beoordelen en verbeterplannen te identificeren. ### Elaboratie: diff --git a/Corpus/Sparks/Dealing with a reported application vulnerability Log4j.md b/Corpus/Sparks/Information Security/Dealing with a reported application vulnerability.md similarity index 71% rename from Corpus/Sparks/Dealing with a reported application vulnerability Log4j.md rename to Corpus/Sparks/Information Security/Dealing with a reported application vulnerability.md index 9ba0110..818899d 100644 --- a/Corpus/Sparks/Dealing with a reported application vulnerability Log4j.md +++ b/Corpus/Sparks/Information Security/Dealing with a reported application vulnerability.md @@ -1,3 +1,4 @@ +# Dealing with a reported application vulnerability # Context A vulnerability in a widely used open source library is published. 
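Review bot: The added `# Dealing with a reported application vulnerability` is immediately followed by the existing `# Context`, leaving the note with two consecutive H1 headings; demote `# Context` (and its sibling section headings) to `##`, matching the `## Relevant ISO 27001 controls` heading in the next hunk. The rename also drops `Log4j` from the filename while the body only speaks of "a widely used open source library"; if the note is meant to stay generic, consider naming Log4j once in the text as the original case so that history is not lost.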
@@ -32,16 +33,16 @@ Do an impact analyses and identify a treatment: ## Relevant ISO 27001 controls -The main control of interest here is [ISO 27001 A 12.6.1 Management of technical vulnerabilities](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2012.6.1%20Management%20of%20technical%20vulnerabilities.md), which ensures timely awareness of vulnerabilities through [ISO 27001 A 6.1.4 Contact with special interest groups](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%206.1.4%20Contact%20with%20special%20interest%20groups.md), evaluation of an organization’s exposure, and having set [ISO 27001 A 16.1.1 Responsibilities and procedures](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2016.1.1%20Responsibilities%20and%20procedures.md) to enable a quick and effective response. +The main control of interest here is [ISO 27001 A 12.6.1 Management of technical vulnerabilities](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2012.6.1%20Management%20of%20technical%20vulnerabilities.md), which ensures timely awareness of vulnerabilities through [ISO 27001 A 6.1.4 Contact with special interest groups](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%206.1.4%20Contact%20with%20special%20interest%20groups.md), evaluation of an organization’s exposure, and having set [ISO 27001 A 16.1.1 Responsibilities and procedures](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2016.1.1%20Responsibilities%20and%20procedures.md) to enable a quick and effective response. 
Stopping the gap: - [[ISO 27001 A 13.1.1 Network controls]] - [[ISO 27001 A 13.1.2 Security of network services]] -- [ISO 27001 A 12.5.1 Installation of software on operational systems](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2012.5.1%20Installation%20of%20software%20on%20operational%20systems.md) +- [ISO 27001 A 12.5.1 Installation of software on operational systems](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2012.5.1%20Installation%20of%20software%20on%20operational%20systems.md) Preventative measures: -- [ISO 27001 A 12.6.2 Restrictions on software installation](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2012.6.2%20Restrictions%20on%20software%20installation.md) +- [ISO 27001 A 12.6.2 Restrictions on software installation](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2012.6.2%20Restrictions%20on%20software%20installation.md) - [[ISO 27001 A 14.1.1 Information security requirements analysis and specification]] - [[ISO 27001 14.2.1 Secure development policy]] - [[ISO 27001 A 14.2.7 Outsourced development]] -- [ISO 27001 A 18 Compliance](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md) of systems +- [ISO 27001 A 18 Compliance](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md) of systems diff --git a/Corpus/Sparks/Examples of Risk Avoidance.md b/Corpus/Sparks/Information Security/Examples of Risk Avoidance.md similarity index 90% rename from Corpus/Sparks/Examples of Risk Avoidance.md rename to Corpus/Sparks/Information Security/Examples of Risk Avoidance.md index 9d5a6dc..17aee6c 100644 --- a/Corpus/Sparks/Examples of Risk Avoidance.md +++ b/Corpus/Sparks/Information Security/Examples of Risk Avoidance.md 
@@ -1,8 +1,10 @@ +# Examples of Risk Avoidance + *ChatGPT prompt: In risk management, risks can be assigned a treatment strategy. Generally this is a choice between mitigate, transfer, accept or avoid. Give me some examples of possible courses of actions for risks in the 'avoid' category.* *ChatGPT output, August 22, 2024:* -Certainly! When a risk is categorized under 'avoid,' it means taking steps to eliminate the possibility of the risk occurring. Here are some examples of possible courses of action for risks in the 'avoid' category: +When a risk is categorized under 'avoid,' it means taking steps to eliminate the possibility of the risk occurring. Here are some examples of possible courses of action for risks in the 'avoid' category: 1. **Changing the Project Scope:** - If a project involves a high-risk task, one can alter the project's scope to exclude that task altogether, thereby avoiding the risk. diff --git a/Corpus/Sparks/Information Security/Examples of vendor selection questionnaires.md b/Corpus/Sparks/Information Security/Examples of vendor selection questionnaires.md new file mode 100644 index 0000000..d9d70b4 --- /dev/null +++ b/Corpus/Sparks/Information Security/Examples of vendor selection questionnaires.md @@ -0,0 +1,7 @@ +# Examples of vendor selection questionnaires + +- [Dropbox](../../Literature%20notes/Dropbox%20Supplier%20Security%20Requirements.md) +- [Google](https://vsaq-demo.withgoogle.com) + +Related: +- [Vendor security MoC](../Vendor%20security%20MoC.md) \ No newline at end of file diff --git a/Corpus/Sparks/Gedachten over rechtenstructuren.md b/Corpus/Sparks/Information Security/Gedachten over rechtenstructuren.md similarity index 100% rename from Corpus/Sparks/Gedachten over rechtenstructuren.md rename to Corpus/Sparks/Information Security/Gedachten over rechtenstructuren.md 
diff --git a/Corpus/Sparks/Key Topics for a Classified Information Security Policy.md b/Corpus/Sparks/Key Topics for a policy on handling classified information.md similarity index 98% rename from Corpus/Sparks/Key Topics for a Classified Information Security Policy.md rename to Corpus/Sparks/Key Topics for a policy on handling classified information.md index 5150ea2..3a1211a 100644 --- a/Corpus/Sparks/Key Topics for a Classified Information Security Policy.md +++ b/Corpus/Sparks/Key Topics for a policy on handling classified information.md @@ -1,3 +1,5 @@ +# Key Topics for a policy on handling classified information + A comprehensive policy on handling classified information should address the following key topics to ensure its security and confidentiality: 1. Classification Levels and Criteria: diff --git a/Corpus/Sparks/Pasted image 20260514155842.png b/Corpus/Sparks/Pasted image 20260514155842.png new file mode 100644 index 0000000..93f7a4b Binary files /dev/null and b/Corpus/Sparks/Pasted image 20260514155842.png differ diff --git a/Corpus/Sparks/Cloud Service Approval Process.md b/Corpus/Sparks/Policy examples/Cloud Service Approval Process.md similarity index 100% rename from Corpus/Sparks/Cloud Service Approval Process.md rename to Corpus/Sparks/Policy examples/Cloud Service Approval Process.md diff --git a/Corpus/Sparks/Cloud Service Employee Guidelines.md b/Corpus/Sparks/Policy examples/Cloud Service Employee Guidelines.md similarity index 100% rename from Corpus/Sparks/Cloud Service Employee Guidelines.md rename to Corpus/Sparks/Policy examples/Cloud Service Employee Guidelines.md diff --git a/Corpus/Sparks/Cloud Service Risk Assessment Guide.md b/Corpus/Sparks/Policy examples/Cloud Service Risk Assessment Guide.md similarity index 100% rename from Corpus/Sparks/Cloud Service Risk Assessment Guide.md rename to Corpus/Sparks/Policy examples/Cloud Service Risk Assessment Guide.md 
diff --git a/Corpus/Sparks/Cloud Service Risk Mitigation Roadmap.md b/Corpus/Sparks/Policy examples/Cloud Service Risk Mitigation Roadmap.md similarity index 100% rename from Corpus/Sparks/Cloud Service Risk Mitigation Roadmap.md rename to Corpus/Sparks/Policy examples/Cloud Service Risk Mitigation Roadmap.md diff --git a/Corpus/Sparks/Product Journeys.md b/Corpus/Sparks/Product Journeys.md index 28594a3..bf37db5 100644 --- a/Corpus/Sparks/Product Journeys.md +++ b/Corpus/Sparks/Product Journeys.md @@ -2,5 +2,5 @@ tags: - business_process --- -[CICD pipeline components](CICD%20pipeline%20components.md) +[CICD pipeline components](../Various/Business%20processes/CICD%20pipeline%20components.md) diff --git a/Corpus/Sparks/Ransomware Playbook.md b/Corpus/Sparks/Ransomware Playbook.md index ba70f93..3ac0fc6 100644 --- a/Corpus/Sparks/Ransomware Playbook.md +++ b/Corpus/Sparks/Ransomware Playbook.md @@ -5,7 +5,7 @@ Also see: See also: - [a-5.30-ICT-readiness-for-business-continuity](../Standards/ISO27x/OST/27002/EN/a-5.30-ICT-readiness-for-business-continuity.md) - [BCP_Bedrijfscontinuïteitsplanning](../📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md) -- [Disaster Recovery Planning](Disaster%20Recovery%20Planning.md) +- [Disaster Recovery Planning](ISMS/Disaster%20Recovery%20Planning.md) 3 Phases: - Prevention diff --git a/Corpus/Sparks/Risk analysis.md b/Corpus/Sparks/Risk analysis.md index 0b441ab..5e58344 100644 --- a/Corpus/Sparks/Risk analysis.md +++ b/Corpus/Sparks/Risk analysis.md @@ -5,7 +5,7 @@ aliases: See also under [Threat](../📚️%20Literature%20notes/Threat.md) [Open Group Risk Analysis Standard (O-RA)](https://pubs.opengroup.org/security/o-ra/) -[Open Group FAIR \ ISO 27005 Cookbook for Risk Assessment](FAIR%20ISO%2027005%20Cookbook.pdf) +[Open Group FAIR \ ISO 27005 Cookbook for Risk Assessment](../Standards/ISO27x/FAIR%20ISO%2027005%20Cookbook.pdf) [SURF Toolkit risicobeoordeling](SURF%20Toolkit%20risicobeoordeling.md) 
diff --git a/Corpus/Sparks/Risk inventories.md b/Corpus/Sparks/Risk inventories.md index 7dfe9eb..72f1a00 100644 --- a/Corpus/Sparks/Risk inventories.md +++ b/Corpus/Sparks/Risk inventories.md @@ -13,8 +13,8 @@ Zie ook: [SCF Risk Categories for Establishing a Risk Catalog](../Standards/other/SCF%20Risk%20Categories%20for%20Establishing%20a%20Risk%20Catalog.md) [SCF Threat Categories for Establishing a Threat Catalog](../Standards/other/SCF%20Threat%20Categories%20for%20Establishing%20a%20Threat%20Catalog.md) -[](Carnegie%20Mellon%20Taxonomy%20of%20Operational%20Cyber%20Security%20Risks%20Version%202.pdf) -[CRF Threat Taxonomy 2024](CRF-Threat-Taxonomy-v2024.pdf) +[](Taxonomy%20of%20Operational%20Cyber%20Security%20Risks.pdf) +[CRF Threat Taxonomy 2024](Information%20Security/CRF-Threat-Taxonomy-v2024.pdf) [Enisa Threat Taxonomy](https://www.enisa.europa.eu/topics/cyber-threats/threats-and-trends/enisa-threat-landscape/threat-taxonomy) [MITRE ATT&CK](https://attack.mitre.org) [MITRE D3FEND](https://d3fend.mitre.org) diff --git a/Corpus/Sparks/Risk ownership.md b/Corpus/Sparks/Risk ownership.md index 439815f..f30455e 100644 --- a/Corpus/Sparks/Risk ownership.md +++ b/Corpus/Sparks/Risk ownership.md @@ -1,6 +1,6 @@ # Risk Ownership -See also [Asset ownership](Asset%20ownership.md), [Control ownership](Control%20ownership.md) +See also [Asset ownership](Asset%20ownership.md), [Control ownership](ISMS/Control%20ownership.md) **ISO 27001 explicit mention of risk ownership:** - C 6.1.2 c2: Risks should have an owner diff --git a/Corpus/Sparks/Risk treatment.md b/Corpus/Sparks/Risk treatment.md index 8bf6c6d..e0f1e30 100644 --- a/Corpus/Sparks/Risk treatment.md +++ b/Corpus/Sparks/Risk treatment.md 
@@ -15,5 +15,5 @@ PMP Concepts ([source](https://www.pmlearningsolutions.com/blog/announcement-ppm * Transfer – shift the impact to a 3rd party * Mitigate – decrease the probability or impact -See also [Examples of Risk Avoidance](Examples%20of%20Risk%20Avoidance.md). +See also [Examples of Risk Avoidance](Information%20Security/Examples%20of%20Risk%20Avoidance.md). diff --git a/Corpus/Sparks/Risks.md b/Corpus/Sparks/Risks.md index 325adf2..d7aac35 100644 --- a/Corpus/Sparks/Risks.md +++ b/Corpus/Sparks/Risks.md @@ -7,7 +7,7 @@ See also slide decks made for workshop sessions. Those for Kaliber, Nedap and Networking4AL are the most recent. See also [Risk appetite 1](Risk%20appetite%201.md) -See also [Classificatie van risico's obv Oorzaken](Classificatie%20van%20risico's%20obv%20Oorzaken.md) +See also [Classificatie van risico's](ISMS/Classificatie%20van%20risico's.md) ## Definitions [Source](http://cybersecurity-materiality.com/) diff --git a/Corpus/Sparks/Roles and Responsibilities.md b/Corpus/Sparks/Roles and Responsibilities.md index b1c4370..a89bc3a 100644 --- a/Corpus/Sparks/Roles and Responsibilities.md +++ b/Corpus/Sparks/Roles and Responsibilities.md @@ -8,4 +8,4 @@ See also: # Ownership -See: [Asset ownership](Asset%20ownership.md), [Control ownership](Control%20ownership.md), [Risk ownership](Risk%20ownership.md) +See: [Asset ownership](Asset%20ownership.md), [Control ownership](ISMS/Control%20ownership.md), [Risk ownership](Risk%20ownership.md) diff --git a/Corpus/Sparks/Shadow IT risks.md b/Corpus/Sparks/Shadow IT risks.md index 2370ac7..204747f 100644 --- a/Corpus/Sparks/Shadow IT risks.md +++ b/Corpus/Sparks/Shadow IT risks.md 
@@ -1,9 +1,9 @@ See also: -- [Cloud Service Risk Mitigation Roadmap](Cloud%20Service%20Risk%20Mitigation%20Roadmap.md) +- [Cloud Service Risk Mitigation Roadmap](Policy%20examples/Cloud%20Service%20Risk%20Mitigation%20Roadmap.md) - [Shadow IT Policy for Responsible Technology Adoption](Shadow%20IT%20Policy%20for%20Responsible%20Technology%20Adoption.md) -- [Cloud Service Risk Assessment Guide](Cloud%20Service%20Risk%20Assessment%20Guide.md) -- [Cloud Service Approval Process](Cloud%20Service%20Approval%20Process.md) -- [Cloud Service Employee Guidelines](Cloud%20Service%20Employee%20Guidelines.md) +- [Cloud Service Risk Assessment Guide](Policy%20examples/Cloud%20Service%20Risk%20Assessment%20Guide.md) +- [Cloud Service Approval Process](Policy%20examples/Cloud%20Service%20Approval%20Process.md) +- [Cloud Service Employee Guidelines](Policy%20examples/Cloud%20Service%20Employee%20Guidelines.md) - [Surveys on Shadow IT usage](Surveys%20on%20Shadow%20IT%20usage.md) - [Dutch versions WiP](../../Clients/Humankind/Beleid%20voor%20Gebruik%20van%20SaaS%20HK.md) diff --git a/Corpus/Sparks/Sterke wachtwoorden in 2024.md b/Corpus/Sparks/Sterke wachtwoorden in 2024.md index 5f9c046..a3f08f1 100644 --- a/Corpus/Sparks/Sterke wachtwoorden in 2024.md +++ b/Corpus/Sparks/Sterke wachtwoorden in 2024.md @@ -1,6 +1,6 @@ # Sterke wachtwoorden in 2024 -[Cracking passwords in 2024](Cracking%20passwords%20in%202024.md), HOW MUCH TIME DOES IT TAKE? +[Cracking passwords in 2024](Information%20Security/Cracking%20passwords%20in%202024.md), HOW MUCH TIME DOES IT TAKE? **Three Random Words** [NCSC Three Random Words](https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words) diff --git a/Corpus/Sparks/Sticky labels.md b/Corpus/Sparks/Sticky labels.md index 0ac314c..362dc5a 100644 --- a/Corpus/Sparks/Sticky labels.md +++ b/Corpus/Sparks/Sticky labels.md 
@@ -1,4 +1,4 @@ Data travels; how to make labels stick? -Links to the [Privacy 1](Privacy%201.md) issue of [Data Provenance](Data%20Provenance.md) . +Links to the [Privacy 1](Privacy%201.md) issue of [Data Provenance](../Standards/AVG/Data%20Provenance.md) . diff --git a/Corpus/Sparks/Carnegie Mellon Taxonomy of Operational Cyber Security Risks Version 2.pdf b/Corpus/Sparks/Taxonomy of Operational Cyber Security Risks.pdf similarity index 100% rename from Corpus/Sparks/Carnegie Mellon Taxonomy of Operational Cyber Security Risks Version 2.pdf rename to Corpus/Sparks/Taxonomy of Operational Cyber Security Risks.pdf diff --git a/Corpus/Sparks/Vendor security MoC.md b/Corpus/Sparks/Vendor security MoC.md index dcdea76..367cd5f 100644 --- a/Corpus/Sparks/Vendor security MoC.md +++ b/Corpus/Sparks/Vendor security MoC.md @@ -18,7 +18,7 @@ - [Contracting and Procurement](../Standards/CISSP/CISSP_OSG8_D1_C4.md) See also: -- [Examples of vendor selection questionnaires](Examples%20of%20vendor%20selection%20questionnaires.md) +- [Examples of vendor selection questionnaires](Information%20Security/Examples%20of%20vendor%20selection%20questionnaires.md) - [Draft Vendor and Product checklist](../Literature%20notes/Draft%20Vendor%20and%20Product%20checklist.md) - [Veiligheidseisen aan Leveranciers Junis](../../Clients/Junis/Veiligheidseisen%20aan%20Leveranciers%20Junis.md) - [Vulnerability Disclosure Policy](Vulnerability%20Disclosure%20Policy.md) diff --git a/Corpus/Sparks/Vibe Coding MoC.md b/Corpus/Sparks/Vibe Coding MoC.md index 4a8108f..4a895b0 100644 --- a/Corpus/Sparks/Vibe Coding MoC.md +++ b/Corpus/Sparks/Vibe Coding MoC.md 
@@ -7,6 +7,6 @@ tags: [The Ultimate Vibe Coding Guide](The%20Ultimate%20Vibe%20Coding%20Guide.md) [Vibe Coding Tips](Vibe%20Coding%20Tips.md) [Rules to get better code](Rules%20to%20get%20better%20code.md) -[Application Security for Vibe Coding](Application%20Security%20for%20Vibe%20Coding.md) +[Application Security for Vibe Coding](../Various/Application%20Security%20for%20Vibe%20Coding.md) https://quick-code-launch.lovable.app/ diff --git a/Corpus/Sparks/Vulnerability 1.md b/Corpus/Sparks/Vulnerability 1.md index 14b1365..93d1376 100644 --- a/Corpus/Sparks/Vulnerability 1.md +++ b/Corpus/Sparks/Vulnerability 1.md @@ -8,7 +8,7 @@ See also: - [Risks](..//Risks.md) - [Threat](../📚️%20Literature%20notes/Threat.md) - [Vulnerability Disclosure Policy](Vulnerability%20Disclosure%20Policy.md) -- [Dealing with a reported application vulnerability Log4j](Dealing%20with%20a%20reported%20application%20vulnerability%20Log4j.md) +- [Dealing with a reported application vulnerability](Information%20Security/Dealing%20with%20a%20reported%20application%20vulnerability.md) - [Software vulnerability databases](../Literature%20notes/Software%20vulnerability%20databases.md) - (https://www.google.nl/search?q=software+vulnerability+databases) - [API Endpoint Vulnerabilities](https://www.reblaze.com/blog/api-security/how-hackers-attack-your-mobile-apps-part-3-api-endpoint-vulnerabilities/) diff --git a/Corpus/Sparks/Vulnerability Disclosure Policy.md b/Corpus/Sparks/Vulnerability Disclosure Policy.md index 2a540db..e3d01b1 100644 --- a/Corpus/Sparks/Vulnerability Disclosure Policy.md +++ b/Corpus/Sparks/Vulnerability Disclosure Policy.md 
@@ -1,5 +1,5 @@ Having a permissive vulnerability disclosure policy (VDP) encourages security research, and is a key characteristic of a good, mature security program. It encourages transparency. For you as a vendor, it enhances [Vendor security MoC](Vendor%20security%20MoC.md) towards your customers. -As a customer, you may check for a VDP when creatingyour [Examples of vendor selection questionnaires](Examples%20of%20vendor%20selection%20questionnaires.md). +As a customer, you may check for a VDP when creatingyour [Examples of vendor selection questionnaires](Information%20Security/Examples%20of%20vendor%20selection%20questionnaires.md). diff --git a/Corpus/Sparks/rumc-eigenaarschap.png b/Corpus/Sparks/rumc-eigenaarschap.png new file mode 100644 index 0000000..0055e12 Binary files /dev/null and b/Corpus/Sparks/rumc-eigenaarschap.png differ diff --git a/Corpus/Sparks/AVG Rechtsgronden voor verwerking.md b/Corpus/Standards/AVG/AVG Rechtsgronden voor verwerking.md similarity index 86% rename from Corpus/Sparks/AVG Rechtsgronden voor verwerking.md rename to Corpus/Standards/AVG/AVG Rechtsgronden voor verwerking.md index 699afa5..659694b 100644 --- a/Corpus/Sparks/AVG Rechtsgronden voor verwerking.md +++ b/Corpus/Standards/AVG/AVG Rechtsgronden voor verwerking.md @@ -1,4 +1,4 @@ -Zie ook [AVG Rechtmatigheid van de verwerking](../Standards/AVG/AVG%20Rechtmatigheid%20van%20de%20verwerking.md) +Zie ook [AVG Rechtmatigheid van de verwerking](AVG%20Rechtmatigheid%20van%20de%20verwerking.md) Noodzakelijk voor de uitvoering van een contract, voorbeeld: naam en adres zijn nodig om de bestelde spullen te kunnen leveren. Maar let op “absoluut noodzakelijk”. diff --git a/Corpus/Sparks/Data Provenance.md b/Corpus/Standards/AVG/Data Provenance.md similarity index 100% rename from Corpus/Sparks/Data Provenance.md rename to Corpus/Standards/AVG/Data Provenance.md 
diff --git a/Corpus/Standards/ISO27x/Authorization.md b/Corpus/Standards/ISO27x/Authorization.md index 9bab89d..060c8ec 100644 --- a/Corpus/Standards/ISO27x/Authorization.md +++ b/Corpus/Standards/ISO27x/Authorization.md @@ -2,8 +2,8 @@ Authorization is the mechanism that determines the access level(s) of the subjects to the objects. See also: -- [Authorization vs Access Control](../../Sparks/Authorization%20vs%20Access%20Control.md) -- [Access Control Models](../../Sparks/Access%20Control%20Models.md) +- [Authorization vs Access Control](../../Sparks/ISMS/Authorization%20vs%20Access%20Control.md) +- [Access Control Models](../../Sparks/ISMS/Access%20Control%20Models.md) - [Authentication](Authentication.md) - [Identification](../../Sparks/Identification.md) - [CASSM Consumer Authentication Strength Maturity Model](../../Literature%20notes/CASSM%20Consumer%20Authentication%20Strength%20Maturity%20Model.md) diff --git a/Corpus/Sparks/FAIR ISO 27005 Cookbook.pdf b/Corpus/Standards/ISO27x/FAIR ISO 27005 Cookbook.pdf similarity index 100% rename from Corpus/Sparks/FAIR ISO 27005 Cookbook.pdf rename to Corpus/Standards/ISO27x/FAIR ISO 27005 Cookbook.pdf diff --git a/Corpus/Standards/ISO27x/ISO 27k standards overview.md b/Corpus/Standards/ISO27x/ISO 27k standards overview.md index cfe2395..3f4e3aa 100644 --- a/Corpus/Standards/ISO27x/ISO 27k standards overview.md +++ b/Corpus/Standards/ISO27x/ISO 27k standards overview.md 
@@ -26,7 +26,7 @@ NL brontekst: See also: - [Plain English ISO IEC 27002 2005 from Praxiom](https://www.praxiom.com/iso-17799-objectives.htm) -- [Changes in ISO 27001:2022 (table)](../../Sparks/Detailed%20comparison%20between%202017%20and%202022.md) +- [Changes in ISO 27001:2022 (table)](OST/27001/Detailed%20comparison%20between%202017%20and%202022.md) - [[ISO 27002 2022 What's New]] - [ISO_27001_2023_NL_Aanpassingen](OST/ISO_27001_2023_NL_Aanpassingen.md) - [Changes in ISO 27001_2022_Advisera](../../../../iso27DIY-gis/reference/Changes%20in%20ISO%2027001_2022_Advisera.md) diff --git a/Corpus/Standards/ISO27x/Implementation Products/BIA Workshop.md b/Corpus/Standards/ISO27x/Implementation Products/BIA Workshop.md index 62d444f..2ef04f9 100644 --- a/Corpus/Standards/ISO27x/Implementation Products/BIA Workshop.md +++ b/Corpus/Standards/ISO27x/Implementation Products/BIA Workshop.md @@ -7,7 +7,7 @@ Voorbeelden: [Verbeterlijst](Verbeterlijst%20Producten.md#BIA%20Workshop) Literature notes: -- [Business Impact Analysis (BIA)](../../../Sparks/Business%20Impact%20Analysis%20(BIA).md) +- [Business Impact Analysis (BIA)](../../../Sparks/ISMS/Business%20Impact%20Analysis%20(BIA).md) **Doel:** diff --git a/Corpus/Standards/ISO27x/Implementation Products/DRP Workshop.md b/Corpus/Standards/ISO27x/Implementation Products/DRP Workshop.md index 7573cdb..71f0314 100644 --- a/Corpus/Standards/ISO27x/Implementation Products/DRP Workshop.md +++ b/Corpus/Standards/ISO27x/Implementation Products/DRP Workshop.md 
@@ -5,7 +5,7 @@ Voorbeelden: - [BIA en DRP Sessies HK](../../../../Clients/Humankind/BIA%20en%20DRP%20Sessies%20HK.md) Literatuur: -- [Disaster Recovery Planning](../../../Sparks/Disaster%20Recovery%20Planning.md) +- [Disaster Recovery Planning](../../../Sparks/ISMS/Disaster%20Recovery%20Planning.md) Doelen: - RPO – Recovery Point Objective (assets) – acceptable data loss; the point in time that you wish to recover to (maar wellicht ook een maat voor hoe vaak je een noodvoorziening (als een print-out van een rooster) moet verversen) diff --git a/Corpus/Standards/ISO27x/MoC Roles and responsibilities in ISO 27001.md b/Corpus/Standards/ISO27x/MoC Roles and responsibilities in ISO 27001.md index 7e62e9d..801f19f 100644 --- a/Corpus/Standards/ISO27x/MoC Roles and responsibilities in ISO 27001.md +++ b/Corpus/Standards/ISO27x/MoC Roles and responsibilities in ISO 27001.md @@ -16,4 +16,4 @@ Older: - [Ideas on Risk Ownership](../../Sparks/Ideas%20on%20Risk%20Ownership.md) - [Asset ownership](../../Sparks/Asset%20ownership.md) - [Procuratieregeling](../../Various/Procuratieregeling.md) -- [Control ownership](../../Sparks/Control%20ownership.md) +- [Control ownership](../../Sparks/ISMS/Control%20ownership.md) diff --git a/Corpus/Sparks/Detailed comparison between 2017 and 2022.md b/Corpus/Standards/ISO27x/OST/27001/Detailed comparison between 2017 and 2022.md similarity index 99% rename from Corpus/Sparks/Detailed comparison between 2017 and 2022.md rename to Corpus/Standards/ISO27x/OST/27001/Detailed comparison between 2017 and 2022.md index 8621cad..773337d 100644 --- a/Corpus/Sparks/Detailed comparison between 2017 and 2022.md +++ b/Corpus/Standards/ISO27x/OST/27001/Detailed comparison between 2017 and 2022.md 
@@ -2,7 +2,7 @@ According to [Mark Bernard](https://www.linkedin.com/posts/markesbernard_the-changes-to-isoiec-27001-isms-are-not-activity-7344467878198329344-nZN7) , 28 juni 2025, "The changes to ISO/IEC 27001 ISMS are not straightforward. Some believe that the total number of controls was reduced; however, the truth is that new controls were added while existing controls were consolidated and streamlined." -![](iso27001_changes_table.jpeg) +![](../../../../Sparks/iso27001_changes_table.jpeg) ## New ISMS Control Objectives - ISO 27001:2022 CLAUSE 4 TO 10 diff --git a/Corpus/Standards/ISO27x/legacy/iso27DIY mk I/ISO 27001 benefits.md b/Corpus/Standards/ISO27x/legacy/iso27DIY mk I/ISO 27001 benefits.md index bc159ef..ee75836 100644 --- a/Corpus/Standards/ISO27x/legacy/iso27DIY mk I/ISO 27001 benefits.md +++ b/Corpus/Standards/ISO27x/legacy/iso27DIY mk I/ISO 27001 benefits.md @@ -2,7 +2,7 @@ - Easier sales - Accelerates your customer’s Purchase Decision Process ("Sell with Confidence. Worldwide.") - - Certification for this standard is increasingly becoming a knock-out criterium for [Examples of vendor selection questionnaires](../../../../Sparks/Examples%20of%20vendor%20selection%20questionnaires.md). + - Certification for this standard is increasingly becoming a knock-out criterium for [Examples of vendor selection questionnaires](../../../../Sparks/Information%20Security/Examples%20of%20vendor%20selection%20questionnaires.md). - Raises your infosec maturity level - Raise your [Maturity Models](../../../../📚️%20Literature%20notes/Maturity%20Models.md) from incident driven to improvement focussed - Continual improvement of security diff --git a/Corpus/Standards/ISO27x/legacy/iso27DIY mk I/ISO27DIY Business drivers.md b/Corpus/Standards/ISO27x/legacy/iso27DIY mk I/ISO27DIY Business drivers.md index e21ab7d..4011cb4 100644 --- a/Corpus/Standards/ISO27x/legacy/iso27DIY mk I/ISO27DIY Business drivers.md 
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY mk I/ISO27DIY Business drivers.md @@ -1,3 +1,3 @@ - [Perverse prikkels in de normindustrie](../../../../Sparks/Perverse%20prikkels%20in%20de%20normindustrie.md) -- [GRC software is geschreven voor domeindeskundigen](../../../../Sparks/GRC%20software%20is%20geschreven%20voor%20domeindeskundigen.md) +- [GRC software is geschreven voor domeindeskundigen](../../../../../Content%20Factory/Scratch%20file/GRC%20software%20is%20geschreven%20voor%20domeindeskundigen.md) - [Problems solved 1](../../../../Sparks/Problems%20solved%201.md) diff --git a/Corpus/Sparks/Application Security for Vibe Coding.md b/Corpus/Various/Application Security for Vibe Coding.md similarity index 97% rename from Corpus/Sparks/Application Security for Vibe Coding.md rename to Corpus/Various/Application Security for Vibe Coding.md index fa22b8f..2b36d8b 100644 --- a/Corpus/Sparks/Application Security for Vibe Coding.md +++ b/Corpus/Various/Application Security for Vibe Coding.md @@ -1,11 +1,3 @@ ---- -tags: - - project/iso27DIY - - dev - - appsec - - "#vibecoding" - - SupaBase ---- # Application Security for Vibe Coding **Suggested approaches** diff --git a/Corpus/Sparks/Deciding which functionality goes where.md b/Corpus/Various/Application architecture.md similarity index 96% rename from Corpus/Sparks/Deciding which functionality goes where.md rename to Corpus/Various/Application architecture.md index 11b2ee0..b3d23ec 100644 --- a/Corpus/Sparks/Deciding which functionality goes where.md +++ b/Corpus/Various/Application architecture.md @@ -1,13 +1,5 @@ ---- -tags: - - iso27DIY - - stack - - WeWeb - - SupaBase - - dev - - design ---- -# Deciding which functionality goes where + +# Application architecture – Deciding which functionality goes where Here’s a decision framework to help you choose the right approach for each piece of functionality: 
diff --git a/Corpus/Sparks/Assessing reputational risks.md b/Corpus/Various/Assessing reputational risks.md similarity index 96% rename from Corpus/Sparks/Assessing reputational risks.md rename to Corpus/Various/Assessing reputational risks.md index d015ab3..0270053 100644 --- a/Corpus/Sparks/Assessing reputational risks.md +++ b/Corpus/Various/Assessing reputational risks.md @@ -12,4 +12,4 @@ From a [LinkedIn post](https://www.linkedin.com/feed/update/urn:li:activity:7272 4. Identify levers: What actions (preemptive or reactive) are you able to take or plan? Probably only a handful. The good news is that your levers almost certainly mitigate >90% of the negative reputation outcomes. -![](Reputation%20Risk%20Analysis.jpeg) \ No newline at end of file +![](../Sparks/Reputation%20Risk%20Analysis.jpeg) \ No newline at end of file diff --git a/Corpus/Sparks/Auditors little helper.md b/Corpus/Various/Auditors little helper.md similarity index 100% rename from Corpus/Sparks/Auditors little helper.md rename to Corpus/Various/Auditors little helper.md diff --git a/Corpus/Sparks/Break-glass account.md b/Corpus/Various/Break-glass account.md similarity index 100% rename from Corpus/Sparks/Break-glass account.md rename to Corpus/Various/Break-glass account.md diff --git a/Corpus/Sparks/Bug bounty program.md b/Corpus/Various/Bug bounty program.md similarity index 100% rename from Corpus/Sparks/Bug bounty program.md rename to Corpus/Various/Bug bounty program.md diff --git a/Corpus/Sparks/Building functionality in Supabase.md b/Corpus/Various/Building functionality in Supabase.md similarity index 100% rename from Corpus/Sparks/Building functionality in Supabase.md rename to Corpus/Various/Building functionality in Supabase.md 
diff --git a/Corpus/Sparks/CICD pipeline components.md b/Corpus/Various/Business processes/CICD pipeline components.md similarity index 96% rename from Corpus/Sparks/CICD pipeline components.md rename to Corpus/Various/Business processes/CICD pipeline components.md index 5091d6e..8fce3de 100644 --- a/Corpus/Sparks/CICD pipeline components.md +++ b/Corpus/Various/Business processes/CICD pipeline components.md @@ -3,9 +3,9 @@ tags: - business_process --- Related: -- [8.25 Secure development life cycle](../Standards/ISO27x/OST/27002/EN/a-8.25-Secure-development-life-cycle.md) -- [8.28 Secure coding](../Standards/ISO27x/OST/27002/EN/a-8.28-Secure-coding.md) -- [8.29 Security testing in development and acceptance](../Standards/ISO27x/OST/27002/EN/a-8.29-Security-testing-in-development-and-acceptance.md) +- [8.25 Secure development life cycle](../../Standards/ISO27x/OST/27002/EN/a-8.25-Secure-development-life-cycle.md) +- [8.28 Secure coding](../../Standards/ISO27x/OST/27002/EN/a-8.28-Secure-coding.md) +- [8.29 Security testing in development and acceptance](../../Standards/ISO27x/OST/27002/EN/a-8.29-Security-testing-in-development-and-acceptance.md) # CI/CD pipeline components diff --git a/Corpus/Various/Business processes/DevSecOps and ISO 27k.md b/Corpus/Various/Business processes/DevSecOps and ISO 27k.md new file mode 100644 index 0000000..f6473b4 --- /dev/null +++ b/Corpus/Various/Business processes/DevSecOps and ISO 27k.md 
@@ -0,0 +1,7 @@ +ISO 27001 seems to have a sort of outdated linear view of building and testing. +How do the controls fit in with DevSecOps? + +Related: +[ISO 27001 A.14.2.8 System security testing](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.14.2.8%20System%20security%20testing.md) +[ISO 27001 A.14.2.9 System acceptance testing](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.14.2.9%20System%20acceptance%20testing.md) +[Red, Blue, and Purple Teams](../../Literature%20notes/Red,%20Blue,%20and%20Purple%20Teams.md) \ No newline at end of file diff --git a/Corpus/Various/Organizational Journeys.md b/Corpus/Various/Business processes/Organizational Journeys.md similarity index 100% rename from Corpus/Various/Organizational Journeys.md rename to Corpus/Various/Business processes/Organizational Journeys.md diff --git a/Corpus/Sparks/C4 model for software development/C1-example.png.avif b/Corpus/Various/C4 model for software development/C1-example.png.avif similarity index 100% rename from Corpus/Sparks/C4 model for software development/C1-example.png.avif rename to Corpus/Various/C4 model for software development/C1-example.png.avif diff --git a/Corpus/Sparks/C4 model for software development/C1-example2 1.png b/Corpus/Various/C4 model for software development/C1-example2 1.png similarity index 100% rename from Corpus/Sparks/C4 model for software development/C1-example2 1.png rename to Corpus/Various/C4 model for software development/C1-example2 1.png diff --git a/Corpus/Sparks/C4 model for software development/C2-example.png b/Corpus/Various/C4 model for software development/C2-example.png similarity index 100% rename from Corpus/Sparks/C4 model for software development/C2-example.png rename to Corpus/Various/C4 model for software development/C2-example.png 
diff --git a/Corpus/Sparks/C4 model for software development/C2-example2.png b/Corpus/Various/C4 model for software development/C2-example2.png similarity index 100% rename from Corpus/Sparks/C4 model for software development/C2-example2.png rename to Corpus/Various/C4 model for software development/C2-example2.png diff --git a/Corpus/Sparks/C4 model for software development/C3-example.png b/Corpus/Various/C4 model for software development/C3-example.png similarity index 100% rename from Corpus/Sparks/C4 model for software development/C3-example.png rename to Corpus/Various/C4 model for software development/C3-example.png diff --git a/Corpus/Sparks/C4 model for software development/C3-example2.png b/Corpus/Various/C4 model for software development/C3-example2.png similarity index 100% rename from Corpus/Sparks/C4 model for software development/C3-example2.png rename to Corpus/Various/C4 model for software development/C3-example2.png diff --git a/Corpus/Sparks/C4 model for software development/C4 model for software architecture.md b/Corpus/Various/C4 model for software development/C4 model for software architecture.md similarity index 100% rename from Corpus/Sparks/C4 model for software development/C4 model for software architecture.md rename to Corpus/Various/C4 model for software development/C4 model for software architecture.md diff --git a/Corpus/Sparks/C4 model for software development/C4-example.png b/Corpus/Various/C4 model for software development/C4-example.png similarity index 100% rename from Corpus/Sparks/C4 model for software development/C4-example.png rename to Corpus/Various/C4 model for software development/C4-example.png diff --git a/Corpus/Sparks/Connect LLM to Supabase to create content.md b/Corpus/Various/Connect LLM to Supabase to create content.md similarity index 100% rename from Corpus/Sparks/Connect LLM to Supabase to create content.md rename to Corpus/Various/Connect LLM to Supabase to create content.md 
diff --git a/Corpus/Sparks/Create a proactive conversational agent.md b/Corpus/Various/Create a proactive conversational agent.md similarity index 98% rename from Corpus/Sparks/Create a proactive conversational agent.md rename to Corpus/Various/Create a proactive conversational agent.md index 5af750b..ffb2fbd 100644 --- a/Corpus/Sparks/Create a proactive conversational agent.md +++ b/Corpus/Various/Create a proactive conversational agent.md @@ -74,8 +74,8 @@ Prompt: `elaborate on designing the slot configuration schema` Here's a detailed approach to designing a flexible slot configuration schema that can handle various conversation types and business requirements: ## Slot Configuration Database Schema -![](slot_config_schema.sql) -![](slot_config_erd.mermaid) +![](../Sparks/slot_config_schema.sql) +![](../Sparks/slot_config_erd.mermaid) This ERD shows the complete database schema for the conversational agent's slot configuration system. Here's a breakdown of the key relationships and design decisions: @@ -98,7 +98,7 @@ This ERD shows the complete database schema for the conversational agent's slot **slot_collection_attempts** provides detailed audit trail of user interactions for analytics and debugging Let me show you a Python implementation that demonstrates how to work with this schema: -![](slot_manager_implementation.py) +![](../Sparks/slot_manager_implementation.py) ### Key Design Features diff --git a/Corpus/Sparks/Create a threat analysis chatbot.md b/Corpus/Various/Create a threat analysis chatbot.md similarity index 100% rename from Corpus/Sparks/Create a threat analysis chatbot.md rename to Corpus/Various/Create a threat analysis chatbot.md diff --git a/Corpus/Sparks/Create an interview agent.md b/Corpus/Various/Create an interview agent.md similarity index 100% rename from Corpus/Sparks/Create an interview agent.md rename to Corpus/Various/Create an interview agent.md 
diff --git a/Corpus/Sparks/Design Document for ISO 27001 Certification Support Online Service.md b/Corpus/Various/Design Document for ISO 27001 Certification Support Online Service.md similarity index 100% rename from Corpus/Sparks/Design Document for ISO 27001 Certification Support Online Service.md rename to Corpus/Various/Design Document for ISO 27001 Certification Support Online Service.md diff --git a/Corpus/Sparks/Designing an Agent.md b/Corpus/Various/Designing an Agent.md similarity index 100% rename from Corpus/Sparks/Designing an Agent.md rename to Corpus/Various/Designing an Agent.md diff --git a/Corpus/Sparks/Design and Planning.md b/Corpus/Various/Designing and planning before coding.md similarity index 99% rename from Corpus/Sparks/Design and Planning.md rename to Corpus/Various/Designing and planning before coding.md index 33b8bf4..b3df226 100644 --- a/Corpus/Sparks/Design and Planning.md +++ b/Corpus/Various/Designing and planning before coding.md @@ -1,9 +1,4 @@ ---- -tags: - - project/iso27DIY - - dev - - design ---- +# Designing and planning before coding https://gemini.google.com/app/431233af439fce00 diff --git a/Corpus/Sparks/Elevator Pitch.md b/Corpus/Various/Elevator Pitch.md similarity index 90% rename from Corpus/Sparks/Elevator Pitch.md rename to Corpus/Various/Elevator Pitch.md index 4c50494..e9fe3f3 100644 --- a/Corpus/Sparks/Elevator Pitch.md +++ b/Corpus/Various/Elevator Pitch.md @@ -1,4 +1,5 @@ ## Elevator pitch + ISO27DIY is a method to implement information security management, and become ISO 27001 compliant, without the need for external consultants or expensive software. The ISO27DIY workshop series is freely available on YouTube, dramatically lowering the barrier for certification for small and medium enterprises to become ISO 27001 certified. Additional resources and support are available on the iso27diy.com website. 
@@ -10,4 +11,4 @@ Additional resources and support are available on the iso27diy.com website. * No need for external consultants or expensive software -See also [ISO27DIY benefits](ISO27DIY%20benefits.md) \ No newline at end of file +See also [ISO27DIY benefits](../Sparks/ISO27DIY%20benefits.md) \ No newline at end of file diff --git a/Corpus/Sparks/Example JSON file.md b/Corpus/Various/Example JSON file.md similarity index 100% rename from Corpus/Sparks/Example JSON file.md rename to Corpus/Various/Example JSON file.md diff --git a/Corpus/Various/Interne Audit Normity calculatie.numbers b/Corpus/Various/Interne Audit Normity calculatie.numbers deleted file mode 100644 index d6d8f39..0000000 Binary files a/Corpus/Various/Interne Audit Normity calculatie.numbers and /dev/null differ diff --git a/Corpus/Sparks/functional components of a RAG system.md b/Corpus/Various/functional components of a RAG system.md similarity index 100% rename from Corpus/Sparks/functional components of a RAG system.md rename to Corpus/Various/functional components of a RAG system.md
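Review bot: In the `Create a proactive conversational agent.md` hunks (`@@ -74,8 +74,8 @@` and `@@ -98,7 +98,7 @@`), the note is moved to `Corpus/Various` but its three attachments (`slot_config_schema.sql`, `slot_config_erd.mermaid`, `slot_manager_implementation.py`) are left behind in `Corpus/Sparks` and re-linked with `../Sparks/` relative paths. Since the rest of this patch empties `Corpus/Sparks`, these back-references will dangle as soon as that folder is removed; move the attachments alongside the note (or into a shared attachments folder) and keep the embeds relative to the note, e.g. `![](slot_config_schema.sql)`.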
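Review bot: In the `Design and Planning.md` rename hunk (`@@ -1,9 +1,4 @@`), replacing the YAML frontmatter with an H1 drops the `project/iso27DIY`, `dev` and `design` tags; anything that filters or queries notes by those tags will stop finding this one. Keep the `tags:` block above the new `# Designing and planning before coding` heading, and check that no other note still links to the old name `Design and Planning.md`, since this patch shows no such link updates.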
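Review bot: In the `Elevator Pitch.md` hunk (`@@ -10,4 +11,4 @@`), the link is rewritten to `../Sparks/ISO27DIY%20benefits.md`, but `ISO27DIY benefits.md` is not moved in this patch, so the file is again tied to the `Corpus/Sparks` folder that the rest of the change is vacating; move `ISO27DIY benefits.md` together with this note and link it relatively. The `\ No newline at end of file` is also retained on the modified line, so add the trailing newline while touching it.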
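Review bot: The deletion of `Corpus/Various/Interne Audit Normity calculatie.numbers` (binary) is unrelated to the Sparks-to-Various migration that the rest of this patch performs and has no replacement in the diff; either split it into its own commit with a message stating where the calculation now lives, or, if the spreadsheet is still needed, keep it and exclude it from this rename change.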
