richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Cleaned up Literature folder

Browse source
This commit is contained in:
Richard Kranendonk 2026-05-18 12:48:01 +02:00
parent 73a6380034
commit fe5eda4e05
586 changed files with 53911 additions and 2475 deletions
Download patch file Download diff file Expand all files Collapse all files

114
Content Factory/Organize your notes with Claude Code.md Normal file
View file

@ -0,0 +1,114 @@
---
tags:
- prompting
- obsidian
- llm
---
# Organize your notes with Claude Code
Heres what Claude Code did for me:
- Researched best practices for note organization
- Suggested the most effective method tailored to my structure
- Tagged all my notes, created templates, added missing tags in two languages, and even built MOCs (Maps of Content)
``` markdown
## Instructions
You will analyze the provided knowledge base structure and notes to create an improved organizational system. Follow these steps:
### Phase 1: Analysis
First, examine the current structure inside `<analysis>` tags:
**Current Organization Assessment**
- Identify the organizational method (folders, tags, links, or combination)- Note any patterns in naming conventions- Assess the depth of folder hierarchy- Identify potential information silos or duplicated content- Check for orphaned notes or broken connections
**Content Type Classification**
- Categorize the types of notes present (reference, project, personal, etc.)- Identify recurring themes or topics- Note the average length and complexity of notes- Determine if notes follow atomic principles or contain multiple concepts
**Usage Pattern Recognition**
- Identify how notes connect to each other- Assess the current linking strategy- Determine primary use cases (research, projects, learning, etc.)
### Phase 2: Recommendations
Based on your analysis, provide detailed recommendations inside `<recommendations>` tags:
1. **Organizational Structure**
Choose the most appropriate primary method:
- **Flat structure with MOCs** (Maps of Content) for maximum flexibility
- **PARA method** (Projects, Areas, Resources, Archive) for action-oriented systems
- **Hybrid approach** combining minimal folders with extensive linking
- Justify your choice based on the user's content and patterns
2. **Note Architecture**
Recommend note types:
- **Atomic notes** for single concepts
- **MOC notes** for topic organization
- **Index notes** for navigation
- **Daily notes** for capturing fleeting thoughts
Provide templates for each recommended note type
3. **Metadata and Tagging System**
- Design a hierarchical tag structure using nested tags (e.g., #type/article, #status/draft)
- Recommend YAML frontmatter properties for enhanced organization
- Suggest tag categories: content type, status, topic, source
3. **Linking Strategy**
- Establish linking conventions
- Recommend when to use links vs. tags
- Suggest MOC creation triggers (e.g., when a topic has 5+ related notes)
3. **Search and Retrieval Optimization**
- Recommend naming conventions for better search
- Suggest Dataview queries for dynamic organization
- Provide search operators for efficient retrieval
### Phase 3: Implementation Plan
Provide a step-by-step migration plan inside `<implementation>` tags:
**Preparation Phase** (Week 1)
- Backup current vault
- Install recommended plugins
- Create folder structure and initial MOCs
**Migration Phase** (Weeks 2-3)
- Prioritize notes for migration- Update note formats and add metadata- Create connections and MOCs
**Optimization Phase** (Week 4)
- Review and refine the system- Create documentation for future reference- Establish maintenance routines
### Phase 4: Practical Examples
Inside `<examples>` tags, provide:
**Before and after** examples of note organization
**Sample MOC structure** with Dataview queries
**Template examples** for different note types
**Example tag hierarchy** specific to their content
### Important Principles to Apply:
- **Future-proof design**: Create a system that scales with growth
- **Low-friction capture**: Ensure quick note creation without complex categorization
- **Progressive organization**: Start simple, add complexity as needed
- **Cross-referencing**: Maximize connections between related concepts
- **Regular maintenance**: Include periodic review processes
Remember to:
- Prioritize findability over perfect categorization
- Design for the user's "worst day" when they're tired or rushed
- Balance structure with flexibility
- Incorporate both explicit (folders/tags) and implicit (links) organization
- Consider AI-assisted search capabilities in modern tools
Your final output should be practical, actionable, and tailored to the specific content and usage patterns identified in the user's current system.
```

6
Content Factory/Scratch file/Data classification - how to make labels stick.md Normal file
View file

@ -0,0 +1,6 @@
# Data classification: how to make labels stick?
Data travels; how to make labels stick?
Links to the [Privacy in ISO 27001](../../Corpus/Standards/ISO27x/Privacy%20in%20ISO%2027001.md) issue of [Data Provenance](../../Corpus/Standards/AVG/Data%20Provenance.md) .

10
Content Factory/Scratch file/Hoe dwing je verantwoordelijkheid af.md Normal file
View file

@ -0,0 +1,10 @@
# Hoe dwing je verantwoordelijkheid af?
Een universiteit biedt onderzoeksafdelingen de mogelijkheid om vrijelijk hun applicaties en databases op te tuigen binnen hun eigen Kubernetes containers. Daarbij zijn ze zelf verantwoordelijk voor de informatiebeveiliging daarvan.
Het is vervolgens aan de IT afdeling om de containers te deployen. Daarbij ontdekken ze dat veel containers / applicaties / databases onveilig geconfigureerd zijn, oude versies van software met bekende kwetsbaarheden herbergen, etc.
Mijn stelling is dat er voor het succesvolle delegeren van de verantwoordelijk voor informatiebeveiliging in ieder geval nodig is: een prikkel om het ook goed te doen (bijv. niet in beheer nemen, kosten in rekening brengen, kwaliteit van de beveiliging als KPI van de afdeling), en kennis en resources het uit te voeren (of financiele middelen om het te laten doen).
Is er literatuur beschikbaar over deze kwestie? Zijn er andere succesvoorwaarden bekend?

290
Content Factory/Scratch file/Least privilege, need-to-know - principles vs practice.md Normal file
View file

@ -0,0 +1,290 @@
# Least privilege, need-to-know: principles vs practice
*Hypothesis: security frameworks promote least privilege and need-to-know for access control, while common dataclassification schemes and realworld practices frequently result in minimal or inconsistent protective measures until incidents or regulations force stricter controls.*
What is least privilege, need-to-know. and why is it important?
- The least privilege principle us defined as giving users only the access they need to perform their job, explicitly to reduce attack surface and limit damage if accounts are compromised.
- Excessive permissions and broad access are repeatedly identified as drivers of breaches in cloud environments, where overprivileged accounts magnify the blast radius of attacks, underscoring how leastprivilege is supposed to be a maximally conservative control principle, not a minimal one.
- Security organizations and vendors explicitly promote leastprivilege and needtoknow as foundational, proactive principles to minimize risk.
- Because of costeffective management, scalability, and operational efficiency, organizations choose to reserve stronger measures for only the highest sensitivity classes, and apply only baseline controls to the classes.
- Implementations often rely on subjective, userdriven decisions about how to classify information, which is acknowledged as inconsistent and prone to human error; this can lead to sensitive data being misclassified and not receiving appropriate protection until problems are discovered.
- Cloudsecurity analyses highlight misconfigurations and overly permissive identity and access management as primary causes of data breaches, showing that data is frequently more exposed than its intended classification or policy would suggest, especially when default or “internal” classifications are used with weak enforcement.
- Studies and policy critiques of government secrecy note pervasive overclassification of documents, which paradoxically strains controls and leads to mishandling and inconsistent protection because staff cannot realistically maintain highgrade measures for everything labeled sensitive.
- This dynamic supports the idea that classification is often used in a coarse, administrative way, with either overbroad “classified” labels or broad “internal/public” buckets, and the actual security measures tend to converge on what is minimally workable in practice rather than what the maxim of least privilege would prescribe.
- dataclassification guidance and breach analyses show that: lower classes are defined to warrant minimal controls, classification is inconsistently applied, and misconfigurations and overprivileged access remain dominant breach causes—together indicating that classification outcomes often default to minimal measures unless regulatory or incident pressure requires more.
*Hypothesis: the least privilege tends to be implemented more rigorously and systematically for technical/admin roles than for access to business information.*
- Modern Privileged Access Management (PAM) practices are explicitly built around leastprivilege: discover all privileged accounts, strip rights down to the minimum, enforce justintime elevation, and avoid privilege creep.
- Vendors and bestpractice guides describe mature patterns such as timebound admin elevation, granular rolebased admin roles, session recording, and centralized approval workflows, which directly optimize and monitor admin rights rather than leaving them broadly assigned.
## Persistent overprivilege for business data
- Datacentric security and DSPM literature repeatedly stresses that overprivileged access to business data (files, SaaS content, analytics datasets) is widespread, with the majority of granted permissions unused and many of them highrisk.[2]
- Case studies for SaaS data protection highlight “internal overexposure” as a primary issue: collaborative tools make it easy to share information widely, while security teams lack visibility to enforce “need to know” on everyday business documents, HR data, and customer information.[4][2]
## Indicators that least privilege is better enforced on IT/admin side
- PAM guidance calls least privilege “fundamental” and prescribes concrete control patterns (rolebased admin levels, justintime access, automatic revocation, monitoring) that are often implemented as dedicated tools and processes for admin accounts.[6][1][3]
- Insiderthreat and privilegerisk reports emphasize reducing privileged admin accounts and entitlement sprawl as key riskreduction goals, showing sustained focus and investment in tightening admin rights, especially in directories and infrastructure platforms.[7][8][9]
## Business information access lagging behind
- In contrast, protection of business information often reacts to discovered overexposure: organizations deploy DSPM or SaaS accessgovernance tools *because* they find that users can access far more data than they need, not because leastprivilege was consistently applied from the outset.[2][4]
- Guidance notes that collaboration platforms “lack capabilities” for teams to “properly protect” sensitive content, forcing retroactive cleanup of oversharing rather than proactive definition and enforcement of narrow, needtoknow scopes.[4]
## Overall pattern
- For admin/IT privileges, least privilege is operationalized via specialized tooling, distinct lifecycle processes, and strong monitoring, so the principle is closer to how it is stated in theory.[1][3][5][6]
- For access to business information, evidence of entitlement sprawl, unused permissions, and internal overexposure indicates that the effective norm is still broad access with minimal restriction, with least privilege applied selectively or after issues surface.[8][7][2][4]
Sources
[1] 10 Steps to Successful Privileged Access Management https://gotyto.com/thought-leadership/10-steps-to-successful-privileged-access-management/
[2] How DSPM Prevents Data Exposure from Overprivileged ... https://www.zscaler.com/blogs/product-insights/how-dspm-helps-prevent-data-exposure-overprivileged-access
[3] Privileged access management: Best practices, ... https://heimdalsecurity.com/blog/privileged-access-management-best-practices-implementation-and-tools/
[4] Data Access Controls for SaaS | Case Study: Vox Media https://www.docontrol.io/case-studies/vox-media
[5] PAM Lifecycle: In-depth Guide to Managing Privileged ... https://www.securden.com/blog/pam-lifecycle.html
[6] What is the Principle of Least Privilege? https://www.wallix.com/blogpost/what-is-the-principle-of-least-privilege-and-how-do-you-implement-it-2/
[7] The Business Risks of Excessive Privileged Access in ... https://www.lepide.com/blog/risks-of-excessive-privileged-access-in-active-directory/
[8] Insider Attacks Climb Sharply in 2024 Data Report https://www.cybersecurity-insiders.com/2024-insider-threat-report/
[9] 2024 Insider Threat Report: Key Risks and Cybersecurity ... https://cyberstrategyinstitute.com/2024-insider-threat-report-key-risks-and-cybersecurity-insights/
[10] How common is overly strict access to data in your org. https://www.reddit.com/r/datascience/comments/19aedoc/how_common_is_overly_strict_access_to_data_in/
# Google Gemini 1
*Hypothesis: “In cybersecurity we have the maxim least privilege, need to know, which translates as granting people the minimum of access rights needed for their job. Yet with data classification the result is often the minimum of measures, unless absolutely necessary”. Find supporting evidence for this claim.*
This hypothesis touches on a fundamental tension in cybersecurity: **Access Control** (which is restrictive by nature) versus **Data Classification** (which is often seen as an administrative burden).
While the principle of "Least Privilege" is a technical cornerstone enforced by systems, "Data Classification" relies heavily on human behavior and business costs, often leading to a "minimum viable effort" approach.
---
## 1. The Enforcement Gap
The primary reason for this discrepancy is how these two concepts are implemented.
- **Least Privilege (Restrictive):** This is often hard-coded into Identity and Access Management (IAM) systems. It is "fail-secure," meaning if you don't have the permission, you simply cannot perform the action.
- **Data Classification (Permissive):** Classification is often manual or semi-automated. Because over-classifying data (e.g., marking everything "Top Secret") creates massive operational friction and storage costs, organizations default to the lowest classification level unless a specific regulatory trigger (like PCI-DSS or GDPR) forces their hand.
## 2. Supporting Evidence for "Minimum Measures"
### The "Default to Public" Bias
Studies in organizational behavior suggest that employees view classification as a secondary task. According to various industry reports (such as the _Verizon Data Breach Investigations Report_), a significant portion of data breaches occur because sensitive data was stored in an unclassified or "General" folder. Organizations often apply the **minimum measure** of "Internal Use Only" to avoid the rigorous encryption and audit requirements of "Restricted" or "Confidential" tiers.
### Cost and Complexity of Controls
Data classification isn't just a label; its a commitment to a set of controls.
- **Storage Costs:** Highly classified data often requires expensive, redundant, and encrypted storage.
- Usability: Measures like Digital Rights Management (DRM) or strict Data Loss Prevention (DLP) rules can break workflows.
To maintain productivity, leadership often signs off on the "minimum necessary" classification to keep the business moving, effectively prioritizing availability over confidentiality.
### Compliance-Driven Security (The "Checklist" Mentality)
Many organizations treat data classification as a compliance checkbox rather than a security strategy.
- **Evidence:** In frameworks like ISO 27001, organizations are required to define classification levels. However, they often define them so broadly that the vast majority of data falls into a category with minimal protection.
- **The Result:** If a regulation doesn't specifically demand a measure (like per-file encryption), it is rarely implemented.
---
## 3. Comparing the Two Mindsets
|**Feature**|**Least Privilege (Access)**|**Data Classification (Protection)**|
|---|---|---|
|**Primary Goal**|Minimize the attack surface.|Categorize for handling.|
|**Default State**|Deny All.|Open/General (often).|
|**Friction Level**|High (but expected).|High (and often resisted).|
|**Implementation**|Technical/Automated.|Policy/Behavioral.|
---
## Summary of the Tension
The maxim "Least Privilege" is a **shield**, while Data Classification is often treated as a **filing system**. Because the latter requires constant manual effort and incurs operational costs, the "minimum of measures" becomes the path of least resistance. This creates a "security debt" where access is tight, but the data itself is poorly protected once an authorized user (or a compromised account) handles it.
# Google Gemini 2
Yes, your observation is supported by a significant "implementation gap" in modern cybersecurity. In short: **IT resources are protected by a "Shield" (Hard Enforcement), while Business Information is protected by a "Policy" (Soft Enforcement).**
The evidence for why "least privilege" is better implemented for IT admins compared to business data access boils down to three core drivers:
---
## 1. Technical Tooling: The PAM vs. Governance Gap
The industry has developed highly mature, automated tools for IT administration that do not yet have a seamless equivalent for everyday business data.
- **For IT Admins:** Tools like **Privileged Access Management (PAM)** (e.g., CyberArk, BeyondTrust) enable **Just-in-Time (JIT)** access. An IT admin has zero standing privileges; they must request "Domain Admin" rights for a specific window (e.g., 2 hours). Once the task is done, the system automatically strips the rights.
- **For Business Users:** Access to "Financial Projections" or "HR Records" usually relies on **Identity Governance and Administration (IGA)**. These are often static. Once a user is added to a "Finance" group, they stay there until a manual (and often "rubber-stamped") quarterly review happens. There is rarely a JIT system for reading a spreadsheet.
## 2. Risk Clarity: "Systemic" vs. "Incremental" Damage
Cybersecurity teams prioritize what they can clearly quantify.
- **IT Infrastructure (Systemic Risk):** A compromised admin account is an "extinction-level event" (e.g., ransomware deployment across the entire network). Because the **Blast Radius** is so high, management is willing to accept the friction of least privilege.
- **Business Data (Incremental Risk):** The theft of a single client list is damaging but rarely crashes the company's entire infrastructure. Because the damage feels "contained," organizations are less willing to slow down business operations with strict access hurdles.
## 3. The "Productivity Tax" and Culture
IT staff are culturally conditioned to work within restrictive environments (using "Service Accounts" or "Sudo"). Business users, however, often view security hurdles as an impediment to their primary job.
- **The Help Desk Effect:** Research shows that when IT restricts a business users access to a folder they _might_ need, the user calls the Help Desk immediately. To reduce ticket volume, Help Desks often default to "over-provisioning"—granting broader access than necessary just to ensure the user doesn't call back.
- **Admin Consistency:** IT admins are few in number and their roles are clearly defined (Network Admin, Database Admin). Business roles are fluid and "cross-functional," making it technically difficult to define what "least privilege" even looks like for a Marketing Manager who also assists with Product and Sales.
---
### Comparison Summary: The Implementation Gap
|**Feature**|**IT Admin Privileges**|**Business Data Access**|
|---|---|---|
|**Control Model**|**Zero Standing Privilege** (ZSP)|**Persistent Access** (Group-based)|
|**Enforcement**|Automated/Technical|Manual/Policy-based|
|**Auditability**|High (Session recording common)|Low (Hard to see who read what)|
|**Implementation**|**Mature** (PAM is a standard)|**Emerging** (Data Governance is often messy)|
---
## Conclusion
Your hypothesis is correct: "Least privilege" is a technical reality for IT admins because we have the tools to automate it. For business data, it remains an aspirational goal because it requires human judgment and manual classification—both of which naturally trend toward the "minimum of measures" to keep the business moving.
**Would you like me to look into "Zero Trust Data Access" (ZTDA) technologies, which are the industry's attempt to bring IT-level strictness to business document access?**
---
Hypothesis: *Can we also see the least privilege principle being better implemented when it comes to various levels of admin privileges for IT resources, vs access to business information?*
---
Yes, there is significant evidence that the **Least Privilege** principle is much more rigorously applied to **IT infrastructure and admin rights** than to **business data**.
The reason for this "implementation gap" is the difference between technical governance (managing _systems_) and cultural governance (managing _information_).
---
## 1. Technical Enforcement vs. Behavioral Expectation
IT resources are managed through **Privileged Access Management (PAM)** and **Identity & Access Management (IAM)** tools. These systems allow for "hard" enforcement.
- **IT Infrastructure (The Admin Level):** Removing "Local Admin" rights from laptops or "Domain Admin" from IT staff is a common, measurable goal. Tools can automatically rotate passwords and provide **Just-in-Time (JIT)** access. If an admin needs to change a server setting, they request access for one hour, and it is automatically revoked.
- **Business Information (The Data Level):** Access to "Financial Reports" or "Project Strategy" is much "fuzzier." Because business roles are fluid, managers often grant broad access ("Just give them access to the whole folder") to avoid slowing down work. There is rarely a JIT system for "reading a PDF."
---
## 2. The "Blast Radius" Metric
Security teams prioritize IT admin rights because the **Blast Radius** is objective and catastrophic.
- **IT Admin:** A compromised "Superuser" can take down the entire network, install ransomware globally, or delete backups. The risk is **Systemic**.
- **Business Data:** A compromised "Sales Manager" can steal customer lists. While damaging, it is rarely "existential" for the IT infrastructure. Therefore, companies invest heavily in PAM tools for admins while leaving business data in broad, "Internal Use Only" buckets.
### Comparison: Admin vs. Business Data
|**Feature**|**IT Admin Privileges**|**Business Information Access**|
|---|---|---|
|**Control Tool**|PAM (e.g., CyberArk, BeyondTrust)|Shared Drives, SharePoint, Teams|
|**Enforcement**|Hard (Access is blocked by default)|Soft (Access is often granted by peers/managers)|
|**Audit Frequency**|High (Often daily/weekly)|Low (Quarterly "Access Reviews" often rubber-stamped)|
|**Philosophy**|**Least Privilege** (Zero by default)|**Need to Know** (Often "Assume they need it")|
---
## 3. The "Rubber Stamp" Phenomenon
Evidence for your claim can be found in User Access Reviews (UAR).
In technical environments, engineers are used to justified access requests. However, in business departments, access reviews are often seen as an administrative chore.
> **Research Insight:** Studies show that business managers have a high rate of "Access Creep." When asked to review who has access to a folder, they often approve everyone "just in case" to avoid interrupting someone's work. In contrast, IT departments use automated scripts to prune unused admin accounts because an unused admin account is a massive, clear liability.
---
## 4. Supporting Your Claim
Your original hypothesis is supported by the fact that **Data Classification** (the "minimum measures" problem) is the weakest link. Even if an IT admin has "Least Privilege" over the server, if the data on that server is classified as "General" when it should be "Restricted," the technical controls on the admin are irrelevant—the data is already under-protected.
---
*Do we see a difference between implementation of access restrictions between document storage and SaaS solutions?*
---
There is a profound difference between the two, primarily driven by a shift from **"Centralized Governance"** to **"User-Led Decentralization."**
While traditional document storage often feels like a "Fortress," SaaS solutions frequently resemble a "Wild West." This shift reinforces your hypothesis: when the burden of security moves from the system (IT) to the user (Business), the "minimum of measures" usually wins.
---
## 1. Document Storage: The "Fortress" Model
In traditional environments (On-premise file shares, SharePoint), access is managed via **Hierarchical Permissions**.
- **Implementation:** IT or "Data Owners" set permissions at the folder level. These are often static and reviewed during annual audits.
- **The Least Privilege Reality:** It is easier to enforce here because the structure is rigid. If you aren't in the "Finance" group, you can't enter the "Finance" folder.
- **The Classification Fail:** Even in this rigid system, your "minimum measures" claim holds true: people often dump sensitive files into "General" folders simply because they don't want to deal with the permission request process to get into a restricted one.
## 2. SaaS Solutions: The "Liquid" Model
SaaS (Google Drive, Slack, Salesforce, Figma) introduces **Object-Level Sharing**, which shatters the traditional perimeter.
- **The "Link-Sharing" Trap:** SaaS thrives on speed. Most SaaS apps allow users to "Share with anyone with the link."1 This is the ultimate "minimum measure"—it bypasses least privilege entirely to ensure productivity isn't hindered.
- **SaaS Sprawl:** Because SaaS is decentralized, IT often loses visibility.2 Research indicates that up to **90% of SaaS applications in an enterprise are unmanaged** (Shadow IT).3 In these cases, there is _no_ least privilege; there is only "User Discretion."
- **Identity vs. Access:** In SaaS, identity is often managed (SSO), but _what_ that identity can do inside the app is often left to the user. A user might be granted "Editor" rights to a whole workspace because the "Viewer" role was too restrictive for a five-minute task, and the permission is never revoked.
---
## 3. Comparison of Implementation Gaps
|**Feature**|**Document Storage (Legacy)**|**SaaS Solutions (Modern)**|
|---|---|---|
|**Control Unit**|The Folder (Group-based)|The File/Object (User-based)|
|**Primary Risk**|"Access Creep" (Too many folders)|"Oversharing" (Public links/Guest access)|
|**Visibility**|High (IT can see the whole tree)|Low (Siloed within individual apps)|
|**Least Privilege**|Enforced by IT Admins|Delegated to end-users|
|**Classification**|Often ignored (Manual labeling)|Frequently non-existent|
---
## 4. Why SaaS Validates Your Hypothesis
SaaS environments prove your point that we default to the "minimum of measures" for the sake of necessity.
- **The Productivity Tax:** Implementing true "Least Privilege" in a tool like Slack or Teams (e.g., private channels for everything) is so administratively heavy that teams almost always opt for "Public Channels" by default.
- **The "Shadow" Effect:** When security measures (like classification or restricted access) become too burdensome in a corporate document store, users migrate data to a personal SaaS account (Dropbox/Gmail) to "just get the job done."
> **Key takeaway:** In SaaS, the "Least Privilege" principle is often sacrificed at the altar of **collaboration speed**.

6
Content Factory/Scratch file/Perverse prikkels in de normindustrie.md Normal file
View file

@ -0,0 +1,6 @@
# Perverse prikkels in de normindustrie
- Nodeloos complex geformuleerde norm, vereist consultants om hem begrijpbaar te maken
- Consultants zijn er niet bij gebaat om de eenvoud te laten zien (want minder uren)
- Bestaande software vereist diepgaande domeinkennis om het te implementeren en te bedienen. Wordt veelal verkocht via partner kanalen (ISO 27001 consultants).
- Certificerende Instanties doen het voorkomen dat ze objectief toetsen t.o.v. Een norm die maar op één manier kan worden uitgelegd, maar in de praktijk wil geen CI bekend staan als de strengste partij met het laagste slagingspercentage.

5
Content Factory/Scratch file/Privacy protection in Databases.md Normal file
View file

@ -0,0 +1,5 @@
# Privacy protection in Databases
[A deep dive into privacy-protecting databases by VentureBeat](https://venturebeat.com/business/a-deep-dive-into-privacy-protecting-databases/amp/)
[Differential privacy](https://en.wikipedia.org/wiki/Differential_privacy?wprov=sfti1)

4
Content Factory/Scratch file/Toegevoegde waarde van ISO27DIY.md Normal file
View file

@ -0,0 +1,4 @@
- Zorgen dat het managen van Infosec risicos een natuurlijk onderdeel wordt van alle activiteiten rond informatieverwerking.
- Bedrijven laten zien dat ze dit zelf kunnen. Ze doen het al voor een groot deel maar hebben nooit geleerd de administratie goed te voeren
- Een stuk software bieden waarmee ze de administratie zelf kunnen opzetten en gaandeweg leren hun informatierisicos norm-conform te beheersen.

17
Content Factory/Scratch file/Voordelen van processvolwassenheid.md Normal file
View file

@ -0,0 +1,17 @@
# Voordelen van processvolwassenheid
Het CMM (Capability Maturity Model) streeft naar hogere procesvolwassenheid omdat volwassener processen een aantal concrete voordelen opleveren:
**Voorspelbaarheid** — je weet wat een proces oplevert, hoe lang het duurt en wat het kost. Verrassingen nemen af naarmate processen herhaalbaarder worden.
**Beheersbaarheid** — je kunt bijsturen omdat je meet en begrijpt wat er gebeurt. Bij lage volwassenheid stuur je op gevoel of incident.
**Kwaliteitsborging** — hogere volwassenheid betekent dat kwaliteit ingebakken zit in het proces, niet afhankelijk is van de individuele medewerker die het uitvoert.
**Schaalbaarheid** — gedocumenteerde en herhaalbare processen zijn overdraagbaar en schaalbaar, onafhankelijk van sleutelpersonen.
**Continu verbeteren wordt mogelijk** — je kunt pas structureel verbeteren als je een baseline hebt. Zonder gedefinieerde processen verbeter je ad hoc, niet systematisch.
**Auditbaarheid** — je kunt aantonen wat je doet en hebt gedaan, wat essentieel is voor certificering, compliance en vertrouwen bij klanten of toezichthouders.
De ironie is dat dit vrijwel exact de drie peilers zijn die jij voor ISO 27001 beschrijft — risicomanagement (beheersbaarheid), continue verbetering, en borging (aantoonbaarheid). CMM en ISO 27001 adresseren in essentie hetzelfde probleem, alleen vanuit een andere invalshoek.

42
Content Factory/Scratch file/Weerbaarheid - bereid je voor op verstoring.md Normal file
View file

@ -0,0 +1,42 @@
# Weerbaarheid: bereid je voor op verstoring
*Engels: Planning for Disruption*
De digitale weerbaarheid van een organisatie is een belangrijke factor in de bedrijfszekerheid. Die weerbaarheid bereik je enerzijds door je te beschermen tegen dreigingen, en anderzijds door de capaciteiten te bouwen waarmee je adequaat kunt reageren op incidenten en kunt herstellen van een aanval of storing. Goed beleid voor digitale weerbaarheid is een verplichting vanuit onder andere de NIS 2 en de ISO 27001 / NEN 7510.
Dit document richt zich op het plannen voor, en het herstellen van, incidenten en verstoringen. Het beschrijft de vier bouwstenen om het opbouwen van weerbaarheid planmatig aan te pakken. Dit zijn:
- Business Impact Analyse
- Bedrijfscontinuïteitsplan
- Incident Response Plan (IRP)
- Herstelplan
Met de **Business Impact Analyse** (BIA) worden de kritische bedrijfsprocessen en hun kwetsbaarheid voor verstoringen in kaart gebracht. Hiermee wordt het belang van de verschillende systemen verduidelijkt voor de bedrijfsvoering, en kan de vertaalslag gemaakt worden naar prioriteiten voor het treffen van preventieve maatregelen (zoals noodvoorzieningen en alternatieve werkwijzen) en het uitvoeren van herstelwerkzaamheden. De BIA helpt ook om technische afdelingen en leveranciers hiervoor kaders te geven.
De BIA is daarmee een ijkpunt voor de andere componenten (het BCP, het IRP en het HP).
Het **Bedrijfscontinuïteitsplan** (BCP) richt zich op de continuïteit van essentiële processen tijdens verstoringen. Het beschrijft hoe de bedrijfsvoering doorgang kan vinden door de inzet van mensen, middelen en techniek, inclusief de toeleveringsketen. Een BCP beschrijft bijvoorbeeld de inzet van alternatieve locaties, tijdelijk personeel, noodapparatuur en alternatieve werkwijzen.
Het **Incident Response Plan** (IRP) adresseert de directe reacties op veiligheidsincidenten en dreigingen. Het bevat een stappenplan voor het detecteren, analyseren, beheersen en elimineren van gevaren en verstoringen
De focus van het **Herstelplan** (HP) is op werkzaamheden die de normale gang van zaken weer moeten herstellen. Het gaat dan om IT systemen en technische infrastructuur (servers, databases, netwerken en software), maar ook om het weer in gang zetten van de normale bedrijfsprocessen met de normale voorzieningen.
De verschillende plannen hoeven niet noodzakelijkerwijs als separate documenten met deze titels te bestaan zo worden de verschillende onderdelen vaak gecombineerd in een 'Uitwijk- en herstelplan' of een 'Calamiteitenplan'
---
**Engelse termen**
Business Impact Analyse (BIA)
Business Continuity Plan (BCP)
Incident Response Plan (IRP)
Disaster Recovery Plan (DRP)
**Metrics**
Kwantificeren hoe lang systemen uit de lucht mogen zijn, voordat de impact op de bedrijfsvoering onacceptabel wordt.
- Maximum tolerable period of disruption (MTPD) of business process
- Maximum Downtime (MTD) of assets
- Recovery Time Objectives (RTO) of processes; time for back to normal
- Recovery Point Objectives (RPO) of assets; acceptable data loss; the point in time that you wish to recover to
The BIA provides the business context and impact metrics that guide the creation of the BCP, IRP and DRP. It answers fundamental questions like "What happens to revenue if this system is down for 4 hours?" or "Which departments cannot function without this application?" This quantitative foundation ensures that technical recovery efforts align with business needs and that resources are allocated based on actual business impact rather than assumptions.
The BIA serves as a bridge between business stakeholders and technical teams, translating business requirements into actionable technical specifications across all three planning domains.