The SDOs / SSOs you are working with at the moment
I'm working on different Standards Developing Organizations (SDOs) in France with the AFNOR national body and as well at the international scale with the ISO (TC3017 Blockchain and DLT system).
Your main field(s) of activity
I'm a distributed system engineer so I provide technical recomendations and contributions to help different organization to better figure out the business and technology challenges regarding nex technologies like Blockchain and Distributed Ledger system.
What ICT Challenges are you addressing in the ICT standardisation area?
I'm addressing a set of ICT standardisation areas regarding my activities (CyberSecurity, Distributed system (DLT/Blockchain) are part of them). Recent developments in the European Union - Cybersecurity, DLT/Blockchain policies/programs and most prominently the adoption of the EU Cybersecurity Act - continued to demonstrate the region’s focus on improving cybersecurity for which distributed system could be a powerful solution in the public and private sectors, while also providing practical guidance and tools to assist companies, regulators and their boards with cyber risk management.
On such motivations we have to address and push European innovators to provide solutions which can address all the identified problems related to data management, as the following ones:
- Lack of Written Internal Policies - Firm’s policies simply restated the Safeguards Rule, but did not include policies and procedures for the actual safeguards. Others had policies and procedures that still contained blank spaces to be filled in by the firms
- Electronic Communications - Policies and procedures did not address the inclusion of personal information in electronic communications. For example, the OCIE’s staff found firms that did not appear to have policies and procedures reasonably designed to prevent employees from regularly sending unencrypted emails containing this information.
- Unsecure Networks and code - Policies and procedures did not prohibit employees from internal bad behaviour.
How, if implemented will this make a difference in a specific context ?
All applications or systems has to perform a standard security checklist to maximize their safety as much as possible. Internal policies and procedures have to be build in existing or new companies. All employees during the execution of their respective works have a big part of responsibility. It's a global task not only dedicated to IT staff which is in charge to maintain the network or code the application/system.
Are there any best practices that you are aware of that put into practice these challenges described ?
- Follow an onboarding / offboarding checklist - This checklist should contain a list of all the steps you need to enforce when an employee, contractor, intern, etc… joins your company. A similar list can also be used when the someone is leaving your team
- Gamify security and train employees on a regular basis - Humans are the weakest links in the security chain. DevOps contribute to the security awareness of all the employees in a company. By explaining how an attacker could inﬁltrate your company, you will increase the awareness and thus minimize the chance of a hack. Don’t forget ﬁshing and spear-ﬁshing attacks. http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Ten-Recommendatio... Security-Awareness-Programs.html
- Run Security tests on your code - Static Application Security Testing (SAST) is an easy and fast way to ﬁnd security vulnerabilities in your code. You can enforce SAST security checks in your CI, but be aware of the high number of false positives that can frustrate developers.
- Go hack yourself - If your company doesn’t have yet a structured security team, help create a multidisciplinary Red Team to stress your application and infrastructure.
What future actions or further specifications work would be necessary to undertake within an ICT Standards context?
The ICT standards have to express security policies and procedures to help industrials to execute them internaly. We have to strongly make a general standard procedure which will be after that more accurately defined. Standardization is a powerful way for regulator as well to push the adoption.