继续讨论第七类威胁:Non-compliance 不合规,Nc.3。
Non-compliance 不合规
见前文。
Nc.3 Insufficient cybersecurity risk management 网络安全风险管理不充分
A lack of proper cybersecurity risk management with specific attention to the interplay with privacy risks. A lack of proper cybersecurity risk management with specific attention to potential privacy consequences, or vice versa, privacy elements with cybersecurity implications (e.g. user data controls broadening the attack surface).
缺乏适当的网络安全风险管理,没有特别关注与隐私风险的相互作用。缺乏适当的网络安全风险管理,对潜在的隐私后果缺乏特别关注,或反之亦然,隐私因素对网络安全的影响(如用户数据控制扩大了攻击面)。
Criteria 辨识要素
-
Security process
安全过程- Is there an established process to manage security risks and identify the required countermeasures?
是否有管理安全风险和确定所需对策的既定过程?
- Is there an established process to manage security risks and identify the required countermeasures?
-
Security countermeasures
安全对策- Does the system incorporate the required countermeasures?
系统是否包含所需的对策?
- Does the system incorporate the required countermeasures?
-
Process and countermeasures based on best practices
基于最佳实践的流程和对策- Are the countermeasures aligned with industry standards and best practices?
对策是否符合行业标准和最佳实践?
- Are the countermeasures aligned with industry standards and best practices?
Examples 示例
-
No security assessment
未进行安全评估- No security assessment was performed of the software.
未对软件进行安全评估。
- No security assessment was performed of the software.
-
Operational security
运营安全- There are no processes in place to ensure software and services are kept up to date.
没有适当的流程来确保软件和服务保持最新。
- There are no processes in place to ensure software and services are kept up to date.
-
Lacking internal access control mechanisms
缺乏内部访问控制机制- The organization does not use appropriate access control mechanisms to limit access of employees to personal data.
组织没有使用适当的访问控制机制来限制员工对个人数据的访问。
- The organization does not use appropriate access control mechanisms to limit access of employees to personal data.
Impact 影响
-
Security contributes to privacy
安全性有助于保护隐私- The security of the system plays a crucial role in safeguarding the privacy of individuals whose data is processed. Personal data breaches can result in significant fines and reputational damage.
系统的安全性在保护数据处理人员的隐私方面发挥着至关重要的作用。个人数据泄露可能会导致巨额罚款和声誉损害。
- The security of the system plays a crucial role in safeguarding the privacy of individuals whose data is processed. Personal data breaches can result in significant fines and reputational damage.
Additional information 额外信息
-
STRIDE Threat Modeling
STRIDE威胁建模:- Consider complementary methods like security threat modeling.
考虑补充方法,如安全威胁建模。
- Consider complementary methods like security threat modeling.
-
Security standards
安全标准- Consider adhering to standards such as ISO27001 or the CIS Security Controls.
考虑遵守ISO27001或CIS安全控制等标准。
- Consider adhering to standards such as ISO27001 or the CIS Security Controls.