TISAX®, an information security mechanism in the automotive industry Based on the standard ISO 27001 and adapted to the requirements of the automotive field, the TISAX® (Trusted Information Security Assessment Exchange) mechanism was developed by the VDA (Verband der Automobilindustrie, the German automotive industry association) in partnership with an association of European automotive manufacturers, called the European Network Exchange (ENX). The TISAX® security audit mechanism allows the mutual acceptance of information security assessments (carried out by trusted and certified third parties) in the automotive industry and provides a common… Read More >>
Move on, there’s nothing to see! or why “security by obscurity” is not a solution We don’t know what’s hidden in the obscurity. David Lynch At the end of the 19th century, Auguste Kerckhoffs published the principles of military cryptography [01]. In this document (accessible on the Web for free), we learn that an encryption system can be known by the enemy and its security must be based on the non-disclosure (and unlimited change) of the keys used to configure the system. Appendix B1 of the RGS (Référentiel Général de Sécurité that is General Security… Read More >>
Management of privileged accounts: 5 key recommendations to protect your Information System The administration of the information system (IS) of companies and organizations are based on privileged accounts. Privileged accounts rely on the trust placed in their users. Whether internal or external administrators, privileged users have the power to make substantial changes to the IS and therefore have a heavy responsibility concerning the IT security; they have the power to take actions that may harm the company or organization for which they operate. Users with privileged access are able to install and… Read More >>
A compliant but also effective solution Having no problems is the biggest problem of all. Taiichi ÔNO For at least ten years now, I have been telling prospects, students, employees, etc. that a security evaluation can be interpreted as an assessment of effectiveness in relation to security objectives. In other words, an evaluation (in the field of IT security) seeks to demonstrate that a product (or system) meets defined objectives in a compliant and effective manner. The day after my eldest daughter’s birthday, barely recovered from… Read More >>
Should you outsource the administration of the Information System? As mentioned in some of my articles ([01], [02]), IT security is not an option and must be a strategic focus for any organization. Indeed, in my opinion, IT security is both essential and fundamental in order to, among other things, protect the information assets of an organization. Now, let’s focus only on outsourcing the administration of a network or part of a network. Indeed, due to a lack of human or financial resources, the executive committee of an organization… Read More >>
PAM should not exclude SAP Before starting to play a board game, it’s customary to read the game rules. As part of an outsourcing service, it is also very important to establish the “rules of the game” between parties. In [01], the ANSSI (French National Cybersecurity Agency) states that, when using managed services, security should not be incompatible with outsourcing. For an organization whose IS administration is handled by a service provider, the inherent risks are generally related to the loss of control of the… Read More >>
The Cleanroom concept for a safe and secure administration A bastion is a military structure projecting outward from the wall of a fortress. In computer science, we can extrapolate the term “bastion” to a host deliberately exposed to an external, not trusted, network. In general, the purpose of a “cyber bastion host” is to protect a network or part of a network from external threats; it is therefore the most exposed element, the one that is most likely to be attacked . If a bastion “falls down”, the whole… Read More >>
Security is not an obstacle I hurry to laugh at everything, for fear of having to cry about it. Pierre DAC There are three main areas of information systems security (ISS): awareness, physical security and information technology (implementation ways). About awareness, here is a small selection of sentences I have already heard over the past twenty years (unfortunately, this is not an exhaustive list): Security is useless and expensive! There’s nothing secret about what we do. It’s complicated! You’re frankly paranoid… Regarding the complexity of… Read More >>
Once upon a time in Cyberland If the fool warns of a risk, run away. Teke proverb In [01], I mentioned that the risk can be internal to the organization you are managing/administrating/supervising. I had vaguely in mind (but without really quoting it) the Trojan Horse story, which is one of the greatest war tricks, you will agree. Now, let us look at the case of a user with high rights, acting clumsily and, of course, involuntarily. Before starting, it should be noted that any resemblance… Read More >>
Continuous authentication in Cyberia Security is a matter of compromise, a balance between confidentiality and convenience, control and efficiency. While it would be easy to restrict access to an Information System in order to protect sensitive business data, it would become impossible to make it a tool for productivity and growth, especially at a time when openness and collaboration are taken for granted. At the same time, the strict control and monitoring of “power” users has become of crucial importance given the recent cases… Read More >>