[Global_industry_committee] EC consultation on risk management and breach reporting

Colin Watson colin.watson at owasp.org
Sun Aug 5 13:50:35 UTC 2012


Thanks for that.

I'll send an email to the leaders list to gauge support.


On 2 August 2012 08:11,  <marco.m.morana at gmail.com> wrote:
> Colin,
> Thanks for sharing. This seems also aligned with the proposed new EU data privacy framework that includes a provisions (article 31 and 32) for data breach notification of EU citizen confidential and private data to the supervisory authority http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.  A more general analysis of impact of this is included herein(*). I think would be a good idea to respond as OWASP and provide guidelines for CISO around data breach notifications in different countries in compliance with different regulations (e.g. EU, APAC privacy frameworks, SB 1386 etc)
> Regards
> Marco
> http://blog.security-breaches.com/2012/06/29/towards_a_new_personal_data_breach_notification_framework_in_the_eu/
> On 1 Aug 2012, at 18:35, Colin Watson <colin.watson at owasp.org> wrote:
>> GIC members
>> The European Commission has published a consultation document called
>> "Improving Network and Information Security (NIS) in the EU" but
>> essentially relating to future risk management and breach reporting
>> requirements. Currently in the EU only telecomms companies and ISPs
>> are subject to breach reporting.
>>   Background information
>>   http://ec.europa.eu/information_society/digital-agenda/actions/infosec-consultation/docs/Background-document.pdf
>>   Consultation
>>     As PDF
>>     http://ec.europa.eu/yourvoice/ipm/forms/formpdf/securitystrategy2en.pdf
>>     As online form
>>     http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=securitystrategy2
>> Some of the questions appear to be a good fit for OWASP to respond to,
>> for example:
>> ---------------------------------------------------
>>   3.9. Information exchange between private companies and between the
>> public and private sector on incidents, threats and risks is key to
>> share best practices, build capabilities, develop trend analysis ,
>> manage risks effectively or reduce the impacts of incidents. What are
>> the most effective ways to facilitate such exchanges at EU level
>> (please explain)?
>>   3.16. Everybody (business, consumers and governments) should ensure
>> a minimum level of protection against cyber threats. Do you agree?
>>   3.17. Which actions can be reasonably be expected to be taken
>> respectively by business, consumers and governments to better protect
>> themselves on-line?
>>   3.18. It is key to empower consumers and help them identify
>> companies with good levels of cyber security protection. Which is the
>> best way to achieve this objective?
>>       - Stimulate the development of industry-led standards at EU level [or]
>>       - Give guidance at EU level to enable consumers to
>> differentiate good security products and services [or]
>>       - Define compulsory security standards for goods and services
>> at EU level [or]
>>       - Other
>>   3.19. If you chose other [in 3.18], please specify
>>   3.22. People driving a car are required to take security measures
>> to protect themselves and others.Do you consider that people using the
>> Internet should also be subject to security obligations? If yes, which
>> ones?
>>   3.23. It is important to ensure security throughout the supply
>> chain. Which is the most effective way to encourage all actors in the
>> value chain (e.g. product manufacturers, software developers and
>> Internet companies) to invest in security solutions at an appropriate
>> level?
>>   4.1.7. Would you in principle be favourable to the introduction of
>> a regulatory requirement to manage NIS risks?
>> ---------------------------------------------------
>> And perhaps some US experience of breach reporting would be useful input.
>> Do you think OWASP should submit a response? If so I'd like to float
>> the idea on the Leaders list to see who might run with it. It will
>> take more than one person. Responses have to be submitted by 15
>> October 2012.
>> Colin
>> _______________________________________________
>> Global_industry_committee mailing list
>> Global_industry_committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global_industry_committee

More information about the Global_industry_committee mailing list