IT Governance

EU Regulation 2024/1689 on AI: Scope, Prohibitions and Obligations

On 12 July 2024, the AI Act, EU Reg. 2024/1689, was published: https://eur-lex.europa.eu/eli/reg/2024/1689/oj

There are 144 pages in the Official Journal of the European Union.

I haven’t finished reading the whole document yet, but I will try to summarize the main topics useful for companies that are thinking of introducing and using AI technologies:

  • Chapter I outlines the scope and exclusions (e.g. use for personal purposes, though there are also exceptions);
  • Chapter II indicates the prohibited systems;
  • Chapter III establishes which systems are high-risk and the activities that producers and deployers must carry out to make them available;
  • Chapter IV concerns the information that providers of all AI systems must supply;
  • Chapter V concerns general-purpose AI models, which carry their own obligations.

In the next article I will try to give a brief guide to the professional roles and skills expected for good management of systems based on artificial intelligence.

IT Governance

Understanding IT Governance Processes and Policies

In today’s technology-driven world, effective IT governance processes and policies play a crucial role in ensuring the optimal management, utilization, and security of information technology within organizations. With the increasing complexity and interconnectedness of IT systems, businesses must establish robust governance frameworks to align IT activities with business goals, mitigate risks, and ensure compliance. In this blog post, we will delve into the fundamentals of IT governance, explore key processes and policies, and highlight their significance in promoting organizational success.

What is IT Governance?

IT governance encompasses the frameworks, processes, and policies that enable organizations to make informed decisions regarding IT investments, resource allocation, risk management, and performance measurement. It provides a structured approach for aligning IT strategies with business objectives, optimizing IT resources, and ensuring the delivery of value to stakeholders.

Key IT Governance Processes

  1. Strategic Alignment: Strategic alignment ensures that IT initiatives are closely aligned with the organization’s overall business strategy. It involves establishing mechanisms to identify business requirements, defining IT goals, and developing plans that align IT projects and investments with strategic objectives.
  2. IT Risk Management: IT risk management involves identifying, assessing, and mitigating risks associated with IT systems and infrastructure. This process helps organizations safeguard sensitive information, protect against cybersecurity threats, and ensure business continuity by implementing appropriate controls, policies, and procedures.
  3. Resource Management: Effective resource management focuses on optimizing the allocation and utilization of IT resources such as hardware, software, and personnel. This process ensures that resources are allocated efficiently, projects are adequately staffed, and IT assets are managed and maintained to maximize their value.
  4. Performance Measurement: Performance measurement involves defining key performance indicators (KPIs) to assess the effectiveness and efficiency of IT operations. Regular monitoring and measurement of KPIs provide insights into IT performance, enabling organizations to identify areas for improvement, optimize processes, and drive innovation.

Key IT Governance Policies

  1. IT Security Policy: An IT security policy outlines guidelines and practices for safeguarding sensitive information, preventing unauthorized access, and maintaining data integrity. It covers areas such as data encryption, access controls, incident response, and employee awareness training to ensure a secure IT environment.
  2. Data Privacy Policy: A data privacy policy defines how an organization collects, handles, and protects personal and sensitive information in compliance with applicable data protection regulations. It addresses issues such as consent, data retention, data transfer, and individual rights, fostering trust and transparency with customers and stakeholders.
  3. IT Service Management Policy: An IT service management policy establishes standards and procedures for delivering IT services to internal users and external customers. It covers areas such as service level agreements (SLAs), incident management, problem management, and change management, ensuring consistent and reliable IT service delivery.
  4. IT Procurement Policy: An IT procurement policy sets guidelines for acquiring IT hardware, software, and services. It ensures that procurement processes are transparent, competitive, and aligned with organizational needs, while also considering factors such as vendor evaluation, contract negotiation, and compliance with licensing requirements.

Benefits of Effective IT Governance

Implementing robust IT governance processes and policies offers several benefits to organizations, including:

  1. Enhanced Decision Making: IT governance provides a framework for informed decision making, enabling organizations to prioritize IT investments, allocate resources effectively, and align IT initiatives with business goals.
  2. Risk Mitigation: By implementing risk management practices and security policies, IT governance helps organizations identify and mitigate IT-related risks, safeguard sensitive information, and protect against cyber threats.
  3. Increased Operational Efficiency: Well-defined processes and policies streamline IT operations, optimize resource allocation, and improve overall efficiency, resulting in cost savings and enhanced productivity.
  4. Regulatory Compliance: IT governance ensures adherence to industry-specific regulations and data protection laws, mitigating legal and financial

An effective IT Governance organization structure

An effective IT governance organization structure is crucial for ensuring the successful implementation and management of IT governance practices within an organization. While specific structures may vary depending on the organization’s size, industry, and complexity, here is a typical framework for an IT governance organization structure:

  1. IT Governance Steering Committee: The IT Governance Steering Committee serves as the highest-level governing body responsible for overseeing and guiding IT governance initiatives. It is typically composed of senior executives, such as the Chief Information Officer (CIO), Chief Technology Officer (CTO), Chief Financial Officer (CFO), and other relevant stakeholders. The committee sets the strategic direction, establishes policies, and ensures that IT governance aligns with business objectives.
  2. IT Governance Office/Group: The IT Governance Office or Group operates as the central coordinating body for IT governance activities. It facilitates the development, implementation, and ongoing monitoring of IT governance processes and policies. The office/group is responsible for providing guidance, ensuring compliance, and promoting awareness and understanding of IT governance across the organization. It may also assist in measuring and reporting IT governance performance.
  3. IT Governance Subcommittees: These subcommittees focus on specific areas of IT governance and report to the IT Governance Steering Committee. Examples of subcommittees include:
     a. IT Risk Management Subcommittee: Responsible for identifying, assessing, and managing IT risks throughout the organization. It establishes risk management frameworks, defines risk appetite, and ensures appropriate controls are in place.
     b. IT Security Subcommittee: Deals with information security, cybersecurity, and data protection. It establishes security policies, oversees security audits, and ensures compliance with relevant regulations and standards.
     c. IT Strategy and Alignment Subcommittee: Focuses on aligning IT strategies with business objectives. It oversees IT planning processes, investment prioritization, and the evaluation of technology trends and innovation.
     d. IT Performance Measurement Subcommittee: Responsible for defining and monitoring key performance indicators (KPIs) related to IT governance. It ensures the collection of relevant data, conducts performance assessments, and provides insights for continuous improvement.
  4. IT Governance Champions/Representatives: These individuals or teams serve as ambassadors for IT governance within different departments or business units. They facilitate the implementation of governance practices, act as a point of contact for governance-related issues, and promote awareness and compliance at the operational level.
  5. IT Governance Working Groups: These groups consist of subject matter experts and stakeholders from various areas of the organization. They collaborate on specific IT governance initiatives, projects, or process improvements. Working groups contribute to the development and implementation of governance policies, frameworks, and best practices.
  6. IT Governance Liaison: A designated liaison between the IT governance organization and other key business functions, such as legal, compliance, and audit. This role ensures effective communication, coordination, and collaboration between IT governance and these functions to address regulatory requirements and maintain alignment.

It is important to note that the structure described above can be tailored to fit the specific needs and characteristics of each organization. The size and complexity of the organization, industry regulations, and corporate culture all influence the structure and composition of the IT governance organization.

Business Continuity, IT Governance

ISO 22301: new version of Business Continuity Management Systems standard

The new version of ISO 22301 has been released, the standard with the requirements for certifying a business continuity management system.

The correct title is “ISO 22301:2019 – Security and resilience – Business continuity management systems – Requirements”:
https://www.iso.org/standard/75106.html.

Uncategorized

The best cybersecurity products

In this post, we look into the newest cybersecurity products in the top categories and review their practical impact. We try to figure out how each cutting-edge tool deals with the newest threats, hopefully helping you make good technology buying decisions.

Cloud Defender – Best for cloud security

This software is built on the latest advances in cloud technology. It provides user-friendly tools that help local cybersecurity professionals inspect and monitor their cloud security posture, and it highlights potential threats. It can also be used in a SaaS model while retaining its advanced cybersecurity functions.

Bricata – Best for Intrusion detection

Bricata is popular among cybersecurity professionals. It offers an advanced IPS/IDS defense system with multiple detection engines that keep your network safe from harm. It is considered a core tool because of its ability to launch threat hunts.

Cofense Triage – Phishing defense

Cofense Triage integrates with almost every corporate email system and helps users report suspected phishing. Triage is still developing, but it already represents one of the most advanced defenses against phishing, which gives it a distinctive position among other software. It deploys as an on-premises virtual appliance.

BluVector – Best for Network Security

The primary job of a cybersecurity professional is to maintain a secure network. BluVector is considered one of the best products for securing a network by detecting weaknesses. It hunts potential threats and operates at machine speed. It also has machine learning capabilities, so it works smarter: it can learn the depth of each network and apply security measures to it. Its detection algorithms are designed to secure the network environment.

Balbix – Best for Vulnerability Management

Balbix has proved itself a strong cybersecurity product. It can detect and analyze vulnerabilities in systems and networks. Cybersecurity professionals can use it to measure what kinds of data are held, how many users interact with them, and other factors that may cause problems for the working environment. It then matches each vulnerability against threat feeds and forecasts the probability of an upcoming breach.

Security, WAF

WAF: 2018 Gartner Magic Quadrant

In this article we’re going to show where Gartner placed the vendors in 2018 Magic Quadrant for Web Application Firewalls (WAF).

  • Leaders: Imperva, Akamai
  • Challengers: F5, Cloudflare, Fortinet, Barracuda Networks, Citrix
  • Niche players: Amazon Web Services, Ergon Informatik, Microsoft, Instart and Rohde & Schwarz Cybersecurity
  • Visionaries: Oracle, Radware

At https://www.consulthink.it/en/waf-solutions-in-comparison-2018-gartner-magic-quadrant-for-waf/ you can find an interesting comparison of the above-mentioned technologies with respect to their strengths and weaknesses.

I tried to summarize them in the following table:

[Table: comparison of the vendors’ strengths and weaknesses (not reproduced here)]

Security, WAF

Web Application Firewall (WAF)

WAF: what is it and what is it for?

A web application firewall (WAF) is an application firewall for HTTP applications. A WAF can protect companies against web attacks such as SQL injection, cross-site scripting (XSS), session hijacking and buffer overflows, which traditional network devices (e.g. firewalls), intrusion detection systems (IDS) and intrusion prevention systems (IPS) may not be capable of blocking.

How many types are there?

WAFs may come in the form of an appliance, a server plugin, or a filter, and may be customized to an application. The effort required for this customization can be significant, and it must be maintained as the application changes.

Network based

This kind of WAF is usually hardware-based and can reduce latency because it is installed on premises via a dedicated appliance, as close to the application as possible. The biggest drawback of this type of WAF is cost: there is both an up-front capital expenditure and an ongoing operational cost for maintenance.

Host based

A host-based WAF may be fully integrated into the application code itself. Its benefits include lower cost and more customization options. Host-based WAFs can be a challenge to manage because they require application libraries and depend on local server resources to run effectively, so more staff resources, including developers, system analysts and DevOps engineers, may be required.

Cloud-hosted

Cloud-hosted WAFs offer a low-cost solution for organizations that want a turnkey product requiring minimal resources for implementation and management. They are easy to deploy, are available on a subscription basis and often require only a simple DNS or proxy change to redirect application traffic. The drawback is that it can be difficult to hand responsibility for filtering an organization’s web application traffic to a third-party provider. On the other hand, this approach allows applications to be protected across a broad spectrum of hosting locations using similar policies against application-layer attacks, and these third parties have the latest threat intelligence and can help identify and block the newest application security threats.
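A minimal host-based WAF of the “server plugin or filter” kind described above, written as WSGI middleware. This is an added example, not code from the original post or from any vendor; the routes, parameter policies and signatures are constructed and illustrative only. It shows the two things the text stresses: signature checks for attack classes such as SQL injection and XSS, and the per-application customization (here a per-route parameter policy) that must be maintained as the application changes.

```python
import io
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed signatures for two of the attack classes named in the text
# (SQL injection, XSS). Production rule sets such as the OWASP Core Rule Set
# are far larger; these are illustrative only.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\S+\s*=\s*\S+|--\s|;\s*drop\b)"),
    "xss":  re.compile(r"(?i)(<\s*script\b|javascript:|\bon\w+\s*=)"),
}

# Application-specific policy (hypothetical routes): this is the customization
# the text says must be kept in step with the application. Each route lists
# the parameters it accepts and the shape each value must have.
ROUTE_POLICY = {
    "/search": {"q": r"[\w\s\-]{1,100}"},
    "/login":  {"user": r"[\w.@-]{1,64}", "password": r".{8,128}"},
}

def inspect_request(path, query_string, body=""):
    """Return None if the request is allowed, otherwise a short block reason."""
    if path not in ROUTE_POLICY:
        return "unknown route"
    allowed = ROUTE_POLICY[path]
    params = parse_qsl(query_string, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        if name not in allowed:
            return f"unexpected parameter {name!r}"
        decoded = unquote_plus(value)  # second decode catches double-encoded payloads
        for label, rx in SIGNATURES.items():
            if rx.search(decoded):
                return f"{label} signature in parameter {name!r}"
        if not re.fullmatch(allowed[name], decoded, re.DOTALL):
            return f"parameter {name!r} violates route policy"
    return None

def waf_middleware(app):
    """Wrap a WSGI app so every request is inspected before it reaches the app."""
    def wrapped(environ, start_response):
        body = ""
        if environ.get("REQUEST_METHOD") == "POST":
            raw = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
            environ["wsgi.input"] = io.BytesIO(raw)  # let the app read the body again
            body = raw.decode("utf-8", "replace")
        reason = inspect_request(environ.get("PATH_INFO", "/"),
                                 environ.get("QUERY_STRING", ""), body)
        if reason:
            # The detailed reason goes to the log for the SOC; the client gets a bland 403.
            print(f"WAF block from {environ.get('REMOTE_ADDR')}: {reason}")
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden"]
        return app(environ, start_response)
    return wrapped

if __name__ == "__main__":
    # Constructed sample requests: one benign search, two encoded attack strings,
    # one benign login.
    print(inspect_request("/search", "q=blue+widgets"))
    print(inspect_request("/search", "q=%2527%2520OR%25201%253D1"))
    print(inspect_request("/search", "q=%3Cscript%3Ealert(1)%3C/script%3E"))
    print(inspect_request("/login", "", "user=alice%40example.com&password=correct+horse+battery"))
```

Note that the positive route policy, not the signature list, is what rejects unknown routes and unexpected parameters; that is also the part that breaks when developers add a parameter without updating the WAF.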

GDPR, Privacy

Criteria for GDPR certification

The European Data Protection Board (EDPB) has published the draft (“public consultation version”) of the “Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679”: GDPR Guidelines

We are still far from having the certification criteria with regard to the GDPR. These are the criteria for evaluating the certification criteria.

In short, they are meta-criteria.

GDPR, Privacy

Privacy Sweep 2018: the Guarantor’s analysis of GDPR implementation

The “Privacy Sweep 2018” is an international survey dedicated to the accountability concept introduced in Europe also by the GDPR.
The survey examined the measures that Data Controllers and Processors have taken to guarantee and demonstrate compliance with data protection standards and regulations.
The Italian Guarantor has published a summary of the results (Italian article): Sweep 2018

Regions and Autonomous Districts were selected in Italy, as well as their respective subsidiaries.

The results are not particularly surprising and give an indication of the points that the Guarantor authorities consider most important.


Security

Cybersecurity Act

In December an agreement was reached on the European regulation called the “Cybersecurity Act”.
This regulation is important because:

  • it entrusts ENISA with a more operational role, in particular in incident management
  • it introduces a European certification scheme for IT products and services

On this topic, I point out this article entitled Cybersecurity Act, ecco cosa ci aspetta dopo la Direttiva NIS (in Italian: “Cybersecurity Act, here is what awaits us after the NIS Directive”).

Today some certification schemes are already in force, but they are based on different frameworks; in particular, Italy uses the Common Criteria (ISO/IEC 15408), while other countries have introduced other requirements.

It would be interesting to see an analysis of these schemes.

IT Governance

IT Governance – The Business Case

Analysts currently agree that probably the biggest risk and worry for top management is failing to align IT with real business needs and failing to deliver value to the business. It is recognized that IT has a pivotal role to play in improving corporate governance practices, because critical business processes are usually automated and directors rely on information provided by IT systems for their decision making.

CIOs must balance many competing priorities:

  • Maximize return: improve business results, grow revenue and earnings and cash flow, reduce the cost of operation
  • Increase agility: enable the business organization and operations to adapt to changing business needs
  • Mitigate risk: ensure security and continuity of internal business operations, while minimizing exposure to external risk factors
  • Improve performance: improve business operations performance end-to-end across the enterprise, increase customer and employee satisfaction

What is IT Governance?
IT governance is the formal process (decision rights framework and mechanisms) of defining the strategy (vision, value proposition, resource commitments, change management) of the IT organization and overseeing its execution (aligned with the enterprise strategy, including other key asset strategies) to achieve the goals of the enterprise, translating them into aligned tactical and operational plans, implementing closed-loop monitoring and control, and guaranteeing accountability and regulatory compliance.

Why is IT Governance important?
IT Governance has become very topical for a number of reasons:

  • Management’s awareness of IT-related risks has increased.
  • There is a focus on IT costs in all organisations.
  • It is mandatory to address decision-making accountability and the definition of user and provider relationships.
  • There is a growing realization that more management commitment is needed to improve the management and control of IT activities.
  • It enables an integrated approach to meeting external legal and regulatory requirements.

IT Governance covers the culture, organisation, policies and practices that provide this kind of oversight and transparency of IT. IT Governance is part of a wider Corporate Governance activity but with its own specific focus.

The benefits of good IT risk management, oversight and clear communication not only reduce the cost and damage caused by IT failures but also engender greater trust, teamwork and confidence in the use of IT itself and in the people entrusted with IT service.

What does IT Governance cover?
IT Governance spans the culture, organisation, policy and practices that provide for IT management and control across five key areas:

  • Alignment: provide for strategic direction of IT and the alignment of IT and the business with respect to services and projects.
  • Value Delivery: confirm that the IT/business organisation is designed to drive maximum business value from IT. Oversee the delivery of value by IT to the business, and assess ROI.
  • Risk Management: ascertain that processes are in place to ensure that risks have been adequately managed. Include assessment of the risk aspects of IT investments.
  • Resource Management: provide high-level direction for sourcing and use of IT resources. Oversee the aggregate funding of IT at enterprise level. Ensure there is an adequate IT capability and infrastructure to support current and expected future business requirements.
  • Performance Measurement: verify strategic compliance (i.e. achievement of strategic IT objectives). Review the measurement of IT performance and the contribution of IT to the business (i.e. delivery of promised business)

Critical factors of IT Governance

  • Clarity of Purpose
  • Senior Management Commitment
  • Management of Business Change
  • Focus, execute and enforce
  • Measure achievable targets and expectations
  • Don’t over-engineer IT Governance
  • Evolution not revolution

How to implement IT Governance