Methods for mitigating software project risk
The European Union’s General Data Protection Regulation (GDPR) has transformed the way data is treated, as businesses around the world are avoiding the additional costs of managing different data regimes. Comparable laws giving local residents more control over their data are now starting to come into effect in other countries. For example, the California Consumer Privacy Act (CCPA) gives California residents the power to demand the deletion of their information.
Different kinds of legal risk
Regulatory compliance is not the only challenge. Litigation poses a serious threat to organizations, especially in cases where customers, employees or business partners suffer actual financial losses — for example, in the case of criminals taking advantage of poor security to steal credit card information. The phrase ‘actual financial losses’ can also refer to a drop in a company’s share price. This was the case, for example, when Yahoo shareholders brought a class action lawsuit after the company’s market value dropped as a result of criminals taking advantage of poor security to steal sensitive data. Yahoo settled for USD 80 million in early 2018.
It is essential, in terms of mitigating the risk of fines or litigation, that organizations are able to demonstrate that their services are safe and that they are taking reasonable care to protect the data of their customers and business partners. In the event of a data breach due to inadequate protection measures, some legal systems view unkept promises made to customers about safeguarding their data as tantamount to engaging in unfair and deceptive practices. In 2017, the US health insurance company Anthem settled a class action lawsuit for USD 115 million over a breach that had compromised the personal information of nearly 79 million people.
It is important to seek out good advice, not least because not knowing the law has never worked as a defence for failing to comply. Fortunately, international standards, which are based on global best practices identified by the consensus of the world’s leading experts, provide invaluable help and support. More than 40 standards make up the ISO/IEC 27000 family of information security management standards. This family provides requirements and supporting guidance for establishing, implementing, maintaining and continually improving an information security management system. These can be used, for example, to give an organization guidance and support in addressing the information security and privacy protection requirements of the GDPR and so help it achieve compliance.
Here are eight things organizations can do to help satisfy the most stringent legal regulations with the help of IEC and ISO standards.
1. Establish an information security management system (ISMS)
The ISMS requirements described in ISO/IEC 27001 define a cyber-risk-management-based approach to managing people, processes, services and technology. Using ISO/IEC 27001 helps organizations to manage their information security risks, including threats, vulnerabilities and impacts, as well as to design controls that protect the confidentiality, integrity and availability of data and regulate access to critical information systems and networks. It emphasizes the importance of the ISO/IEC 27001 risk management process taking account of legal, regulatory and contractual requirements. (See point 8.)
2. Commission an independent audit
In terms of mitigating cyber risk, the first step every organization should take is to implement the ISMS standard ISO/IEC 27001 and then commission an independent ISMS certification audit to ensure compliance with the requirements of ISO/IEC 27001. An ISMS certification will help organizations demonstrate that their cyber-risk approach has considered local and international laws and regulations. ISO/IEC 27014, which offers support on the governance of information security, recommends such an approach. Other standards in the family that support the implementation of ISO/IEC 27001 include ISO/IEC 27005, which provides guidance on information risk management, and ISO/IEC 27004, which suggests metrics for evaluating the effectiveness and performance of information security systems.
The aim of an ISMS certification audit is to verify that the organization has considered and assessed the cyber-risks it faces and that it has implemented an effective and appropriate set of controls to mitigate these risks; this includes both information security and privacy protection controls. The certification audit should verify that the organization has taken account of all business, contractual, legal and regulatory requirements (e.g. GDPR) in its risk assessment. ISO/IEC 27014 provides guidance on establishing an information security governance framework to ensure that the organization is properly addressing its internal governance requirements in compliance with external rules and regulations.
3. Keep an accurate data inventory
It is impossible to manage risk effectively, or to comply with regulations about access and portability, without implementing an effective set of controls. For example, an organization should have an accurate inventory of its data and network assets. ISO/IEC 27002 is a code of practice: a collection of such information security controls together with guidelines for implementing them, for example for identifying information assets, defining appropriate protection responsibilities and maintaining an inventory that is up to date, consistent and aligned with the organization’s other inventories. ISO/IEC 27002 is a baseline control set supporting ISO/IEC 27001 and the mitigation of cyber risk.
4. Implement a Privacy Information Management System (PIMS)
ISO/IEC 27701 is an extension to ISO/IEC 27001 that provides a comprehensive set of operational controls for implementing, maintaining and continually improving a PIMS, including privacy processing controls. Implementing ISO/IEC 27701 and ISO/IEC 27001 helps to meet the EU GDPR’s requirement for “appropriate technical and organizational measures”. It maps its recommendations to the GDPR (Annex D).
5. Facilitate portability and implement a data minimization process
The GDPR gives individuals the right to access their data and find out how it is being used. ISO/IEC 19941 provides support to organizations that need to enable their customers to move their data or applications between non-cloud and cloud services, as well as between cloud services. Another important requirement of the GDPR is “data minimization”, which means keeping data that can identify individuals for no longer than necessary. ISO/IEC 27018, a code of practice for the protection of personally identifiable information (PII) in public clouds, contains important advice on the secure erasure of temporary files within a specified, documented period; a complementary standard is ISO/IEC 27017, which addresses information security in the cloud. Another standard, ISO/IEC 27555, currently under development, will provide guidelines on establishing a PII deletion concept in organizations.
6. Implement an incident response plan
An incident response plan is important in terms of mitigating the risk of litigation. It also helps to ensure that the breach notification requirements of the GDPR (72 hours) and of any other relevant laws or regulations are respected. The two-part ISO/IEC 27035 presents principles of incident management and a complete guide to planning and preparing for incident response.
7. Don’t forget supplier relationships in your security strategy
It is vital that an organization’s legal risk mitigation strategy takes into account third-party relationships, because they bring the security practices of each vendor into the organization’s own risk profile. This was the case, for example, with the US retail giant Target, after hackers used the network credentials of a heating, ventilation and air-conditioning company to steal personal data from tens of millions of credit and debit cards. Target has paid USD 18.5 million to settle multi-state claims, as well as a further settlement of USD 10 million following a class action lawsuit, in addition to compensation of up to USD 10,000 for customers who suffered directly from the data breach. The four-part standard ISO/IEC 27036 provides guidance on supplier relationships, including supply chain and cloud service security.
8. Take out cyber-insurance
Organizations are strongly advised to have adequate cyber-insurance in place to cover any operational or legal costs, including possible fines, related to serious breaches. ISO/IEC 27102 provides guidelines on cyber-insurance to cover potential financial losses. The standard looks at the kinds of losses covered and what measures need to be in place to satisfy the insurance providers. ISO/IEC 27102 notes that an ISMS “can provide the insured and insurer with data, information and documentation that can be used in cyber-insurance policy inception, cyber-insurance policy renewal and throughout the lifetime of that cyber-insurance policy”.
Translated from: https://medium.com/swlh/the-law-and-cybersecurity-eight-ways-to-help-mitigate-legal-risks-cd1242f6ef25