Are All 27000-1 Certifications Created Equal?

Say you have to outsource the storage of your corporate data.

Say you have to assess the quality of two (apparently) equally “good looking” potential suppliers, both offering you housing/cloud services.

Say both of them are “ISO 27000-1 Certified”.

Which are you going to choose?

Answer: ask to see the “perimeter” that has been certified.

In other words: advertising on the corporate website or anywhere else that a company is “ISO 27000-1 compliant” doesn’t always mean that the WHOLE company actually is.

Maybe the certification has been obtained for the data centre only, or just for a small part of the infrastructure, or – say – for the financial department.

Thus, a fair use of the “label” would be a statement like: “we are ISO 27000-1 certified for X, Y, Z” instead of the simpler (and deceptive) “we’ve got the ISO 27000-1”.

Next time, ask first.

The (defunct) Data Retention Directive Still Causes Harm

Although the Data Retention Directive has been bashed by the EUCJ ruling, there is wide agreement that its national implementations might still be valid as long as they do not conflict with the main Data Protection Directive.

As of yet, neither the Italian Parliament nor the Data Protection Authority has run the “stress test”, thus leaving ISPs in a void of uncertainty.

Furthermore, as of today, there is a case where the actual provision of Internet access under a contract that terminated back in 2010 has been challenged in court by the former customer. Under Italian Supreme Court jurisprudence, in such a case it is the ISP that must provide the evidence that the agreement has been fulfilled. But, guess what? Under the strict (and wrong) interpretation of the Data Retention Directive, this ISP deleted the log files and now has problems supporting its defence.

True, keeping the traffic data for legitimate purposes (such as legal defense) is allowed by the Data Protection Directive.

True, the Data Retention Directive can be interpreted as an exception that doesn’t overrule the Data Protection Directive.

True, an ISP has more than a chance (in theory) to successfully defend its choice of keeping the traffic data for legal defence purposes even beyond the mandatory term set forth by the DRD.

But all this means fighting an all-round legal battle: explaining to the Court that the traffic data have been legally retained and are therefore valid evidence, standing up to a possible Data Protection Authority investigation, and so on.

In short: a waste of time, money and resources that could be spared if only the powers-that-be had dedicated a fraction of their time to solving this riddle, instead of toying with this Internet Bill of Rights nonsense.


Our Digital Health And Electronic Money. IT Security Gets Tough

Let’s tell the truth: IT security is just a bubble that no “serious” manager cares about. There is no possible explanation for the fact that today we keep talking about the very same things I heard back in the early nineties, sold by somebody who wants to reinvent the wheel. But the indirect PayPal attack against Apple, targeted at the upcoming Apple Pay platform, and the spin put on the health-related application might change the situation: a (very) personal computing device allowing one to manage the two most critical things for a (Western) human being: health and money.

Can a company really afford to market pre-release software as “final” just to meet a marketing-set deadline? Or lure people into trusting a payment platform, risking becoming liable in case of problems caused by poorly implemented security?

Is it really (still) possible to discharge any liability with a “simple” contract and put the burden on the users’ shoulders when serious issues are involved?

IT companies should think carefully about it before entering a sector where people aren’t so keen on just waiting for the next fix or hardware upgrade. They might be dead or bankrupt in the meantime.

Apple’s New Security Policy: Just a PR Stunt?

Apple announced that it is no longer able to hack into iOS 8-based devices because of its “privacy-by-design” development strategy. Thanks to this choice, according to Tim Cook, quoted by The Washington Post,

it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.

Since the imagination of both lawyers and judges knows no limit, I wouldn’t be surprised to hear, in the near future, about some claim for “contributory criminal activity” filed against Apple based on the deliberate choice of giving “unbreakable weapons” to terrorists, paedophiles and copyright infringers.

When this scenario becomes real, it will be interesting to see whether Apple remains stuck in its “libertarian” position, risking a trial for contempt of court, or negotiates over its users with the powers-that-be.

Then, and only then, will we be able to check whether this “privacy commitment” was a genuine attitude or just the next marketing trick.

Net-Threats: How To Lie With Statistics, Again

Another example of how non-statistical research is turned by poorly informed journalists into “scientific truth”. Net-Threats is a survey collecting the opinions of a certain number of “experts”; as its authors clearly state:

Since the data are based on a non-random sample, the results are not projectable to any population other than the individuals expressing their points of view in this sample. The respondents’ remarks reflect their personal positions and are not the positions of their employers; the descriptions of their leadership roles help identify their background and the locus of their expertise.

But this part of the survey – which nobody but the people concerned will ever read – is missing from the poor journalistic account of the news, and readers will be given the wrong idea that the figures quoted are real and that the findings are “true”.

By the way, as with the other “statistical” research about the value of personal data I’ve written about, the findings of this survey might even be acceptable. But there is no need to beef them up with a show-off of figures and percentages that gives the general reader wrong information.

But in this case, the culprit is the journalist.