BSA GLOBAL CYBERSECURITY FRAMEWORK

Similar documents
engagement will not only ensure the best possible law, but will also promote the law s successful implementation.

FACT SHEET: Ransomware and HIPAA

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, CEO EDS Corporation

THE WHITE HOUSE Office of the Press Secretary

Senate Committee on Commerce, Science, and Transportation March 19, 2015, Hearing Examining the Evolving Cyber Insurance Marketplace

RE: ITI Comments on Korea s Proposed Bill for the Development of Cloud Computing and Protection of Users

M E M O R A N D U M. Definitions

Strategic Priorities for the Cooperation against Cybercrime in the Eastern Partnership Region

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

How To Protect Your Computer From Attack

ITI Cybersecurity Principles for Industry and Government

7.0 Information Security Protections The aggregation and analysis of large collections of data and the development

Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence

COMPLIANCE ALERT 10-12

Prepared testimony of W. Joseph Majka Head of Fraud Control and Investigations Visa Inc.

Securing Internet Payments across Europe. Guidelines for Detecting and Preventing Fraud

April 28, Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

1851 (d) RULE OF CONSTRUCTION. Nothing in this section shall be construed to (1) require a State to report data under subsection

what your business needs to do about the new HIPAA rules

Mitigating and managing cyber risk: ten issues to consider

COMMUNIQUÉ ON PRINCIPLES FOR INTERNET POLICY-MAKING OECD HIGH LEVEL MEETING ON THE INTERNET ECONOMY,

4/21/2015. Jim Reavis CEO, Cloud Security Alliance. Cloud Security Alliance, Agenda

RE: Comments on Vietnam s Draft Law on Information Security, version 2.22

Towards defining priorities for cybersecurity research in Horizon 2020's work programme Contributions from the Working Group on Secure ICT

Dean C. Garfield President & CEO, Information Technology Industry Council (ITI) Committee on Energy and Commerce

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

Comments on CBRC Draft Regulations Affecting Technology Purchases. 14 September 2015

Privacy in the Cloud A Microsoft Perspective

Cybersecurity Information Sharing Legislation Protecting Cyber Networks Act (PCNA) National Cybersecurity Protection Advancement (NCPA) Act

CSR Breach Reporting Service Frequently Asked Questions

COMMENTS OF THE TELECOMMUNICATIONS INDUSTRY ASSOCIATION

Business Conduct, Compliance and Ethics Program. important

An Overview of Cybersecurity and Cybercrime in Taiwan

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

HIPAA In The Workplace. What Every Employee Should Know and Remember

FINAL May Guideline on Security Systems for Safeguarding Customer Information

No. 33 February 19, The President

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

RESPONSIBLE CARE SECURITY CODE OF MANAGEMENT PRACTICES

RE: ITI s Comments on Korea s Revised Proposed Bill for the Development of Cloud Computing and Protection of Users

Big Data, Big Risk, Big Rewards. Hussein Syed

STRATEGIC OBJECTIVE 2.4 OVERCOME GLOBAL SECURITY CHALLENGES THROUGH DIPLOMATIC ENGAGEMENT AND DEVELOPMENT COOPERATION

Actions and Recommendations (A/R) Summary

Securing Critical Information Assets: A Business Case for Managed Security Services

Special Report The HITECH Act

Cloud Computing: Legal Risks and Best Practices

What are you trying to secure against Cyber Attack?

Key Cyber Risks at the ERP Level

How To Write An Article On The European Cyberspace Policy And Security Strategy

more dangerous. One way that private entities may defend against cyber attacks is by

(U) Appendix E: Case for Developing an International Cybersecurity Policy Framework

FEDERAL IDENTITY THEFT TASK FORCE. On May 10, 2006, the President signed an Executive Order establishing an Identity Theft

NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA

Protecting betting integrity

Texas Medical Records Privacy Act

II. Types of Restrictions on the Free Flow of Information on the Internet (Question 1)

In an age where so many businesses and systems are reliant on computer systems,

National Cyber Security Policy -2013

CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS

How To Respond To The Nti'S Request For Comment On Big Data And Privacy

Middle Class Economics: Cybersecurity Updated August 7, 2015

DIGITALEUROPE and European Services Forum (ESF) response to the Draft Supervision Rules on Insurance Institutions Adopting Digitalised Operations

Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues

How to Protect Intellectual Property While Offshore Outsourcing?

Cyber Security Recommendations October 29, 2002

Billing Code: 3510-EA

1. Do particular business sectors or company types lack sufficient incentives to make cybersecurity investments more than others? If so, why?

One Hundred Thirteenth Congress of the United States of America

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

Cybersecurity for Meaningful Use FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013

Testimony of. Wm. Douglas Johnson. American Bankers Association. Subcommittee on Information Technology

Cloud Cyber Incident Sharing Center (CISC) Jim Reavis CEO, Cloud Security Alliance

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

MOTORCAR PARTS OF AMERICA, INC. CODE OF BUSINESS CONDUCT AND ETHICS ADOPTED EFFECTIVE JANUARY 15, 2015

APEC General Elements of Effective Voluntary Corporate Compliance Programs

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS


Cybersecurity y Managing g the Risks

Solving for the Future: Addressing Major Societal Challenges Through Innovative Technology and Cloud Computing

A COMPREHENSIVE INTER-AMERICAN CYBERSECURITY STRATEGY: A MULTIDIMENSIONAL AND MULTIDISCIPLINARY APPROACH TO CREATING A CULTURE OF CYBERSECURITY

White Paper on Financial Institution Vendor Management

Use & Disclosure of Protected Health Information by Business Associates

S. ll IN THE SENATE OF THE UNITED STATES A BILL

The Dow Chemical Company. statement for the record. David E. Kepler. before

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

Our vision. A company where the best people want to work.

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure

Cyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties

Cyber Security Strategy for Germany

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

protection rights are limited. protection rights are limited.

5581/16 AD/NC/ra DGE 2

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

Transcription:

2010 BSA GLOBAL CYBERSECURITY FRAMEWORK

BSA GLOBAL CYBERSECURITY FRAMEWORK Over the last 20 years, consumers, businesses and governments 1 around the world have moved online to conduct business, and access and share information. This shift to a digital world has revolutionized personal interactions, education, commerce, government, healthcare, communications, science, entertainment and the arts, etc. It has delivered unprecedented efficiencies, and it will continue to yield immense benefits to our global society. However, as opportunities expand, so do the number of risks. Consumers, businesses and governments face a variety of online threats, which can undermine trust in the digital environment the single greatest platform for commerce and sharing information. Protecting cyberspace is a shared responsibility. No single entity or group of stakeholders can address the problem alone and no individual or group is without responsibility for playing a part in cybersecurity. The technology industry, consumers, businesses and governments must all take steps to secure their own systems and to collaborate with each other to define and implement comprehensive cybersecurity policies and technologies. Cybersecurity is not just about protecting against current threats. It also yields the benefit of enabling greater and more sophisticated uses of the digital environment. Cybersecurity gives individuals, companies and governments greater confidence that they can operate in this environment and can entrust it with valuable assets and information. Governments around the world have a multifaceted role to play in cybersecurity, including: Protecting their information systems. Working with the private sector to protect the digital infrastructure. Investigating, pursuing and prosecuting cybercriminals. Currently, too few governments are sufficiently policing cyberspace, and few have put in place needed policies to effectively contribute to global cybersecurity. Significant opportunities exist to work globally and collaboratively to improve cybersecurity. No country can address cybersecurity risks in isolation. The Business Software Alliance (BSA) Global Cybersecurity Framework is a comprehensive roadmap to build an integrated and functioning global policy response to cybersecurity. 1 For the purposes of this document, the term "governments" includes the European Union institutions. - 1 -

Guiding Cybersecurity Principles To help governments build and implement comprehensive and workable plans that function at the national and global levels, BSA has established the following set of guiding principles: Trust cybersecurity policy should enhance the confidence of consumers, businesses and governments in the confidentiality, integrity and availability of the online environment. Innovation cybersecurity is a fast-paced race, in which we must stay ahead of cybercriminals who adapt constantly. Cybersecurity policy should maximize the ability of organizations to develop and adopt the widest possible choice of cutting edge cybersecurity solutions. A risk-based approach consumers, businesses and government agencies seek to protect a wide spectrum of targets against a wide variety of cyber threats. Cybersecurity policy should enable them to implement the security measures that are most appropriate to mitigating the specific risks they face. International standards industry-led, internationally accepted standards 2 underpin the global information technology (IT) ecosystem and spur the development and use of innovative and secure technologies. Cybersecurity policy should preserve the role of international standards. Global policy convergence cybersecurity policy must recognize the borderless nature of the Internet, of the global economy and of cyber threats. As a result, governments should cooperate to ensure their national cybersecurity policy frameworks integrate with global approaches and practices. A 12-Point Roadmap for Global Cybersecurity To help governments implement the guiding principles listed above, BSA has developed a specific 12-point roadmap to guide policy and enforcement efforts. This roadmap is focused on helping governments develop strong, workable policies to improve cybersecurity at a national level, while at the same time contributing to, and integrating with, an international framework for global cybersecurity. This roadmap includes the following key efforts. Deter and punish cybercrime 1. Governments should enact strong laws against cybercrime: Ratify, and adopt laws to implement, the Council of Europe Cybercrime Convention. Countries that are not ready or able to ratify the Convention should look to alternative resources, such as BSA s model cybercrime law, to modernize and harmonize their domestic laws. 2 For the purposes of this document, the term "standards" means a specification with the following characteristics: 1. It is developed through an open, consensus-based process; 2. It is publicly available without cost or for a reasonable fee to any interested party; 3. Any patent rights necessary to implement the standard are available to all implementers on reasonable and non-discriminatory (RAND) terms, either with or without payment of a reasonable royalty or fee; and 4. It should be in sufficient detail to enable a complete understanding of its scope and purpose and to enable competing implementations by multiple vendors. - 2 -

Laws need to be regularly updated to address all aspects of modern cybercriminal activity. Laws need to provide deterrent criminal penalties and civil damages. 2. Governments need to make fighting cybercrime a priority by efficiently and effectively enforcing cybercrime laws, including allocating adequate resources to enforce cybercrime laws: Sufficient numbers of dedicated investigators, prosecutors and judges. Law enforcement personnel need to be trained about sophisticated cybercrime. Law enforcement also needs adequate equipment to conduct investigations. 3. Cybercrime rings often span the globe. Law enforcement action must also take place across borders: Law enforcement agencies need to build networks of relationships with their counterparts in other countries and regions. Adopt a risk-based approach to cyber threats Consumers, businesses and government agencies seek to protect a wide spectrum of targets against a wide variety of cyber threats. A fundamental principle of effective security protection is that not all targets require the same level of protection, and not all threats present the same risk. Cybersecurity policy should therefore enable consumers, businesses and government agencies to implement the security measures that are most appropriate to mitigating the specific risk they face. 4. Governments should preserve the contribution of industry-led, internationally accepted standards to global cybersecurity: These standards not only underpin the global IT ecosystem, but they greatly contribute to cybersecurity by spurring the development and use of innovative and secure technologies. Governments should permit the use of cybersecurity technologies according to internationally accepted, private sector developed standards, and the use of various solutions and approaches to cybersecurity. Governments should not mandate compliance with country-specific cybersecurity standards, in particular standards developed by government agencies. Such mandates may cut off their country s access to the most innovative, cost-effective and valuable security technologies offered on the global marketplace, as well as inhibit their domestic industry from competing on equal terms with their foreign competitors. For example, governments should not require or mandate proprietary cryptographic algorithms or artificially limit the strength of encryption, but should accept publicly available, peerreviewed algorithms. 5. Governments should maintain a policy of technology neutrality when they develop cybersecurity policies and laws: Governments should not prohibit or require the acquisition or deployment of specific products or technologies, including specific hardware or software. Technology-neutral policies are fundamental to effective cybersecurity protection because they ensure that individuals and organizations can deploy the security measures that are necessary to mitigate the specific cyber risks they face. - 3 -

6. Governments should lead by example in implementing risk-based security measures (people, process and technology) to protect their computers, networks and systems. 7. Governments should partner with industry to develop strategies to strengthen cybersecurity and privacy through improved use of reliable and risk-based online identity management, authentication and access control solutions: Unreliable identity, authentication and access controls are one of the major factors facilitating successful cyber attacks. Any strategy to improve the use of reliable electronic identities must respect privacy. Greater use of identity, authentication and access controls solutions that offer levels of protection commensurate with risk would protect privacy and foster cybersecurity. Inform and protect consumers 8. Governments need to educate the public home users, children and small businesses in particular about cyber hygiene, safe and ethical computing: This includes education about software piracy, because many risks to the public come from the use of pirated software. Governments should tap industry resources for such efforts because industry and the IT industry in particular have developed a great deal of educational cybersecurity material, have marketing expertise and have established channels to communicate with the public. 9. If governments are considering whether they should create legal frameworks about data protection and privacy, they should consider whether requirements would be appropriate to protect personally identifiable information against unauthorized access and disclosure. Such data security frameworks should take inspiration from existing best practices, such as: How public and private organizations develop, implement, maintain and enforce administrative, technical and physical safeguards of personally identifiable information. If such requirements are instituted, they should be reasonable and appropriate to the size and complexity of the entity, the nature and scope of its activities and proportional to the likelihood and severity of the potential harm. 10. If governments are considering whether they should create legal frameworks to require that public and private organizations notify security breaches of sensitive consumer data, they should consider the following recommendations based on existing best practices: Limit such breach notification requirements to situations where there is a significant risk of personally identifiable information being used to cause harm. Provide that notification is not required if the PII has been rendered unusable, unreadable or indecipherable to an unauthorized third party through the use of practices or methods such as encryption, redaction, access controls and other such mechanisms which are widely accepted as effective industry practices or industry standards. Provide for government enforcement and preclude liability to third parties. Be flexible enough to take into account the great variety of business arrangements as well as the risks confronted within specific industry or market segments. - 4 -

Build capacity to prevent and respond to cyber incidents 11. Governments should build capacity to facilitate the sharing of cybersecurity information among companies and between the government and private sector (e.g. actionable threat information, response plans, etc.) Information sharing can enhance the protection of critical information infrastructure, most of which is owned and operated by the private sector: Governments should facilitate this information sharing by supporting the creation of public, private and joint capabilities. This includes both human and technical resources, as well as appropriate legal protections against anti-trust claims, disclosure requirements, etc. Governments should promote the development and adoption of industry best practices on information sharing. Governments should address any policy or legal barriers that may inhibit information sharing. However, information sharing must be voluntary. Any obligation to share data would run against the need for organizations to comply with incompatible legal requirements (such as privacy laws, wherever they are applicable), and protect their confidential information, that of their customers, trade secrets, their intellectual property, etc. 12. Governments should support cybersecurity innovation through education and research and development (R&D): Governments should support the development and generalization of cybersecurity curricula in university-level IT education. Government support of cybersecurity R&D helps meet the future technological needs of each country s infrastructure, as well as help each country develops its IT industry. Governments should support cybersecurity R&D through public funding of basic and long term research. They should limit their involvement in applied R&D to circumstances where the technological solution that is sought is not commercially available, and its absence creates a measurable security gap thus focusing government resources on long-term need. Governments should also consider creating incentives that encourage the private sector to conduct cybersecurity R&D. - 5 -

BSA Worldwide Headquarters 1150 18th Street, N.W. Suite 700 Washington, DC 20036 USA Phone: +1.202.872.5500 Fax: +1.202.872.5501

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information