3. Information Security
“Information Security is the process of establishing the required
reliability of information systems in terms of confidentiality, availability
and integrity as well as the establishment, maintenance and
monitoring of a coherent package of accompanying measures.”
4. BIR:2012
Baseline Informatiebeveiliging Rijksoverheid (Baseline Information Security for the Dutch central government)
❖ Dutch Government
❖ Departmentally confidential & privacy risk class II
❖ ISO 27001/27002 + extensions
❖ ± 300 requirements
❖ Comply or Explain
[Chart: number of BIR:2012 requirements per ISO 27001/27002 chapter (scale 0–60), two series labelled ISO and R. Chapters: Security Policy; Organization of information security; Management of assets; Personnel security; Physical security; Management of communication and operational processes; Access security; Acquisition, maintenance and development; Incident management; Business continuity management; Compliance.]
5. How do Microsoft Online Services comply?
❖ KPMG report in Microsoft's Trust Center
❖ Office 365: 91% of the BIR controls are either covered by certifications or assurance standards, or are not in scope.
❖ https://www.microsoft.com/en-us/TrustCenter/Compliance/bir-2012
❖ Real-life scenario – SPO2-based DMS:
3 'explains' out of 179 applicable requirements
[Pie chart: comply 61%, not relevant 37%, explain 2%]
6. Risk strategy
❖ Data exfiltration
❖ Data deletion
❖ Malicious insider
❖ Account breach
❖ Elevation of privilege
❖ Password cracking
❖ Data spillage
❖ Phishing / whaling
❖ Spoofing
8. Wrap-up
❖ The baseline provides extensive guidance, not only for government.
❖ Microsoft Office 365 and Azure provide good coverage of the requirements.
❖ Secure Score is a handy tool, but there's more to it.
❖ There's more coming up!
9. Thank you for your attention
Any questions?
We'll make time for you at our booth.
Richard.Fransen@KBenP.nl