https://ai-auditingframework.blogspot.com/2019/06/when-it-comes-to-explaining-ai.html
UK NCSC publishes Secure systems design guidance and security paper
Nice and concise read. Their comments on the anti-patterns are good.
https://www.ncsc.gov.uk/blog-post/secure-systems-design–new-guidance-now-available
Cyber security design principles
1. Establish the context before designing a system
2. Make compromise difficult
3. Make disruption difficult
4. Make compromise detection easier
5. Reduce the impact of compromise
Anti-patterns
Anti-pattern 1: ‘Browse-up’ for administration
Anti-pattern 2: Management bypass
Anti-pattern 3: Back-to-back firewalls
Anti-pattern 4: Building an ‘on-prem’ solution in the cloud
Anti-pattern 5: Uncontrolled and unobserved third party access
Anti-pattern 6: The un-patchable system
HHS Clarifies HIPAA Liability Around Third-Party Health Apps
Interesting article that tries to summarize some of the latest HHS guidance. Includes “If the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app,” officials explained.
https://healthitsecurity.com/news/hhs-clarifies-hipaa-liability-around-third-party-health-apps
New HHS Fact Sheet On Direct Liability of Business Associates under HIPAA
CNIL Privacy Impact Assessment Knowledge Bases
https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-3-en-knowledgebases.pdf
I keep going back to this resource, as it has a good set of examples for privacy risks.
But it also has a long catalog of technical and organizational measures (TOM).
Privacymail.info – analyzing trackers in newsletters
It is a public, free research service that analyzes user tracking in the context of newsletters.
HHS and HIPAA – Caveats on HHS web site content!
On the HHS web site, HHS links to NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations.
But https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html?language=es
links to an OUTDATED local copy of NIST SP 800-52 from back in 2005. The effective version (from 2014) is at https://csrc.nist.gov/publications/detail/sp/800-52/rev-1/final
The changes are briefly explained here: https://www.nist.gov/news-events/news/2014/04/nist-revises-guide-use-transport-layer-security-tls-networks
However, there is also a new draft version – with IMPORTANT COMMENTS at
https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft
HHS (HIPAA): Man-in-the-Middle Attacks and “HTTPS Inspection Products” (April 2017)
https://www.hhs.gov/sites/default/files/april-2017-ocr-cyber-awareness-newsletter.pdf
“Covered entities and business associates using HTTPS interception products or considering their use should consider the risks presented to their electronic PHI transmitted over HTTPS, and intercepted with an HTTPS interception product, as part of their risk analysis, particularly considering the pros and cons discussed by the US-CERT alerts, and the increased vulnerability to malicious third-party MITM attacks.
In addition to reviewing recommendations from US-CERT, covered entities and business associates should also review recommendations from the National Institute of Standards and Technology (NIST) for securing end-to-end communications, especially regarding the configuration, use and updating of TLS/SSL implementations. OCR’s Guidance to Render Unsecured PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals references NIST SP-800 series publications to describe the valid encryption processes to use to ensure that electronically transmitted PHI is not unsecured.”