NCCoE NIST Cybersecurity Practice Guide, Mobile Device Security: Cloud and Hybrid Builds
was released on February 21, 2019. For ease of use, the draft guide is available to download or read in volumes:
- SP 1800-4a: Executive Summary
- SP 1800-4b: Approach, Architecture, and Security Characteristics
- SP 1800-4c: How-To Guides
https://www.nccoe.nist.gov/projects/building-blocks/mobile-device-security/cloud-hybrid
HealthIT.gov – How Can You Protect and Secure Health Information When Using a Mobile Device?
Spanish DPA (AEPD): Analysis of Information Flows in Android – Tools for compliance with Accountability
The objectives of the study focus on:
- Defining the context and conceptual framework of the detection of the personal data communications in applications executed on an Android operating system.
- Demonstrating the elevated risk in the mobile application environment of leaks of personal data and the need to carry out an evaluation of data flows
- Studying the existing techniques for the detection and analysis of personal information flows in Android Applications.
https://www.aepd.es/media/estudios/estudio-flujos-informacion-android-en.pdf
Big Data Analytics for central banks
The use of big data analytics and artificial intelligence in central banking.
Proceedings of the IFC – Bank Indonesia International Workshop and Seminar on Big Data in Bali, 23-26 July 2018.
https://www.bis.org/ifc/publ/ifcb50.htm
CNIL fines SERGIC 400,000 EUR (web site vulnerability)
Very interesting case that needs some closer analysis.
The fine is about 0.9% of SERGIC’s annual turnover in 2017.
During the on-line audit of September 7, 2018, CNIL agents retrieved files accessible from URLs composed as follows:
https: //www.crm.sergic .com / documents / upload / eresa / X.pdf
– where by changing X you could access another person's file.
SERGIC tries to argue that they shouldn't have done that, etc. – to no avail. CNIL observes that exploiting the vulnerability does not require any particular technical expertise in computer science. CNIL also considers that the use of a script does not require any advanced skills to exploit this vulnerability.
(Should be good week-end reading.)
https://www.legifrance.gouv.fr/affichCnil.do?id=CNILTEXT000038552658
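The SERGIC finding is a missing object-level authorization check: the file id alone granted access. The following is an added illustration (not code from the CNIL decision or from SERGIC) that puts the flawed pattern next to a hardened fetch that checks ownership and uses unguessable ids, plus a simple log heuristic for spotting id enumeration; the document store, owner names and log format are constructed for the example.

```python
import hmac
import secrets
from collections import defaultdict

# Constructed sample store: document id -> (owner id, file name).
DOCUMENTS = {
    "doc-a1": ("alice", "alice-lease.pdf"),
    "doc-b2": ("bob", "bob-lease.pdf"),
}


def new_document_id() -> str:
    """Random, non-sequential id: changing one character yields no neighbour."""
    return secrets.token_urlsafe(16)


def fetch_document_vulnerable(doc_id: str):
    """The flawed pattern: knowing (or guessing) the id is enough to get the file."""
    entry = DOCUMENTS.get(doc_id)
    return entry[1] if entry else None


def fetch_document(doc_id: str, requester: str):
    """Hardened: the authenticated requester must own the document.

    A missing document and someone else's document get the same answer,
    so the response does not confirm whether a given id exists.
    """
    entry = DOCUMENTS.get(doc_id)
    if entry is None:
        return None
    if not hmac.compare_digest(entry[0].encode(), requester.encode()):
        return None
    return entry[1]


def enumeration_suspects(log_lines, threshold: int = 3):
    """Flag clients whose requests for many distinct ids were denied.

    Each constructed log line has the form "<client> <doc_id> <status>".
    Returns the sorted client names meeting the threshold.
    """
    denied = defaultdict(set)
    for line in log_lines:
        client, doc_id, status = line.split()
        if status in ("403", "404"):
            denied[client].add(doc_id)
    return sorted(c for c, ids in denied.items() if len(ids) >= threshold)
```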
EDPS: Guidelines on the protection of personal data processed through web services provided by EU institutions (Nov 2016)
https://edps.europa.eu/sites/edp/files/publication/16-11-07_guidelines_web_services_en.pdf
Also includes interesting links to other EU papers (e.g. on cloud).
Sadly dated Nov 2016, so written with the GDPR in mind but before it came into force.
Covered technologies include:
- Cookies
- Scripts (e.g. JavaScript code) and components (such as browser plugins) executed on the client side
- Web caching mechanisms
- HTML5 local storage
- "Device fingerprinting"
- "Canvas fingerprinting" and "Evercookies"
- Web beacons
Algorithmic bias detection and mitigation: Best practices and policies to reduce consumer harms
Very nice summary paper on AI and AI bias, which covers many examples, including the Amazon AI recruitment tool bias case.
ICO releases interim report for AI guidance project
https://ico.org.uk/media/2615039/project-explain-20190603.pdf
Includes a very nice summary of GDPR expectations on AI