A young family member had been in need of a new laptop for some time. You know how it goes: the device goes everywhere, the bag isn’t always handled gently, and the water bottle turns out not to be entirely leak-proof. The situation became increasingly dire: large parts of the screen had stopped working. So what do you do? You go to the store or order a new laptop online.
It certainly hurts financially, but the process usually goes smoothly. Order before midnight, receive it tomorrow (that’s how it works in the Netherlands). If you're lucky, the package is neatly delivered to your door (and not dumped in the trash bin — but that’s a story for another time).
Things are quite different at a government organization. If you need to replace laptops for tens of thousands of employees or require new software, you can’t just go to the local store or a webshop. No, you have to initiate a European tender. That’s a complex process where you must describe what you want in functional terms. You’re not allowed to specify a brand — instead, you must list desired specifications: screen size, storage capacity, amount of RAM, that sort of thing. The tender document also includes many other requirements that the product, maintenance, and supplier must meet. If a supplier cannot answer ‘yes’ to even one requirement, they’re out. The winner is the supplier who meets all conditions and offers the lowest price. You, as the buyer, have no influence over who that is or what product they offer.
Our team is responsible for security, continuity, and privacy. From these perspectives, we want to influence the ICT products and services being procured. In the past, requirements that didn’t directly relate to functionality were given a dreadful label: non-functionals. I understand the term — these requirements don’t directly concern what the product should do and thus don’t contribute to the requested functionality. But honestly, how would you feel if your input were labeled non-functional?
We came up with a solution. We created a document that bundles all the requirements we want to impose on procurement processes from our area of responsibility. And the proud title of that document is: Security Functionals Requirements (SFR). Because you know what? Security matters. Often, security actually enables things that wouldn’t be possible otherwise. Or would you want to bank online if it weren’t properly secured?
The SFR is based on the BIO document — the Baseline Information Security for Dutch government. That’s our mandatory framework, so it makes sense to use it as a starting point: if we use a product that doesn’t comply with BIO, then we as an organization don’t comply either. We’ve also added our own expertise, for example, on topics not yet addressed in BIO, such as quantum computing, which poses a serious threat to the security of our data. In other areas, we’ve included insights based on our field experience.
Our procurement officers, who formally guide such processes, naturally have opinions about the requirements. Coordination with them — including legal advisors — is therefore important. All in all, we now have a solid generic document that must be used for every ICT procurement process. It’s up to the involved architect to determine which SFR requirements are relevant for a specific tender. Often, someone from our team is also involved to support the project manager with advice and expertise.
You understand that this is not a case of ‘ordered today, delivered tomorrow’. But that was already true before the SFR existed. A European tender is inherently a bureaucratic exercise that requires due diligence. Fortunately, things are much easier for you as a consumer. Of course, even without the SFR, you’ll ensure that the product meets your security requirements. Right?
And in the big bad world…
- Security awareness is no longer enough; employees must become resilient.
- AI providers should also have their security in order. [GERMAN]
- These cybercriminals have stolen an extraordinary amount of data.
- North Korea mainly steals cryptocurrencies.
- Hospital staff must keep their curiosity in check. [DUTCH]
- Personal data has been leaked via ChatGPT in Australia.
- European chat control is on hold for now. [DUTCH]
- WhatsApp and Threema have now also spoken out against chat control. [GERMAN]
- Belgian banks are making young people cyber resilient with a game. A board game. [DUTCH]
- Your Android device will no longer receive monthly security updates by default.
- WhatsApp is being used to spread malware.