Lecture week 5 (Guest lecture EY)
Security is a lack of risk? Not a great definition though.
CIA triad
- C: confidentiality (threatened by data leakage)
- I: integrity (threatened by unauthorised modification of data or systems)
- A: availability (threatened by e.g. denial of service)
Cyber risk = likelihood x impact.
DDoS attack = distributed denial of service. The attacker floods a server with internet traffic from many sources so that legitimate users can no longer reach the service or network.
Ransomware attacks = encrypt (and increasingly also exfiltrate) the organisation's data so that the organisation can no longer access it, and demand a ransom for restoring access (bitcoin is often used as the payment method because it gives the attackers a degree of anonymity).
Cyber Risk Management
”A threat without a corresponding vulnerability does not pose a risk, nor does a vulnerability
without a corresponding threat”.
Threat: insider threat, phishing, malware, zero-day.
Vulnerability: patching delay, unaware employees, unprotected endpoints, third-party IT security.
A threat exploiting a vulnerability = an incident.
According to the lecture, 90% of incidents are due to human error. For example, via phishing, employees can be tricked into leaking information to attackers.
Types of information security risks
- Un-reported information security incidents
- Lack of security in mobile device
- Physical security breach
- Social engineering
- Suspicious email
- Vulnerable password
- Malware
- Unsafe internet surfing
Risk treatment
4 options to address risks:
1. Mitigate (reduce likelihood or impact, e.g. require employees to use strong passwords)
2. Transfer (shift the financial impact to another party, e.g. take out cyber insurance)
3. Accept (consciously carry the risk when treating it costs more than it is worth; because there are so many risks, some of them will have to be accepted)
4. Avoid (stop the risky activity altogether, e.g. decommission an outdated server instead of continuing to run it)
2 new legal frameworks
DORA (regulation)
- Focus on organizations in the financial industry
- Focused on ICT governance, risk, resilience and ICT outsourcing
- Prescriptive on procedures, controls
- Enhanced testing and focus on stress testing continuity and security
- Focus on concentration risk and incident reporting/communications
- DORA builds on the NIS directive and addresses possible overlaps via a lex specialis exemption
NIS2 (directive, provisional agreement)
- Focus on national level, EU level and international level and applies to more variety of industries
- Baseline for cybersecurity risk management and reporting obligations and focus on network
security and information security of essential & important services.
- Focuses on many authoritative entities such as the CSIRTs, ENISA and the Commission
- Focuses on aligning policies and the authoritative process of cyber security on a national level
Main differences:
- DORA (Organizations) vs NIS2 (National, EU, international level)
- DORA (Financial organization) vs NIS2 (Diverse industries)
- DORA (wide range of topics operational resilience) vs NIS2 (more on network and information
security)
- DORA (more specific controls and activities) vs NIS2 (more general, only briefly covers testing etc.)
- DORA (focus on implementing controls and activities) vs NIS2 (focus on aligning national
policies and national/EU authorities)
Dealing with cyber attacks is just the tip of the iceberg
- Accurately map the organization’s cybersecurity and privacy posture
- Recognize technology, security and privacy challenges when they happen
- Enable organizations to take action on emerging threats, on a technical, process and people
level
- Resilience: bounce back when hit, and continue the business
4 building blocks of personal data according to the GDPR:
1. “Any information”
2. “Relating to”
3. “An identified or identifiable”
4. “Natural person”
GDPR:
- The GDPR regulates the processing of personal data (‘any information relating to an identified or an identifiable natural person’)
- Processing is defined as ‘any operation performed on personal data’
- Stricter requirements for special categories of personal data
- Different roles:
Controller (e.g. companies like FB and Twitter): the organisation or individual that decides why and how personal data is processed. FB and Twitter collect and determine how they use the personal information users provide when creating accounts and posting content.
Processor: an organisation or individual that processes the personal data on behalf of the controller.
GDPR principles:
- Be lawful and fair + transparent to the data subject
- Purposes should be explicit and legitimate
- Data should be relevant and adequate, limit data collection to what is necessary
- Define a period of time for storing data
- Security and confidentiality
- Accountability: adopt policies and implement appropriate measures to ensure personal data is
secured throughout the entire data lifecycle
The GDPR is deliberately vague about which measures organizations should take, because technological and organizational best practices are constantly changing.
Where does the GDPR apply:
- When a legal entity is established in Europe;
- When any other form of an establishment exists in Europe (website/representative/equipment);
- When an organization offers goods/services to citizens in Europe (language/currency/reference to EU customers);
- When an organization monitors the behavior of citizens in Europe (tracking of EU citizens on the
internet);
- Legal risks (litigation / breach of contract)
- Compliance risks (supervisory authority investigation)
- Regulatory risks (new laws / changes to existing laws)
Data protection risk: risks to individuals from data processing
- Data protection laws
- Rights and freedoms of individuals
Definition of AI according to the amended AI Act:
“means a machine-based system that is designed to operate with varying levels of autonomy and
that can, for explicit or implicit objectives, generate outputs such as predictions,
recommendations, or decisions that influence physical or virtual environments…”
Issues with AI:
- Black Box problem (unclear how the model operates due to complexity)
- Data problem (even if PII is anonymized or removed, sensitive personal information can be deduced from big data or extracted from a trained model)
- Bias problem (models can recreate and amplify unfairness that is included in data -> lack of
diversity awareness in the development process can lead to discriminatory outcomes)
Where does the AIA apply
The Artificial Intelligence Act wants to ensure and facilitate:
- AI systems are safe and respectful
- Legal certainty to facilitate investment and innovation in AI
- Governance and effective enforcement
- Development of single market for lawful, safe and trustworthy AI systems
- Risk based approach to facilitate the use of certain (lower risk) AI applications
7 pillars of trustworthy AI:
1. Accountability:
- Consider and document any tradeoffs when implementing requirements
- Ensure that mechanisms are in place for redressing any negatives
2. Human agency and oversight:
- Perform a fundamental rights impact assessment where risks exists
- Design systems that support individual, informed choices
3. Transparency:
- The decisions or outputs of the AI must be explainable to the user
- These decisions should be communicated to humans interacting with the system
4. Privacy and data governance:
- Ensure that data is protected and privacy preserved when creating AI
- Data going in and out of the AI should be of good quality
5. Societal and environmental wellbeing:
- Determine whether the AI system's entire supply chain is sustainable and environmentally friendly
- Assess how the AI impacts individuals but also society at large
6. Diversity, non discrimination, fairness:
- Ascertain that data going into and out of the AI is fair and unbiased
- The AI should be accessible and universally designed for humans
7. Technical robustness and safety:
- Consider resilience to attack and implement security measures
- Implement a fallback plan and general safety to increase reliability
Key Takeaways
1. While security professionals are hard to find, cybersecurity is a hot topic and new EU regulations require organisations to step up their security game.
2. Privacy regulations set requirements for organisations on how to process personal data
3. To have a sustainable application of ethics it is important to make it business as
usual: integrate it across the development lifecycle and the ways of working of organizations.
Investments in training and up-skilling will be needed as this is a new and exciting field!