Multifaceted security cooperation
vrijdag 18 maart 2016 Join the Manifesto?!
Cooperation is key to keeping your digital and connected systems and services secure. Cooperation within your supply chain, with your security service provider, public-private cooperation, etc. In the Netherlands this comes (almost) naturally, although there is certainly room for improvement.
Cooperation between you and the so-called ethical hacker community may also be beneficial to you. It is in your interest to know about vulnerabilities in your IT systems as soon as possible, so you can act to resolve the vulnerability, preferably before it is exploited. But some guidelines are necessary for this kind of cooperation to ensure that you have the opportunity to take care of the vulnerability in a controlled way and the reporter has less chance to be prosecuted for helping you improve your security. These guidelines are referred to as Coordinated Vulnerability Disclosure, or Responsible Disclosure.
CIO Platform Nederland has embraced this initiative and has translated the prior documentation of SURFnet that was made for the higher education and research community, to a format that is more suited to businesses and governmental organisations. We’ve had these translated into English and made them available to use by any interested party. Please find the policy and procedure document here and the implementation guide here. The Dutch government has put Coordinated Vulnerability Disclosure on the agenda of the Presidency of the European Union. CIO Platform Nederland and Rabobank have joined initiatives to promote the adoption of Coordinated Vulnerability Disclosure among businesses in Europe. To do this a Manifesto was developed which we encourage representatives of European businesses to come and sign during the EU high-level event on May 12th and 13th in Amsterdam. You can find the introduction to the Manifesto here and the text of the Manifesto here.
If you are interested in joining the Manifesto please send your contact details to vulnerability.disclosure@ncsc.nl.
If you have any questions about the topic of Coordinated Vulnerability Disclosure or the documents, please contact Ronald Verbeek.