Cybersecurity Quality System Paradigm (Part 1)

04 November 2019

by Costanza Matteuzzi & Aldo Pedico

We have undertaken writing this article to illustrate our idea of coining a new definition of Quality System. Remaining in the corporate organizational context, until today we have associated the canonical definition of Quality with internal processes up to their certification (for example: ISO 9001). With technological evolution and the risks that derive from it, on the one hand, and the enactment of recent European laws, on the other, the definition of Quality System requires a revision: conceptual (mentality), methodological (procedures), technological (products) and technical (activities or modes of intervention).

Our revision imposes the adaptation, in whole or in part, of the current way of approaching personal and business information processing systems, adjusting it to current and increasingly complex needs. Here, we wanted to demonstrate our new assertion by illustrating and applying the new concepts. This assertion, as described in the following paragraphs, enriches the Quality System with the value of Cybersecurity; this value is assigned a position of absolute and primary importance, to the point of conferring a new and more adequate axiom: Cybersecurity Quality System.

This article will be published in two parts; the second part will be published next week. 

The European Union lacks the power to legislate directly in criminal matters. In this specific area, pursuant to the provisions of article 25 of the Italian Constitution, which crystallizes the principle of the absolute reserve of law, the relationship between the internal and the European legal system takes on particular characteristics. However, the role of the Union in the field of criminal law is far from marginal: it indicates which legal interests merit protection and reveals the need to apply penalties where those interests are injured, tending to harmonize the regulations between Member States and between sources of European and domestic law.

Therefore, it is not surprising that there are structural additions to the incriminating rules that widen or narrow the scope of what is criminally relevant, or an effort to interpret the laws in force in a manner consistent with Community law. In essence, this confirms that the internal legal order must be inspired by the European Union to achieve common goals, equal for all States.

Company & Personal Needs

To respond to global challenges and adequately address terrorism, organized crime and attacks in general, since 2009 the European Commission has felt the need to review the regulatory complex and to adopt new security best practices, combining the latter with the exchange of information and the coherence of shared data. Therefore, the adoption of a legal instrument whose purpose is to make those who process the data of another subject responsible is not surprising. The GDPR is, in fact, one of the practical expressions of the Action Plan for the implementation of the Stockholm Programme, whose aims were reported in the Communication from the Commission to the European Parliament and the Council on 29 April 2010.

“The main aim of the Union’s action in this sector for the coming years is “to bring the citizens’ Europe forward” by giving them the means to exercise their rights and take full advantage of European integration. (…) The objective of this action plan is to achieve these priorities at European and global level, ensuring that the citizens benefit from the progress made in the area of freedom, security and justice so that the Union can look to the future and give a clear and adequate response to European and global challenges.”

In particular, some fundamental actions are highlighted in the Annex, in the section “Information flow management”:

  • Communication relating to the general situation of the collection and exchange of information;
  • Legislative proposal on a common EU method for the use of reservation code data for the purpose of contrast;
  • Communication on the transfer of data to third countries;
  • Evaluation report on the application of Directive 2006/24/EC on data retention, followed if necessary by a revision proposal;
  • Communication on the European information exchange model, followed by an action plan;
  • Communication on greater traceability of users of prepaid communication services for law enforcement purposes.

Here the Union tends to organise a strategic programme for the exchange of information, which presupposes an overview of the current systems for collecting, processing and sharing data, accompanied by a thorough assessment of their usefulness, efficiency and effectiveness, proportionality and respect for private life.

Requirements: Laws, Regulations & Standards

Therefore, it is in this perspective that, in addition to European Regulation No. 679/2016 on the protection of individuals with regard to the processing of personal data, we must also consider Directive 2016/943/EU, implemented in Italian law by Legislative Decree No. 63/2018, which concerns the protection of confidential know-how and confidential business information (so-called trade secrets), and Directive 2016/1148 (the NIS Directive (*1)), implemented by Legislative Decree No. 65/2018, on measures for a common high level of security of networks and information systems in the European Union.

Finally, European Regulation No. 1807/2018 dictates the general rules for the free circulation of non-personal data in the European Union. It is precisely through this concise, and certainly not exhaustive, analysis of these rules that it is possible to think of a company as a unit that aims to develop coherent and complete information systems, aimed at a whole-quality model of the company's assets.

Implications

Every person’s life is now imbued with the use of data processing technology. More and more frequently, even in the car or in line at the counter, people are in the habit of sending messages and emails and managing personal and company data. This practice is symptomatic, on the one hand, of the agility with which it is now possible to manage even large amounts of data and, on the other hand, of how little attention and security are applied in managing these flows.

In order to guarantee security and data protection, it is essential that the company define a strategy to safeguard data (personal and otherwise), one or more procedures for their processing, and then adopt a policy of compliance with the rules, both legal (e.g. Reg. EU No. 679/2016, Legislative Decree No. 231/01, Legislative Decree No. 14/2019) and technical (e.g. ISO/IEC 27001:2017, ISO/IEC 25023 for software quality, ISO/IEC 25024 for data quality, ISO/IEC 29100 evaluation techniques for PII protection, i.e. Personally Identifiable Information (*2)).

European Regulation No. 1025/2012, in turn, clarifies that the main objective of standardization consists of defining voluntary technical or qualitative specifications to which current or future products, production processes or services can conform. Therefore, adhering to a qualitative standard makes it possible to protect and preserve the rights of a company, such as reputation or know-how, and also to maintain certification over time, where the existence of certain requirements signals the seriousness and efficiency of the product or service placed on the market with respect to competitors.

Regulation No. 1025/2012 does not fail to highlight the importance of using Information and Communication Technologies (ICT) to accelerate the decision-making process of the standardization bodies and, mirroring what was said above, it is opportune to identify a nucleus of legal values that must be safeguarded, first of all data and information. The development of digital technologies in business processes (e.g. mobile technology, social media, machine-to-machine, cloud computing, data analytics, …) requires a Business Management System adapted to the needs of all “stakeholders” (financiers, employees, customers, suppliers, local administrations, state institutions).

This is also confirmed by the Public Administrations' growing demand that companies demonstrate the requirements they have voluntarily acquired by undergoing consensual quality checks. This brings with it the need to provide SLAs (Service Level Agreements) or contractual clauses suitable to guarantee minimum essential levels for the provision and assurance of a service.

On the other hand, the company will need to have a 231 model that takes into account what is established in art. 24/b, “Computer crimes and unlawful data processing”; this demonstrates that the incorrect management of data that could result from a failure to comply with the GDPR, but also with all the other rules indicated above, can entail the liability of the entity for the predicate crimes mentioned therein and consequently lead to fines or, sometimes, disqualification.

An adequate organizational model must, however, consider that the criminal hypotheses that can be realised through the use of IT systems are manifold. Just think of an entity that intends to participate in tenders: a valid 231 model will have to take into consideration the risk deriving from top management who, in order to win a service contract, for example, make use of cybercriminals. A corollary of what has been said is EU Regulation No. 881/2019, which espouses the ultimate goal of building trust in network and information security by adopting a general system of standards and a Central Authority, ENISA, which oversees the level of cybersecurity of products, services and processes.

* (1) This connotes the development of a progressively operational strategy, in the sense of anchoring high-level strategic objectives to the common policies in the Atlantic and European context; think of ENISA but also of ESA. The same is being developed further in the strategic document on national space policy and in the document on a strategic vision for space. All of this fits into the security framework better defined as a “perimeter” by the executive of Prof. Avv. Giuseppe Conte, which increasingly sees the public-private partnership as a protagonist, ensuring the necessary resilience of critical infrastructures.

* (2) For completeness, we also mention the 2017 COSO ERM – Committee of Sponsoring Organizations, Enterprise Risk Management Integrating with Strategy and Performance – which dictates the international guidelines on risk management.

About the authors: Costanza Matteuzzi is a lawyer, expert in employment law, GDPR and cyber law, and Aldo Pedico is a project manager and consultant on GDPR and the Cybersecurity Act.

The authors would like to thank Dr. Andrea Canepa, Magistrate at the Court of Como; Dr. Giorgio Gaetani, Engineer in Turin; and Dr. Silvestro Marascio, Marshal of the Carabinieri in Rome.
