Below are links to guidelines covering certain areas of information security and privacy.

The Swedish Social Insurance Agency has made an analysis of the use of cloud services, covering the risks and how to move forward.

The guide is aimed at companies and covers what to think about and what needs to be handled regarding their business and GDPR. The guide is in Swedish.

The European Union also supplies a guide/checklist for GDPR, which is in English.

KLASSA is a self-assessment tool that helps you with information classification of your business systems and data storage. The tool is created for SKL (Sweden's Municipalities and Regions) members: municipalities, county councils and regions. Only members can create organizations and store their information in KLASSA. For other organizations that wish to use KLASSA, the open version is available.

The objective of the document is to provide secure authentication services to web applications by:
• Tying a system identity to an individual user by the use of a credential
• Providing reasonable authentication controls as per the application's risk
• Denying access to attackers who use various methods to attack the authentication system

Safeguarding data using encryption (HIPAA Security Conference 2014).

Due to the information leakage that occurred in connection with the outsourcing of IT operations at the Swedish Transport Agency, SKR (Sweden's Municipalities and Regions) has produced information to support municipalities and regions regarding outsourcing.

Discovering vulnerabilities is important, but being able to estimate the associated risk to the business is just as important. Early in the life cycle, security concerns in the architecture or design may be identified using threat modeling. Later, security issues may be found using code review or penetration testing. Or problems may not be discovered until the application is in production and is actually compromised.

SKR (Sweden's Municipalities and Regions) has developed guidelines that help municipalities and regions analyze issues of law and security for cloud services.

To decide whether your organization should use cloud services, you need to analyze a number of aspects. This is to ensure that the cloud service is suitable for the business and the information to be managed. What needs to be analyzed are the legal conditions and the security of the information.

eSam members run development initiatives in collaboration to facilitate individuals and companies in various life events and to facilitate members' own digital transformation and efficiency.
eSam brings together skills in complex and common areas to provide, for example, guidance and other support that create benefits for members.

eSam's legal expert group produced a legal statement on confidentiality and cloud services in the fall of 2018. In the statement, they describe their interpretation of the applicable law on the matter. In September 2019, the expert group supplemented the statement with a clarification.

Information from OWASP about how to block Brute Force Attacks.

Companies can reduce the probability of a data breach, and thus reduce the risk of future fines, if they choose to encrypt personal data. The processing of personal data is naturally associated with a certain degree of risk, especially nowadays, when cyber-attacks are nearly unavoidable for companies above a given size.

The challenge we all face is that cyber attackers have developed sophisticated and effective methods to brute force (automatically guess) passwords. An important step in protecting yourself is to use strong passwords. Typically, this is done by creating complex passwords; however, these can be hard to remember, confusing, and difficult to type. Instead, we recommend you use passphrases: a series of random words or a sentence.

This is a guide (in Swedish) from the Swedish Security Service ("Säkerhetspolisen") addressing the work of controlling, directing or designing information security within the framework for security protection. The purpose of the guidance is to clarify the provisions of Chapters 3 and 4 of the Security Service Regulations (PMFS 2019:2) on security protection. The aim is to increase knowledge about information security in general, as well as to provide guidance on how security measures in the field of information security can be designed to give information assets adequate security protection.

CERT.SE's incident management process is based on parts of other incident management processes, such as those of SANS and NIST. The parts that CERT.SE, as incident manager, primarily works with are: Identify, Limit and Prevent.

The process is first and foremost for CERT.SE's own incident management work, but is made available here for other organizations to use for information purposes.

Copyright © 2019-2020 - All Rights Reserved