Risk and Vulnerability Analyses at NAV
Case
NAV has a large application portfolio that spans over 40 years. Many of the systems contain personal information, including special categories of personal data (formerly called sensitive information).
To comply with new regulations and updated security and privacy legislation, NAV must maintain an up-to-date overview of its own threat landscape at all times.
This is what twoday has delivered
twoday has delivered several application-level risk analyses so that NAV has adequate security controls in place and is aware of its vulnerabilities. Recognized methodologies such as the NIST Risk Management Framework were used. As part of the process, threat modeling was carried out together with the application architects and lead developers.
With a focus on security
In addition to risk assessments, twoday has advised NAV on how best to secure its data and users. NAV is going through major changes, including a transition to DevOps, more freedom in the choice of devices and workplace, and software delivered from the public cloud. At the same time, the IT landscape is being modernized. This calls for new thinking and new expertise to understand how these changes affect the threat landscape and the management of risk.
This work has been essential for NAV's compliance with the privacy principles laid down in the Personal Data Act. One of NAV's many obligations is to maintain a complete overview of where it processes and stores personal data.
Privacy Impact Assessment
twoday has also contributed to several Privacy Impact Assessments (PIA) to meet the requirements of the GDPR, which calls this a Data Protection Impact Assessment (DPIA). The GDPR requires a data controller to carry out a DPIA before starting processing that is likely to result in a high risk to the rights and freedoms of individuals, for example large-scale processing of special categories of personal data.
Our role has been both as a facilitator for the entire process and as an active contributor, especially related to risk assessments and identification of measures. In this work, twoday has collaborated closely with product owners and NAV's Data Protection Officer.
Training of employees
twoday has also delivered general security training. The focus was on increasing NAV developers' understanding of secure development and of the threats their systems face. The course covered the OWASP Top 10, the OWASP Application Security Verification Standard (ASVS), and the OWASP Testing Guide. On the final day, the developers took the role of attackers against a deliberately vulnerable web application to see what can happen when security is not built into the design of a solution.
Results
- Highlighted areas requiring increased security
- Delivered reports as a basis for strategic security planning
- Increased security focus among developers and product owners
- Mapped all data usage and verified that it complies with laws and regulations
- Assisted with methods for data minimization in storage
- Assisted with possible solutions for increased infrastructure security
- Mapped risks associated with changes in data flow in new infrastructure