Security companies that must subject, among others, ‘leaky’ municipal websites to a thorough audit are not required to meet any standards and are not checked on their expertise. The industry is calling for standards.
Unlike in Germany, for example, security companies in the Netherlands do not have to meet specific requirements, even if they work for the government. Security companies find, however, that fellow companies are not always competent enough and are therefore calling for standards, as emerges from a round of inquiries by Tweakers.net among various companies. “Anyone in the Netherlands can set up a security company. The companies can do what they want, without being checked by an independent party”, says Henk-Jan Angerman of SecWatch. In his own words, he comes across ‘too many’ security companies that are not very particular about the quality of their work. According to him, it happens that he has to check an audit by a fellow company in which mistakes have visibly been made.
A dangerous situation, Hans Kortekaas of SurfPlan also believes. “The level of security companies should be raised. The government or the industry should take a leading role in establishing certain standards, with which every security company must eventually comply. How, for example, is an audit carried out, and how often? The standards need to have clear boundaries, so that the basic principles are all the same.”
Currently, the government service Logius checks whether municipal websites offer DigiD in a secure way. In case of an emergency, the service can be withdrawn. For the rest of the website, however, the municipality is solely responsible. Although security guidelines and checklists for government sites exist, there are no rules for the party that subjects the sites to such checks. Kortekaas: “Control of the chain is lost. There must be attention to the companies that perform audits, and to whether they have the expertise. No one checks whether a penetration test is carried out well, or who carries it out. In theory, that could even be criminals.”
Standards for security companies that work for municipalities, for example, are indeed absent, Govcert, the government service for digital security, confirms when asked by Tweakers.net. Mark Koek of Fox-IT regrets this: “There is no quality standard in this market. As a result, companies that use only a single tool can also perform an audit. They do not check for advanced security vulnerabilities”. Koek says he recently saw a security report for a municipality in which the external party had overlooked several important procedures. Even a second opinion cannot always prevent that situation. “Companies that perform a second opinion on behalf of the municipality may not have the appropriate knowledge.”
Koek does not think setting standards is a bad idea. It is, according to him, difficult to achieve, however; the security standard is, he says, continuously subject to change. Kortekaas and Angerman point to Germany in response. Certain requirements already exist there for companies that work for the government. For example, the Bundesamt für Sicherheit in der Informationstechnik requires companies to use certain software. There are also many security standards available that security companies can meet. Although not all of them are mandatory, in practice many clients nevertheless check whether they are complied with.
The security companies are making their call after several ICT-related incidents involving the government took place earlier this year. For example, a hacker broke into the Dutch SSL certificate authority DigiNotar and managed to generate hundreds of falsified certificates. DigiNotar kept the break-in quiet for a long time, and it turned out that security at the Beverwijk-based company was not in order in more ways than one. Recently, dozens of municipal websites turned out to be susceptible to various hacking attacks, which could have exposed data of citizens and officials. In response, parliament wants to set up a so-called ‘ICT fire brigade’.