CCIN: Data, systems and network security



CCIN: Data Security, the Main Legal Obligation


Law 1.165 of December 23, 1993, as amended, underscores the vital importance of protecting and securing personal data, as stipulated in Article 17:

“The data controller or their representative is required to implement appropriate technical and organizational measures to safeguard personal information against accidental or unlawful destruction, accidental loss, alteration, dissemination, or unauthorized access. This is particularly crucial when processing involves the transmission of information over a network, as well as against any other form of unlawful processing.”

Data Cybersecurity: Serious Consequences in the Event of an Incident

Given the numerous recent incidents such as hacking and illegal collection and publication of personal information, sometimes affecting tens of millions of people, the issue of securing personal information is increasingly sensitive among the general public. For instance:

  • One million Ameli login credentials were found for sale on the Dark Web in 2022.
  • A data leak of 33 million people occurred following a cyberattack against Viamedis and Almerys in January 2024.
  • The hacking of Pôle Emploi resulted in the data of 10 million users being put up for sale.

Data Security in Monaco: A National Issue

Serious incidents of this nature are widespread, affecting everyone. Even the Principality of Monaco, which aims to be a pioneer in this field, is not immune. For over 20 years, the Security Conference has convened, bringing together more than 3,000 participants annually to address and master the numerous cybersecurity challenges faced in Monaco and globally.

As cybersecurity specialists point out, a cyberattack engages the liability of the private or public organization whose users, customers and prospects become its victims. Such incidents can have severe consequences, up to and including the outright closure of a company.

Of course, the level of security required by Monegasque law also depends on the nature of the personal data.

Current Law 1.165 includes specific and stringent provisions concerning personal data related to health, professional secrecy, and defense secrecy.

Securing Data, Systems, and Networks: The 12 Labors of Hercules of the CCIN

According to Monegasque law, “the measures implemented must ensure an adequate level of security considering the risks posed by the processing and the nature of the data to be protected.”

These measures, outlined by the CCIN in a document humorously named “the 12 Labors of Hercules”, highlight how complex implementation is for companies, individuals or organizations that do not specialize in this field.

The non-exhaustive data security measures recommended by the CCIN include:

1. Mapping of general system and access procedures

Map the information system and its security, inventory privileged access accounts, implement security procedures for personnel joining and leaving the organization, and keep all of this documentation up to date.

2. Control of access to public networks

Limit and control access to unsecured networks such as the Internet and public Wi-Fi networks, in particular for portable equipment (phones, tablets, laptops) and in public places and transport.

3. User Authentication

Establish strict and secure authentication policies, particularly for user account and password management, and document these procedures.

4. Securing equipment

Implement centralized deployment management to keep all connected equipment updated, secure all mobile equipment with a VPN (Virtual Private Network) and protect removable data media (USB keys, portable hard drives, DVDs, etc.) with encryption.

5. Securing the internal network

Systematically use secure applications and protocols (two-factor authentication (2FA), biometrics, firewalls, VPN, segmented Wi-Fi, SSH, SFTP, SMTPS, HTTPS, centralized directory services such as AD or LDAP, etc.) and isolate workstations and servers that hold sensitive data or are vital to the business.

6. Securing Internet access

Set up secure gateways to the Internet, in particular VPNs, control the installation of software on equipment, and block access to sites particularly exposed to hacking or used for phishing attempts.

7. Monitoring of IT systems

Implement IT monitoring policies on all systems and networks (e-mail included), alert procedures in the event of an incident, and logging of events and of the responses to them.

8. Securing network administration

Segregate administrator accounts from unprotected public networks, and tightly secure remote administration access.

9. Physical security measures

Control access to physical equipment and the premises housing it: security by locking, badge, biometrics, etc.

10. Securing devices and printed media

Secure access to printers (mandatory physical presence, passwords), protect storage media and printed documents, and destroy them by shredding when necessary.

11. Incident response procedures

Implement containment, backup and restoration plans for systems, along with alert chains and action plans to be followed when an incident occurs.

12. Dissemination of data security best practices

Create security charters, provide data protection training, obtain formal acceptance of the security policies from everyone concerned, and periodically audit knowledge, protocols and practices.