While the GDPR focuses on the rights of the data subjects and the obligations of relevant actors in processing activities, the NIS Directive concerns the national critical infrastructure of Member States and focuses on the main economic sectors.
The first EU-wide legislation on cybersecurity, the Directive on Security of Network and Information Systems (the ‘NIS Directive’), entered into force in 2016 after 3 years of negotiations. It marked a step-change in cybersecurity as for the first time a common approach to increase the level of security of network and information systems across the Union was established. This law, therefore, constitutes the primary anchor for the EU cybersecurity architecture.
The reasoning behind the directive is quite understandable: we have entered an era where cybersecurity – or lack thereof – concerns us all.
The NIS Directive applies to organizations that deliver essential services within the EU. It divides them into two categories: Operators of Essential Services (OES) and Digital Service Providers (DSP). Each Member State is responsible for identifying which businesses on its territory are in scope. In general, organizations in energy, transport, banking and financial market infrastructure, healthcare, drinking water supply and digital infrastructure are identified as OES. Online marketplaces, cloud computing services and online search engines are classified as DSP, although that category is not defined as explicitly as the former.
Compliance is mandatory!
Whichever category your organization falls into, the core responsibilities are the same (the directive applies a lighter-touch regime to DSPs, but both categories have to meet them). The directive identifies two primary obligations:
You must take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of your networks and information systems.
You must notify the competent authority or CSIRT (CERT-RO in Romania's case) of any incident having a significant impact on the continuity of your services, without undue delay.
To fulfill these requirements, you need to put several capabilities in place:
1. Vulnerability scanning
In order to comply with the NIS Directive, you must have vulnerability scanning systems and tools capable of identifying security weaknesses proactively, before an attacker does.
2. Vulnerability management
You also need a coherent, repeatable process for identifying, evaluating, treating and reporting on security vulnerabilities in your systems and in the software that runs on them. Scanning finds the weaknesses; vulnerability management is what gets them fixed and proves it.
3. Incident management
Solid incident management capabilities should be in place, allowing you to minimize the impact of cybersecurity attacks and restore services as fast as possible.
4. Reporting
Your organization must adopt incident reporting procedures that ensure significant cybersecurity incidents are reported to CERT-RO within the legally required timeframe.
5. Real-time incident simulations
To demonstrate compliance, you must regularly carry out real-time incident simulations (tabletop and live exercises) and keep a record of what was exercised and what was learned.
6. Logging data
An OES or DSP must retain logging data that will allow the authorities to assess the security of your networks and information systems, and to reconstruct what happened after an incident.
7. Technical and compliance security audits
Finally, it is vital to keep all security audit results for future reference in a form that is easy to access, coherent and searchable.
The supply chain is important.
Moreover, as an OES or a DSP, you are likely to have a complex supply chain. When hundreds of third-party suppliers interface with your network and information systems, your threat landscape grows commensurately. In order to meet the demands of the NIS Directive, you will have to be able to mitigate the risks in your supply chain and propagate your cybersecurity standards throughout your entire value network.
Centraleyezer – the power tool for clean NIS Directive compliance.
The message behind the NIS Directive is clear: implementing an effective cybersecurity framework is an essential part of doing business in our times. When that many people rely on your services, the infrastructure that makes those services possible must be secure against threats – both from without and within.
At SANDLINE we developed one of the most powerful tools designed to lift the burden of NIS compliance: CENTRALEYEZER!
We help you work through every step and every requirement. We have extensive experience with public entities, organizations and service providers.
Just remember: the NIS Directive is mandatory, and it is by no means an easy task to implement.