Network and Information Systems (NIS) Regulations - A pocket guide for digital service providers
Alan Calder

About This Book

This pocket guide is a primer for any DSP (digital service provider) that needs to comply with the NIS Regulations. It explains which organisations count as DSPs and why the NIS Regulations treat them differently.

An introduction to the new NIS Regulations 2018 that bring the EU's NIS Directive and Implementing Regulation into UK law.

This guide outlines the key requirements, details exactly which digital service providers are within scope, and explains how the security objectives from ENISA's Technical Guidelines and international standards can help DSPs achieve compliance.

This guide will help you:

  • Clarify how to identify if you are within the scope of the NIS Regulations
  • Gain an insight into the NIS Directive
  • Unravel the key definitions, authorities and points of contact
  • Understand the benefits of a good cyber resilience plan

Your essential guide to understanding the NIS Regulations – buy this book today and get the help and guidance you need.

Information

Publisher: ITGP
Year: 2018
ISBN: 9781787780507

CHAPTER 4: IMPLEMENTING CYBER RESILIENCE

Cyber resilience is a blend of cyber security, incident response and business continuity. An effective cyber resilience framework can protect an organisation from the majority of attacks and incidents, while also maximising its durability when an incident does occur. The principle behind cyber resilience is that an organisation can do a great deal to prevent incidents or mitigate their impact, but incidents remain inevitable. This is one good reason for the Implementing Regulation to mandate business continuity, which it defines as "the capability of an organisation to maintain or as appropriate restore the delivery of services at acceptable predefined levels following a disruptive incident" (Article 3).
As the technology to commit cyber crime becomes more accessible and the number of vulnerabilities that any organisation might be subject to increases, cyber attacks become more certain. This assumption is supported by statistics: according to a 2018 UK government survey,[30] 43% of all UK businesses had suffered at least one breach or cyber attack in the previous 12 months, which was higher among medium-sized (64%) and large firms (72%) – and this is despite a significant increase in cyber security investment.
For organisations that do suffer an incident, such as a cyber attack, it is critical that they have processes in place to respond to the incident, reduce its impact and quickly recover to business as usual. This requires a comprehensive framework that considers people, processes and technology – people, after all, are critical to security and to ensuring that processes and technologies are applied correctly and consistently, which is, of course, why the Directive requires both technical and organisational measures.
Common principles across various cyber resilience frameworks include that the project must be led from the top of the organisation, and must be capable of continually adapting to new threats and changing environments. These are characteristics of any successful, ongoing business project, and cyber resilience should be treated in much the same way.
Your organisation could develop a cyber resilience capability by simply going through the guidance and references provided by one of these frameworks, but this is likely to result in an inconsistent and disorganised set of processes without a larger appreciation for how they fit into the organisation. A successful project must take a more considered, holistic approach.
ISO standards – especially ISO 27001 (information security) and ISO 22301 (business continuity) – provide specifications for management systems that can be integrated to provide an effective framework for cyber resilience, incorporating further guidance from standards such as ISO 27002 and ISO 27035.
However, helpful as these standards may be, they are not designed for compliance with the NIS Directive, NIS Regulations, Implementing Regulation or any other piece of legislation. Rather, they are intended to provide guidance on good practice to protect information and information systems (the ISO 27000 family), and help organisations survive and quickly recover from incidents (ISO 22301). As such, any organisation using these standards to any degree still needs to ensure that it has taken all steps necessary to achieve, maintain and prove compliance with the law.

ISO 27001 and ISO 27002

ISO 27001 is the international standard for information security management, and provides a structured approach to protecting an organisation's information assets. Meanwhile, ISO 27002 – the 'code of practice' – provides comprehensive implementation guidance that builds on ISO 27001.
Like other ISO management system standards, ISO 27001 recognises that there are a number of core functions that any management system must rely upon, and builds onto them. This makes information security part of the way the organisation operates, rather than simply a side concern. It also takes the organisation's business environment and obligations into account, ensuring that the ISMS is relevant to the organisation.
The first step is to ensure top management commitment: the organisation must both direct and support the ISMS from the very top, which might be the board or senior management, and this includes taking accountability for the success of the project. This ensures that the ISMS can be operated in line with the organisation's wider business objectives while providing evidence that information security is a topic to be taken very seriously. It also ensures that the ISMS meets all of the requirements your organisation may face.
ISO 27001 advocates taking a risk management approach to information security, in line with Recital 44 of the Directive:
A culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks faced, should be promoted and developed through appropriate regulatory requirements and voluntary industry practices.
In other words, the organisation should decide how to mitigate its risk on the basis of an informed assessment – that is, based on the risks it actually faces.
Once again, this exists within a larger framework that takes the organisation's business environment into account. ISO 27001's risk management process is kept deliberately open to allow the organisation to use whatever methodology is already familiar or appropriate to the business. Rather than prescribing a method in detail, it simply sets out a more general process that can be adopted by most existing risk management methodologies.
Clause 6.1 of ISO 27001 requires the organisation's risk assessment process to:
  • Define both risk acceptance criteria and criteria for conducting a risk assessment;
  • Produce "consistent, valid and comparable results";
  • Identify risks associated with the loss of confidentiality, integrity and availability of information assets;
  • Analyse each risk to identify the likelihood of it occurring and the potential impact if it does occur; and
  • Evaluate the risks against the organisation's risk acceptance criteria to decide upon appropriate responses.
The output of a risk assessment will be a risk treatment plan that describes how the organisation will treat the risks it has identified. For the most part, this will involve applying controls. Such controls can fulfil a range of functions, but they generally fall into one of three categories:
1. Preventive
Preventive controls are intended to prevent risks from occurring or to reduce their likelihood. For instance, a rigorous patching programme reduces the amount of time that applications are vulnerable to exploitation, which in turn reduces the likelihood that an attacker will be able to take advantage of them.
2. Detective
Detective controls identify events and incidents, allowing the organisation to take steps to prevent an incident from occurring, gather forensic evidence for later action or react to reduce the impact of an ...