Network and Information Systems (NIS) Regulations - A pocket guide for digital service providers
eBook - ePub

Alan Calder

  1. 61 pages
  2. English
  3. ePUB (mobile-friendly)

About this book

This pocket guide is a primer for any DSP (digital service provider) that needs to comply with the NIS Regulations. It explains what DSPs are and why the NIS Regulations treat them differently from operators of essential services.

An introduction to the new NIS Regulations 2018 that bring the EU's NIS Directive and Implementing Regulation into UK law.

This guide outlines the key requirements, details exactly which digital service providers are within scope, and explains how the security objectives from ENISA's Technical Guidelines and international standards can help DSPs achieve compliance.

This guide will help you:

  • Clarify how to identify if you are within the scope of the NIS Regulations
  • Gain an insight into the NIS Directive
  • Unravel the key definitions, authorities and points of contact
  • Understand the benefits of a good cyber resilience plan

Your essential guide to understanding the NIS Regulations – buy this book today and get the help and guidance you need.


Information

Publisher
ITGP
Year
2018
ISBN
9781787780507

CHAPTER 4: IMPLEMENTING CYBER RESILIENCE

Cyber resilience is a blend of cyber security, incident response and business continuity. An effective cyber resilience framework can protect an organisation from the majority of attacks and incidents, while also maximising its durability when an incident does occur. The principle behind cyber resilience is that an organisation can do a great deal to prevent incidents or mitigate their impact, but incidents remain inevitable. This is one good reason for the Implementing Regulation to mandate business continuity management, which it defines as “the capability of an organisation to maintain or as appropriate restore the delivery of services at acceptable predefined levels following a disruptive incident” (Article 3).
As the technology to commit cyber crime becomes more accessible and the number of vulnerabilities that any organisation might be subject to increases, cyber attacks become more certain. This assumption is supported by statistics: according to a 2018 UK government survey,[30] 43% of all UK businesses had suffered at least one breach or cyber attack in the previous 12 months, and the proportion was higher among medium-sized (64%) and large firms (72%) – and this is despite a significant increase in cyber security investment.
For organisations that do suffer an incident, such as a cyber attack, it is critical that they have processes in place to respond to the incident, reduce its impact and quickly recover to business as usual. This requires a comprehensive framework that considers people, processes and technology – people, after all, are critical to security and to ensuring that processes and technologies are applied correctly and consistently, which is, of course, why the Directive requires both technical and organisational measures.
Common principles across various cyber resilience frameworks include that the project must be led from the top of the organisation, and must be capable of continually adapting to new threats and changing environments. These are characteristics of any successful, ongoing business project, and cyber resilience should be treated in much the same way.
Your organisation could develop a cyber resilience capability by simply going through the guidance and references provided by one of these frameworks, but this is likely to result in an inconsistent and disorganised set of processes without a larger appreciation for how they fit into the organisation. A successful project must take a more considered, holistic approach.
ISO standards – especially ISO 27001 (information security) and ISO 22301 (business continuity) – provide specifications for management systems that can be integrated to provide an effective framework for cyber resilience, incorporating further guidance from standards such as ISO 27002 and ISO 27035.
However, helpful as these standards may be, they are not designed for compliance with the NIS Directive, NIS Regulations, Implementing Regulation or any other piece of legislation. Rather, they are intended to provide guidance on good practice to protect information and information systems (the ISO 27000 family), and help organisations survive and quickly recover from incidents (ISO 22301). As such, any organisation using these standards to any degree still needs to ensure that it has taken all steps necessary to achieve, maintain and prove compliance with the law.

ISO 27001 and ISO 27002

ISO 27001 is the international standard for information security management, and provides a structured approach to protecting an organisation’s information assets. Meanwhile, ISO 27002 – the ‘code of practice’ – provides comprehensive implementation guidance that builds on ISO 27001.
Like other ISO management system standards, ISO 27001 recognises that there are a number of core functions that any management system must rely upon, and builds on them. This makes information security part of the way the organisation operates, rather than simply a side concern. It also takes the organisation’s business environment and obligations into account, ensuring that the ISMS is relevant to the organisation.
The first step is to ensure top management commitment: the organisation must both direct and support the ISMS from the very top, which might be the board or senior management, and this includes taking accountability for the success of the project. This ensures that the ISMS can be operated in line with the organisation’s wider business objectives, while providing evidence that information security is a topic to be taken very seriously. It also ensures that the ISMS meets all of the requirements your organisation may face.
ISO 27001 advocates taking a risk management approach to information security, in line with Recital 44 of the Directive:
A culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks faced, should be promoted and developed through appropriate regulatory requirements and voluntary industry practices.
In other words, the organisation should decide how to mitigate its risk on the basis of an informed assessment – that is, based on the risks it actually faces.
Once again, this exists within a larger framework that takes the organisation’s business environment into account. ISO 27001’s risk management process is kept deliberately open to allow the organisation to use whatever methodology is already familiar or appropriate to the business. Rather than prescribing a method in detail, it simply sets out a more general process that can be adopted by most existing risk management methodologies.
Clause 6.1 of ISO 27001 requires the organisation’s risk assessment process to:
  • Define both risk acceptance criteria and criteria for conducting a risk assessment;
  • Produce “consistent, valid and comparable results”;
  • Identify risks associated with the loss of confidentiality, integrity and availability of information assets;
  • Analyse each risk to identify the likelihood of it occurring and the potential impact if it does occur; and
  • Evaluate the risks against the organisation’s risk acceptance criteria to decide upon appropriate responses.
The output of a risk assessment will be a risk treatment plan that describes how the organisation will treat the risks it has identified. For the most part, this will involve applying controls. Such controls can fulfil a range of functions, but they generally fall into one of three categories:
1. Preventive
Preventive controls are intended to prevent risks from occurring or to reduce their likelihood. For instance, a rigorous patching programme reduces the amount of time that applications are vulnerable to exploitation, which in turn reduces the likelihood that an attacker will be able to take advantage of them.
2. Detective
Detective controls identify events and incidents, allowing the organisation to take steps to prevent an incident from occurring, gather forensic evidence for later action or react to reduce the impact of an ...
