eBook - ePub
Network and Information Systems (NIS) Regulations - A pocket guide for digital service providers
Alan Calder
- 61 pages
- English
About this book
This pocket guide is a primer for any DSP (digital service provider) that needs to comply with the NIS Regulations; it explores who DSPs are and why the NIS Regulations treat them differently.
It introduces the NIS Regulations 2018, which bring the EU's NIS Directive and Implementing Regulation into UK law.
This guide outlines the key requirements, details exactly which digital service providers are within scope, and explains how the security objectives from ENISA's Technical Guidelines and international standards can help DSPs achieve compliance.
This guide will help you:
- Clarify how to identify if you are within the scope of the NIS Regulations
- Gain an insight into the NIS Directive
- Unravel the key definitions, authorities and points of contact
- Understand the benefits of a good cyber resilience plan
Your essential guide to understanding the NIS Regulations: buy this book today and get the help and guidance you need.
CHAPTER 4: IMPLEMENTING CYBER RESILIENCE
Cyber resilience is a blend of cyber security, incident response and business continuity. An effective cyber resilience framework can protect an organisation from the majority of attacks and incidents, while also maximising its durability when an incident does occur. The principle behind cyber resilience is that an organisation can do a great deal to prevent incidents or mitigate their impact, but incidents remain inevitable. This is one good reason for the Implementing Regulation to mandate business continuity, which it defines as "the capability of an organisation to maintain or as appropriate restore the delivery of services at acceptable predefined levels following a disruptive incident" (Article 3).
As the technology to commit cyber crime becomes more accessible and the number of vulnerabilities that any organisation might be subject to increases, cyber attacks become more certain. This assumption is supported by statistics: according to a 2018 UK government survey,[30] 43% of all UK businesses had suffered at least one breach or cyber attack in the previous 12 months; the figure was higher among medium-sized (64%) and large firms (72%), and this is despite a significant increase in cyber security investment.
For organisations that do suffer an incident, such as a cyber attack, it is critical that they have processes in place to respond to the incident, reduce its impact and quickly recover to business as usual. This requires a comprehensive framework that considers people, processes and technology: people, after all, are critical to security and to ensuring that processes and technologies are applied correctly and consistently, which is, of course, why the Directive requires both technical and organisational measures.
Common principles across various cyber resilience frameworks include that the project must be led from the top of the organisation, and must be capable of continually adapting to new threats and changing environments. These are characteristics of any successful, ongoing business project, and cyber resilience should be treated in much the same way.
Your organisation could develop a cyber resilience capability by simply going through the guidance and references provided by one of these frameworks, but this is likely to result in an inconsistent and disorganised set of processes without a larger appreciation for how they fit into the organisation. A successful project must take a more considered, holistic approach.
ISO standards, especially ISO 27001 (information security) and ISO 22301 (business continuity), provide specifications for management systems that can be integrated to provide an effective framework for cyber resilience, incorporating further guidance from standards such as ISO 27002 and ISO 27035.
However, helpful as these standards may be, they are not designed for compliance with the NIS Directive, NIS Regulations, Implementing Regulation or any other piece of legislation. Rather, they are intended to provide guidance on good practice to protect information and information systems (the ISO 27000 family), and help organisations survive and quickly recover from incidents (ISO 22301). As such, any organisation using these standards to any degree still needs to ensure that it has taken all steps necessary to achieve, maintain and prove compliance with the law.
ISO 27001 and ISO 27002
ISO 27001 is the international standard for information security management, and provides a structured approach to protecting an organisation's information assets. Meanwhile, ISO 27002, the "code of practice", provides comprehensive implementation guidance that builds on ISO 27001.
Like other ISO management system standards, ISO 27001 recognises that there are a number of core functions that any management system must rely upon, and builds onto them. This makes information security part of the way the organisation operates, rather than simply being a side concern. It also takes the organisation's business environment and obligations into account, ensuring that the ISMS is relevant to the organisation.
The first step is to ensure top management commitment: the organisation must both direct and support the ISMS from the very top, which might be the board or senior management, and this includes taking accountability for the success of the project. This ensures that the ISMS can be operated in line with the organisation's wider business objectives while providing evidence that information security is a topic to be taken very seriously. It also ensures that the ISMS meets all of the requirements your organisation may face.
ISO 27001 advocates taking a risk management approach to information security, in line with Recital 44 of the Directive:
A culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks faced, should be promoted and developed through appropriate regulatory requirements and voluntary industry practices.
In other words, the organisation should decide how to mitigate its risk on the basis of an informed assessment, that is, based on the risks it actually faces.
Once again, this exists within a larger framework that takes the organisation's business environment into account. ISO 27001's risk management process is kept deliberately open to allow the organisation to use whatever methodology is already familiar or appropriate to the business. Rather than prescribing a method in detail, it simply sets out a more general process that can be adopted by most existing risk management methodologies.
Clause 6.1 of ISO 27001 requires the organisation's risk assessment process to:
- Define both risk acceptance criteria and criteria for conducting a risk assessment;
- Produce "consistent, valid and comparable results";
- Identify risks associated with the loss of confidentiality, integrity and availability of information assets;
- Analyse each risk to identify the likelihood of it occurring and the potential impact if it does occur; and
- Evaluate the risks against the organisation's risk acceptance criteria to decide upon appropriate responses.
The output of a risk assessment will be a risk treatment plan that describes how the organisation will treat the risks it has identified. For the most part, this will involve applying controls. Such controls can fulfil a range of functions, but they generally fall into one of three categories:
1. Preventive
Preventive controls are intended to prevent risks from occurring or to reduce their likelihood. For instance, a rigorous patching programme reduces the amount of time that applications are vulnerable to exploitation, which in turn reduces the likelihood that an attacker will be able to take advantage of them.
2. Detective
Detective controls identify events and incidents, allowing the organisation to take steps to prevent an incident from occurring, gather forensic evidence for later action or react to reduce the impact of an ...