AbleToTrain by Willing & Able

NIS Directive – Step-by-step Guide for companies – part 3

The first step in developing the cybersecurity rules specified by NIS

To comply with the NIS Directive, you should begin with the governance section. It is a time-consuming process with several phases, which we outline below.


Step 1-Ensuring information security management

This step is made up of another eight smaller steps, as follows:

1.1 Risk analysis and assessment

Here you should work out the following:

  • security risk assessment. An analysis of the security risks of the networks and information systems that support the provision of essential services must be performed and updated regularly. You begin by identifying the critical IT systems and equipment that support the delivery of the essential service, together with the main threats to them.

  • security risk management. For the provision of essential services you will need a risk management method that documents the risk assessment process and the criteria for risk analysis, acceptance and reduction.

  • updating the security risk assessment. The analysis must be reviewed in light of:

  1. new cyber security threats;

  2. newly discovered vulnerabilities;

  3. loss of effectiveness of existing security measures;

  4. changes in the risk situation caused by changes in the architecture of the networks and information systems;

  5. any other changes in the risk situation.

The results of the risk assessment are recorded in the organization's risk register.

1.2 Implementation of security plans and a security policy

Here is what you should deal with:

  • security policy. You must create, maintain and apply a network and information systems security policy, together with an information security management system, to assure the provision of essential services.

  • security governance. You must provide a description of security governance that covers all the specific security policies of the information security management system (SMSI), such as the security accreditation process, security audit, cryptography, security maintenance, incident handling, and so on.

  • security policy implementation. You must write a report on the network and information systems security policy for delivering essential services (PONIS) and its implementing documents. The report must detail the risk inventory, the security status of the networks and information systems, and the security activities planned and carried out.

1.3 Security accreditation

Accreditation is required for your company's networks and information systems, including their management components. You should therefore know the following about security accreditation:

  • it is a formal decision taken by the company's top management;

  • it certifies that all residual risks have been identified and accepted at management level;

  • it certifies the process of identifying security risks and implementing the necessary protection measures;

  • it is valid for a maximum of one year.

In addition, you must keep a security accreditation map that includes:

  • risk analysis and security objectives;

  • the procedures and security measures applied;

  • security audit reports;

  • conformity assessment reports;

  • residual risks and the reasons justifying their acceptance.

You must also review the validity of the security accreditation:

  • annually;

  • whenever a development event or process is identified that changes the context described in the accreditation;

  • whenever the configuration of the networks, systems or applications changes significantly.

In short, you are obliged to renew the accreditation as soon as it is no longer valid.

1.4 Establishment of security indicators

At this point you must define a set of assessment indicators that allow you to measure compliance with the network and information systems security policy for delivering essential services (PONIS).

For example, you can refer to:

  • risk management performance;

  • protection of resources;

  • users’ access rights;

  • authentication of access to resources;

  • resource management.

Be careful: for each indicator you must state the evaluation method and, where relevant, the margin of uncertainty in its value.

If an indicator differs considerably from the previous evaluation, you must determine and explain why.

1.5 Verification of compliance with information security and security audit

Are your organization's networks and information systems (SNIS) compliant? This is the main question your company's IT professionals should be able to answer at this stage. First, however, senior management must establish a method for assessing SNIS compliance, based on ARNIS (the analysis of security risks of networks and information systems: a document prepared by the company that identifies the critical elements underlying the provision of essential services and the main risks, so that they can be managed and reduced).

The security structure or team appointed by the company's top management is responsible for this task, which concludes with a conformity assessment report.

A security audit is also carried out at this stage, producing an audit report.

The audit is performed:

  • at least once every 2 years;

  • only by computer security auditors certified by ANSRSI for the audit of computer networks and systems, holding a certificate that is valid on the date RASNIS is completed.

1.6 Testing and evaluating the security of computer networks and systems

The testing and evaluation procedure covers verification of the operational systems on the basis of careful planning, so as to minimize the risk of interrupting essential services.

Specifically, you must detect and address vulnerabilities in the networks and information systems, whether they lie in software (applications) or in hardware (network infrastructure, computer systems).

Finally, a security test and evaluation report for your networks and information systems is required.

1.7 User awareness and training

Your own staff can be a source of vulnerabilities in your IT systems, so you must give them what they need to be aware of the various types of cyber security threats and the corresponding countermeasures.

All employees must be made aware of cybersecurity, and personnel who use the networks and information systems must be trained.

1.8 Asset management

All assets, IT processes, systems and components of your company's networks and information systems must be inventoried and classified. The inventory is also needed in order to apply updates and patches, and it lets you establish which parts of your networks and systems are affected when a new security problem is disclosed.

You will also need a scheme for classifying and labeling data and information according to its sensitivity, so that it is handled appropriately.

Step 2-Where can you expect a cyber attack? Ecosystem mapping

The natural or legal persons with whom your business has relationships can be a risk factor for your systems and networks, whether they operate inside the company, as employees, or outside it, such as software service providers or organizations to which you have outsourced specific services.

As a result, the national legislation transposing the NIS Directive and its implementing regulations requires you to create an "ecosystem map". It is essentially a list of identified potential risks and their weighting in terms of delivering your company's essential services. Relationships with ecosystem stakeholders, both internal and external, including but not limited to suppliers, particularly those with access to the management of the company's critical assets, constitute risks.

To draw up the list, consider four main parameters:

  • maturity. What are the stakeholder's cybersecurity capabilities?

  • trust. Can you rely on the stakeholder's intentions?

  • access level. What access rights does the stakeholder have to your networks and information systems?

  • dependence. How critical is the relationship with the stakeholder to your business?

Step 3-Establish ecosystem relationships

Closely related to step 2, you will also need to establish and apply a method for managing ecosystem relationships. It covers the interconnections (external relations) between your own networks and information systems and third-party systems. In general, the security requirements for components of networks and information systems operated by other parties must be taken into account.

You must ensure, through service level agreements (SLAs) and/or audit procedures, that your suppliers implement appropriate security measures, and you must compile and maintain a list of those SLAs and/or audit procedures for this purpose.

Complying with network and information system security regulations is not simple. It takes time, human resources to oversee the whole process, and financial resources to implement the security plan.

However, this is not an entirely new problem. European legislation often aligns with international standards, as the GDPR does, and here the relevant one is ISO/IEC 27001, the information security management system standard, which is the most important international information security standard an IT organization can adopt, alongside other frameworks.

You can also enlist information security experts to guide you through the process of ensuring that your company complies with the law and is prepared to cope with cyber threats.