Page 60 - Cyber Defense eMagazine January 2024

The new regulatory framework will also deliver:

   •  Harmonisation of the implementation of the Directive across Europe, with more precise regulations.
   •  Stronger overall security, with strict and proportionate criteria depending on whether the given organisation is categorised as an essential or an important entity.
   •  Increased responsibility and powers of supervision, control, and sanction for the Member States, to ensure proper implementation of these measures.
   •  A delegation of this responsibility to businesses, who must manage their own risks.




The question businesses therefore now face is how to meet these compliance challenges quickly and with minimal disruption.

This is complicated by the fact that no binding measures have yet been taken at national level (other than the notification of contact persons, incident reporting procedures and the potential sharing of information): the Member States are still in the process of transposing the Directive into national law.


However, there are elements that must be considered, based on NIS 1:

   •  A governance policy must be in place to ensure adequate risk management. This needs to include audit, risk analysis, security indicators, accreditation, and mapping.
   •  The key protection elements must be considered in relation to the security policies tied to the architecture itself: these need to account for administration, access, and maintenance.
   •  Appropriate and reinforced detection measures, as well as incident response and management measures, must be in place to maintain business continuity in a crisis should a cyberattack occur.



NIS 2 addresses these areas, but the details are delayed at European and national level, particularly in terms of integration with other legislation.

However, it is possible to translate these demands into a workable strategy and begin now. There are five pillars to consider:

   •  Identifying and protecting against risks
   •  Protecting data and sensitive information
   •  Investing in or strengthening cybersecurity technologies
   •  Implementing incident management and CSIRT notification measures
   •  Training and awareness-raising for employees



First and foremost, it is essential to develop, enhance or maintain complete visibility of the information system. This means an inventory and mapping of all assets and of user behaviour on the network.
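As an added illustration of what "visibility" means in practice (this is example code written for this page, not code from the article or from any NIS 2 guidance), the script below reconciles an inventory of record against what is actually seen on the network. The CMDB dictionary and the log lines are constructed for the example: the DHCP lines follow the ISC dhcpd DHCPACK syslog format and the login lines follow the OpenSSH "Accepted ... for ... from ..." format. It reports assets seen on the wire that are missing from the inventory (shadow IT), inventory entries never observed (candidates for decommissioning), and which users log in from which assets, flagging logins from unmanaged devices.

```python
import re
from dataclasses import dataclass, field

# Hypothetical inventory of record (a CMDB export), keyed by MAC address.
# Constructed for this example.
CMDB = {
    "aa:bb:cc:dd:ee:01": {"hostname": "fileserver-01", "owner": "it-ops", "class": "essential"},
    "aa:bb:cc:dd:ee:02": {"hostname": "hr-laptop-07", "owner": "hr", "class": "important"},
    "aa:bb:cc:dd:ee:03": {"hostname": "decom-db-02", "owner": "it-ops", "class": "important"},
}

# Constructed sample syslog lines (ISC dhcpd and OpenSSH formats).
SAMPLE_LOGS = """\
Jan 12 08:01:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.23 to aa:bb:cc:dd:ee:01 (fileserver-01) via eth0
Jan 12 08:03:11 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.57 to aa:bb:cc:dd:ee:02 (hr-laptop-07) via eth0
Jan 12 08:05:40 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.99 to 00:11:22:33:44:55 (android-9f2) via eth0
Jan 12 08:06:00 fileserver-01 sshd[2201]: Accepted publickey for alice from 10.0.1.57 port 50122 ssh2
Jan 12 08:07:30 fileserver-01 sshd[2210]: Accepted password for root from 10.0.1.99 port 41120 ssh2
"""

DHCP_RE = re.compile(r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<name>[^)]*)\))?")
SSH_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")


@dataclass
class Visibility:
    observed: dict = field(default_factory=dict)        # mac -> {"ip", "name"} seen via DHCP
    unknown_assets: list = field(default_factory=list)  # on the wire, absent from the CMDB
    unseen_assets: list = field(default_factory=list)   # in the CMDB, never seen on the wire
    logins: list = field(default_factory=list)          # user -> source asset mapping


def build_visibility(log_text: str, cmdb: dict) -> Visibility:
    """Parse DHCP and SSH log lines and reconcile them against the inventory."""
    vis = Visibility()
    ip_to_mac = {}
    for line in log_text.splitlines():
        m = DHCP_RE.search(line)
        if m:
            mac = m.group("mac").lower()
            vis.observed[mac] = {"ip": m.group("ip"), "name": m.group("name") or ""}
            ip_to_mac[m.group("ip")] = mac  # later logins resolve their source IP through this
            continue
        m = SSH_RE.search(line)
        if m:
            mac = ip_to_mac.get(m.group("ip"))  # None if no lease was seen for that IP
            vis.logins.append({
                "user": m.group("user"),
                "method": m.group("method"),
                "src_ip": m.group("ip"),
                "src_mac": mac,
                "src_known": mac in cmdb,
            })
    vis.unknown_assets = sorted(set(vis.observed) - set(cmdb))
    vis.unseen_assets = sorted(set(cmdb) - set(vis.observed))
    return vis


def findings(vis: Visibility, cmdb: dict) -> list:
    """Turn the reconciliation into review items for the asset and access owners."""
    out = []
    for mac in vis.unknown_assets:
        o = vis.observed[mac]
        out.append(f"unmanaged asset {mac} ({o['name'] or 'no hostname'}) at {o['ip']}")
    for mac in vis.unseen_assets:
        out.append(f"inventory entry {cmdb[mac]['hostname']} ({mac}) not observed; verify or decommission")
    for login in vis.logins:
        # Logins from unmanaged devices, as root, or with a password rather than a key get reviewed.
        if not login["src_known"] or login["user"] == "root" or login["method"] == "password":
            out.append(f"review login: {login['user']} via {login['method']} from "
                       f"{login['src_ip']} (asset known: {login['src_known']})")
    return out


if __name__ == "__main__":
    for item in findings(build_visibility(SAMPLE_LOGS, CMDB), CMDB):
        print(item)
```

On real infrastructure the CMDB export and the log feed would come from the asset management and SIEM systems respectively; the reconciliation logic stays the same, and the interesting output is precisely the two difference sets, since an organisation cannot protect, or report an incident on, an asset it does not know it has.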





Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.