What is the NIS Directive?
The Networks and Information Systems (NIS) Directive is the first EU-wide legislation dedicated to cyber security. Its primary objective is to establish a consistent standard of security across all member states within Europe. The legislation plays a crucial role in safeguarding European businesses and Operators of Essential Services (OES) from potentially severe threats. Failure to address such threats could lead to substantial harm to the UK economy, as exemplified by the 2017 WannaCry attack on the NHS. During this incident, attackers encrypted data on computer systems and demanded payment in exchange for restoring access to the files. Although the NIS Directive was implemented a year later, its earlier adoption could have thwarted the WannaCry attack.
What is the NCSC Cyber Assessment Framework?
The National Cyber Security Centre (NCSC) has introduced the Cyber Assessment Framework (CAF) to assist businesses in adhering to the NIS Directive. The framework gives organisations a tool to assess their own compliance with the NIS legislation.
The framework consists of the following four objectives, each broken down into numbered principles:
Objective A: Managing Security Risk
A1 Governance – Establishing policies and processes governing the organization’s approach to network and information system security.
A2 Risk Management – Identifying, assessing, and understanding security risks, along with establishing an organizational approach to risk management.
A3 Asset Management – Determining and understanding all systems and services essential for maintaining or supporting essential functions.
A4 Supply Chain – Understanding and managing security risks to networks and information systems arising from external supplier dependencies.
Objective B: Protecting Against Cyber Attack
B1 Service Protection Policies and Processes – Defining and communicating organizational policies and processes to secure systems and data supporting essential functions.
B2 Identity and Access Control – Understanding, documenting, and controlling access to networks and information systems supporting essential functions.
B3 Data Security – Protecting stored or transmitted data from actions that may impact essential functions adversely.
B4 System Security – Safeguarding critical network and information systems from cyber attacks.
B5 Resilient Networks and Systems – Building resilience against cyber attacks.
B6 Staff Awareness and Training – Supporting staff appropriately to ensure a positive contribution to the cybersecurity of essential functions.
Objective C: Detecting Cybersecurity Events
C1 Security Monitoring – Monitoring to detect potential security problems and assess the effectiveness of existing security measures.
C2 Proactive Security Event Discovery – Detecting anomalous events in relevant network and information systems.
Objective D: Minimizing the Impact of Cybersecurity Incidents
D1 Response and Recovery Planning – Establishing incident management and mitigation processes.
D2 Lessons Learned – Learning from incidents and implementing lessons to enhance the resilience of essential functions.
Guided by the Cyber Assessment Framework, the NIS Directive brings structure to Operators of Essential Services and supports them in working toward the strongest achievable security. They are required to conduct comprehensive assessments of their existing security systems, identify gaps against the NIS guidelines, and implement improvement plans to eliminate vulnerabilities to potential attacks.
ERS Consultancy Ltd is ready to assist your organization in navigating the complexities of the NIS Directive and the NCSC Cyber Assessment Framework. Our expert team can guide you through comprehensive assessments, gap analysis against the framework's objectives, and the development of tailored improvement plans. By leveraging our services, you can enhance your organization's security posture, ensuring compliance with the NIS legislation and fortifying your defenses against potential cyber threats.