In December 2020 the European Commission published a proposal to repeal the current NIS Directive (European Directive on Network and Information Systems) and to replace it with a new Directive: the so-called NIS-2 Directive. This post will give an update on the status of negotiations of NIS-2, and will outline the aspects we already know and don’t know about the upcoming Directive’s final form.
GRC: Be Connected! – Information Security Management
23 maart 2021 – Cyber Security Coalition
GRC: Be Connected! about information security management
Information security must be managed in a neatly structured way. This is the subject of the fifth GRC: Be Connected! webinar, including some views on popular ‘frameworks’ as CISM, NIST an ISO 27001.
For the first speaker, Marc Vael, CISO at ESKO (‘The real strategic value of CISM’), three certifications structured his career and his approach to information security management: (ISC)2’s CISSP (in 1994), C-CISO (2004) and in particular ISACA’s CISM (2007). Starting out in a world without specific security-focused courses, he embarked on his path to becoming a CISO by self-analysis: what do I like to do? Studying applied economics, he loved IT. Through continuous (self-)study, and a series of jobs (development, quality assurance, auditing…) he leveraged his certifications into his rich career to date. His use of CISM’s structured approach insures an alignment between ‘what you do’ and the goals of your organization. At ESKO, his information security management covers six aspects: security governance/risk, security business support, security operations, IT compliance, security innovation (important!) and security incidents. Some final advice? Keep abreast with threats and the changing world of cyber security; stick a CISO mind map to the wall to remember the many facets of your role; and live by the CISO success formula (4C x 3I x 2S x 0, as explained in the presentation).
A different approach is taken by Taco Mulder, CISO at CHU-UVC Brugmann-HUDERF, as determined by the infrastructure in his care: hospitals (‘Practical implementation of security in critical infrastructures’). His business risks pertain to patients, employees and hospitals; with required protection of data both in IT systems and on paper! And yes, hospitals are hot targets for attacks due to the nature and value of the data involved (attackers deem hospitals to be more willing to pay a stiff ransom when literally vital data are unavailable through malicious encryption). Taco Mulder takes it from the top down (from top management) through Cobit 2019 design factors, working his way down through all layers to all stakeholders in the hospitals. The framework he applies is the NIST framework, appropriate for critical infrastructures. Of critical importance is the RACI model (Responsible, Accountable, Consulted, Informed) in order to be clear about where responsibility resides, complemented by the certainty that everybody everywhere is on par regarding security understanding. Next is risk management in all its aspects, requiring among others plenty of walking around and talking to people; tackling security needs in a sensible (and affordable) way and establishing cooperation (e.g. between IT and HR). Finally, it is a matter of instigating and maintaining an information security programme. With yet another vital final piece of advice: start immediately with an incident response programme, now!
An intriguing question: how to move hospitals from putting safety ahead of security, of Covid ahead of Cobit? Explain the added value of security and Cobit, make a solid business case for security! And interesting: yes, Taco Mulder prefers to combine the roles of CISO and DPO!
The third speaker, Gaël Hachez, Director Cyber & Privacy Department of PwC Belgium, highlights a clear trend in Belgium at both large and small(er) companies towards a ISO 27001 certification (‘Why and how implement an information security management system’). Clearly, even smaller companies see 27001 certification as a less onerous way of fulfilling more stringent security requirements. Indeed, large companies are increasingly demanding proof of solid security postures throughout more segments of ‘chains’, causing a ripple down effect. Actually, companies don’t need to follow a standard for their security, but a standard does provide structure and helps you not to neglect important aspects. Also, standards may be obligatory (e.g., CMM-C for companies aspiring to do business with the US DoDefense).
As a result, this presentation rather took on the format of a tutorial on how to get a 27001 certification, discussing the many steps and potential pitfalls. Starting with an absolute cornerstone: do appoint an ‘owner’. Further down the line, expect the asset inventory to provide most (or at least many) choking points. Risk management must be discussed with top management and yes, they probably will (initially) demand ‘no risk’ without a price tag. Pay attention to the ‘statement of applicability’, as it is a must for certification. Do invest in awareness training. It will take many steps before you actually get to putting your information security management system into operation. Get through the certification process and understand that probably there will yet deficiencies. This is acceptable, provided there is a roadmap for continuous improvement. And here a final piece of advice as well: smash the company siloes and integrate multiple risk assessments into one assessment.
Ransomware – today’s universal cyberworry – is but one aspect of a crime: cyber extortion. Orange Cyberdefense provides some insights into this scourge, based on its ‘Security Navigator 2022’-report.
The Cyber Security Coalition and top cybersecurity trainer SANS Institute joined forces to provide specially needed insights and recommendations on successful cloud security, as well as how to handle cyber security in these times of war.
It is easy to drown in the sea of dire warnings about the danger of AI, in particular to our privacy. The main point is that AI in good trust is possible, but requires solid, long term and well-structured approaches. This session of the Privacy focus group offers some crucial insights and welcome examples.
On computer security day we pay tribute to Ada Lovelace, the forgotten mother of the computer. Often described as the first computer programmer — before computers were even invented — Ada was a real visionary. Imagine what she might have achieved had Babbage actually built his “computer” and she hadn’t died at the age of 36.