With the deadline for the implementation of the Network and Information Security (NIS) Directive fast approaching, the Cyber Assessment Framework about to be published will provide important further guidance for organisations on how they can ensure compliance.
The European Union’s (EU) Network and Information Security (NIS) Directive aims to raise the overall level of security (including cyber security) across the EU.
Incidents such as the WannaCry ransomware attack which affected UK NHS trusts last year and a number of attacks on energy networks and utilities elsewhere in the world have highlighted the growing threat to network and information systems.
Attacks on essential services pose a risk of significant damage and disruption to the UK’s infrastructure and economy.
Against a backdrop of rising threats, the NIS looks to bring a greater degree of scrutiny and accountability to policies, procedures and practices employed by organisations in protecting their systems and their data.
Businesses covered by NIS will have to ensure they have appropriate security measures in place to protect networks and data against cyber security incidents. They will also need to report serious incidents to regulators. In turn, regulators will be required to share information on critical security incidents at a national level, with the UK also sharing threat information with national authorities across the EU. It is expected that this level of coordinated threat information sharing will strengthen the ability of national authorities to pre-empt, manage and minimise the impact of security breaches on national infrastructure.
WHO IS AFFECTED?
The legislation targets “operators of essential services” (OES) across sectors including energy, water, healthcare and transport along with digital service providers (DSPs) such as cloud computing providers and search engines.
Whether an organisation falls within the scope of NIS depends on its size. The threshold for energy sector firms, for example, is 250,000+ customers, and for water firms 200,000+. It is not entirely clear, however, whether organisations falling outside of the threshold that share platforms and infrastructure in the exchange of operational data will fall within the scope of NIS. This will be for the assigned Competent Authority (CA) for each sector (most likely a government department or regulator) to determine as part of translating NIS to their respective sectors. CAs will be given powers under the legislation to assign OES status to companies they deem should comply with NIS in the interest of protecting the national infrastructure, even if those companies do not meet the qualifying criteria under NIS.
It is also important for businesses which may reach these limits in the years ahead to be aware of the NIS requirements.
The OES is expected to conduct a business impact analysis and risk assessment to identify the systems and business processes that could impact operations in the event of a disaster or security breach.
Determining which systems are in scope is the responsibility of the OES, in conjunction with the relevant CA for its sector.
The maximum financial penalty for non-compliance (including failure to cooperate with the relevant CA, failure to report an incident, or failure to implement appropriate security measures) is £17 million. In addition, a double jeopardy rule means that fines under other legislation may also apply where the breach falls within it (for example, 4% of global turnover or £20m, whichever is greater, under the General Data Protection Regulation (GDPR)), and the OES’s conduct may be investigated by the regulator and other national security authorities.
WHAT ARE THE KEY OBJECTIVES OF NIS?
NIS aims to ensure four main objectives are met:
- Managing security risk – appropriate organisational structures, policies, and processes to understand, assess and systematically manage security risks to the network and information systems supporting essential services.
- Protecting against cyber-attack – security measures to protect essential services and systems.
- Detecting cyber security events – ensuring security defences remain effective and detecting cyber security events affecting, or with the potential to affect, essential services.
- Minimising the impact of cyber security incidents – including the restoration of essential services where necessary.
The NIS will come into effect on 9th May 2018 and will continue to apply in the UK and Northern Ireland post-Brexit. From May 2018 the respective sector CAs will apply NIS to their sectors, also taking account of sector-specific security requirements. It is expected that the CAs will announce the companies falling under OES status by November 2018, giving a further period for OESs to implement changes to comply with NIS. These timescales remain tight given the extent of the changes that OESs may need to make to comply with NIS.
The NIS Cyber Assessment Framework, which is due to be published by the National Cyber Security Centre by the end of April 2018, will provide a systematic method for assessing the extent to which OES are achieving the outcomes specified by the 14 NIS principles.
These principles cover areas including Governance; Risk and Asset Management; Supply Chain; Identity and Access Control; Data and System Security; Staff Awareness and Training; Security Monitoring; and Response and Recovery Planning.
HOW SHOULD ORGANISATIONS PREPARE?
An effective approach to cyber security starts with establishing an effective organisational risk management regime.
This includes addressing areas such as network security; managing user privileges; staff training and awareness; incident management; malware prevention; system monitoring and threat detection; and having robust policies and procedures in place for home and mobile working.
Organisations which have continued to develop their Information Security Management System (ISMS) against a standard such as ISO 27001 will be in a good position to develop it further to meet NIS compliance. This is because their ISMS will already have analysed risks to their network and information systems, implemented controls to minimise those risks and aligned them with business objectives.
Businesses and organisations can also benefit from information security strategies which ensure they comply with the requirements of both NIS and GDPR.
While their focus is different – with NIS targeting operators of essential services and the GDPR concerned with protecting personal data – both require organisations to adopt risk-based security measures as well as report incidents in case of breaches.
GEMSERV AND NIS
We have extensive experience of helping businesses and organisations address information and data security requirements. We work with a range of large and small clients spanning many sectors, including health, transport, energy and e-commerce, in the private, public and not-for-profit sectors.
Over the past few years we have been following the development of the NIS Directive and providing our input on how we see the Directive developing, including assessing the impact on CNI. Our approach to managing the impact of compliance programmes centres on taking a risk-based approach. This means we focus on striking the balance between ensuring our clients’ commercial and operating model is retained where possible and complying in full with legislation and compliance requirements.
Our experience across a range of standards and legislation, including ISO 27001, Cyber Essentials Plus, ISO 22301 and Data Protection, combined with our industry experience, provides us with deep insight into delivering value for businesses when implementing compliance programmes.