Security of Network and Information Systems (NIS) Regulation
Security of Network and Information Systems (NIS) Regulation
Working with you to successfully navigate NIS Regulations compliance
IMPROVING CYBER RESILIENCE IN CRITICAL NATIONAL INFRASTRUCTURE (CNI)
In May 2018, after a long period of consultation with businesses, the UK and other EU nations adopted the EU Network and Information Systems Directive aimed at providing direction and governance for the companies that deliver essential services to defend against, and also report in a structured way about cyber-attacks. This has become UK Law (referred to as the NIS Regulations) and therefore encourages companies who provide infrastructure and essential services to:
- Adopt the 14 high level security principles
- Be aware of the penalty framework
- Maintain an incident response framework including reporting to any relevant authorities anything that could be considered as a Breach and an Incident
WHO DO THE NIS REGULATIONS APPLY TO?
There are two classes of organisations that the regulations have been designed for:
- Operators of Essential Services (OES)
- Digital Service Providers (DSP)
If your company provides any CNI such as, but not limited to, Energy (either upstream or downstream), Water, Financial services, transportation services or healthcare then the NIS Regulations apply to you. This is due to the fact that organisations such as these have been identified as extremely attractive targets for cyber (or a blended including cyber) attack.
The UK Government has confirmed that this adoption (and its subsequent requirements and recommendations) was not affected by the exit from the EU.
WHAT DOES IT MEAN?
Article 14 of the Directive outlines 14 key security principles that come under four (4) high-level objectives. To assist organisations in self-assessing against this, the UK National Cyber Security Centre has released a cyber assessment framework (CAF) which allows them to determine level of compliance and provide evidence to the relevant Competent Authority (CA) to demonstrate that level.
The risks of non-compliance can be both reputational due to operational disruption (which may lead to other issues such a Class Actions from users affected by those disruptions) as well as financial (possible fines up to £17million).
The 14 Security Principles
Objective A – Managing Security Risk
Appropriate organisations structures, policies and processes are in place to allow the organisation to fully understand, assess and systematically manage network and information system security risk.
- A1 – Governance
- A2 – Risk Management
- A3 – Asset Management
- A4 – Supply Chain
Objective B – Protecting Against Cyber Attack
Ensuring proportionate security measures are in place to protect services and systems.
- B1 – Service Protection Policies and Processes
- B2 – Identity and Access Control
- B3 – Data Security
- B4 – System Security
- B5 – Resilient Networks and Systems
- B6 – Staff Awareness and Training
Objective C – Detecting Cyber Security Events
Ensuring that the organisations have the relevant capabilities to ensure that security defences are effective and can detect cyber security issues.
- C1 – Security Monitoring
- C2 – Proactive Security Event Discovery
Objective D – Minimising the Impact of Cyber Security Incidents
Ensuring that the organisations have the relevant capabilities to minimise the impact of a cyber security incident.
- D1 – Response and Recovery Planning
- D2 – Lessons Learned
How to comply and how Siker can help:
As a provider of security assessments and advisory services combined with accredited training, Siker is uniquely placed to assist you with your compliance discussions. In particular, our range of consultancy, assessment and training products can help to:
- Enhance your identification and understanding of your cyber risks
- Improve resilience
- Detect and respond
- Assist in training Incident Handlers
Objective A1 – Governance
Our consultants can help with the creation of a Cyber Security Management System (CSMS) which includes your ICS environments. In addition, Siker can help you to understand and create your ICS focused Continuity Plan which will compliment your normal site BCP.
Objective A2 – Risk Management
Siker are proud of their ability to help organisation in fully understanding their risks and risk profile. Using services such as our Open Source Exposure Analysis we can identify where risks can be reduced.
Objective A4 – Supply Chain Assurance
The adoption of the legislation places the responsibility onto you for identifying and remediating the security risks in your supply chain (where possible) where this may reduce or harm the services you deliver. We can help organisations with:
- Provision of Cyber Essentials services to your SME companies within your supply chain
- Understand your supply chain and the risk to your systems
Objective B6 – Staff Training and Awareness
One of the best ways to reduce the chance of these attacks being successful is to create a culture within the organisation that empowers staff to identify and report any suspicious activity. This, of course, only works if there is a good understanding of what ‘normal’ activity looks like!
It is recommended that staff attend regular awareness sessions to ensure they are kept up to date with policy changes, procedure updates, etc. These can either be via a computer-based training environment or delivered during face to face sessions. Additionally, the relevant training can be provided to those that need it as part of their role. We can help organisation with:
- Designing and developing role-based skills and competency frameworks
- GCT-accredited training courses
- Skills gap analysis
Objective D1 – Response and Recovery Planning
Siker are in a position to assist with the creation of specific continuity plans and processes as well as conduct exercises to test teams in their response.
For further information on how we can help, get in touch with our experts to discuss how we can assist.
Registered office and postal address
Whiteleaf Business Centre,
11 Little Balmer,
+44 (0)20 3441 7642
We have a regional office located in: Edinburgh, UK
Siker Ltd is registered in England & Wales
Company Registration Number No. 11208267