Governance and the state of it now
The first country in the world to implement laws, rather than directives, on protecting critical infrastructure was the United Arab Emirates.
We in the Netherlands already have the Bill on Notification of data leaks (Wetsvoorstel Meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp, the Bill). The Bill introduces a duty for data controllers in the Netherlands to notify the Dutch Data Protection Authority (College bescherming persoonsgegevens, CBP) of a breach of the security measures protecting personal data. In addition, fines for violations of the Dutch Data Protection Act (Wet bescherming persoonsgegevens, DPA) will increase significantly. Failure to comply with the rules may lead to fines of up to € 810,000 or 10% of the company’s net annual turnover.
Over the past few years, the European Commission has adopted a series of measures to raise Europe’s preparedness to ward off cyber incidents. The NIS Directive is the first piece of EU-wide legislation on cyber security.
The Directive on security of network and information systems (the NIS Directive) was adopted by the European Parliament on 6 July 2016. European Commission Vice-President Andrus Ansip, responsible for the Digital Single Market, and Commissioner Günther H. Oettinger issued a statement on this occasion. The Directive will enter into force in August 2016. Member States will have 21 months to transpose the Directive into their national laws and 6 months more to identify operators of essential services.
According to the definition given by Homeland Security:
Critical infrastructure is the backbone of our nation’s economy, security and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family.
Critical infrastructure are the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
The recent security outbreaks have concerned government representatives in Germany. According to the new German Cyber Security Law, the objective is to protect the infrastructure, which will have a particular impact on providers of critical infrastructures.
They will be required to implement and maintain appropriate minimum organizational and technical security standards in order to ensure the proper operation and permanent availability of those infrastructures, and to report significant IT security incidents.
According to the National Law Review the draft will have the following impact:
Operators of critical infrastructure must:
The biggest concern is, of course, how the risk mitigation actions taken will reflect the other standards that apply to these industries. Most of the components in use are built for availability and fitness for purpose, not with security in mind.
That is why we would opt for a tactical layer in the organisation that operates between the strategic and operational layers, representing the business and IT.
How will this risk mitigation help your organization, you might ask? The tactical layer will have oversight of all the components and of the way the interfaces need to operate, and it can map the risks involved with remote. This matters when investigations take place in which the BSI (German Security Service) looks at what measures the organization has taken, or at the procedures that need to be followed during a data breach here in the Netherlands.
For this you will need an accurate architectural overview of which barriers you have in place.
An overview that can show whether the current controls are viable and in line with up-to-date procedures and policies over the systems and services used, with the special mumbo jumbo statements we like to use.
Does anyone still believe that changing passwords (passwords are dead according to Bill Gates in 2004) and phishing mail recognition will help mitigate the risks that still get through even when we have patch management, malware monitoring, network perimeter defenses, secure configuration and device controls? What we see, time after time, is that organizations have not done their homework on innovation and are still using defense mechanisms that are older than the team that handles your business IT operations.
By adding this new layer your risks can be mitigated: start by bringing in reports on the hardware and software currently in use, and then look at which vulnerabilities can become an operational risk.
We use the TOGAF 9 methodology in alignment with the Barrier Based Risk Management Method to draw up the risk mitigation roadmap you will need to address the Governance, Risk and Compliance imperatives. It will also help to bridge the gaps that have grown, currently and historically, between business and operations.
You will also be able to expand this into your knowledge transfer strategy, since the shortage of professionals will soon explode. That means the internal business processes need to be documented and easily transferable, not kept in the minds of the people handling your business processes.
We will talk about risk concerning cyber security so you can see whether it gets the right priority and resources in the organization, and especially whether it is aligned with the business strategy and enables the business transformation while mitigating the risks concerning remote access, third party access and data leakage.
For these critical infrastructure and cyber security risks we will join the CGE Barrier Based Risk Management Network Event 2016.
The CGE Barrier Based Risk Management Network Event will focus on three basic questions:
So if you are interested in mitigating risks, becoming compliant and keeping control over who is doing what, when and how on your assets and data, join us!
Have a look, it might work out for your organization too!
Enterprise architect for P@ssport