2016 02-14-nis directive-overview isc2 chapter
Transcript of 2016 02-14-nis directive-overview isc2 chapter
01/03/2016
1
European Union Agency for Network and Information Security
Panagiotis TRIMINTZIOS, ENISA | (ISC)2 | 24 Feb 2016 | Athens

Slide 2
Who knows ENISA?
Who can spell ENISA’s full name?
EU Agency for Network and Information Security (after 2013)
Who knows what ENISA does?
Who knows what is an EU Agency?
Name another EU Agency:
Why is ENISA in Greece?
What is a CSIRT?
Computer Security Incident Response Team (== CERT)

Slide 3
Full name: Directive concerning the measures for a high common level of security of network and information systems across the Union
Supports the Cybersecurity Strategy of the EU
Negotiations concluded: 18th Dec 2015
To be published in the Official Journal of the EU (OJEU): April-May 2016
Several implementing acts will follow…
Transpose into national law: after 21 months (=by early 2018)

Slide 4
Network and information system:
A. Electronic communication networks
B. Devices or groups of devices performing automated processing of digital data
C. Digital data stored, processed, retrieved or transmitted by A or B
Security of ‘network and information systems’: the ability to resist any action that compromises the
- Availability,
- Authenticity,
- Integrity, or
- Confidentiality of the above

Slide 5
All EU MS obliged to:
Have a National NIS Strategy
Designate National Competent Authorities, and SPoC and CSIRTs
Cooperation in between EU MS
Strategic: Cooperation Group
Operational: CSIRT/CERT Network
Establishment of Security and Notification requirements to:
Operators of essential services
Digital service providers

Slide 6
All EU MS obliged: to have a National NIS Strategy
Objectives and priorities
Governance framework
- List of related actors
Preparedness, response and recovery measures
- Including public-private cooperation
Education, awareness, exercises and training
R&D
National risk assessment plan

Slide 7
All EU MS obliged to: designate National Competent Authorities, and SPoC and CSIRTs
National Competent Authorities for NIS (one or many)
- Monitor the implementation of the Directive, penalties, audits etc.
- Cooperation with Law Enforcement and Data Protection authorities
Single Point of Contact - As liaison on cross-border issues and EU-level cooperation
CSIRT(s) to cover the sectors in the Directive

Slide 8
Strategic: Cooperation Group
Representatives from MS, European Commission and ENISA
Exchange of good practices, strategic decisions on exercises, examine annual incident reports, resolve cross-border harmonization issues.
Operational: CSIRT/CERT Network
CSIRTs from MS, CERT-EU and ENISA (secretariat)
Exchange operational information, upon request coordinated response, resolve cross-border incidents, early warnings, NIS Exercises

Slide 9
Establishment of Security and Incident Notification requirements to:
Operators of essential services
Digital service providers

Slide 10
Operators of essential services that:
Provide a service essential for critical societal and economic activities
Use/depend on network and information systems
Incidents on their network and information systems would have significant disruptive effects on their services
Digital service providers
Excluded from this Directive:
- Providers of public e-communication services
- Trust service providers
- Hardware manufacturers/Software developers
- Social networks
- Any micro (<10 employees) or small (<50 employees) enterprise

Slide 11
Energy: electricity, oil, gas, ..
Transport: air, rail, water, road, ..
Banking/finance: credit institutions, trading venues, ..
Health: healthcare providers, hospitals, clinics, …
Drinking water supply/distribution
Digital infrastructures: IXPs, DNS providers, TLDs
To be identified by MS 6 months after the national law is in force.

Slide 12
Providers of the following digital services:
Online marketplaces
Online search engines
Cloud computing services

Slide 13
Technical and operational security measures are taken both to prevent NIS incidents and to minimise their impact, e.g.
- Security of systems and facilities
- Incident management
- BCM (business continuity management)
- Monitoring, auditing and testing
- Compliance with international standards
Compliance assessment by Competent Authorities:
- Documented NIS security policies
- Proof of effectiveness of security policy implementation, e.g. audit results
- Binding instructions to remedy NIS security findings

Slide 14
Incident Notification requirements:
to notify without undue delay the Competent Authority or CSIRT on incidents with significant impact
Annual reports of incidents to the Cooperation Group
Cooperation with other actors when needed: law enforcement, data protection authorities, etc.
Example impact criteria include:
Number of users affected, duration of incident (unavailability of service), geographical scope, redundant/alternative providers
Could be different for different sectors… (number of patients, cargo volume, etc.)