Security Policies, Lesson 6: Frameworks and Standardisation (Thomas More)

Frameworks & standards
#Frameworks #Standards #Compliance #Laws #Directives
My day-to-day job

Information Security consultant @ Infosentry (part of the Cronos Groep)

• DPO
• ISO 27001
• Assessment of companies
The work of a DPO

• Maintaining the register of processing activities
• Giving advice on the processing of personal data to controllers, processors and the employees who perform the processing
• Monitoring compliance with the GDPR
• Answering data subject requests
• ...
Frameworks & Standards

CIA triad (confidentiality, integrity, availability): the absolute basis
Framework

Provides a structure for requirements; it can help explain how an organization should assess, operate, monitor, review, maintain and/or improve its security (a set of principles providing guidance).

NIST CSF (version 1.1): 108 Subcategories, which are outcome-driven statements that provide considerations for creating or improving a cybersecurity program.
• It does not mandate how an organization must achieve those outcomes!

Frameworks:
• NIST CSF
• CIS Controls v8
• COBIT
• CyberFundamentals (CCB)
Standard

• Standards provide standardization of best practices
• Concrete measures you can comply with
• Little to no context towards the bigger picture

Standards for security measures:
• IEC 62443 (industrial automation and control systems)
• FIPS (US federal standards, e.g. FIPS 140-3 for cryptographic modules)
• NIST SP 800-53 (security and privacy controls)
• ISO/IEC 27001 (ISMS: information security management system)
• SOC 2 Type 2 (AICPA attestation report, roughly the American counterpart of ISO 27001)
• ISO/IEC 27701 (PIMS: privacy information management system, an extension of ISO 27001)
Example: a conceptual framework for network connectivity (the layered network model)

Standards within this framework:
- IEEE 802.3: physical and data-link layer specifications for Ethernet
- RFC 9293: the TCP standard
- RFC 959: the FTP standard
- …
NIST CSF - Functions

Identify
• Develop an organizational understanding of how to manage cybersecurity risk to systems, people, assets, data and capabilities.

Protect
• Develop and implement security measures to protect key business processes.

Detect
• Develop and implement measures to detect security incidents.

Respond
• Take action in the event of a security incident to reduce its impact.

Recover
• Develop and implement measures to restore capabilities or services impaired by a security incident.
How to implement NIST CSF?
Use the Informative References: each Subcategory is mapped to controls in existing standards (e.g. ISO/IEC 27001, NIST SP 800-53, CIS Controls), which gives a starting point for implementing practices to achieve the Framework's desired outcomes.
Let's discuss
The company "Hospitalshare" wants to be ISO 27001 certified:
Collect and share medicine delivery data from pharmaceutical companies and other distributors to hospitals.

The control numbers below refer to ISO/IEC 27002:2022.

How would you implement 8.10 Information deletion?
• Purpose: prevent unnecessary exposure of sensitive information.

How would you implement 8.11 Data masking?
• Purpose: protect sensitive data while still allowing the data to be used for testing, development or other purposes.

How would you implement 8.12 Data leakage prevention within a company?
• Purpose: detect and prevent the unauthorized disclosure and extraction of information by individuals or systems.
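One concrete way to answer the 8.11 (data masking) question for the Hospitalshare case, with a small check that ties into the 8.12 discussion: the block below is an added example, not code from the slides or from Hospitalshare. The record layout, the field names, the sample record and the assumption that the HMAC key comes from a KMS are all illustrative choices made here.

```python
"""Data masking / pseudonymization for Hospitalshare delivery records.

Added example, not part of the original slides. Field names, the sample
record and the key handling are assumptions; a real system would fetch the
HMAC key from a KMS/HSM and restrict it to the masking job.
"""
import hashlib
import hmac
import secrets

# Constructed sample record (not real data): what a delivery row might look like.
SAMPLE_RECORD = {
    "delivery_id": "DLV-2024-000123",
    "hospital_vat": "BE0123456789",
    "contact_email": "j.peeters@example-hospital.be",
    "contact_phone": "+32 2 123 45 67",
    "medicine": "Amoxicillin 500mg",
    "quantity": 200,
}

# Which fields are direct identifiers and how each is treated in a test/dev copy.
# Fields not listed here are copied unchanged (assumed non-personal).
DIRECT_IDENTIFIERS = {
    "hospital_vat": "pseudonymize",   # keep joinable, but not reversible
    "contact_email": "mask",          # show only the first character + domain
    "contact_phone": "mask",          # show only the last two digits
}


def pseudonymize(value: str, key: bytes, domain: str) -> str:
    """Keyed, deterministic pseudonym.

    The same input gives the same token within a domain, so joins between
    tables still work in test data. Using HMAC with a secret key (instead of a
    bare SHA-256) means someone who sees the tokens cannot simply hash every
    Belgian VAT number and look up matches.
    """
    mac = hmac.new(key, f"{domain}:{value}".encode(), hashlib.sha256).digest()
    return f"{domain}_{mac[:8].hex()}"


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain: j***@example.be"""
    local, at, dom = email.partition("@")
    if not at or not local or not dom:
        raise ValueError(f"not an e-mail address: {email!r}")
    return f"{local[0]}***@{dom}"


def mask_phone(phone: str, visible: int = 2) -> str:
    """Replace every digit except the last `visible` ones with '*', keeping the layout."""
    digit_positions = [i for i, c in enumerate(phone) if c.isdigit()]
    hidden = set(digit_positions[:max(0, len(digit_positions) - visible)])
    return "".join("*" if i in hidden else c for i, c in enumerate(phone))


def mask_record(record: dict, key: bytes) -> dict:
    """Return a copy of `record` that is safe for test/dev use; the original is untouched."""
    out = {}
    for field, value in record.items():
        action = DIRECT_IDENTIFIERS.get(field)
        if action == "pseudonymize":
            out[field] = pseudonymize(str(value), key, domain=field)
        elif action == "mask":
            out[field] = mask_email(value) if field == "contact_email" else mask_phone(value)
        else:
            out[field] = value
    return out


def leaks_identifiers(original: dict, masked: dict) -> bool:
    """Check step: does any direct identifier still appear verbatim in the masked copy?"""
    serialized = str(masked)
    return any(str(original[f]) in serialized for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: from a KMS, never stored next to the data
    masked = mask_record(SAMPLE_RECORD, key)
    for field, value in masked.items():
        print(f"{field:14} {value}")
    print("leaks identifiers:", leaks_identifiers(SAMPLE_RECORD, masked))
```

The design point is the split between pseudonymization (deterministic, keyed, so the test database keeps referential integrity) and masking (lossy, so a support engineer can still recognise which contact is meant without seeing the full value). The `leaks_identifiers` check is the kind of automated control you would run on every export to a test environment before it leaves the production zone.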
Framework & standards interchangeable?
In theory: no
In practice: yes

More and more frameworks and standards are becoming intertwined.
Using different Standards & Frameworks
Why would you use different frameworks or standards?
Organizational, technical, OT, ...

Organizational – ISO 27001 (international), SOC 2 Type 2 (America)
Technical – CIS Controls v8
Operational Technology – NIST SP 800-82, IEC 62443
Software engineering – ISO/IEC 90003 (applying ISO 9001 to software)
Environment – ISO 14001, EMAS
Quality – ISO 9001

The choice depends on your location, infrastructure, stakeholder requirements, …
Domains of ISO27001:2013 (Annex A)

• Information security policies
• Organization of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Business continuity management
• Compliance
• Project management (information security in project management, a control under the Organization domain)
How does a project work?

Assessment
• Depending on the organisation: 1 to 5 days
• How mature is the organisation at this point in time?
• Roadmap: where are the highest risks, what must be tackled first

Implementation
• Depending on the organisation: 6 months to more than 1 year
• Perform all tasks of the roadmap
• Help the business push all changes through the whole organisation

Certification
• Assist during audits
• Provide further follow-up
Why do companies use standards?

Drivers
• Gain insights
• Manage continuity
• Avoid damage
• Make a commercial difference

Limit risks
• Financial risks
• Reputational risks
• Operational risks
• Strategic risks
• Limit impact
Majority of hacks could be prevented

Most frameworks provide guidance on:
- Patch management
- Malware & antivirus
- Disk encryption
- Access controls
- ...
Who develops Standards & Frameworks?
Development of frameworks

Security frameworks are developed by:
• Government agencies
  • U.S. National Institute of Standards and Technology (NIST)
• Industry consortiums
  • Payment Card Industry (PCI) Security Standards Council
• Independent organizations
  • MITRE (ATT&CK)
  • Lockheed Martin (Cyber Kill Chain)
Development of standards

The development of a new standard starts with a proposal. Companies, governments, federations, sectors, NGOs, consumer organisations ... anyone can submit a proposal. This is done at CEN, ISO or NBN.

Belgian standards
• NBN (Bureau for Standardisation)
European standards
• CEN
International standards
• ISO
• IEC
• ...
Wrap up on frameworks & standards

Take security measures based on your risks.

Confidentiality, integrity and availability: the three most important concepts within information security.

Plan, Do, Check, Act to ensure continuous improvement.

NIS2 Directive

Compliance vs laws and regulations

Compliance:
• Refers to following the rules or requirements set forth by standards, frameworks, laws, regulations or other authorities.

Laws and regulations:
• Legally enforceable rules or requirements that organizations and/or individuals are required to follow.
• GDPR (for companies in scope)
• NIS2 (for companies in scope)
• ...
NIS2 Directive

NIS = Network and Information Systems

Directive = legislative act that sets out a goal that all EU countries must achieve (each member state transposes it into its own national law)

NIS1 Directive (July 2016, transposed into Belgian law in April 2019)
• Operators of essential services (OESs)
• Digital service providers (DSPs)

Problems with NIS1
• Scope of application to OESs and DSPs was unclear
• Coverage of sectors was found to be too limited
• No requirements for the supply chain / ecosystem
• Lack of enforcement
• Insufficient cooperation between member states
• Different levels of maturity between member states
NIS2 Directive – scope

Size thresholds follow the EU SME definition (Recommendation 2003/361/EC):

Large-size entity: 250 or more employees, or an annual turnover of more than €50 million and a balance sheet total of more than €43 million

Medium-size entity: 50 or more employees, or an annual turnover and balance sheet total of more than €10 million

Default definition of Essential Entities and Important Entities:
• Essential Entities (EE): large-size entities in the sectors of Annex I (sectors of high criticality)
• Important Entities (IE): medium-size entities in the sectors of Annex I, and entities in the sectors of Annex II (other critical sectors)

However, exceptions are possible!

NIS2 Directive - scope insight

ICT service management (B2B)

Managed service providers (MSPs):
• Provide services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers' premises or remotely

Managed security service providers (MSSPs):
• A managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management
NIS2 Directive - requirements

Governance
• Cybersecurity risk management measures must be taken and approved by management
• Members of management bodies are required to follow training on cybersecurity risk management practices

Cybersecurity risk management measures
• Risk analysis and security policies
• Incident handling procedures
• Business continuity and crisis management
• Supply chain security
• Security in acquisition, development and maintenance (including vulnerability handling and disclosure)
• Policies and procedures to assess the effectiveness of cybersecurity measures
• Basic cyber hygiene practices and cybersecurity training
• Policies and procedures on cryptography and encryption
• Security aspects regarding personnel, access policies and asset management
• Multi-factor authentication
• Secured emergency communication systems within the entity
Self-assessment of your cybersecurity risk management measures

Essential entities
Using the CyberFundamentals (CyFun) Framework
• Every year a self-assessment based on the CyFun level Essential* (verified by a Conformity Assessment Body (CAB) approved by the CCB and accredited by BELAC) and a full evaluation every three years.
• (*unless the entity can prove, based on its risk assessment, that the level Important would be sufficient).
Using the ISO 27001 standard
• Obtain an ISO 27001 certification issued by a CAB approved by the CCB and accredited by BELAC.

Important entities
Perform regular self-assessments of their cybersecurity risk management measures, but without a mandatory verification and full evaluation by an approved and accredited CAB.
Voluntary use of:
• CyberFundamentals Framework
• ISO 27001 certification

*All information on this slide is based on the CCB's proposal for the national implementation of the NIS2 Directive and could be subject to change.
Any more questions?