Blogs 1 and 2 have armed us with a better understanding of the regulatory standards the NIS Directive will demand of regulated organisations and the potential legislative and financial impacts of falling foul of compliance.
The attention of OESs and DSPs should therefore shift to how to build a NIS-compliant cyber security posture and risk management programme.
What will it take to be compliant with the NIS Directive?
The Directive requires OESs and DSPs to demonstrate that they have applied appropriate and proportionate technical and organisational measures, in practice by implementing an organisational cyber resilience programme.
Article 19 of the Directive (Standardisation) states that:
Member states should encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.
In support of the DCMS and its implementation of the NIS Directive in the UK, the National Cyber Security Centre (NCSC) has published 14 cyber security principles, grouped under four objectives, for securing essential services. Objective A (Managing security risk) sets out to ensure that OESs and DSPs put:
Appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services
Within that objective, Principle A4 specifically addresses the supply chain and third party suppliers of outsourced services, stating that:
The organisation understands and manages security risks to networks and information systems supporting the delivery of essential services that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where 3rd party services are used.
Two international standards set out a best-practice approach: ISO/IEC 27001:2013, the international standard for an information security management system (ISMS), and ISO 22301:2012, the international standard for a business continuity management system (BCMS).
Using these standards as guidance will give you a documented cyber resilience programme: controls that reduce both the likelihood and the impact of an incident, and tested plans that support a swift recovery when one occurs.
You’re Only as Strong as Your Weakest Link
The NIS Directive raises the stakes for the management of cyber security and risk assurance in organisations in the UK, and across Europe.
Like the GDPR, the Directive brings greater scrutiny and accountability to the policies, procedures and practices organisations use to protect their systems and data. It is therefore essential that the implications of the NIS Directive, and third party cyber security risk in particular, are not only understood but also managed at board level.
We recommend a best practice approach to achieving NIS Directive compliance that incorporates a comprehensive cyber resilience programme including:
- Registering and reviewing the contractual terms of all third party suppliers
  – Record WHO has WHAT access to WHICH systems and data, and WHY (this record drives subsequent remediation decisions and actions)
  – Ensure all existing and new supplier agreements require compliance with the Directive and its national enactments
- Robust cyber security defences, which are tested and proven
  – Periodic or event-triggered risk assessments of your entire supplier base
  – Detailed onsite evaluation of the security controls deployed by your third party IT suppliers
- Proactive and preventative measures across your IT and data supply chain
  – Continuous monitoring of the threat landscape and emerging risk factors
  – Screening and pre-assessment of potential new service providers and third party technology partners
- Tools and systems to deal with and report incidents and data breaches effectively
  – Automated processes and workflows
  – Cloud-based information and evidence sharing platforms
That’s where DVV Solutions can help. With over 18 years of experience as a specialist provider of Cyber Security, Third Party Supplier Risk and Governance, Risk & Compliance (GRC) solutions we understand what it takes to build a complete understanding of Third Party risk throughout your organisation. We work with you to:
- Scrutinise your Third Party relationships – service by service, supplier by supplier
- Identify and evaluate real risks and emerging threats
- Define and manage your risk exposure, cyber security strategy and data protection strategy
- Establish and mature your Third Party Risk Management
- Ensure regulatory compliance with requirements including NIS, GDPR and PCI DSS, and
- Provide clear and concise guidance that illustrates the impact and value of your IT security investments
Talk to DVV Solutions
We’d be pleased to hear from you and help find the most effective way to achieve optimal security and NIS compliance throughout your data supply chain.
Call Us: +44 (0) 161 476 8700
Contact Us: Complete our online contact form