Beltug

Getting to grips with the NIS and security regulations. Takeaways from the N-sight of 16 June 2020


Although the EU Network and Information Security directive (NIS Directive) was transposed into Belgian law and became applicable on 3 May 2019, there is still little awareness of it and its requirements. And it is just one of the many security regulations surrounding organisations. There are plenty more texts relevant to security, including the ENISA guidelines and recommendations and the ISO standards, to name just two.

The challenges these create are many and complex. First, you need to get to grips with all the relevant regulations, rules and best practices. But then, how do you implement them in your organisation? How do you compile all the information in a comprehensive and comprehensible policy? And how do you ensure adoption of the policy by your company's staff?

We had a look at some of these elements in this online session.

The presentations from this X-change, and a link to the recording of the event, are available for our members (after log-in). Takeaways will be published soon.


The role of the National CSIRT (CCB) in incident notification and security measures

Valéry Vander Geeten, Legal Officer, DPO and Project Manager NIS, Centre for Cyber Security Belgium, opened the afternoon by stating that increasing knowledge around the NIS directive is very important and a work in progress. The CCB is the national authority for the NIS, the national SPOC (single point of contact) and the national CSIRT (slides 10 and 11).

He started by explaining 'incident notification', which becomes mandatory as soon as a DSP or an OES is identified as such (by the relevant authority). All incidents affecting IT systems on which an essential service depends need to be formally reported on the NIS notification platform. The platform is now live, Valéry shared, and impacted companies will receive their onboarding credentials. For financial institutions, which fall under the supervision of the National Bank, the process is slightly different (slide 5).

Operators can also voluntarily report incidents. The notification guide (when, how, timing, etc.) is available on the CERT website, in Dutch and French.

 

So what is an incident with an obviously substantial impact:

Overall, the general obligations of the OES are to ensure

(slide 15)

The security measures are to be adopted within one year after an OES is defined as accountable under the NIS. A first internal audit then needs to be performed within three months, followed by an external audit after another 24 months.

This means an OES needs to prove its compliance with the regulations and adopt a policy for the security of its information systems and networks (PSI) related to the provision of its essential services. The requirements include:

Most companies already have security measures and policies in place that meet, for example, the ISO/IEC 27001 standard (slide 18). It is up to the operator to demonstrate the adequacy, proportionality and effectiveness of its security measures (under the control of the sectoral inspection services and the external auditors/certification auditors).

 

For DSPs, the EU-harmonised rules apply, so there is no specific role for the CCB. For this group (cloud service providers, online marketplaces and search engines), the law says:

"NIS Act: Digital service providers shall identify the risks to the security of the networks and information systems they use to provide the services referred to in Annex II in the Union and shall take the necessary and proportionate technical and organisational measures to manage them.

These measures shall ensure, in the light of the state of knowledge, a level of network and information system security appropriate to the existing risk and shall take into account the following elements:

Digital service providers shall also take measures to avoid incidents affecting the security of their networks and information systems, and to minimise the impact of such incidents on the services listed in Annex II to this Act that are offered in the European Union, in order to ensure the continuity of these services." (slide 21)


Case: FISP - Federal Information Security Policies: Approach, constraints and lessons learned

Our next speaker was Daniel Letecheur, CISO - DPO, Federal Public Service Strategy and Support (FPS BOSA). FPS BOSA assists the federal government and supports the federal institutions in various areas: IT, HR, organisational control and integrity policy, budget, accounting and public procurement contracts.

BOSA chose to follow the ISO standards for its Federal Information Security Policy (FISP). This FISP is

It is up to each FPS to decide whether it wants to follow this FISP, making the latter more of a guideline than a real policy.

Daniel provided a breakdown of the FISP, with the key elements for general classification of information, privacy and information security (slide 5). CISOs, DPOs and the CCB, amongst others, were all involved in the drafting process for the FISP.

These guidelines will now be distributed across the various departments of the federal government. This will make it possible to streamline the security approach across the federal government. To meet the needs of the different IT departments, a cloud decision matrix will be added to it.

At BOSA itself, the existing security policies have now been formalised, based on the work done for FISP. By writing policies down from the start – even when they are not perfect – they can be fixed along the way. Daniel shared BOSA's own security approach, based on good risk governance (slide 11).


Beltug NIS Questionnaire

Our final speaker was JP Bernaerts, External DPO & Data Protection Advisor at DPOffice and author of the recently published Beltug NIS questionnaire.

The questionnaire is focussed on DSPs as defined in the NIS Directive (slide 5). These only fall under the Belgian Act (Art. 3) when:

The NIS Directive defines a number of requirements for the member states and for the organisations that are subject to the directive.

A focused questionnaire can help you get a clear picture of how your current or new digital service provider measures up against the requirements. It can also be an excellent means for proving accountability.

After this introduction, Jean-Pierre walked us through the questionnaire - starting at minute 52 in the recording (linked above, after log-in).
