August 26, 2024
We decipher the process of NIS2 compliance for you and give you practical instructions on what you can do now to prepare yourself in the best possible way for the legal requirements of the NIS2 Directive in Germany that will come in October 2024.
You will see that it is worthwhile to tackle the issue of NIS2 now. This way, you will not be under time pressure after the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) comes into force. Proactivity pays off for you, many times over. You will see.
A short recap: What does the NIS2 Directive require of companies and who does it affect?
– Risk management measures (risk analysis, security concepts including strategy for dealing with security incidents, backup and crisis management, supply chain security, MFA, cryptography, encryption)
– Reporting obligations (early warning within 24 hours after a security incident becomes known)
– Assumption of responsibility/duties on the part of management/board of directors (approving and monitoring risk management measures, participation in security training, personal liability)
– Companies from 18 different sectors with 50 or more employees and a turnover of 10 million euros are subject to the regulation if they are classified as “essential” or “important” entities. Some are to be regulated regardless of their size (e.g. digital infrastructure, public administration, qualified trust services, TLD registries, DNS services).
How to prepare for NIS2 step by step
1. Check carefully whether you are affected (directly or indirectly)
Determine whether you fall within the scope of application according to the current state of the draft law. If so, follow steps 2 to 11. Tip: Do not stop at direct applicability. The directive requires those affected to consider their supply chain, so if you are a supplier to affected institutions or companies, you can expect that you will also be subject to requirements regarding IT security measures.
2. Risk Management: Identify, Evaluate, Mitigate Security Risks
Risk management in IT refers to the process in which companies identify, assess and mitigate the risks that threaten their IT systems. The aim is to prevent or minimise possible damage caused by security breaches or data loss by taking appropriate measures. In the context of the NIS2 Directive, companies are required to take a holistic approach to risk management. This must include the adoption of appropriate technical, operational and organisational measures to ensure the integrity of the IT systems. This strengthens an organisation’s ability to effectively address security risks and limit the impact of security incidents. Now check your risk management measures against § 30 BSIG-E and mark each one as follows: Completed / Started / Planned / Irrelevant.
3. Security analysis: Determine the current status quo for IT security
A security analysis to determine the current status quo of IT security includes a comprehensive examination and evaluation of all systems, applications and data that are relevant to your company’s business activities. The security analysis is used to identify potential security gaps and derive improvement measures to increase resilience to cyberattacks.
You should include the following points in the analysis:
– the security policies and procedures in place
– the configuration of the network infrastructure
– the effectiveness of antivirus programs and other endpoint protection solutions
– the timeliness of software patches and the presence of vulnerabilities in the IT environment
– security awareness training for employees
– incident response and incident recovery processes
4. Close security gaps, regularly!
Security audits and pentests are snapshots, but the framework conditions are constantly changing. That’s why you should set up permanent vulnerability management. With the right software for automated vulnerability scanning and pentesting, this can be done quickly and easily, and at the same time you can improve the security status of your IT in the long term.
5. Rely on advanced endpoint protection solutions
NIS2 requires proactive protection against ransomware. Take a look at your existing endpoint protection solutions. Are they still up to date? Set up an integrated security architecture with analysis and automation functions, i.e. systems for automatic intrusion detection (SzA). They improve transparency and create security through automation, and thus also act as a control instance for both technology and people.
6. Access Management: Protect Privileged Accounts
Restrict access to admin accounts and change admin passwords regularly. This is important because when cybercriminals exploit privileged accounts, they can disrupt your business operations and infiltrate networks and systems.
7. Embrace Zero Trust
Zero Trust means: Don’t trust anyone. In practice, this means that you have to check every single data flow for trustworthiness. Due to digitalization, multiple cloud infrastructures and remote work, the traditional, perimeter-based architectures and mechanisms no longer work.
A zero trust approach is a data-centric approach with multiple lines of defense: technical (strong authentication methods, threat analysis to validate access attempts, segmenting the network into micro-segments) and organizational (security awareness measures). Supply chain security and security awareness play a role here too, but we deliberately look at them separately.
8. Secure the supply chain
Review the security measures and agreements with your suppliers/partners/customers and adjust them if necessary. When it comes to software, rely on products that follow the security-by-design approach. Also think about non-technical measures (e.g. access controls).
9. Train your employees
Through security awareness training, you create awareness of IT risks among employees. This helps to detect cyber attacks (e.g. via phishing emails) at an early stage.
10. Make provisions for emergencies
You must ensure that critical systems can be maintained even in the event of an attack. Therefore, take measures for business continuity management. These include backup management, disaster recovery, crisis management and emergency concepts (including contacts who take immediate action in the event of an emergency). If required, the BSI Service Center can also be reached free of charge on Tel. 0800 274 1000.
11. Plan appropriate security budgets
Now that you know what’s in store for you, you’ve probably already realized that you should adjust, or at least rethink, your security budgets. Not only the upcoming measures of the NIS2 regulation, but also the constantly increasing threat situation require appropriate expenditure on IT security measures. The BSI recommendation: Invest at least 20% of your IT expenditure in cyber security.
Bonus Tip
Security is and remains a complex topic. Therefore, choose the right (manufacturer-independent) consultants and service providers wisely. If necessary, rely on managed security services for all areas in which you do not have sufficient know-how and resources.
Source: https://enginsight.com/