Laws and regulations governing cybersecurity
5. Information Security Management System
5.9. SUMMARY / MAIN OUTPUTS FROM THE CHAPTER
- There are many reasons for the introduction and implementation of cybersecurity. The most common include negative economic consequences in the case of a successful cyberattack in which sensitive data are stolen. A successful cyberattack can also compromise an organisation's own operations and functioning, for example by restricting access to computer systems or data through ransomware. Another reason for the introduction of cybersecurity may also be the loss of credibility of an attacked organisation.
- Currently, the most important document of the European Union related to the issue of cybersecurity is DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for a high common level of security of network and information systems across the European Union (the NIS Directive).
- The Information Security Management System (ISMS) is a set of rules designed to maintain the confidentiality, integrity and availability of information by applying a risk management process and providing assurance to stakeholders that risks are being adequately managed.
- An ISMS requires a systemic and comprehensive approach that respects the principles and elements of the entire cybersecurity lifecycle. The ISMS is based on the Deming cycle, also known as the PDCA (Plan-Do-Check-Act) cycle.
- The PDCA cycle is one of the basic management principles. It is based on the gradual improvement of the quality of processes, services, data, products, etc. through the constant repetition of its four basic activities: Plan, Do, Check, Act.
- The value of risk is most often expressed as a function affected by impact, threat and vulnerability. For example, the following function can be used for self-assessment of risk:
Risk = impact * threat * vulnerability
- A security policy is a set of policies and rules that determine how to ensure the protection of assets.
- Defining organisational security, and especially anchoring cyber or ICT security within the already functioning structures of an organisation, is of the utmost importance for being able to manage cyber threats or attacks.
- An asset is anything that has a certain value for a person, organisation or state.
- Ancillary assets are the technical assets, employees and suppliers involved in the operation, development, administration or security of the information and communication system.
- A primary asset is information or a service processed or provided by an information and communication system.
- Business Continuity Management (BCM) is a process based on identifying the key elements (systems and processes) of an organisation and then setting up processes and procedures to ensure the continuity or recovery of these elements, at a predefined level at which it will still be possible to perform the basic tasks of the organisation.
🗝️ KEY WORDS TO REMEMBER
- NIS directive
- ISMS
- PDCA
- Threat
- Risk
- Impact
- Vulnerability
- Security policy
- Asset
- Physical security
- Business Continuity Management
❓ KNOWLEDGE CHECK QUESTIONS
- Define ISMS.
- What is the PDCA cycle, and how does it apply?
- What components can be included in physical security?
- What is Business Continuity Management?
- Define threat.
- Define risk.
- Define impact.
- Define vulnerability.
- Define asset.
- What types of asset do we recognise, and what can count as an asset?