Since the implementation of the General Data Protection Regulation (GDPR) on 25 May 2018, organizations and even private citizens have globally begun to re-assess what it means to ‘take security seriously’ and to better understand the massive difference between security and privacy.
What you may not be familiar with is the Network and Information Systems Directive (NIS Directive), which is a part of the EU standard for some Critical National Infrastructure (CNI). Whilst not all CNI are required to be compliant with this directive, (These industries include financial firms due to their existing compliance regulations being judged as sufficient.) the NIS Directive is a great starting point for organizations to review their security measures.
Even if you are not required to align with NIS Directive, this directive covers the foundations of security that can be applicable to a variety of situations. Best of all, it consists of publicly available information, including the UK National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF).
How many terms and conditions or privacy policies have you read and truly felt like you understood each element afterward? I often consider frameworks in a similar mindset. Referencing security principles, that might be even further unfamiliar territory.
On more than one occasion, my role as the security specialist was to go through a framework with teams and put the different requirements into plain language by offering almost a translation. The benefit? Following our collaboration, not only did each team/department feel empowered to make the required alterations, but also the negative connotations had been removed, thus allowing each of them to take action. Simply put, we created a secure culture that allowed members to build better solutions.
Leveraging existing knowledge effectively
Let’s look at the Centre for Internet Security, or CIS controls, (Read more…)