Governments across Europe recognised that with increased interconnectiveness a cyber incident can affect multiple entities spanning across a number of countries. Moreover, impact and frequency of cyber attacks is at all-time high with recent examples including:
- 2017 WannaCry ransomware attack
- 2016 attacks on US water utilities
- 2015 attack on Ukraine’s electricity network
In order to manage cyber risk, the European Union introduced the Network and Information Systems (NIS) Directive which requires all Member States to protect their critical national infrastructure by implementing cyber security legislation.
Each Member State is required to set their own rules on financial penalties and must take the necessary measures to ensure that they are implemented. For example, in the UK fines, can be up to £17 million.
And yes, in case you are wondering, the UK government has confirmed that the Directive will apply irrespective of Brexit (the NIS Regulations come into effect before the UK leaves the EU).
Who does the NIS Directive apply to?
The law applies to:
- Operators of Essential Services that are established in the EU
- Digital Service Providers that offer services to persons within the EU
The sectors affected by the NIS Directive are:
- Health (hospitals, private clinics)
- Energy (gas, oil, electricity)
- Transport (rail, road, maritime, air)
- Digital infrastructure and service providers (e.g. DNS service providers)
- Financial Services (only in certain Member States e.g. Germany)
NIS Directive objectives
In the UK the NIS Regulations will be implemented in the form of outcome-focused principles rather than prescriptive rules.
National Cyber Security Centre (NCSC) is the UK single point of contact for the legislation. They published top level objectives with underlying security principles.
- A1. Governance
- A2. Risk management
- A3. Asset management
- A4. Supply chain
- B1. Service protection policies and processes
- B2. Identity and access control
- B3. Data security
- B4. System security
- B5. Resilient networks and systems
- B6. Staff awareness
- C1. Security monitoring
- C2. Proactive security event discovery
- D1. Response and recovery planning
- D2. Lessons learned
Table view of principles and related guidance is also available on the NCSC website.
Cyber Assessment Framework
The implementation of the NIS Directive can only be successful if Competent Authorities can adequately assess the cyber security of organisations is scope. To assist with this, NCSC developed the Cyber Assessment Framework (CAF).
The Framework is based on the 14 outcomes-based principles of the NIS Regulations outlined above. Adherence to each principle is determined based on how well associated outcomes are met. See below for an example:
Each outcome is assessed based upon Indicators of Good Practice (IGPs), which are statements that can either be true or false for a particular organisation.
If your organisation is in the scope of the NIS Directive, it is useful to conduct an initial self-assessment using the CAF described above as an starting point of reference. Remember, formal self-assessment will be required by your Competent Authority, so it is better not to delay this crucial step.
Establishing an early dialogue with the Competent Authority is essential as this will not only help you establish the scope of the assessment (critical assets), but also allow you to receive additional guidance from them.
Initial self-assessment will most probably highlight some gaps. It is important to outline a plan to address these gaps and share it with your Competent Authority. Make sure you keep incident response in mind at all times. The process has to be well-defined to allow you report NIS-specific incidents to your Competent Authority within 72 hours.
Remediate the findings in the agreed time frames and monitor on-going compliance and potential changes in requirements, maintaining the dialogue with the Competent Authority.
I remember conducting a detailed security assessment using the CSET (Cybersecurity Evaluation Tool) developed by the US Department of Homeland Security for UK and US gas and electricity generation and distribution networks. The question set contained around 1200 weighted and prioritised questions and resulted in a very detailed report.
Was it useful?
The main learning was that tracking every grain of sand is no longer effective after a certain threshold.
The value add, however, came from going deeper into specific controls and almost treating it as an audit where a certain category is graded lower if none or insufficient evidence was provided. Sometimes this is the only way to provide an insight into how security is being managed across the estate.
What’s apparent in some companies – especially in financial services – is that they conduct experiments often using impressive technology. But have they made it into a standard and consistently rolled it out across the organisation? The answer is often ‘no’. Especially if the company is geographically distributed.
I’ve done a lot of assessments and benchmarking exercises against NIST CSF, ISO 27001, ISF IRAM2 and other standards since that CSET engagement and developed a set of questions that cover the areas of the NIST Cybersecurity Framework.
I felt the need to streamline the process and developed a tool to represent the scores nicely and help benchmark against the industry. I usually propose a tailor-made questionnaire that would include 50-100 suitable questions from the bank. From my experience in these assessments, the answers are not binary. Yes, a capability might be present but the real questions are:
- How is it implemented?
- How consistently it is being rolled out?
- Can you actually show me the evidence?
So it’s very much about seeking the facts.
As I’ve mentioned, the process might not be the most pleasant for the parties involved but it is the one that delivers the most value for the leadership.
What about maturity?
I usually map the scores to the CMMI (Capability Maturity Model Integration) levels of:
- Quantitatively managed and
But I also consider NIST Cybersecurity framework implementation tiers that are not strictly considered as maturity levels, rather the higher tiers point to a more complete implementation of CSF standards. They go through Tiers 1-4 from Partial through to Risk Informed, Repeatable and finally Adaptive.
The key here is not just the ultimate score but the relation of the score to the coverage across the estate.
When there is a need to quickly determine where a company is standing in terms of the maturity of its security programme, I developed the below questionnaire which can be useful in this endeavour.
|1.||Information security policy|
|1.1||Is there an information security policy that is appropriate to the purpose of the organisation, gives a framework for setting objectives, and demonstrates commitment to meeting requirements and for continual improvement?|
|1.2||Is the policy documented and communicated to employees within the organisation and available to interested parties, as appropriate?|
|1.3||Is there an established ISMS policy that is ensuring the integration of the information security management system requirements into the organisation’s processes?|
|2.||Information security risk assessment and treatment|
|2.1||Has an information security risk assessment process been defined and applied?|
|2.2||Is there an information security risk treatment process to select appropriate risk treatment options for the results of the information security risk assessment, and are controls determined to implement the risk treatment option chosen?|
|3.||Planning and measuring|
|3.1||Are measurable information security objectives and targets established, documented and communicated throughout the organisation?|
|3.2||Does the organisation determine what needs to be done, when and by whom, in setting its objectives?|
|4.1||Does the organisation conduct internal audits at planned intervals to provide information on whether the information security management system conforms to requirements?|
|5.1||Does the leadership undertake a periodic review of the information security processes and controls, and ISMS?|
|6.||Corrective action and continual improvement|
|6.1||Does the organisation react to the nonconformity and continually improve the suitability, adequacy and effectiveness of the information security management system?|
|7.1||What security laws and data protection legislation apply to the organisation?|
Download the full Questionnaire (with instructions)
Image courtesy Pong / FreeDigitalPhotos.net
Have you seen security controls being implemented just to comply with legal and regulatory requirements? Just like this fence. I’m sure it will pass all the audits: it is functioning as designed, it blocks the path (at least on paper) and it has a bright yellow colour just as specified in the documentation. But is it fit for purpose?
It turns out that many security problems arise from this eager drive to comply: if the regulator needs a fence – it will be added!
Sometimes controls are introduced later, when the project is well passed the design stage. It might be the case that they just don’t align with the real world anymore.
Safety measures, unfortunately, are no exception. The solution may be poorly designed, but more often, safety requirements are included later on with the implementation not fit for purpose.
Same holds for privacy as well. Privacy professionals encourage to adopt the Privacy by Design principle. Is it considered on the image below?
Interview with Jitender Arora – Information Security & Risk Executive (Financial Services)
Could you please start by telling us about your background?
I am a Computer Science and Engineering graduate, with Masters Degree in Consultancy Management. I had been a very technical, hands-on person from the very beginning of my career. I spent the first two years building firewalls, proxy servers and hardening UNIX servers. After few years, I was presented with an opportunity to move into information security and risk. At the time, I was working for Wipro Technologiesand they were building a Security Consultancy Practice, which would be front-ending with their customers, and working on the projects. The organisation was recruiting for this practice from other parts of the organisation so I decided to move into this new practice which proved to be a very exciting and challenging assignment. That’s where my journey in terms of “information security and risk”started from. Later, I had leadership roles in organisations like Adobe Systems and Agilent Technologies. I moved to the UK around 8 years ago, and that’s when my journey began working in the financial services sector.
What do you do now?
Around four years ago, I decided to quit my job and start my own small consulting firm with two friends I had met at RBS. We did a good job for two years, and build a good profitable business. Unfortunately, due to some unavoidable circumstance the partnership didn’t work out and we decided to amicably part ways. After that, I didn’t want to jump into the first thing that came along, and so I focused on my independent journey as Interim Executive in leading business transformation and change programs that address governance, risk and compliance problems faced by my client organisations. My engagements are outcome oriented to deliver the specific outcome for the client organisation. Over the last 3 or 4 years, I have built a strong reputation of being an outcome-oriented management consultant.
You are a very well known speaker within the industry. What made you decide to engage in this sort of activities as well?
It was not an intentional choice. I was once having a conversation with my best mate, Javvad Malik, around the need for new speakers at conferences who are able to present a different point of view. In a way, Javvad encouraged (or should I say pushed, Thank You Jav) me to go ahead and speak at conferences. At that point, I wasn’t too keen on it because I have always felt anxious about speaking in a public forum. Additionally, English is not my first language, which represented another barrier. But I decided to face my fear, and just go along with it. When I actually started speaking, I received an encouraging response from the audience and attendees liked my take on topics which they said provided a unique perspective. Being a very pragmatic consultant, I usually have a different point of view, as opposed to being a paranoid view. I approach security & risk problems and issues as a business person which provides a different perspective, so that’s where I think I got some good recognition from the market, especially in the speaking circuit. I believe speaking engagements not only present an opportunity for building your own personal brand but also helps sharpen your selling and marketing skills. The way you approach people, build their perception of you, sell yourself and your ideas, it’s a very good skill to have which is not generally taught in school or at university. Now, I encourage my colleagues and professionals to speak at events.
Returning to what you were saying about being an outcome oriented consultant, could you please elaborate on how changes can be implemented within organisations when these changes involve people and their behaviour? How do you address the people aspect of security?
As a security professional, when you implement a new security control, you are usually changing the way people are operating. A very simple example would be when implementing a control in terms of how people access production system. So if you go into an organisation in which their practices have been acceptable for the past 10 years, and you suddenly tell them that they can no longer follow same practice, you are, in a way, taking a privilege away from them and they will react accordingly. The analogy that I usually use for this is if I suddenly tell my son, who normally watches 1 hour of T.V. a day for the past several years, that he cannot watch it without taking permission every time and not more than 30mins from now on. He will not like it and will most likely rebel and show his displeasure.
As security professionals we try to change the process, and we want to introduce a certain level of governance on top of it. It’s very important to manage the people aspect of implementing such changes for security. You need to get people on your side before you actually implement these controls. It is a lot about socialising, and communicating, which brings me back to the point on selling and marketing. You have to package, sell and market these changes by conveying the message that “even though we are taking this privilege away from you by implementing these controls, we are going to give you something in return: We will guarantee that you run your business in a compliant manner and do not get audit findings or regulatory issues in which you will have to invest to address them”. So returning to the original example, it’s about establishing a secure way of accessing production systems which, although might be different from existing methods and might involve a little extra work, will ensure that everybody can continue to do their job while being compliant. We will create a robust production access environment: “So let’s be proactive and address this situation together before someone else comes and asks us to fix it.”
There are some of security professionals who scare the clients and users as a strategy for avoiding unwanted behaviour, by telling them, for example, that they might even risk getting fired. What is your opinion on this approach?
If you scare people too much, they will be scared as long as you are in front of them, but the behaviour won’t change. The objective should be to change the behaviour, and when we say “behaviour”, we are referring to the way people operate on a day-to-day basis. Make sure that they don’t see this as a temporary situation, but as a routine. A very simple example for this would be physical security guards. We have security guards in all the office buildings who are standing on the side, observing people, looking for individuals who may seem malicious or suspicious. But they don’t intimidate people around them. You might even be able to approach them for directions and they will kindly answer if they can help. But the moment they detect somebody suspicious, they will intervene. Now let’s imagine that instead of having these friendly security personnel, we had big bouncers who are aggressive. Would you feel okay approaching them? Sometimes security in our context operates like those big nightclub bouncers, because it is intimidating. So business people stop inviting you as a security professional to their business initiatives because they see security as the big intimidating bouncer: as a problem. For them, if you bring security in, you are bringing a problem in. That needs to change, and it largely depends on relationships and how you manage those relationships, how you come across in your meetings with them, and what they main message of your proposition is: “we are not taking anything away from you, we are going to help implementing new controls that will allow you to run your business in a secure and compliant manner meeting legal and regulatory obligations.”So it’s a trade-off and it’s a lot about perception, so the scaring tactic I don’t think works for too long.
You have come up with a way of selling all of your services to the executives and they understand the value of them. What about the actual people who use the service?
I think of executives as the same as the end-users, so the methods I use to sell security doesn’t change at for different levels. It’s the way you deliver message and what message you deliver has to be adapted for different levels. Business executives will normally focus on how you are going to solve the problems that will allow the business to address the compliance issues and meet regulatory requirements. They are the ones that get chased around by the auditors and the regulators. But for the end-users, compliance is not their problem. They never get to own or see these auditing issues. From their perspective, they have a business to do, a server to manage, an infrastructure to run, they want to operate the way they have done so far. So if bringing in new security controls doesn’t mean making life difficult, they are happy to participate. As a security professional, that’s the message that you can give: “we are not here to make your life difficult, but to make sure you have the right tools to do your job effectively in a secure and compliant manner.”
As a preliminary step to implementation, would you have to first understand what it is people normally do on a day-to-day basis?
Absolutely. The very first thing I like to do is to see these users or consumers of these controls as my key stakeholders. One thing I always do in any of these change programmes is approach stakeholders including user groups in their working environment, and make them feel comfortable. Ask them, listen to them and understand what their problems are. What is it that they like that they would like to keep, and what they don’t like that they would like to have changed, and what is it that they might have seen somewhere else and might be a good thing to include as part of this change. Key benefit from being in listening mode is that people become part of the journey because they have largely contributed to the creation and design of these new controls. The key to success is to approach any change from human psychological perspective and engaging them by asking, listening and taking their feedback on board. Another thing that I always make sure to do is to fix the things they don’t like in the existing environment. Listen to people; understand what they like, what they don’t like, make sure you can fix their problems, and if they want something else, try to help them get it: get them on your side. Make them feel like they are part of this journey and also give them credit for their contribution to the success.
Let’s imagine that a security manager decides to implement a security policy in any given company. Let’s say that they take a standard framework like, say, ISO 27001, they tweak it a bit and apply it into the company’s environment. Do you see any potential problems with this?
Frameworks are a good start. But what lots of organisations do is that they lift the framework as is and if you look at the policies in most of them, there is not much difference. But if you think of different types of organisations like the financial services, investment banking, or law firms, you have many different environments: you have different drivers and they come with a very different set of challenges. A lot of professionals, who write policies, do so in isolation. They don’t spend time understanding how a specific organisation carries out its business. An interesting question would be, once a policy is written, whom do you want to be the target audience? Is the policy being written by security people, to be interpreted by security people? Or is a policy being written by security people, to be understood by security people, when in reality it is supposed to be meant for business people? In one of my previous engagements, I had security experts writing the policy, and I then hired a technical writer to review, proof-read and rewrite the policy. The end products between the policy written by the security experts and by the technical writer were completely different: the latter was much more understandable by the business community. We don’t realise that, unless an external person comes along and starts asking questions –“oh, what do you mean by this?”- that the language is not easily understandable for everyone. So I believe that every organisation should hire competent technical writers to translate their security policy, standards and guidance from specialised security jargon into a language that is understandable for business people.
So once your policy is written in understandable terms for everyone, how do you make people read it and comply?
The first thing I do in any organisation is that I visit their homepage and type in “information security”. If the policy doesn’t come up as the first search result, something is wrong. If people can’t find the security policy, how can you expect them to read it? How can you expect them to comply?
Another thing that I have done in few organisations is to conduct a simple survey, by asking three simple questions to business community:
- Do you know that we have an information security department?
- Do you know services this department has to offer?
- Do you know how to contact them if you need it?
It’s very eye-opening and you get lots of strange responses from the business people. Many times they do not know how to contact the security department or what services they provide. If they don’t know you exist, how can they possibly approach you? We can have a fantastic policy embedded in some website, but nobody is looking at it nor reading it.
Another problem is that security policies are long documents: They are not exciting, they are not novels. So I wouldn’t expect business people to read each and every bit and understand it. The probability to succeed can increase if you can provide them a platform where they are able to search when they need to and know where to go and look for answers when they need it. And this touches the point of approachability and availability of the policy and guidance.
But lets focus on the policy itself. How many policies do we have in a typical regulated organisation that we expect employees to read and comply with? E.g. security, anti-money laundering, acceptable use, expenses, travel and anti-bribery policy etc: it’s a huge list. Think about how long it takes an individual to read those policies, understand, remember and follow them. We’re human, it’s not possible. What’s important is that on a day-to-day basis there are some aspects that you need to demonstrate and follow as a normal business user and whenever in doubt go and seek answers. I like to refer to this as “acceptable behaviour”, not only in terms of privacy and security but overall behaviour.
You can take key messages from all of your relevant policies, and communicate them in friendly, simplistic and interesting terms linking it back to acceptable behaviour. It’s not the computer-based training (CBT) that can change human behaviour, but human-to-human interaction. It’s about helping people understand how to do what they do on a day-to-day basis, how to make their daily life easier and making the information accessible if they need to know more.
To wrap it up, you have mentioned previously that it is important to build a good security culture within the organisation. How do you define a good security culture?
A good analogy for this would be our behaviour regarding airport security, what we know we can do and what not to do, as well as reporting anything that may look suspicious. We are generally aware of our surroundings, especially when we are in an unknown territory. This is very natural to us in the physical world where we can see, hear and touch things in our surroundings. The challenge now is that we are spending so much of our time in this virtual world, where our senses can’t be used in the same way. We have to ask ourselves what key risk indicators in this virtual world are. How should we conduct ourselves in this virtual world? This is the kind of awareness that needs to be built into people’s behaviour. I think this journey should start from earlier stages in life, when people are being schooled. When I was in school, when I was growing up, my parents used to tell me: don’t talk to strangers, don’t accept anything from strangers, don’t give away your personal information to people you don’t know well, and so on. It’s an advice on how to conduct yourself safely in the physical world. Now, those messages have to change. You need to build a culture into the newer generations who are now and will be spending so much of their time in the virtual world. The definition of stranger in the virtual world is different from that in the physical world. The definition of “acceptable behaviour”in this virtual world has to be different from physical world. The definition of those risk indicators haven’t changed. One cannot expect behaviour to change on the first day a person joins the workforce, because by that time, behaviours are already formed.
The moment people become security aware, they become security advocates who can help spread this awareness on behalf of the security department. The organisations have to start a chain-reaction by making a few people security-aware and sending the message across the organisation. Everybody becomes self-aware at some point and starts thinking on his/her own about what is right and wrong. But this doesn’t happen because of computer-based training or policies. It is the change in human behaviour that is required in the long-term.
Thank you Jitender
Information systems audit do’s:
1. The main goal of an audit is not to find weak controls or policy violations, but to help a company mitigate its risks and achieve compliance.
2. Remember that an audit strengthens a discipline within a company.
3. An auditor is responsible for making sure that risks in weak areas don’t materialize, so he makes appropriate observations and comments.
4. Beware of flattery and concealment.
5. Replace opinions with facts and evidences.
6. Invest in improving communication skills.
7. When you finish interviewing someone, always give them a brief summary of the current situation (e.g. your observations: good and/or bad) if possible.
8. Do not add any photo/video materials or document copies to your final report.
9. Create good report templates in advance.
Information systems audit don’ts:
1. Don’t criticize.
2. Don’t argue.
3. Don’t use professional or specialized jargon.
4. Don’t say that you understand if you actually don’t.
5. Don’t try to guess.
6. Don’t use tests that can potentially cause incidents.
7. Don’t write only negative observations in your final report.
Image courtesy of Michal Marcol / FreeDigitalPhotos.net