William De Angelis EU Cybersecurity strategy N.I.S. Directive C.I.L.E. compliance guidance.

Transcription of the presentation:

William De Angelis EU Cybersecurity strategy N.I.S. Directive C.I.L.E. compliance guidance

Directive vs Regulation

EU Directive (e.g. N.I.S.):
- Applicable to all Member States
- Sets certain aims, requirements and concrete results that must be achieved in every Member State
- Sets a process for it to be implemented by Member States
- National authorities must create or adapt their legislation to meet these aims by the date specified in each given Directive

EU Regulation (e.g. G.D.P.R.):
- Immediately applicable and enforceable by law in all Member States
- As good practice, Member States issue national legislation that defines the competent national authorities, inspection and sanctions on the subject matter.

Common level of network and information systems security
- Improving national cyber security capabilities
- Increasing cooperation between EU Member States
- "Appropriate and proportionate" security measures (OSE and DSP)

OSE: operators of essential services. DSP: digital service providers.

Which agenda?

OSE: Operators of Essential Services
The Directive deems the following sectors essential:
- Energy (electricity, oil and gas)
- Transport (air, rail, water and road)
- Banking (credit institutions)
- Financial market infrastructures (trading venues and central counterparties)
- Health (healthcare providers)
- Water (drinking water suppliers and distributors)

The Directive: 27 Articles and 75 Recitals
- Article 1: Scope. "Adoption of a national strategy", international cooperation and incident response centres...
- Article 2: Processing of personal data (95/46 --> GDPR)
- Article 3: Minimum harmonisation; each Member State is free to go beyond the "baseline" defined by the Directive
- Article 4: Definitions
- Article 5: Identification of operators of essential services
- Article 6: Significant disruptive effect
- Article 7: National strategy on the security of network and information systems
- Article 8: National competent authorities and single point of contact
- Article 9: Computer security incident response teams (CSIRTs)
- Articles 10 to 13: National cooperation, CSIRT network, international cooperation
- Article 14: Security requirements and incident notification
- Article 15: Implementation and enforcement
- Article 19: ... rules on penalties ...
- Article 21: ... encourage the use of standards ...
- Recital 54: ... cloud services, adaptation of contracts in compliance with the requirements of this Directive

Art 14 Security requirements and incident notification
Member States shall ensure that operators of essential services take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed.
Notify, without undue delay, the competent authority. (Notifications shall include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident. Notification shall not make the notifying party subject to increased liability.)

Art 15 Implementation and enforcement 1. Member States shall ensure that the competent authorities have the necessary powers and means to assess the compliance of operators of essential services with their obligations under Article 14 and the effects thereof on the security of network and information systems.

Belgium ecosystem
- NIS Cooperation Group
- OSE, national authority, CSIRT, incident, audit, OSE, CRCW, certification, accreditation
- Computer Emergency Response Team (CERT)
- Computer Security Incident Response Team (CSIRT)
- Incident notification to the national CSIRT (CCB)
- External audit every 3 years
OSE: operators of essential services identified by the CCB

Article 19 Standardisation
Encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.

Article 21 Penalties
Rules on penalties applicable to infringements of national provisions adopted pursuant to this Directive; Member States shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive.

4) Standards and norms: ISO 27001
Source: NIS Cooperation Group members. Building upon answers provided by the Member States to ENISA's questionnaire, the Group acknowledged that Member States may wish to use different sources or control frameworks for security measures, from European or international standards (e.g. ISO 27000) [6] to existing or new sets of security measures (e.g. France's cybersecurity measures for OES, Germany's IT-Grundschutz, Spain's National Security Framework, etc.).
[6] Article 19 of the NIS Directive: "Encourage the use of European and internationally accepted standards and specifications relevant to the security of Network and Information Systems".

ISO 27002:2013 control blocks (114 controls)
Security requirements, Art. 14.2: OSE shall take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of those essential services, with a view to ensuring the continuity of those services.

NIS Implementation

Enterprise architecture layers: Enterprise Information, Business Process, Information Services, Applications, Infrastructure; Enterprise Information Security and IT Security cut across these layers.
© Copyright ICTC.EU 2017

Protect the Crown Jewels!
BPMN modelling (ARIS): Business process, Information Services, Applications, Infrastructure

Risk assessment tool: MONARC
Primary asset (PA): HR service, user side. Secondary assets. Transversal assets.

Questions?

Sources:
- https://eur-lex.europa.eu/legal-content/FR/TXT/PDF/?uri=CELEX:32016L1148&from=FR
- https://circabc.europa.eu/sd/a/c5748d89-82a9-4a40-bd51-44292329ed99/reference_document_security_measures_OES(0).pdf
- https://www.enisa.europa.eu/topics/critical-information-infrastructures-and-services/cii/nis-directive
- https://www.ccb.belgium.be/fr/actualité/cadre-pour-la-sécurité-des-réseaux-et-des-systèmes-dinformation-pour-la-sécurité-0
- https://www.europa.eu/rapid/press-release_MEMO-18-3651_en.pdf
- https://www.cases.lu/monarc.html
- https://securitymadein.lu/tools/monarc/