Axence’s solution for meeting NIS2 requirements

NIS2 is a regulatory legal act of the European Union aimed at strengthening the level of cybersecurity in critical sectors. The document builds upon the provisions of the original NIS Directive and introduces more stringent requirements in the areas of risk management, mandatory incident reporting, and supply chain security. More information about the NIS2 requirements can be found in the article at the following link.

Risk analysis

A properly conducted risk analysis is a fundamental element in achieving compliance with NIS2. One of the essential steps within this process is the identification of an organization’s primary and supporting assets.

The Axence nVision® Inventory module has been designed to address this requirement. It enables fast and efficient asset inventory processes. The module supports the classification of both physical assets, such as hardware and network infrastructure components, as well as intangible assets, including information sets.

Maintaining an asset inventory makes it possible to accurately identify risks affecting assets, including components of the IT infrastructure. The risk analysis process represents one of the core requirements of NIS2 and serves as the foundation for the implementation of an integrated information security management system. The principles of risk analysis are described in ISO 27005, among other standards.

According to ISO 27005, assets (resources) are categorized into primary assets and supporting assets:

Primary assets:

  • Processes
  • Business activities
  • Information

Supporting assets:

  • Hardware
  • Software
  • Network
  • Personnel
  • Site
  • Organization’s structure

It should be noted that ISO 27001 and related standards are not the only frameworks applicable to risk analysis. Guidelines published by NIST or NSC may also be used. Regardless of the selected methodology, maintaining a comprehensive asset inventory and assessing the impact of specific risks on those assets remains a critical requirement.

Incident management

NIS2 places significant emphasis on this aspect of cybersecurity. Cyberattacks and data leaks are occurring with increasing frequency; as a result, incident management has been given priority within the new regulatory framework.

To establish a proper incident management process, ISO standards can once again be applied. In this context, ISO 27035 is relevant, as it defines and describes the incident management process.

Definition of an event and an incident

  • Information security event—an occurrence indicating a potential breach of information security or a possible failure of security controls.
  • Information security incident—an event that may cause harm to an organization’s assets or compromise its operations.

An incident may affect one or more information security attributes (confidentiality, integrity, availability).

According to ISO 27035, the incident management process consists of five phases:
  1. Plan and prepare
  2. Detect and report
  3. Assess and decide
  4. Respond
  5. Learn lessons

The initial step in determining whether a situation constitutes an incident is the detection of an event. The subsequent step involves classifying the incident (phase three: assess and decide) and, where necessary, assigning it to the appropriate team or IT staff member responsible for incident handling.

The Axence nVision® platform enables the detection of events originating from multiple sources, including:

  • anomalies identified in the operation of network devices
  • anomalies detected through computer or server performance monitoring
  • software installation activities
  • hardware changes
  • event log entries associated with a specific identifier
  • user attempts to bypass locking mechanisms
  • connection of removable media

Such an event may automatically trigger the sending of an email to the HelpDesk, resulting in the creation of a corresponding notification within the system. Following an appropriate analysis of this notification, the reported event may then be classified as an incident.

NIS establishes an obligation to report significant incidents to the relevant CSIRT.

Significant incident

An incident is considered significant if:

a) it has caused, or is capable of causing, serious operational disruption to services or financial losses for the affected entity;

b) it has affected, or is capable of affecting, other natural or legal persons by causing substantial material or non-material damage.

Significant incidents, together with their status and associated reports, must be reported to the appropriate Computer Security Incident Response Team (CSIRT).

Incident reporting timelines to the CSIRT

a) without undue delay and, in any case, within 24 hours of becoming aware of a significant incident—an early warning, which, where applicable, shall indicate whether the significant incident is suspected to have been caused by unlawful or malicious acts or whether it may have cross-border consequences;

b) without undue delay and, in any case, within 72 hours of becoming aware of a significant incident—an incident notification, which, where applicable, shall update the information referred to in point (a) and provide an initial assessment of the significant incident, including its severity and impact, as well as, where available, indicators of compromise.
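To make the two reporting windows above concrete, here is an added example that is not part of the original page and not Axence's code: a small Python tracker that records when an entity became aware of an incident, applies the two significance criteria, derives the 24-hour early-warning and 72-hour incident-notification deadlines, and reports whether each obligation is still due, overdue, or already sent. The ticket identifier, field names and sample timestamps are constructed for illustration only.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Reporting windows as stated in the text: 24 h early warning, 72 h incident notification.
EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)


def _obligation_state(sent_at: Optional[datetime], deadline: datetime, now: datetime) -> str:
    """State of one reporting obligation at time `now`."""
    if sent_at is not None:
        return "sent_late" if sent_at > deadline else "sent"
    return "overdue" if now > deadline else "due"


@dataclass
class IncidentReport:
    ticket_id: str                      # hypothetical HelpDesk ticket reference (constructed)
    aware_at: datetime                  # moment the entity became aware; must be timezone-aware
    serious_disruption: bool            # criterion (a): serious operational disruption or financial loss
    third_party_damage: bool            # criterion (b): substantial damage to other natural/legal persons
    suspected_malicious: Optional[bool] = None   # early-warning field: unlawful/malicious cause suspected?
    cross_border: Optional[bool] = None          # early-warning field: possible cross-border consequences?
    early_warning_sent_at: Optional[datetime] = None
    notification_sent_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        # Naive timestamps would make the deadline arithmetic ambiguous across time zones.
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")

    def is_significant(self) -> bool:
        """Significant if either criterion (a) or (b) applies."""
        return self.serious_disruption or self.third_party_damage

    def early_warning_deadline(self) -> datetime:
        return self.aware_at + EARLY_WARNING_WINDOW

    def notification_deadline(self) -> datetime:
        return self.aware_at + NOTIFICATION_WINDOW

    def reporting_status(self, now: datetime) -> Dict[str, str]:
        """State of both CSIRT reporting obligations at time `now`."""
        if not self.is_significant():
            return {"early_warning": "not_required", "notification": "not_required"}
        return {
            "early_warning": _obligation_state(
                self.early_warning_sent_at, self.early_warning_deadline(), now),
            "notification": _obligation_state(
                self.notification_sent_at, self.notification_deadline(), now),
        }

    def hours_remaining(self, now: datetime) -> Dict[str, float]:
        """Hours left until each deadline (negative once it has passed)."""
        return {
            "early_warning": (self.early_warning_deadline() - now) / timedelta(hours=1),
            "notification": (self.notification_deadline() - now) / timedelta(hours=1),
        }


def open_obligations(incident: IncidentReport, now: datetime) -> Dict[str, str]:
    """Only the obligations that still need action (due or overdue)."""
    return {k: v for k, v in incident.reporting_status(now).items() if v in ("due", "overdue")}


if __name__ == "__main__":
    # Constructed sample: awareness at 10:00 UTC, early warning sent 5 h later.
    aware = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    inc = IncidentReport("HD-0001", aware, serious_disruption=True, third_party_damage=False,
                         suspected_malicious=True, cross_border=False,
                         early_warning_sent_at=aware + timedelta(hours=5))
    now = aware + timedelta(hours=30)
    print(inc.reporting_status(now))   # early warning sent, notification still due
    print(open_obligations(inc, now))
    print(inc.hours_remaining(now))
```

The tracker deliberately refuses naive timestamps: an organisation operating across time zones would otherwise risk miscounting the 24-hour window. The `sent_late` state is kept separate from `sent` so that a missed deadline remains visible in the incident record for the "learn lessons" phase.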

The role of the HelpDesk module in the incident management process

In general, all modules may support the incident management process through their capability to detect events that may, or may not, constitute incidents. One module that plays a particularly important role in the risk management process is the HelpDesk module, which enables the following activities:

  • registration of events and incidents
  • rapid response to and resolution of issues
  • classification and assessment of incidents
  • task assignment and incident escalation
  • progress tracking and reporting
  • record keeping and documentation of lessons learned for future improvement

Cybersecurity training

Cybercriminals have long recognized that even the most advanced systems and technologies are ineffective if employees are not aware of existing threats. This understanding is also reflected in the approach taken by EU lawmakers. For this reason, NIS2 introduces an explicit obligation to provide cybersecurity training for employees, with particular emphasis on social engineering and phishing attacks.

What does NIS2 state regarding education?

Article 89

Essential and important entities are expected to implement a broad set of basic cyber hygiene practices, including zero-trust principles, regular software updates, device configuration, network segmentation, identity and access management, and user awareness measures. In addition, such entities should organize cybersecurity training for their personnel and raise awareness of cyber threats, phishing, and social engineering techniques.

Training requirements are addressed across multiple standards, directives, and regulatory frameworks, including ISO, NIST, NSC, and the NCS Act. A distinctive element of NIS2 is the explicit identification of threats associated with phishing and social engineering techniques, reflecting the significant increase in the frequency of such attacks in recent years.

The knowledge base available within the HelpDesk module provides a centralized location where organizations can make educational materials available to enhance employees’ cybersecurity awareness. Administrators are able to publish training articles, graphical materials, and images, as well as include links—for example, to video content that further develops cybersecurity knowledge among staff. Additionally, announcements distributed through the HelpDesk module can be used to inform users about specific types of social engineering attacks.

Additional NIS2 requirements and related standards

NIS2 encompasses a broad set of additional standards and regulatory requirements that must be addressed, including the following areas:

1. Business continuity, including backup and disaster recovery management and crisis management

The Network module, one of the components of the Axence nVision® platform, helps prevent costly service disruptions. It detects anomalies in device operation and monitors performance parameters of critical devices. In addition, server room conditions can be protected through real-time monitoring of environmental factors such as temperature and humidity.

2. Supply chain security, including security aspects of relationships between each entity and its direct suppliers or service providers

Within the Inventory module of the Axence nVision® platform, a register of hardware and software suppliers can be maintained. This contributes to improved supply chain security. Proper asset inventory, combined with information about the manufacturer of a specific solution, supports effective supplier tracking and facilitates supply chain risk assessment.

3. Security in the acquisition, development, and maintenance of networks and IT systems, including vulnerability management and disclosure

The Axence nVision® platform enables analysis of assets recorded in the Inventory module, which constitutes a prerequisite for effective technical vulnerability management.

4. Policies and procedures for the use of cryptography and, where appropriate, encryption

The DataGuard module within Axence nVision® supports remote encryption of hard drives and other connected storage media using BitLocker.

5. Personnel security, access control policies, and asset management

The Inventory module of the Axence nVision® platform enables monitoring of access to information systems and supports the management of both primary and supporting assets.
