As the fateful date of 17 October 2024 approaches, ANSSI is continuing its work to adapt and implement the requirements of the NIS2 Directive in the French context. Without waiting for the details of the new obligations and compliance monitoring processes that will be put in place by the legislator, the essential and important entities in the many sectors covered by the European directive must take the initiative now.
Articles 20 and 21 of NIS 2 set out a series of measures with which companies and public authorities will have to comply. They cover the implementation of an information security governance system, the deployment of technical protection measures and the establishment of a system for dealing with security incidents.
Security governance
In terms of governance, mastering information security requires a number of essential projects, each of which has a cross-functional impact on the entire organisation.
- Definition of roles and responsibilities, in particular through the appointment of a security officer, ideally reporting to general management
- Establishment of a body of security policies, processes and procedures, the centrepiece of which is the Information Systems Security Policy (ISSP)
- Mapping of the information system in terms of activities and services, and identification of support assets (servers, networks, applications, etc.)
- Mapping of service providers and suppliers, a prerequisite for monitoring their level of security
- Implementation of security risk management, through regular risk analyses, with acceptance of residual risks by senior management
- Regular audits to verify the effectiveness of security measures and compliance with applicable regulations
- Taking security into account in HR management, with particular attention to employee training and awareness, and the proper management of arrivals and departures
Technical protection measures
These organisational measures are essential, but remain insufficient if they are not complemented by robust technical protection measures.
- Maintaining systems in secure conditions, by implementing security monitoring and vulnerability management processes
- Controlling physical access to premises, with the deployment of modern access control and alarm systems
- Securing the architecture of the information system, with specific attention paid to interconnections with third-party networks, and to partitioning according to the sensitivity of the different zones
- Securing remote access and administration by deploying multi-factor authentication and bastion hosts
- Deployment of malicious code protection solutions at different layers: EDR, IDS, IPS, WAF
- Hardening of configurations, with the aim of reducing the attack surface as much as possible, while ensuring that systems and applications are easy to use
- Secure identity and access management, based on the principle of least privilege, which requires strict management of authorisations and regular reviews
- Implementation of measures for business continuity and recovery, based on reliable backups, ideally offline
Handling incidents
Because there is no such thing as zero risk, and because attackers are constantly innovating, security incidents are bound to happen. That's why it's vital to have a solid capability for handling security incidents.
- Incident detection, primarily through the deployment of a SIEM, operated by a SOC, possibly outsourced
- Responding to incidents, either by setting up an in-house CERT or by working with a specialist partner
- Cyber crisis management, by defining managerial and operational processes and organising regular exercises
Naturally, this compliance work is made easier by using trusted service providers, ideally qualified by ANSSI.