Assessment Frameworks for NIS Directive Compliance

According to the NIS Directive, Member States should adopt a common set of baseline security requirements to ensure a minimum level of harmonized security measures across the EU and enhance the overall level of security of operators providing essential services (OES) and digital service providers (DSP). The NIS Directive sets three primary objectives:

• to improve the national information security capabilities of the Member States;
• to build mutual cooperation at the EU level; and
• to promote a culture of risk management and incident reporting among actors (OES and DSP) of importance for the maintenance of key economic and societal activities in the Union.

As part of the NIS series, we have already provided an overview of the Directive, and we have examined in detail the security requirements for DSPs and OES. To assist organizations in meeting compliance with the Directive, the European Union Agency for Cybersecurity (ENISA) and the UK’s National Cyber Security Center (NCSC) have developed assessment frameworks.

ENISA’s Guidelines on Assessing DSP and OES Compliance

According to the NIS Directive Articles 14, 15 and 16, one of the key objectives is to introduce appropriate security measures for OES as well as for the DSP to achieve a common level of information security within the EU network and information systems. Information security audits and self–assessment/ management exercises are the two major enablers to achieve this objective.

The main objective of the ENISA guidelines is to facilitate National Competent Authorities (NCA) conducting audits and to assist DSP and OES across all EU Member States in complying with the requirements of the NIS Directive in the effort to achieve a baseline security level. The objective of the guidelines is achieved by:

1. Proposing the information security audit and self-assessment/management frameworks that can be applied by DSP and OES with regard to the NIS Directive security requirements.
2. Mapping those frameworks per domain of applicability (i.e. in DSP, OES business environments or both).
3. Presenting recommendations to the NCA on how to handle, manage and process the information collected during audits performed on OES.

The key outcome of the guidelines is a set of questions and supporting information that NCA can use to assess OES compliance as well as a set of questions for DSP to perform security self-assessments against the NIS security requirements.

The ENISA guidelines present the steps of an information security audit process for OES compliance as well as of a self-assessment/management framework for the DSP security against the security requirements set by the NIS Directive. In addition, they provide an analysis of the most relevant information security standards and frameworks, such as ISO/IEC 27001 and NIST SP 800-30, to support OES and DSP in practicing the above exercises in the most tailored and efficient manner.

This necessity derives from the fact that there are numerous frameworks developed for specific industries and sectors, incorporating different regulatory compliance goals and varying degrees of complexity and scale. Therefore, the mapping of information security audit and self-assessment/management frameworks for DSP and OES will ensure the cultural coverage of both sectoral and cross sectors (e.g. as energy, transport, drinking water and distribution, banking and financial market infrastructures, healthcare and digital infrastructure) as defined in ANNEX II of the NIS Directive.

The ENISA guidelines can be applied as the baseline for building an information security program to manage risk and reduce vulnerabilities and to define and prioritize the tasks required to enhance security into IT-security risk-based environments.

NCSC Cyber Assessment Framework

The NCSC Cyber Assessment Framework (CAF) provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organization responsible. It is intended to be used either by the responsible organization itself as a self-assessment tool or by an independent external entity, possibly a regulator, like an NCA, or a suitably qualified organization acting on behalf of a regulator.

The CAF collection is aimed at helping an organization achieve and demonstrate an appropriate level of cyber resilience in relation to certain specified essential functions performed by that organization. The NCSC cyber security and resilience principles provide the foundations of the CAF. The 14 principles are written in terms of outcomes, i.e. specification of what needs to be achieved rather than a checklist of what needs to be done. The CAF adds additional levels of detail to the top-level principles, including a collection of structured sets of Indicators of Good Practice (IGPs).

The CAF has been developed to meet the following set of requirements:

1. Provide a suitable framework to assist in carrying out cyber resilience assessments.
2. Maintain the outcome-focused approach of the NCSC cybersecurity and resilience principles and discourage assessments being carried out as tick-box exercises.
3. Be compatible with the use of appropriate existing cybersecurity guidance and standards.
4. Enable the identification of effective cybersecurity and resilience improvement activities.
5. Exist in a common core version which is sector-agnostic.
6. Be extensible to accommodate sector-specific elements as may be required.
7. Enable the setting of meaningful target security levels for organizations to achieve, possibly reflecting a regulator view of appropriate and proportionate security.
8. Be as straightforward and cost-effective to apply as possible.

It is important to recognize that the intent is not to produce an all-encompassing cybersecurity “to do” list. The NCSC intends the principles and guidance to be used in the following way by organizations performing essential functions:

• Understand the principles and why they are important. Interpret the principles for the organization.
• Compare the outcomes described in the principles to the organization’s current practices. Use the guidance to inform the comparison.
• Identify shortcomings. Understand the seriousness of shortcomings using organizational context and prioritize.
• Implement prioritized remediation. Use the guidance to inform remediation activities.

An assessment of the extent to which an organization is meeting a principle is accomplished by assessing all the contributing outcomes for that principle. In order to inform assessments at the level of contributing outcomes:

• Each contributing outcome is associated with a set of indicators of good practice (IGPs), and
• using the relevant IGPs, the circumstances under which the contributing outcome is judged ‘achieved,’ ’not achieved’ or (in some cases) ‘partially achieved’ are described.

For each contributing outcome, the relevant IGPs have been arranged into table format. The resulting tables, referred to as IGP tables, constitute the basic building blocks of the CAF. In this way, each principle is associated with several IGP tables, one table per contributing outcome. The following table summarizes the key points relating to the purpose and nature of the indicators included in the CAF IGP tables.

How Tripwire Can Help

Tripwire can help organizations to meet the NIS Directive objectives and security requirements with a variety of solutions. Tripwire Enterprise is a security configuration management solution that allows for real-time detection of threats, anomalies and suspicious changes while providing visibility into the organization’s security state. Fortra VM is a proactive, risk-based vulnerability management solution that is crucial to any cybersecurity portfolio.  With its robust feature set, Fortra VM assesses and prioritizes your system weaknesses and creates easily understood reporting for efficient and effective remediation. Finally, Tripwire LogCenter ensures all data is captured and retained, highlighting critical events and reducing unnecessary noise. 

You can read more in this series here: 

How to Achieve Compliance with NIS Directive 

NIS Directive: Who are the Operators of Essential Services (OES)? 

Who Are the Digital Service Providers (DSP) under the NIS Directive?