26. BCS
03 Network and Information Security

Network and Information Security (NIS) Directive:
1. Compliance with NIS is achieved by the Business Continuity Manager using the Business Continuity Management Service.
2. Network and Information Security objectives include:-
  (1) To ensure that bespoke application services do not stop and cannot be stopped.
  (2) To ensure that no single point of failure exists in any infrastructure.
  (3) To replicate equipment so that the effect of a hardware failure cannot be detected by a person using a bespoke application service.
  (4) To be confident that business continuity is adequate to survive any hurricane, tsunami, tornado, fire, flood, gas leak or smoke.
  (5) To ensure that bespoke application services continue when electrical power is down, when water mains are not working and when fuel shortages make travel impractical.
  (6) To be certain that in the event of a pandemic that prevents people from coming together, bespoke application services will continue without any major issues.
  (7) To build an environment that can survive a sustained distributed denial of service (DDoS) attack.

2. Glossary of Terms:
BCM means Business Continuity Manager as the person responsible.
BCMS means Business Continuity Management Service as the documentation application through which business continuity is planned, recorded and evidenced.
BCS means Business Continuity Standard as ISO 22301 and associated family of standards.
CSIRT means Computer Security Incident Response Team.
DSP means Digital Service Provider.
NCA means National Competent Authority (such as the Information Commissioner's Office, which is the UK competent authority for digital service providers).
OoES means Operator of Essential Service (commonly abbreviated OES).
SPoC means Single Point of Contact.

3. Operator of Essential Service:
1. NIS applies to operators of essential services in the following sectors, and to digital service providers:-
  Energy sector: gas, oil and electricity.
  Transport sector: airlines, ports, ferries, roads and rail.
  Financial services sector: banks and financial market infrastructures such as trading exchanges.
  Water sector: supply and distribution of water for human consumption.
  Health sector: health and social care, public and private.
  Digital infrastructure sector: internet exchange points, DNS service providers and top-level domain name registries.
  Digital service provider sector: online marketplaces (including app stores), online search engines and cloud computing services.
2. Telecoms is exempt only because specialist directives already cover the telecom market sector, and it would be illogical to operate more than one overlapping directive.
3. It is hard to identify a market sector that has no financial component covered by the directive.   A manufacturing company may be exempt because it is not an operator of an essential service, but the shareholders of the company may direct it to comply for perfectly sound business reasons.

4. Digital Service Provider:
1. A digital service provided to any customer in Europe is subject to the directive.   The service provider may be outside Europe, but when a European language and a European currency are offered, the service is aimed at Europeans and conformance is mandated.
2. An exception is granted to micro and small enterprises: a company with fewer than 50 employees and annual revenue of less than 10 million Euros.   Every business shall be fragmented by customer projects and skill specialisations into federated companies with fewer than 50 direct employees and with less than 10 million Euro revenue.   No federated company shall ever put itself at risk of needing to notify the NCA and the public of any business continuity incident.   Digital services must be provided by a large federation of small companies with the agility to rapidly change to match evolving legal obligations - risk increases as company size increases.   Every company has a structure and culture that can be rapidly fragmented into more than one federated company and the original company dissolved of all assets - long term stability is based on a large number of small companies.

5. Preparation:
1. Take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems.
2. Provide the information needed to assess the security of networks and information systems, including security policies.
3. Provide evidence of effective implementation of security policies, such as the results of security audits.
4. Execute binding instructions received from the NCA to remedy deficiencies in operations.
5. Remedy any failure to fulfil the requirements set out in the NIS directive.
6. Designate a representative in the EU when not established in the EU but offering services within the EU.
7. Notify any incident having a significant or substantial impact to the NCA or to the CSIRT without undue delay.
8. Where an OoES relies on a third-party DSP to deliver an essential service, the OoES shall notify any significant impact on the continuity of that service caused by an incident affecting the DSP.
9. Inform the public about individual incidents if required to do so by the NCA or CSIRT.

6. Threat Analysis:
1. Malware: a generic term for software with malicious intent, however it arrives (download, email attachment, removable media or a compromised update).
2. Worms: self-replicating malware that spreads between machines over networks, shared drives and email without user action.
3. Trojans: an innocent-looking program that carries a hidden malicious payload and relies on the user to install or run it.
4. Web Attack: redirecting users to malicious web sites so that malware is downloaded, often without any click (a drive-by download).
5. Web Injection Attack: feeding crafted input (such as SQL, commands or scripts) into vulnerable servers so that the server is compromised or serves malware to its other visitors.
6. Botnet: a network of infected computers under remote control of an attacker, used to send spam, host malware and launch DDoS attacks.
7. Phishing: email or messaging that impersonates a trusted identity to trick the recipient into revealing credentials or opening malware.
* SOLUTION: STOP DOWNLOADING PROGRAMS, DATA AND EMAILS to any local computer, tablet or phone.

Document Control.
1. Document Title: Business Continuity: Network and Information Security.
2. Description: Business Continuity: Network and Information Security.
3. Keywords: Business Continuity: Network and Information Security.
4. Privacy: Shared with approved people for the benefit of humanity.
5. Page: 162603.
6. Edition: 1.1.
7. Issued: 2 Jan 2018.