
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


4 Areas where the GDPR, NIS, Cyber Essentials & Minimum Cybersecurity Standard Overlap

Posted: 27 September 2018


For anyone who works in IT or compliance, you will be more than aware that 2018 has seen more than its fair share of new regulations and updates to industry standards. This year alone we have seen the introduction or update of:

  • GDPR (General Data Protection Regulation).
  • NIS (Network and Information Security) directive.
  • Cyber Essentials.
  • The Minimum Cybersecurity Standard.
  • SWIFT.
  • PCI-DSS (Payment Card Industry Data Security Standard).

...to mention just a few.

For those who are unfortunate enough to be in industries or organisations which need to comply with more than one of the above, satisfying the needs of one standard without compromising another can be a tricky challenge.

Where this is the case, ISACA (Information Systems Audit and Control Association) recommends that organisations get smart and look for common elements which can be satisfied by implementing a single control.

The term "killing two birds with one stone" comes to mind.

But where to start?

In this blog post, we have compared the GDPR, the NIS directive, Cyber Essentials and the Minimum Cybersecurity Standard and found four common areas which you can use to begin your integrated compliance journey.

1. Strong Authentication

Each of the four varies on the specifics, but they agree on one thing: where there is an authentication point, a username and password alone will not suffice and represent an unjustifiable risk.

We are all used to the idea of multi-factor authentication because we use the technology in our everyday lives, and the commercial banking industry is a great example of this.

To take this one step further, NIST (National Institute of Standards and Technology) recommends that multi-factor authentication should be the norm, not just something pursued for compliance or certification.
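To make the "second factor" concrete, here is an added example (not from the original post and not Infinigate's code) of how a server verifies a time-based one-time password (TOTP, RFC 6238), the mechanism behind most authenticator apps. The secret is the RFC 4226/6238 test-vector secret, used here as constructed demo input; a real deployment generates a random per-user secret and stores it as carefully as a password hash. The check accepts one 30-second step of clock skew either side, compares codes in constant time, and refuses replay of a code that has already been accepted. The first factor (password), rate limiting and secret storage are assumed to exist elsewhere.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector secret
# (ASCII "12345678901234567890"). Never use a fixed secret in production.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then the 'dynamic truncation' of the digest to a decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time=None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1):
    """Verify a submitted code against the current step and +/- `window` steps.

    Returns (accepted, counter). `last_counter` is the highest time-step counter
    already accepted for this user (persist it per user); any code for that step
    or earlier is refused, so a captured code cannot be replayed while still
    inside its validity window.
    """
    if unix_time is None:
        unix_time = int(time.time())
    now = unix_time // step
    accepted = False
    matched = -1
    # Evaluate every candidate step rather than returning early, so the
    # response time does not reveal which step (if any) matched.
    for counter in range(max(0, now - window), now + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted) \
                and counter > last_counter:
            accepted = True
            matched = counter
    return accepted, matched


if __name__ == "__main__":
    # Stand-alone demo against the RFC test vectors (time 59 -> step 1).
    code = totp(DEMO_SECRET, 59)
    print("code for T=59:", code)
    print("fresh code accepted:", verify_totp(DEMO_SECRET, code, unix_time=59))
    print("replayed code accepted:",
          verify_totp(DEMO_SECRET, code, unix_time=59, last_counter=1))
```

The skew window is a deliberate trade-off: one step either side tolerates drift between the user's phone and the server, while the `last_counter` check ensures that tolerance does not turn into a replay opportunity. The window size, and whether a second failed code triggers lock-out, are policy decisions each of the four standards leaves to the organisation.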

2. Boundary Security

Whether your boundary is a network or a specific device, such as a laptop or mobile phone, preventing unauthorised access and connections to it is a cornerstone of cybersecurity, most often provided by a firewall.

Network boundaries, virtual networks and devices should all have hardware or software firewalls, plus antivirus software to block known attack vectors; this provides at least the minimum security level required by our four comparative regulations/standards.

3. Incident Response

In a sign of a maturing cybersecurity world, our four regulations/standards all include provisions for incident response planning and execution.

This acknowledges the IT security mantra that nothing is guaranteed and a breach is always possible.

In the event of a breach, organisations are now expected to have a rehearsed plan to react in a way which warns those affected, minimises the impact and returns the organisation to an operational state as soon as possible.

4. Continuity Planning

Where things go dramatically wrong, continuity planning should help to return things back to normal with minimal impact.

Why do the regulations and standards care about an organisation's ability to bounce back?

Well, because organisations have become highly reliant on their IT. This is particularly true in the case of the NIS directive, which affects operators of essential services, such as utility providers, and digital service providers, such as online marketplaces and search engines.

Our reliance on such services has created a position of vulnerability, which becomes obvious whenever there is a lengthy electricity outage.

Continuity planning should include high levels of availability through redundancy, backups and secondary operational sites.


Posted by: Chris Payne
Senior Technical Consultant, Infinigate UK
