The Network and Information Systems regulations are to be updated to include MSPs and outsourcers, following a spate of supply chain attacks
Security professionals have welcomed the UK government’s proposed steps to improve security standards in the UK through legislation to protect users of managed IT services, by imposing new rules on these service providers. This may interest you : How Managed IT Services Help With Business Formation?.
Consultations on the proposals were launched by the Ministry of Digital, Culture, Media and Sport (DCMS) on Wednesday 19 January, amid the Prime Minister’s Question. It comes after a torrid year for IT security teams, with a spike in cyberattacks at all levels, and after the £2.6 billion National Cyber Strategy published in December 2021.
The government is now working on a series of updates to the 2018 Information Systems and Networks (NIS) regulations, which were originally designed to protect the security of critical national infrastructure (CNI) providers, in this case, utilities, transportation, health care. and communications – backed by millions of pounds in fines for non-compliance.
This regulation will expand in scope to cover managed service providers (MSPs) and specialized online and digital service providers, including managed security services, workplace services, and general IT outsourcing.
Julia Lopez, minister of state for media, data and digital infrastructure, said: “Cyber attacks are often possible because criminals and adversary states cynically exploit vulnerabilities in the digital supply chain of businesses and outsourced IT services that can be repaired or patched.
“The plans we’re announcing today will help protect critical services and our broader economy from cyber threats. Every organization in the UK must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It’s not an optional addition,” Lopez said.
Such companies in the future will be required to conduct a more thorough risk assessment and implement “reasonable and proportionate security measures” to protect their networks. They will also be mandated to report critical incidents; to have a dynamic and executable recovery plan; and to be able to demonstrate their compliance with the Information Commissioner’s Office (ICO). The new law will also give the government the authority to verify future NIS regulations by updating their scope if necessary.
All relevant costs incurred by the regulator to enforce the new regulations will be transferred from the taxpayer to the organization, namely the MSP, which is covered by the law, which the government says will create a more flexible financial system and reduce the burden of general taxation.
DCMS says its own research has found only 12% of UK organizations are currently reviewing the cyber risks their direct suppliers may face, and only 5% are taking steps to address vulnerabilities in their wider supply chains.
National Cyber Security Center (NCSC) technical director Ian Levy said: “I welcome this proposed NIS regulatory update, which will help improve the UK’s overall cybersecurity resilience. These measures will ensure that cybersecurity risks are well managed by the organizations and people they rely on.”
Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Centre, adds: “Most modern organizations are, in fact, distributed operations where online storefronts, payment processing, inventory management, and even staff management occur using third-party services for even the smallest. from business.
“Because the management of these services is often outside the realm of business expertise, it is not uncommon to find businesses using MSP as an outsourced digital service provider. Extending NIS regulations to include MSPs will help small businesses achieve higher levels of cyber resilience, where the recent Log4Shell vulnerability illustrates that cyber resilience is a function of how well the software supply chain is understood.
“Unfortunately, few organizations review cybersecurity risks in their live software supply chains. By requiring large companies to report all cyberattacks they experience, the proposed NIS regulations effectively encourage risk assessment in the software supply chain because software risk is a business risk,” he said.
Oliver Smith, cyber litigation attorney at Keystone Law, also voiced his support for the NIS expansion: “The law has recognized threats to critical services, such as water, electricity, and transportation, but recent cyber attacks, such as the Colonial Pipeline attack in the US where the gas pipeline that supplies 45% of the East Coast’s oil was closed, illustrates the vulnerability of critical service companies to computer systems.
“While these companies are covered by regulation and proactive oversight by ICOs to ensure they maintain high standards of physical and cyber security, the outsourcing companies that many use to manage their computer networks are not yet regulated. This law change will bring the outsourcing company under ICO regulations.
“Given that these outsourced companies can be responsible for hundreds of enterprise IT services, any compromise of their security could have a major impact on the services provided by that client company and result in many different services being interrupted at the same time. This could be from a criminal ransomware attack or from state-sponsored cyber terrorism.
“The new law will also require greater reporting of attack attempts to include failed attempts and low-level attacks and disruptions to services. This will allow ICOs to spot risks early before they lead to serious disruption to critical services,” said Smith.
The government says additional legislation is needed to improve overall security and, to this end, has launched separate consultations covering proposed powers for the UK Cybersecurity Council – the new professional regulator for cyber ‘trafficking’ – around security qualifications and certifications. This may interest you : Tech Tip: Managed Services Insure Against Murphy’s Law.
It said that as the UK technology sector continues to develop, more people are attracted to cybersecurity careers, and it can be difficult for organizations – whether hiring or contracting – to know what skills and qualifications are desired.
The UK Cyber Security Council was formed last year to address this issue by spearheading the creation of new professional standards and accreditations, bringing cyberspace in line with other established professions such as accounting or engineering.
The new proposal will give him the ability to define and identify cyber job titles and link them to existing qualifications and certifications. Future cyber pros will have to meet board-specific competency standards across various security specialties before they can use certain job titles. Also on the table is a List of official Practitioners, such as those in the medical and legal professions, establishing security pros who are recognized as ethical, suitably qualified, or senior.
DCMS says this will make it easier for employers to identify exactly what skills they need to recruit, and provide candidates and existing cyber pros with further clarity on career paths.
Simon Hepburn, CEO of the UK Cybersecurity Council, said: “The UK Cybersecurity Council is pleased that this proposal recognizes the central role of our cyber workforce which will help define and recognize the role of cyber jobs and map them to existing certifications and qualifications.
“We look forward to engaging and contributing to this important government consultation and will encourage all key stakeholders to participate as well.”
Read more on Regulatory compliance and standard requirements
NIS security regulations proving effective, but more work to do
Dutch businesses not yet implementing NIS Directive
EU gathers momentum in cyber security legislation and cooperation
CNI providers face hefty fines for cyber security failings
Regardless of the purpose of a security policy, one cannot completely ignore any of the three main requirementsâ€”confidentiality, integrity, and availabilityâ€”which are mutually supportive. For example, confidentiality is required to protect passwords.
What are the top cyber security challenges?
Here are the top cybersecurity challenges that the healthcare industry needs to be aware of: See the article : Cary Area Chamber hosts ribbon cutting for StratusComm-Managed IT Services.
- Malware and ransomware. …
- Data breach. …
- Insider threats. …
- Distributed denial of service (DDoS) attacks. …
- Cloud threat. …
- Phishing attack.
What are the security issues in information security?
Information Security Threats can be many such as Software attacks, intellectual property theft, identity theft, equipment or information theft, sabotage, and information extortion.
What are the types of security problems? Malware is malicious software such as spyware, ransomware, viruses, and worms. Malware is activated when a user clicks on a malicious link or attachment, leading to the installation of malicious software. Cisco reports that the malware, once activated, can: Block access to key network components (ransomware)
What is meant by information security?
Information security is a set of practices designed to keep personal data secure from unauthorized access and alteration during storage or transmission from one place to another. … Used to protect data from misuse, disclosure, destruction, modification and tampering.
What are the 3 principles of information security? The CIA triad refers to an information security model consisting of three main components: confidentiality, integrity, and availability.
What is information security with example?
Information Security is basically the practice of preventing unauthorized access, use, disclosure, tampering, modification, inspection, recording, or destruction of information. Information can be physical or electronic.
How do you explain information security?
The term ‘information security’ means protecting information and information systems from unauthorized access, use, disclosure, tampering, modification or destruction in order to provide integrity, confidentiality and availability.
What is information security and examples?
Information security is a field of information technology that focuses on the protection of information. … For example, pass or code for building access, user ID and password for network logins, and fingerprint or retina scanners when security needs to be advanced.
Why is information security?
Why is Information Security Important? … Solid Infosec reduces the risk of attacks in information technology systems, implements security controls to prevent unauthorized access to sensitive data, prevents service disruptions through cyber attacks such as denial of service (DoS attacks), and more.
What is Information Security & explain its need?
What is Information Security? Information security ensures good data management. It involves the use of technology, protocols, systems, and administrative measures to protect the confidentiality, integrity, and availability of information.
Why is information security so important?
It protects the organization’s ability to function. It enables secure operation of applications implemented on an organization’s IT systems. It protects the data the organization collects and uses. It protects the technology the organization uses.
What are the five security risk methodologies?
Given a particular risk, there are five strategies available to security decision makers to reduce risk: avoidance, abatement, deployment, transfer and acceptance.
What is the methodology for conducting an information security risk assessment? There are two main methods of conducting a risk assessment: quantitative and qualitative.
What is security risk and its types?
We usually think of computer viruses, but there are several types of bad software that can pose a computer security risk, including viruses, worms, ransomware, spyware, and Trojan horses. Misconfiguration of computer products and unsafe computing habits also pose risks.
What are security risks?
Definition of security risk 1: someone who can damage an organization by providing information to an adversary or competitor. 2: someone or something that endangers the safety of Packages left unattended will be considered a security risk.
What is security threats and its types?
Information Security Threats can be many such as Software attacks, intellectual property theft, identity theft, equipment or information theft, sabotage, and information extortion. … Software attack means attack by Viruses, Worms, Trojan Horses etc.
What are the different risk assessment methodologies?
There are two main types of risk assessment methodologies: quantitative and qualitative.
What six steps are common to most risk assessments methodologies?
It uses a six-step process that includes identifying hazards, assessing risks, analyzing risk control measures, making control decisions, implementing risk controls, and monitoring and reviewing.
How many risk assessment methods are there?
In the following sections four risk mapping methods will be discussed: Quantitative risk assessment (QRA), Event Tree Analysis (ETA), Risk matrix approach (RMA) and Indicator-based approach (IBA).
Which three of the following are included in supply chain risk?
Disruptive events that have occurred over the past few years fall into three broad categories of supply chain risks: Natural, Man-made and Economic Disasters.
Which of the following is an example of supply chain risk? Which of the following is an example of supply chain risk? Changes in product availability due to fire at the supplier. Which of the following is NOT a reason for the increased interest in supply chains?
What is included in supply chain risk?
External supply chain risk supply risk â€” caused by disruption to the flow of products, whether raw materials or spare parts, in your supply chain. environmental risks â€” from outside the supply chain; usually related to economic, social, governmental, and climatic factors, including the threat of terrorism.
What is supply chain risks?
In the general paper the authors define supply chain risk as “the likelihood and effect of a mismatch between supply and demand” .
What are the 4 types of risks in the supply chain?
Most of the risks that can disrupt your operations fall into four broad categories: economic, environmental, political and ethical.
Generally the key aspects of Supply Chain management are Purchasing (sourcing), Planning (scheduling) and Logistics (shipping).
What are the 3 types of supply chain strategies?
Supply chain management operates at three levels: strategic, tactical, and operational.
What are the 3 basic supply chain?
There are three main streams of supply chain management: product flow, information flow, and financial flow.