- David Polách
CSF2 is intended as a general tool - its aim is to raise the level of cybersecurity in organisations ranging from small public schools to large corporations. The CSF2 concept is built on six core "functions" that together are meant to cover the whole topic of cybersecurity in an organisation.
- govern
- identify
- protect
- detect
- respond
- recover
These functions are then divided into categories and subcategories. Compared with the previous version, the 'govern' function is new; it covers topics such as the organisation's context, roles and responsibilities, policies and supply chain management.
When studying the CSF2 documents, you cannot help feeling that much of what the concept contains differs little from existing regulations such as ISO 27001 or the NIS2 directive and the resulting draft Cybersecurity Act. NIS2/the new Cybersecurity Act, ISO 27001 and CSF2 are very similar - so, with some exaggeration, one can say that an organisation which has implemented the requirements of one of these regulations will already have met 30-90% of the requirements of the others.
How much overlap there is depends on the degree of implementation (for instance, a higher or lower level of obligations under the NZkb) and on the organisation's overall cybersecurity posture. Consequently, by implementing one of these regulations the organisation gains a better idea of what to expect when implementing the others, which reduces the time and money it has to spend.
All these regulations are interconnected through a risk-based approach. Identifying assets, their vulnerabilities, threats, and subsequent risk mitigation are the foundational building blocks of each.
In the practical application of risk-management concepts, such as creating business continuity plans (BCP), it is largely common sense put down on paper.
If CSF2, ISO 27001 and NIS2/NZkb are so similar, what five areas do they all require, and which should every organisation therefore address?
1) Identification of assets
- Every organisation that uses ICT equipment to provide its services depends on that equipment - typically hardware and software (these are the organisation's assets in the area of cyber and information security). To ensure information security successfully, it is important to keep a record of these assets.
2) Threats & Vulnerabilities
- By their nature, assets are exposed to various threats, which are realised through vulnerabilities. A company laptop with no antivirus and no disk encryption, which an employee can take home and whose work account has administrator privileges, is simply not ideal. Monitoring threats and minimising vulnerabilities is one of the goals of cybersecurity; the point is to reduce the risk associated with the asset.
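The "identify assets, find their vulnerabilities and threats, then mitigate" loop from points 1 and 2 can be made concrete in a few lines. The following is an added illustration, not code from the article or from any of the frameworks: a minimal asset register with a handful of vulnerability rules (the laptop case from the text among them) and a risk score. The 1-5 likelihood and impact scale, the rule set, the control names and the sample assets are all assumptions chosen for the example.

```python
"""Minimal asset register with a risk-based check (added example).

Assumed scoring: likelihood 1-5, impact 1-5, risk = likelihood * impact.
The vulnerability rules and asset fields are illustrative, not taken from
CSF2, ISO 27001 or NIS2/NZkb.
"""
from dataclasses import dataclass, replace


@dataclass
class Asset:
    name: str
    kind: str                          # e.g. "laptop", "server"
    impact: int                        # 1-5: business impact if compromised (assumed scale)
    portable: bool = False             # can leave the premises
    disk_encrypted: bool = False
    endpoint_protection: bool = False  # antivirus / EDR installed
    user_is_admin: bool = False        # day-to-day account has admin rights


@dataclass
class Finding:
    asset: str
    vulnerability: str
    threat: str
    likelihood: int                    # 1-5 (assumed)
    impact: int
    mitigation: str

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


# Each rule: (predicate, vulnerability, threat it enables, assumed likelihood, mitigation)
RULES = [
    (lambda a: a.portable and not a.disk_encrypted,
     "unencrypted disk on a portable device", "loss or theft exposes the data", 4,
     "enable full-disk encryption"),
    (lambda a: not a.endpoint_protection,
     "no endpoint protection", "malware infection goes unnoticed", 3,
     "deploy antivirus / endpoint protection"),
    (lambda a: a.user_is_admin,
     "everyday account has administrator privileges", "malware runs with full rights", 3,
     "work under a standard account; keep a separate admin account"),
]


def assess(assets):
    """Return all findings across the register, highest risk first."""
    findings = []
    for a in assets:
        for pred, vuln, threat, likelihood, mitigation in RULES:
            if pred(a):
                findings.append(Finding(a.name, vuln, threat, likelihood, a.impact, mitigation))
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def total_risk(assets):
    """Sum of risk scores over all findings - a crude 'before/after' indicator."""
    return sum(f.risk for f in assess(assets))


def apply_mitigations(asset):
    """Copy of the asset with the three controls from RULES applied."""
    return replace(asset, disk_encrypted=True, endpoint_protection=True, user_is_admin=False)


# Constructed sample register: the laptop from the article and a well-kept server.
SAMPLE_REGISTER = [
    Asset("LAP-017 (sales laptop)", "laptop", impact=4, portable=True),
    Asset("SRV-01 (file server)", "server", impact=5,
          disk_encrypted=True, endpoint_protection=True),
]
# The laptop gets the defaults: no encryption, no antivirus, plus admin rights below.
SAMPLE_REGISTER[0].user_is_admin = True


if __name__ == "__main__":
    for f in assess(SAMPLE_REGISTER):
        print(f"{f.asset}: {f.vulnerability} -> {f.threat} (risk {f.risk}); {f.mitigation}")
    print("total risk before:", total_risk(SAMPLE_REGISTER))
    hardened = [apply_mitigations(SAMPLE_REGISTER[0]), SAMPLE_REGISTER[1]]
    print("total risk after: ", total_risk(hardened))
```

Running it lists three findings for the laptop (the encrypted-disk rule scores highest because the device is portable), none for the server, and shows the total dropping to zero once the three controls are applied. In a real register the rules, scales and asset fields would come from the organisation's own risk methodology; the shape of the loop is what carries over between the frameworks.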
3) Incident management
- If a cyber security incident occurs, it is a good idea to have the steps to follow prepared in advance. Simple, step-by-step procedures, printed out - so that they can be followed in a stressful situation in which not a single computer can be switched on.
4) Business continuity
- The aim of the organisation is to keep providing its services - whether in business or in public administration. When several things go wrong at once, it is important to have plans in place (e.g. contingency plans) that make clear how the organisation will get through the coming days and weeks, so that it can resume operations as soon as possible and with minimal damage.
5) Documentation
- And finally - documentation, documentation, documentation. The points above need to be written down. Most importantly, documentation is essential to the functioning of your organisation - if procedures exist only in employees' heads, you run the risk that they will not be available when an employee falls ill or leaves. You will also need the documentation during audits - whether you want to obtain certification or avoid a fine from NUKIB.