10 security requirements to implement under NIS2

Plantvision, together with WithSecure, recently held a webinar on the topic "Cybersecurity - how is NIS2 affecting Life Science companies & what applies.". The purpose of the webinar was to go deeper into the new directive and help the participants to interpret the 72-page directive text in order to give an overall picture of the most important parts, what the 10 security requirements were and how companies should think - and act - in order to stay ahead of the competition. The new directive NIS2 specifies 10 security requirements that you need to implement in your organization.

What are these security requirements and what security measures can be taken to meet these requirements?

The following safety requirements can be found in Article 21 (2) of the Directive text:

1. Policy on risk analysis and security of information systems

A risk-based and systematic approach to information security facilitates long-term efforts and ensures that you prioritize the mitigation of security risks that may have the greatest likelihood and impact on your business.

Do you currently conduct risk analyses that take into account information security risks?
Do you appoint risk owners to mitigate these risks?
Does your management team drive the decision-making on which risks need to be mitigated and allocate adequate resources for safety work?
Do you have policies and standard operating procedures that clearly show what you need to do to meet the security requirements of stakeholders?

2. Incident management process and incident reporting within 24h, 72h and 1 month

The incident management process has many moving parts and it needs to be very clear to ensure that incidents are reported to the right communication channel, that the right department handles it, that escalation and prioritization is done and that action is taken within a reasonable timeframe to reduce the consequences of the incident. Other things that are good to investigate are how good the technical detection capability of the organization is; what log sources exist, what tools are available on Location, who reviews the results of the tools, etc.

Do you have an incident management process that addresses these incident reporting requirements?
Who is responsible for deciding which incidents need to be reported, which parties are involved, who should report and write the incident report?

3. Crisis management, business continuity management, business continuity and backup.

A business needs to prepare for worst-case scenarios. These scenarios can be documented in a business continuity plan. To maintain continuity, you need to identify which systems are business-critical to maintain operations. In both parts, you need to conduct exercises to find gaps and practice your ability to act when disruptions occur, or when an attacker has entered your system.

Have you done a Business Impact Analysis?
Do you have a business continuity plan on Location and carry out crisis exercises on a regular basis?
Have you set up recovery plans for your business-critical systems, and performed technical recovery tests on your backups?

4. Supply chain security

Your suppliers become your business-critical partners as soon as they provide IT operations or business-critical applications to you. This also means that you will be indirectly affected if your supplier has poor security - unfortunately, this is often discovered when it is too late to do anything about it. Therefore, make sure you identify which suppliers house your most important assets and verify that they take security seriously.

What security requirements have you set for your suppliers?
Have you followed up with your suppliers to ensure that they comply with these security requirements?

5. Secure development and vulnerability management (self-developed and purchased)

It is a well-known myth that all software contains bugs and potential vulnerabilities; they just need to be discovered by curious individuals. This means that you need to be proactive in reducing the number of vulnerabilities in the first place, and have an established process for dealing with vulnerabilities once they are identified and fixed within a reasonable period of time.

If you develop your own software, how does your development process ensure secure development?
When you buy applications (e.g. SaaS), do you require them to work with secure development?

6. Internal audits and penetration tests

It's very easy to be complacent or to overestimate your level of security if you haven't asked someone to check whether this is true in reality. In fact, it is only during internal audits and penetration tests that you discover your security gaps - the alternative is that an attacker does it instead.

Do you conduct internal audits with a focus on information/IT security?
Do you hire an external party to conduct penetration tests on your main applications and products, or do you do it yourself?

7. Training on cybersecurity and cyber hygiene

Employees need to know where to report security incidents, which is why password managers are useful,

the risks involved in sharing company information on social media and how to manage company information (storing, sending, etc.). It is also important to implement basic security measures first, before tackling the more complex ones.

Do you train your employees on how to create good passwords and how to use password managers?
How do you work to build a safety culture in your organization?
How does the patch management process currently work and what software and hardware is covered?

8. encryption and encryption algorithm policy

Encryption algorithms and hash functions, which have no known vulnerabilities, should be used and their use needs to be made clear.

Have you defined the encryption algorithms to be used in software (either developed or purchased)?
Have you also made it clear which encryption algorithms are banned from use or need to be phased out?

9. Personnel security, access control and asset management

Depending on the sensitivity of the job role, it may be important to carry out pre-employment background checks on staff. Examples include criminal record checks (criminal history), credit checks (financial problems) or reference checks and verification of academic credentials (some professional roles may not even be practiced if you lack these). Access control is about regulating how employees gain access to various systems through documented approval and only in relation to their professional role, as well as removing permissions when the person leaves. Asset management is about keeping track of where the organization's crown jewels are located and which systems are affected (because it is these systems that you need to protect first).

What background checks are carried out when recruiting staff?
Is the granting of access to user accounts done through a formal process where access has to be approved?
What are your key assets and where have you documented this?

10. Multi-factor authentication, encrypted video conferencing systems and encrypted emergency communication systems.

Multi-factor authentication should be turned on, where practical, as it is a basic security measure to have on Location. Using encrypted communication, in general, is good because there is no reason to send company information over an unencrypted channel.

What mechanisms do you currently use for multi-factor authentication?
What are your primary communication channels today when employees are working together?
Do you have redundancy to continue communicating if these communication channels are down?

As these ten security requirements, and the Directive as a whole, show, there are efforts required for a company to conduct its business in accordance with NIS2. Starting with an inventory, risk management process, incident reporting process, defining management responsibilities and roles, oversight and sanctions, is a good start.

Plantvision and WithSecure can of course help you implement or improve all these points and of course everything related to NIS2.

Kristina Eneling
Senior Expert Consultant QM Plantvision
Tel: +46 8 56859539
Mail: kristina.eneling@plantvision.se

Albert Koubov Gonzalez
Security & Risk Management Consultant WithSecure™
Mail: plantvision@withsecure.com

Kaka	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Analytics" category.
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Necessary" category.
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
elementor	fist	The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	1 year	The GDPR Cookie Consent plugin sets the cookie to store whether or not the user has consented to use cookies. It does not store any personal data.

Kaka	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	fist	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	fist	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	fist	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	fist	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Kaka	Duration	Description
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.