member state must implement in national legislation before 17 October 2024. The focus is on risk management, so national legislation and the organisations it regulates must follow a risk-based approach to cybersecurity, which aligns with current standards and best practices in the area. Taking a risk-based approach means that small organisations with few customers will not be covered by the NIS 2 regulation unless service failure may have large consequences for at least one of their customers. It is, therefore, important for all DH companies to perform a risk analysis, which must include an impact analysis of service failure to all their customers. The directive also defines a scheme of fines for non-compliance, like the heavy fines in the GDPR, and it explicitly identifies the board’s responsibility to ensure that the board has sufficient cybersecurity expertise to implement a robust risk management framework for the organisation. Moreover, the board is responsible for ensuring that top management has the necessary cybersecurity expertise to implement the cybersecurity strategies and frameworks defined by the board and to oversee the development of required cybersecurity expertise throughout the organisation. If the board fails to fulfil this responsibility, individual board members may be held personally liable for the consequences of a cyber-attack.
Security Goals
To understand and discuss the security of systems, it is important to identify the security goals the system is designed to meet. Standard security properties include Confidentiality, Integrity, and Availability, often known as the CIA Triad. These properties often relate to data stored on or exchanged between computers, but focusing exclusively on these properties fails to address security issues in the context of the organisation, e.g., supporting the long-term strategic goals or the day-to-day business of the operation.

An organisation operating a DH infrastructure must achieve at least three goals: correctly and reliably collecting data necessary to bill their customers, protecting this customer data from unauthorized access, and monitoring and regulating their network according to a standard control loop. What are the respective security properties required to achieve each of these goals? We look at each of these goals and show how the relative importance of the three security properties changes for the three high-level security goals.
23 www.dbdh.dk