European Cybersecurity Implementation: Overview
About ISACA®
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
Provide feedback: www.isaca.org/EU-cyber-implementation
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
© 2014 ISACA. All Rights Reserved.
ACKNOWLEDGEMENTS

Development Team
Rolf M. von Roessing, CISA, CISM, CGEIT, CISSP, FBCI, Forfa AG, Switzerland, Lead Developer
Vilius Benetis, Ph.D., CISA, CRISC, NRDCS, Lithuania
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece
Ivo Ivanovs, CISA, CISM, MCSE, Ernst & Young Baltic SIA, Latvia
Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP, Industrial Cybersecurity Center (CCI), Spain
Charlie McMurdie, PricewaterhouseCoopers, UK
Andreas Teuscher, CISA, CGEIT, CRISC, Sick AG, Germany

Expert Reviewers
Derek Grocke, HAMBS, Australia
Jesper Hansen, CISM, CRISC, CISSP, ESL, PFA Pension, Denmark
Martins Kalkis, CISM, Latvian Mobile Telephone, Latvia
Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP, Industrial Cybersecurity Center (CCI), Spain
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Aare Reintam, CISA, Estonian Information System Authority, Estonia
Andrea Rigoni, Intellium Ltd., UK
Marc Sachs, Verizon, USA
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium

Cybersecurity Task Force
Eddie Schwartz, CISA, CISM, CISSP, MCSE, PMP, USA, Chairman
Manuel Aceves, CISA, CISM, CGEIT, CRISC, CISSP, FCITSM, Cerberian Consulting, SA de CV, Mexico
Sanjay Bahl, CISM, CIPP, India
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Brent Conran, CISA, CISM, CISSP, USA

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA

ISACA Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director
This paper is the overview of the ISACA European Cybersecurity Implementation Series of papers that addresses cybersecurity implementation from a European perspective, including the European Union (EU)[1] and its associated countries.[2] European Cybersecurity Implementation: Overview provides a high-level overview of implementing cybersecurity good practice in line with existing laws, standards and other guidance. This overview paper is complemented by three detailed papers that focus on risk guidance, resilience and assurance in cybersecurity. The series Assurance paper also is complemented by a separate generic Audit Programme paper. Figure 2 shows the structure of the series within the context of the ISACA security publications.
[Figure 2: Structure of the European Cybersecurity Implementation Series within the ISACA security publications. Only the label "European Cybersecurity Implementation: Audit Programme" survives from the figure.]
[1] The European Union (EU) includes the 28 member states, e.g., France, The Netherlands and Spain, and any of their territories outside of Europe.
[2] Associated countries are linked to the EU by treaties or other agreements. Therefore, part of their cybersecurity policy and strategy may be aligned with EU guidance. Examples of associated countries include the British Channel Islands, Liechtenstein and Switzerland.
[Figure 3: Target audience of the European Cybersecurity Implementation Series papers. Rows: Overview, Risk Guidance, Resilience, Assurance, Audit Programme. Columns: CxO/Senior Management (Business), Chief Information Officer (CIO)/IT Management, Information/Cybersecurity Practitioner, Auditor/Reviewer. The audience markings are not reproduced.]
The European cybersecurity laws and regulations are usually more stringent for industry sectors that are regulated
or classified as critical infrastructure than for unregulated industries. However, the presence of legal provisions or
regulations is not the only cybersecurity driver. Some industry sectors have experienced a higher rate of cybercrime,
cyberwarfare or industrial espionage than others.
Figure 4 shows some of the industry sectors that can benefit particularly from specific papers in the
European Cybersecurity Implementation Series. This list is by no means exhaustive, but provides
suggestions for recommended reading.
[Figure 4: Recommended reading by industry sector. Columns: Overview; Risk Guidance/Resilience/Assurance[3]; Audit Programme[4]. Rows: Public, Telecommunications, Finance and Insurance[5], Health care, Critical Infrastructures, Automotive, IT service providers[6], Audit, Consulting. The sector-to-paper markings are not reproduced.]
[3] Use this guidance in collaboration with national institutions and their individual guidance on cybersecurity.
[4] The Audit Programme paper is for practitioners or specialists tasked with performing reviews or audits.
[5] Financial institutions and insurers should also refer to their specific industry sector regulation, e.g., Basel III.
[6] IT service providers should review their client base for any inherited regulatory requirements. For the risk, resilience and assurance requirements and potential audits, these providers should also refer to ISAE 3402 and national implementations, respectively.
[7] See http://www.enisa.europa.eu for details.
[8] Available at http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1667.
[9] ENISA provides an overview of national strategies at https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national-cyber-security-strategies-in-the-world.
[10] European Commission, “Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions—Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace,” Brussels, 2 July 2013, p. 3, http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1667
[11] ISACA, “Cybersecurity Glossary,” 2014, http://www.isaca.org/Knowledge-Center/Documents/Glossary/Cybersecurity_Fundamentals_glossary.pdf
[12] ISACA, Transforming Cybersecurity, USA, 2013, p. 11, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Transforming-Cybersecurity-Using-COBIT-5.aspx
Enterprises should distinguish between standard (lower-level) information security and cybersecurity; the difference lies in the scope, motive, opportunity and method of the attack. Cybersecurity should focus on APTs to enable a clear and targeted set of cybersecurity measures and actions, as shown in figure 5.
[Figure 5: Cyberattack Taxonomy[13]. The figure plots attacker categories (Script Kiddies, Hackers, Insiders, APT, State-sponsored) against attacker resources/sophistication and risk, with motives ranging from amusement/experimentation/nuisance through money and personal gain to intelligence gathering and espionage and weaponization. The APT life cycle is shown as Initial Exploitation, Command and Control, Privilege Escalation and Data Exfiltration. A timeline from the 1980s/1990s to 2012 lists notable malware and incidents: BrainBoot/Morris Worm, Polymorphic Viruses, Michelangelo, Concept Macro Virus, Melissa, “I Love You”, Anna Kournikova, Sircam, Code Red and Nimda, SQL Slammer, Blaster, Sobig, MyDoom, Netsky, Sasser, Storm botnet, Koobface, Conficker, Aurora, Mariposa, Stuxnet, WikiLeaks, Anonymous, LulzSec, SpyEye/Zeus, Duqu, Flame.]
For the ISACA European Cybersecurity Implementation Series, the EU and ISACA cybersecurity definitions are used jointly, to integrate all relevant aspects of cybersecurity. Adding a multi-dimensional view, such as PESTLE[14], is useful to better understand the potential impacts of cyber threats and risk. Figure 6 shows the difference between the areas covered by cybersecurity and the areas covered by traditional information security.

[Figure 6: Cybersecurity versus information security coverage on a PESTLE-style chart with the axes Political, Economic, Social, Technical and Environmental and impact levels 1 to 5, distinguishing “Low to Medium Level Attacks (Infosec)” from “APT Attacks (Cybersec)”.]
[13] ISACA, Responding to Targeted Cyberattacks, USA, 2013, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Responding-to-Targeted-Cyberattacks.aspx
[14] PESTLE analysis is a detailed view of an enterprise’s Political, Economic, Social, Technical, Legal and Environmental environment. For more information, see www.pestleanalysis.com.
In addition to the cybersecurity scope that is described in the definitions and its focus on certain kinds of threats, risk and attacks, cybersecurity should be placed within the internationally agreed-upon threat levels that are declared by nation states or supranational bodies. Figure 7 shows these threat levels and the types of cyberattacks, based on their required effort and sophistication. The red rectangle denotes the type of attack and threat level usually covered by cybersecurity, whereas the remaining area is covered by information security.

Regardless of any agreed-upon definition of cybersecurity, the task remains unchanged: organisations should delineate the boundaries between standard information security and cybersecurity. The former is often subject to budget and resource restrictions; the latter faces highly intelligent attackers with motive, opportunity and often formidable skills. These facts should be taken into consideration when adopting an enterprise definition of cybersecurity.
[Figure 7: Threat levels and types of cyberattack ranked by effort/sophistication.[15] From high to low effort/sophistication: Cyberwarfare, Directed APT, Spear phishing, Zero-day/complex exploits, Simple malware attacks. The red rectangle marking the area covered by cybersecurity is not reproduced.]

[15] Op cit ISACA, Transforming Cybersecurity
[16] Op cit European Commission
[17] For more information, see ISACA’s Advanced Persistent Threat Awareness Study Results (2014) at www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Advanced-Persistent-Threats-Awareness-Study-Results.aspx.
Although cybercrime is a known fact, many European countries are only now beginning to undertake national threat and risk assessments. Similarly, the potential for cyberwarfare that is directed at nation states in Europe has been recognised but rarely quantified. At this point in time, much of the intelligence available in the public domain has been contributed by industry[18] or independent associations and groupings.[19] Although European law enforcement has collected data and information on crime and criminal acts, co-ordinated efforts will take more time to reach the planned level.

CONSEQUENCES FOR CYBERSECURITY
An important starting point is the realisation that statements about cyberattacks should begin with ‘when’ rather than ‘if’. The very real threats cannot be ignored, nor can they be accepted, given the growing body of knowledge and planned regulation. Enterprises should work to integrate cybersecurity as a cross-functional discipline that integrates with the following:
• Information security
• Traditional corporate security, including physical
• ERM
• IT service continuity management (ITSCM) and business continuity management (BCM)
[18] See information security, cybercrime and cybersecurity surveys that are published by international consulting firms and vendors, such as the following:
• “Special Eurobarometer 390 Cyber Security Report,” July 2012, at http://ec.europa.eu/public_opinion/archives/ebs/ebs_390_en.pdf
• “Special Eurobarometer 404 Cyber Security Report,” November 2013, at http://ec.europa.eu/public_opinion/archives/ebs/ebs_404_en.pdf
• “2013 Information Security Breaches Survey Technical Report,” Department for Business Innovation & Skills, at www.gov.uk/government/uploads/system/uploads/attachment_data/file/200455/bis-13-p184-2013-information-security-breaches-survey-technical-report.pdf
• Symantec, “2013 Cost of Data Breach Study: Global Analysis,” May 2013, conducted by Ponemon Institute LLC, www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
• CERT Division of the Software Engineering Institute (SEI) studies at www.cert.org/cybersecurity-engineering/publications/index.cfm
[19] Examples include ISACA and other industry associations.
[20] For example, see the LÜKEX exercise in Germany, which was the scenario of a widespread cyberattack on selected critical infrastructures, www.bbk.bund.de/SharedDocs/Pressemitteilungen/BBK/DE/2011/PM_Luekex_2011_IT_Sicherheit_auf_Pruefstand.html (in German).
REQUIREMENTS
In the European context, legislative and regulatory requirements for cybersecurity apply to many enterprises. These requirements need to be included in the compliance framework by applying a goals cascade in a top-down manner, as shown in figure 8. The top level—stakeholder drivers—includes strategic imperatives, such as those expressed in the Digital Agenda for Europe 14 cybersecurity actions, and any subsequent legislation or regulation. Enterprises need to adopt these rules and translate them into elements of the business case.

[Figure 8: Goals Cascade[21]. Stakeholder Drivers (Environment, Technology Evolution, ...) influence Stakeholder Needs, expressed as Benefits Realisation, Risk Optimisation and Resource Optimisation; these cascade to Enterprise Goals, which cascade to IT-related Goals, which cascade to Enabler Goals. Source: COBIT 5, ISACA, USA, 2012, figure 4]

European requirements further influence the enterprise by addressing one of the three dimensions depicted in the goals cascade: benefits realisation, risk optimisation or resource optimisation. In practice, cybersecurity most often addresses risk. However, many cybersecurity requirements have a value dimension (e.g., reputation) and a resource implication (e.g., skills and specialisations).

For example, the implementation of a national cybersecurity law may appear to be a purely compliance-driven exercise at first sight. When analysing the enterprise, senior management will likely realise the benefits of implementing the new requirements in terms of customer confidence, reputation and—most importantly—a more favourable position with regard to cyberattacks and threats.

Enterprises translate stakeholder-driven requirements into enterprise goals, and then drill down into the corresponding IT goals. The Enabler Goals in figure 8 refer to the seven categories of enablers, which are the practical tool set provided in the COBIT 5® framework and broadly defined as anything that can help to achieve the objectives of the enterprise.

Typically, external requirements address the compliance and risk dimensions of the GRC triad. They invariably represent ‘must have’ items on the senior management agenda and provide a compelling business case.
[21] The goals cascade is from COBIT® 5, an internationally recognised framework for governance, risk management and compliance (GRC) in IT and related technologies. It is freely available at www.isaca.org/cobit.
[22] An example standard is ISO 27032, which provides informal guidance on cybersecurity. Likewise, the lead standards ISO 27001 and ISO 22301 provide specifications on information security management systems and business continuity management systems, respectively.
[23] For examples, see “Special Eurobarometer 390 Cyber Security Report,” July 2012, at http://ec.europa.eu/public_opinion/archives/ebs/ebs_390_en.pdf, and “Special Eurobarometer 404 Cyber Security Report,” November 2013, at http://ec.europa.eu/public_opinion/archives/ebs/ebs_404_en.pdf.
[24] For information about the EUROPOL European Cybercrime Centre, see https://www.europol.europa.eu/ec3.
[25] For an example, see “UNODC Comprehensive Study on Cybercrime,” February 2013, at www.unodc.org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf.
[26] For an example, see “Cyber Crime Originates in Europe: Statistics and Trend Report,” 4 August 2013, at http://www.pymnts.com/uncategorized/2013/cyber-crime-originates-in-europe-statistics-and-trends-report/.
[27] Some of these surveys are commissioned by government agencies. For an example, see “2013 Information Security Breaches Survey Technical Report,” Department for Business Innovation & Skills, at www.gov.uk/government/uploads/system/uploads/attachment_data/file/200455/bis-13-p184-2013-information-security-breaches-survey-technical-report.pdf.
[28] Symantec, “2013 Cost of Data Breach Study: Global Analysis,” May 2013, conducted by Ponemon Institute LLC, at www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf.
[29] For an example, see “2013 Information Security Breaches Survey Executive Summary,” Department for Business Innovation & Skills, at www.pwc.co.uk/assets/pdf/cyber-security-2013-exec-summary.pdf.
[30] Many CERT studies are available at www.cert.org/cybersecurity-engineering/publications/index.cfm.
[31] As examples, consider the Zurich Insurance Group (2011) and Swisscom (2013) incidents, which both relate to lost or stolen backup tapes containing sensitive data.
[32] As an example, consider the Snapchat vulnerability (2013), which was discovered on iPhones, and the subsequent drop in market value that Snapchat experienced.
The COBIT 5 framework offers useful insights on substantiating and demonstrating business value as part of good
governance and management, and enterprises can use the goals cascade to demonstrate the benefits of cybersecurity.
Other frameworks33 and standards provide additional guidance on how to demonstrate the business value of
cybersecurity. When presenting the business case, experts and cybersecurity practitioners should ensure that they
address all aspects of the GRC triad and the goals cascade and possibly include the consequences for having the
balanced scorecard (BSC) and other measurement instruments in place.
It should further be noted that cybersecurity is not just about defending the enterprise and its information assets. In many
cases, restructuring parts or all of an enterprise IT environment in the course of strengthening cybersecurity is also an
opportunity for streamlining and optimising IT.
Cybersecurity Governance
Governance over cybersecurity has a much wider scope than governance over information security, due to the multiple facets of cybercrime and cyberwarfare. The cybersecurity governance framework covers enterprise security, social elements and technology.

Enterprises should first assess and review their existing governance arrangements, starting from the top of the enterprise, i.e., corporate governance, and moving through IT and related technologies to any existing governance arrangements in security. This step often reveals that a significant part of the enterprise is already regulated by binding provisions in legal, regulatory or compliance requirements. In many European states, governance is subject to binding external requirements in a number of areas, for example:
• Data protection and privacy
• Financial controls and the related internal control system, including financial reporting
• Government or state provisions on sensitive information (e.g., official secrets)
• Data custody and third-party processing

Enterprises that are aligning their cybersecurity governance with national and international arrangements should also mirror the following three-pillar approach[34] that is being implemented across Europe:
• First pillar—Definition and categorisation of critical infrastructures, and critical infrastructure protection plans and measures
• Second pillar—Digital Agenda for Europe and associated initiatives, including legislation and regulation
• Third pillar—European cybercrime centre, similar national institutions, and support for enterprises

DETERMINE THE BUSINESS IMPACT
The potential financial and non-financial impact and consequences of cybercrime and cyberwarfare should be the basis for cybersecurity governance provisions and arrangements. This impact determines the objectives and the extent of governance that is needed for the enterprise. In practice, larger enterprises are more likely to establish fairly detailed governance, whereas SMEs might choose to be more informal in defining and describing governance.

In most European countries, cybersecurity is closely related to BCM[35] and ITSCM.[36] Both of these disciplines are named in official sources[37] as being associated with good cybersecurity. Practitioners should adopt these disciplines to ensure alignment with emerging political and market trends.

Analysing and substantiating the potential business impact is dependent on tried and tested practical methods and techniques, which are described in more detail in the Managing Cybersecurity Risk section in this paper.
[33] Many organisations in Europe use ITIL® (IT Infrastructure Library) V3 to design, maintain and control their IT service management processes, including those relating to security. If ITIL, COBIT 5 or both are used, further details are available in the Val IT framework, a legacy ISACA product now included in the overall COBIT series.
[34] For an example outline of this approach, see Houdart, Jean-Baptiste, “EU Cybersecurity Policy: A Model for Global Governance,” atlantic-community.org, 6 February 2013, http://www.atlantic-community.org/-/eu-cybersecurity-policy-a-model-for-global-governance.
[35] Formally described in ISO 22301 and ISO 22313 standards, with informal guidance in the Business Continuity Institute Good Practice Guidelines 2013 Global Edition: A Guide to Global Good Practice in Business Continuity
[36] Formally described in ISO 27031 and ISO 24762 standards (for disaster recovery service providers)
[37] The concepts of continuity, resilience and related standards are integrated in many EU-level and national recommendations or draft statutes.
[38] More detail about how to implement cybersecurity governance based on the enabler model is given in ISACA’s Transforming Cybersecurity (2013) publication.
The other enablers can help enterprises in implementing practical governance steps rather than just providing written
guidance, which still needs to be reflected in daily business. Using the enabler-based approach ensures that the
underlying ideas and objectives of good cybersecurity governance are fully implemented and that no disconnect exists
between senior management thinking and the day-to-day business.
In enabler-based governance, enterprises should look for the potential manifestations of cybersecurity risk—whether it is
through events, near misses or unusual systems behaviour—before implementing a solution. Existing security solutions
should be systematically analysed and categorised to determine their effectiveness and value.
[39] See the ENISA guidebook on national cybersecurity strategies: European Network and Information Security Agency (ENISA), National Cyber Security Strategies Practical Guide on Development and Execution, Greece, December 2012.
[40] See http://www.enisa.europa.eu/activities/risk-management/current-risk/risk-management-inventory/glossary.
[41] See European Network and Information Security Agency (ENISA), National Cyber Security Strategies Practical Guide on Development and Execution, Greece, December 2012.
[42] An overview from a European point of view is given in the “ENISA Threat Landscape 2013,” at http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-2013-overview-of-current-and-emerging-cyber-threats.
[43] Business Continuity Institute, Good Practice Guidelines 2013 Global Edition: A Guide to Global Good Practice in Business Continuity, England, 2013, www.thebci.org/index.php/resources/the-good-practice-guidelines
Enterprises should also include and consider the national context(s) in which they are conducting business. Impacts may vary widely across member states of the EU, which is reflected in the national cybersecurity strategies.

The risk that is associated with various kinds of cybercrime and cyberwarfare is often seen as an extension of general information security risk. Practical implementation steps include risk identification, in-depth analysis and an assessment of the potential impact. In Europe, scenario-based approaches are sometimes preferred over ‘pure’ risk catalogues. However, most EU governments begin with an all-hazards approach and provide specific scenarios for the most likely types of attack or acts of war.

In terms of practical cybersecurity implementation, this means that enterprises should adapt their own risk identification and analysis process to the national approach, including the all-hazards assessment (if available) and the specific scenarios provided by each government.

RISK TREATMENT
All cybersecurity-related risk that was identified in the previous step should be categorised by possible risk treatment, which includes prevention, partial or full transfer, mitigation or formal risk acceptance. In many instances, cybersecurity will need to be event-driven, i.e., based on mitigation rather than full prevention.

For practical implementation purposes, further detail is provided in the European Cybersecurity Implementation: Risk Guidance paper in this series and in additional recognised sources.[45]

Based on the risk profile and available treatment options, the residual risk should be assessed for financial and non-financial consequences of cybercrime and cyberwarfare. Enterprises should include the business case and available information on the investment and operational expenditure that is associated with various options in a cybersecurity strategy. Typically, this information will lead to a number of available options that vary in cost, complexity and residual risk:
• Minimalist—Reduce cybersecurity actions and investment to a minimum while tolerating a comparatively high level of residual risk.
• Balanced—Opt for a more comprehensive cybersecurity investment and a moderate level of residual risk.
• Conservative—Aim for a precautionary, comparatively high, cybersecurity investment with little or no tolerance for residual risk.

In most European states, several areas of risk are governed by law or by regulation, for example, data privacy, specific protection of mail traffic (traditional and electronic), and data/identity theft. Enterprises that are implementing cybersecurity in the European context should be conscious of the fact that risk relating to these and other regulated areas should not be accepted as part of residual risk.
[44] Specifically, the business impact analysis (BIA) approach recommended in ISO 22301 and ISO 22313. Details on practical BIA implementation are available through secondary literature (see the Risk Guidance paper in this series).
[45] For examples, see COBIT® 5 for Risk, ISO 31000 on generic risk management and ISO 27005 on information security risk assessment.
[46] For example, see the ENISA portal on CIIP and resilience at http://www.enisa.europa.eu/activities/Resilience-and-CIIP.
[47] A vast amount of publicly available information from a European perspective is available. See, for example, www.enisa.europa.eu/activities/Resilience-and-CIIP/networks-and-services-resilience/cloud-computing and http://en.wikipedia.org/wiki/Cloud_Security_Alliance.
[48] See the portal at www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/scada-industrial-control-systems. Further information is available from ISACA at www.isaca.org
[49] See ISACA’s Transforming Cybersecurity publication for an in-depth discussion on management views and motivations, at www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Transforming-Cybersecurity-Using-COBIT-5.aspx.
[50] See, for example, Baud et al. (2014), at www.lexology.com/library/detail.aspx?g=1f872876-3d23-44e7-a8f1-92a9be8d080b, for an overview of selected EU member states.
[Figure (number not recoverable): Attack probability shown as a function of total employees, exploit availability and attractiveness of target. No further detail survives from the figure.]
In Europe, systemic concepts in cybersecurity are often found in management systems or life cycle concepts. Examples include the traditional plan-do-check-act (PDCA) cycle[53] and the life cycle around BCM and ITSCM. Enterprises that are implementing cybersecurity should embed their related programmes into existing management systems. It is particularly important to align the cybersecurity system of processes, actions and controls with the surrounding (or underlying) information security management system (ISMS).
[52] The underlying thoughts are outlined in ISACA’s Business Model for Information Security (BMIS) at www.isaca.org/bmis. Enterprises should note that the legacy BMIS has been incorporated into COBIT 5.
[53] The plan-do-check-act (PDCA) (or Deming) cycle is present in most major standards and series of standards, such as ISO 27000 and ISO 22301. The business continuity and IT service continuity
Cybersecurity Assurance
Enterprises should establish and maintain reasonable assurance over their cybersecurity activities and initiatives for
GRC. Providing cybersecurity assurance involves the system of enterprise internal controls and the organisational and
logical structures that support the functioning of these controls. Enterprises should implement the following three pillars
of assurance for cybersecurity:
• Organise and structure cybersecurity assurance along three lines of defence
• Define and evolve the cybersecurity control system
• Provide assessments, audits and forensic/investigative capabilities
Further details are given in the European Cybersecurity Implementation: Assurance paper in this series.
[54] Principles, policies and frameworks link directly to the first enabler in the COBIT 5 assurance model. See figure 9.
[55] See COBIT® 5 for Assurance for details on control architecture and control design.
[56] An example of a cybersecurity audit programme is provided in the European Cybersecurity Implementation: Audit Programme paper in this series, which can be found at www.isaca.org/EU-cyber-implementation
[57] There is an ongoing debate on mandatory incident reporting and intervention by public authorities in many European countries.
[58] Details for each of these actions can be found at http://ec.europa.eu/digital-agenda/en/pillar-iii-trust-security/ or by following the link attached to each listed action.
[59] Digital Agenda for Europe is at http://ec.europa.eu/digital-agenda/en/
European Commission, “Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions—Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace,” Brussels, 2 July 2013, http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1667
European Network and Information Security Agency (ENISA), National Cyber Security Strategies Practical Guide on Development and Execution, Greece, December 2012
International Auditing and Assurance Standards Board, ISAE 3402 Standard for Reporting on Controls at Service Organizations