Cu mai bine de 2 ani în urmă scriam pe un ton acid despre Strategia de securitate cibernetică a României.

Înclin să cred că evenimentele legate de scandalul NSA vor face ca “NIS Directive”, propusă în februarie  2013,  să fie aprobată foate curînd. Este foarte probabil ca anul 2014 să ne prindă cu ea în vigoare. Pînă atunci cîteva elemente de referinţă din această directivă, şi mai puţine comentarii din partea mea.

To that end, this Directive:
(a) lays down obligations for all Member States concerning the prevention, the handling of and the response to risks and incidents affecting networks and information systems;
(b) creates a cooperation mechanism between Member States in order to ensure a uniform application of this Directive within the Union and, where necessary, a coordinated and efficient handling of and response to risks and incidents affecting network and information systems;
(c) establishes security requirements for market operators and public administrations

For the purpose of this Directive, the following definitions shall apply:
(1) „network and information system” means:
(a) an electronic communications network within the meaning of Directive 2002/21/EC, and
(b) any device or group of inter-connected or related devices, one or more of which, pursuant to a program, perform automatic processing of computer data, as well as (c) computer data stored, processed, retrieved or transmitted by elements covered under point (a) and (b) for the purposes of their operation, use, protection and maintenance.
(2) „security” means the ability of a network and information system to resist, at a given level of confidence, accident or malicious action that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data or the related services offered by or accessible via that network and information system;
(3) „risk” means any circumstance or event having a potential adverse effect on security;
(4) „incident” means any circumstance or event having an actual adverse effect on security;

Each Member State shall adopt a national NIS strategy defining the strategic objectives and concrete policy and regulatory measures to achieve and maintain a high level of network and information security. The national NIS strategy shall address in particular the following issues:
(a) The definition of the objectives and priorities of the strategy based on an up-to-date risk and incident analysis;
(b) A governance framework to achieve the strategy objectives and priorities, including a clear definition of the roles and responsibilities of the government bodies and the other relevant actors;
(c) The identification of the general measures on preparedness, response and recovery, including cooperation mechanisms between the public and private sectors;
(d) An indication of the education, awareness raising and training programmes;
(e) Research and development plans and a description of how these plans reflect the identified priorities.
2. The national NIS strategy shall include a national NIS cooperation plan complying at least with the following requirements
(a) A risk assessment plan to identify risks and assess the impacts of potential incidents;
(b) The definition of the roles and responsibilities of the various actors involved in the implementation of the plan;
(c) The definition of cooperation and communication processes ensuring prevention, detection, response, repair and recovery, and modulated according to the alert level;
(d) A roadmap for NIS exercises and training to reinforce, validate, and test the plan. Lessons learned to be documented and incorporated into updates to the plan.

Se face referire şi la CERT naţionale. Capitolul IV al Directivei are în vedere SECURITY OF THE NETWORKS AND INFORMATION SYSTEMS OF PUBLIC ADMINISTRATIONS AND MARKET OPERATORS:

To ensure convergent implementation of Article 14(1), Member States shall encourage the use of standards and/or specifications relevant to networks and information security.

Articolul 14 se referă la Security requirements and incident notification:

Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.