ENISA has updated their National Cyber Security Strategy Good Practice Guide. The first document was issued back in 2012 and the new version shows just how much has changed since then.
NCSS Good Practice Guide Updated By ENISA
The European Union Agency for Network and Information Security (ENISA) has published an updated version of the NCSS Good Practice Guide which aims to support the effort of EU member states to develop and update their National Cyber Security Strategies (NCSS).
The first guide was published back in 2012 when the cyber security landscape was quite different. The organization closely monitors the security incidents and the approaches that the EU member states use to mitigate large-scale attacks.
Here is an excerpt of the executive summary of the document:
To meet current and emerging cyber security threats, EU Member States need to constantly develop and adapt their cyber security strategies. National cyber security strategies (NCSS) are the main documents of nation states to set strategic principles, guidelines, and objectives and in some cases specific measures in order to mitigate risk associated with cyber security. Following a high-level top-down approach, NCSS set the strategic direction for subsequent actions.
ENISA’s Recommendations on designing and developing NCSS
The guide provides useful and practical recommendations to the relevant private and public stakeholders on developing, implementing and maintaining a cyber security strategy. The agency helps the interested parties to define the areas of importance. A very important step in the whole process is to help the EU Member States to develop, evaluate and upgrade their National Cyber Security Strategy (NCSS).
According to the document, the NCSS lifecycle consists of the following phases:
- Developing the strategy
- Executing the strategy
- Evaluating the strategy
- Maintaining the strategy
When it comes to the implementation of the national strategies, the document lists the following objectives that must be considered:
- Development of national cyber contingency plans
- Protection of critical information infrastructure
- Organization of the cyber security exercises
- Establishment of baseline security measures
- Establishment of incident reporting mechanism
- Raising user awareness of cyber security issues
- Strengthening training and educational programmes
- Establishment of incident response capabilities
- Addressing cyber crime
- Engaging in international cooperation
- Establishing a public-private partnership
- Balancing security with privacy and data protection
- Institutionalization of the cooperation between public agencies
- Fostering R&D in cyber security
- Providing incentives for the private sector to invest in security measures
ENISA Identified The Major Challenges In The NCSS Implementation
ENISA has identified several primary challenges that member states face during the development and implementation of their NCSS:
- Establish effective cooperation between public stakeholders – This was named one of the primary challenges that the stakeholders reported
- Establish trust between public and private stakeholders – Many countries have named trust issues between public and private stakeholders as one of the main obstacles in the implementation of core objectives, such as establishing baseline security requirements, incident reporting or establishing public-private partnerships
- Ensure adequate resources – Some of the cyber security public authorities named the lack of funding and financial resources as a problem for the execution of measures
- Promote a common approach and awareness for privacy and data protection – particularly for countries whose NCSS is focused around business and growth for digital business
- Implementing vulnerability and risk analysis – The focus was set too broad and the approach concentrated on integral risk management, which proved to be too challenging as well as resource and finance intensive
ENISA’s NCSS Evaluation
ENISA has also dedicated a chapter in which they evaluate the NCSS issued by the EU member states. The organization has outlined in detail their evaluation approach and their key performance indicators. ENISA has categorized the results on a three-degree scale based on how far the objectives of the NCSS have been implemented.
Based on the identified challenges, ENISA has issued several recommendations that should be adopted into the NCSS of the EU member states:
- Inclusion of the NIS Directive provisions into the NCSS
- Prioritization of certain sectors
- Integration of the CIIP with the NCSS and the national emergency management structures
- Extending the scope of international cooperation beyond international exercises
- Creating a common understanding of concepts and terminology
- Approaching and involving stakeholders at an early development stage
- Gaining additional situational awareness
- Developing requirements and measures per critical sector
- Enhancing capabilities of public and private actors
For more detailed information you can access the document from ENISA’s website.