EU 2016/1148
1. Sensitivity: Confidential
KRITIS (Directive EU 2016/1148): A way forward

Note from the editors: “KRITIS” sounds German because it is the German word for ‘critical’. Germany has taken the lead in implementing the new European Directive.
Where does it apply?

“Critical infrastructures are organizational and physical structures and facilities of such vital importance to a nation’s society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequences.”

Source: UP KRITIS Public-Private Partnership for Critical Infrastructure Protection
What is it based on?

“Directive (EU) 2016/1148 (NIS Directive)”

Source: UP KRITIS Public-Private Partnership for Critical Infrastructure Protection
SoA (Statement of Applicability)

Area | Description of Statement of Applicability | Related standards, audit framework documents
Vulnerability management | What is the handling of known weak points like? Presentation of processes and derived measures. | SANS Institute; OWASP Top 10; ISO 27002; ISO 31000; risk assessment; recommendations; periodically iterative; process description
Patch management | Concept of measures for patch management at DL. | ITIL process definition (may be tooling)
Systemhärtung [system hardening] | The Contractor undertakes to harden the systems it supplies in order to minimise the impact. | Identify a collection of tools, techniques and best practices to reduce vulnerability; company-wide
Fernzugang für Drittanbieter [remote access for third-party providers] | Remote access from third parties to the network of the Principal. |
Anforderungen an die Softwareentwicklungsprozesse [requirements for the software development processes] | The software development processes of the contractor must be designed in such a … |
Einsatz der kryptographischen Lösungen [use of cryptographic solutions] | In order to ensure that no obsolete cryptographic solutions known to be … |
Dokumentation [documentation] | The service provider shall regularly document the processes mentioned in this list (process manual). | ISO 27000, ISMS; define structure; define document process flow, access management, user profiles
… | … | …
Go with the flow

1. SoW (Statement of Work): in scope, out of scope, high-level planning (and budget covenant)
2. Contract and project set-up: rules of engagement, communication, project organisation
3. SoA (Statement of Applicability)
4. Landscape: infrastructure, IT/network, civil constructions
5. Risk assessment: risk-based approach
6. Implementing: roll-out, roll-in, audit
Solution SoA

• ISO 2700x
• NIST
• ISO 31000
• ITIL
• OWASP
• ISO 15408
• EU 2016/114
• EU 2016/1148
• ISO 21827
• ISO 22301
• ISO 27031
• UP KRITIS Public-Private Partnership for Critical Infrastructure Protection
• KRITIS V
• FIPS 140
• IEC 62443 “Security for Industrial Process Measurement and Control – Network and System Security”
Foundation (Tooling) 1

• Register of vendors
• Cross-referencing supplies (hardware, IT components, PLCs, …)
• Cross-referencing with configuration data (key identifiers per item)
• Cross-referenced with maintenance management
• Service level management / contract (y/n): gold, silver, less…

Inventory of all items (grouped, individually, types, locations, stock/warehouse, unique identifier, vendor).

Risk-based approach, again. Which components are strategic in your organisation or production chain? Cross-references are key:
• What if a vendor is no longer operational: which items are impacted?
• What if a key item is reaching the end of its life cycle? Alternative product? Alternative supplier?
• In case of a quality issue with an item: where are those items located in our organisation / production facility?
Foundation (Tooling) 2

• Register of software and applications
• Cross-referencing supplier
• Cross-referencing with configuration data (key identifiers per software, tool, application)
• Patch management, configuration item DB
• Latest/active version
• Swift recovery
• Cross-referenced with maintenance or service level management
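The two "Foundation (Tooling)" slides describe a cross-referenced register of vendors, items and software and the questions it should answer (which items a failed vendor impacts, what is running out of life cycle, where a product sits, which software is behind its latest version). The following is an added example, not code from the slide deck or from UP KRITIS, showing one minimal way to model such a register so those questions become queries; all vendor, product and version data in it is constructed and the class and method names are the author's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Reference date for the "running out of life cycle" check (constructed value).
REPORT_DATE = date(2024, 1, 1)


@dataclass(frozen=True)
class Vendor:
    name: str
    operational: bool = True  # False once the supplier has ceased trading


@dataclass(frozen=True)
class Item:
    item_id: str               # unique identifier (key identifier per item)
    kind: str                  # "hardware", "plc", "software", ...
    product: str               # product / type name, used for cross-referencing
    vendor: str                # must match a Vendor.name in the register
    location: str              # where it sits in the organisation or plant
    strategic: bool = False    # strategic in the production chain?
    end_of_life: Optional[date] = None
    version: Optional[str] = None  # installed version (software only)
    sla: Optional[str] = None      # service level: "gold", "silver", ... or None


def _version_key(version: str) -> tuple:
    """'4.10.2' -> (4, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Register:
    vendors: dict = field(default_factory=dict)          # name -> Vendor
    items: dict = field(default_factory=dict)            # item_id -> Item
    latest_versions: dict = field(default_factory=dict)  # product -> latest released version

    def add_vendor(self, vendor: Vendor) -> None:
        self.vendors[vendor.name] = vendor

    def add_item(self, item: Item) -> None:
        # Cross-references are only reliable if every item resolves to a known
        # vendor and identifiers are unique, so reject records that break that.
        if item.vendor not in self.vendors:
            raise ValueError(f"unknown vendor {item.vendor!r} for item {item.item_id}")
        if item.item_id in self.items:
            raise ValueError(f"duplicate item id {item.item_id}")
        self.items[item.item_id] = item

    def impacted_by_vendor(self, vendor_name: str) -> list:
        """Item ids supplied by one vendor, strategic items listed first."""
        hits = [i for i in self.items.values() if i.vendor == vendor_name]
        hits.sort(key=lambda i: (not i.strategic, i.item_id))
        return [i.item_id for i in hits]

    def non_operational_vendor_impact(self) -> dict:
        """'What if a vendor is no longer operational?' for every such vendor."""
        return {v.name: self.impacted_by_vendor(v.name)
                for v in self.vendors.values() if not v.operational}

    def expiring_items(self, today: date, horizon_days: int = 365) -> list:
        """Items whose end of life falls within the horizon, sorted by id."""
        cutoff = today + timedelta(days=horizon_days)
        return sorted(i.item_id for i in self.items.values()
                      if i.end_of_life is not None and i.end_of_life <= cutoff)

    def outdated_software(self) -> list:
        """(item_id, installed, latest) for software behind the latest known version."""
        out = []
        for i in self.items.values():
            latest = self.latest_versions.get(i.product)
            if (i.kind == "software" and i.version and latest
                    and _version_key(i.version) < _version_key(latest)):
                out.append((i.item_id, i.version, latest))
        return sorted(out)

    def locations_of(self, product: str) -> list:
        """'In case of a quality issue: where are those items located?'"""
        return sorted(i.location for i in self.items.values() if i.product == product)


def build_sample_register() -> Register:
    """Constructed sample data; vendor and product names are made up."""
    reg = Register()
    reg.add_vendor(Vendor("Acme PLC GmbH"))
    reg.add_vendor(Vendor("Orion Controls", operational=False))
    reg.add_vendor(Vendor("Sigma Software"))
    reg.latest_versions["SCADA-Suite"] = "4.3.1"
    reg.add_item(Item("PLC-001", "plc", "CPU-300", "Acme PLC GmbH", "Plant A / Line 1",
                      strategic=True, end_of_life=date(2024, 6, 30), sla="gold"))
    reg.add_item(Item("PLC-002", "plc", "RX-9", "Orion Controls", "Plant A / Line 2",
                      strategic=True, end_of_life=date(2027, 1, 1), sla="silver"))
    reg.add_item(Item("HW-010", "hardware", "IO-Module", "Acme PLC GmbH", "Warehouse"))
    reg.add_item(Item("SW-001", "software", "SCADA-Suite", "Sigma Software", "Control room",
                      strategic=True, version="4.2.0"))
    reg.add_item(Item("SW-002", "software", "SCADA-Suite", "Sigma Software", "Office",
                      version="4.3.1"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("vendor gone   :", reg.non_operational_vendor_impact())
    print("end of life   :", reg.expiring_items(REPORT_DATE))
    print("outdated sw   :", reg.outdated_software())
    print("SCADA-Suite at:", reg.locations_of("SCADA-Suite"))
```

The point of `add_item` refusing an unknown vendor or a duplicate identifier is that every later answer (impact of a vendor failure, end-of-life horizon, where a product is installed) is only as good as the cross-references; a real configuration item database would enforce the same constraints with foreign keys and a unique index.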