Network and information systems and the essential services they support play a vital role in society, from ensuring the supply of electricity and water to the provision of healthcare and passenger and freight transport. Their reliability and security are essential to everyday activities. These systems are susceptible to disruption through single points of failure. Attacks against these systems could cause significant damage to infrastructure or the economy, or result in substantial financial loss. As we've seen from numerous cybersecurity incidents, such as the 2017 WannaCry ransomware attack, network and information systems are an attractive target for impactful malicious attacks, and the frequency of these attacks is on the rise.

Example scenarios include malware infection, denial of service, hacker infiltration, an insider threat, an inability to view the status of the network or operating system, and emergency patching or antivirus updates. The EU recognised that any cybersecurity incident could affect a number of member states, and in 2013 it put forward a proposal to improve the EU's preparedness for a cyber attack. This proposal became the Directive on the Security of Network and Information Systems in August 2016. The NIS Directive aims to raise the overall level of security and resilience of network and information systems across the EU, and provides a legal grounding, developed through public consultation, which ensures that member states have in place a national framework so they are equipped to manage cybersecurity incidents.

This includes a national cybersecurity strategy, a computer security incident response team and a national NIS competent authority. A co-operation group among member states exists to support and facilitate strategic cooperation and the exchange of information.

This ensures that organisations within vital sectors (utilities, healthcare, transport and digital infrastructure, for instance) which rely heavily on information networks are identified by each member state as operators of essential services, or OES, who are required to notify serious incidents to the relevant national authority. The participation of industry is therefore crucial in the implementation of the directive. The National Cyber Security Centre doesn't have a regulatory role in NIS, but it does support the NIS Directive in three ways. First, it acts as a single point of contact for engagement with EU partners on NIS, co-ordinating requests for action or information and submitting annual incident statistics. Second, it governs the computer security incident response team. Incidents that are believed to be reportable under NIS must be reported to the appropriate competent authority (CA); where they are identified or suspected of having a cybersecurity aspect, the operator is also strongly encouraged to contact the NCSC for advice and support as appropriate. Third, it acts as a technical authority on cybersecurity: the NCSC supports OES and CAs with cybersecurity advice and guidance and acts as a source of technical expertise.

While it is not possible to devise an effective set of prescriptive rules for good cybersecurity, it has been possible for the NCSC to develop a set of principles as a guide to cybersecurity decision-making when implementing the NIS Directive. After a shake-up in European data protection law, the General Data Protection Regulation, GDPR, has now come into effect. This legislation affects everyone and controls what a company can and can't do with users' data. GDPR has affected the way the whole world thinks about the use and storage of personal data, but what exactly is GDPR, and what does it mean for us? Its implementation gives everybody control over the way companies gather, store and use our information.

As smartphones and tablets became commonplace, old data protection laws became outdated, because nearly every aspect of our lives now has a digital representation. Personal data is any data that could identify you. It could be anything from a person's contact details to their banking or health data, political opinions, IP address and even their sexual orientation, if that is made available in their online life. Under GDPR, companies have a lawful obligation to demonstrate why they need to store our information, how it will be used and that it will be stored securely. Users must give consent to allow companies to store their data, and the companies in turn need to be able to prove your consent when storing your data on their systems.

They also need to be more transparent when requesting to store our data: far fewer pre-filled online forms, and the Terms of Use have to be explained in a clear and simplified manner, giving you more control over your data. If a company's security is breached and your data stolen, the company is responsible for notifying you of the breach to allow you to update your security. Users also have the right of access to their data, which must be supplied in a common format for download. Alongside your right of access is your right to be forgotten: a request can be made to a company to have your personal data erased from their systems.

This, however, is not absolute: you won't be able to fully erase every record of yourself online, as sectors such as government agencies and hospitals, for example, are exempt from this right. GDPR doesn't only apply to EU countries either; it has a worldwide reach, as organisations outside Europe that store the data of EU citizens are also affected. Likewise, any company that uses services within the EU to provide data processing or storage, for instance, also needs to adhere to GDPR. If GDPR is ignored there could be massive financial penalties: a fine of up to 20 million euros or 4% of the company's annual turnover, whichever is greater.

If a Silicon Valley giant were to breach GDPR rules, they could be facing a very serious fine.

International legislation

Before we look at the international legislation in detail, it is worth mentioning some of the answers you should have added for the previous task.

In terms of the Computer Misuse Act, some of the challenges include:

  • Need to prove intent
  • Tracing those responsible
  • Damage limitation

In terms of the Data Protection Act, sensitive information is mostly related to:

  • Ethnic background
  • Political opinions
  • Religious beliefs
  • Health
  • Sexual health
  • Criminal records

Moving on to international legislation in the EU, there are two pieces of major legislation around data: the Network and Information Systems (NIS) Directive and the General Data Protection Regulation (GDPR).

Network and Information Systems (NIS) Directive

The Network and Information Systems (NIS) Directive is the first piece of EU-wide legislation on cyber security, and it provides legal measures to enhance the level of cyber security in the EU. In short, the NIS Directive ensures three things:

  1. The member states have in place a national framework so that they are equipped to manage cyber security incidents and oversee the application of the directive.

    This includes a National Cyber Security Strategy, a Computer Security Incident Response Team (CSIRT), and a national NIS competent authority, or competent authorities.

  2. There exists a cooperation group among member states to support and facilitate strategic cooperation and the exchange of information.

    The member states will also need to participate in a CSIRT network to promote swift and effective operational cooperation on specific network and information system security incidents, as well as sharing information about risks.

  3. Organisations within vital sectors which rely heavily on information networks, for example the utilities, healthcare, transport and digital infrastructure sectors, are identified by each member state as operators of essential services (OES).

    Those OES will have to take appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority. The participation of industry is therefore crucial in the implementation of the directive.

GDPR

The General Data Protection Regulation (GDPR) was introduced to unify the regulation and legislation related to data protection within the EU.

GDPR was adopted in April 2016 but has only been in effect since May 2018. It replaces the 1995 Data Protection Directive 95/46/EC.

Privacy Shield

From July 2016, there has been an agreement between the EU and US allowing for the transfer of personal data from the EU to the US. This is to protect the rights of anyone in the EU whose personal data is transferred to the US, bringing legal clarity for businesses relying on transatlantic data transfers.

The Privacy Shield ensures the following principles:

  • Strong obligations on companies handling data
  • US Department of Commerce will conduct regular updates and reviews
  • Tightening of conditions for the transfer of data to third parties
  • Clear safeguards and transparency obligations on US government access with redress mechanisms
  • Effective protection of individual rights
  • Annual joint review mechanism

Your task

In your own words, explain what GDPR is and how it could help to protect data and enhance security of information.


This video is from the free online course Cyber Security in the Software Development Life Cycle, Coventry University.