Europe is poised to tackle cybersecurity headfirst with initiatives that are growing in strength and support. In 2013, the Cybersecurity Strategy for the European Union and the Commission Proposal for a Directive on Network and Information Security presented legal measures and provided incentives aimed at increasing the security of Europe’s online environment. These efforts are supported by the European Network and Information Security Agency (ENISA), as well as by the Computer Emergency Response Team for the EU institutions (CERT-EU).
As part of ISACA’s holistic Cybersecurity Nexus (CSX), ISACA is addressing the need for cybersecurity guidance in Europe by releasing the European Cybersecurity Implementation Series of white papers and an audit program, which includes:
- European Cybersecurity Implementation: Overview
- European Cybersecurity Implementation: Risk
- European Cybersecurity Implementation: Resilience
- European Cybersecurity Implementation: Assurance
- European Cybersecurity Audit/Assurance Program
The white papers address cybersecurity in the context of European Union (EU) laws, regulations and best practice, with a focus on using the COBIT 5 framework and related materials. They provide practical implementation guidance that is aligned with ENISA, European requirements and good practices.
The overview outlines how cybersecurity is discussed and directed in the European context, including institutions, organisations and recognized best practices. In some aspects, this is different from what might be expected in a U.S. setting or other geographies, given that there are 28 EU member states and several associated countries. As a result, there are EU level cybersecurity recommendations as well as national strategies, laws and regulations to be taken into account. This overview paper is designed to provide orientation and set the scene for more detailed aspects discussed in the risk, resilience and assurance papers.
Cybersecurity creates a multitude of new risks, many of which are part of the cultural, social and technical context of security. The risk paper in the series therefore addresses typical European perspectives on cybersecurity risk, including those that may be unique to one or more countries within the Union. In line with the COBIT 5 lens concept, the risk paper further provides a drill-down on using the available COBIT 5 cybersecurity materials in a targeted manner.
Resilience is one of the primary, but often neglected, aspects of cybersecurity. In Europe, resilience thinking is an important element of cybersecurity, both in the business and in the technical sense. The resilience paper within the cybersecurity series addresses the European view on creating, maintaining and improving resilience through various steps of a life cycle. It also covers European and national laws, regulations and best practices in creating cybersecurity resilience.
With the advent of a directional and declared EU cybersecurity strategy and digital agenda, many cybersecurity initiatives are beginning to produce results, often set down as legal, regulatory or industry requirements. In terms of cybersecurity governance and management, it is important to provide robust assurance over cybersecurity arrangements, including auditable evidence and processes. The assurance paper within the cybersecurity series offers insights on how to set up, maintain and uphold the requisite level of assurance in the EU and associated countries. The paper makes use of tried and tested COBIT 5 concepts and the underlying control universe and applies these to the EU landscape.
The ISACA European Cybersecurity Implementation Series is a living set of documents. In the near future, additional helpful tools will be released. These include a matching and mapping tabular paper for quick reference purposes throughout the 28 member states, as well as so-called country files providing subject matter expert advice on cybersecurity details in many European countries.
Rolf von Roessing, CISA, CISM, CGEIT
President, Forfa AG
Past International Vice President, ISACA
He will discuss “Responding to Cyberattacks” and “COBIT 5 for Security” at ISACA’s 2014 EuroCACS/ISRM Conference taking place 28 September – 1 October in Barcelona, Spain. For more information about the conference and to register, visit www.isaca.org/eucacs-isrm2014.