<h1><spanclass="title-org">Instantly See Your Top 10 Cybersecurity Risks</h1>
<pstyle="max-width: 800px; margin: 0 auto 2rem;">RiskLM’s intuitive AI platform makes complex cyber risk assessments accessible to everyone, not just experts. Automatic analysis, generate compliant reports (NIS2, ISO, NIST, GDPR+), save time, reduce consultant costs, and ensure continuous security effortlessly.</p>
<p><b>Download our free white paper showing exactly how Risklet pinpoints critical vulnerabilities for NIS2 compliance and recommends cost-effective controls.</b></p>
RiskLM’s intuitive AI platform makes complex cyber risk assessments accessible to everyone, not just experts. Automatic analysis, generate compliant reports (NIS2, ISO, NIST, GDPR+), save time, reduce consultant costs, and ensure continuous security effortlessly.
Download our free white paper showing exactly how Risklet pinpoints critical vulnerabilities for NIS2 compliance and recommends cost-effective controls.
Cybersecurity regulations often prescribe key duty of care measures that organizations must implement. Below are ten fundamental areas to address for robust cyber resilience.
<pclass="text-xs text-gray-500 mt-3 mb-3 italic">Article 21 paragraph 2 sub a: policy on risk analysis and security of information systems</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Performing a risk analysis is the first step in improving the cyber resilience of your company or organization. It is an essential first step in gaining the necessary insights. A risk analysis reveals which risks are the most serious and where security measures are most needed.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">A risk analysis policy plan describes how your organization performs risk analyses. This plan helps you systematically and purposefully improve your digital security. Every organization is unique, with different processes and risks. However, there are some elements that often recur in a risk analysis policy. Use these as a guideline when drafting your policy document:</p>
<li>Purpose and scope: Define the purpose and scope of your risk analysis. The scope determines which internal stakeholders are involved.</li>
<li>Frequency: Determine how often you will perform risk assessments. This may be a requirement for certification or contractual obligations. If not, perform a risk assessment annually.</li>
<li>Roles and responsibilities: Define who is responsible for conducting the risk analysis.</li>
<li>Decision outcomes: Identify and analyze risks. There are four options for analyzed risks: accept, resolve, transfer, and stop. Set risk acceptance criteria in advance to avoid discussions during the analysis.</li>
<li>Effectiveness and revision: Test and revise the policy plan periodically. Take into account changes such as new systems, processes, threat assessments and current threats.</li>
</ul>
<h3class="text-lg font-semibold mt-4 mb-2 text-primary">Making a risk analysis</h3>
<pclass="mb-3 text-gray-700 leading-relaxed">Digital threats can pose major risks to your organization's services. It is therefore important to be well prepared. Further information on creating a risk analysis can be found in general risk management guidance.</p>
<pclass="text-xs text-gray-500 mt-3 mb-3 italic">Article 21 paragraph 2 sub i: security aspects regarding personnel, access policy and asset management</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Organizations that take their cybersecurity seriously pay attention to security aspects of personnel, access policies and asset management (hardware and software). Who has access to which information and with which rights? By taking these security aspects seriously and implementing appropriate measures, you improve cybersecurity and increase the resilience of your network and information systems.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">An organization’s workforce is the first line of defense against cyberattacks. Employees play a critical role in maintaining the security of systems and data. It is essential that an organization ensures that employees understand and can apply their cybersecurity responsibilities in their work through appropriate education or training. These responsibilities can vary by role.</p>
<h4class="text-md font-semibold mt-3 mb-1 text-dark-text">Procedures for new employees, job or role changes and termination of employment</h4>
<pclass="mb-3 text-gray-700 leading-relaxed">Access to systems and networks often depends on the role or function within the organization. NIS2-relevant organizations must have procedures for initiating, terminating, or changing access to business units. These procedures must be documented and maintained.</p>
<li>Assigning Roles and Rights: Provide insight and management of employees who are assigned new roles and rights.</li>
<li>Revoking Roles and Rights: Make it clear and manageable which employees lose their roles and rights.</li>
<li>Change Roles and Rights: Keep track of which employees have changes to their roles and rights.</li>
</ul>
<pclass="mb-3 text-sm text-gray-600 italic border-l-4 border-accent pl-3 py-1 bg-light-accent/30">Consider key principles such as managing access to data and services for more information.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">An effective way to limit risks is to screen the reliability of employees before they are hired. Screening involves an employer requesting information about an applicant or employee to assess their reliability. A well-known example of this is requesting a Certificate of Good Conduct (or equivalent background check). For certain positions of trust, screening might be mandatory. Data protection authorities provide more information about the procedures and regulations surrounding screening.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">A good access policy is essential to ensure the availability, integrity and confidentiality of your network and information systems. This policy determines who has access to which systems and with which roles and rights. Due to the dynamics of new employees, departing employees and job changes, careful administration of access rights is necessary.</p>
<li>Only authorized employees can grant access.</li>
<li>Access is only granted to users for whom it is relevant.</li>
<li>Access is granted for the required period.</li>
<li>Specific rights are issued according to the principle of least privilege and a rights matrix.</li>
<li>When access is granted to external parties (such as suppliers or IT service providers), clear agreements are made about access and security requirements.</li>
<li>There is a procedure for adjusting access rights in the event of job changes or departures.</li>
<li>Granted access rights are kept in a register.</li>
<li>Logging is applied to access rights management to know who granted and received which rights and when.</li>
</ul>
<pclass="mb-3 text-sm text-gray-600 italic border-l-4 border-accent pl-3 py-1 bg-light-accent/30">Guidance on organizing identity and access management is crucial. This includes physical access security as well as digital identity.</p>
<h4class="text-md font-semibold mt-3 mb-1 text-dark-text">Continuous attention to cyber awareness</h4>
<pclass="mb-3 text-gray-700 leading-relaxed">Most cyber incidents are caused by human error. Cybercriminals cleverly exploit common human vulnerabilities. Awareness of cyber risks is therefore very important for preventing incidents. Ensure continuous attention to cyber awareness.</p>
<pclass="mb-1 text-gray-700 leading-relaxed">User accounts with elevated privileges, such as admin accounts and system accounts, have access to sensitive information and can change system settings. Restrict access to these accounts to those who really need it. Make sure that:</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Use strong authentication methods to verify the identity of individuals requesting access. Multi-factor authentication contributes to the cybersecurity of your systems and data. For access to higher classified systems, you can impose additional requirements, such as longer passwords or logging in via a specific network.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Before you can manage assets, you first need to gain insight into them. By identifying which matters are crucial to your organization and service provision, you can take the right measures to protect these interests. Examples of important assets are customer data, production methods, employee data, financial data and the reputation of your organization.</p>
<pclass="mb-3 text-sm text-gray-600 italic border-l-4 border-accent pl-3 py-1 bg-light-accent/30">Practical tools and guidance can help organizations map their critical assets at a tactical level. This mapping can then be used for risk analysis and to identify technical assets needing protection at the network and information systems level.</p>
<h4class="text-md font-semibold mt-3 mb-1 text-dark-text">Asset management consists of a number of steps</h4>
<pclass="mb-3 text-gray-700 leading-relaxed">Inventory of Assets: Asset management begins with inventory. This involves keeping a record of all the material, such as hardware, software, and the data that these assets contain. This inventory helps identify and manage potential vulnerabilities. NIS2-relevant organizations must also have procedures in place for the secure disposal of assets at the end of their life to prevent data from falling into the wrong hands.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Classification of Sensitive Information: Define and document a classification for sensitive information. This allows you to link the right authorization and have better visibility on who has access to this information. For the degree of confidentiality (e.g. public, for internal distribution only or confidential), use classifications derived from relevant legislation, international agreements or internationally accepted strategies for information exchange, such as the Traffic Light Protocol (TLP).</p>
<h4class="text-md font-semibold mt-3 mb-1 text-dark-text">Asset management and network and information security</h4>
<pclass="mb-3 text-gray-700 leading-relaxed">Ensure proper management of assets throughout their lifecycle: from acquisition, use, storage, transport to disposal. Provide all assets with a classification level to determine the required availability, integrity and confidentiality. This is also called the 'BIV classification' (or CIA in English - Confidentiality, Integrity, Availability). Based on this classification, you determine the appropriate measures for digital resilience.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">The policy should also address the safe use, storage, transportation, and disposal of assets. Equipment, hardware, software, and data should only be transferred to off-site locations after approval by authorized personnel. Determine in advance who within the organization is responsible for which steps.</p>
<h4class="text-md font-semibold mt-3 mb-1 text-dark-text">Effectiveness and revision</h4>
<pclass="mb-3 text-gray-700 leading-relaxed">Personnel and access policies and asset management should be tested, reviewed and revised periodically. Take into account changes within the organization and current risks. Include the test results in the revised policy documents.</p>
<pclass="text-xs text-gray-500 mt-3 mb-3 italic">Article 21 paragraph 2 sub c: business continuity, such as backup management and contingency plans, and crisis management</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Long-term outages of primary business processes are unacceptable for most companies. A business continuity plan (BCP) helps you be resilient to unexpected events such as power outages, cyber incidents and attacks. With a BCP, you can minimize the impact of disruptions on business operations.</p>
<h3class="text-lg font-semibold mt-4 mb-2 text-dark-text">Create a BCP in 4 steps</h3>
<pclass="mb-3 text-gray-700 leading-relaxed">A BCP is a document that describes how a company deals with serious disruptions or calamities. The goal is to protect personnel, vital processes and primary business processes and to ensure that they continue to function during and after an incident. It contains procedures and instructions to remain operational during a serious disruption. The content of a BCP can differ per organization, but here we focus on digital business processes. Without IT and OT systems, many business processes come to a standstill, so cybersecurity plays an important role in a BCP.</p>
<li>Step 1 - Risk analysis as a starting point: The basis of a BCP is a risk analysis. This helps to identify vital and primary processes and to estimate the impact of long-term failure. Refer to risk analysis guidance for a concrete step-by-step plan.</li>
<li>Step 2 - BCP Framework: With the risk analysis, you have laid the foundation for your business continuity plan. You now know which disruptions you want to focus on and which business areas require attention. A BCP usually contains the following components: Purpose and Scope (Consider outage scenarios such as power outages, extreme weather, location access, and cyber crises), Activation and Deactivation (Describe when the BCP comes into effect and when it can be deactivated again), Incident Response Plan (Describe the roles, tasks and responsibilities of involved employees and service providers. An incident response plan is a key component), Internal and External Communication (Map the main contacts and communication channels and describe the mandatory communication with competent authorities), Effectiveness and Review (Periodically test and review the BCP for effectiveness and adapt it in the event of changes in the organization or threat assessment).</li>
<li>Step 3 - Backup or Redundancy Plan: A backup plan describes how often you make backups, where you store them, and when you test them. A redundancy plan describes which additional components or systems you use to replace failed systems.</li>
<li>Step 4 - Contingency and Recovery Plan: A disaster recovery plan, also known as a Disaster Recovery Plan (DRP), describes procedures for using fallback and disaster recovery facilities and returning to normal. It focuses on restoring IT processes and describes the procedure for dealing with disruptions to networks, servers, and devices.</li>
<pclass="mb-3 text-gray-700 leading-relaxed">The consequences of disruptions, failures, data leaks or cyber attacks can be serious. That is why it is crucial to respond adequately to an incident to limit negative consequences. An Incident Response Plan (IRP) helps your organization with this.</p>
<h3class="text-lg font-semibold mt-4 mb-2 text-dark-text">Create an Incident Response Plan</h3>
<pclass="mb-3 text-gray-700 leading-relaxed">Incident response is the process of management and mitigation that you go through when an incident occurs. It is better to plan your actions in advance, without time pressure. An Incident Response Plan (IRP) ensures that coordinated action can be taken during an incident.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">The plan contains instructions to help employees detect security incidents, respond to them and recover from potential damage. This is essential in the event of disruptions, data leaks or digital attacks. The goal is to respond quickly, calmly and adequately to limit damage and minimize recovery efforts.</p>
<pclass="mb-3 text-sm text-gray-600 italic border-l-4 border-accent pl-3 py-1 bg-light-accent/30">For more guidance on where to start with incident response, consult cybersecurity best practices and frameworks.</p>
<pclass="text-xs text-gray-500 mt-3 mb-3 italic">Article 21 paragraph 2 sub g: basic cyber hygiene practices and cyber security training</p>
<pclass="mb-3 text-gray-700 leading-relaxed">To increase your organization’s cyber resilience, you start with a risk assessment. An important next step is to implement basic cyber hygiene practices. Training employees to adhere to these basic practices is essential to your organization’s resilience.</p>
<li>According to cybersecurity guidelines (like NIS2), employees must be trained in cybersecurity. They must recognize cyberthreats and know how to respond. Encourage safe behavior to prevent damage from infected USB sticks, weak passwords or phishing emails.</li>
<li>Before you can create a cyber hygiene policy, it is important to define the basic principles. Cyber hygiene means that an organization adheres to the basic principles of cyber security. By incorporating these practices into the cyber security policy, you ensure that all employees adhere to the same agreements.</li>
</ul>
<h3class="text-lg font-semibold mt-4 mb-2 text-dark-text">Training for employees</h3>
<pclass="mb-3 text-gray-700 leading-relaxed">Cyber-aware employees are essential for your organization. Many cyber incidents are caused by human error. There are several ways to make employees aware of cybersecurity, such as awareness programs, onboarding courses and e-learning. Offer cybersecurity training, organize awareness campaigns and hold cyber crisis exercises. This helps employees act safely and prevent threats. Well-trained employees are the key to a safe working environment.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Develop a program that makes every employee aware of cyber risks and promotes safe behavior. Consider training that covers practical and effective topics, such as:</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Employees must be aware of basic cyber hygiene agreements. Continuous attention to awareness programs and training is essential. Ensure that all employees know where and how to report potential incidents, which contacts to approach and where to find additional information.</p>
<pclass="mb-3 text-sm text-gray-600 italic border-l-4 border-accent pl-3 py-1 bg-light-accent/30">Further reading on promoting safe digital behavior of employees can be found in resources discussing cybersecurity awareness beyond standard e-learning.</p>
<pclass="text-xs text-gray-500 mt-3 mb-3 italic">Article 21 paragraph 2 sub e: security in the acquisition, development and maintenance of network and information systems, including the response to and disclosure of vulnerabilities</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Many companies and organizations depend on network and information systems for their primary business processes. If you do not have access to these systems or if information becomes public, this can have major consequences for the organization.</p>
<h3class="text-lg font-semibold mt-4 mb-2 text-dark-text">Policies and Procedures</h3>
<pclass="mb-3 text-gray-700 leading-relaxed">Policy and procedures for network and information systems ensure that appropriate measures are taken. The basis for this policy is risk analyses that are translated into risk management decisions.</p>
<pclass="mb-3 text-sm text-gray-600 italic border-l-4 border-accent pl-3 py-1 bg-light-accent/30">Consult guidance on how to manage effective information security.</p>
<h3class="text-lg font-semibold mt-4 mb-2 text-dark-text">Network and Information Systems Policy</h3>
<pclass="mb-3 text-gray-700 leading-relaxed">According to cybersecurity guidelines, an organization must have a policy for the security of acquiring, developing and maintaining the network, as well as for dealing with vulnerabilities. Here are some important topics:</p>
<pclass="mb-3 text-gray-700 leading-relaxed">An organization must have a policy for the design of the corporate network and the security measures applied. Monitoring is crucial to detect and address unwanted activities. Document and keep the network architecture up to date. In addition, measures must be taken to protect the corporate network from unwanted external traffic, such as firewalls or data diodes. Make policy choices about allowing managed devices or 'Bring Your Own Device' (BYOD).</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Apply network segmentation to prevent viruses or attackers from spreading within the corporate network. Separate important information and systems and protect the network from unauthorized software and use of corporate devices. General guidance on protecting systems, applications, and devices is relevant here.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">A good configuration management policy is essential for the correct configuration of corporate networks, systems, hardware and software. Make sure that default passwords of new routers are always changed and unnecessary options are disabled. This process, known as 'hardening', helps to disable unnecessary functions. Technical security guides often offer resources on hardening and configuration management useful for various organizations.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Change management describes how an organization deals with implementing and monitoring changes, repairs and maintenance. A consistent procedure is crucial. The change management process should include at least the following points:</p>
<ulclass="list-disc pl-6 mb-3 space-y-1 text-gray-700"><li>Request for the change</li><li>Potential risks and impact of the change</li><li>Criteria for Prioritizing Changes and Requirements for Testing</li><li>Requirements for rollbacks</li><li>Logging of the changes</li></ul>
<pclass="mb-3 text-gray-700 leading-relaxed">A secure network provides protection against external attacks and leaks from within. Consider carefully when configuring your network, NAS devices, routers, and firewalls.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">To minimize vulnerabilities, it is important to install security updates (patches) as soon as possible. This is a basic principle of safe digital entrepreneurship. Security updates improve software and close security holes, which increases digital resilience. In the patch management policy, you describe under which conditions security updates are installed. Which systems do you update immediately and which can wait? Test patches before installation in a test environment and check them for integrity and reliability. Follow the change management process when implementing patches. Note: Hardware and software products in your network may be End-of-Life (EoL), meaning they are no longer patched. Have a policy in place for dealing with EoL products. A sample patch policy template can serve as a basis. Also, gain insight into risks of legacy systems.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Every day new vulnerabilities are discovered in software. As an organization you want to be aware of security holes in the software you use. That is why it is important to monitor these vulnerabilities. You can keep track of this yourself for the products you have purchased from suppliers. Support for this can come from security advisories from relevant cybersecurity authorities and information sharing communities. There should be a procedure to assess the impact of a vulnerability on the organization and to take mitigating measures. As part of vulnerability management, you can create a policy for coordinated vulnerability disclosure (CVD) or responsible disclosure. Refer to guidance on improving vulnerability management.</p>
<h4class="text-md font-semibold mt-3 mb-1 text-dark-text">Secure Development Life Cycle</h4>
<pclass="mb-3 text-gray-700 leading-relaxed">The Secure Development Life Cycle (SDLC) policy aims to ensure that software and systems are developed in a secure manner. Security must be an integral part of every development phase. This means that the development environment is secured and that software and systems are tested for vulnerabilities at an early stage, an approach known as security by design. It is also advisable to apply the principles of secure coding during the development phase.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">During the procurement process, new vulnerabilities or incorrectly configured systems can be introduced into the organization. Therefore, organizations should pay attention to cybersecurity in their tender or procurement process to reduce risks at an early stage. Consider: Including security requirements in the 'program of requirements', Security Update Guarantee, A manual or training on the correct configuration settings. Guidance on mapping direct suppliers can be helpful.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Operational Technology (OT) encompasses a variety of systems used to manage operational processes in the physical world, such as controlling and monitoring industrial equipment. OT equipment, such as robots, security cameras and cash register systems, plays a crucial role in various industries, including manufacturing, chemicals, water boards, transportation and energy. Risks of Internet Connection: OT systems are increasingly connected to the internet, which facilitates remote management. However, this accessibility also brings risks. Insufficient security measures can give unauthorized persons the opportunity to abuse and gain access to your OT systems. If your business process relies heavily on OT, ICS or SCADA, run a security check for process automation to assess the status of your OT security. Get started improving your OT or ICS security right away. Relevant guidance on securing OT/IACS is available.</p>
<h3class="text-lg font-semibold mt-4 mb-2 text-dark-text">Map your network</h3>
<pclass="mb-3 text-gray-700 leading-relaxed">After creating a policy for network and information system security, it is important to map your network. Only by knowing and understanding your network can you take the right measures to improve digital resilience. Follow these steps to map your network:</p>
<li>Create a view of your network with all IT assets, including IoT devices.</li>
<li>Map out the purpose of the different systems.</li>
<li>Determine which network and information systems depend on each other.</li>
<li>Zoom in on the systems in your network.</li>
<li>Process details of each system and device, such as the OS version.</li>
<li>Identify physical threats to your network.</li>
<li>Assess where important information resides within your network.</li>
<li>Map the information flows between network components.</li>
</ul>
<pclass="mb-3 text-gray-700 leading-relaxed">By following these steps, you will gain a clear picture of your network and be able to assess whether it complies with your organization's network security policy.</p>
<pclass="mb-3 text-sm text-gray-600 italic border-l-4 border-accent pl-3 py-1 bg-light-accent/30">Further information on maintaining security controls can be beneficial.</p>
<pclass="text-xs text-gray-500 mt-3 mb-3 italic">Article 21 paragraph 2 sub d: the security of the supply chain, including security-related aspects relating to the relationships between each entity and its direct suppliers or service providers</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Companies often depend on the products or services of suppliers. Digital connections between companies increase this dependency; a security breach at one organisation can have major consequences for the connected organisations. That is why the NIS2 directive (and similar regulations) requires relevant companies to take measures to secure the supply chain.</p>
<h3class="text-lg font-semibold mt-4 mb-2 text-dark-text">Risks in the chain</h3>
<pclass="mb-3 text-gray-700 leading-relaxed">There are significant differences in digital resilience between companies, sectors and chains. Even if your own digital resilience is in order, you run risks if your supplier or IT service provider is vulnerable to cyber risks. This can jeopardize the availability, confidentiality and integrity of your business processes and information. That is why supplier risks must be included in the risk analysis and risk management decision-making.</p>
<h4class="text-md font-semibold mt-3 mb-1 text-dark-text">Examples of Digital Supply Chain Risks</h4>
<pclass="mb-1 text-gray-700 leading-relaxed">Here are three scenarios that could impact your business:</p>
<li>A supplier that is relevant to the proper functioning of your network and information systems no longer delivers due to a digital attack.</li>
<li>Your IT service provider has been hacked, which may give the attacker access to your systems.</li>
<li>A critical vulnerability has been discovered in a product or service you use.</li>
</ul>
<pclass="mb-3 text-sm text-gray-600 italic border-l-4 border-accent pl-3 py-1 bg-light-accent/30">Major cyber incidents, such as the one affecting the port of Rotterdam in 2017, highlight the severe impact of supply chain vulnerabilities.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Gaining visibility and control over cybersecurity risks in the supply chain is not easy. For a strong cybersecure chain, you need to establish a policy that maps dependencies with direct suppliers and service providers. Also focus on the IT supply chain to limit potential risks. As a NIS2-relevant organization, you are responsible for identifying and limiting risks, including those arising from the supply chain. Make good agreements to keep track of the risks and limit them to an acceptable level where necessary.</p>
<pclass="mb-3 text-sm text-gray-600 italic border-l-4 border-accent pl-3 py-1 bg-light-accent/30">Guidance is available on how to map direct suppliers and how to strengthen supplier resilience.</p>
<li>How to evaluate and revise this periodically.</li>
</ul>
<pclass="mb-1 text-gray-700 leading-relaxed">When purchasing services or products from suppliers, cybersecurity guidelines require insight into the following matters:</p>
<pclass="text-xs text-gray-500 mt-3 mb-3 italic">Article 21 paragraph 2 sub h: policy and procedures regarding the use of cryptography and, where applicable, encryption</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Cryptography is the technique of encrypting or decrypting data so that only authorized persons can read the data. It forms the basis for protecting the confidentiality and integrity of your company data and assets. Encryption is a cryptographic method of scrambling data based on a cryptographic algorithm.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">The purpose of cryptography and encryption policies and procedures is to ensure the confidentiality, integrity, non-repudiation, authenticity, and authentication of data. In a policy document, you describe the techniques and measures you have implemented to protect the confidentiality and integrity of information.</p>
<h4class="text-md font-semibold mt-3 mb-1 text-dark-text">Parts of the policy document</h4>
<li>Configuration Management: Use only approved encryption standards across the organization. Policy should specify a minimum key length per asset and standard.</li>
<li>Required Encryption Standard: Based on the risk analysis and asset classification, the requirements for the encryption standard per security level must be determined.</li>
<li>Required Key Length: The recommended key length depends on the encryption standard chosen. Consult the documentation of the encryption standard used for advice.</li>
<li>Key Management: Policies for the entire lifecycle of cryptographic keys are essential. These include procedures, roles and responsibilities for: Generating and distributing keys, Destroying or withdrawing keys, Archiving keys, Backuping keys, Logging key management activities, The issuance and acquisition of certificates, if applicable.</li>
</ul>
<h4class="text-md font-semibold mt-3 mb-1 text-dark-text">Effectiveness and revision</h4>
<pclass="mb-3 text-gray-700 leading-relaxed">The cryptography policy should be periodically tested and revised, taking into account changes in the organization and current risks. The test results should be included in the revised version of the policy document.</p>
<pclass="mb-3 text-sm text-gray-600 italic border-l-4 border-accent pl-3 py-1 bg-light-accent/30">General information about what encryption is can provide foundational knowledge.</p>
<pclass="text-xs text-gray-500 mt-3 mb-3 italic">Article 21 paragraph 2 sub j: where appropriate, the use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and secure emergency communications systems within the entity</p>
<pclass="mb-3 text-gray-700 leading-relaxed">For secure business processes, it is essential that users, devices, and other assets are authenticated with multiple factors of authentication (MFA) or continuous authentication mechanisms to access the organization's networks and information systems.</p>
<h3class="text-lg font-semibold mt-4 mb-2 text-dark-text">Classification of assets</h3>
<pclass="mb-3 text-gray-700 leading-relaxed">The level and strength of authentication must match the classification of the assets to which access is granted. You inventoried this classification in the risk analysis. Additional authentication prevents an attacker from gaining access to an account by guessing the password or finding it out via, for example, social engineering or phishing.</p>
<h3class="text-lg font-semibold mt-4 mb-2 text-dark-text">What is MFA?</h3>
<pclass="mb-3 text-gray-700 leading-relaxed">Multi-factor authentication (MFA) requires the use of two or more different factors to verify your identity or authority. These factors may include:</p>
<li>Something you know: For example, a password or a personal identification number.</li>
<li>Something you have: For example, a cryptographic identification device or tokens.</li>
<li>Something you are: For example, biometric data such as an iris scan or handprint.</li>
</ul>
<pclass="mb-3 text-gray-700 leading-relaxed">An example of MFA is a password combined with a token. Another example is using a fingerprint combined with a one-time code that you receive on another device.</p>
<pclass="mb-3 text-sm text-gray-600 italic border-l-4 border-accent pl-3 py-1 bg-light-accent/30">Understand the benefits of using Two-Factor Authentication (2FA) or MFA.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Although 2FA, two-step verification, and MFA are technically different, they are all used to make access to accounts and digital systems more secure. If you are considering using an MFA method, tips for choosing and using an MFA application can be helpful.</p>
<pclass="mb-3 text-gray-700 leading-relaxed">For secure communication, an organization can use a Virtual Private Network (VPN). A VPN makes it possible to set up a secure connection between two devices over an existing network, such as the internet. This connection, a VPN tunnel, encrypts the data traffic. You can purchase a VPN as a service or set up a VPN server yourself.</p>
<pclass="text-xs text-gray-500 mt-3 mb-3 italic">Article 21 paragraph 2 sub f: policies and procedures to assess the effectiveness of cybersecurity risk management measures</p>
<pclass="mb-3 text-gray-700 leading-relaxed">Assessing the effectiveness of cybersecurity measures is essential. It helps manage risk, ensures compliance with legislation such as the NIS2 directive (and similar), and identifies areas for improvement. This process builds stakeholder confidence and enables adaptation to emerging threats.</p>
<h3class="text-lg font-semibold mt-4 mb-2 text-dark-text">Start with a risk analysis</h3>
<pclass="mb-3 text-gray-700 leading-relaxed">Performing a risk analysis is the first step to increase the digital resilience of your organization. This analysis identifies the existing risks, after which you can determine and implement the necessary measures. As a second step, you implement these control measures where necessary. After implementation, it is crucial to know whether the measures are effective and cover the intended risks. This requires structured and systematic testing, which must be included in the organization's policy. One of the ways to test the effectiveness of measures is via a security test.</p>
<h3class="text-lg font-semibold mt-4 mb-2 text-dark-text">Policy to assess effectiveness</h3>
<pclass="mb-1 text-gray-700 leading-relaxed">The policy for assessing the effectiveness of measures varies from organization to organization, depending on the measures taken previously and specific processes. Here are some elements that are often included in this policy:</p>
<li>Purpose and Scope: Define the objectives of the testing and evaluation. The objective should include whether the appropriate measures have been taken to keep the risks within acceptance criteria and whether applicable regulations are met. Determine the scope of the test based on these objectives.</li>
<li>Frequency: Include the frequency of the assessment in the policy. Several security frameworks, such as ISO 27001, require annual audits. If there is no specific frequency requirement, determine the frequency based on a risk management assessment.</li>
<li>Methods of Testing: Testing can be done via audits, risk analyses, pentests, code reviews or security scans. Choose the most suitable form of testing based on the purpose and scope of the test.</li>
<li>Roles: Determine which function will be responsible for the assessment. This can be done by an internal or external party, but ensure that the party is independent for an impartial assessment.</li>
<li>Outcomes: Describe how the outcomes are reported and to whom. For independence, it is advisable to report to the board or management. Use the outcomes as input for updating the risk analysis.</li>
</ul>
<pclass="mb-3 text-gray-700 leading-relaxed">The policy plan for testing the effectiveness of measures must be periodically tested and revised, taking into account changes in the organization and new risks. Include points for improvement in the revised version of the policy plan.</p>
<h3class="text-lg font-semibold mt-4 mb-2 text-dark-text">How do you perform a security test?</h3>
<pclass="mb-1 text-gray-700 leading-relaxed">General guidance on performing security tests usually involves the following steps:</p>
<li>Determine the goal: Define what you want to achieve with the security test.</li>
<li>Determine the means: Determine the testing method and scope in an assignment description.</li>
<li>Take control of the implementation: Make clear agreements with the external party that carries out the test.</li>
<li>Secure the improvements: Evaluate the results, discuss and secure the points for improvement. Use the results as input for the next risk analysis.</li>
</ul>
</div>
</div>
</div>
</div>
</section>
<!--Insights Section -->
<sectionclass="insights">
<h2>Latest Insights & Updates</h2>
<divclass="insights-grid">
<!-- Insight 1 -->
<divclass="insight-card">
<h5>NEVER OTHERS POST WORDPRESS</h5>
<h3>Night Colors</h4>
<pstyle="color: #888; margin: 0.5rem 0;">A. Verdasse • January 29, 2018</p>
<h3class="text-xl font-semibold text-dark-text mb-2 group-hover:text-primary transition-colors">Unlock a Business-Focused View of Cyber Risk</h3>
<pclass="text-sm text-gray-500 mb-3">Risklet Insights Team • October 2024</p>
<pclass="text-gray-600 text-sm flex-grow">Move beyond disruptive IT audits. Our approach delivers a strategic overview, translating technical risks into clear business impacts, quickly and efficiently.</p>
<pclass="text-sm text-gray-500 mb-3">Risklet Insights Team • October 2024</p>
<pclass="text-gray-600 text-sm flex-grow">Receive unbiased analysis focused solely on your benefit. We don't sell other products, ensuring our advice on mitigating key risks is purely for your business continuity.</p>
Risklet uses an advanced AI platform to analyze your cybersecurity posture, identify key risks, and generate compliant reports. It simplifies complex assessments, making them accessible and actionable.
We offer flexible pricing plans including monthly subscriptions, one-time reports, and comprehensive annual packages. Check our Pricing section for detailed information on each plan.
Support options vary by plan, ranging from email support for basic plans to priority phone and email support for our Pro users. We are committed to helping you succeed.
Take control of your cybersecurity risk and compliance. Risklet provides the tools and insights you need to protect your assets and build a resilient organization.
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
