NSM (the Norwegian National Security Authority) has published the Basic Principles for ICT Security, a framework that is considered best practice for the basic security mechanisms most Norwegian businesses should have in place. NSM has also published several other sets of basic principles. We believe the most important of these is the Basic Principles for Security Management (Grunnprinsipper for sikkerhetsstyring, GFS), as it forms the basis for all other security work and sets the proper context for the business.
The widely used NIST Cybersecurity Framework (CSF) established an industry standard for sorting measures into five overall categories (Identify, Protect, Detect, Respond, Recover) based on each measure's purpose. In the basic principles for ICT security, NSM adopted this approach but kept to four categories, which are arguably just as good. In the image below the categories are compared; Respond and Recover from CSF have been merged by NSM into a single category:
In GFS, NSM builds on the classification of measures that has established itself in the industry. This is a useful way to sort measures because it conveys the purpose of each measure and the overall sequence of barriers: the premise for the security work is laid in step 1, where you identify and map what you have of value that needs protection. Protective measures then reduce the chance of those values being compromised. If the protective measures fail and the attacker gets into the network, we need the ability to detect them. If we do not detect and handle the intrusion in time, we must be able to handle an escalating incident and restore data and functionality after the damage has occurred.
NSM uses this division both in GFS and in the basic principles for ICT security. The former naturally sits at a higher level of abstraction and is the subject of this article; the GFS framework, with Diri's support for each of its activities, is illustrated in the figure at the top of the article.
ISO 27005 is the industry standard for information security risk management, and an experienced security expert quickly sees that the activities in GFS are closely linked to the ISO 27005 workflow. This suits Diri well, since the tool already supports ISO 27005. We do not describe NSM's requirements in detail; instead we discuss how you can meet them using Diri. Refer to NSM's original document for the requirements in full.
Internal and external requirements can be, for example, government requirements, legal requirements, contractual requirements and the like, which in turn set the guidelines for risk management. In Diri you address these as part of the overall risk and value assessments: in the value assessment you map which requirements apply and the security needs that follow from them. Once this is done, turning them into unwanted incidents and risks is much easier. The valuation in Diri also helps you map which laws and regulations apply to you.
In Diri you will find a work process that helps you map your most essential systems and which information values (assets) they manage. Diri also helps you value and prioritise these.
Threats are closely linked to risk. In Diri you work on the basis that a risk arises when a threat exploits a vulnerability and causes an unwanted event, and that this event entails at least one consequence for the business. Diri has ready-made libraries of threat actors, attack methods and unwanted events that you can choose from.
Working in Diri means working with risk analysis. A vulnerability analysis can have many inputs, such as findings from technical tools or deviations from best practice. The advantage of Diri is that you can systematise the findings, map the security mechanisms already in place and determine what the findings mean in terms of business risk.
In Diri, a scenario consists of a cause (a threat exploiting a vulnerability), an unwanted event and the accompanying consequences for your values. You can choose from Diri's predefined scenario libraries or add your own.
By mapping the ICT system portfolio in Diri you also map your dependencies on suppliers and other businesses, and you can work systematically with these dependencies. Although it is not part of NSM's requirements, we are also working on a Diri module for mapping dependencies internally in the company.
Working with risk in Diri also means working with consequences, which are derived by asking what can happen if an unwanted event occurs. Diri lets you choose which values may be affected and assess the impact against several risk criteria. An unwanted event can often lead to several consequences, and the same consequence can belong to several events; the many-to-many links in Diri handle this.
When you have identified values, threats and vulnerabilities in Diri, you assess how likely the various causes are to occur and how severe the consequences would be. Preventive measures are linked to causes, and consequence-reducing measures are linked to consequences. The risk picture is updated as existing measures are recorded and new ones are proposed. Diri helps you sort the measures into different types and classes, and the Diri measures matrix gives you an overview of them all.
Certain measures will affect several risks, and Diri lets you link one measure to many risks. This makes it possible to assess cost-effectiveness in Diri: the cost of a measure can be weighed against the risk reduction it gives across every risk it touches. When you have found the measures that combine a good cost-benefit ratio with acceptable residual risk, you set the person responsible and the deadline for each measure in Diri. The measure is then added to the measure overview, which makes it easy to follow up on implementation status.
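As an added illustration of the scenario model described above (a cause, an unwanted event and its consequences; preventive measures tied to causes, consequence-reducing measures tied to consequences; one measure linked to many risks; cost-effectiveness of measures), here is a small Python risk register. It is example code written for this article, not Diri's implementation or data model. The 1 to 5 scales, the scoring as likelihood times worst remaining severity (a 5x5 risk matrix), the greedy selection within a budget and the sample causes, consequences, scenarios and measures are all constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Cause:                 # "threat exploits vulnerability"
    id: str
    threat: str
    vulnerability: str
    likelihood: int          # assumed scale 1 (rare) .. 5 (expected)


@dataclass
class Consequence:           # impact on one value (asset)
    id: str
    value: str
    severity: int            # assumed scale 1 (negligible) .. 5 (critical)


@dataclass
class Scenario:              # cause -> unwanted event -> consequences
    id: str
    event: str
    cause: str                      # Cause.id
    consequences: tuple[str, ...]   # Consequence.ids; one consequence may sit in many scenarios


@dataclass
class Measure:
    id: str
    name: str
    cost: float
    likelihood_reduction: dict = field(default_factory=dict)  # preventive: Cause.id -> points
    severity_reduction: dict = field(default_factory=dict)    # consequence-reducing: Consequence.id -> points


def clamp(x: int) -> int:
    return max(1, min(5, x))


class RiskRegister:
    def __init__(self, causes, consequences, scenarios):
        self.causes = {c.id: c for c in causes}
        self.consequences = {c.id: c for c in consequences}
        self.scenarios = {s.id: s for s in scenarios}

    def scenario_risk(self, sid, measures=()):
        """Likelihood x worst remaining severity: one cell of a 5x5 risk matrix (1..25)."""
        s = self.scenarios[sid]
        cause = self.causes[s.cause]
        likelihood = clamp(cause.likelihood - sum(m.likelihood_reduction.get(cause.id, 0) for m in measures))
        worst = max(clamp(self.consequences[cid].severity
                          - sum(m.severity_reduction.get(cid, 0) for m in measures))
                    for cid in s.consequences)
        return likelihood * worst

    def total_risk(self, measures=()):
        return sum(self.scenario_risk(sid, measures) for sid in self.scenarios)

    def affected_scenarios(self, m):
        """One measure may touch several scenarios (the one-to-many link)."""
        return [sid for sid, s in self.scenarios.items()
                if s.cause in m.likelihood_reduction
                or any(cid in m.severity_reduction for cid in s.consequences)]

    def rank_measures(self, candidates, implemented=()):
        """(id, risk points removed, points per cost unit), best first, given measures already in place."""
        base = self.total_risk(implemented)
        rows = []
        for m in candidates:
            removed = base - self.total_risk((*implemented, m))
            rows.append((m.id, removed, removed / m.cost))
        return sorted(rows, key=lambda r: r[2], reverse=True)

    def select_within_budget(self, candidates, budget):
        """Greedy: take the most cost-effective affordable measure, re-rank, repeat."""
        chosen, pool = [], {m.id: m for m in candidates}
        while pool:
            left = budget - sum(m.cost for m in chosen)
            ranked = self.rank_measures([m for m in pool.values() if m.cost <= left], chosen)
            if not ranked or ranked[0][1] <= 0:
                break
            chosen.append(pool.pop(ranked[0][0]))
        return [m.id for m in chosen]


# Constructed sample register for a small business (illustrative data, not from Diri or NSM).
CAUSES = [
    Cause("C1", "criminal phishing campaign", "no MFA on e-mail accounts", likelihood=4),
    Cause("C2", "ransomware operator", "VPN appliance patched late", likelihood=3),
    Cause("C3", "disgruntled insider", "excessive access to customer data", likelihood=2),
]
CONSEQUENCES = [
    Consequence("K1", "customer database", severity=5),   # confidentiality breach
    Consequence("K2", "ERP system", severity=4),          # unavailable for days
    Consequence("K3", "e-mail", severity=2),              # short outage
]
SCENARIOS = [
    Scenario("S1", "account takeover leaks customer data", "C1", ("K1", "K3")),
    Scenario("S2", "ransomware halts operations", "C2", ("K2", "K3")),
    Scenario("S3", "insider exfiltrates customer data", "C3", ("K1",)),
]
MEASURES = [
    Measure("M1", "MFA on all e-mail and remote logins", 50, likelihood_reduction={"C1": 2, "C2": 1}),
    Measure("M2", "tested offline backups", 80, severity_reduction={"K2": 2}),
    Measure("M3", "patch VPN within 7 days", 20, likelihood_reduction={"C2": 2}),
    Measure("M4", "least privilege and encryption for customer DB", 120,
            likelihood_reduction={"C3": 1}, severity_reduction={"K1": 1}),
]
REGISTER = RiskRegister(CAUSES, CONSEQUENCES, SCENARIOS)

if __name__ == "__main__":
    print("baseline risk:", REGISTER.total_risk(), "ranking:", REGISTER.rank_measures(MEASURES))
    print("within budget 100:", REGISTER.select_within_budget(MEASURES, 100))
```

Two things the sample shows that the prose only states: the MFA measure is linked to two causes and therefore lowers two scenarios at once, which is what makes it cost-effective despite a moderate price; and the ranking has to be recomputed after each selection, because once the VPN patching measure is in place the ransomware cause is already at the bottom of the likelihood scale and the extra point MFA would have removed there no longer counts.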
In Diri you only pay for a licence and can create as many users as you need at no extra cost.
You use Diri to assign responsibilities and tasks within the security organisation. This gives transparency in the organisation and insight into the security work and the risk picture that the assessments produce. When employees take part in risk assessments, Diri supports the pedagogy and training around thinking about security. You also get insight into the progress of the security work and the need for resources.
All standards for establishing a management system (ISMS) recommend risk management as the central component; in NSM's security management principles it is point no. 1. For large companies, Diri will be the system they need for risk management alongside the introduction of ISO requirements. For smaller companies, Diri will be sufficient as a management system to keep track of the most important security mechanisms. The difference from traditional ISMS thinking is that in Diri the requirements must be linked to the risk picture in order to be prioritised. Certain parts of the ISMS, such as policy and guidelines, are outside Diri.
Diri helps you with the training of employees and with sound risk management. Relevant scenarios for exercises are also easy to find among the scenarios in Diri. Courses and training themselves take place outside Diri.
With Diri it is easy to carry out security audits: you already have an overview of critical systems, the risk picture and the status of measures. This provides transparency and lowers the in-house competence needed to audit the security situation. You can build the annual cycle (year wheel) for information security into the task overview in Diri. Audit findings are entered, linked to the right object and followed up in Diri. The documentation requirement is primarily covered by the Diri dashboard and the reports that can be printed.
Diri has reporting built into the very core of the tool: all collected data can be reported, and Diri already collects the most important data for you and presents it with various statistical tools. Diri gives you the status of measures, changes in the risk picture resulting from risk assessments and internal audits, areas for improvement and a good basis for investment decisions. Above all, Diri gives you traceability and an easy way to track goal achievement. New tasks and measures arising from management's review can be documented, assigned and tracked in Diri.
Diri is primarily a tool for risk management, not incident management. Incident management is outside Diri's scope, but the tool helps you get an overview of which measures must be introduced to prepare for it, and risk assessments will reveal the need for incident-handling capacity. Once an incident has been handled, it should be linked to the affected systems, and the resulting risk and associated measures should be entered in Diri for traceability.
This article was written by Gaute Wangen and was first published in 2021.