CYBERSECURITY HANDBOOK – Best practices for the protection and resilience of network and information systems – Ministry of Digital Governance – Greece

THIS HANDBOOK WAS DEVELOPED BY THE NATIONAL CYBER SECURITY AUTHORITY OF GREECE – MINISTRY OF DIGITAL GOVERNANCE – DIRECTORATE FOR CYBER SECURITY STRATEGIC PLANNING – DEPARTMENT FOR REQUIREMENTS AND SECURITY ARCHITECTURE.

PREFACE
As information and communication technologies create a world of ever-increasing complexity in interconnected systems and devices, the public debate on cybersecurity and privacy issues is constantly at the forefront, highlighting the need to strengthen the protection and resilience of these systems against the constantly evolving threats of modern cyberspace.
At such a time, the National Cybersecurity Authority of Greece offers a cybersecurity handbook containing best practices in technical and organizational risk management measures and addressed to public sector organizations as well as medium and large private enterprises.
This handbook is mainly addressed to:
a) the information security and IT organizational units of ministries, other public administration entities, as well as medium and large private sector enterprises,
b) chief information security officers (CISOs), data protection officers (DPOs), as well as other executives who deal with the cybersecurity of network and information systems of public and private sector organizations.
In addition, specific categories of professionals, such as software engineers, will find useful specialized content, such as chapter 9 “Web Application Security”, while teleworking employees of the above organizations are expected to find useful content in chapter 10 “Teleworking”.
Finally, this handbook, although being a text containing practical instructions, is at the same time addressed to the cybersecurity research community, as well as to people who are generally interested in studying one of the most modern and fascinating scientific fields of our time.
The handbook’s contents are organized as follows:
Part A: the handbook’s introductory part. Security architectures for modern IT systems are briefly described, as well as the basic steps for organizations to establish a comprehensive information security management system based on risk assessment.
Part B: the main body of the handbook. A set of best practices in technical and organizational protection controls is developed, based on the defense-in-depth architecture, divided into eighteen (18) chapters that correspond to equivalent security control families. Each chapter adheres to the following structure:

  1. General description of the control.
  2. Description of the risks that arise from non-implementation of the control and the ways in which attackers may take advantage of its absence.
  3. A table containing specialized protection measures (sub-controls), i.e. focused actions for the implementation of the control in specific functions and types of systems.
In total, the handbook includes 183 sub-controls, which are organized into two categories:
α) basic sub-controls, indicated by the symbol ►. These measures are considered fundamental to the security of information systems and should be implemented by every entity in order to protect against common types of attacks. Their non-implementation implies a high risk for the confidentiality, integrity and availability of corporate services and data. Organizations should, at least gradually, implement them, and if this is not feasible, they should deploy equivalent risk mitigation measures.
β) enhanced sub-controls, indicated by the symbol ►. These measures are recommended for organizations that operate critical systems and high-value services, the breaching of which could result in disruption of important government services, massive leakage of citizens’ personal data, financial damage, and loss of public trust in an entity’s reputation. These measures are aimed at protecting against advanced threats and achieving resilience of the systems in case of cyber attack. Their implementation should be based on a prior risk assessment as well as the determination of the residual risk to the information systems after their deployment.
The National Cyber Security Authority of the Ministry of Digital Governance aspires to provide a comprehensible and practical guide for enhancing the security of network and information systems of both public and private sector entities. It is pointed out that the handbook is based on well-known and internationally recognized standards and guidelines. Its purpose is to improve the ability of organizations to adequately counter modern threats, to respond to cyber-attacks with the least possible impact, and to protect critical systems, their services, and the operational and personal data they provide and process.