Article 2Security elements
1.
Security of systems and facilities referred to in F1regulation 12(2)(c)(i) of the NIS Regulations means the security of network and information systems and of their physical environment and shall include the following elements:
(a)
the systematic management of network and information systems, which means a mapping of information systems and the establishment of a set of appropriate policies on managing information security, including risk analysis, human resources, security of operations, security architecture, secure data and system life cycle management and where applicable, encryption and its management;
(b)
physical and environmental security, which means the availability of a set of measures to protect the security of F2RDSPs' network and information systems from damage using an all-hazards risk-based approach, addressing for instance system failure, human error, malicious action or natural phenomena;
(c)
the security of supplies, which means the establishment and maintenance of appropriate policies in order to ensure the accessibility and where applicable the traceability of critical supplies used in the provision of the services;
(d)
the access controls to network and information systems, which means the availability of a set of measures to ensure that the physical and logical access to network and information systems, including administrative security of network and information systems, is authorised and restricted based on business and security requirements.
2.
With regard to incident handling referred to in F3regulation 12(2)(c)(ii) of the NIS Regulations, the measures taken by the F4RDSP shall include:
(a)
detection processes and procedures maintained and tested to ensure timely and adequate awareness of anomalous events;
(b)
processes and policies on reporting incidents and identifying weaknesses and vulnerabilities in their information systems;
(c)
a response in accordance with established procedures and reporting the results of the measure taken;
(d)
an assessment of the incident's severity, documenting knowledge from incident analysis and collection of relevant information which may serve as evidence and support a continuous improvement process.
3.
Business continuity management referred to in F5regulation 12(2)(c)(iii) of the NIS Regulations means the capability of an organisation to maintain or as appropriate restore the delivery of services at acceptable predefined levels following a disruptive incident and shall include:
(a)
the establishment and the use of contingency plans based on a business impact analysis for ensuring the continuity of the services provided by F2RDSPs which shall be assessed and tested on a regular basis for example, through exercises;
(b)
disaster recovery capabilities which shall be assessed and tested on a regular basis for example, through exercises.
4.
The monitoring, auditing and testing referred to in F6regulation 12(2)(c)(iv) of the NIS Regulations shall include the establishment and maintenance of policies on:
(a)
the conducting of a planned sequence of observations or measurements to assess whether network and information systems are operating as intended;
(b)
inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, and efficiency and effectiveness targets are being met;
(c)
a process intended to reveal flaws in the security mechanisms of a network and information system that protect data and maintain functionality as intended. Such process shall include technical processes and personnel involved in the operation flow.
5.
6.
F2RDSPs shall ensure that they have adequate documentation available to enable the competent authority to verify compliance with the security elements set out in paragraphs 1, 2, 3, 4 and 5.