Information security means ensuring the business continues, making sure that everything goes smoothly and proceeds well. The question is, why are there technical security, firewalls, antivirus. Why do we need to secure the terminating equipment, workstations, and cloud services, whatsoever It is important to understand the concepts of security.
Information security is organization policies which also encompasses information in non-digital/electrical form. ICT security solutions and management are technical solutions to ensure the confidentiality, integrity, and availability of the data and cyber security management is technical, functional, and management procedure which ensure the continuity of the ICT dependent functions.
In the risk management process, it is like real life, individual valuables. Nobody wants to share health data, family data, wage and so on. On the other hand, personal data, financial stuff, customer information etc. are important assets and like real-life people the organization will not want to share its valuables.
There is an international side of cyber security. Many industries create global level requirements and security criteria like PCI-DSS, HIPAA. Also, there are some standards like COBIT, NIST, ISO 27XXX.
The institutions are working on several regulations in EU. It is a continous process. Some of them are:
Cyber resilience Act
Cyber resilience Act
Common cyber security criteria for vendors and resellers of digital products and services. They must create conditions for the development of secure products with digital elements by ensuring that the hardware and software products are places on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s lifecycle. CRA concerns mainly hardware and software developers.
Focuses on especially critical infrastructure. Energy, transport, banking, health, water, digital infrastructure. It strengthens the cross-border cooperation with a net work of for example the CSIRTs.
Focuses on increasing cyber resilience in EU. Scope expands to new sectors and organizations depending on how crucial they are for the economy and society. Will not apply national security, parliament, public security etc. Includes all medium and large companies. It enters into force in 2024 and sanction is 10M€.
There are several regulations in Finland as well.
Laki söhköinen viestinnän palvelusta
Finally, it is important to recognize the own cyber domain, prioritizing the important assets, knowing the data processing in whole chain of services, risk assessment and change control. At that point, the regulations are compelling and instructive for organizations and security professionals