12 new national NIS2 framework versions published! Read more ->
Cyberday back to normal - related blog
MIL1 requirements
a. Network protections are implemented, at least in an ad hoc manner
b. The organization’s IT systems are separated from OT systems through segmentation, either through physical means or logical means, at least in an ad hoc manner
MIL2 requirements
c. Network protections are defined and enforced for selected asset types according to asset risk and priority (for example, internal assets, perimeter assets, assets connected to the organization’s Wi-Fi, cloud assets, remote access, and externally owned devices)
d. Assets that are important to the delivery of the function are logically or physically segmented into distinct security zones based on asset cybersecurity requirements
e. Network protections incorporate the principles of least privilege and least functionality
f. Network protections include monitoring, analysis, and control of network traffic for selected security zones (for example, firewalls, allowlisting, intrusion detection and prevention systems (IDPS))
g. Web traffic and email are monitored, analyzed, and controlled (for example, malicious link blocking, suspicious download blocking, email authentication techniques, IP address blocking)
MIL3 requirements
h. All assets are segmented into distinct security zones based on cybersecurity requirements
i. Separate networks are implemented, where warranted, that logically or physically segment assets into security zones with independent authentication
j. OT systems are operationally independent from IT systems so that OT operations can be sustained during an outage of IT systems
k. Device connections to the network are controlled to ensure that only authorized devices can connect (for example, network access control (NAC))
l. The cybersecurity architecture enables the isolation of compromised assets
Cyber criminals can exploit configuration errors or technical vulnerabilities in applications, firewalls, or networks to access our information.
An organization must use defense-in-depth technologies to protect against, detect, and respond to cyber-attacks. The techniques should be suitable for controlling physical, logical and administrative controls.
An owner is defined for an organization's networks. The owner is responsible for planning the structure of the network and documenting it.
Separate network areas are used in network design as needed. Domain areas can be defined by e.g.:
Separation can be implemented either with physically separate networks or with logically separate networks.
Tietoliikenneverkon vyöhykkeistäminen ja suodatussäännöstöt on toteutettava monitasoisen suojaamisen periaatteen mukaisesti.
Tietoliikenneverkon jakaminen ko. turvallisuusluokan sisällä erillisille verkkoalueille (vyöhykkeet ja segmentit) voi tarkoittaa esimerkiksi tietojen suojaamisen näkökulmasta tarkoituksenmukaista työasema- ja palvelinerottelua, kattaen myös mahdolliset hankekohtaiset erottelutarpeet.
Vaatimus voidaan täyttää alla mainituilla toimenpiteillä:
The data processing environment is separated from public data networks and other environments with a lower security level in a sufficiently safe manner.
Separation of data systems is one of the most effective factors in protecting confidential information. The goal of separation is to delimit the processing environment of confidential information into a manageable entity, and in particular to be able to limit the processing of confidential information to sufficiently secure environments only. Separation of environments can be implemented, for example, with the help of a firewall solution.
The organization must have a strategy for developing and maintaining a cyber security architecture.
The strategy must match the organization's cyber security program and the organization's architecture.
The architecture must include:
.png)
