A small organization of 35 people is challenged to cope with the requirements of two complementary pieces of European legislation: the NIS Directive (concerning critical infrastructure, rather reactive by nature) and the European Cybersecurity Act (e.g. security by design, rather proactive). This demands an effective integration of management standards (e.g. the ISO 27K family) with technical standards and best practices, while translating all of this into everyday, real-life security measures, including the relevant audits and monitoring.
The presentation provides a concise and clear overview of this sector of the Internet ecosystem, indicating the role and position of an organization such as DNS Belgium. Kristof Tuyteleers provided considerable insight into how his organization tackles its challenges, both internally and as a member of a collaborative European centre (with Tuyteleers chairing its Security working group). He stresses the use of a statement of applicability to map standards onto needs, and points out the need for ways to monitor the effectiveness of it all (by combining audit results, KPIs, statistics, etc.).
However, “I’m still missing some real security testing!” Also, some more sector-specific guidance would be welcome, including clear dos and don’ts. With European colleagues, he authored a very helpful ‘security maturity model’ to evaluate the security posture of an organization. But he also emphasized that “we need the cooperation of all of you” to implement secure services such as DNSSEC!