KIRAS Security Research

2017

GENESIS - Guideline für Behörden und KMU-Anbieter strategischer Services zur risiko-orientierten Implementierung der NIS-Richtlinie (Guideline for authorities and SME providers of strategic services on the risk-oriented implementation of the NIS Directive)

The aim of this initiative is to develop a risk management framework for the SMEs affected by the NIS Directive. The framework is intended to meet both the requirements of the NIS Directive and the outcome of the ongoing national legislative process.

In recent years, the number of cyber-attacks on enterprises has increased drastically, and attackers have shifted their focus more and more towards critical infrastructures. Because critical infrastructures provide essential utilities, incidents within them have far-reaching impacts on society. In order to prevent such incidents and to mandate protective measures, the European Parliament issued the Directive on security of network and information systems (NIS Directive) in 2016, which is to become Austrian law in 2018 as the "Cybersicherheitsgesetz". The NIS Directive addresses operators of essential services in selected critical infrastructure sectors as well as digital service providers, and therefore affects small and medium-sized enterprises (SMEs) to a large extent. However, it is often difficult for SMEs to implement the comprehensive catalogues of measures specified in the standardized security and risk management frameworks referenced by the NIS Directive.

The project GENESIS aims to develop a risk management framework for the SMEs affected by the NIS Directive. The framework is intended to meet both the requirements of the NIS Directive and the outcome of the ongoing national legislative process. To this end, a guideline is derived from recognized standards and best practices in the fields of risk management, information security and cybersecurity management. In particular, the risk management framework focuses on modularity, practical orientation and cost-efficiency, as well as on individual applicability both for the authorities and for SMEs from different sectors. Additionally, the project aims to formulate the risk management framework in such a way that the future "NIS authority", which is yet to be established, can carry out resource-efficient monitoring and audits.

Accordingly, the main outcome of the GENESIS project is a flexible and cost-effective risk management framework for SMEs that implements the requirements of the NIS Directive and the "Cybersicherheitsgesetz". Based on this framework, an application guideline is derived that supports organizations of different sizes and from different sectors in implementing the risk management framework. A third core result of the project is a catalogue defining audit objects and their minimum security requirements.

The primary audience of the study resulting from the project is both critical infrastructure operators and public authorities. On the one hand, the results will support a cost-efficient, modular and individually tailored implementation of the NIS Directive for SMEs. On the other hand, a clear definition of minimum security requirements will be provided as guidance and as a verification baseline for authorities and SMEs. The long-term goal of GENESIS is a sustainable increase of the security level within critical infrastructures of different sizes in Austria.

Project lead
Dr. Stefan Schauer 

Name and institute/company
AIT – Austrian Institute of Technology GmbH 

Further project and cooperation partners
Bundeskanzleramt (Federal Chancellery)
Contact: DI Franz Vock

Bundesministerium für Inneres (Federal Ministry of the Interior)
Contact: MR Kurt Hager, BA, MA

Bundesministerium für Landesverteidigung und Sport (Federal Ministry of Defence and Sports)
Contact: MR Hannes Baumgartner, BA, MA, MSc

Energieinstitut an der Johannes Kepler Universität Linz (Energy Institute at Johannes Kepler University Linz)
Contact: Dr. Johannes Reichl

Project lead (contact details)
DI Dr. Stefan Schauer
Lakeside B10a
9020 Klagenfurt 

Tel: 050550-4055
Mobile: 0664 825 14 55
Fax: 050550-4190
E-Mail: stefan.schauer@ait.ac.at 
WWW: www.ait.ac.at 
