How does your municipality deal with the mandatory requirements of the BIO, the Baseline Information Security for the Government? Our experience shows that most municipalities minimally comply with the BIO just to ‘tick the box’. However, this leaves your organization vulnerable to ransomware and other digital attacks. Such an attack can cause significant damage. Read here how to properly set up your information security and how Secura can assist with this.
BIO for Municipalities: A Fill-in Exercise or Truly Safe?
16 January 2023 |
Author(s):
Bram Blaauwendraad - Security Consultant
Additional Requirements
Since January 1, 2020, municipalities in the Netherlands have been required to comply with the BIO. This framework applies to all government organizations and mandates more than a hundred additional information security requirements on top of the ISO/IEC 27002 measures, depending on the so-called basic security level (BBN 1, 2, or 3) that the organization needs to meet. The BIO follows the 'apply-or-explain' principle, where all standards must be met unless the organization has a justified reason not to.
Our experience shows that while organizations often comply with the BIO in practice, they are not actually secure. The BIO is implemented with minimal fulfillment just to 'tick the box.' For example, logging is collected, but not acted upon, and many policy documents remain merely on paper. This is somewhat understandable, as compliance with the BIO is a legal requirement, but there is no external certification obligation as of yet. Additionally, implementation naturally involves financial costs.
Digital Security
The BIO requirement, however, has a good reason behind it. The number and complexity of digital attacks have significantly increased in recent years. Ransomware attacks are becoming commonplace, and successful attacks due to insufficient digital resilience of municipalities can lead to negative media attention, as seen with municipalities like Antwerp, Buren, and even legal consequences in the case of Hof van Twente (hacked with the password "welkom2020").
Besides, 'complying with the BIO' also signifies good stewardship, and it can show stakeholders that digital security is taken seriously. The challenge, therefore, is to comply with the BIO as a byproduct of a sound information security policy, which is also pragmatically designed to have enough support within the organization.
People, Process, and Technology
How do you implement the BIO pragmatically and not just as a compliance obligation? In Secura's view, this can be achieved by critically examining people, processes, and technology:
- People: Awareness training should not be a burden to staff but can turn them into a weapon in the digital battle;
- Process: Policies and processes should provide insight and control over information security;
- Technology: Security measures and research should enhance the digital resilience of the organization.
As an independent cybersecurity expert, Secura can assist you with all aspects of both the ISO/IEC 27002 and the additional BIO measures to make maturity transparent and help effectively implement them.
BIO Topics |
Secura Services |
---|---|
Organization Policy |
To establish where your organization stands, Secura begins with a Security Maturity Assessment. Unlike the VNG's GAP analysis, which only tests the additional BIO measures, Secura evaluates maturity against both the additional BIO measures and the (mandatory) ISO/IEC 27002 measures in a single comprehensive report, supported by charts. Afterwards, Secura can offer support in setting up the remaining parts of the BIO through implementation support. Note: The BIO is currently based on the 2013 version of ISO/IEC 27002, but this will be updated soon. Secura can also assess the organization against ISO27002:2022 to prevent extra work and costs in the future. |
Risk Assessment |
As per the BIO, information security depends on risk management to ensure the proper protection of information and information systems within the organization's context and objectives. A comprehensive risk analysis must be performed, taking into account the organization's context, unique profile, and risk tolerance. Secura offers support through Risk Assessments at every stage of the risk assessment process: from the risk assessment method to analyzing the risks and prioritizing the outcomes. |
Awareness and Behavior Focused on Learning, Motivating, and Facilitating |
The human factor is essential in protecting your organization and digital assets. In practice, we often see that staff knowledge does not equate to awareness due to various factors. Secura provides a security awareness and behavior change program and related services and training to increase your employees' cyber resilience. We focus not only on awareness (knowledge), but also on increasing motivation and better facilitating your organization. |
Technical Security |
Attackers often exploit technical vulnerabilities, both to gain entry and to cause maximum damage. By periodically having your network, systems, and applications professionally examined, vulnerabilities can be identified and proactively addressed. Ransomware is one of the biggest threats that keep municipalities awake at night. The first step is to map the environment, which is done through Threat Modeling. Physical security of the environment can also be considered. Subsequently, external scans are conducted, followed by application reviews and internal penetration tests. During these tests, special attention can be given to aspects such as backups and vulnerability to ransomware, taking into account the tactics, techniques, and procedures (TTPs) of modern ransomware groups. All of this is carried out by Security Specialists from Secura's Public Market Group, who are familiar with the unique challenges of the public sector. |
Preventing and Healing
Secura focuses on independently assessing and advising on information security. However, cybersecurity is a complex and dynamic field, and attackers sometimes manage to break in despite efforts. Therefore, you should always consider this scenario, following the so-called ‘assume breach’ principle. At such moments, it is vital that an organization has sufficient detection capacity, as well as security experts available 24/7 to minimize the impact of a successful attack and prevent damage.
Therefore, Secura collaborates with Eye Security, a leading service provider in the field of cybersecurity, specializing in monitoring, insurance, and incident response. Eye Security provides a complete solution to protect your systems and networks and neutralizes a cyber attack within four hours.
The services of Eye Security and Secura complement each other, enabling municipalities to cover a large part of their BIO challenges when both companies are engaged together. That's why we like to say to all municipalities: welcome to 2023!
For more information about Eye's services for municipalities, please visit here.