FAQs About NIS2.0
-
What is NIS 2.0?
The European Parliament and the Council of the European Union issued the Directive on measures for a high common level of cybersecurity across the Union in December 2022, adjusting the legal framework for cybersecurity across the Union. The Directive aims to eliminate differences and conflicts among EU member states and further strengthens the regulatory and collaborative requirements for addressing cybersecurity risks: it sets minimum rules for cyber and information security risk response, sets out the required responses to security incidents, covers information security in the supply chain, vulnerability detection and encryption, and establishes mechanisms for cooperation between the authorities of each Member State.
-
What are the core contents of NIS 2.0?
● The NIS2 Directive expands the sectors and types of Essential Entities and Important Entities to include providers of public electronic communications networks, data centre service providers, wastewater and waste management, manufacturing of critical products, postal and courier services, and public administration. The rules also cover the health insurance sector more broadly, including medical research and development and the manufacture of pharmaceutical products.
● The NIS2 Directive strengthens the cybersecurity risk management requirements that entities must comply with. Under the Directive, entities must take appropriate and proportionate measures and techniques to manage cybersecurity risks and to prevent and minimize the impact of potential incidents. The Directive lists a number of priority measures, including incident response and crisis management, vulnerability handling and disclosure, policies and procedures to assess the effectiveness of cybersecurity risk management measures, and cybersecurity hygiene and training.
● The Directive clarifies incident reporting obligations and provides more precise provisions on reporting, content and implementation to help strengthen information sharing and cooperation in cyber crisis management at the national and EU levels. The NIS2 Directive uses a hierarchical approach to standardize the reporting process.
● The supervisory measures and enforcement requirements for national authorities have become stricter, and the list of administrative penalties has become stricter, including fines for violations of cybersecurity management and reporting obligations.
-
As a customer of Huawei Cloud, what is required of me under Article 21 of NIS 2.0?
Article 21 of NIS 2.0 specifies that Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services, and shall include at least the following:
(a) Policies on risk analysis and information system security;
(b) Incident handling;
(c) Business continuity, such as backup management and disaster recovery, and crisis management;
(d) Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e) Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
(f) Policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
(g) Basic cyber hygiene practices and cybersecurity training;
(h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption;
(i) Human resources security, access control policies and asset management;
(j) The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
As a cloud service provider, HUAWEI CLOUD assists and supports customers in meeting the security requirements for essential or important entities specified in Article 21 of NIS 2.0, as described below for each measure.
-
(a) Policies on risk analysis and information system security
● In line with ISO 27001, HUAWEI CLOUD has built a comprehensive information security management system (ISMS) and formulated the overall information security strategy of HUAWEI CLOUD. The strategy defines the structure and responsibilities of the information security management organization, the management methods for ISMS documents, and the key directions and objectives of information security.
● Huawei Cloud reviews its cybersecurity management policies and procedures at least once a year and updates them as needed to reflect changes in business objectives or in the risk environment. Huawei Cloud has a dedicated audit team that regularly evaluates the compliance and effectiveness of these strategies, procedures, supporting measures and indicators.
-
(b) Incident handling;
● In line with customer compliance requirements, HUAWEI CLOUD has developed a sound incident management process. This process clearly defines the roles and responsibilities for each activity in incident management. Incidents are assigned a priority according to their degree of impact and scope, and each priority has a defined response time and resolution time. HUAWEI CLOUD has a 24/7 professional security incident response team responsible for real-time monitoring and notification. The team follows standard criteria for response and resolution time, and can quickly detect, demarcate, isolate, and recover from major incidents. Incidents are escalated and communicated according to their real-time status.
● HUAWEI CLOUD Cloud Eye Service (CES) provides users with a multi-dimensional monitoring platform for elastic cloud servers, bandwidth, and other resources. It helps users quickly receive alarms about cloud resources and take corresponding measures. HUAWEI CLOUD also provides Anti-DDoS, Web Application Firewall (WAF), Database Security Service (DBSS), and Cloud Trace Service (CTS) to help users accurately and effectively implement comprehensive protection against traffic-based, application-level and data-level attacks, as well as to review and audit incidents.
-
(c) Business continuity, such as backup management and disaster recovery, and crisis management;
● To provide customers with continuous and stable cloud services, HUAWEI CLOUD has developed a business continuity management system that meets its own business characteristics and has obtained the ISO 22301 certification. Based on the requirements of this system framework, HUAWEI CLOUD periodically analyzes service impact, identifies key services, and determines the recovery objectives and minimum recovery levels of key services. When identifying key services, the impact of service interruption on customers is considered as an important criterion for determining key services. If customers need HUAWEI CLOUD's participation in their business continuity plans, HUAWEI CLOUD will actively cooperate.
● If customers need to back up service data, software, and system images, Huawei Cloud provides multiple products and services for different needs. For example, customers can use Cloud Backup and Recovery (CBR) to back up cloud servers, disks, file services, and off-cloud and VMware virtual environments. Data can be restored to any backup point when it becomes unavailable due to virus intrusion, accidental deletion, or a software or hardware fault. Customers can use the snapshot function of Elastic Volume Service (EVS) to restore data to the point in time of a snapshot when data is lost. Huawei Cloud also provides Image Management Service (IMS), which customers can use to back up cloud server instances and to restore them from the backup images when the software environment of an instance is faulty. Customers can use the versioning function of Object Storage Service (OBS) to back up in-cloud documents, disks, and servers.
-
(d) Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
● HUAWEI CLOUD provides the HUAWEI CLOUD User Agreement and HUAWEI CLOUD Service Level Agreement, which specify the service content and service level provided by HUAWEI CLOUD, and the responsibilities of HUAWEI CLOUD.
● Huawei Cloud has established a formal procurement audit process. Huawei Cloud requires that contracts, service agreements, and non-disclosure agreements (NDAs) be signed with suppliers before they conduct on-site work. The contract and service agreement specify the responsibilities and obligations of both parties, and clarify the cybersecurity requirements, service content, and service level that the supplier must meet. In addition, the NDAs contain clauses restricting breaches of confidentiality. The Legal Department of Huawei Cloud reviews and updates the NDA every year to ensure that it continues to meet business requirements for supplier management.
-
(e) Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
● HUAWEI CLOUD has developed a complete project management approach based on CMM5/CMMI, ISO 9001:2000 and PMI frameworks; these practices have enabled successful project implementations around the world by qualified project and project management professionals. Huawei Cloud and related cloud services comply with security and privacy design principles and norms, laws and regulations. Threats are analyzed according to business scenarios, data flow diagrams and networking models in the security requirements analysis and design phase. When a threat is identified, the design engineer formulates mitigation measures according to the mitigation library and the security design library and completes the corresponding security design. All threat mitigation measures are eventually converted into security requirements and security functions, which, together with the company's test case library, are used to design security test cases, ensuring successful implementation and ultimately the security of products and services.
● For vulnerabilities that may affect customer services, Huawei Cloud discloses the vulnerabilities to customers through the Saudi Arabia business service support team, including vulnerability details, root-cause analysis, impact scope, preventive measures, and resolution methods.
-
(f) Policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
● HUAWEI CLOUD will assign dedicated personnel to actively cooperate with audit requests initiated by customers. The customer's rights and interests in auditing and supervising HUAWEI CLOUD are committed to in the agreement signed with the customer, according to the actual situation.
● Huawei Cloud regularly hires independent third parties to provide external audit and verification services. These evaluators perform regular security assessments and compliance audits or checks (e.g., SOC, ISO standards and PCI DSS audits) to assess the security, integrity, confidentiality, and availability of information and resources, giving an independent assessment of risk management content and processes. Huawei Cloud reports the findings and recommendations to top management, which reviews them and follows up on rectification.
-
(g) Basic cyber hygiene practices and cybersecurity training;
● Huawei Cloud has established a series of cybersecurity training and learning mechanisms to ensure that employees' information security awareness meets Huawei requirements. Employees are required to continuously learn cybersecurity knowledge and understand related policies and regulations. Huawei Cloud carries out various cybersecurity awareness activities for all employees, including cybersecurity community operation, publicity of typical cybersecurity cases, a cybersecurity activity week, and cybersecurity animations, to raise cybersecurity awareness company-wide, avoid non-compliance risks, and ensure normal business operations.
-
(h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption;
● Huawei Cloud formulates and implements cryptographic algorithm application specifications. This document describes how to select secure encryption algorithms and the rules for using them, and provides guidance on the correct use of cryptographic algorithms with application examples. Huawei Cloud uses AES, which is widely used in the industry, to encrypt data on the platform, and uses recent versions of the TLS protocol to secure data in transit, ensuring data confidentiality in different states. Digital signatures and timestamps prevent requests from being tampered with and protect against replay attacks.
● Huawei Cloud provides the Data Encryption Workshop (DEW) for customers. The DEW key management function lets customers centrally manage keys throughout their lifecycle. Without the customer's authorization, no one can obtain a key to decrypt data, ensuring data security on the cloud. DEW uses a hierarchical key management mechanism to facilitate key rotation at each layer. Huawei Cloud uses hardware security modules (HSMs) to create and manage keys for customers. The HSMs hold FIPS 140-2 (Level 2 and Level 3) certification, a mainstream international security standard, helping users meet data compliance requirements and prevent intrusion and tampering. Even HUAWEI CLOUD O&M personnel cannot obtain customer root keys. DEW allows customers to import their own keys as customer master keys (CMKs) for unified management, facilitating seamless integration with customers' existing services.
-
(i) Human resources security, access control policies and asset management;
● Cybersecurity in Human Resources: Huawei Cloud has established personnel information security management regulations, which specify hierarchical information security management requirements and cybersecurity responsibilities. The employment agreement signed between the employee and the company contains confidentiality clauses that clearly state the employee's cybersecurity responsibilities, so that the confidentiality obligations are confirmed before onboarding. On leaving, Huawei Cloud employees must sign a resignation confidentiality commitment letter to confirm their ongoing information security responsibilities.
● Access Control: Huawei Cloud has established comprehensive physical security and environmental safety measures, strategies, and procedures. The Huawei Cloud information security environment is managed by zones; each zone has defined physical facilities (including access control, security guard posts, video surveillance, etc.) and its own requirements for equipment access control (including photography equipment, storage media, etc.). Data transfer policies and access control policies between zones have also been formulated and implemented.
● Asset Management: Huawei Cloud uses the Cloud Asset Management system to monitor, in real time, the inventory and maintenance status of Huawei Cloud information assets recorded on the asset management platform, to classify, monitor, and manage information assets, and to generate an asset list. Huawei Cloud has formulated asset management procedures, which specify the classification and grading methods for information assets and the authorization rules to be followed for each type of asset. In addition, Huawei Cloud has established information asset confidentiality management requirements, which specify the confidentiality measures that Huawei Cloud takes for information assets at different levels, and standardize the use of assets to ensure that the company's assets are properly protected and shared.
● Host Security Service (HSS) of Huawei Cloud provides a unified management interface for customers to query and manage cloud services. It acts as the security manager of servers and provides asset management functions for customers, including managing and analyzing security asset information such as accounts, ports, processes, web directories, and software.
-
(j) The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
● Identity and Access Management: Huawei Cloud implements role-based access control and permission management for internal personnel, restricting staff with different positions and responsibilities to specific operations on authorized targets only. Least-privilege assignment and strict behavioral auditing ensure that personnel do not gain unauthorized access. Huawei Cloud does not allow O&M personnel to access customers' systems and data without authorization. When O&M personnel access the Huawei Cloud management network to centrally manage the system, they must use employee IDs and two-factor authentication, such as USB keys and smart cards. Huawei Cloud administrators must pass two-factor authentication before accessing the management plane through bastion hosts. All operations are logged and sent to the centralized log audit system in a timely manner. Bastion hosts support strong log auditing so that O&M operations can be traced to the target hosts. Huawei Cloud adopts strict security O&M regulations and processes to ensure remote O&M security with customer authorization. Centralized O&M management and auditing is achieved through VPNs and bastion hosts deployed in Huawei Cloud data centers. External and internal network O&M personnel perform all local and remote O&M operations on networks and devices such as servers in a centralized manner, which ensures unified management of O&M account authentication, authorization, access and auditing.
HUAWEI CLOUD provides Identity and Access Management (IAM) for customers to manage the accounts that use their cloud resources. Customers can use IAM to perform role-based, fine-grained permission control. The administrator can assign permissions for cloud resources to users based on their responsibilities and set security policies for access to the cloud service system, for example an access control list (ACL), to prevent malicious access from untrusted networks. Customers should establish a user access management mechanism that restricts and supervises access to the system based on the least privilege principle.
● Communication security: HUAWEI CLOUD has formulated relevant security management regulations, defined information transmission policies and processes, and defined detailed control requirements.
In the scenario where data is transmitted between customers and servers and between servers of the Huawei Cloud via common information channels, data in transit is protected as follows:
1. Virtual private network (VPN): VPN is used to establish a secure encrypted communication channel that complies with industry standards between a remote network and a tenant VPC. Currently, Huawei Cloud uses IPsec VPN together with Internet Key Exchange (IKE) to encrypt the data transport channel and ensure transport security.
2. Application-layer TLS and certificate management: Huawei Cloud supports data transmission in REST and Highway modes.
In addition, both REST and Highway modes support TLS 1.2 for encryption of data in transit and X.509 certificate-based identity authentication of destination websites. Huawei Cloud uses recent versions of the TLS protocol to secure data in transit, ensuring data confidentiality in different states. Digital signatures and timestamps prevent requests from being tampered with and protect against replay attacks.
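The sections on cryptography (h) and communication security (j) both state that digital signatures and timestamps prevent request tampering and replay. The following Python is an added illustration of the server-side checks behind that claim, not Huawei Cloud's own API signing scheme: it assumes a shared HMAC-SHA256 secret, a constructed 5-minute freshness window, and a hypothetical per-request nonce.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed example: HMAC-SHA256 request signature bound to a timestamp and a
# nonce. This is NOT Huawei Cloud's API signing format; field names are hypothetical.
REPLAY_WINDOW_SECONDS = 300  # accept requests whose timestamp is within +/- 5 minutes


def canonical_string(method: str, path: str, body: str, timestamp: int, nonce: str) -> str:
    # Every field that must not change in transit is bound into the signed string,
    # so altering the path, body, timestamp or nonce invalidates the signature.
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])


def sign_request(secret: bytes, method: str, path: str, body: str, timestamp: int, nonce: str) -> str:
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server-side verifier: checks freshness, then the MAC, then nonce uniqueness."""

    def __init__(self, secret: bytes, window: int = REPLAY_WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.seen: Dict[str, int] = {}  # nonce -> timestamp, for replay detection

    def verify(self, method: str, path: str, body: str, timestamp: int,
               nonce: str, signature: str, now: int) -> Tuple[bool, str]:
        # 1. Freshness: reject stale or far-future timestamps before any crypto work.
        if abs(now - timestamp) > self.window:
            return False, "stale timestamp"
        # 2. Integrity and authenticity: constant-time comparison of the recomputed MAC.
        expected = sign_request(self.secret, method, path, body, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # 3. Replay: a nonce may be used only once within the window.
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = timestamp
        # Forget nonces whose timestamp is now outside the window; they would fail step 1.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        return True, "ok"


def demo() -> Dict[str, str]:
    # Constructed secret, timestamp and request body for the walkthrough.
    secret = b"constructed-shared-secret"
    guard = ReplayGuard(secret)
    now = 1_700_000_000
    body = json.dumps({"action": "CreateKey", "alias": "app-key"})
    sig = sign_request(secret, "POST", "/v1/keys", body, now, "nonce-1")
    results = {}
    results["valid"] = guard.verify("POST", "/v1/keys", body, now, "nonce-1", sig, now)[1]
    # Same capture presented again 10 s later: MAC still valid, nonce already consumed.
    results["replay"] = guard.verify("POST", "/v1/keys", body, now, "nonce-1", sig, now + 10)[1]
    # Modified body with a fresh nonce: the MAC cannot be recomputed without the secret.
    tampered = body.replace("app-key", "other-key")
    results["tampered"] = guard.verify("POST", "/v1/keys", tampered, now, "nonce-2", sig, now)[1]
    # Correctly signed request presented an hour later: rejected on freshness alone.
    sig3 = sign_request(secret, "POST", "/v1/keys", body, now, "nonce-3")
    results["stale"] = guard.verify("POST", "/v1/keys", body, now, "nonce-3", sig3, now + 3600)[1]
    return results
```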
● Customers can use services such as Virtual Private Network (VPN) and Direct Connect (DC) provided by HUAWEI CLOUD to ensure service interconnection and data transmission security between different regions.
Currently, the VPN service uses Huawei professional devices to virtualize private networks over the Internet based on IKE and IPsec. Secure encrypted transmission channels are established between the local data center and Huawei Cloud VPCs, and between VPCs in different regions of Huawei Cloud. Direct Connect (DC) builds dedicated encrypted transmission channels between local data centers and Huawei Cloud VPCs over carriers' private line networks of various types. Private lines are physically isolated from each other, meeting higher security and stability requirements. For data in transit, when customers provide website services over the Internet, they can use the certificate management services that Huawei Cloud provides jointly with globally well-known certificate service providers. By applying for and configuring certificates for their websites, customers obtain trusted identity authentication of the websites and secure transmission based on encryption protocols. Customers can also purchase certificates from third-party platforms themselves.