Under the Network and Information System Security Act (NISG), since July 2019 operators of critical infrastructure services have to prove on a regular basis that adequate and reasonable security precautions have been taken with regard to their network and information systems. This proof is provided through an audit by an officially qualified body (QuaSte). Since November 2020, Limes Security has been a recognized qualified body according to the NISG and is allowed to perform both organizational and technical audits.
Are you looking for a reliable partner for NIS audits?
Limes Security is a Qualified Body (QuaSte) according to NISG and is allowed to perform both organizational and technical audits.
Limes Security has many years of experience in different areas of information security, especially in the field of audits. In particular, the projects carried out at large industrial companies, energy suppliers and in the medical environment enable Limes Security to carry out NIS audits appropriately and efficiently, but also with the necessary caution. The auditing process applied has been successfully proven in many projects and has been successfully approved by the authorities.
Why Limes Security?
- Decades of experience in OT and critical infrastructures
- Organizational and technical audits from a single source
- Support starting with the system description
Audit Process
Initialization
When initiating a NIS audit, basic organizational issues are clarified:
- Procedures are coordinated
- Contact persons and communication guidelines are defined
- Non-disclosure agreements are signed
- A secure data exchange mechanism is defined (Limes Security operates a secure data exchange platform)
Throughout the lifecycle of the project, strict need-to-know and least-privilege rules are applied to all information obtained in the context of the client relationship.
Planning
The planning phase is initiated with a kick-off meeting in which organizational and technical issues are addressed. From an organizational perspective, a timeline is agreed upon, required stakeholders are identified, and deadlines are set.
From a technical perspective, we will review documentation such as system descriptions, network diagrams, and flowcharts, discuss testing activities, and identify the processes, components, and resources involved.
The system description and the system boundaries are a key input to the planning process. A workshop can be held for this purpose, with the goal of jointly identifying and describing the system boundaries.
Audit Procedure
During the actual examination of the measures, it is determined whether they are effective, suitable, adequate, appropriate to the risk, and take into account the technological state of the art. Different types of tests are used, depending on the subject matter and scope. For technical audits, for example, there are segmentation tests and accessibility analyses, vulnerability analyses, penetration tests and hardening analyses. For organizational audits, there are document reviews, interviews, and inspections of systems. The assessment is independent, objective and reasonable and follows the requirements of the authority.
Reporting
Reporting is done throughout the project. A preliminary draft is sent to you and provides an opportunity to clarify any uncertainties, explain compensatory measures that have not been taken into account, and discuss assessments. The final report is submitted in a secure way and contains an assessment or summary by Limes Security, a statement by the BwD, a description of the audited areas, the approach and the evaluation of the security measures.
An optional additional report contains a summary of the identified accumulated risk as a management summary, a detailed list of the identified vulnerabilities with evaluation as well as suggestions for improvement or concrete measures that can minimize the respective risk.
FAQs
Am I affected by the NIS law and regulation?
Fortunately, this is not for you to decide. If you have been classified as an operator of a critical infrastructure service, you have been notified by the BMI.
I am a BwD - How long do I have to meet the requirements from the NIS regulation?
We often encounter the assumption that identified operators of essential services have three years after notification to implement the required measures. However, the time period refers to the minimum interval that must be observed in order to PROVE that the required measures have been implemented. In fact, the implementation of the measures must already have taken place; a review by the BMI is possible at any time.
Is an ISO 27001 audit or document review enough proof for me?
Evidence of the implementation of the measures must include organizational and technical audit components. This means that an audit approach à la ISO 27001, which is based on documentation and interviews, is not sufficient. The effectiveness of measures must be demonstrated by suitable technical audit activities. Depending on the subject and scope of the audit, this ranges from segmentation tests, through vulnerability analyses that determine the patch and configuration status, to penetration tests. Here we bring the necessary experience, especially in critical or fragile environments.
What is the scope of an NIS audit and what does it cost?
The scope of an NIS audit is defined by the system boundaries of the service concerned. Typically, an essential service depends on multiple underlying services, infrastructure, software, staff, processes and data. The responsibility for documenting the system boundaries of the essential service lies with the operator.
However, we find that defining the system boundaries is often a problem for operators. We therefore provide support in workshops as early as the preparation of the system description and the boundaries of the service. The system description, in combination with the scope of testing, provides the basis for an effort estimate or price determination.