Cybersecurity: the circular of the National Agency is in force. Now take action

The document provides that PAs will replace the solutions of suppliers linked to Russia that may not be able to "provide services and updates to their products", following the conflict in Ukraine. Comastri, Tinexta Cyber: "Recommendations must be put into practice in a strategic way" 29 Apr 2022 F. Me.

PAs are called upon to diversify their IT security technology products and services to counter the increase in risk caused by the current international crisis, which arose after the outbreak of the conflict in Ukraine. These are the provisions of the circular of the National Cybersecurity Agency (ACN) relating to Article 29, paragraph 3, of Legislative Decree no. 21 of 21 March 2022 ("Urgent measures to counter the economic and humanitarian effects of the Ukrainian crisis"). Published in the Official Gazette on April 26, the ACN circular envisages that administrations replace the solutions of suppliers linked to Russia, as these same suppliers may not be able to "provide services and updates to their products". In detail, the products named are those of Kaspersky Lab, Group-IB and Positive Technologies.

The document, signed by the director of the Agency, Roberto Baldoni, contains six recommendations for PAs:

1. Survey the products and services indicated in the circular and analyze "the impact of their updates on operations, such as the necessary maintenance times".
2. Identify new services and products and evaluate them, considering whether they are compatible with the administration's assets and the "complexity of operational management of the existing support structures".
3. Define, share and communicate the migration plans.
4. Validate the ways of executing the migration plan "on significant test assets, making sure to proceed with the migration of services and products on the most critical assets only after the validation of some migrations and with the help of short-term recovery plans, in order to ensure the necessary operational continuity", the circular explains. It also clarifies that the migration plan "must ensure that the protection function guaranteed by the instruments subject to diversification is at no time interrupted".
5. Analyze and validate the functions and integrations of the new products and services chosen, "ensuring the application of rules and security configurations proportionate to high-risk scenarios". These include multi-factor authentication for every privileged access, activating only the necessary functions and adopting zero-trust principles.
6. Ensure monitoring and auditing of the new products, with adequate support for updates and revisions of configurations.

Take action immediately

Cybersecurity companies are asking that action be taken immediately. "Also in relation to the unprecedented challenges caused by the conflict in Ukraine, the National Cybersecurity Agency, with the circular just published, expands the number of suppliers whose products and services will be rapidly diversified by the Public Administrations," comments Marco Comastri, CEO of Tinexta Cyber. "Nonetheless, it recommends that they promptly adopt all the appropriate measures and practices for the management of IT services and cyber risk. But, for public bodies, how to quickly move from theory to practice? In fact, it is not a question of simply replacing one product with another, perhaps with an exclusively reactive capacity in the event of malicious attempts; an approach is needed that leads to the definition of a preventive cybersecurity strategy. With this in mind, also for the correct allocation of investments, the first step is to accurately assess the critical areas."

"It is a complex and delicate process that requires an accurate migration plan to achieve the desired level of risk mitigation, optimizing time and resources. To implement it, skills and an overall cyber vision are needed," Comastri underlines. "It is therefore necessary to act urgently but without frenzy, and to resort to an advisory activity that allows both the correct preliminary assessment of the real vulnerabilities of the IT security perimeter and the identification and customization, in relation to the peculiarities of the various administrative contexts, of the most suitable solutions in terms of compliance with European technological standards, integration with other systems in use in the organization, and compliance with EU and national regulations."