A Risk Management Framework for Compliance of Regulated Services

by Nicolas Mayer

ABSTRACT: A strong emphasis is placed today on the security of business processes and on the management of information security risks. This tendency can be seen in numerous emerging regulations imposing a risk-based approach for some processes of critical economic sectors. In the Telecommunications sector, the EU Directive 2009/140/EC introduces Article 13a about security and integrity of networks and services. This article states that Member States shall ensure that providers of public communications networks “take appropriate technical and organizational measures to appropriately manage the risks posed to security of networks and services”. The same approach applies to processes managed by the so-called operators of essential services as defined in the EU Directive 2016/1148.

As part of the adoption of these two EU Directives at the national level in Luxembourg, we have developed a project aiming at adapting and facilitating security risk management in regulated sectors. To do so, the project is composed of two parts. The first one consists of the development of a model-based approach and a tool to support the adoption of these regulations by regulated entities at the national level. We have especially extended ArchiMate, an Enterprise Architecture modelling language, with the appropriate concepts coming from the risk management domain. We have then integrated all of the different models into TISRIM, a risk management tool developed in-house. TISRIM is the tool recommended to the regulated entities of the Telecommunications sector by our National Regulatory Authority (NRA) and is currently being extended to support additional regulations and standards.

The second one is the development of a framework to analyse the data collected by the NRA through this approach. The framework is currently composed of 10 measurements for regulated entities and 11 measurements to analyse the sector as a whole. This set of measurements is currently being extended to take into account systemic risks, i.e. the cascading effect of security risks caused by dependencies between processes.

Nicolas Mayer is Senior Research & Technology Associate at the IT for Innovative Services (ITIS) department of the Luxembourg Institute of Science and Technology (LIST). He obtained an M.Sc. degree in Computer Science from the University Henri Poincaré (UHP) of Nancy (France) in 2004 and a PhD degree from the University of Namur, Belgium, in 2009. Today, he is Principal Investigator of research and industrial projects in the field of Information Security, Risk Management, IT compliance and Enterprise Architecture Modelling.