A new approach for implementing the EU NIS Directive in Romanian institutions – Information Security Manager training program

As part of the EU Cybersecurity Strategy, the European Commission proposed the EU Network and Information Security Directive. The NIS (Network and Information Security) Directive (see EU 2016/1148) is the first piece of EU-wide cybersecurity legislation; its goal is to enhance cybersecurity across the EU. Romania already has some legislation on information security and cybersecurity, such as Decision no. 271/2013 for the approval of the Cyber Security Strategy of Romania and the National Action Plan on the Implementation of the National Cyber Security System, published on 25 March 2013. In this context, the NIS Directive successfully complements the legislative framework in the field of cyber security. The Information Security Manager training program is part of the strategy to implement the NIS Directive in Romanian institutions, because it is very important for institutions to have qualified human resources to implement this Directive. In this context, the National Institute for Research and Development in Informatics (ICI - Bucharest) develops, through its Lifelong Learning Centre, the CISO program focused on specialization in information security. The Information Security Manager training program addresses people who design, develop and manage the security of organizational information and who have experience in areas such as Information Security Governance, Information Risk Management, Development of the information security program, Information security program management and Incident management.
The competencies obtained after graduating from the training program are:
• Establishment of strategy and management in the field of information security, harmonized with the strategy of the organization;
• Planning, designing, implementing and evaluating the information security management system based on risks and requirements;
• Designing the organization's security measures in accordance with the risk analysis of information security;
• Integrating information security requirements at the organization level, as set out in third-party contracts and activities, and so on.
The program consists of 6 training modules, with a duration of about 40 hours, with a weekly distribution but accessible according to the student's needs. Each module contains a theoretical, interactive part that uses game-based self-learning methods and interactive phrase puzzles, and an application part with scenario-based problem-solving exercises that the student needs to solve. These training modules are:
• Module I – Information security – basic concepts
• Module II – Information Security Management System (ISMS). Designing
• Module III – Risk Management
• Module IV – Designing security measures for implementing the ISMS
• Module V – Information Security Management System. Implementing
• Module VI – Monitoring, evaluation, improvement of the ISMS
In the future we intend to certify this course at national level and to align it with the national occupational standards on information security management systems.