"Put the focus on resilience, not the perfect score."

On the website Basisbeveiliging.nl professionals can see whether organizations have their basic digital security in order. Maps show the status of each target group with traffic light colors. Initiator Elger Jonker and Geert-Jan van de Ven, director of Centrum Informatiebeveiliging en Privacybescherming (CIP), discuss their common goal and the developments. This article is an adaptation of an interview on the website of CIP, which financially supports Basisbeveiliging.nl.

Digital Government April 18, 2025

News press release

The common goal of both parties

Neither Basisbeveiliging.nl nor CIP was created to impose obligations on government organizations or to lecture them. Both parties favor transparency and want to entice organizations to act quickly on imperfections. Jonker: "Of course it is a great goal for an organization to color green on Basisbeveiliging.nl. But a fall back to orange or even red is quite possible. Especially if an upgrade has taken place or a new project has been started. Preventing this is expensive, unrealistic and not at all necessary. The important thing is to stay in control at all times so that relapse is temporary." Van de Ven: "Actually, the ultimate goal is for all government organizations to have their digital security in order such that Basisbeveiliging.nl is superfluous. But it won't go that far; the signal function and attention to the actual state of affairs will always remain necessary."

Developments at Basisbeveiliging.nl

By now, Basisbeveiliging.nl maps some 10,000 organizations. All this information comes from public sources. When a map turns almost completely green, risks are added, not to bully but to raise the bar. Basisbeveiliging.nl does take into account planned security updates from major vendors such as Microsoft. Because government organizations have no influence on these, they are not judged negatively on them. Jonker: "Last year we awarded 100 organizations a 'baseline cybersecurity certificate': they were green for at least a day during the test period. Next year we are going to visualize the developments that organizations are going through. Sometimes they have done a lot of work without changing color yet, and we want to make that transparent."

Basisbeveiliging.nl: for whom?

The target audience of Basisbeveiliging.nl is explicitly not limited to information security specialists. Administrators can also use it to check whether reality matches the internal reports they receive. A purchaser can see whether the service provider is up to date. Suppliers can check whether they still meet the set (basic) requirements. For citizens, it is interesting to see whether a government organization handles online security and privacy well and carefully, for example in the placement of tracking cookies. Van de Ven: "Regularly there is a discrepancy between the management report, where filters have gone over, and the actual digital security. I advise administrators to use the results on Basisbeveiliging.nl as a tool in discussion with the CISO. This input provides other nourishment and, moreover, it provides a picture that is public and that anyone can therefore view."

Some tips

Jonker: "What we can learn from well-performing organizations, for example the 3 largest banks, is that cleaning up (old) domains makes a huge difference. Many organizations have dozens, sometimes more than 100 domains active, many of which are no longer relevant and nobody knows who the product owner is or was." Van de Ven: "Within your organization, put the focus on resilience instead of the perfect score and make conscious choices when it comes to information security. A large government organization that processes special personal data needs to deal with digital security risks differently than your neighborhood elementary school. As long as you can explain the priorities set."
