On the website Basisbeveiliging.nl, professionals can assess whether organisations have their fundamental digital security measures in order. The site features maps that indicate the status of each target group using traffic light colours. In this article, initiator Elger Jonker and Geert-Jan van de Ven, director of the Information Security and Privacy Protection Centre (Centrum Informatiebeveiliging en Privacybescherming in Dutch, abbreviated CIP), discuss their shared goals and recent developments. This article is an adaptation of an interview on the website of CIP, which financially supports Basisbeveiliging.nl.
The common goal of both parties
Neither Basisbeveiliging.nl nor CIP were established to impose obligations or lecture government organisations. Instead, both advocate for transparency and encourage organisations to act quickly on their imperfections. Jonker states, “Achieving a green status on Basisbeveiliging.nl is a significant goal for any organisation. However, it is possible to revert to an orange or even red status, especially after an upgrade or the initiation of a new project. Preventing such setbacks can be costly, unrealistic, and unnecessary. The key is to stay on top of things to ensure that any regression is only temporary.” Van de Ven adds, “Ultimately, the goal is for all government organisations to reach a level of digital security that makes Basisbeveiliging.nl obsolete. However, this will not happen soon, as the need for a signal function and attention to the actual state of affairs will always remain.”
Developments at Basisbeveiliging.nl
Basisbeveiliging.nl is currently mapping approximately 10,000 organisations using information obtained from public records. When a map nearly turns completely green, it indicates that risks have been identified. This is not intended to intimidate but to raise awareness and improve standards. Basisbeveiliging.nl also considers planned security updates from major vendors like Microsoft when evaluating organisations. Since government organisations cannot influence these updates, they are not judged negatively. “Last year, we awarded ‘Baseline Cybersecurity Certificates’ to 100 organisations that achieved a green status for at least one day during the testing period. In the coming year, we plan to visualise their progress. Sometimes, organisations may have made significant improvements without their colour changing. We aim to make that progress transparent.”
Basisbeveiliging.nl: for whom?
Basisbeveiliging.nl’s target audience extends beyond IT Security Specialists. Directors can utilise it to verify whether the reality aligns with the internal reports they receive. Buyers can assess whether their service providers are up to date. Suppliers can confirm if they still meet the (basic) requirements. For citizens, it is valuable to evaluate whether a government organisation manages online security and privacy appropriately, such as the placement of tracking cookies. Van de Ven states, “There is often a discrepancy between the management report, which is filtered down, and the actual digital security. I advise administrators to use the results on Basisbeveiliging.nl as a discussion tool with the Chief Information Security Officer (CISO). This input provides valuable insights and presents a public image that anyone can access.”
Jonker: “One key takeaway from successful organisations, the three largest banks, for instance, is that cleaning up outdated domains can make a significant difference. Many organisations have dozens, and sometimes even over a hundred, active domains, many of which are no longer relevant. Often, no one knows who the product owner is or was.” Van de Ven: “Within your organisation, prioritise resilience over the pursuit of a perfect score, and make deliberate choices regarding information security. A large government agency that processes sensitive personal data should address digital security risks differently from a local primary school. As long as you can explain the priorities you have set, your approach will be valid.”
More information
- Visit the CIP website for the full interview with Elger and Geert-Jan (in Dutch).
- Also, visit the web page about the Cyber Security Act, which implements the NIS2 directive (currently only in Dutch.
