Tilsynsmetodikk og måling av informasjonssikkerhet i finans- og kraftsektoren

This report presents a comparative study of the regulatory authorities within the Norwegian, Danish, Swedish and British finance and energy sector. The study is part of the ”Critical Information Infrastructure Protection Project” (BAS5), and it has been conducted to provide an overview of the supervisory process carried out by the proper authorities in the finance and energy sector, as well as experiences related to supervisory controls. Furthermore, this study provides an identification of the coarse features of legal acts, methodology used in regulatory and supervisory activities, and the use of performance measuring such as metrics and indicators in relations to research needs. The research, based on interviews and literary searches, revealed that the statutory framework concerning information security and supervisory methodology employed by the proper authorities varies both between sectors and countries. Compared to UK, Sweden, Finland and Denmark; it seems like Norway has put more emphasis on strong regulation of information security compared to the other countries. Furthermore, the study reveals that quantitative indicators or metrics are not applied, however there seems to be a potential for developing metrics to follow up compliance to law trends.