Cabinet Office consults on cyber security standards - expression of interest by 8 April 2013 | Fieldfisher
08/03/2013
As part of its Cyber Security Strategy, the Cabinet Office recently published a call for evidence on an organisational standard that best meets the requirements for effective cyber risk management. The aim of the consultation is to research and select a single preferred organisational standard for the private sector to protect against:

"low-end methods of compromise such as phishing and social engineering, malware and viruses."

The Government accepts that no standard can protect against all risks; it is looking for one that is applicable to businesses of all kinds and helps them protect themselves against cyber security threats. The Government will endorse the selected standard as a "best practice" standard.

The consultation document provides that the standard sought should encompass an independent audit and assurance framework and be (or have the potential to be) recognised or aligned internationally. The Cabinet Office specifically wants to hear about the suggested auditable requirements for the following technical and non-technical controls:

a. The governance of cyber security across the legal entity including dependencies upon other organisations.

b. The understanding of cyber security risks based upon the likelihood of the low-end methods of compromise exploiting vulnerabilities and causing business impacts.

c. The selection of controls to mitigate cyber security risks using an appropriate mix of awareness, preventative, detective and recovery controls across the physical, personnel and technical security functions.

d. The selection of controls should cover at least the following areas as described at reference b:

    i. Network security

    ii. Malware prevention

    iii. Secure configuration of information systems

    iv. Monitoring

    v. Removable media

    vi. Home and mobile working

    vii. Managing user privileges

    viii. User education and awareness

    ix. Incident management

e. Monitoring of the threat landscape and the effectiveness of the controls against that landscape.

f. The ability to react to changes in understanding of cyber security risks.

g. Reporting cyber security performance and incidents to the organisation’s owners, customers, information owners and regulatory authorities, in a structured manner that enables monitoring of cyber security trends across industry and identification of root causes of incidents.

Organisations that are interested in contributing should express their interest by Monday 8 April 2013, with the final date for submitting evidence being 14 October 2013. Guidance regarding submissions will be published by Tuesday 30 April 2013.

If you intend to participate in the consultation and would like to discuss it with a member of our Data Security team, please email antonis.patrikios@ffw.com

Published by Dominika Kupczyk and Antonis Patrikios