Department for Business, Innovation and Skills 1 Victoria Street London SW1H 0ET. 7 th May Dear Sir or Madam,

Transcription

1 Department for Business, Innovation and Skills 1 Victoria Street London SW1H 0ET 7 th May 2014 Dear Sir or Madam, The Federation of Small Businesses (FSB) welcomes the opportunity to respond to this consultation on the Cyber Essentials Scheme: Proposed assurance framework. The FSB is the UK s leading business organisation. It exists to protect and promote the interests of the selfemployed and all those who run their own business. The FSB is non-party political, and with around 200,000 members, it is also the largest organisation representing small and medium sized businesses in the UK. Small businesses make up 99.3 per cent of all businesses in the UK, and make a huge contribution to the UK economy. They contribute 51 per cent of the GDP and employ 58 per cent of the private sector workforce. We trust that you will find our comments helpful and that our comments will be taken into consideration. Yours faithfully, Ann Swain Chair, FSB Home Affairs Committee

2 Cyber Essentials Scheme: Proposed assurance framework P a g e

3 FSB response to the Cyber Essentials Scheme: Proposed assurance framework The FSB welcomes this consultation by BIS on the assurance framework for the Cyber Essentials Scheme. We strongly support a robust security standard for businesses that will minimise the risks of suffering cyber attacks. The FSB supports businesses utilising the many benefits of ICT for business efficiency and the internet as a route to market. 1 However, the benefits come with a number of associated risks: The existing research suggests that cyber security is a significant risk for many small businesses. FSB research (published in 2012) found that a third of our members had been the subject of cyber crime. 2 The FSB found that the average cost to an individual business, of being a victim of cyber crime, can be up to PwC, in its 2013 Information Security Breaches Survey found that 63% of small businesses were subject to an unauthorised external attack. The worst security breach due to such unauthorised external attacks cost the affected business between 35,000 and 65, A robust formal standard, which all businesses can rely on when judging how best to enhance their online security, is a sensible measure. It complements the work the FSB carries out promoting cyber security to our members. Further, it will help the market in cyber security products and services mature, enabling those trying to negotiate that make better choices. However, we do have concerns with the assurance framework relating to three areas: Identifying risks; Effective understanding of relative costs and benefits by individual businesses; and The uncertainty surrounding non-technical factors such as people. Our primary concern with the Cyber Essentials Scheme is how to establish and implement security controls without first identifying the assets, vulnerabilities and threats an organisation has or faces. Capturing these components allows an organisation to assess its cyber security posture in terms of impact and likelihood i.e. to calculate their risks. In turn the cost-benefit can be determined. Consequently, one question that arises, which the framework does not address sufficiently, is how much might an organisation be willing to spend on a firewall if the impact and likelihood of a breach is not calculated? How much do they spend on purchasing, implementing, monitoring and supporting the security controls defined? A parallel may be 1 Intellect and FSB (2013). The Digital Imperative. 2 FSB (2012). Cyber security and fraud: the impact on small business. 3 Ibid. 4 PwC (2013). Information Security Breaches Survey; technical report. 3 P a g e

4 drawn with houses and insurance i.e. how much will a homeowner spend on protecting their house and its contents if they don t know the value of the house or its contents? We appreciate these are generic security controls but it is possible that important assets requiring protection could be overlooked. The human factor is also a major consideration. An organisation is only as strong as its weakest link. Any scheme should acknowledge this reality. Below we address the issues set out in the draft assurance framework document, which invited questions from stakeholders and that we consider most relevant to our members. Question 1: The three tiers: We would welcome comments on both the assessment proposed for each tier and views as to any existing qualifications that might demonstrate competence to carry out such assessments. The three tier proposal seems sensible. It will allow organisations of all sizes and complexity to obtain some level of assurance that basic cyber security controls have been implemented. The key is the verification of these controls and ongoing support and maintenance. As organisations grow or evolve, these controls need to be maintained and remain operational. We would urge BIS to consider introducing some form of requirement to submit formal evidence to verify the implementation, ongoing support, updating and monitoring of the security controls. Gold and Silver: Due to the penetration testing requirements for the gold and silver tiers the assessors should require a formal penetration testing qualification. The CREST certification could provide this. However, other bodies and organisations should be considered and evaluated to maintain an open and transparent forum, as already conducted to select the preferred cyber security standards. The assessors should also have a combination of industry experience, academic and professional qualifications outside the sphere of penetration testing, as detailed in the bronze response to this question. There can be a tendency by organisations to over-rely on penetration testing. This can create a false sense of security. Although penetration testing has its place in protecting an organisation in terms of helping identify vulnerabilities in a system, it comes with its own issues, weaknesses and concerns. A complete picture of an organisation s security stance and position needs to be understood so controls can be implemented and managed correctly. An ongoing improvement process should also be encouraged for the gold tier standard. An organisation should demonstrate continued improvement along the lines of the Capability Maturity Model (CMM). Bronze: We believe this is the tier small businesses will focus on until such time as a procurement contract (either with government or customer) requires the silver or gold tier. Because this will probably be the starting point, a good foundation needs to be established. Again, we would recommend an assessor should have a combination of academic and professional qualifications with industry experience. As a guide, we would suggest an IT/security degree, the Certified Information Systems Security Professional (CISSP) qualification and a minimum of 5 years experience in the cyber/it security sector. An assessor needs to be suitably qualified so organisations have a level of confidence/assurance in the cyber essentials scheme. 4 P a g e

5 We believe that all three tiers should adapt the Plan, Do, Check and Act (PDCA) process. Question 2: The scope of assessment of an organisation s IT: Ideally all enterprise IT within an organisation should implement the essential cyber controls for that organisation to be able to protect itself against low level (commodity threat) capabilities. However many organisations are hugely complicated, geographically dispersed and span national boundaries. Should the organisation be able to define the scope of the assessment or should all of its enterprise IT be included? The scope should at least include the critical assets of the organisation. If these assets were compromised this would have the greatest impact, in terms of ongoing operations, legal implications, financial loss, financial penalties, business loss and/ or reputational damage. On this basis the critical assets would need to be identified and documented, this would be a component of a security risk assessment. However, this is outside of the scope of the cyber essentials scheme. The whole enterprise would need to be considered because, as already stated, an organisation is only as strong as its weakest link. If a holistic organisation wide approach were not taken, threat actors would target areas with poor or weak protection mechanisms as the method of entry to the organisation. Small businesses tend not to be geographically dispersed or span national boundaries. Therefore, the entire organisation should implement the essential cyber security controls. Question 3: The duration of certification: Organisations will not want to have to be reassessed too frequently, but the nature of IT systems is such that they can evolve and change. What is the most appropriate reassessment period for each tier? Due to the changing, evolving and complex sphere of IT, a balanced approach is required to protect organisations while at the same time maintaining the integrity of the cyber essentials scheme. Gold and Silver: The organisation should be reassessed on a yearly basis with possible spot checks to encourage organisations to maintain the required security controls originally assessed. A yearly penetration test conducted within and outside the organisation should also be considered. The organisation would need to implement, maintain and/or update the required security controls as and when changes occur in the infrastructure. Bronze: The organisation should be reassessed every two years. We believe this should provide a balanced approach between confidence and organisational intrusion, in terms of performing the assessment. However, changes to the infrastructure should require the necessary security controls to be implemented, maintained and/or updated to meet the cyber essential scheme. Question 4: Qualifications: What qualifications do you believe would provide evidence of competence to certify at a particular tier? Gold and Silver: As detailed in the three tiers response, a formal penetration testing qualification would be something we support. We also recommend that an assessor have a combination of academic and 5 P a g e

6 professional qualifications with industry experience. As a guide, an IT/security degree, the Certified Information Systems Security Professional (CISSP) qualification and a minimum of 5 years experience in the cyber/it security sector. Bronze: As detailed in the three tiers response. We would recommend an assessor have a combination of academic and professional qualifications with industry experience. As a guide, an IT/security degree, the Certified Information Systems Security Professional (CISSP) qualification and a minimum of 5 years experience in the cyber/it security sector. An assessor needs to be suitably qualified and have a level of experience with small businesses so organisations have a level of confidence/assurance of the cyber essentials scheme. For further information please contact: Richard Hyde at the following address: Richard.hyde@fsb.org.uk 6 P a g e