Department for Business, Innovation and Skills 1 Victoria Street London SW1H 0ET. 7 th May Dear Sir or Madam,

Size: px
Start display at page:

Download "Department for Business, Innovation and Skills 1 Victoria Street London SW1H 0ET. 7 th May 2014. Dear Sir or Madam,"

Transcription

1 Department for Business, Innovation and Skills 1 Victoria Street London SW1H 0ET 7 th May 2014 Dear Sir or Madam, The Federation of Small Businesses (FSB) welcomes the opportunity to respond to this consultation on the Cyber Essentials Scheme: Proposed assurance framework. The FSB is the UK s leading business organisation. It exists to protect and promote the interests of the selfemployed and all those who run their own business. The FSB is non-party political, and with around 200,000 members, it is also the largest organisation representing small and medium sized businesses in the UK. Small businesses make up 99.3 per cent of all businesses in the UK, and make a huge contribution to the UK economy. They contribute 51 per cent of the GDP and employ 58 per cent of the private sector workforce. We trust that you will find our comments helpful and that our comments will be taken into consideration. Yours faithfully, Ann Swain Chair, FSB Home Affairs Committee

2 Cyber Essentials Scheme: Proposed assurance framework P a g e

3 FSB response to the Cyber Essentials Scheme: Proposed assurance framework The FSB welcomes this consultation by BIS on the assurance framework for the Cyber Essentials Scheme. We strongly support a robust security standard for businesses that will minimise the risks of suffering cyber attacks. The FSB supports businesses utilising the many benefits of ICT for business efficiency and the internet as a route to market. 1 However, the benefits come with a number of associated risks: The existing research suggests that cyber security is a significant risk for many small businesses. FSB research (published in 2012) found that a third of our members had been the subject of cyber crime. 2 The FSB found that the average cost to an individual business, of being a victim of cyber crime, can be up to PwC, in its 2013 Information Security Breaches Survey found that 63% of small businesses were subject to an unauthorised external attack. The worst security breach due to such unauthorised external attacks cost the affected business between 35,000 and 65, A robust formal standard, which all businesses can rely on when judging how best to enhance their online security, is a sensible measure. It complements the work the FSB carries out promoting cyber security to our members. Further, it will help the market in cyber security products and services mature, enabling those trying to negotiate that make better choices. However, we do have concerns with the assurance framework relating to three areas: Identifying risks; Effective understanding of relative costs and benefits by individual businesses; and The uncertainty surrounding non-technical factors such as people. Our primary concern with the Cyber Essentials Scheme is how to establish and implement security controls without first identifying the assets, vulnerabilities and threats an organisation has or faces. Capturing these components allows an organisation to assess its cyber security posture in terms of impact and likelihood i.e. to calculate their risks. In turn the cost-benefit can be determined. Consequently, one question that arises, which the framework does not address sufficiently, is how much might an organisation be willing to spend on a firewall if the impact and likelihood of a breach is not calculated? How much do they spend on purchasing, implementing, monitoring and supporting the security controls defined? A parallel may be 1 Intellect and FSB (2013). The Digital Imperative. 2 FSB (2012). Cyber security and fraud: the impact on small business. 3 Ibid. 4 PwC (2013). Information Security Breaches Survey; technical report. 3 P a g e

4 drawn with houses and insurance i.e. how much will a homeowner spend on protecting their house and its contents if they don t know the value of the house or its contents? We appreciate these are generic security controls but it is possible that important assets requiring protection could be overlooked. The human factor is also a major consideration. An organisation is only as strong as its weakest link. Any scheme should acknowledge this reality. Below we address the issues set out in the draft assurance framework document, which invited questions from stakeholders and that we consider most relevant to our members. Question 1: The three tiers: We would welcome comments on both the assessment proposed for each tier and views as to any existing qualifications that might demonstrate competence to carry out such assessments. The three tier proposal seems sensible. It will allow organisations of all sizes and complexity to obtain some level of assurance that basic cyber security controls have been implemented. The key is the verification of these controls and ongoing support and maintenance. As organisations grow or evolve, these controls need to be maintained and remain operational. We would urge BIS to consider introducing some form of requirement to submit formal evidence to verify the implementation, ongoing support, updating and monitoring of the security controls. Gold and Silver: Due to the penetration testing requirements for the gold and silver tiers the assessors should require a formal penetration testing qualification. The CREST certification could provide this. However, other bodies and organisations should be considered and evaluated to maintain an open and transparent forum, as already conducted to select the preferred cyber security standards. The assessors should also have a combination of industry experience, academic and professional qualifications outside the sphere of penetration testing, as detailed in the bronze response to this question. There can be a tendency by organisations to over-rely on penetration testing. This can create a false sense of security. Although penetration testing has its place in protecting an organisation in terms of helping identify vulnerabilities in a system, it comes with its own issues, weaknesses and concerns. A complete picture of an organisation s security stance and position needs to be understood so controls can be implemented and managed correctly. An ongoing improvement process should also be encouraged for the gold tier standard. An organisation should demonstrate continued improvement along the lines of the Capability Maturity Model (CMM). Bronze: We believe this is the tier small businesses will focus on until such time as a procurement contract (either with government or customer) requires the silver or gold tier. Because this will probably be the starting point, a good foundation needs to be established. Again, we would recommend an assessor should have a combination of academic and professional qualifications with industry experience. As a guide, we would suggest an IT/security degree, the Certified Information Systems Security Professional (CISSP) qualification and a minimum of 5 years experience in the cyber/it security sector. An assessor needs to be suitably qualified so organisations have a level of confidence/assurance in the cyber essentials scheme. 4 P a g e

5 We believe that all three tiers should adapt the Plan, Do, Check and Act (PDCA) process. Question 2: The scope of assessment of an organisation s IT: Ideally all enterprise IT within an organisation should implement the essential cyber controls for that organisation to be able to protect itself against low level (commodity threat) capabilities. However many organisations are hugely complicated, geographically dispersed and span national boundaries. Should the organisation be able to define the scope of the assessment or should all of its enterprise IT be included? The scope should at least include the critical assets of the organisation. If these assets were compromised this would have the greatest impact, in terms of ongoing operations, legal implications, financial loss, financial penalties, business loss and/ or reputational damage. On this basis the critical assets would need to be identified and documented, this would be a component of a security risk assessment. However, this is outside of the scope of the cyber essentials scheme. The whole enterprise would need to be considered because, as already stated, an organisation is only as strong as its weakest link. If a holistic organisation wide approach were not taken, threat actors would target areas with poor or weak protection mechanisms as the method of entry to the organisation. Small businesses tend not to be geographically dispersed or span national boundaries. Therefore, the entire organisation should implement the essential cyber security controls. Question 3: The duration of certification: Organisations will not want to have to be reassessed too frequently, but the nature of IT systems is such that they can evolve and change. What is the most appropriate reassessment period for each tier? Due to the changing, evolving and complex sphere of IT, a balanced approach is required to protect organisations while at the same time maintaining the integrity of the cyber essentials scheme. Gold and Silver: The organisation should be reassessed on a yearly basis with possible spot checks to encourage organisations to maintain the required security controls originally assessed. A yearly penetration test conducted within and outside the organisation should also be considered. The organisation would need to implement, maintain and/or update the required security controls as and when changes occur in the infrastructure. Bronze: The organisation should be reassessed every two years. We believe this should provide a balanced approach between confidence and organisational intrusion, in terms of performing the assessment. However, changes to the infrastructure should require the necessary security controls to be implemented, maintained and/or updated to meet the cyber essential scheme. Question 4: Qualifications: What qualifications do you believe would provide evidence of competence to certify at a particular tier? Gold and Silver: As detailed in the three tiers response, a formal penetration testing qualification would be something we support. We also recommend that an assessor have a combination of academic and 5 P a g e

6 professional qualifications with industry experience. As a guide, an IT/security degree, the Certified Information Systems Security Professional (CISSP) qualification and a minimum of 5 years experience in the cyber/it security sector. Bronze: As detailed in the three tiers response. We would recommend an assessor have a combination of academic and professional qualifications with industry experience. As a guide, an IT/security degree, the Certified Information Systems Security Professional (CISSP) qualification and a minimum of 5 years experience in the cyber/it security sector. An assessor needs to be suitably qualified and have a level of experience with small businesses so organisations have a level of confidence/assurance of the cyber essentials scheme. For further information please contact: Richard Hyde at the following address: 6 P a g e

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Assurance Framework January 2015 December 2013 Contents Introduction... 3 Change from June 2014 version... 3 Overview... 4 Stage Definitions... 5 Stage 1 Cyber Essentials: verified

More information

Cyber Essentials Scheme. Summary

Cyber Essentials Scheme. Summary Cyber Essentials Scheme Summary June 2014 Introduction... 3 Background... 4 Scope... 4 Assurance Framework... 5 Next steps... 6 Questions about the scheme?... 7 2 Introduction The Cyber Essentials scheme

More information

Resilience and Cyber Essentials

Resilience and Cyber Essentials Resilience and Cyber Essentials Richard Bach Assistant Director Cyber Security Talk outline Why Cyber Essentials: the Policy context What is Cyber Essentials: Scheme background How the Scheme works: accreditation,

More information

Cyber Essentials Scheme. Protect your business from cyber threats and gain valuable certification

Cyber Essentials Scheme. Protect your business from cyber threats and gain valuable certification Cyber Essentials Scheme Protect your business from cyber threats and gain valuable certification Why you need it Cybercrime appears in the news on an almost daily basis - but it s not just the large and

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...

More information

CBEST FAQ February 2015

CBEST FAQ February 2015 CBEST Frequently Asked Questions: February 2015 At this time, the UK Financial Authorities have only made CBEST available to firms and FMIs which they consider to be core to the UK financial system. Those

More information

Western Australian Auditor General s Report. Information Systems Audit Report

Western Australian Auditor General s Report. Information Systems Audit Report Western Australian Auditor General s Report Information Systems Audit Report Report 10 June 2012 Auditor General s Overview The Information Systems Audit Report is tabled each year by my Office. It summarises

More information

A Guide to the Cyber Essentials Scheme

A Guide to the Cyber Essentials Scheme A Guide to the Cyber Essentials Scheme Published by: CREST Tel: 0845 686-5542 Email: admin@crest-approved.org Web: http://www.crest-approved.org/ Principal Author Jane Frankland, Managing Director, Jane

More information

How small and medium-sized enterprises can formulate an information security management system

How small and medium-sized enterprises can formulate an information security management system How small and medium-sized enterprises can formulate an information security management system Royal Holloway Information Security Thesis Series Information security for SMEs Vadim Gordas, MSc (RHUL) and

More information

Committees Date: Subject: Public Report of: For Information Summary

Committees Date: Subject: Public Report of: For Information Summary Committees Audit & Risk Management Committee Finance Committee Subject: Cyber Security Risks Report of: Chamberlain Date: 17 September 2015 22 September 2015 Public For Information Summary Cyber security

More information

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

More information

Cyber Security Organisational Standards. Guidance

Cyber Security Organisational Standards. Guidance Cyber Security Organisational Standards Guidance April 2013 Contents Contents...2 Overview...3 Background...4 Definitions...5 Presentation and Layout...6 Submissions Guidance...7 Acceptance Criteria...8

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security Contents Why you need to know about cyber security... 3 Understanding the risks to your business... 4 How you can manage the risks... 5 Planning

More information

CESG CIR SCHEME AND CREST CSIR SCHEME FREQUENTLY ASKED QUESTIONS

CESG CIR SCHEME AND CREST CSIR SCHEME FREQUENTLY ASKED QUESTIONS CESG CIR SCHEME AND CREST CSIR SCHEME FREQUENTLY ASKED QUESTIONS QUESTION General What is the Cyber Security Incident Response (CSIR) Scheme? What is the Cyber Incident Response (CIR) scheme? Why have

More information

Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis

Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis An analogue approach to a digital world What foundations is CDCAT built on?

More information

INFORMATION SECURITY TESTING

INFORMATION SECURITY TESTING INFORMATION SECURITY TESTING SERVICE DESCRIPTION Penetration testing identifies potential weaknesses in a technical infrastructure and provides a level of assurance in the security of that infrastructure.

More information

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information

Threat Intelligence. Benefits for the enterprise

Threat Intelligence. Benefits for the enterprise Benefits for the enterprise Contents Introduction Threat intelligence: a maturing defence differentiator Understanding the types of threat intelligence: from the generic to the specific Deriving value

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes

More information

93% of large organisations and 76% of small businesses

93% of large organisations and 76% of small businesses innersecurity INFORMATION SECURITY Information Security Services 93% of large organisations and 76% of small businesses suffered security breaches in the last year. * Cyber attackers were the main cause.

More information

Cyber Security Strategy

Cyber Security Strategy NEW ZEALAND S Cyber Security Strategy 2015 A secure, resilient and prosperous online New Zealand Ministerial Foreword The internet and technology have become a fundamental element in our lives. We use

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

This Unit is a mandatory Unit within the National Progression Award in Cyber Security at SCQF 6.

This Unit is a mandatory Unit within the National Progression Award in Cyber Security at SCQF 6. National Unit specification General information Unit code: H9E2 46 Superclass: CC Publication date: September 2015 Source: Scottish Qualifications Authority Version: 02 Unit purpose The purpose of this

More information

Cyber Security - What Would a Breach Really Mean for your Business?

Cyber Security - What Would a Breach Really Mean for your Business? Cyber Security - What Would a Breach Really Mean for your Business? August 2014 v1.0 As the internet has become increasingly important across every aspect of business, the risks posed by breaches to cyber

More information

PCI White Paper Series. Compliance driven security

PCI White Paper Series. Compliance driven security PCI White Paper Series Compliance driven security Table of contents Compliance driven security... 3 The threat... 3 The solution... 3 Why comply?... 3 The threat... 3 Benefits... 3 Efficiencies... 4 Meeting

More information

Procurement Policy Note Use of Cyber Essentials Scheme certification

Procurement Policy Note Use of Cyber Essentials Scheme certification Procurement Policy Note Use of Cyber Essentials Scheme certification Action Note 09/14 25 September 2014 Issue 1. Government is taking steps to further reduce the levels of cyber security risk in its supply

More information

Corporate Security in 2016.

Corporate Security in 2016. Corporate Security in 2016. A QA Report Study Highlights According to ThreatMetrix, businesses in the UK are at greater risk of cybercrime than any other country in the world. In a recent survey carried

More information

HMG Security Policy Framework

HMG Security Policy Framework HMG Security Policy Framework Security Policy Framework 3 Foreword Sir Jeremy Heywood, Cabinet Secretary Chair of the Official Committee on Security (SO) As Cabinet Secretary, I have a good overview of

More information

CBEST/STAR Threat Intelligence

CBEST/STAR Threat Intelligence CBEST/STAR Threat Intelligence Systemically-important financial institutions that form part of the UK s Critical National Infrastructure need to remain resilient to cyber attack. To help them achieve this,

More information

Australian Government Cyber Security Review

Australian Government Cyber Security Review Australian Government Cyber Security Review The Cisco Response Today, governments are almost universally pursuing a development and modernisation agenda to nurture their society into the digital age, and

More information

Procuring Penetration Testing Services

Procuring Penetration Testing Services Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat

More information

CYBER SECURITY Audit, Test & Compliance

CYBER SECURITY Audit, Test & Compliance www.thalescyberassurance.com CYBER SECURITY Audit, Test & Compliance 02 The Threat 03 About Thales 03 Our Approach 04 Cyber Consulting 05 Vulnerability Assessment 06 Penetration Testing 07 Holistic Audit

More information

Aberdeen City Council IT Security (Network and perimeter)

Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

Cyber Crime ACC Crime

Cyber Crime ACC Crime AGENDA ITEM 10 STRATEGIC POLICING AND CRIME BOARD 3 rd December 2013 Cyber Crime ACC Crime PURPOSE OF REPORT 1. The purpose of this report is to provide members of the Strategic Police and Crime Board

More information

www.pwc.nl/cybersecurity Cyber security Building confidence in your digital future

www.pwc.nl/cybersecurity Cyber security Building confidence in your digital future www.pwc.nl/cybersecurity Cyber security Building confidence in your digital future 2015 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence

More information

Cyber security Building confidence in your digital future

Cyber security Building confidence in your digital future www.pwc.co.uk/cyber Cyber security Building confidence in your digital future We provide a range of integrated cyber security services, helping you protect what matters Building confidence in your digital

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

CESG Certified Professional

CESG Certified Professional CESG Certified Professional Verify your skills and competence in information assurance Now open to cyber security professionals working in UK industry CONTENTS 1. Introduction 2. IA in Context: Why Professionalism

More information

Course 4202: Fraud Awareness and Cyber Security Workshop (3 days)

Course 4202: Fraud Awareness and Cyber Security Workshop (3 days) Course introduction It is vital to ensure that your business is protected against the threats of fraud and cyber crime and that operational risk processes are in place. This three-day course provides an

More information

FSB response to BIS consultation on duty to report on payment practices and policies

FSB response to BIS consultation on duty to report on payment practices and policies Business Finance and Tax Spur 1, 3rd floor Department for Business, Innovation and Skills 1 Victoria Street London SW1H 0ET latepayment@bis.gsi.gov.uk 10 February 2015 Dear Sir / Madam FSB response to

More information

ESKISP6054.01 Conduct security testing, under supervision

ESKISP6054.01 Conduct security testing, under supervision Overview This standard covers the competencies required to conduct security testing under supervision. In order to contribute to the determination of the level of resilience of an information system to

More information

A HELPING HAND TO PROTECT YOUR REPUTATION

A HELPING HAND TO PROTECT YOUR REPUTATION OVERVIEW SECURITY SOLUTIONS A HELPING HAND TO PROTECT YOUR REPUTATION CONTENTS INFORMATION SECURITY MATTERS 01 TAKE NOTE! 02 LAYERS OF PROTECTION 04 ON GUARD WITH OPTUS 05 THREE STEPS TO SECURITY PROTECTION

More information

Is your business at risk? DO YOU NEED TO KNOW?

Is your business at risk? DO YOU NEED TO KNOW? Is your business at risk? DO YOU NEED TO KNOW? Do you need Penetration Testing? The main issues our clients have faced in the operational running of the business Client-side attacks Another growing security

More information

Security Testing for Web Applications and Network Resources. (Banking).

Security Testing for Web Applications and Network Resources. (Banking). 2011 Security Testing for Web Applications and Network Resources (Banking). The Client, a UK based bank offering secure, online payment and banking services to its customers. The client wanted to assess

More information

ESKISP6053.01 Assist security testing, under supervision

ESKISP6053.01 Assist security testing, under supervision Overview This standard covers the competencies required to assist security testing under supervision. In order to contribute to the determination of the level of resilience of an information system to

More information

Level 5 Diploma in Managing the Supply Chain (QCF) Qualification Specification

Level 5 Diploma in Managing the Supply Chain (QCF) Qualification Specification Level 5 Diploma in Managing the Supply Chain (QCF) Qualification Specification Created: May 2012 Version: 1.0 Accreditation Number: 600/5605/8 Qualification Start Date: 1 st June 2012 Qualification Last

More information

The Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking

The Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking The Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking The Information Commissioner has responsibility for promoting and enforcing the

More information

A Risk Management Standard

A Risk Management Standard A Risk Management Standard Introduction This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management

More information

National Approach to Information Assurance 2014-2017

National Approach to Information Assurance 2014-2017 Document Name File Name National Approach to Information Assurance 2014-2017 National Approach to Information Assurance v1.doc Author David Critchley, Dave Jamieson Authorisation PIAB and IMBA Signed version

More information

THE HUMAN COMPONENT OF CYBER SECURITY

THE HUMAN COMPONENT OF CYBER SECURITY cybersecurity.thalesgroup.com.au People, with their preference to minimise their own inconvenience, their predictability, apathy and general naivety about the potential impacts of their actions, are the

More information

Business Case. for an. Information Security Awareness Program

Business Case. for an. Information Security Awareness Program Business Case (BS.ISAP.01) 1 (9) Business Case for an Information Security Business Case (BS.ISAP.01) 2 Contents 1. Background 3 2. Purpose of This Paper 3 3. Business Impact 3 4. The Importance of Security

More information

Cyber Security: Threat & The Maritime Environment Cyber Security: now byting the maritime industry

Cyber Security: Threat & The Maritime Environment Cyber Security: now byting the maritime industry Cyber Security: Threat & The Maritime Environment Cyber Security: now byting the maritime industry Templar Executives NIAS 2007 DHR 2008 IAMM 2008 1 st CSS 2009 2 nd CSS 2011 Advising Government & Industry

More information

ELITE PROTECTION RAID AWARENESS TRAINING

ELITE PROTECTION RAID AWARENESS TRAINING ELITE PROTECTION RAID AWARENESS TRAINING PROTECTING THE WORLDS LEADING ORGANISATIONS INTRODUCTION03 GOLD RAID MANAGEMENT COURSE04 SILVER RAID AWARENESS COURSE05-06 BRONZE RAID AWARENESS COURSE07 02 Introduction

More information

Cyber Security Incident Response High-level Maturity Assessment Tool

Cyber Security Incident Response High-level Maturity Assessment Tool Cyber Security Incident Response High-level Maturity Assessment Tool Introduction Overview Many organisations are extremely concerned about potential and actual cyber security attacks, both on their own

More information

Access Governance. Delivering value. What you gain. Putting a project back on track for success

Access Governance. Delivering value. What you gain. Putting a project back on track for success What you gain Risk-managed access Having a second line of defence to identify what needs to be controlled and who owns it lowers your operational costs, while taking a risk-based approach ensures greater

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

CYBER STREETWISE. Open for Business

CYBER STREETWISE. Open for Business CYBER STREETWISE Open for Business As digital technologies transform the way we live and work, they also change the way that business is being done. There are massive opportunities for businesses that

More information

E-SECURITY REVIEW 2008 DISCUSSION PAPER FOR PUBLIC CONSULTATION

E-SECURITY REVIEW 2008 DISCUSSION PAPER FOR PUBLIC CONSULTATION 1. Introduction E-SECURITY REVIEW 2008 DISCUSSION PAPER FOR PUBLIC CONSULTATION Australia s national security and economic and social well-being rely upon the use and availability of a range of Information

More information

Confident in our Future, Risk Management Policy Statement and Strategy

Confident in our Future, Risk Management Policy Statement and Strategy Confident in our Future, Risk Management Policy Statement and Strategy Risk Management Policy Statement Introduction Risk management aims to maximise opportunities and minimise exposure to ensure the residents

More information

Foregenix Incident Response Handbook. A comprehensive guide of what to do in the unfortunate event of a compromise

Foregenix Incident Response Handbook. A comprehensive guide of what to do in the unfortunate event of a compromise Foregenix Incident Response Handbook A comprehensive guide of what to do in the unfortunate event of a compromise Breadth of Expertise - You re in safe hands Foregenix is a global Information Security

More information

National Cyber Security Policy -2013

National Cyber Security Policy -2013 National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information

More information

JOB DESCRIPTION REF: 50039237

JOB DESCRIPTION REF: 50039237 JOB DESCRIPTION REF: 50039237 Note: This job description does not form part of the employee s contract of employment but is provided for guidance. The precise duties and responsibilities of any job may

More information

CBEST Implementation Guide

CBEST Implementation Guide CBEST Implementation Guide Introduction Existing penetration testing services conducted within the financial services sector are well understood and utilised. Whilst these services have provided a good

More information

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures SECURITY INCIDENT REPORTING AND MANAGEMENT Standard Operating Procedures Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme.

More information

Cyber-safety for Senior Australians. Inquiry Submission

Cyber-safety for Senior Australians. Inquiry Submission SUBMISSION NO. 32 Cyber-safety for Senior Australians Inquiry Submission The AISA Response to the Parliament s Joint Select Committee s call for submissions Date 23 March 2012 Page 1 Executive Summary:

More information

2015 INFORMATION SECURITY BREACHES SURVEY

2015 INFORMATION SECURITY BREACHES SURVEY 2015 INFORMATION SECURITY BREACHES SURVEY Executive Summary Survey conducted by In association with 2 INFORMATION SECURITY BREACHES SURVEY 2015 executive summary Commissioned by: The UK Cyber Security

More information

Sytorus Information Security Assessment Overview

Sytorus Information Security Assessment Overview Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)

More information

MANAGING CYBER RISK IN THE SUPPLY CHAIN

MANAGING CYBER RISK IN THE SUPPLY CHAIN MANAGING CYBER RISK IN THE SUPPLY CHAIN How.trust simplifies the validation of trusted supply partners Author: Gunter Ollmann, CTO INTRODUCTION In today s highly competitive business world the speed at

More information

How to Justify Your Security Assessment Budget

How to Justify Your Security Assessment Budget 2BWhite Paper How to Justify Your Security Assessment Budget Building a Business Case For Penetration Testing WHITE PAPER Introduction Penetration testing has been established as a standard security practice

More information

Are your people playing an effective role in your cyber resilience?

Are your people playing an effective role in your cyber resilience? Are your people playing an effective role in your cyber resilience? 01 Cyber attacks are now business as usual for organizations around the world. Organizations have typically trusted in technology to

More information

Business Plan 2012/13

Business Plan 2012/13 Business Plan 2012/13 Contents Introduction 3 About the NFA..4 Priorities for 2012/13 4 Resources.6 Reporting Arrangements.6 Objective 1 7 To raise the profile and awareness of fraud among individuals,

More information

Security Risk Management Strategy in a Mobile and Consumerised World

Security Risk Management Strategy in a Mobile and Consumerised World Security Risk Management Strategy in a Mobile and Consumerised World RYAN RUBIN (Msc, CISSP, CISM, QSA, CHFI) PROTIVITI Session ID: GRC-308 Session Classification: Intermediate AGENDA Current State Key

More information

JOB DESCRIPTION REF: 50001776

JOB DESCRIPTION REF: 50001776 JOB DESCRIPTION REF: 50001776 Note: This job description does not form part of the employee s contract of employment but is provided for guidance. The precise duties and responsibilities of any job may

More information

Cloud Computing in a Government Context

Cloud Computing in a Government Context Cloud Computing in a Government Context Introduction There has been a lot of hype around cloud computing to the point where, according to Gartner, 1 it has become 'deafening'. However, it is important

More information

Best Practices to Improve Breach Readiness

Best Practices to Improve Breach Readiness Best Practices to Improve Breach Readiness Dr. Robert W. Griffin Chief Security Architect RSA, the Security Division of EMC http://blog.emc2.de/trust-security @RobtWesGriffin 1 Security Breaches 2 Security

More information

Cyber Security Survey

Cyber Security Survey Cyber Security Survey SELF ASSESSMENTS AQUILES A. ALMANSI THE WORLD BANK Objective and Scope The objective of the World Bank Group s Vienna Center for Financial Sector Advisory Services (FinSAC) survey

More information

Close the security gap with a unified approach. Detect, block and remediate risks faster with end-to-end visibility of the security cycle

Close the security gap with a unified approach. Detect, block and remediate risks faster with end-to-end visibility of the security cycle Close the security gap with a unified approach Detect, block and remediate risks faster with end-to-end visibility of the security cycle Events are not correlated. Tools are not integrated. Teams are not

More information

CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION

CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION In the ever-evolving technological landscape which we all inhabit, our lives are dominated by

More information

Cyber Security. CYBER SECURITY presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril.

Cyber Security. CYBER SECURITY presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril. Cyber Security Personal and commercial information is the new commodity of choice for the virtual thief, argues Adrian Leppard, Commissioner for City of London Police, as he sets out the challenges facing

More information

WHITE PAPER. How to simplify and control the cardholder security environment

WHITE PAPER. How to simplify and control the cardholder security environment WHITE PAPER How to simplify and control the cardholder security environment Document Version V1-0 Document Set: QCC Information Security Prepared By Nick Prescot - QCC Information Security Ltd Sponsored

More information

How do we Police Cyber Crime?

How do we Police Cyber Crime? How do we Police Cyber Crime? Thursday 4 th June 2015 Craig Jones, SEROCU Presentation Content UK policing cyber crime programme Cyber threat landscape and impact Cyber business resilience Future Challenges

More information

The Influence of Software Vulnerabilities on Business Risks 1

The Influence of Software Vulnerabilities on Business Risks 1 The Influence of Software Vulnerabilities on Business Risks 1 Four sources of risk relevant for evaluating the influence of software vulnerabilities on business risks Authors Hilbrand Kramer, MSc (Royal

More information

Audit summary of Security of Infrastructure Control Systems for Water and Transport

Audit summary of Security of Infrastructure Control Systems for Water and Transport V I C T O R I A Victorian Auditor-General Audit summary of Security of Infrastructure Control Systems for Water and Transport Tabled in Parliament 6 October 2010 Background Infrastructure critical to the

More information

Information Security in Business: Issues and Solutions

Information Security in Business: Issues and Solutions Covenant University Town & Gown Seminar 2015 Information Security in Business: Issues and Solutions A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

Risk Management Policy

Risk Management Policy Risk Management Policy Responsible Officer Author Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date effective from December 2008 Date last amended December 2012

More information

CYBER SECURITY. ADVISORY SERVICES Governance Risk & Compliance. Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts

CYBER SECURITY. ADVISORY SERVICES Governance Risk & Compliance. Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts CYBER SECURITY ADVISORY SERVICES Governance Risk & Compliance Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts The Financial Services Industry at Crossroads: Where to From Here? WELCOME What

More information

Identifying Cyber Risks and How they Impact Your Business

Identifying Cyber Risks and How they Impact Your Business 10 December, 2014 Identifying Cyber Risks and How they Impact Your Business David Bateman, Partner, K&L Gates, Seattle Sasi-Kanth Mallela, Special Counsel, K&L Gates, London Copyright 2013 by K&L Gates

More information

Rebecca Massello Energetics Incorporated

Rebecca Massello Energetics Incorporated Cybersecurity Procurement Language for Energy Delivery Systems Rebecca Massello Energetics Incorporated NRECA TechAdvantage February 25, 2015 Talking Points What is this document? Who can use this document

More information

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY? WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY? Contents Introduction.... 3 What Types of Network Security Services are Available?... 4 Penetration Testing and Vulnerability Assessment... 4 Cyber

More information

The Cyber Threat Profiler

The Cyber Threat Profiler Whitepaper The Cyber Threat Profiler Good Intelligence is essential to efficient system protection INTRODUCTION As the world becomes more dependent on cyber connectivity, the volume of cyber attacks are

More information

HOW DOES ACCREDITATION BENEFIT GOVERNMENT AND REGULATORS?

HOW DOES ACCREDITATION BENEFIT GOVERNMENT AND REGULATORS? HOW DOES ACCREDITATION BENEFIT GOVERNMENT AND REGULATORS? TABLE OF CONTENTS INTRODUCTION...02 PARTNERING WITH REGULATORS AND GOVERNMENT DEPARTMENTS TO BUILD TRUST AND REDUCE RISK...03 BENEFITS FOR REGULATORS

More information

EDS Innovation Research Programme DISCUSSION PAPER SERIES. No.005 Media, Connectivity, Literacies and Ethics

EDS Innovation Research Programme DISCUSSION PAPER SERIES. No.005 Media, Connectivity, Literacies and Ethics EDS Innovation Research Programme DISCUSSION PAPER SERIES No.005 Media, Connectivity, Literacies and Ethics Security Challenges of Networks: Cyber Trust and Cyber Crime Robin Mansell March 2006 EDS Innovation

More information

Cyber Security Risk Management: A New and Holistic Approach

Cyber Security Risk Management: A New and Holistic Approach Cyber Security Risk Management: A New and Holistic Approach Understanding and Applying NIST SP 800-39 WebEx Hosted by: Business of Security and Federal InfoSec Forum April 12, 2011 Dr. Ron Ross Computer

More information

Guiding Principles on Cyber Security. Guidance for Internet Service Providers and Government

Guiding Principles on Cyber Security. Guidance for Internet Service Providers and Government Guiding Principles on Cyber Security Guidance for Internet Service Providers and Government December 2013 Contents Contents... 2 Industry Contributors... 3 Introduction... 4 Section 1 - Internet Service

More information

BIBA response to DEFRA consultation on Securing the future availability and affordability of home insurance in areas of flood risk.

BIBA response to DEFRA consultation on Securing the future availability and affordability of home insurance in areas of flood risk. S:\Wp\Files\Current\Grane\Nicol\2013\July 8 August 2013 Flood Insurance Consultation Department for Environment, Food and Rural Affairs 3 rd Floor, Zone C, Nobel House 17 Smith Square London SW1P 3JR Dear

More information

SCOTTISH CENSUS INDEPENDENT SECURITY REVIEW REPORT

SCOTTISH CENSUS INDEPENDENT SECURITY REVIEW REPORT SCOTTISH CENSUS INDEPENDENT SECURITY REVIEW REPORT Issue 1.0 Date 24/03/2011 Logica is a business and technology service company, employing 39,000 people. It provides business consulting, systems integration

More information