CESG CIR SCHEME AND CREST CSIR SCHEME FREQUENTLY ASKED QUESTIONS
GENERAL

Q: What is the Cyber Security Incident Response (CSIR) Scheme?
A: A broadly based scheme led by CREST and endorsed by GCHQ and CPNI, which focuses on appropriate standards for incident response aligned to demand from all sectors of industry, the wider public sector and academia.

Q: What is the Cyber Incident Response (CIR) scheme?
A: A small and focused Government-run Cyber Incident Response scheme certified by GCHQ and CPNI, responding to sophisticated, targeted attacks against networks of national significance.

Q: Why have these schemes been launched?
A: All indications are that the level, sophistication and frequency of cyber security attacks are increasing. It has been accepted that the national security authorities do not have the capacity to directly support private sector organisations or government departments where the nature of the attack does not suggest a risk to national security. It was therefore decided that a much more collaborative approach would be required, with strong, well-defined links between industry and government. The CIR and CSIR schemes have therefore been launched to enable all those organisations that may be victims of cyber-attack (SMEs, national and multinational industry, the CNI, the wider public sector and central government) to source an appropriate incident response service tailored to their particular needs. CREST Cyber Security Incident Response Members, with access to qualified personnel, will provide recovery and clean-up services to the majority of organisations and government departments, allowing GCHQ and CPNI to focus on the attacks that have a potential impact on national security. It is also the case that organisations suffering a cyber-security attack do not know where to go for help, have no way of assessing the quality of those helping them, nor of the security arrangements and support provided by the organisations they work for. The CREST register of cyber security incident response organisations, the CREST qualifications and the CNI scheme will provide a much greater level of confidence to the buying community.
Q: Why have government and industry collaborated in this initiative?
A: Government and industry have worked closely on a number of schemes and initiatives related to cyber security. It is recognised that lessons learnt from one type of attack will be of great value to a wide range of organisations. Working collaboratively provides both scale and quality to combat cyber security attacks.

Q: What is the relationship between CESG/CPNI and CREST?
A: CESG and CPNI have reviewed CREST's Cyber Security Incident Response (CSIR) scheme and endorsed it as setting appropriate processes, procedures, governance, qualifications, skills and experience to provide effective incident response for a significant proportion of cyber incidents. They have discussed the standard used for the scheme with CREST and endorsed the scheme as providing an appropriate standard for effective incident response.

Q: Will there be any other bodies apart from CREST endorsed by CESG and CPNI?
A: CESG has conducted a review of the market and there are not currently any other organisations that could provide these types of services today: technical examinations in Cyber Incident Response and company assessment. CESG has worked closely with CREST in the past on penetration testing and security architecture examinations, and the CREST and CHECK schemes are well aligned. Whilst CREST is the only scheme currently endorsed, there is no restriction on other such bodies gaining endorsement in this important area, both locally and internationally.

Q: Who can join the CSIR Scheme?
A: Any quality organisation providing cyber security incident response services. There is no restriction on size, where the organisation is domiciled or what specific industry sectors they work in. Becoming a member of the Scheme is not trivial. Applicants will be required to pass a comprehensive assessment process demonstrating their knowledge and application in this area, their ability to protect client-based information and their willingness to sign up to a comprehensive code of conduct.

Q: Who can join the CIR Scheme?
A: In addition to requirements similar to those of the CSIR Scheme, an organisation will be required to provide additional contractual information, demonstrate its ability to work on projects with a national security bias and have access to staff capable of meeting national security requirements.
Q: Is it a two tier scheme?
A: No, it is not a two-tiered scheme. There is no implied indication that one scheme is more comprehensive, nor that the companies or individuals are more capable or better qualified. The difference is that those in the CIR scheme have the necessary attributes to deal with a very specific set of threats in a particular context. It is not implied that the cyber security incidents experienced by private sector organisations or government departments require any less capability.

Q: Is membership of the CSIR Scheme a prerequisite for joining the CIR Scheme?
A: There are no prerequisites for membership of the CIR Scheme; however, organisations that have met the stringent CREST requirements will be in a much stronger position to demonstrate their capability during the selection process.

COMPANY APPLICATION PROCESS

Q: What is the process for applying for the CSIR scheme?
A: Organisations wishing to join the CSIR Scheme will need to sign a Non-Disclosure Agreement (NDA) with CREST. On receipt of the signed NDA, CREST will issue an application form. The organisation will be required to complete all parts of the application and submit it to CREST. The application will be reviewed in detail and, where necessary, areas of concern will be highlighted in a formal letter to the applicant company. Once the paper application has been completed to a satisfactory standard, a site visit will be required to validate the claims made on the application and to remind the organisation of its obligations under the code of conduct. Once this has been completed and the membership payment received, the company will be entered onto the CREST register under the Cyber-Security category.

Q: Is the process the same for existing CREST penetration testing member companies?
A: Many of the questions regarding the quality of the service and the policies, processes and procedures for the protection of client-based information will already have been completed and assessed. Existing CREST Penetration Testing Member companies will also have already signed up to the CREST code of conduct and signed an NDA. An existing member company should therefore request an application form and will be required to complete the sections relating to the Cyber-Security Incident Response service. Once completed, this section will be reviewed and assessed in line with the process for new members as outlined above.
There have been some updates to the existing CREST application form. All existing CREST organisations will be required to complete the new application form as part of their three-year renewal cycle. The new questions reflect recognised best practice and therefore organisations should consider completing all parts of the new form. Details of the process are described on the CREST website or from new

Q: Who will conduct the CREST company assessments?
A: CREST fully recognises the sensitivity of the material provided as part of the company assessment process. All applications submitted to CREST are seen only by CREST-employed staff. No information is passed to the member company representatives of either the CREST Executive or any other parties regarding the submission of an application, nor any correspondence relating to the application process. The member company representatives on the CREST Executive have no part in the decision to award or not to award CREST membership.

Q: What is the process for joining the CIR scheme?
A: See the CESG website.

Q: Is membership of the CSIR scheme a mandatory requirement for the CIR scheme?
A: There is no prerequisite for a CIR company to have first passed the CSIR assessment; however, organisations that have met the stringent CREST requirements will be in a much stronger position to demonstrate their capability during the selection process.

Q: What are the costs for the CIR Scheme?
A: Potential Scheme Members: for companies that can demonstrate that they meet the CIR requirements and are existing CHECK companies there will be a minimal charge of £1 plus VAT for companies certified during FY 2013/14. Whilst future fees will be kept to a minimum, CESG reserves the right to increase the cost of CIR membership in subsequent years. For companies that can demonstrate that they meet the CIR requirements and are not existing CHECK companies there will be an initial charge of £7,500 plus VAT. These companies will derive the same benefits as existing CHECK companies. In subsequent years the cost will be kept in line with the CHECK scheme. CESG reserves the right to levy an additional cost for ongoing CIR membership.
Q: What are the costs for the CSIR Scheme?
A: CREST company membership is £7,000 plus VAT per annum. For existing CREST member companies there will be no additional membership charge, although an administration fee of £250 plus VAT will be levied against existing CREST members seeking assessment under the additional CSIR category. For companies that are not current CREST members but would like to be CSIR members, the annual fee after passing the company assessment will be £7,000 per annum. This will provide the company with all the existing CREST member benefits.

Q: What is the renewals process for the CIR Scheme?
A: Annual renewal is detailed in the contract document.

Q: What is the renewals process for the CSIR Scheme?
A: After the initial assessment there will be an annual renewal. This is designed to be relatively easy to complete and looks to validate certain essential elements of the membership process, confirm agreements between the company and CREST and provide an update where existing policies, processes and procedures have been amended or improved. Given that this is a new scheme, there may be some additional questions to answer over and above the initial assessment. These will be based on experience of operating the scheme. There is no charge for this annual review. Every three years the company will be subject to a full assessment requiring a full resubmission. There will be an assessment fee of £400 plus VAT for this.

Q: When will the CSIR scheme have company members?
A: CREST has been publicising the scheme to existing CREST members, the companies that were part of the CIR trial and others who it is believed have a capability in this area. A number of submissions have already been received and the process of reviewing them has commenced. It is our intention to be in a position to formally announce the first wave of memberships at the end of September. This cannot be guaranteed, as we do not currently know who, if any, will be able to pass the CREST assessment. We would prefer to do it this way as it will create more of an announcement, but more importantly it will not allow any one organisation to say that they were first to market.
Q: When will the new CIR scheme announce members, and will the existing four companies continue to be included?
A: CIR was announced on 13 August. The original 4 pilot companies are all required to reapply under the new CIR requirements.

Q: Will the application process be continual or will there be set times for companies to apply for CSIR membership?
A: CREST accepts applications for company membership, and membership applications to be included in the CSIR, throughout the year.

Q: Will the application process be continual or will there be set times for companies to apply for CIR membership?
A: Continual.

Q: What qualifications are currently available that are recognised under the new schemes?
A: There are four qualifications available from CREST that relate to this area of business.

The first is the CREST Registered Intrusion Analyst (CRIA). The CRIA examination tests a candidate's knowledge across host- and network-based malware analysis and reverse engineering of a malware attack. This examination has been designed for individuals with in the region of 6,000 hours of relevant and frequent experience in this area. It will expect candidates to have an in-depth understanding of certain parts of the intrusion analyst role and a good broad understanding of all aspects. It will expect the candidate to be able to work in this area independently of support.

The next is the CREST Certified Host Intrusion Analyst (CCHIA). The CCHIA examination has been designed for individuals with in the region of 10,000 hours of practical and relevant experience. It tests candidates' knowledge of analysing Windows hosts for evidence of potential compromise.

The CREST Certified Malware Reverse Engineer (CCMRE) identifies at a high level a candidate's ability to reverse engineer malware, particularly remote access Trojans. It also includes a core skills exam covering network and host intrusion. The candidate will be expected to possess not only the technical ability to find security weaknesses and vulnerabilities, but also the skills to ensure findings are presented in a clear, concise and understandable manner. The CCMRE examination has been designed for individuals with in the region of 10,000 hours of practical and relevant experience.
The last is the CREST Certified Network Intrusion Analyst (CCNIA). The CCNIA examination tests candidates' knowledge and expertise in analysing data sources for evidence relating to potential network compromise. It has been designed for individuals with in the region of 10,000 hours of practical and relevant experience. Details of all of these examinations can be found on the CREST website.

CREST is also working with industry and government on another examination for a Senior Cyber Security Incident Response Manager role. It is planned to have this examination formally launched before the end of the year.

Q: Are there any specific roles that relate to the schemes and will they be mandatory?
A: All of the intrusion analyst and malware reverse engineering roles described above are relevant to the schemes. There will be other qualifications, in areas such as forensics and business continuity management, that may well be required in order to form an effective team to facilitate certain types of recovery. Having direct access to individuals holding these types of qualifications will be viewed as beneficial but will not currently be mandatory. Once the Senior Cyber Security Incident Response Manager examination has been formally launched, the intention is to make this a mandatory role within the CIR Scheme within a year of the launch. It is likely that the CREST CSIR Scheme will follow a similar route but may allow an individual to contract to an organisation. If this approach is adopted, an individual will only be allowed to be associated with one member organisation. They will be responsible for the conduct of all members of the team that they lead. It will be clear from the CREST website which qualifications each member organisation holds.

Q: When will the Senior Cyber Security Incident Manager examination be available?
A: By the end of the year. Alpha and beta testing will have been conducted prior to this date.
INDIVIDUAL CONSULTANTS

Q: What will be the criteria for sitting the Senior Cyber Security Incident Response Manager examination?
A: There are no plans for any prerequisites for sitting the new Senior Cyber Security Incident Response Manager examination. It is, however, being designed for individuals with 10,000 hours of experience in the management of significant technical incidents. Individuals will have to be technically competent, understand technical risks and be able to assemble and manage teams to deal with a wide range of technical attacks. It is also likely that there will be soft skills requirements that not only allow them to manage the team effectively but also to deal with senior management and the media.

Q: Will any other qualifications be recognised by the two schemes?
A: Specific qualifications in other related areas are being considered, particularly in related disciplines; however, currently no other qualifications are recognised under the CSIR Scheme. Further analysis will be carried out within the UK and internationally.

Q: Who will set and administer the Senior Cyber Security Incident Response Manager role examinations? How are the Assessors selected?
A: As a certification organisation, CREST operates a small network of Assessors drawn from CREST Member Companies to manage the examination process. This includes collectively devising syllabus content, invigilating, marking and generally operating the exam environment on behalf of CREST. The Assessors jointly comprise the CREST Assessors Panel. When new Assessors are required, either as replacements for previous incumbents or as an additional resource, the CREST member company main points of contact and previous successful candidates from within member companies are contacted in writing, seeking CVs with letters of application from individuals with current CREST Certified Tester (CCT) qualifications who are interested in taking on the role. Potential Assessors are invited to explain:
- their experience within the industry and examples of team leadership;
- their technical skills and how these could help the progression of the CREST assessments and rigs;
- details of other technical areas that could be championed within the Assessors group (e.g. mobile, code review, wireless, architecture, etc.).
Potential Assessors are also asked to confirm their ability to commit the requisite resource to the CREST Assessors group. There is a limit of two assessors per CREST Member Company. Once applications have been received, the Chair and Vice-Chair of the Assessors Panel will review and score them using a predefined weighting scheme. CREST pays for the services of the assessors and requires them to sign a specific NDA relating to the services required.

Q: How much are the existing CREST intrusion analysis and malware reverse engineering examinations?
A: The CREST Registered Intrusion Analyst examination costs VAT. The CREST Certified Tester examinations (NIA, HIA, MRE) cost £1,600 + VAT.

Q: How much will the Senior Cyber Security Incident Manager examination cost to sit?
A: This has not been formally agreed but is likely to be aligned with existing CREST Certified level examinations.

Q: How do I book for the examinations?
A: Bookings for the existing examinations can be made by email to admin@crest-approved.org. CREST would be willing to take pre-bookings for the Senior Cyber Incident Response Manager examination, although it will obviously not be possible to confirm a date. There may also be opportunities for participating in the alpha or beta testing of the examinations. Successes in the alpha and beta testing will be recognised under the scheme; there may, however, be a requirement to provide structured feedback on the examination content, detail and timings.

Q: Is there an annual membership for individuals?
A: There is no requirement for an annual fee for individuals who have passed the CREST examinations. All those who have passed the examination do, however, receive CREST benefits, including attendance at CRESTCon, access to CREST workshops, access to CREST research material, etc. As with all other CREST qualifications, there is a requirement to re-sit the examination every three years to ensure the currency of knowledge and application.
Q: Is there a requirement for CPDs?
A: Under the CREST scheme there are currently no requirements to provide evidence of CPDs. Currency of knowledge, skill and competence is assessed by retaking the examination after three years.

Q: How can I prepare staff to be in a position to sit the existing cyber-security incident response examinations?
A: Whilst the need to manage technical security incidents has existed for a relatively long period of time, some of the knowledge and skill required to manage some cyber security attacks is still evolving. There is not currently a recognised body of knowledge from which potential candidates can draw. The CREST syllabus will provide a basis for an individual to assess whether they have knowledge, skill and competence in the required areas. CREST is working to provide access to state-of-the-art research and case study material. It is also hoped that access to information provided by the UK Cert will be available. In penetration testing, CREST is working with e-skills to establish agreed development pathways. These pathways will be used to help an individual create a professional development plan based on training, personal research and experience. They will also be used to assess training courses and to try to stimulate training activity in the market. The same approach will be adopted for the intrusion analysis, malware reverse engineering and incident management roles. CREST will also be willing to provide access to assessors who will talk through the requirements of the examinations, without providing any hints, tips or guidance on examination questions.

Q: Are there any requirements to employ staff with specific qualifications?
A: See the answer to "Are there any specific roles that relate to the schemes and will they be mandatory?" above; the same position applies: the intrusion analyst and malware reverse engineering roles are relevant, other qualifications (forensics, business continuity management) are beneficial but not currently mandatory, and the Senior Cyber Security Incident Response Manager role is intended to become mandatory within the CIR Scheme within a year of the examination's launch, with the CSIR Scheme likely to follow.
It will be clear from the CREST website which qualifications each member organisation holds.

Q: When will it become mandatory to employ a cyber-security incident manager to be part of the CIR scheme?
A: One year after the formal introduction of the examination.

Q: Is there a requirement to carry a national security clearance?
A: There is no requirement to hold a national security clearance to take any CREST examinations. There is no requirement for a CREST member company to be able to issue government security clearances under the CSIR scheme. As part of the audit there is a requirement to demonstrate effective personnel vetting in line with standards such as BS7858. For the vast majority of work in the private sector there is no requirement for an individual to carry a national security clearance. Where the incident investigation and clean-up services are being provided to a government department operating at IL3 or below, there is no requirement for a national security clearance. For government departments operating above IL3 there will be specific clearance requirements. Given the nature of the information handled, companies certified for the CESG/CPNI CIR scheme require at least one member of staff to be DV cleared. Where a company meets all requirements except DV clearance, a suitable candidate from the company will be sponsored for DV clearance.

Q: Will it be mandatory to employ a Senior Cyber-Security Incident Manager under the CSIR scheme?
A: See the answer to "Are there any specific roles that relate to the schemes and will they be mandatory?" above; the same position applies: once the Senior Cyber Security Incident Response Manager examination has been formally launched, the intention is to make this a mandatory role within the CIR Scheme within a year of the launch, and the CREST CSIR Scheme is likely to follow a similar route but may allow an individual to contract to an organisation, in which case an individual will only be allowed to be associated with one member organisation.
It will be clear from the CREST website which qualifications each member organisation holds.

Q: Will CSIR Scheme members be able to provide cyber incident response and clean-up services to UK Government Departments?
A: Yes. The scheme has been designed by a group representing the supply industry and the government and private sector buying communities. It has then been reviewed and endorsed by CESG and CPNI. At IL3 and below, any CREST Cyber Security member company can provide services. Above IL3 there will be other specific requirements laid down by CESG.

Q: What are the costs of joining the CIR scheme?
A: CREST company membership is £7,000 plus VAT per annum. There is a £400 plus VAT assessment fee for company membership. This includes all support and liaison with CREST regarding the application. The fee will cover both Cyber Incident Response membership and Penetration Testing membership; there is no discount for applying for only one of the membership categories. For existing CREST member companies there will be no additional membership charge, although an administration fee of £250 plus VAT will be levied against existing CREST members seeking assessment under the additional CSIR category. On successful completion of the assessment there is an annual charge of £7,000 plus VAT; this provides the organisation with all the benefits associated with CREST membership. Every three years the company will be subject to a full assessment requiring a full resubmission. There will be an assessment fee of £400 plus VAT for this re-assessment. There is an annual fee associated with award of a certification mark, along similar lines to other CESG certified services. This will be reviewed annually. For companies certified during FY 2013/14 this will be £1 plus VAT.
COMPANIES LOOKING FOR A CYBER SECURITY INCIDENT RESPONSE SERVICE

Q: Under the CSIR scheme will there be any requirement to provide information on incidents to GovCert or any other security bodies?
A: No, there will be no requirements, with the exception of where there is a legal requirement to report certain types of information. No information will be provided to any government authority of the fact that an incident is being investigated or of any details of the incident. CREST does, however, work closely with GovCertUK and other similar organisations and would, where possible, recommend that some anonymised information is provided for the common good of enhancing cyber security, taking account of confidentiality.

Q: Will it be possible to contract cyber incident response services under existing government procurement frameworks?
A: CREST, CESG and CPNI are discussing this and will keep members of both schemes informed of progress.

Q: Will the companies within the CSIR Scheme be allowed to use contractors?
A: Under the CSIR Scheme it will be possible to utilise contracted staff to help make up the recovery and clean-up teams. The organisation should look to contract CREST-qualified contractors, as these will be bound by the CREST individuals' code of conduct and will therefore have to adhere to the policies, processes and procedures of the member company. In the same way, there will be an obligation on the CREST member company to inform the contractor of the company's policies, processes and procedures and to ensure compliance. As this type of contract is often procured very quickly, it is recommended that a CREST member company has pre-trained potential contracting staff or has a process for a quick-start induction. There may in the future be a requirement to employ or have direct access to a Senior Cyber Security Incident Response Manager.

Q: Can more than one CREST company work in consortia to deliver these types of services?
A: There would be no problem with this, and the Scheme has been designed to recognise that very few companies will have the full range of services required to deal with a major cyber attack. Working with other CREST registered companies would generally work better than working with others outside of the Scheme, as the common code of conduct will apply and assurances on important aspects such as contractual arrangements, scope and protection of client information will already have been assessed. It will be possible from the CREST website to see the capabilities of other CREST member companies.
Q: Under the CIR scheme will there be any mandatory requirements to report incidents to any other regulatory bodies?
A: In the interests of enhancing cyber security and enabling CESG and CPNI to support incident response companies, service providers and organisations affected by cyber incidents are encouraged to share technical information with CESG about incidents. This exchange of information will take into account any confidentiality agreements between organisations and service providers. Direct engagement of a Service Provider by an organisation does not require CESG or CPNI to be notified, although organisations and service providers are encouraged to do so.

Q: Can more than one CIR Scheme member work in consortia to deliver the required services?
A: Yes, providing the component consortia companies meet the criteria.

Q: Can a CIR Member Company work in consortia with a CREST member company to deliver the required services?
A: Depending on the level or severity of the incident and the clearances that may be required, and provided also that the CREST Member Company is a CSIR scheme member, it would be acceptable.

Q: How will it be possible to differentiate between incidents that are appropriate for the CSIR scheme and those that should be passed to the CIR scheme?
A: In essence, the CREST CSIR scheme encompasses SMEs, national and multinational industry, the CNI, the wider public sector and central government. The CESG CIR scheme will respond to sophisticated, targeted attacks against networks of national significance. Therefore, for the majority, if an incident has a potential impact on any element of national security, including critical infrastructure or national prosperity, it will be handled under the CIR Scheme. That does not mean that CREST member Companies will not be involved if they possess the necessary credentials.

Q: I am a private sector company and have experienced a cyber-attack. What scheme should I utilise?
A: In the first instance, approach a CREST Cyber Security Incident Response Member Company. Their integrity should be trusted: if it is an incident outside of their sphere of expertise or qualification, they will refer you.

Q: I am part of the critical national infrastructure and have experienced a cyber-attack. What scheme should I utilise?
A: Companies who run Critical National Infrastructure networks are recommended to use the CIR service in order to benefit from the assured procurement that it offers.

Q: I am a government department and have experienced a cyber-attack. What scheme should I utilise?
A: In the first instance, approach a CREST Cyber Security Incident Response Member Company. Their integrity should be trusted: if it is an incident outside of their sphere of expertise or qualification, they will refer you. In the selection of a suitable company, national security requirements should be considered where the information is at IL3 and above.
I am a government department and have experienced a cyber-attack. What scheme should I utilise? [cont'd.]

If GCHQ finds evidence of a cyber incident in a Government or CNI organisation, depending on the severity the affected organisation may be informed by GovCERTUK or CPNI. It is then up to that organisation to identify and undertake any remediation activity, which may or may not include engaging the technical assistance of a security provider. CESG/GovCERTUK/CPNI expect to receive feedback on the remedial action taken.

Does the CSIR scheme operate on an international basis?

Some CREST Member Companies have international operations. This requirement should be stated during initial contact with a service provider in the event of an incident. CREST Member Companies that are CSIR Scheme members should state this capability. CREST international chapters and overseas affiliates will be fully informed of the schemes.

How do I identify what company I should use to help me recover from a cyber-security incident?

Consumer organisations should look for the following from a reputable commercial supplier:
- People who are trained and proficient (experienced)
- Clear, repeatable methodology
- Appropriate tools for the technology
- Cyber insurance and liability insurance
- Relevant understanding of current environments (may be sector specific)
- Ability to contract in additional cyber specialisms if required
- Accreditations aligned to industry standards
- Necessary qualifications/ability (e.g. clearances) to work within the client's environment
- A clear, shared understanding of the scope regarding skills and output, and a matched breadth of business
- An upfront service delivery schedule with the necessary detail (which should be transparent whether there is a managed service in place or not), including a minimum/baseline standard (or common framework) to ensure expectations are met
- Transparency and independence of service offering: a distinction between a managed service and an incident response service
How do I identify what company I should use to help me recover from a cyber-security incident? [cont'd.]

All organisations should put a mutual NDA in place from the outset to cover initial conversations. The Guide needs to highlight this as an essential prerequisite. A CREST Guide to procuring cyber security incident response services will be published by the end of
If you would like to pre-reserve a copy of this guide, please email admin@crest-approved.org

What does the CSIR code of conduct provide?

The CREST Code of Conduct describes the standards of practice expected of CREST Member Companies providing technical information security services and offers assurance of the qualifications and integrity of member companies and their CREST Qualified employees. It also contains the guarantee of a robust complaints handling process in the unlikely event of any problems.

Is there any guidance on how to select a suitable supplier from the CSIR register?

Consumer organisations should look for the following from a reputable commercial supplier:
- People who are trained and proficient (experienced)
- Clear, repeatable methodology
- Appropriate tools for the technology
- Cyber insurance and liability insurance
- Relevant understanding of current environments (may be sector specific)
- Ability to contract in additional cyber specialisms if required
- Accreditations aligned to industry standards
- Necessary qualifications/ability (e.g. clearances) to work within the client's environment
- A clear, shared understanding of the scope regarding skills and output, and a matched breadth of business
- An upfront service delivery schedule with the necessary detail (which should be transparent whether there is a managed service in place or not), including a minimum/baseline standard (or common framework) to ensure expectations are met
- Transparency and independence of service offering: a distinction between a managed service and an incident response service

All organisations should put a mutual NDA in place from the outset to cover initial conversations. The Guide needs to highlight this as an essential prerequisite.
Is there any guidance on how to select a suitable supplier from the CSIR register? [cont'd.]

A CREST Guide to procuring cyber security incident response services will be published by the end of

Is there any guidance available to help me to prepare for managing a cyber-attack?

To be effectively prepared, you should be able to determine the criticality of your key assets; analyse threats to them; and implement a set of complementary controls to provide an appropriate level of protection. Considering the implications for people, process, technology and information, you can then update your cyber security response capability and review your state of readiness in cyber security response. A CREST Cyber Security Incident Response Guide will be published by the end of

Are the existing roles part of the CESG Certified Professional (CCP) Scheme?

The current CCP scheme does not include the roles described in this FAQ. There is however a plan to include all IA roles under the scheme in some form, so as the roles mature it is likely that they will be included. It is likely that some of the existing participants under the CCP scheme would be capable of applying for the roles described.

Will the new Cyber Security Incident Response Manager Role be part of the CCP scheme?

The current CCP scheme does not include the Senior Cyber Security Incident Response role. There is however a plan to include all IA roles under the scheme in some form, so as the roles mature it is likely that they will be included. It is likely that some of the existing participants under the CCP scheme would be capable of applying for this role.

Who derived the requirements for company membership of the CSIR scheme?

A team drawn from industry and government experts in the CSIR field devised the questions and identified the optimum answers against which applicants are assessed. The selected team had to provide evidence of their expertise in this area prior to being allowed to participate.

Who derived the requirements for the company membership of the CIR scheme?

Determination of requirements for the CESG/CPNI scheme was led by CESG in its role as National Technical Authority for IA, drawing on the experience and contribution of GovCERTUK and CPNI.
Who developed the syllabus and examination for the existing examinations?

A team drawn from industry and government experts in the various fields devised the questions. The team had to provide written evidence of their expertise in this area. All participants had to sign an NDA regarding the information provided for the examinations. Separate teams were utilised so that no members had access to all information. Where short or long form written questions were devised, the team also identified the optimum answers against which candidates are assessed. A series of alpha and beta examinations with volunteer candidates were also held and any appropriate observations were fed back into the syllabus. The syllabus and detail were also assessed by CESG.

Who is developing the syllabus and examination for the Senior Cyber Security Incident Response Manager examination?

A team drawn from industry experts in the CSIR field devised the questions. The team had to provide written evidence of their expertise in this area. All participants had to sign an NDA regarding the information being provided for the examination. Where short or long form written questions are required, the team will also identify the optimum answers against which candidates are assessed. A series of alpha and beta examinations with volunteer candidates will also be held and any appropriate observations will be fed back into the syllabus. CESG, CPNI and GovCERTUK are participating in the development of the syllabus and detailed questions.

I need more information; where can I go?

CREST
Tel:
Email: admin@crest-approved.org
Web:

CESG
Tel:
Email: enquiries@cesg.gsi.gov.uk
Web:
More information06100 POLICY SECURITY AND INFORMATION ASSURANCE
Version: 5.4 Last Updated: 30/01/14 Review Date: 27/01/17 ECHR Potential Equality Impact Assessment: Low Management of Police Information (MoPI) The Hampshire Constabulary recognises that any information
More informationDAQ Guide 9 December 2008. A Good Practice Guide to Accreditation of Prior Achievement (APA)
DAQ Guide 9 December 2008 A Good Practice Guide to Accreditation of Prior Achievement (APA) This guide is for De Montfort University staff who want to introduce Accreditation of Prior Achievement (APA),
More informationSorrento Group. Sorrento Group Caters for four main services: Sorrento Electrical Contracting, Sorrento Data Centre Consultancy
Company Profile Table of Contents About Sorrento Group 3 Sorrento Educational Consultancy 4 About Educational Consulting 5 Mission, Vision and Our Aims 6 Our services 7 Services 8 Specialised Services
More informationDCA metrics for the approval of Auditing Firms for Certifications Scheme VERSION 1.0
DCA metrics for the approval of Auditing Firms for Certifications Scheme VERSION 1.0 2013, Data Centre Alliance Limited (www.datacentrealliance.org). All rights reserved. This publication may not be reproduced
More informationLEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
More informationQualification details
Qualification details Title New Zealand Diploma in Organisational Risk and Compliance (Level 6) Version 1 Qualification type Diploma Level 6 Credits 120 NZSCED 080317 Quality Management DAS classification
More informationA. Reference information. A0. G-Cloud Programme unique ID number for the service and version number of this scoping template
G-Cloud Service Pan Government Security Accreditation Scope This form is intended for Suppliers of services on the G-Cloud to complete. Upon receipt, the G-Cloud Programme will check Section A, Reference
More informationUNCLASSIFIED CESG ASSURED SERVICE CAS SERVICE REQUIREMENT DESTRUCTION. Version 1.0. Crown Copyright 2012 All Rights Reserved.
CESG ASSURED SERVICE CAS SERVICE REQUIREMENT DESTRUCTION Version 1.0 Crown Copyright 2012 All Rights Reserved Page 1 Document History Version Date Description 0.1 June 2012 Initial Draft Version 1.0 July
More information