Signalling Centre Control Panel. Cyber Security Strategy
- Violet Stevenson
- 7 years ago
Cyber Security Strategy
September 2013

[Image: Signalling Centre Control Panel]
Table of Contents

Executive Summary
Introduction
Relevance to Network Rail
Our Cyber Security Goals
Our Strategy
Review & Validation
Executive Summary

Network Rail owns and operates the rail infrastructure in Great Britain, with the aim of delivering outstanding value to the UK Taxpayer. Our business activities range from planning and delivering train paths through operational signalling systems, maintaining the physical infrastructure assets that make up the railway, managing a significant property portfolio and a plethora of back office functions that help us to administer our business and support our employees, customers and stakeholders.

To deliver an excellent rail service, we make great use of information technologies and automated computer systems. These systems control train movement, deliver power to the network, support our timetabling and operational planning processes, schedule work activities across our maintenance teams, manage and pay our suppliers and our people, and allow them to communicate effectively. Every part of every business activity in Network Rail relies in some way on computerised systems and information technologies. Technology is critical to our business and rail infrastructure operations.

These systems, upon which we rely, are under constant and growing threat.

Computer security threats have advanced significantly from early viruses such as Anna Kournikova and Melissa, which caused widespread disruption of systems at the turn of the century, to sophisticated "digital weapons" such as the Stuxnet virus responsible for damaging centrifuges supporting the Iranian nuclear enrichment programme. The groups carrying out these "cyber" attacks have also changed from teenage hackers in universities to organised criminal groups, activists and foreign nation state sponsored attackers with a strong political motive. The UK Government has added cyber activity to its list of Tier One threats to the UK, alongside terrorism, war and global pandemic. According to a Cabinet Office report, cybercrime cost the UK economy £27bn in 2011 (BAE Systems Detica, The Cost of Cyber Crime, Feb 2012).

[Image: European Train Control System Driver Machine Interface]

Protecting Network Rail from the effects of a cyber attack is a key priority. As part of the UK's Critical National Infrastructure with high levels of public visibility, a growing commercial presence and a large, at times transitory, workforce, there are many reasons we may be targeted. Protestors and activists may seek to disrupt our planned work, foreign intelligence services may wish to gain access to control systems or strategic plans, private businesses may attempt to gain commercial advantage and disgruntled individuals may damage our systems or steal our information for financial gain.

We need to be better. To date our response has been effective; we have experienced few cyber related incidents with little obvious impact on our operations. However, as the threat grows, our systems become more connected and our reliance on them increases, our defences need to evolve.
Introduction

This publication details Network Rail's strategy to manage the risk of cyber attacks against our organisation and describes how the strategy will be delivered. It is fully aligned with the Network Rail and Industry Strategic Business Plans and further informed by the government's UK Cyber Security Strategy.

What is Cyber Security?

Cyber security is the protection of networked electronic systems from attack or misuse. It includes elements of physical, personnel and information security. Cyber attacks could lead to the compromise of sensitive information, denial of access to computing services or degradation/loss of control of systems. The sophistication and pervasiveness of cyber attacks is constantly growing, driven partly by technological progress, profitable applications in organised crime and state sponsored innovation.

We must continue to develop and use modern, business enabling technologies to meet the needs of our customers and other stakeholders. In doing so, we should ensure that we are adequately protected from the prospect of those technologies being exploited in ways that could damage us. Cyber threats can originate from multiple sources, as illustrated in Figure 1.

[Figure 1 - Cyber Security Threats & Vulnerabilities. Threats: terrorists, foreign intelligence services, investigative journalists, organised criminals, hacktivists, industrial spies, insiders (accidental / malicious). Other labels: controls, vulnerabilities. Exploitable assets: traffic management, remotely manageable infrastructure, confidential & safety information, corporate intranet, external websites, telephony, passenger information, performance indication, billing & delay attribution, procurement systems.]
Relevance to Network Rail

As an organisation, we are wholly reliant on technology to conduct our business operations, whether it is the delivery of front-line rail infrastructure operations or back office corporate support. We are also a category 2 provider of critical national infrastructure, as set out in the Civil Contingencies Act. As such, we are obligated by law to cooperate with relevant authorities in order to protect the services we provide, which are crucial for the UK's continued political and economic well-being.

As a provider of critical national infrastructure, we may be targeted by groups with political or ideological differences to the UK at large, in addition to attacks from amateur hackers, organised criminals, industrial spies, or disgruntled employees. All of these to one degree or another may have the motivation and an increasing technical capability to exploit vulnerable systems.

The Network Rail Executive Board recognises the risk posed by cyber attack and has assigned a score of 8 in the corporate risk register (Probability 3/5 + Impact 5/5).

Although the short-term risk to our business from cyber attacks can be considered relatively low in comparison to other critical infrastructure providers, the exposure of our systems and information will increase significantly during Control Period 5 as we adopt and become increasingly dependent on more networked technologies. An increasing commercial focus in our business activities will also increase the motivation for industrial espionage against us. These events are occurring against a backdrop where malware is becoming increasingly sophisticated and ubiquitous, and where the segregation of the business into semi-autonomous units could increase the risk of inconsistencies and incompatibilities in security controls.

[Image: Overhead line electrification near London Euston]
Our Cyber Security Vision

Our vision is that Network Rail continues to embrace modern, business-enabling technologies in the interconnected world, while adopting suitable processes and controls to protect itself, staff, customers and suppliers, as far as practicable, from cyber attack.

Our Cyber Security Goals

To achieve this vision, we will adopt a common set of security goals based on the threats that we face. These are:

1. Our cyber security defences operate consistently across all technology domains;
2. We recognise malicious activity and can act swiftly to limit the damage;
3. We understand the extent of our exposure to attack;
4. Our systems are developed and maintained to keep step with evolving threats;
5. Our people recognise the cyber security risk and act with due care.

Our Strategy

To realise our vision and security goals, we will deliver and maintain a range of proportionate, risk-based cyber security capabilities that are applied consistently across the entire Network Rail Group. Our strategy encompasses people, organisational structures, business processes and technology, and it will be delivered on the basis of a clear understanding of what it is we are protecting and where our most critical vulnerabilities are. The aims and principles of our strategy are detailed in the following pages.

Proportionate Security Controls

We will establish and maintain proportionate cyber security controls and not waste resources by delivering best of breed defences where none are required. We will not commit resources to mitigate risks that are many years from maturing, will not bury non-critical systems and information behind layers of onerous security controls, and we will not impose unnecessary restrictions on our workforce that impede productivity. Instead we will tailor our security controls in response to the prevailing risks (illustrated in Figure 2).

[Figure 2 - Security Controls vs. Risk. Labels: Security Controls, Risk Exposure, Time.]
Risk Intelligence

To support a risk-based approach, we will build a more comprehensive knowledge of our cyber risk exposure so that we understand and deliver the right controls at the right time. We will conduct a thorough risk assessment across the organisation, cataloguing and assessing all IP-enabled assets and associated operating procedures. The assessment will also extend to key work areas within the business and the potential susceptibility of personnel to social engineering attacks. With a better understanding of our risk exposure, we will be able to target our subsequent actions in the most appropriate ways. We will also put into place the means to continuously assess our risk exposure and tailor our treatment over an extended period of time.

Although our approach to mitigating cyber security risks will be a pragmatic and proportionate one, it is imperative that we not tolerate genuine, very high impact risks (i.e. those that may have safety implications or threaten our organisation's existence), irrespective of their perceived probability. Events in the banking world, terrorism, natural disasters and the industry's own experience all show that freak events can occur and we should not assume that, left untended, they will not occur again. This is illustrated in the weighted risk matrix in Figure 3, where impact is assigned a higher relative value than probability to account for extreme events. Some example (non-prescriptive) treatment options are shown in Figure 4.

[Figure 3 - Weighted Risk Matrix]

[Figure 4 - Example Risk Treatment Options]

Business Support

Our approach to cyber security must be supportive of the business, not a hindrance to it. The flow of open data that enhances value and improves the customer experience must be maintained. Similarly, we must continue to be transparent over the running of our business to meet key strategic objectives and commitments to our stakeholders. Rather than being contrary to these aims, strong cyber security is complementary. Protecting the integrity and availability of our information will help to ensure that the correct information is available to our staff and customers at the time they require it. Confidentiality allows us to control the flow of information into the public domain so as not to disappoint or confuse our stakeholders by accidentally leaking immature information at inappropriate moments.
External Engagement

Providing rail services to Great Britain is a collaborative effort. Every day we work with train and freight operating companies, engineering contractors, regulators and others to deliver a reliable and efficient service for the benefit of the public and UK at large. This requires close partnerships and information sharing, exemplified by our strategic alliances with train operators. This situation must continue and the flow of open data, as already stated, must not be disrupted by the need to secure our systems and information.

To ensure that this remains the case, we will extend our successful business relationships into the security arena. We will share appropriate threat intelligence with our rail partners and seek to collaboratively realise the capabilities that are necessary to protect the industry from attack.

We must also act in the recognition that Network Rail is a unique organisation within the rail industry. Our civil engineering pedigree and provision of services that are more akin to the utilities sector means that we would be well-advised to also look outside of the rail industry for additional strategic partnerships and information sharing. To that end, we will seek a forum with other organisations outside of the rail industry that face a similar range of business and cyber security challenges to our own. We will make full use of government sponsored information exchanges wherever possible and beneficial, but will also be prepared to take a proactive lead in engaging with wider industry whenever required.
Supply Chain Assurance

In delivering and operating Great Britain's rail infrastructure, we are highly dependent on external suppliers for various products and services. However strong our own security controls may be, there remains a possibility that they could be subverted by inadvertent vulnerabilities coming through the supply chain. To counter this we will ensure that our procurement standards and processes help to minimise the risk as far as possible by placing security specific requirements on suppliers. We will strengthen our ability to assure the security of externally sourced products and services and work with suppliers so that they understand our needs and ensure that their own assurance efforts are suitably aligned.

Organisation

Our approach to cyber security will change from one that varies according to technology domain (encompassing business, operational, asset management and telecoms systems), to one that is consistent across the group. To support this we will establish clear lines of authority, responsibility and accountability. A senior executive risk owner and group-level governance will drive consistency of cyber security controls from the top of the organisation down. Individual business units will be responsible for maintaining cyber security controls that are both aligned to the central strategy and relevant to their technology domain and strategic objectives.

People

The achievement of effective cyber security is not a task that is limited to the delivery of improved technical security controls and business processes. Ultimately our defences are defined by our people.

We are seeing a shift away from the isolated electro-mechanical rail control systems of old towards new IP-enabled, computer controlled systems that require a different technical and security philosophy to successfully deliver and operate. We will therefore ensure that our engineering workforce is suitably equipped and supported to identify and mitigate cyber security risks that apply to the latest, and future, generations of systems.

With regards to our non-engineering personnel, we must become better at educating and supporting a workforce that, with the rest of society, is becoming increasingly exposed to cyber security threats. We will cultivate a more security aware culture at Network Rail so that our staff manage information and systems securely and can recognise and respond appropriately to both opportunistic and targeted cyber attacks, for their personal benefit as well as for the business as a whole.

Finally we will ensure that our specialist security personnel possess and maintain the professional skills needed to deliver effective cyber security capabilities and support for the rest of the organisation. As a result of the new professional development opportunities offered by our organisation, we will become a destination of choice for cyber security professionals.

[Image: Rail signalling centre]
Principles

The principles that we will adhere to in our execution of the strategy are:

- We will immediately address issues that are recognised to be affecting our ability to detect and respond to threatening cyber activity;
- We will operate in an assumed state of compromise, that is there will not be a presumption that our network boundaries, internal and external, are invulnerable;
- We will develop and maintain a detailed understanding of our risk exposure to inform cyber defence and business change activities;
- We will create a culture in which the security of technological systems, information and processes is assessed and verified from the point of inception through to delivery, use and disposal;
- We will seek to manage rather than avoid all risk so that we and our people can continue to benefit from opportunities in cyberspace;
- We will develop our people's knowledge and skills, recruit appropriately, and invest in technology where required to maintain an effective cyber defence;
- We will organise and operate across Network Rail functional boundaries and business units to meet the cyber threat effectively and minimise duplication;
- We will make use of expert guidance when appropriate and collaborate with government and industry to benefit from tried and tested approaches, knowledge and experience;
- All information and systems will have identified owners.
Review & Validation

This strategy document will be reviewed annually to check its continuing relevance and the progress we have made against our strategic goals. The initial review will be commissioned on the first anniversary of publication and this document will be updated accordingly.

Measuring the success of the strategy will not be a straightforward task. Until we have thoroughly assessed the risk and established an accurate moving picture of the vulnerabilities of our organisation and systems, it is impossible to determine what "good enough" is. Our efforts to cultivate a more security aware culture throughout the organisation will mean that many cyber risks that would otherwise have had an impact will be simply avoided. In the meantime, the external threats and attack surface of our business will likely increase, resulting in a moving baseline that makes analysis and trend identification difficult.

Adequate cyber security is not a point condition. We must maintain an awareness of our risk exposure and deploy the controls that are appropriate at the given time to ensure we are not left unnecessarily exposed to attack or waste valuable resources investing in security controls that are not required. We will therefore assess the success of the strategy through largely qualitative means rather than predetermining specific levels of cyber security maturity based on widely recognised models and control frameworks, such as those published by the World Economic Forum and SANS Institute. We will however use these models and frameworks as a comparative means to track our progress. Generally speaking, we will expect to see a positive trend with regards to our cyber security maturity, although negative trends may be permissible provided they correlate to a reduction of threat or risk exposure. This is the essence of our risk-based approach and the analysis of our maturity levels will be conducted as part of the annual Cyber Security Strategy review.

Although the assessment of our strategy as a whole will be largely qualitative, our programme of delivery and each constituent project will be based upon robust business cases, including demonstrable benefits arising from each individual piece of work. Every project will be justified separately and a mechanism for demonstrating eventual benefits and value for money, either as a direct contributor or enabler, will be designed into each one.
Addressing the cyber security threats to business operations is a growing concern for governments, private enterprises and other commercial organisations. As a fast moving environment, the types of attack we might face, the people carrying them out, and the potential harm to our business are not fully understood and will change rapidly over time.

Delivering our five strategic cyber security goals will put Network Rail in a far stronger position to meet whatever cyber threat we experience head on. With an assured approach to cyber security, Network Rail can continue to embrace business enabling technologies in the modern, interconnected world, whilst protecting our customers, stakeholders and people from avoidable risk.
Network Rail, Kings Place, 90 York Way, London N1 9AG Tel:
More informationWelcome to this ACT webinar
Welcome to this ACT webinar Cybersecurity: threats and responses 02 June 2015 12.30-13.15 Sponsored BST by Sponsored by Introduction James Lockyer Development Director ACT Interactive widgets Please take
More informationSupply Chain Risk: Understanding Emerging Threats to Global Supply Chains
Supply Chain Risk: Understanding Emerging Threats to Global Supply Chains Prof John Manners-Bell, Logistics and Supply Chain Council, WEF CEO, Transport Intelligence Sao Paulo, March 2015 Changes in SCM
More informationThe centre of government: an update
Report by the Comptroller and Auditor General Cabinet Office and HM Treasury The centre of government: an update HC 1031 SESSION 2014-15 12 MARCH 2015 4 Overview The centre of government: an update Overview
More informationUnit 3 Cyber security
2016 Suite Cambridge TECHNICALS LEVEL 3 IT Unit 3 Cyber security Y/507/5001 Guided learning hours: 60 Version 1 September 2015 ocr.org.uk/it LEVEL 3 UNIT 3: Cyber security Y/507/5001 Guided learning hours:
More informationCyber Security Strategy
NEW ZEALAND S Cyber Security Strategy 2015 A secure, resilient and prosperous online New Zealand Ministerial Foreword The internet and technology have become a fundamental element in our lives. We use
More informationInstitute of Internal Auditors Cyber Security. Birmingham Event 15 th May 2014 Jason Alexander
Institute of Internal Auditors Cyber Security Birmingham Event 15 th May 2014 Jason Alexander Introduction Boards growing concern with Cyber Risk Cyber risk is not new, but incidents have increased in
More informationIMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE
IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle
More informationCybersecurity and the Romanian business environment in the regional and European context
KPMG Legal Cybersecurity and the Romanian business environment in the regional and European context Developing a cybersecurity culture for the users of digital and communications systems has become a mandatory
More informationTrends in Malware DRAFT OUTLINE. Wednesday, October 10, 12
Trends in Malware DRAFT OUTLINE Presentation Synopsis Security is often a game of cat and mouse as security professionals and attackers each vie to stay one step ahead of the other. In this race for dominance,
More informationLevel5. Civil Service Competency Framework 2012-2017. Level 5 Deputy Directors
Level5 Civil Service Competency Framework 2012-2017 About this framework We are introducing a new competency framework to support the Civil Service Reform Plan and the new performance management system.
More informationICT Digital Transformation Programme
Officer and Date Item Cabinet 11 th May 2016 Public ICT Digital Transformation Programme Responsible Officer: Clive Wright, Chief Executive Email: Clive.wright@shropshire.gov.uk Tel: 01743 252007 1.0 Summary
More informationV1.0 - Eurojuris ISO 9001:2008 Certified
Risk Management Manual V1.0 - Eurojuris ISO 9001:2008 Certified Section Page No 1 An Introduction to Risk Management 1-2 2 The Framework of Risk Management 3-6 3 Identification of Risks 7-8 4 Evaluation
More informationInternet Safety and Security: Strategies for Building an Internet Safety Wall
Internet Safety and Security: Strategies for Building an Internet Safety Wall Sylvanus A. EHIKIOYA, PhD Director, New Media & Information Security Nigerian Communications Commission Abuja, NIGERIA Internet
More informationwww.pwc.co.uk Cyber security Building confidence in your digital future
www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in
More informationCompliance Guide: ASD ISM OVERVIEW
Compliance Guide: ASD ISM OVERVIEW Australian Information Security Manual Mapping to the Principles using Huntsman INTRODUCTION In June 2010, The Australian Government Protective Security Policy Framework
More informationNational Cyber Security Policy -2013
National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information
More informationdeveloping your potential Cyber Security Training
developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company
More informationGUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012
GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental
More informationThe Cyber Threat Profiler
Whitepaper The Cyber Threat Profiler Good Intelligence is essential to efficient system protection INTRODUCTION As the world becomes more dependent on cyber connectivity, the volume of cyber attacks are
More information2 Gabi Siboni, 1 Senior Research Fellow and Director,
Cyber Security Build-up of India s National Force 2 Gabi Siboni, 1 Senior Research Fellow and Director, Military and Strategic Affairs and Cyber Security Programs, Institute for National Security Studies,
More informationCourse 4202: Fraud Awareness and Cyber Security Workshop (3 days)
Course introduction It is vital to ensure that your business is protected against the threats of fraud and cyber crime and that operational risk processes are in place. This three-day course provides an
More informationSYMANTEC CYBERV ASSESSMENT SERVICE OVER THE HORIZON VISIBILITY INTO YOUR CYBER RESILIENCE MORE FOCUS, LESS RISK.
SYMANTEC CYBERV ASSESSMENT SERVICE OVER THE HORIZON VISIBILITY INTO YOUR CYBER RESILIENCE Cyberspace the always-on, technologically hyperconnected world offers unprecedented opportunities for connectivity,
More informationNATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY
NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY JANUARY 2012 Table of Contents Executive Summary 1 Introduction 2 Our Strategic Goals 2 Our Strategic Approach 3 The Path Forward 5 Conclusion 6 Executive
More informationBusiness Continuity Management
Business Continuity Management Policy Statement & Strategy July 2009 Basildon District Council Business Continuity Management Policy Statement The Council is committed to ensuring robust and effective
More informationCorporate Risk Management Policy
Corporate Risk Management Policy Managing the Risk and Realising the Opportunity www.reading.gov.uk Risk Management is Good Management Page 1 of 19 Contents 1. Our Risk Management Vision 3 2. Introduction
More informationHow To Manage Risk On A Scada System
Risk Management for Industrial Control Systems (ICS) And Supervisory Control Systems (SCADA) Information For Senior Executives (Revised March 2012) Disclaimer: To the extent permitted by law, this document
More informationSection 2 - Key Account Management - Core Skills - Critical Success Factors in the Transition to KAM
Section 2 - Key Account Management - Core Skills - Critical Success Factors in the Transition to KAM 1. This presentation looks at the Core skills required in Key Account Management and the Critical Success
More informationMonitoring Highways England The monitoring framework
Monitoring Highways England The monitoring framework October 2015 Contents Executive summary 4 Roads reform 4 ORR s role in monitoring Highways England 5 What we will do next 10 1. Overview of this document
More informationItaly. EY s Global Information Security Survey 2013
Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information
More informationCyber security and critical national infrastructure
120 Dr Richard Piggin Manager Defence, Aerospace & Communications Atkins Cyber security and critical national infrastructure Abstract Cyber security is an all-embracing term, meaning different things to
More informationEEI Business Continuity. Threat Scenario Project (TSP) April 4, 2012. EEI Threat Scenario Project
EEI Business Continuity Conference Threat Scenario (TSP) April 4, 2012 EEI Threat Scenario 1 Background EEI, working with a group of CIOs and Subject Matter Experts, conducted a survey with member companies
More informationThe internet and digital technologies play an integral part
The Cyber challenge Adjacent Digital Politics Ltd gives an overview of the EU Commission s Cyber Security Strategy and Commissioner Ashton s priorities to increase cyber security in Europe The internet
More informationCYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY
CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY INTRODUCTION Information security has evolved. As the landscape of threats increases and cyber security 1 management becomes
More informationCyber Security. Protecting the UK water industry
Cyber Security Protecting the UK water industry In today s connected world, cyber attacks are a daily occurrence. These attacks can have potentially disastrous consequences for water companies and the
More informationUnder control 2015 Hot topics for IT internal audit in financial services. An Internal Audit viewpoint
Under control 2015 Hot topics for IT internal audit in financial services An Internal Audit viewpoint Introduction Welcome to our fourth annual review of the IT hot topics for IT internal audit in financial
More informationA Guide to the Cyber Essentials Scheme
A Guide to the Cyber Essentials Scheme Published by: CREST Tel: 0845 686-5542 Email: admin@crest-approved.org Web: http://www.crest-approved.org/ Principal Author Jane Frankland, Managing Director, Jane
More informationCyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis
Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis An analogue approach to a digital world What foundations is CDCAT built on?
More informationCYBER SECURITY GUIDANCE
CYBER SECURITY GUIDANCE With the pervasiveness of information technology (IT) and cyber networks systems in nearly every aspect of society, effectively securing the Nation s critical infrastructure requires
More informationCPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS
CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access
More informationMalware isn t The only Threat on Your Endpoints
Malware isn t The only Threat on Your Endpoints Key Themes The cyber-threat landscape has Overview Cybersecurity has gained a much higher profile over the changed, and so have the past few years, thanks
More informationBuilding Public Trust: Ethics Measures in OECD Countries
Building Public Trust: Ethics Measures in OECD Countries Annex 1998 Recommendation of the OECD Council on Improving Ethical Conduct in the Public Service, 36 Including Principles for Managing Ethics in
More informationScotland s National Action Plan to tackle Child Sexual Exploitation
Scotland s National Action Plan to tackle Child Sexual Exploitation Ministerial Foreword Aileen Campbell The safety and wellbeing of all children and young people is a key priority for the Scottish Government.
More informationExternal Environment. and Industry Trends
External Environment External Environment and Industry Trends We have identified various external factors, emerging risks and industry trends together with our key stakeholders which may impact our business.
More informationCybercrime: risks, penalties and prevention
Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,
More information06100 POLICY SECURITY AND INFORMATION ASSURANCE
Version: 5.4 Last Updated: 30/01/14 Review Date: 27/01/17 ECHR Potential Equality Impact Assessment: Low Management of Police Information (MoPI) The Hampshire Constabulary recognises that any information
More informationCyber security. Cyber Security. Digital Employee Experience. Digital Customer Experience. Digital Insight. Payments. Internet of Things
Cyber security Digital Customer Experience Digital Employee Experience Digital Insight Internet of Things Payments IP Solutions Cyber Security Cloud 2015 CGI IT UK Ltd Contents... Securing organisations
More informationSouth West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy
South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy Reference No: CG 01 Version: Version 1 Approval date 18 December 2013 Date ratified: 18 December 2013 Name of Author
More informationWHAT YOU NEED TO KNOW ABOUT CYBER SECURITY
SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes
More informationCyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown
Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available
More informationCyber Security: Threat & The Maritime Environment Cyber Security: now byting the maritime industry
Cyber Security: Threat & The Maritime Environment Cyber Security: now byting the maritime industry Templar Executives NIAS 2007 DHR 2008 IAMM 2008 1 st CSS 2009 2 nd CSS 2011 Advising Government & Industry
More informationSmall businesses: What you need to know about cyber security
Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...
More informationThe enemies ashore Vulnerabilities & hackers: A relationship that works
The enemies ashore Vulnerabilities & hackers: A relationship that works Alexandros Charvalias, Manager CISSP, CISA, ACDA Assurance & Enterprise Risk Services Cyber security maturity model How effectively
More information