New UK.gov cyber-security standard puts MANAGERS in firing line
Gov seeks views on private sector rules
The UK government is seeking to hear from businesses that would be interested in submitting evidence to help form a new "organisational standard" for cyber security.
The Cyber Security and Resilience Team within the Department for Business, Innovation, and Skills (BIS) has asked businesses to detail initial interest in submitting views on such a standard by 8 April with a view to providing guidance to those companies about their submissions before the beginning of May. Respondents will then have until Monday 14 October 2013 to make those submissions.
As part of its Cyber Security Strategy published in November 2011, the government promised to develop industry-led cyber security standards for private sector companies. The Government said it was now acting on that pledge.
"The government intends to select and endorse an organisational standard that best meets the requirements for effective cyber risk management," BIS said in a statement.
"There are currently various relevant standards and guidance, which can be confusing for organisations, businesses and companies that want to improve their cyber security. We aim to offer clarity to the private sector, based on the standard that we select and choose to promote. We will shortly publish guidance to help organisations and groups prepare their evidence for submission," it added.
The government said that an organisational standard for cyber security should protect firms (8-page/122KB PDF) both large and small against "low-end methods of compromise, such as phishing and social engineering, malware and viruses". The standard should incorporate "an independent audit and assurance framework" and be aligned with international standards, it said.
The standard, "when correctly implemented", should be "designed to deliver" certain "outcomes", the government said. Those outcomes include that senior managers within companies can be held to account for failing to meet their cyber security responsibilities and that there can be "confidence that the controls in place mitigate the risks posed from low-end methods of compromise".
The government said that the outcomes the new cyber security organisational standard should be able to facilitate could only be achieved if the standard sets a number of "auditable requirements" over controls that companies should have to have in place.
Those controls should include that there is "governance of cyber security" across a business and that the measures firms put in place for mitigating cyber security risks contain "using an appropriate mix of awareness, preventative, detective and recovery controls across the physical, personnel and technical security functions", it said.
In addition, the controls set out in the standard should specify how businesses should monitor for cyber security threats and check how effective their controls are at repelling such threats, the Government said. They should also include reporting requirements so that firms' owners, customers and regulators are informed of "cyber security performance and incidents ... in a structured manner that enables monitoring of cyber security trends across industry and identification of root causes of incidents".
"Cyberspace is vital for the UK’s economic prosperity, national security and for our way of life," the government said. "It brings many opportunities for businesses and consumers, but also threats from cyber crime, espionage, and terrorism, which must be addressed. The loss of - or damage to - information, can have a significant impact on an organisation and on the broader UK economy. Whether that loss is by accident or through malicious attack, the outcome is the same; risk to brand and reputation, financial risk, risk to growth potential."
Copyright © 2013, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.
The Defence sector has a bunch of standards we have to follow. (eg JSP440), plus a quango to approve applications etc, (CESG). I don't understand why UK.GOV aren't chatting to those guys.
(All defence IT systems are supposed to be pen. tested and must be accredited)
No. Don't sack the managers
sack the directors who hired them in the first place.
Here's an opportunity
for those peddling secure operating systems.
We have two 'cyber-security' workstreams
One aimed at achieving compliance with government standards, which keeps a significant bureaucracy lucratively employed, but does nothing to mitigate the real-world risks we face. The other, carried out by practical people with a clue, is aimed at giving us some real protection against those threats.
Years of experience says this new government initiative will make the situation worse
First bring ISO27001 up to date. Then you can create a whole series of more detailed standards from it, each addressing a particular area of information security that you think needs attention.
There - my employer would have charged many thousands for that - you've had it for free whilst I'm having my breakfast .