Feeds

New UK.gov cyber-security standard puts MANAGERS in firing line

Gov seeks views on private sector rules

Secure remote control for conventional and virtual desktops

The UK government is seeking to hear from businesses that would be interested in submitting evidence to help form a new "organisational standard" for cyber security.

The Cyber Security and Resilience Team within the Department for Business, Innovation, and Skills (BIS) has asked businesses to detail initial interest in submitting views on such a standard by 8 April with a view to providing guidance to those companies about their submissions before the beginning of May. Respondents will then have until Monday 14 October 2013 to make those submissions.

As part of its Cyber Security Strategy published in November 2011, the government promised to develop industry-led cyber security standards for private sector companies. The Government said it was now acting on that pledge.

"The government intends to select and endorse an organisational standard that best meets the requirements for effective cyber risk management," BIS said in a statement.

"There are currently various relevant standards and guidance, which can be confusing for organisations, businesses and companies that want to improve their cyber security. We aim to offer clarity to the private sector, based on the standard that we select and choose to promote. We will shortly publish guidance to help organisations and groups prepare their evidence for submission," it added.

The government said that an organisational standard for cyber security should protect firms (8-page/122KB PDF) both large and small against "low-end methods of compromise, such as phishing and social engineering, malware and viruses". The standard should incorporate "an independent audit and assurance framework" and be aligned with international standards, it said.

The standard, "when correctly implemented", should be "designed to deliver" certain "outcomes", the government said. Those outcomes include that senior managers within companies can be held to account for failing to meet their cyber security responsibilities and that there can be "confidence that the controls in place mitigate the risks posed from low-end methods of compromise".

The government said that the outcomes the new cyber security organisational standard should be able to facilitate could only be achieved if the standard sets a number of "auditable requirements" over controls that companies should have to have in place.

Those controls should include that there is "governance of cyber security" across a business and that the measures firms put in place for mitigating cyber security risks contain "using an appropriate mix of awareness, preventative, detective and recovery controls across the physical, personnel and technical security functions", it said.

In addition, the controls set out in the standard should specify how businesses should monitor for cyber security threats and check how effective their controls are at repelling such threats, the Government said. They should also include reporting requirements so that firms' owners, customers and regulators are informed of "cyber security performance and incidents ... in a structured manner that enables monitoring of cyber security trends across industry and identification of root causes of incidents".

"Cyberspace is vital for the UK’s economic prosperity, national security and for our way of life," the government said. "It brings many opportunities for businesses and consumers, but also threats from cyber crime, espionage, and terrorism, which must be addressed. The loss of - or damage to - information, can have a significant impact on an organisation and on the broader UK economy. Whether that loss is by accident or through malicious attack, the outcome is the same; risk to brand and reputation, financial risk, risk to growth potential."

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Choosing a cloud hosting partner with confidence

More from The Register

next story
Bladerunner sequel might actually be good. Harrison Ford is in it
Go ahead, you're all clear, kid... Sorry, wrong film
Musicians sue UK.gov over 'zero pay' copyright fix
Everyone else in Europe compensates us - why can't you?
I'll be back (and forward): Hollywood's time travel tribulations
Quick, call the Time Cops to sort out this paradox!
Megaupload overlord Kim Dotcom: The US HAS RADICALISED ME!
Now my lawyers have bailed 'cos I'm 'OFFICIALLY' BROKE
Euro Parliament VOTES to BREAK UP GOOGLE. Er, OK then
It CANNA do it, captain.They DON'T have the POWER!
Forget Hillary, HP's ex CARLY FIORINA 'wants to be next US Prez'
Former CEO has political ambitions again, according to Washington DC sources
prev story

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.