Feeds

New UK.gov cyber-security standard puts MANAGERS in firing line

Gov seeks views on private sector rules

Beginner's guide to SSL certificates

The UK government is seeking to hear from businesses that would be interested in submitting evidence to help form a new "organisational standard" for cyber security.

The Cyber Security and Resilience Team within the Department for Business, Innovation, and Skills (BIS) has asked businesses to detail initial interest in submitting views on such a standard by 8 April with a view to providing guidance to those companies about their submissions before the beginning of May. Respondents will then have until Monday 14 October 2013 to make those submissions.

As part of its Cyber Security Strategy published in November 2011, the government promised to develop industry-led cyber security standards for private sector companies. The Government said it was now acting on that pledge.

"The government intends to select and endorse an organisational standard that best meets the requirements for effective cyber risk management," BIS said in a statement.

"There are currently various relevant standards and guidance, which can be confusing for organisations, businesses and companies that want to improve their cyber security. We aim to offer clarity to the private sector, based on the standard that we select and choose to promote. We will shortly publish guidance to help organisations and groups prepare their evidence for submission," it added.

The government said that an organisational standard for cyber security should protect firms (8-page/122KB PDF) both large and small against "low-end methods of compromise, such as phishing and social engineering, malware and viruses". The standard should incorporate "an independent audit and assurance framework" and be aligned with international standards, it said.

The standard, "when correctly implemented", should be "designed to deliver" certain "outcomes", the government said. Those outcomes include that senior managers within companies can be held to account for failing to meet their cyber security responsibilities and that there can be "confidence that the controls in place mitigate the risks posed from low-end methods of compromise".

The government said that the outcomes the new cyber security organisational standard should be able to facilitate could only be achieved if the standard sets a number of "auditable requirements" over controls that companies should have to have in place.

Those controls should include that there is "governance of cyber security" across a business and that the measures firms put in place for mitigating cyber security risks contain "using an appropriate mix of awareness, preventative, detective and recovery controls across the physical, personnel and technical security functions", it said.

In addition, the controls set out in the standard should specify how businesses should monitor for cyber security threats and check how effective their controls are at repelling such threats, the Government said. They should also include reporting requirements so that firms' owners, customers and regulators are informed of "cyber security performance and incidents ... in a structured manner that enables monitoring of cyber security trends across industry and identification of root causes of incidents".

"Cyberspace is vital for the UK’s economic prosperity, national security and for our way of life," the government said. "It brings many opportunities for businesses and consumers, but also threats from cyber crime, espionage, and terrorism, which must be addressed. The loss of - or damage to - information, can have a significant impact on an organisation and on the broader UK economy. Whether that loss is by accident or through malicious attack, the outcome is the same; risk to brand and reputation, financial risk, risk to growth potential."

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Providing a secure and efficient Helpdesk

More from The Register

next story
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Zippy one-liners, broken promises: Doctor Who on the Orient Express
Series finally hits stride, but Clara's U-turn is baffling
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.