Feeds

New UK.gov cyber-security standard puts MANAGERS in firing line

Gov seeks views on private sector rules

The Essential Guide to IT Transformation

The UK government is seeking to hear from businesses that would be interested in submitting evidence to help form a new "organisational standard" for cyber security.

The Cyber Security and Resilience Team within the Department for Business, Innovation, and Skills (BIS) has asked businesses to detail initial interest in submitting views on such a standard by 8 April with a view to providing guidance to those companies about their submissions before the beginning of May. Respondents will then have until Monday 14 October 2013 to make those submissions.

As part of its Cyber Security Strategy published in November 2011, the government promised to develop industry-led cyber security standards for private sector companies. The Government said it was now acting on that pledge.

"The government intends to select and endorse an organisational standard that best meets the requirements for effective cyber risk management," BIS said in a statement.

"There are currently various relevant standards and guidance, which can be confusing for organisations, businesses and companies that want to improve their cyber security. We aim to offer clarity to the private sector, based on the standard that we select and choose to promote. We will shortly publish guidance to help organisations and groups prepare their evidence for submission," it added.

The government said that an organisational standard for cyber security should protect firms (8-page/122KB PDF) both large and small against "low-end methods of compromise, such as phishing and social engineering, malware and viruses". The standard should incorporate "an independent audit and assurance framework" and be aligned with international standards, it said.

The standard, "when correctly implemented", should be "designed to deliver" certain "outcomes", the government said. Those outcomes include that senior managers within companies can be held to account for failing to meet their cyber security responsibilities and that there can be "confidence that the controls in place mitigate the risks posed from low-end methods of compromise".

The government said that the outcomes the new cyber security organisational standard should be able to facilitate could only be achieved if the standard sets a number of "auditable requirements" over controls that companies should have to have in place.

Those controls should include that there is "governance of cyber security" across a business and that the measures firms put in place for mitigating cyber security risks contain "using an appropriate mix of awareness, preventative, detective and recovery controls across the physical, personnel and technical security functions", it said.

In addition, the controls set out in the standard should specify how businesses should monitor for cyber security threats and check how effective their controls are at repelling such threats, the Government said. They should also include reporting requirements so that firms' owners, customers and regulators are informed of "cyber security performance and incidents ... in a structured manner that enables monitoring of cyber security trends across industry and identification of root causes of incidents".

"Cyberspace is vital for the UK’s economic prosperity, national security and for our way of life," the government said. "It brings many opportunities for businesses and consumers, but also threats from cyber crime, espionage, and terrorism, which must be addressed. The loss of - or damage to - information, can have a significant impact on an organisation and on the broader UK economy. Whether that loss is by accident or through malicious attack, the outcome is the same; risk to brand and reputation, financial risk, risk to growth potential."

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Application security programs and practises

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
Sonos AXES support for Apple's iOS4 and 5
Want to use your iThing? You can't - it's too old
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
Joe Average isn't worth $10 a year to Mark Zuckerberg
The Social Network deflates the PC resurgence with mobile-only usage prediction
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.