Upload
it-governance-ltd
View
364
Download
0
Embed Size (px)
DESCRIPTION
Find out about the UK Government's new Cyber Essentials scheme -what it is, how you can comply and why it is good for your business.
Citation preview
What is the Cyber Essentials scheme, and, how do we comply?
21st August 2014
Alastair StewartIT Governance Ltd
www.itgovernance.co.uk
© IT Governance Ltd 2014
• Alastair Stewart• PCI DSS Consultant at IT Governance Ltd• Cyber Essentials Consultant & Trainer• Associate of (ISC)2 for CISSP
Introduction
2
© IT Governance Ltd 2014
• Cyber breaches: key facts• What sorts of breaches?• An overview of Cyber Essentials • The requirements of CES • IT Governance; a CREST-accredited certification body• Meeting the CES requirements at your own pace and
within budget • How documentation aids compliance • Going beyond CES• Using CES as part of your wider cyber resilience
Agenda
3
© IT Governance Ltd 2014
Cyber breaches: key facts
4
• In 2013 81% of large organisations & 61% of small organisation suffered data breaches.
• The median number of breaches per company were:Large organisations: 16
Small organisations: 6
• Average cost of the worst single breach:Large organisations: £600k - £1.15m
Small organisations: £65k - £115k
• 59% of respondents expect more breaches this than last
PwC and BIS: 2014 ISBS Survey
60% of breached small organisations close down within 6
months – National Cyber
Security Alliance
© IT Governance Ltd 2014
What sorts of breaches?
5
Of Large Organisations:• External attack – 55% • Malware or viruses – 73%• Denial of Service – 38%• Network penetration (detected) – 24%
– (if you don’t think you’ve been breached, you’re not looking hard enough)
• Know they’ve suffered IP theft – 16%• Staff-related security breaches – 58%• Breaches caused by inadvertent human error – 31%
PwC and BIS: 2014 ISBS Survey
© IT Governance Ltd 2014
Governance of Cyber Security
Board
Cyber Risk: How Should Boards Respond?
6
Security ManagementBusiness and IT, Activities and Processes
Monitor
Per
form
ance
Con
form
ance
Direct
Pla
ns &
Pol
icie
s
Evaluate
Pro
posa
ls
Business Objectives
Cyber Risk environment
“Corporate governance consists of the set of processes, customs, policies, laws and institutions affecting the way people direct, administer or control a corporation.” (Wikipedia)
Management “is the act of getting people together to accomplish desired goals and objectives using available resources efficiently and effectively.” (Wikipedia)
Governance ≠ Management
© IT Governance Ltd 2014
Cyber Security Framework
7
Effective cyber security depends on resilience: co-ordinated, integrated preparations for rebuffing, responding to and recovering from a wide range of possible attacks.
• A strategy is essential.• A management system is fundamental.• Defence, continuity, and recovery must each be provided for.• No single stand-alone solution is sufficient.
• Money will be required
• 80% of breaches could be prevented through basic security ‘hygiene’
© IT Governance Ltd 2014
Why assess Cyber Security risk?
8
Demands for assurance
74% of respondents say their customers prefer dealing with suppliers with proven cyber security credentials, while 50% say their company has been asked about its information security measures by customers in the past 12 months.
The need for increased compliance
Given our findings, and the fact the existence of best practice information security standard ISO/IEC 27001 is known to 87% of respondents, it is striking that only 35% of responding organisations are compliant with the standard.
© IT Governance Ltd 2014
• A government scheme designed to make the UK a safer place for online business
• Part of the governments National Cyber Security Strategy
• Outlines requirements for mitigating the most common internet based threats
• Designed not to exclude SME’s
The Cyber Essentials Scheme
9
© IT Governance Ltd 2014
• Has evolved from other schemes and HMG guidance such as– 10 Steps to Cyber Security– Small Businesses: What you need to know about cyber security
• Forms the next stage from these schemes• Gives practical controls to implement• Involves a level of independent testing to give assurance
to other parties• Designed as a security profile for all businesses to follow• Addresses SME specific challenges in implementing
cyber security
Background to CES
10
© IT Governance Ltd 2014
• Cyber Essentials– Self-Assessed by completing a questionnaire– Certification Bodies will verify compliance– Different CB’s will use different methods to verify
compliance
• Cyber Essentials Plus– All of the previous option– Also includes independent vulnerability testing
• The different options don’t indicate the security stance, but the robustness of the check on the security stance
Certification Options
11
© IT Governance Ltd 2014
• The scope should be clearly defined at the start of a CES project
• It should include internal and external systems• You should consider service providers such as
cloud service or hosting providers• Should exclude bespoke or highly complex IT
systems (SCADA, POS etc.)• A meaningless scope creates a useless
implementation
Scoping Controls of CES
12
© IT Governance Ltd 2014
1. Boundary firewalls and internet gateways
2. Secure Configuration
3. User Access Control
The CES Controls
13
Objective: Information, applications and computers within the organisation’s internal networks should be protected against unauthorised access and disclosure from the internet, using boundary firewalls, internet gateways or equivalent network devices.
Objective: Computers and network devices should be configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role.
Objective: User accounts, particularly those with special access privileges (e.g. administrative accounts) should be assigned only to authorised individuals, managed effectively and provide the minimum level of access to applications, computers and networks.
© IT Governance Ltd 2014
4. Malware Protection
5. Patch Management
The CES Controls
14
Objective: Computers that are exposed to the internet should be protected against malware infection through the use of malware protection software.
Objective: Software running on computers and network devices should be kept up-to-date and have the latest security patches installed.
© IT Governance Ltd 2014
• Accreditation bodies– Accredits or licences organisations to be
certification bodies– Ensures certification bodies are competent
and able to implement the certification process
• Certification bodies– Must meet the requirements set out by the
accreditation bodies– Must follow the accreditation bodies
certification scheme
• Currently only two AB’s: IASME & CREST• IASME CB’s can only certify to CE• CREST CB’s can certify to CE and CE+
Certification Bodies
15
© IT Governance Ltd 2014
• We follow CREST’s certification scheme• Allows certification at both levels• CE is verified by external vulnerability
scanning– Provides a more robust check than just the
questionnaire
• CE + uses internal vulnerability assessments– Assessments performed by CREST approved
penetration testers
IT Governance Ltd; a CREST approved CB
16
© IT Governance Ltd 2014
17
How to comply?
IT Governance can help.
© IT Governance Ltd 2014
18
We are a CREST member and a CREST-accredited certification
body for CES.
© IT Governance Ltd 2014
Certification
19
We offer three solutions for certification.
You implement the requirements yourself
and we provide certification subject to
compliance.
DO-IT-YOURSELF
GET A LITTLE HELP
GET A LOT OF HELP
Training Toolkit Online help Certification
On-site consultancy
Toolkit Certification
We give you the implementation tools
and provide certification subject to
compliance.
We show you how to implement the
requirements and provide certification
subject to compliance.
© IT Governance Ltd 2014
• CREST approved• Able to offer both CE and CE+ certification• Perform both the external and internal scanning
in house• Expertise surrounding Cyber Resilience• Able to integrate CES into other information
security standards
Why us?
20
© IT Governance Ltd 2014
• Designed to aid in meeting the controls
• Includes policy and procedure templates
• Utilises record templates
• Includes a Gap Analysis tool
The Toolkit
21
© IT Governance Ltd 2014
• Easy and simple interface
• Lists all the controls and requirements
• Offers locations to find further guidance
• Clear and simple summary layout to show progress
The Gap Analysis Tool
22
© IT Governance Ltd 2014
• Most effective way of implementing the controls and maintaining compliance– Allows you to set the accepted standard for the five
control areas– Responsibility for the controls can be assigned
through policies– Effectiveness of the controls can be monitored– Procedures for implementing the controls can be
developed and standardised
• Writing policies requires a level of understanding on management systems
Why Policies and Procedures?
23
© IT Governance Ltd 2014
• CES is derived from ‘10 Steps to Cyber Security’– Only covers 5 of the 10
• Mapped to ISO/IEC 27001 & 27002
• Mapped to PCI DSS• Compliance with another
standard doesn’t automatically mean compliance with CES
Beyond CES
24
© IT Governance Ltd 2014
Next steps to consider
25
• Evolve your CES into an ISMS and create a robust and cyber resilient system for your business processes.
• Consider the Cloud Controls Matrix (CCM) as well as protecting devices with BYOD policies and procedures.
• Make the right choice for a permanent solution.
© IT Governance Ltd 2014
ISO/IEC 27001, together with the international code of practice, ISO/IEC 27002, provide a globally recognised standard and best-practice framework for addressing the entire range of cyber risks
ISO27001 The Cyber Security Standard
26
- Could be a first step to ISO27001- Could add strength to an existing ISMS
© IT Governance Ltd 2014
Benefits
27
Being Cyber Resilient
Reduce insurance costs
Major cost saving
Impress customers
Protect reputation
Avoid significant disruption
SurvivalProtect jobs
Win new business:- Existing markets- Supply Chain Assurance- Contracting with HMG
Impress stakeholders
© IT Governance Ltd 2014
For more information on our products and services you can simply email us here:
Or call us on:
+44 (0)1353 771107
Any Questions?
28
Cyber Essentials: A Pocket Guide £3.49
Cyber Essentials Gap Analysis Tool £19.95
Cyber Essentials Documentation Toolkit £99.95
DIY Package CE: £400CE Plus: £1,150
‘Get a little help’ Package CE: £885CE Plus: £1,635
‘Get a lot of help’ Package CE: £1,245CE Plus: £1,995