Cyber Security Model presentation from 30 September 2014 Innovation Network event in Scotland
Defence Cyber Protection Partnership
Daniel Selman Cyber Industry Deputy Head
ISS DAIS
CDE Innovation Network event: 30 September 2014, Glasgow
The Latest Trends in Cyber Security
Information Security Breaches Survey (2014) – Trends
Small Businesses (< 50 Staff)

                                        2013    2014
% of respondents that had a breach
Average number of breaches in year
Cost of worst breach of the year        £65k    £115k
Overall cost of security breaches
“The average cost of the worst breach suffered has gone up significantly particularly for small businesses – it’s nearly
doubled over the last year.”
DCPP ENABLING WORK
Information Sharing
• Reducing adversaries’ window of opportunity by:
  • Timely sharing of information across industry and government – some of it sensitive
Measurements & Standards
• Providing clarity in terms of where we are and where we need to get to by:
  • Defining the proportionate and practical cyber security standards required in all defence contracts
Supply Chain Awareness
• Raising awareness of cyber security by:
  • Briefing a common message and surveying readiness
Proportionate Security into the Procurement Lifecycle
The DCPP Cyber Security Model’s (CSM’s) principles involved are:
To mandate Cyber Security Risk Management
To bring about a cultural change – top-down, policy change (primarily affecting all new contracts placed)
To risk-assess all supplies (including services) so that a proportionate level of security is routinely requested by acquirers
To ensure that all contracts include clear, appropriate cyber security requirements
To ensure that acquirers assess their aggregated risk through active monitoring of their own and suppliers’ on-going compliance to contracted security requirements
Cyber Security Risk Management in Procurement
DCPP CSM Key Points:
It mandates organisational Security Risk Management
Security Risk Assessments (by default)
Contracts include proportionate security requirements
Suppliers’ security reporting evidence routinely assessed
Based on ISO27001:2013 and HMG requirements and controls
Based on a maturity model, not a pass/fail test
Incorporates Cyber Essentials Scheme (CES) requirements
Has been developed in collaboration (MOD, Industry, Advisory)
Has been tested by Pilots involving both Primes and SMEs
DCPP CSM Pilots - Criteria
Confirm the process is simple to follow and identify any areas of concern
Confirm the questions are clear and easily understood and identify any areas of concern
Confirm hypothesis that CES is subset of DCPP CSM (identify gaps/overlaps)
Understand level of effort, skills required and identify commercial issues
Determine level of automation / tool support required
Pilots Feedback
• Good engagement from all projects
• Broad support for the aims of the Cyber Security Model
• Useful comments on both the approach and specific questions
• Feedback being collated and analysed to understand what changes are needed
• Initial conclusions – tweaks needed to the question sets, bit more thinking required on how to manage the burden on supply chain and MOD alike
FURTHER ADVICE
General Cyber Security Advice and Guidance:
Check your organisation and your IT service provider(s) against HMG’s “10 Steps to Cyber Security” (search www.cesg.gov.uk or www.gov.uk)
BIS Cyber Essentials Scheme (search www.gov.uk)
Ask your information security staff to join Cyber Security Information Sharing Partnership (CISP) to access threat information (www.cisp.org.uk)
Access Technology Strategy Board’s voucher scheme for funding to improve cyber security (Search https://vouchers.innovateuk.org, closing date: 23 July 2014)
CERT UK (www.cert.gov.uk)
CPNI (www.cpni.gov.uk/advice/cyber)
CESG (www.cesg.gov.uk)
Defence Sector Specific Advice:
Ask for advice: ADS, techUK, Primes, trade associations