Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

What is the UK Cyber Essentials scheme?

1,476 views

Published on

Find out about the UK Government's new Cyber Essentials scheme -what it is, how you can comply and why it is good for your business.

Published in: Business
  • Be the first to comment

What is the UK Cyber Essentials scheme?

  1. 1. What is the Cyber Essentials scheme, and, how do we comply? 21st August 2014 Alastair Stewart IT Governance Ltd www.itgovernance.co.uk
  2. 2. Introduction • Alastair Stewart • PCI DSS Consultant at IT Governance Ltd • Cyber Essentials Consultant & Trainer • Associate of (ISC)2 for CISSP © IT Governance Ltd 2014 2
  3. 3. Agenda • Cyber breaches: key facts • What sorts of breaches? • An overview of Cyber Essentials • The requirements of CES • IT Governance; a CREST-accredited certification body • Meeting the CES requirements at your own pace and within budget • How documentation aids compliance • Going beyond CES • Using CES as part of your wider cyber resilience © IT Governance Ltd 2014 3
  4. 4. Cyber breaches: key facts © IT Governance Ltd 2014 60% of breached small organisations close down within 6 months – National Cyber Security Alliance 4 • In 2013 81% of large organisations & 61% of small organisation suffered data breaches. • The median number of breaches per company were: Large organisations: 16 Small organisations: 6 • Average cost of the worst single breach: Large organisations: £600k - £1.15m Small organisations: £65k - £115k • 59% of respondents expect more breaches this than last PwC and BIS: 2014 ISBS Survey
  5. 5. What sorts of breaches? © IT Governance Ltd 2014 5 Of Large Organisations: • External attack – 55% • Malware or viruses – 73% • Denial of Service – 38% • Network penetration (detected) – 24% – (if you don’t think you’ve been breached, you’re not looking hard enough) • Know they’ve suffered IP theft – 16% • Staff-related security breaches – 58% • Breaches caused by inadvertent human error – 31% PwC and BIS: 2014 ISBS Survey
  6. 6. Cyber Risk: How Should Boards Respond? © IT Governance Ltd 2014 Governance of Cyber Security Board 6 Cyber Risk environment Monitor Performance Conformance Business Objectives Direct Plans & Policies Evaluate Proposals Security Management Business and IT, Activities and Processes “Corporate governance consists of the set of processes, customs, policies, laws and institutions affecting the way people direct, administer or control a corporation.” (Wikipedia) Management “is the act of getting people together to accomplish desired goals and objectives using available resources efficiently and effectively.” (Wikipedia) Governance ≠ Management
  7. 7. Cyber Security Framework © IT Governance Ltd 2014 7 Effective cyber security depends on resilience: co-ordinated, integrated preparations for rebuffing, responding to and recovering from a wide range of possible attacks. • A strategy is essential. • A management system is fundamental. • Defence, continuity, and recovery must each be provided for. • No single stand-alone solution is sufficient. • Money will be required • 80% of breaches could be prevented through basic security ‘hygiene’
  8. 8. Why assess Cyber Security risk? © IT Governance Ltd 2014 8 Demands for assurance 74% of respondents say their customers prefer dealing with suppliers with proven cyber security credentials, while 50% say their company has been asked about its information security measures by customers in the past 12 months. The need for increased compliance Given our findings, and the fact the existence of best practice information security standard ISO/IEC 27001 is known to 87% of respondents, it is striking that only 35% of responding organisations are compliant with the standard.
  9. 9. The Cyber Essentials Scheme • A government scheme designed to make the UK a safer place for online business • Part of the governments National Cyber Security Strategy • Outlines requirements for mitigating the most common internet based threats • Designed not to exclude SME’s © IT Governance Ltd 2014 9
  10. 10. Background to CES • Has evolved from other schemes and HMG guidance such as – 10 Steps to Cyber Security – Small Businesses: What you need to know about cyber security • Forms the next stage from these schemes • Gives practical controls to implement • Involves a level of independent testing to give assurance to other parties • Designed as a security profile for all businesses to follow • Addresses SME specific challenges in implementing cyber security © IT Governance Ltd 2014 10
  11. 11. Certification Options • Cyber Essentials – Self-Assessed by completing a questionnaire – Certification Bodies will verify compliance – Different CB’s will use different methods to verify compliance • Cyber Essentials Plus – All of the previous option – Also includes independent vulnerability testing • The different options don’t indicate the security stance, but the robustness of the check on the security stance © IT Governance Ltd 2014 11
  12. 12. Scoping Controls of CES • The scope should be clearly defined at the start of a CES project • It should include internal and external systems • You should consider service providers such as cloud service or hosting providers • Should exclude bespoke or highly complex IT systems (SCADA, POS etc.) • A meaningless scope creates a useless implementation © IT Governance Ltd 2014 12
  13. 13. The CES Controls 1. Boundary firewalls and internet gateways 2. Secure Configuration 3. User Access Control © IT Governance Ltd 2014 13 Objective: Information, applications and computers within the organisation’s internal networks should be protected against unauthorised access and disclosure from the internet, using boundary firewalls, internet gateways or equivalent network devices. Objective: Computers and network devices should be configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role. Objective: User accounts, particularly those with special access privileges (e.g. administrative accounts) should be assigned only to authorised individuals, managed effectively and provide the minimum level of access to applications, computers and networks.
  14. 14. The CES Controls 4. Malware Protection 5. Patch Management © IT Governance Ltd 2014 14 Objective: Computers that are exposed to the internet should be protected against malware infection through the use of malware protection software. Objective: Software running on computers and network devices should be kept up-to-date and have the latest security patches installed.
  15. 15. Certification Bodies • Accreditation bodies – Accredits or licences organisations to be certification bodies – Ensures certification bodies are competent and able to implement the certification process • Certification bodies – Must meet the requirements set out by the accreditation bodies – Must follow the accreditation bodies certification scheme • Currently only two AB’s: IASME & CREST • IASME CB’s can only certify to CE • CREST CB’s can certify to CE and CE+ © IT Governance Ltd 2014 15
  16. 16. IT Governance Ltd; a CREST approved CB • We follow CREST’s certification scheme • Allows certification at both levels • CE is verified by external vulnerability scanning – Provides a more robust check than just the questionnaire • CE + uses internal vulnerability assessments – Assessments performed by CREST approved penetration testers © IT Governance Ltd 2014 16
  17. 17. © IT Governance Ltd 2014 17 How to comply? IT Governance can help.
  18. 18. © IT Governance Ltd 2014 18 We are a CREST member and a CREST-accredited certification body for CES.
  19. 19. DO-IT-YOURSELF  Certification © IT Governance Ltd 2014 19 We offer three solutions for certification. You implement the requirements yourself and we provide certification subject to compliance. GET A LITTLE HELP GET A LOT OF HELP  Training  Toolkit  Online help  Certification  On-site consultancy  Toolkit  Certification We give you the implementation tools and provide certification subject to compliance. We show you how to implement the requirements and provide certification subject to compliance.
  20. 20. Why us? • CREST approved • Able to offer both CE and CE+ certification • Perform both the external and internal scanning in house • Expertise surrounding Cyber Resilience • Able to integrate CES into other information security standards © IT Governance Ltd 2014 20
  21. 21. The Toolkit • Designed to aid in meeting the controls • Includes policy and procedure templates • Utilises record templates • Includes a Gap Analysis tool © IT Governance Ltd 2014 21
  22. 22. The Gap Analysis Tool • Easy and simple interface • Lists all the controls and requirements • Offers locations to find further guidance • Clear and simple summary layout to show progress © IT Governance Ltd 2014 22
  23. 23. Why Policies and Procedures? • Most effective way of implementing the controls and maintaining compliance – Allows you to set the accepted standard for the five control areas – Responsibility for the controls can be assigned through policies – Effectiveness of the controls can be monitored – Procedures for implementing the controls can be developed and standardised • Writing policies requires a level of understanding on management systems © IT Governance Ltd 2014 23
  24. 24. Beyond CES • CES is derived from ‘10 Steps to Cyber Security’ – Only covers 5 of the 10 • Mapped to ISO/IEC 27001 & 27002 • Mapped to PCI DSS • Compliance with another standard doesn’t automatically mean compliance with CES © IT Governance Ltd 2014 24
  25. 25. Next steps to consider © IT Governance Ltd 2014 25 • Evolve your CES into an ISMS and create a robust and cyber resilient system for your business processes. • Consider the Cloud Controls Matrix (CCM) as well as protecting devices with BYOD policies and procedures. • Make the right choice for a permanent solution.
  26. 26. ISO27001 The Cyber Security Standard ISO/IEC 27001, together with the international code of practice, ISO/IEC 27002, provide a globally recognised standard and best-practice framework for addressing the entire range of cyber risks © IT Governance Ltd 2014 26 - Could be a first step to ISO27001 - Could add strength to an existing ISMS
  27. 27. Benefits Impress stakeholders © IT Governance Ltd 2014 27 Being Cyber Resilient Reduce Protect Survival jobs insurance costs Major cost saving Impress customers Protect reputation Avoid significant disruption Win new business: - Existing markets - Supply Chain Assurance - Contracting with HMG
  28. 28. Any Questions? For more information on our products and services you can simply email us here: © IT Governance Ltd 2014 team@itgovernancepublishing.co.uk Or call us on: +44 (0)1353 771107 28 Cyber Essentials: A Pocket Guide £3.49 Cyber Essentials Gap Analysis Tool £19.95 Cyber Essentials Documentation Toolkit £99.95 DIY Package CE: £400 CE Plus: £1,150 ‘Get a little help’ Package CE: £885 CE Plus: £1,635 ‘Get a lot of help’ Package CE: £1,245 CE Plus: £1,995

×