9 September 2014: Cyber Security Model
1. Defence Cyber Protection Partnership
Industry Information Security Liaison, Ministry of Defence
CDE Innovation Network event
9 September 2014, London
2. Context of the cyber threat
“…the greatest transfer of wealth in history."
General Alexander, Director of the NSA
“We ignore the cyber threat at our peril…. 93% of large corporations… have had a cyber security breach in the past year.”
Francis Maude, Minister for the Cabinet Office
The cyber threat is real and growing
Detica Report 2011
Cyber attack is a ‘Tier 1’ threat to the nation
National Security Strategy, 2010
Longest time period within which APT1 has continued to access a victim’s network:
4 years, 10 months
Mandiant report 2013
Largest APT1 data theft from a single organisation:
6.5 Terabytes
over 10 months
Mandiant report 2013
3. It won’t happen to me
My systems are already protected
It’s the CIO’s problem
It’s the customer’s problem
I’m too small to be a target
I can’t afford it
It’s the Prime’s problem
Do I need to worry?
4. The latest trends in cyber security
Information Security Breaches Survey (2014) – trends
Small businesses (< 50 staff), 2013 compared with 2014:
• % of respondents that had a breach
• Average number of breaches in year
• Cost of worst breach of the year
• Overall cost of security breaches
Figures given on the slide: £65k, £115k
“The average cost of the worst breach suffered has gone up significantly particularly for small businesses – it’s nearly doubled over the last year.”
6. DCPP ENABLING WORK
Information sharing
• Reducing adversaries’ window of opportunity by:
  • Timely sharing of information across industry and government – some of it sensitive
Measurements and standards
• Providing clarity in terms of where we are and where we need to get to by:
  • Defining the proportionate and practical cyber security standards required in all defence contracts
Supply chain awareness
• Raising awareness of cyber security by:
  • Briefing a common message and surveying readiness
7. DCPP proportionate security model
Proportionate security within the procurement lifecycle
The principles involved are:
To mandate cyber security risk management
To bring about a cultural change – top-down, policy change (primarily affecting all new contracts placed)
To risk-assess all supplies (including services) so that a proportionate level of security is routinely requested by acquirers
To ensure that all contracts include clear, appropriate cyber security requirements
To ensure that acquirers assess their aggregated risk through active monitoring of their own and suppliers’ on-going compliance to contracted security requirements
8. Outline
Risk assessment
• Used by buyer, pre-contract
• 26 questions
• Output is indicative requirement ‘low’, ‘medium’, ‘high’ for supply, organisation and supply chain
Assurance questionnaire
• Used by buyer to specify detailed expectations
• Used by supplier to respond
• 97 questions in 14 categories
Questionnaire structure (diagram labels): control, ‘red flag’, degree of rigour
10. Pilots - criteria
Confirm the process is simple to follow and identify any areas of concern
Confirm the questions are clear and easily understood and identify any areas of concern
Confirm hypothesis that CES is subset of DCPP (identify gaps/overlaps)
Understand level of effort and appropriate skills
Understand whether responses are naturally organisational or project specific
11. WHERE CAN I GO FOR FURTHER ADVICE?
For general cyber security advice and guidance:
Check your organisation and your IT service provider(s) against HMG’s ‘10 Steps to Cyber Security’ (search www.cesg.gov.uk)
BIS Cyber Essentials Scheme (search www.gov.uk)
Ask your information security staff to join Cyber Security Information Sharing Partnership (CiSP) to access threat information (www.cisp.org.uk)
Access Technology Strategy Board’s voucher scheme for funding to improve cyber security (search https://vouchers.innovateuk.org, closing date: 23 July 2014)
CERT UK (www.cert.gov.uk)
CPNI (www.cpni.gov.uk/advice/cyber)
CESG (www.cesg.gov.uk)
For defence-sector-specific advice:
Ask for advice: ADS, techUK, Primes, trade associations