There’s no shortage of advice to infosec leaders about what they ought to be doing to tighten the IT security of their organization, starting with the Center for Internet Security’s critical security controls. But what if the board and C-suite want to tell departments what they must do?
The recently-issued minimum cyber security standard for U.K. government departments is a good place to start. In seven pages the government sets out what it expects departments to adhere to — and exceed wherever possible.
This concise document goes along with the more detailed best practices security policy framework for protecting government assets, first published in 2014, to comply with the U.K. national cyber security strategy.
Those two documents can be granular, and in some ways ‘here’s how you do it’. The minimum cyber security standard is ‘here’s what you better be doing.’
So, for example, one of the first standards is “Departments shall identify and manage the significant risks to sensitive information and key operational services.”
Here’s another notable must: “Access shall be removed when individuals leave their role or the organization. Periodic reviews should also take place to ensure appropriate access is maintained.”
And another: “Multi-factor authentication shall be used where technically possible, such as where administrative consoles provide access to manage cloud based infrastructure, platforms or services. Multi-factor authentication shall be used for access to enterprise level social media accounts.”
Four sections
The standard is broken down into four sections infosec pros will recognize from creating a strategy: Identify, Protect, Detect and Respond. Within each, department heads are mandated to take certain actions. This means that if there is a failure the government can ask, ‘Why wasn’t this done?’
“This is a useful starting point for Canadian authorities,” said David Swan, the Alberta-based director of cyber intelligence at the Centre for Strategic Cyberspace + Security Science, an international consultancy. “All levels of government can use it. The requirements of the standard can be integrated into any regulatory framework. The standard can be expanded or included in other guidance. In the corporate environment, this level of knowledge should be required by boards of directors, CEOs, CSOs and CISOs. Organizations that don’t require this level of knowledge are essentially ‘co-operative victims’, unaware of their risk, cyber threat and consequences.”
The standard does allow some implementation flexibility. So the definitions of ‘sensitive’, ‘essential’, ‘important’ and ‘appropriate’ are left open. “However,” the document adds, “departments are accountable for the effectiveness of these decisions.”
U.K. departments “shall understand and manage security issues that arise because of dependencies on external suppliers or through their supply chain,” the standard says. That includes ensuring that the standards are met by the suppliers of third party services, such as hardware, software, consulting or cloud providers. However, those third parties could meet compliance in one of several ways. One is if the supplier holds a valid Cyber Essentials certificate as a minimum.
The U.K. Cyber Essentials program has accredited bodies issue certificates to private sector companies attesting that they have met certain minimum security standards. Last month, when it released the latest Canadian cyber security standard, Ottawa said it is looking to set up a similar program here.
However, the Canadian program may take some time. The government said it will first consult with the private sector and potential certification bodies. At this point it isn’t known who those certification firms could be. In the U.K. they include many IT security consulting companies that have expertise in the area. The department of Innovation, Science and Economic Development (ISED) will be responsible for approving the Canadian program. The Communications Security Establishment (CSE), which oversees security for federal systems, will define a basic set of measures SMEs would have to follow. And the Standards Council of Canada will approve certification bodies to evaluate whether SMEs have met the standard.
Note where the U.K. minimum standard starts: “There shall be clear lines of responsibility and accountability to named individuals for the security of sensitive information and key operational services.”