UK standards and benchmarks
- Cybersecurity guidance for non-executive directors: 25 key questions to ask: Reflecting just how far cybersecurity has now risen up the business agenda, in December 2014 the Department for Business, Innovation and Skills (BIS) issued “Cyber Security: balancing risk and reward with confidence (Guidance for Non-Executive Directors)”. Read our summary of the key issues here.
- Latest FTSE 350 Cyber Governance Health Check shows that cyber threats continue to rise up the risk agenda: In January BIS released its second annual review of FTSE 350 companies’ preparedness for potential cyber attacks. The BIS report, entitled “FTSE 350 Cyber Governance Health Check Tracker Report”, revealed a number of interesting trends. Read our summary of the key issues here.
- Revised Cybersecurity Guidance for Businesses: In January the UK government revised and augmented its cybersecurity guidance (originally published in 2012). The revised suite of documents, published jointly by The Cabinet Office, CESG, Centre for the Protection of National Infrastructure and BIS, now comprises: the 10 Steps Guidance, 10 Steps: Board Level Responsibility, 10 Steps Executive Companion, a guide to Reducing Risk in 10 Critical Areas, a new paper entitled “Common Cyber Attacks: Reducing The Impact” and various accompanying infographics.
- Revised guidance from the ICO: The UK Information Commissioner’s Office has revised its high-level guide to data protection. The section on Information Security (Principle 7) provides a non-exhaustive list of the kinds of technical and organisational measures which may be appropriate, and provides links to the ICO’s various detailed guidance documents on security-related compliance including its IT security top tips, and guidance on asset disposal, encryption, BYOD and the use of cloud-based storage.
- Updates to the Cyber Essentials Scheme: BIS launched its Cyber Essentials Scheme in June 2014. This sets out 12 technical requirements that organisations must meet to achieve certification. Since October, Cyber Essentials certification has become a requirement for suppliers bidding for certain government contracts involving sensitive and/or personal information. In January BIS published an updated version of its Assurance Framework.
- CESG Information Risk Management Guidance: CESG published (in November 2014) and updated (March 2015) its guidance for public sector organisations “to support people making decisions in technology projects which have a security impact”. It comprises a detailed guide to Managing Information Risk, a set of Principles of Effective Risk Management, a detailed Analysis of Risk Management Methodologies and three case studies based on procurement by The Cabinet Office, CERT UK and CESG.
- Guidance for cyber exports: TechUK (the technology trade association), in association with the Institute of Human Rights and Business, has published government-backed guidelines entitled “Assessing Cyber Security Export Risks” for UK cybersecurity companies. The guidance aims to maximise profits from such exports, whilst protecting companies from reputational damage, protecting national security and ensuring the products are not used in human rights abuses. Culture Minister Ed Vaizey has described the guide as a “valuable and accessible tool which will help British companies respond with confidence to opportunities in the global cybersecurity market”.
EU standards and benchmarks
ENISA, the European Network and Information Security Agency, has published the following new reports and guidance:
- The Secure ICT Procurement in Electronic Communications report, which highlights the growing dependency of providers on ICT products and outsourced services, and the Security Guide for ICT Procurement, which maps security risks to a full framework of security requirements that can be used as a tool during procurement.
- A “Good Practice Guide on Training Methodologies”, to provide guidance to organisations on how to create, organise and conduct training for information security and CERT professionals. This new guidance is intended to be coupled with the ENISA CERT training material.
- “Privacy and Data Protection by Design – from policy to engineering”, detailing leading privacy design strategies. The report aims to marry the EU’s existing legal framework with expected technological implementation measures in the field. Targeted at data protection authorities, policy makers, regulators, engineers and researchers, the report suggests producing further incentives for adopting privacy by design measures and new standards for electronic communication.
- “Cloud Certification Schemes Metaframework” (CCSM). The CCSM is an online tool for businesses to ensure security when purchasing cloud storage services. It sets out 27 security objectives that a cloud scheme provider must meet in order to be certified, and Udo Helmbrecht, the Executive Director of ENISA, hopes that this will greatly simplify the procurement of cloud services.
- ISO 27018 Code of practice for protection of PII in public clouds: where are we now? Since its release in August 2014, ISO 27018 has become well established as the “go to” standard for helping cloud customers comply with their privacy obligations when using public cloud services. Privacy regulators recognise and refer to the new standard, and cloud customers are using it in their RFP requirements. This post on Olswang’s telecoms blog looks at how the new ISO standard is gaining recognition from privacy regulators and cloud customers around the world.