UK STANDARDS & FRAMEWORKS
Given the threats to an organisation's information, it is essential that organisations of every size implement controls that are effective but workable: their information must be kept secure without hindering employees' ability to do their jobs.
The first step for any organisation is a comprehensive risk assessment of its information assets. Synovum recommends following either ISO/IEC 27005:2011 or NIST SP 800-30 Rev. 1.
Following the initial risk assessment, an organisation should implement controls (logical/technical, physical and administrative) to mitigate the identified risks, except where it has decided to accept, avoid or transfer (for example through insurance) a particular risk instead.
The UK-based standards and frameworks described below can, if implemented properly, provide a reasonable degree of confidence that the most common attack vectors have been mitigated. They are a baseline, not a guarantee: controls should still be checked against the organisation's own risk assessment.
In June 2014, the UK government launched the 'Cyber Essentials' scheme. The scheme, which is aimed at small and medium-sized enterprises (SMEs), complements the earlier guidance documents '10 Steps to Cyber Security' and the 'Small Businesses: what you need to know about Cyber Security' guide published in 2013.
The scheme focuses on five control areas that businesses of all types and sizes must address as the essential foundation of their cyber security: boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management.
Organisations can choose between the basic Cyber Essentials certification, which is based on a self-assessment questionnaire, and 'Cyber Essentials Plus', in which an external certifying body carries out additional technical tests to verify that the controls are actually in place.
In addition to Cyber Essentials, the IASME organisation created the IASME Governance standard, with which organisations can demonstrate compliance and against which they can be certified. Compliance with or certification to the IASME Governance standard can also serve as a stepping stone to establishing and operating an information security management system (ISMS), which in turn leads towards compliance with, or certification against, the international ISO/IEC 27001 standard.
Originally published in 2012, the UK government's '10 Steps to Cyber Security' sets out guidance that organisations can follow to protect their information and systems against common cyber threats.
As with the CIS Critical Security Controls (the 'CIS 20'), implementing these 10 steps goes a long way towards mitigating the risk from the most common cyber attack vectors.
Working with the standards and frameworks above, Synovum can help your organisation become 'cyber-secure' and protect its information assets through a comprehensive review and implementation of the necessary controls. Please contact us for more information.
“Andy has proved himself to be an invaluable asset when I was working in the Government arena. His depth of experience, together with a pragmatic, no-nonsense approach, would help any business deliver what it should - a high level of service, with integrity and ultimately, focussed results for both the client and the business.
I have worked with Andy over many months and found him to be a true professional, and an individual I would be happy to collaborate with again, knowing his professional standards, ethics and an ability to get the job done. In short, one of those rare people who delivers.”
Mark Rogers, FCO Services