Is Cyber resilient?

The recent announcement from Matt Hancock that Cyber Essentials will become important for the supply chains of public and private sector organisations is a logical evolution of the Cyber strategy.  However, is it really making the United Kingdom resilient to Cyber attack?

What’s wrong with existing compliance?

It’s often said that ISO/IEC-27001:2013 has failed to provide sufficient protection against Cyber attacks. But this misses the purpose of the standard, which is merely to identify the information assets and impacts, assess the risks, select controls to manage the risks and ensure that the controls operate as designed.  The fact that ISO/IEC-27001:2013 has evolved from the N3 network into the National Cyber Security Centre’s (NCSC) standard for assessing telecommunications services shows that the public sector still values this standard.

The failings of a scheme to deliver a standard

Cyber Essentials, however, is merely a scheme that allows accreditation bodies to create frameworks against which certification bodies assess.

It can be said that Cyber Essentials looks at technical controls that are not mandated by any other management standard. We wouldn’t consider a strong door with BSI-rated locks that’s only locked once a year to be sufficient security. So why would we accept a small set of technical controls tested annually as a benchmark?  Without the context of the risk that the technical controls are managing, it’s unlikely that protection will be delivered.

Ironically, it was this lack of risk management that led to the UK Government implementing BS-7799 Part 2 (which became ISO/IEC-27001:2005 – the predecessor for the current standard that is deemed to be lacking).

Information risk is crucial for digital

Again, the UK Government recognised the need for a consistent approach to risk management and governance when it implemented the HM Treasury Orange Book on Management of Risk.

The forthcoming General Data Protection Regulation (GDPR), which came into force on 24th May 2016 and becomes law on 25th May 2018, places a great deal of focus on understanding the information acquired by organisations.  This is much more than mere security of information, and requires some organisations to employ dedicated Data Protection Officers.

An equal amount of focus is being placed on the fine regime under the GDPR, but recent case law (Dr Deer vs Oxford University – http://www.hendersonchambers.co.uk/wp-content/uploads/2017/03/Data-Protection-Alerter-on-Deer-v-University-of-Oxford.pdf) shows that failing to understand the location of information can have significant costs to an organisation even without a breach (in this case circa £116,000 from having to search data repositories such as email servers).

This case is significant in that it highlights the issue of unknown datasets holding information (also referred to as ‘Dark Data’), which is estimated to constitute 54% of data protected and managed by organisations.  With parliamentary reports showing that over 90% of data circulating on the internet has been created in the past few years, this problem will only grow.

Understanding information

If we take the existing legal frameworks, we find there are between circa 45 and 55 baseline legal obligations that are likely to apply to public and private sector organisations, which aggregate into understanding the following areas:

  • the location of the data (how do you know where it is being stored, or if it has been deleted?) 
  • the format of the information (what is the asset?) 
  • the disclosure requirements (can you share it, and what are the requirements?) 
  • the retrieval requirements (the retention period and can you access the information throughout that period?) 
  • the handling requirements (does it need encryption, where can it be accessed from, what right of audit is there?) 

Using existing guidance

The wealth of guidance from the UK Government in assuring Cloud services (https://www.innopsis.org/wp-content/uploads/2017/03/Is-the-Cloud-forecast-becoming-clearer-final.pdf) provides the structure to build on assurance which, when combined with the requirements of existing legislation, provides the framework to manage risk and make Cyber Essentials operate more effectively. 

If you know why the control is there, it is more likely to be operated effectively.  Indeed, it could be said that better use of guidance could lead to less information being stored, thereby reducing both cost and exposure to the vulnerabilities exploited by technical means.  This is a more logical description of Cyber – the threats are consistent, as are the impacts. It’s only the vulnerabilities that allow a threat to cause an impact that differ.

Delivering the Cyber strategy through risk management

There is a danger that we ask too much of the supply chains of the private and public sectors by requiring them to implement disparate compliance requirements that do not build on one another.

We learned more than 17 years ago that technical controls without a management framework to govern their implementation are sub-optimal. So why not combine the two approaches with an approach to information management that shows that it is impossible to scope an organisation’s legal compliance obligations for information management, and that these exceed the impending GDPR?

This approach will not only result in cost savings for those organisations as they prepare to embrace disruptive technologies such as Software-Defined Networking (SDN), but will also reduce their exposure to Cyber attack and allow them to implement controls that are relevant to their organisation.