New cyber security certification scheme proposed

9 April 2014

As we mentioned in previous posts, cyber security challenges are growing for all kinds of businesses in a variety of different industries. However, those that are involved in the movement of money or payments technology may be most at risk due to the lucrative information they possess.

Cyber criminals are becoming more sophisticated in their attacks, but thankfully, so is cyber security among major firms, as chief information security officers and the boards of major businesses are aware of the pressing need to improve security where possible.

With this in mind, criminals are looking to explore other avenues when it comes to making money through cyber attacks, with many targeting smaller start-up businesses. This is a particular concern in the financial technology sector, as more and more new businesses are launching in this area, to meet the demands of larger businesses.

Recent research has indicated that these small start-up businesses are at risk of attack, and now the government in the UK has proposed a new certification process that will see those that comply with best practice receive a certificate acknowledging the robustness of their cyber security measures.

When outlining what it has called the "assurance framework", a government statement read: "The cyber essentials scheme identifies the security controls that organisations must have in place within their enterprise IT to have any confidence that they are mitigating the risk from internet-based threats that use 'commodity' capabilities, i.e. capabilities that are freely available on the internet.

"Organisations are free to implement the requirements within their organisation as appropriate. However, some organisations may want independent assurance that they have fully implemented the controls, whilst others may need to demonstrate to a third party as part of a business transaction, such as contracting," it said.

So how does the framework, which is being consulted on until May 7th, work?

There is expected to be a three-tiered process in place for the assessment and certification of businesses' cyber security measures, with the rigour of the assessments increasing at each level. Each organisation in question will be able to select the level that suits its own needs and the needs of the other companies and individuals who may be dealing with it on a daily basis.

As well as consulting on the launch of the new certification process, the government has issued new guidelines aimed at start-up firms to ensure these companies meet the minimum requirements for cyber security, which includes the installation of boundary firewalls, internet gateways or equivalent network devices.

The guidelines also set out minimum technical standards that businesses should attain when installing firewall protections or equivalent measures to defend their data and systems from a cyber attack. These include setting strong administrative passwords, and putting controls and supervision in place over any decision to let specific traffic flow through a firewall.

It is hoped these new guidelines and the certification process will encourage smaller start-up firms to improve their security measures with the aim of achieving certification.

Businesses have also been advised on how to manage the information they own or are responsible for, their applications and their hardware. The guidelines state that "all user account creation should be subject to a provisioning and approval process" and that only a "limited number of authorised individuals" should be given special access privileges. The guidelines also said that details about special access accounts should be "documented, kept in a secure location and reviewed on a regular basis".

The advice also stresses the importance of installing and updating software, as unpatched vulnerabilities are easily exploited by cyber criminals. The guidelines state: "Software should be kept up-to-date. As a minimum: software running on computers and network devices that are connected to or capable of connecting to the internet should be licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available."
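The three sets of minimum requirements summarised above (firewall configuration with a strong administrative password and supervised traffic decisions; privileged accounts that are approved, documented and regularly reviewed; and supported, patched software on internet-connected systems) can be turned into a simple self-assessment check. The script below is an added example and is not part of the article or of the government scheme; its data model, the password-strength rule, the 90-day review window and the sample inventory are all assumptions chosen for illustration, not figures from the guidance.

```python
"""Self-assessment of baseline controls of the kind the article describes.
Data model, thresholds and sample data are constructed for this example."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed list of default credentials that should never survive installation.
COMMON_DEFAULTS = {"admin", "password", "changeme", "firewall", "123456"}


@dataclass
class FirewallRule:
    direction: str            # "inbound" or "outbound"
    action: str               # "allow" or "deny"
    port: Optional[int]       # None means "any port" (catch-all rule)
    approved_by: Optional[str] = None  # who signed off the exception


@dataclass
class Firewall:
    admin_password: str
    rules: list               # evaluated in order; the last inbound rule should be deny-any


@dataclass
class PrivilegedAccount:
    name: str
    approver: Optional[str]   # None = created without an approval record
    documented: bool          # details held in the secure register
    last_reviewed: date


@dataclass
class Software:
    name: str
    internet_facing: bool
    vendor_supported: bool    # vendor still issues security patches
    patched: bool             # known patches applied


def password_is_strong(pw: str, min_len: int = 12) -> bool:
    """Assumed policy: length, three of four character classes, not a known default."""
    if len(pw) < min_len or pw.lower() in COMMON_DEFAULTS:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(re.search(p, pw) is not None for p in classes) >= 3


def firewall_findings(fw: Firewall) -> list:
    findings = []
    if not password_is_strong(fw.admin_password):
        findings.append("firewall: administrative password fails strength policy")
    inbound = [r for r in fw.rules if r.direction == "inbound"]
    # Default-deny: the final inbound rule must deny traffic on any port.
    if not inbound or inbound[-1].action != "deny" or inbound[-1].port is not None:
        findings.append("firewall: no default-deny rule for inbound traffic")
    # Every inbound exception needs a recorded decision by someone accountable.
    for r in inbound:
        if r.action == "allow" and r.port is not None and not r.approved_by:
            findings.append(f"firewall: inbound allow on port {r.port} has no recorded approval")
    return findings


def account_findings(accounts: list, today: date, max_review_days: int = 90) -> list:
    findings = []
    for a in accounts:
        if not a.approver:
            findings.append(f"account {a.name}: created without an approval record")
        if not a.documented:
            findings.append(f"account {a.name}: not documented in the secure register")
        if (today - a.last_reviewed).days > max_review_days:
            findings.append(f"account {a.name}: last review older than {max_review_days} days")
    return findings


def software_findings(software: list) -> list:
    findings = []
    for s in software:
        if not s.internet_facing:
            continue  # the minimum requirement quoted above covers internet-connected software
        if not s.vendor_supported:
            findings.append(f"software {s.name}: unsupported, no security patches available")
        elif not s.patched:
            findings.append(f"software {s.name}: security patches not applied")
    return findings


def assess(fw: Firewall, accounts: list, software: list, today: date) -> dict:
    """Returns findings per control area; an empty list means the area passes."""
    return {
        "firewall": firewall_findings(fw),
        "accounts": account_findings(accounts, today),
        "software": software_findings(software),
    }


# Constructed sample inventory with deliberate gaps so each check fires at least once.
SAMPLE_FIREWALL = Firewall(
    admin_password="admin",
    rules=[
        FirewallRule("inbound", "allow", 443, approved_by="CHG-0001"),
        FirewallRule("inbound", "allow", 3389),            # no approval recorded
        FirewallRule("inbound", "deny", None),             # default deny
        FirewallRule("outbound", "allow", None),
    ],
)
SAMPLE_ACCOUNTS = [
    PrivilegedAccount("ops-admin", "cto", True, date(2014, 3, 1)),
    PrivilegedAccount("legacy-root", None, False, date(2013, 6, 1)),
]
SAMPLE_SOFTWARE = [
    Software("web server", True, True, True),
    Software("old cms", True, False, False),
    Software("internal tool", False, False, False),
]
SAMPLE_TODAY = date(2014, 4, 9)

if __name__ == "__main__":
    for area, items in assess(SAMPLE_FIREWALL, SAMPLE_ACCOUNTS, SAMPLE_SOFTWARE, SAMPLE_TODAY).items():
        print(area, "PASS" if not items else "")
        for item in items:
            print("  -", item)
```

Running it against the sample inventory reports a weak firewall password and an unapproved inbound rule, three problems with the legacy privileged account, and one unsupported internet-facing application; the internal tool is skipped because the quoted minimum requirement only covers software on internet-connected systems. Replacing the sample data with an export from a real inventory would be the natural next step for a start-up preparing for the lowest tier of assessment.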

By Tony Aynsley
