Gartner challenges business to focus on security projects that drive the most business value and reduce the most risk, and not to over analyse security choices trying to achieve perfect protection in a constantly shifting security landscape. Regulating the conduct of 60 000 businesses in the finance sector, the Financial Conduct Authority (FCA) strongly advise that Cyber risks pose one of the biggest threats to financial services firms and the onus is then to be aware of the threat, put measures in place to defend themselves effectively, and therefore enable financial organisations to respond proportionately to cyber events.
To execute on this advice, an organisation needs to understand the options available to them and then simply follow a four-step progression plan to ensure Cyber security, they may also choose to outsource to a Cyber Security partner. The initial step would be to assess the status of security of the organisation by undertaking an audit.
Three types of Cyber Security Frameworks
Three Cyber Security control frameworks
So let’s understand a little more about each step’s compliance requirements:
Cyber Essentials Scheme:
The simplest framework to achieve is Cyber Essentials. This framework protects data and programs on networks, computers, servers, and other elements of IT infrastructure. An initial audit will help ascertain whether the organisation has the necessary measures in place to defend itself against the most common forms of Cyber-attacks.
Attaining certification in either Cyber Essentials or Cyber Essentials Plus requires that five key controls are implemented:
- Secure internet connection
- Secure devices and software
- Controlled access to data and services
- Protection from viruses and other malware
- Up-to-date devices and software
Cyber Essentials is a self-assessment option that assures protection against a wide variety of the most common cyber attacks.
Cyber Essentials PLUS involves an external vulnerability scan – a certification body will visit the organisation and perform a test that is in line with the Cyber Essentials requirements. In addition to mitigation against phishing and most types of hacking, UK Cyber Essentials is a partial means of supporting the ISO 27001 certification.
CIS Control framework:
The CIS Critical Security Controls framework encompasses all the elements of Cyber Essentials plus a prescriptive, prioritised set of cybersecurity best practices and defensive actions that can help prevent the most pervasive and dangerous attacks, and support compliance in a multi-framework era. These actionable best practices for cyber defence are formulated by a group of IT experts using the information gathered from actual attacks and their effective defences. The CIS Controls provide specific guidance and a clear pathway for organisations to achieve the goals and objectives described by multiple legal, regulatory, and policy frameworks.
Some questions to consider:
- Do we know what is connected to our systems and networks?
- Do we know what software is running (or trying to run) on our systems and networks?
- Are we continuously managing our systems using “known good” configurations?
- Are we continuously looking for and managing “known bad” software?
- Do we minimise risk by tracking the people who can bypass, change, or over-ride our security defences?
- Are our people aware of the most common threats to our business or mission, and what they can do about them?
CIS Control Framework Pillars
ISO 27001 provides requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO 27000 family. Its best-practice approach helps organisations manage their information security by addressing people and processes as well as technology.
Software development companies, cloud companies, and IT support companies implement ISO 27001 to assure clients with certification that they can safeguard their information in the best possible way. The basic goal of ISO 27001 is to protect three aspects of information:
- Confidentiality: only the authorised persons have the right to access information
- Integrity: only the authorised persons can change the information
- Availability: the information must be accessible to authorised persons whenever it is needed.
Because ISO 27001 certification demonstrates robust security practices, certified organisations find that their client relationships and retention is improved by this investment. In addition to improving how an organisation is perceived by clients, suppliers and other stakeholders, ISO 27001 certification benefits an organisation’s internal systems, structure and day to day processes and procedures. It provides a clear framework that addresses information security risks, management processes and key operational elements such as how IT systems must be kept up to date, anti-virus protection, data storage and back-ups, IT change management, and event logging.
Where to get Cyber Security guidance
The Financial Conduct Authority FCA promotes Cyber security as a shared responsibility, offering to take a co-operative approach to address this threat, working with Government, other regulators, nationally and internationally on this important issue. The National Cyber Security Centre provides guidance on how financial organisations can work to protect their information and systems and the FCA provide a list of publications on how to respond to a cyber attack.
Infinity Group, are a leading Cyber Security Company in London with clients in Finance, Retail, Care and Professional Services, gives organisations access to strategic and vetted advice. Our IT Consultants provide a wide range of Cyber Security Consultancy ranging from GDPR Audits, IT Security Strategy, Business IT Solutions, Disaster Recovery and Backup solutions and the Cyber Essentials Certification.