Difference between revisions of "Security Standards and Certifications"
(14 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
+ | I have been lead implementer of the main security and privacy standards several times each. These can seem intimidating, but properly used they improve security overall, and can help a business run more smoothly. |
||
− | I have perforce been involved in implementing the main security and privacy standards several times each. It is useful to see how CompSci and Information Management meet the hard reality of industry practices and cultures. These are not beautiful instruments, but properly used they improve security overall. The reason that ISO9001 is relevant to security practices is because it is a Management System that operates in the same way as ISO27001 and GDPR compliance management systems, whether it is implemented in paper, a pile of Word documents or anything else. CompSci professionals need to be familiar with these sorts of systems because they are a repeating pattern found throughout the field of software quality and safety. Hopefully we can do better than a pile of documents, but it is the process that matters. |
||
+ | |||
+ | From a pragmatic, business point of view: |
||
+ | |||
+ | : These standards are about writing down the actual rules of your business relevant to security and privacy, and then writing down how you improve these rules, and recording how well they work. All businesses can benefit from challenging their working habits and practices, and since privacy and security touch most parts of a business, this is an opportunity to review how the business works before something goes wrong. |
||
+ | |||
+ | From the point of view of both Computer Science and Information Management Science: |
||
+ | |||
+ | : These standards all involve creating a [[:wikipedia:Records management|Records Management System]] that tracks information, and they all work after the style of the [[:wikipedia:ISO9001|ISO9001 Quality Standards]] in the sense that a documented process is called a "control", and once a control exists it can be measured and improved. This is a repeating pattern found throughout the field of software quality and safety, and helps give security professionals a place to start when something does go wrong. |
||
= The Big Standards = |
= The Big Standards = |
||
− | ISO27001/9001 and GDPR have a dreadful reputation in industry because one or more of the following |
+ | ISO27001/9001 and GDPR have a dreadful reputation in industry. I think that is mostly unfair, and is because one or more of the following mistakes are made: |
− | # In the 21st century, realistically we must implement a Records Management System (RMS), ie, every document is tracked in a database through its lifecycle until deletion, and |
+ | # ''Unwilling to modernise''. In the 21st century, realistically we must implement a Records Management System (RMS), ie, every document is tracked in a database through its lifecycle until deletion. Many companies do not look at their data like this, and so they are shocked when ISO/GDPR standards require them to behave in a modern way. It is possible to do this without spending money on a very expensive and proprietary Document Management System. |
− | # The social impact needs to be a top priority. |
+ | # ''Refuse to involve staff''. The social impact of information systems needs to be a top priority, otherwise they won't be used effectively! Many companies ignore their staff and then they incorrectly blame 27k/GDPR for a poor result. Instead, an organisation's staff need to feel that they are in charge of the RMS, with personal responsibility for the parts most relevant to them, and that it is easy to use. If staff feel like pointless rules have been imposed on how they do their daily work then the system will fail, and security is likely to get worse not better. |
− | # |
+ | # ''Insufficient funding''. Despite the risks involved, security is often underfunded. As well as organisation-wide involvement with change authority delegated all the way down, there needs to be specific funding in the form of staff time to support the culture change that is required to introduce a RMS. It will save the organisation much more money in the long run. |
⚫ | These big standards relate to the fields of [[:wikipedia:Information Management|Information Management]] and Cybersecurity. Information Management is about defining the data and documents the RMS is to be managing. An early step is often to discover all the data the organisation is responsible for, usually a shock to the IT department. |
||
− | Next the core matter of these standards needs to be addressed, which is about applying two more disciplines, Information Management and Cybersecurity: |
||
− | # quality measurement (ISO9001), or security implementation (ISO27001), or privacy compliance (GDPR), all of which are both academic and applied topics, and |
||
⚫ | |||
− | A |
+ | A good understanding of Open Source software stacks really helps too, from sniffing out data repositories and potential security issues, to implementing RMS software and processes that are as lightweight as possible. |
= Cyber Essentials = |
= Cyber Essentials = |
||
− | In addition to |
+ | In addition to the above standards, the UK government responded to the EU Cybersecurity initiatives by setting up the National Cyber Security Centre (NCSC). The NCSC is effectively a subsidiary of GCHQ the UK's electronics spying organisation, and billions have been given to NCSC from various government budgets. It is NCSC who responded to the EU Network Information Security Directive with a standard assessment and framework, and then a few years later came up with the idea of the CyberSecurity certifications. A company called IASME has been given the UK-wide monopoly on issuing the CyberEssentials certifications, and I have asked NCSC if they will reconsider this decision. |
− | |||
= IASME Certifications = |
= IASME Certifications = |
||
+ | I do '''not''' endorse IASME in any way, but I acknowledge they have raised security awareness in the UK and that is a good thing. |
||
− | CyberEssentials seems to be effective as intended to improve the UK's average security, but the positioning is confusing to say the least. |
||
+ | |||
+ | The CyberEssentials certification is useful for an organisation that has never thought about security before, although the marketing is quite confusing. |
||
'''IASME Cyber Essentials - £300 Entry Level''' |
'''IASME Cyber Essentials - £300 Entry Level''' |
||
− | + | The commercial explanation is that this is ''Easy to do, and addresses 80% of external attacks. Also required by Government departments''. |
|
* Self-assessed, with sanity checking by a contractor to IASME |
* Self-assessed, with sanity checking by a contractor to IASME |
||
Line 43: | Line 50: | ||
'''IASME Governance - £400 Top Level''' |
'''IASME Governance - £400 Top Level''' |
||
− | + | The commercial explanation is that this is ''an excellent alternative to ISO 27001 for small and medium sized organisations''. |
|
* Certification includes Cyber Essentials for free |
* Certification includes Cyber Essentials for free |
Latest revision as of 23:09, 8 March 2023
I have been lead implementer of the main security and privacy standards several times each. These can seem intimidating, but properly used they improve security overall, and can help a business run more smoothly.
From a pragmatic, business point of view:
- These standards are about writing down the actual rules of your business relevant to security and privacy, and then writing down how you improve these rules, and recording how well they work. All businesses can benefit from challenging their working habits and practices, and since privacy and security touch most parts of a business, this is an opportunity to review how the business works before something goes wrong.
From the point of view of both Computer Science and Information Management Science:
- These standards all involve creating a Records Management System that tracks information, and they all work after the style of the ISO9001 Quality Standards in the sense that a documented process is called a "control", and once a control exists it can be measured and improved. This is a repeating pattern found throughout the field of software quality and safety, and helps give security professionals a place to start when something does go wrong.
The Big Standards
ISO27001/9001 and GDPR have a dreadful reputation in industry. I think that is mostly unfair, and is because one or more of the following mistakes are made:
- Unwilling to modernise. In the 21st century, realistically we must implement a Records Management System (RMS), ie, every document is tracked in a database through its lifecycle until deletion. Many companies do not look at their data like this, and so they are shocked when ISO/GDPR standards require them to behave in a modern way. It is possible to do this without spending money on a very expensive and proprietary Document Management System.
- Refuse to involve staff. The social impact of information systems needs to be a top priority, otherwise they won't be used effectively! Many companies ignore their staff and then they incorrectly blame 27k/GDPR for a poor result. Instead, an organisation's staff need to feel that they are in charge of the RMS, with personal responsibility for the parts most relevant to them, and that it is easy to use. If staff feel like pointless rules have been imposed on how they do their daily work then the system will fail, and security is likely to get worse not better.
- Insufficient funding. Despite the risks involved, security is often underfunded. As well as organisation-wide involvement with change authority delegated all the way down, there needs to be specific funding in the form of staff time to support the culture change that is required to introduce a RMS. It will save the organisation much more money in the long run.
These big standards relate to the fields of Information Management and Cybersecurity. Information Management is about defining the data and documents the RMS is to be managing. An early step is often to discover all the data the organisation is responsible for, usually a shock to the IT department.
A good understanding of Open Source software stacks really helps too, from sniffing out data repositories and potential security issues, to implementing RMS software and processes that are as lightweight as possible.
Cyber Essentials
In addition to the above standards, the UK government responded to the EU Cybersecurity initiatives by setting up the National Cyber Security Centre (NCSC). The NCSC is effectively a subsidiary of GCHQ the UK's electronics spying organisation, and billions have been given to NCSC from various government budgets. It is NCSC who responded to the EU Network Information Security Directive with a standard assessment and framework, and then a few years later came up with the idea of the CyberSecurity certifications. A company called IASME has been given the UK-wide monopoly on issuing the CyberEssentials certifications, and I have asked NCSC if they will reconsider this decision.
IASME Certifications
I do not endorse IASME in any way, but I acknowledge they have raised security awareness in the UK and that is a good thing.
The CyberEssentials certification is useful for an organisation that has never thought about security before, although the marketing is quite confusing.
IASME Cyber Essentials - £300 Entry Level
The commercial explanation is that this is Easy to do, and addresses 80% of external attacks. Also required by Government departments.
- Self-assessed, with sanity checking by a contractor to IASME
- Cyber Essentials Plus is an external review of the same thing, rather than self-assessed
Diagram source code here: IASME Cyber Essentials
IASME Governance - £400 Top Level
The commercial explanation is that this is an excellent alternative to ISO 27001 for small and medium sized organisations.
- Certification includes Cyber Essentials for free
- Includes all of the 5 Cyber Essentials technical topics, and adds topics related to people and processes from other standards as per diagram
- Will take a lot longer and cost the company a lot more effort than Cyber Essentials
- The assessed version involves a site visit, but covers the same questions
Diagram source code here: IASME Governance