9 September 2014: Cyber Security Model
0 likes5,743 views
The document discusses the cyber threat landscape and the Defence Cyber Protection Partnership (DCPP) which aims to improve cyber security in the defence sector through information sharing, defining security standards, and raising supply chain awareness. The DCPP uses a proportionate security model involving risk assessment and assurance questionnaires to determine appropriate security requirements for contracts. Pilot programs are being used to test the process and identify any issues. The document provides resources for further cyber security advice, including government websites and industry associations.
9 September 2014: Cyber Security Model
- 1. Defence Cyber Protection Partnership Industry Information Security Liaison, Ministry of Defence CDE Innovation Network event 9 September 2014, London
- 2. Context of the cyber threat “…the greatest transfer of wealth in history." General Alexander, Director of the NSA “We ignore the cyber threat at our peril…. 93% of large corporations… have had a cyber security breach in the past year.” Francis Maude, Minister for the Cabinet Office The cyber threat is real and growing Detica Report 2011 Cyber attack is a ‘Tier 1’ threat to the nation National Security Strategy, 2010 2 Longest time period within which APT1 has continued to access a victim’s network: 4 years, 10 months Mandiant report 2013 Largest APT1 data theft from a single organisation: 6.5 Terabytes over 10 months Mandiant report 2013
- 3. It won’t happen to me My systems are already protected It’s the CIO’s problem It’s the customer’s problem I’m too small to be a target I can’t afford it It’s the Prime’s problem Do I need to worry? 3
- 4. The latest trends in cyber security Information Security Breaches Survey (2014) – trends Small businesses (< 50 staff) % of respondents that had a breach Average number of breaches in year Cost of worst breach of the year Overall cost of security breaches 2013 2014 £65k £115k “The average cost of the worst breach suffered has gone up significantly particularly for small businesses – it’s nearly doubled over the last year.”
- 6. DCPP ENABLING WORK Information sharing • Reducing adversaries’ window of opportunity by: • Timely sharing of information across industry and government – some of it sensitive Measurements and standards • Providing clarity in terms of where we are and where we need to get to by: • Defining the proportionate and practical cyber security standards required in all defence contracts Supply chain awareness • Raising awareness of cyber security by: • Briefing a common message and surveying readiness
- 7. DCPP proportionate security model Proportionate security within the procurement lifecycle The principles involved are: To mandate cyber security risk management To bring about a cultural change – top-down, policy change (primarily affecting all new contracts placed) To risk-assess all supplies (including services) so that a proportionate level of security is routinely requested by acquirers To ensure that all contracts include clear, appropriate cyber security requirements To ensure that acquirers assess their aggregated risk through active monitoring of their own and suppliers’ on-going compliance to contracted security requirements
- 8. Outline Risk assessment • Used by buyer, pre- contract • 26 questions • Output is indicative requirement ‘low’, ‘medium’, ‘high’ for supply, organisation and supply chain Assurance questionnaire • Used by buyer to specify detail expectations • Used by supplier to respond • 97 questions in 14 categories control ‘red flag’ degree of rigour
- 10. Pilots - criteria Confirm the process is simple to follow and identify any areas of concern Confirm the questions are clear and easily understood and identify any areas of concern Confirm hypothesis that CES is subset of DCPP (identify gaps/overlaps) Understand level of effort and appropriate skills Understand whether responses are naturally organisational or project specific
- 11. WHERE CAN I GO FOR FURTHER ADVICE? For general cyber security advice and guidance: Check your organisation and your IT service provider(s) against HMG’s ‘10 Steps to Cyber Security’ (search www.cesg.gov.uk) BIS Cyber Essentials Scheme (search www.gov.uk) Ask your information security staff to join Cyber Security Information Sharing Partnership (CiSP) to access threat information (www.cisp.org.uk) Access Technology Strategy Board’s voucher scheme for funding to improve cyber security (Search https://vouchers.innovateuk.org, closing date: 23 July 2014) CERT UK (www.cert.gov.uk) CPNI (www.cpni.gov.uk/advice/cyber) CESG (www.cesg.gov.uk) For defence sector specific advice Ask for advice: ADS, techUK, Primes, trade associations