In TrustedSec’s Advisory division, one question we often hear is, “how can we prioritize our information security efforts?” It is not surprising, as there are many things organizations can and often should be doing from an information security perspective, but there are only so many hours in the day, and so many dollars in the budget.
Without fully understanding an organization’s operations and risk tolerance, it is challenging to determine what security controls and program elements are of the highest priority. With that being said, there are tons of standards and frameworks that provide guidance around these components. Many of these can be overwhelming for an organization wondering where to start implementing an information security program.
On June 25, the Cabinet Office in the UK released a new Minimum Cyber Security Standard. At first glance, it is hard to miss the similarities to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). As with the NIST CSF, the UK Minimum Cyber Security Standard does a good job of addressing the foundations for cyber security in a simple, straightforward fashion. While there are certain elements and requirements that are obviously specific to organizations in the UK (“Use the UK Public Sector DNS Service to resolve internet DNS queries”, for example), the Standard is a good base for any organization to reference. For organizations looking to begin a cyber security program, or those assessing where their program currently stands, the UK Minimum Cyber Security Standard may be a great benchmark. The Standard may also serve as a schematic to create a program aimed at aligning with the NIST CSF without embarking on an overwhelming undertaking.
The applicability of this standard to non-UK organizations will be up to each organization to investigate and determine, but organizations that have operations in the UK should definitely become familiar with it. That being said, the Minimum Cyber Security Standard is broken out into the following areas, which should look very familiar to anyone who has seen the NIST CSF:
- Departments shall put in place appropriate cyber security governance processes.
- Departments shall identify and catalogue sensitive information they hold.
- Departments shall identify and catalogue the key operational services they provide.
- The need for users to access sensitive information or key operational services shall be understood and continually managed.
- Access to sensitive information and key operational services shall only be provided to identified, authenticated and authorised users or systems.
- Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities.
- Highly privileged accounts should not be vulnerable to common cyber-attacks.
- Departments shall take steps to detect common cyber-attacks.
- Departments shall have a defined, planned and tested response to cyber security incidents that impact sensitive information or key operational services.
- Departments shall have well defined and tested processes in place to ensure the continuity of key operational services in the event of failure or compromise.
Outside of its direct applicability to organizations that fall under this standard, it appears to be a standard that could be used by those looking to start on a path to increasing the maturity of their security program. Where the NIST CSF can seem daunting, the elements in this standard may be a good way for organizations to incorporate some elements of the NIST CSF in an achievable way. This is a good reminder that good guidance can come from places where you may not have been looking.
Author: Alex Hamerstone
Alex Hamerstone, QSA, ISO 27001, CISSP is the Practice Lead for the Governance, Risk, and Compliance division at TrustedSec. TrustedSec’s motto “Information Security Made Simple” holds true to Alex’s beliefs and his ability to deliver effective solutions to our customers. Known as a passionate advocate for the clients he works with and also the security industry, Alex uses his consulting experience to work with all sizes of organizations in all verticals, performing assessments, audits, and security program development.