Part 2 of 3. This is the second in a series of blog articles where Ascentor discuss some of the recent UK Government Information Assurance changes – and what they mean for you.
Written to be concise, they explain the essential “need to know” facts and implications with links to read further should you wish.
In part 2 of the series, we look at:
- Cyber Essentials
- The Cyber Security Model (CSM) of the Defence Cyber Protection Partnership (DCPP)
- The new PSN Compliance process
Cyber Essentials
What’s changed?
Cyber Essentials is seen as the “organisational standard” for all UK businesses and organisations that want to mitigate basic cyber risks. Launched in June 2014 and developed by government and industry, it offers two relatively low-cost levels of certification – Cyber Essentials and Cyber Essentials Plus.
The Government’s summary paper on the Cyber Essentials scheme describes it as: “A set of controls which, when properly implemented, will provide organisations with basic protection from the most prevalent forms of threats coming from the Internet. In particular, it focuses on threats which require low levels of attacker skill, and which are widely available online.”
Cyber Essentials concentrates on five key controls relating to the CESG “10 Steps to Cyber Security” published in 2012. These controls were identified by the government as those that, if they had been in place, would have stopped the majority of the successful cyber attacks over the last few years.
Why do you need to know?
It’s not just the large organisations that are at risk from cyber attack. If you are in business and online, you are a target. Implementing Cyber Essentials will provide measures to reduce your vulnerability to a cyber security attack.
There’s also a potential legal requirement. If you are an organisation bidding for public sector contracts involving access to government information, Cyber Essentials certification has in some cases been mandatory since 1 October 2014.
But, you can also steal a march on your competition. Cyber Essentials certification will demonstrate your cyber resilience and level of compliance to customers.
A word of caution. While Cyber Essentials is a positive step towards better security, it is important to recognise that certification is only an audit and “snapshot” of your cyber security capability – at the time of assessment. Consequently, it shouldn’t be seen as evidence of ongoing cyber security effectiveness.
How do you get further information?
The Ascentor website has a dedicated Cyber Essentials page with details of the different levels and how we can support you to ensure you meet this security management standard.
Cyber Streetwise: The Government’s official Cyber Essentials site.
The Cyber Security Model of the Defence Cyber Protection Partnership
What’s changed?
The Defence Cyber Protection Partnership (DCPP), which comprises MOD representatives, 13 prime suppliers and defence industry trade bodies, was established in 2012 with the aim of improving cyber security maturity for the community.
Developed by the DCPP, the Cyber Security Model (CSM) is a three-stage risk assessment process that will enable government procurers to mandate proportionate cyber security standards from suppliers, appropriate to the level required for a particular contract.
It is based upon the Cyber Essentials scheme but with some additional control requirements for defence purposes.
The planned rollout of CSM in August of 2016 has been delayed. We expect the Cyber Security Model (CSM) to be rolled out to large suppliers from January 2017 – with a full launch by April. FATS (a commercial MOD framework) will also go live in April and it is expected to include the contractual aspects of CSM.
Why do you need to know?
The importance of the security of defence information in the supply chain cannot be overstated. Even if you feel your current security measures are robust, you will always be at risk of a cyber attack if you operate in the defence industry. In this climate, CSM has been designed to strengthen supplier cyber security.
If your company supports MOD contracts, then you will be required to comply with the CSM – it is intended that it will be mandatory for all new defence contracts. There has not been a statement on whether the CSM will be applied to legacy systems, but it is believed to be unlikely.
Importantly, the CSM will be applied to individual defence contracts; how that will work with companies that support multiple contracts has yet to be determined. Also, for companies that have List X status already, it is not yet clear what other evidence they will need to provide. We will keep you posted on all these matters as they develop.
Ascentor strongly recommends that defence industry companies prepare for CSM by gaining certification to Cyber Essentials in advance – so they are ready to respond to the new contract requirements. In our experience, the larger the business, the more complex and time-consuming the process. Don’t delay and put future contracts at risk.
How do you get further information?
The CSM, in particular the three-stage assessment process, is covered in more depth in our blog article “The Cyber Security Model for the Defence Industries – why it matters and how to be ready”.
MOD Overview: DCPP and cyber security controls
The new PSN compliance process
What’s changed?
The previous PSN compliance process was widely viewed as far too expensive, time-consuming and complex to implement. Nor was it considered to be particularly accommodating to initiatives designed to cut costs in public sector organisations.
That’s why the Government Digital Service (GDS) made a commitment at the end of 2014 to make the new PSN compliance process simpler, clearer and faster. Accordingly, the new process could be described as more to do with what you have done – rather than how you did it. It went live at the end of May 2015.
There are now five steps to completing your application for a PSN connection compliance certificate. This new process applies whether you are renewing or applying for your first PSN connection.
Why do you need to know?
The new compliance process reflects the changing security needs of public sector organisations. To achieve compliance, you must meet Government Information Assurance (IA) requirements, which have been designed to provide an achievable and sensible baseline for security.
Along with these IA requirements, you’ll also need to make a number of commitments about how you’ll ensure the ongoing security of the PSN.
How do you get further information?
The Ascentor blog carries an article “Understanding the new, more simplified PSN compliance” explaining the five steps for completing a PSN connection certificate in more depth and looks at other changes you should be aware of.
Government guidance: How to apply for a Public Services Network (PSN) connection compliance certificate.
For more information:
If you have found this article interesting, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how our consultants could advise on any aspect of cyber security, please contact Dave James at Ascentor.