Eastern Illinois University Cerious Cybernetics Corp Research Paper



# Word count (3,900-4,200) excluding title page, table of contents, references, appendices.


-> The nature of the brief/commission and the topic should be briefly outlined and defined alongside details of how the paper is organised


*Main body

1) Critical discussion of the scope for risk management in an organisational context

2) Implement a set of policies and procedures for research & development for Cerious Cybernetics Corp.

-> use ISMS policies

-> Identification and evaluation of the principles and concepts of information assurance and risk management.

3) Sample service improvement plan (SIP) pertaining to the scenario given (needs to be on ransomware).

4) Risk management

- assessing risk

- current risks, vulnerabilities, threats, hazards

- risk management in action

- Assurance and certification

- Future Risk and Assurance Challenges

5) How to mitigate a ransomware attack in an IT company

-> which ISMS controls are to be implemented for ransomware in Cerious Cybernetics Corp to prevent it from cyber attacks

-> Use ISO standards and their quality measures


*Acronyms and abbreviations

*References(use Harvard referencing style)



Note: please make sure you use ISO, ISMS, IG (Information Governance)

The ISO standards need to be more specific: we need to say what types of standards there are, and out of those we need to suggest some standards and explain why we suggest them.


Information Assurance and Risk Management White Paper
A Critical Analysis Report

In this white paper the author draws the attention of the executive to the personal and organisational risks they face, how information assurance and risk management best practices can guard against ever-increasing cyber security threats, and how Cerious Cybernetics Corp can create opportunities with customers and suppliers who value independent reassurance.

Page 1

Contents

Introduction 3
Executive Summary 4
News Headlines 5
Challenges for CCC 5
Using Standards 6
Selecting Standards 7
Implementing Standards Frameworks 8
Risk Management 9
Assessing Risk 10
Current Risks, Vulnerabilities, Threats, and Hazards 10
Risk Management in Action – An Example 11
Assurance and Certification 11
Organisational Structure Considerations 12
Ransomware and Service Improvement Plan (SIP) 12
Future Risk and Assurance Challenges 15
Summary 15
Acronyms and Abbreviations 16
References 16
Resources 21
Appendix A Assumptions 22
Appendix B Legislation, Regulation, Contractual 23
Appendix C Policies 27
Appendix D Assets 33
Appendix E Statement of Applicability 34
Appendix F Supporting Standards 41
Appendix G ISO27k_ISMS_implementation_and_certification_process_v4.pdf 44
Appendix H Common Threats and Hazards 45
Appendix I Mapping ISO to NIST 48
Appendix J Future Risks 49
Appendix K Organisational Structure 53

Introduction

‘Cerious Cybernetics Corp.’ (CCC) is a private cybernetics research and development company that requires fit-for-purpose, robust and comprehensive information assurance and risk management policies, procedures and practices. These will ensure successful information assurance for the business through cutting-edge and relevant risk assessment, treatment and management, both in the current climate and for future provision.

CCC is competing in the research and development market space which, according to Gould and Bender (2015), has increased in value from USD $63.5BN in 2015 to USD $71.8BN in 2017 according to the DoD (2016). In the UK around half of the £410 million Ministry of Defence (MOD) science and technology (S&T) research is outsourced to the commercial market by the Defence Science and Technology Laboratory (DSTL), and the DSTL (2014/2016) advises that this will be increasingly outsourced.

Cerious Cybernetics Corp. has its headquarters in London, England, employing a total of 60 full-time staff and, at any given time, upwards of 20 agency staff. The headquarters is the location for the core business functions such as Human Resources, Finance, IT, data governance, legal resources and service level agreements (including those for customers and with the agencies supplying staff). CCC currently has a number of ongoing research and development contracts, including with the UK Ministry of Defence and the United States Department of Defense.

Following extensive critical analysis and research of their expected operational needs at present and over the next five years, they have requested a white paper to act as a detailed and critical guide that will inform the Cerious Cybernetics Corp. executive about information assurance (from a combined managerial, organisational and technical perspective) and risk management (from an organisational context). The white paper will aid Cerious Cybernetics Corp.’s understanding and, ultimately, its ability to decide which policies and procedures need developing and implementing within the organisation, and also ensure any associated resource implications can be successfully supported.

The Cerious Cybernetics Corp. executive has further requested a sample Service Improvement Plan (SIP) within the white paper as part of the wider review; specifically, they want the detailed explanation to focus on the scenario of ransomware. Cerious Cybernetics Corp. is keen to establish improvements or initiatives which will ensure their IT function, including infrastructure and data, is kept secure.

Executive Summary

The executive of Cerious Cybernetics Corp (CCC) can be held personally liable for failings of their fiduciary duties (Companies Act 2006, Chapter 2 General Duties of Directors).
Through a misfeasance claim directors can be held personally liable for the diminished value of company assets, such as the loss of Intellectual Property, or for the failure of the company (The Insolvency Service 2011). Both are possible outcomes from a serious data breach or a loss of critical systems, which could see customers lose confidence in the company and the value of assets reduced. It is expedient that directors and company officers fund and direct measures to secure information and manage risks, thereby demonstrating reasonable care, skill, and diligence.

Calder (2009) explains there are four main reasons CCC need to implement Information Assurance (IA) and Risk Management (RM):

Strategic – requirements within contracts and rules governing the nature of business relationships imposed by the government, and a decision by the board to better manage information security for the business.

Customer and Supplier confidence – by demonstrating to customers and suppliers, through the use of independent assurance and certification, that the company has adopted and implemented information security best practice, CCC can gain a competitive advantage in the market. According to MacLennan (2014), assurance implies confidence that the organisation has done the right thing.

Regulatory – to meet statutory and regulatory requirements which are common to all business and also specific to this market sector.

Internal effectiveness – to make the organisation more efficient and effective when managing information, and in managing the risk and impact to the business of any event or data loss.

By providing the right level of assurance CCC can secure new opportunities in a growing market (Gould and Bender 2015, DSTL 2014/2016). Without suitable levels of assurance new opportunities will be difficult to secure, market share for CCC will reduce, and organisational efficiency will not be realised. CCC’s customers and suppliers prefer to trade with companies who can demonstrate IA and RM, as it is to their benefit too.

The following white paper informs the executive of the responsibilities defined within law, applicable regulations and contractual obligations; the challenges and considerations the organisation faces today and into the future; and the concepts and methods for implementing IA and RM. A ransomware case study is used as an example to demonstrate how IA and RM can serve the needs of the organisation and its stakeholders.

News Headlines

How would the Board of Cerious Cybernetic Corp. like the news headlines to read?

Cerious Cybernetics Corp hit by ransomware attack and cannot recover critical data systems!
Cerious Cybernetics Corp annual revenue exceeds expectations
Cerious Cybernetics Corp hacked and Intellectual Property stolen!
Cerious Cybernetics Corp wins lucrative new product development contract
Cerious Cybernetics Corp loses core customers
Cerious Cybernetics Corp wins award for fastest growing company in its sector, director attributes business growth to information assurance
Cerious Cybernetics Corp required to pay a record settlement for loss of DoD Intellectual Property
Information assurance and risk management pays dividends for Cerious Cybernetics Corp

Challenges for CCC

CCC must comply with contractual obligations, laws, and regulations in the two principal countries where it operates: the UK, where it maintains its headquarters and develops for the Ministry of Defence (MoD), and the USA, where it develops under contract to the Department of Defense (DoD). As a business CCC must comply with regular business law and practices. Additionally, CCC operates in the military research and development (R&D) arena, which brings an additional level of governance, regulation and contractual obligations that are itemised in Appendix B Legislation, Regulation, Contractual.
The key asset for the business is the Intellectual Property (IP). Given that this IP is military in nature, the information governance standards imposed are extremely rigorous. Not only does CCC handle its own IP but it is entrusted with IP from other organisations. Complying with the standards imposed and being able to demonstrate that CCC can be entrusted with sensitive information is critical to the success of the organisation. The executive will want to achieve the information security goals of Confidentiality, Integrity, Availability, Authenticity, and Non-Repudiation so that CCC can lower risks, operate efficiently, sell more, and service customer requirements.

With only two main customers, the risk associated with failing to comply with the customers’ obligations could cause a fatal loss of business.

Calder (2009) states there are four key objectives for implementing Information Assurance and Risk Management.

Strategic – requirements within contracts and rules governing the nature of business relationships imposed by the government, and a decision by the board to better manage information security for the business.

Customer and Supplier confidence – by demonstrating to customers and suppliers, through the use of independent assurance and certification, that the company has adopted and implemented information security best practice, CCC can gain a competitive advantage in the market.

Regulatory – to meet statutory and regulatory requirements which are common to all business and also specific to this market sector.

Internal effectiveness – to make the organisation more efficient and effective when managing information, and in managing the risk and impact to the business of any event or data loss.

These four objectives intersect in the following diagram from Calder (2009), showing that an Information Security Management System (ISMS) can satisfy all four objectives.

Figure 1 Four Objectives of an Information Security Management System (ISMS)

Using Standards

Protecting and strengthening the business through Information Security (IS) should be a priority, but implementing IS is not about buying technology solutions. The ISO/IEC 27002:2017 standards document states that “Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions”. Adopting a widely recognised framework helps guide the identification, assessment, selection, and implementation of controls. Customers and suppliers want to see a common framework so that measurability and assurance are achieved without prohibitive cost and effort to validate the organisation’s security posture.

Information Assurance (IA), says MacLennan (2014), is the confidence that the organisation has done the right thing based on standards and independent verification. An organisation may have the best or worst information management practices, but without a common measurement scale against which to judge their effectiveness it would be difficult and expensive to seek assurance of other organisations or to provide assurance of CCC. NIST (2014, Framework for Improving Critical Infrastructure Cybersecurity) says that standards frameworks are a mechanism and taxonomy by which adherence can be measured.

The BSI’s Small business guide to standards lists ten things standards can do for CCC:

1. Improve your goods and services
2. Prove your commitment to quality
3. Obtain new and keep existing customers
4. Sharpen your business processes
5. Cut costs – and drive profitability
6. Help ensure regulatory compliance
7. Give your firm a competitive edge
8. Help you to innovate
9. Support your export efforts
10. Strengthen your marketing pitch

Standards will help with innovation as they allow a common vocabulary for communications between organisations.
You can describe the products and services you offer in marketable terms, with increased acceptance and adoption from customers as it removes the perception that products and services are proprietary. Standards frameworks enable increased speed in bringing products to market and allow patents to be drawn up. Standards deliver competitive advantage (BSI Innovation The role of standards, no date).

Selecting Standards

There are three important standards frameworks that CCC should adopt, as they are used and specified by the two main customers. These are widely adopted, not proprietary, and offer assurance from an independent body. The three standards which provide independent assurance and certification are:

- ISO 27001
- Cyber Essentials Plus
- NIST 800-53

The various ISO/IEC standards, supported by British Standards, are designed to interoperate and can be developed by the organisation over time. The ISO 27001 standard is increasingly being demanded by customers and therefore increasingly being implemented by suppliers. Certifications for ISO 27001 increased by 18% in 2011 (Calder 2013) and 20% in 2015 (ISO 2015). This standard integrates with ISO 31000 & 31010 Risk Management, ISO 22301 Business Continuity, ISO/IEC 20000 Service Management, and ISO 9001 Quality Management. It is supported by ISO 30301 Records Management, BS 7858:2012 People and HR Security, ISO/IEC TR 18044:2004 Incident Management, BS ISO 28000 Supply Chain, and BS 13500 Organisational Governance. Further information about these and others can be found in Appendix F Supporting Standards.

Under the Defence Cyber Protection Partnership (DCPP) Guidance Update (2016), CCC must at a minimum obtain a Cyber Essentials certificate to undertake new contracts with the MoD. According to the Cyber Security Model (CSM), each new MoD contract awarded will be subject to a risk assessment and, due to the sensitive information that CCC handles, a cyber-risk level of “High” might be expected. This would require CCC to obtain Cyber Essentials Plus, which requires independent testing of systems. The DCPP’s CSM also requires CCC to complete a supplier assurance questionnaire to demonstrate, via an auditable self-assessment, that information security will be provided against the level of risk assessed. Furthermore, according to Insley of Defence Commercial (2017), it will be necessary in the future to apply the same degree of rigour to subcontracts from CCC to its suppliers.

Cyber Essentials is a somewhat narrowly focused framework that is limited to boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. Cyber Essentials is required in addition to ISO 27001.

NIST is another applicable standard as it is adopted by the DoD. The DoD in 2014 stated in Instruction Number 8510.01, policy statement b, that the DoD would adopt a Risk Management Framework (RMF) consistent with the principles of NIST Special Publication (SP) 800-37, and in policy statement d, that systems categorisation must be done in accordance with Committee on National Security Systems Instruction (CNSSI) 1253, and that security controls from NIST SP 800-53 be implemented and assessed by the procedures detailed in NIST SP 800-53A. This approach supersedes the previously used DoD Information Assurance Certification and Accreditation Process (DIACAP). The DoD, reports Marzigliano (2014), is taking a more risk-focused approach using NIST for assessment & authorisation, risk assessment, risk management and dynamic continuous monitoring practices. As explained in NIST SP 800-37, the RMF aims to provide continuous monitoring of risk so that near real-time risk management can be achieved while allowing senior leadership to make cost-effective risk decisions for IT systems. It also promotes security by design so that architectural design and development deliver secure systems, links information risk management processes to organisational risk management processes, and defines responsibility and accountability for the security controls that have been deployed.

NIST has the advantage over ISO in that it is freely available, whereas ISO standards documents are paid for per document. Cyber Essentials is also freely available. All require a fee for assurance and certification activities. Given that the ISO 27000 family of standards is one of the most widely recognised standards for information security, complements and aligns to NIST (as seen in SP 800-171 Appendix D), and covers the Cyber Essentials framework’s elements, it is suitable for CCC to adopt it as a master framework while a majority of the business comes from the MoD. More information on applicable standards can be found in Appendix F Supporting Standards.

Implementing Standards Frameworks

The stages for implementing the ISO 27000 security framework are summarised as a diagram in Appendix G ISO27k_ISMS_implementation_and_certification_process_v4.pdf. The early stages require senior management to provide strategy, direction, resources and support to help define the scope. The next stage is to create an inventory or catalogue of assets. Assets are the things that need to be protected, and for CCC this includes information systems, data, and intellectual property. Once the assets are known they can be assessed for risks, followed by a decision on which risks need to be addressed. These decisions are recorded in a Statement of Applicability (SOA); see an example SOA in Appendix E Statement of Applicability. Risks that need to be addressed are added to a Risk Treatment Plan (RTP) that defines how and when the risk will be addressed, after which an ISMS programme is initiated to implement the ISMS. Guidance on implementation is available in ISO/IEC 27003.
After implementing the ISMS programme, the ISMS will need to be maintained through regular risk reviews and decisions about enhancements to controls, often referred to as continuous improvement, and driven by a Service Improvement Plan (SIP).

Risk Management

The removal of information security risk, and the assurance that the risks have been addressed, is the purpose of the information security frameworks. Risks need to be identified, recorded and assessed. The outcome of a risk management cycle should be an understanding of the identified risks in terms of likelihood and consequences. This allows prioritisation within a risk treatment plan (RTP). Guidance is available in BS ISO/IEC 27005:2011 for information security risk assessment. It is a focused subset that references the BS ISO 31000 risk management principles and guidelines document, and BS EN 31010:2010 risk assessment techniques.

The stages according to BS ISO/IEC 27005:2011 are:

Context establishment: Setting the scope to be a set of systems, a department, or organisation wide.

Risk assessment: This includes
- Identification of the risks: A good starting point would be to look at the controls in ISO 27002 and understand, for each asset, which controls are missing. Other risk identification may come from audit reports or management consulting reports.
- Analysis of the risk: What is the likelihood (the expected frequency or probability) and what are the consequences (in terms of disruption or financial impact)?
- Risk evaluation: How important is the risk? Some risks may not need treatment; others will be a priority. Risks need to be recorded on the risk register.

Risk treatment: The treatment options are a) reduce or modify the risk, b) accept or retain the risk, c) avoid the risk, d) share the risk (insurance or subcontracting to a third party). If a control is needed, consider the treatment options in terms of ISO 27000, Cyber Essentials, and NIST controls. These controls probably cover a majority of the security controls required, but others may also be needed.

Risk acceptance: The risk treatment plan (RTP), accepted risks, and residual risks require managerial approval that the organisational needs will be met.

Risk communication: Information is shared between decision makers and stakeholders so that it is clear what decisions have been taken and why.

Risk monitoring and review: The introduction of new assets, changes in threats or vulnerabilities, changes to the impact and consequences, and security incidents are amongst the reasons for monitoring and reviewing.

Maturity models typically rate maturity from 0 (non-existent), through 1 (the least coverage for the control), up to 5 (where the control is fully matured). Review the risk mitigation controls against a maturity model such as BS ISO/IEC 15504 (or COBIT, CMMi, OPM3, SSE-CMM etc.). An IG maturity model is published by ARMA (2013) and this provides a clear example of how a maturity model works. The maturity assessment score will guide improvements using the Plan-Do-Check-Act or similar service improvement plan (SIP).

Assessing Risk

Risks can have both positive and negative influences on the company. As the executive you will be asked to fund and prioritise activities based on risk, and you may have to justify your decision in the future. How do you know if the assessment of risk is correct? Would another person make the same assessment with the same information? Gigerenzer (2014) advocates absolute simplicity when calculating risk, using intuition and rules of thumb. How, though, can the risk decision be defended? Freund and Jones (2015) present a risk assessment technique named FAIR (Factor Analysis of Information Risk) which presents risks in an intuitive way which can be consumed without needing a great deal of technical understanding about the risk.
The advantage of FAIR is that it presents risk information in a concise manner which is easily interpreted through the use of FAIR risk factors. The decisions based on this information are defensible as they give sufficient information to understand how a risk was evaluated, compared to, say, a High, Medium, Low assessment based on a hunch or gut feeling. FAIR shows the assessed minimum, maximum and most likely occurrences along with the threat capability and threat community influencing factors. This information, when combined with the value assessment of your assets, will guide decisions for funding and prioritisation.

Risk assessment using FAIR has these phases, as summarised by Dixon (2009):

Phase I: Identify the assets; identify the community of threats.
Phase II: Evaluate the Loss Event Frequency through estimation of the threat frequency, threat capability, and strength of controls.
Phase III: Evaluate the Probable Loss Magnitude as a factor of monetary value for worst-case loss and estimated probable loss.
Phase IV: Derive and articulate risk.

Although more quantitative than other methods, FAIR doesn’t address risk appetite or tolerance and does not address risk treatment, so it is only useful at an early stage of risk assessment according to Sutton (2014). It would be appropriate for the results from FAIR to feed into BS ISO/IEC 27005:2011 and redefine the context, reviewing the risk assessment and creating a risk treatment plan. Risk identification can be asset led but may also consider cultural, political, legal, regulatory, financial, economic and competition factors at national and international level. Risk identification may also incorporate other sources such as management consultant or audit reports. Other methodologies are available, such as those offered by the Department of Homeland Security, NIST, Octave, and CMS; however CCC should use BS ISO/IEC 27005:2011 for planning risk assessment, treatment, and monitoring as it will align more easily with ISO 27001, and use FAIR where quantitative assessment is required.

Current Risks, Vulnerabilities, Threats, and Hazards

As summarised in Appendix H Common Threats and Hazards, many organisations face the same information security issues. CCC also has military-sector-specific concerns: regulations and controls, contractual stipulations, Intellectual Property loss, espionage, advanced persistent threats (APT), information sharing, social media, country- and customer-specific variations, access and use of data outside of the office, use of personal devices, background checking of staff, and more.

The identified legislation, regulation and contractual considerations are listed in Appendix B Legislation, Regulation, Contractual. These drivers, along with an assessment of current controls, have guided the list of policies that will need to be written. The suggested policies are listed in Appendix C Policies along with a suggested prioritisation based on the perceived risk.

Risk Management in Action – An Example

In List X (Cabinet Office, 2014) a number of compliance requirements are stated, including inspection, organisational structures, visitor restrictions, supervision requirements, contingency plans, marketing and sales, export controls, asset protection, and home working. Looking specifically at the risk of home-working data loss through theft, a concise risk management review is presented.

Identification: List X stipulates controls on home working to protect sensitive data.

Analysis: Burglaries in Hertfordshire boroughs, according to Police.UK (2017), are between four and six per thousand people. Assuming an average dwelling occupancy of 2 people, that increases the odds to 12 per 1000, or a 1 in 83 chance (1000/12 = 83) that any house would be burgled, leading to the loss of equipment and data. The average cost of data loss and incident handling has been valued at £50,000. The loss of sensitive data would necessitate an incident reporting process and consume a lot of time and effort. Data may be recovered even when encrypted.

Evaluation: There is a contractual obligation to adhere to List X. The ramifications of uncontrolled data loss are significant, possibly leading to prosecution or fines and loss of contracts, so this needs to be a priority. Record the risk on the risk register.

Risk Treatment: There is currently no policy for remote or home working. A policy would address when it is appropriate to work from home and what authorisation is required, what classification of data is allowed to be accessed, and how assets should be secured when not in use. Printed documentation and R&D models need to be stored securely when not in use, in locking furniture or a safe. IT equipment will use strong encryption and strong passwords, and be enabled to auto-lock after an agreed time. After multiple failed login attempts the device will be configured to auto-wipe. A risk assessment at the house may be required. Training and guidance are required as per List X requirements. An incident reporting process and an incidents register are needed, with actions and defined responsibilities.

Communications: All staff will be made aware of the home-working policy and controls.

Monitoring and Evaluation: A record of all incidents related to home working will be kept so that a future assessment can be made more accurately. The policies and authorisations for home working will be reviewed quarterly.
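The home-working example above, quantified FAIR-style (Phases I to IV from the Assessing Risk section), as an added example that is not part of the white paper. It uses the paper's figures (4-6 burglaries per 1,000 people, dwelling occupancy of 2, £50,000 per incident); the number of home workers, the loss range around £50,000 and the effectiveness of the encryption/auto-wipe treatment are labelled assumptions.

```python
"""FAIR-style quantification of the home-working data-loss risk.

Added example, not from the white paper. Figures taken from the paper: burglary
rate of 4-6 per 1,000 people (Police.UK 2017), average dwelling occupancy of 2,
and £50,000 average cost of a data-loss incident. Staff numbers, loss bounds and
control effectiveness are constructed assumptions for illustration only.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """FAIR works with calibrated minimum / most likely / maximum estimates."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular(low, high, mode) stands in for a PERT distribution.
        return rng.triangular(self.low, self.high, self.likely)


def household_burglary_rate(per_person_rate: float, occupancy: float) -> float:
    """Scale a per-person burglary rate to a dwelling, as the paper does:
    6 per 1,000 people with two occupants becomes 12 per 1,000 dwellings."""
    return per_person_rate * occupancy


def one_in(probability: float) -> int:
    """Express a probability as '1 in N' for the risk register (0.012 -> 83)."""
    return round(1 / probability)


@dataclass(frozen=True)
class FairScenario:
    """Phase I-III inputs: asset population, threat event frequency (burglary per
    dwelling per year), vulnerability (chance a stolen device yields usable
    data) and loss magnitude per event."""
    home_workers: int
    burglary_rate: Estimate
    vulnerability: Estimate
    loss_gbp: Estimate

    def point_estimate(self) -> float:
        """Annualised loss from the 'most likely' values:
        loss event frequency = workers x TEF x vulnerability."""
        lef = self.home_workers * self.burglary_rate.likely * self.vulnerability.likely
        return lef * self.loss_gbp.likely

    def simulate(self, trials: int = 20_000, seed: int = 1) -> dict:
        """Phase IV: Monte Carlo over the ranges to derive an annual loss distribution."""
        rng = random.Random(seed)
        losses = []
        for _ in range(trials):
            tef = self.burglary_rate.sample(rng)
            vuln = self.vulnerability.sample(rng)
            # Each home worker is an independent chance of a loss event this year.
            events = sum(1 for _ in range(self.home_workers) if rng.random() < tef * vuln)
            losses.append(sum(self.loss_gbp.sample(rng) for _ in range(events)))
        losses.sort()
        return {
            "mean": statistics.fmean(losses),
            "p90": losses[int(0.9 * trials)],
            "max": losses[-1],
            "p_any_loss": sum(1 for loss in losses if loss > 0) / trials,
        }


# Threat event frequency per dwelling: 4-6 per 1,000 people scaled by occupancy 2
# (paper figures); the most likely value is taken as the midpoint (assumption).
BURGLARY = Estimate(low=household_burglary_rate(0.004, 2),
                    likely=household_burglary_rate(0.005, 2),
                    high=household_burglary_rate(0.006, 2))
# £50,000 average from the paper; the bounds around it are assumptions.
LOSS_GBP = Estimate(low=20_000, likely=50_000, high=150_000)

# Current state: no home-working policy, devices not reliably encrypted (assumption).
UNTREATED = FairScenario(20, BURGLARY, Estimate(0.7, 0.9, 1.0), LOSS_GBP)
# Treated: strong encryption, auto-lock and auto-wipe per the RTP. The paper notes
# data "may be recovered even when encrypted", so vulnerability is reduced, not zero.
TREATED = FairScenario(20, BURGLARY, Estimate(0.02, 0.1, 0.2), LOSS_GBP)


def risk_reduction(before: FairScenario, after: FairScenario) -> float:
    """Fraction of annualised loss removed by the treatment (point estimates)."""
    return 1 - after.point_estimate() / before.point_estimate()


if __name__ == "__main__":
    print(f"Household burglary odds: 1 in {one_in(BURGLARY.high)}")
    for name, scenario in (("untreated", UNTREATED), ("treated", TREATED)):
        print(name, f"point £{scenario.point_estimate():,.0f}", scenario.simulate())
    print(f"Risk reduction from treatment: {risk_reduction(UNTREATED, TREATED):.0%}")
```

The simulated distribution (mean, p90, worst case, chance of any loss in a year) is what feeds the risk register and the RTP discussion under BS ISO/IEC 27005:2011, where FAIR itself stops.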
Assurance and Certification

With the controls in place, measurements defined with guidance from ISO/IEC 27004, and Business Continuity Planning (BCP) using ISO 22301 having taken place, CCC should be able to satisfy an internal audit and a compliance review. Now is the time for an independent assessment. The British Assessment Bureau (2014) states that ISO 27001 certification can be achieved in 10-12 weeks and the certificate lasts three years subject to at least annual reassessment. A Stage 1 audit assesses the current capabilities and defines the actions to complete before a Stage 2 audit, which is the verification audit after which certification can be recommended. This assessment is performed by an external accredited auditor who will decide if certification is the correct outcome.

Instead of traditional Certification and Accreditation (C&A), NIST SP 800-37 specifies six steps to apply the Risk Management Framework (RMF). In order, these steps are: categorise information systems, select security controls, implement security controls, assess security controls, authorise information systems, and monitor security controls. Independent assessment occurs but the final decision for certification remains with the system owner.

Cyber Essentials assurance can be achieved in two stages: Cyber Essentials, which is largely self-assessed then verified independently, and Cyber Essentials Plus, which has a higher degree of assurance through independent vulnerability assessment. Recertification is required once a year, or more frequently if demanded by a commercial requirement.

According to the MoD (2016), Defence Assurance and Information Security (DIAS) is applicable to List X companies and requires that the Defence Assurance Risk Tool (DART) be used to register MoD industry partners who connect to MoD information systems or process data marked as OFFICIAL-SENSITIVE or higher.
The Risk Management Accreditation Document Set (RMADS) captures the threats, vulnerabilities, assets, risks and mitigations, and allows an accreditor to assess the risk posture and residual risk of a company. Depending on the method and information accessed, CCC could be out of scope, so further investigation is required to confirm applicability.
Organisational Structure Considerations
Although not directly applicable to CCC, the HMG (2014) guidance document Security Policy Framework gives an indication of the sorts of organisational structures for security that may be imposed in contract terms. Indeed, List X, as set out by the Cabinet Office (2014), requires that a board-level appointee responsible for security and a Security Controller responsible for day-to-day security activities be in post. Both must be British nationals. Given the size of CCC, this could be the same person. It is necessary to fully understand the role and responsibilities of the Security Controller, such as reporting security incidents involving MoD data to the MoD Defence Industry Warning, Advice and Reporting Point (WARP) in the Joint Security Co-ordination Centre (JSyCC). A Clearance Contact is required to perform clearance of staff. This is especially important for CCC given the reliance on agency staff. It is also a requirement of List X to manage who has access to information, from visitors to staff. The IT Installation Security Officer is to take responsibility for networks and IT delivery, and it is not envisaged that a Crypto Custodian is required at this time. Organisational recommendations are made in more detail in Appendix K Organisational Structure.
Ransomware and Service Improvement Plan (SIP)
Ransomware is a threat that involves downloading malware on to the host device after triggering a macro delivered by a phishing or spam attack, or after visiting a website.
The malware encrypts files before uploading a key and displaying a message asking for money to decrypt the files. Blackmail is another variation, where the threat of leaking documents into the public domain provides the motivation for payment of the ransom. See Figure 2 Ransomware: how hackers take your data hostage [AFP]. Recent variations such as NotPetya are considered destructive-ware, as the mechanism for encryption key recovery was not functional, as reported by Mathews (2017), leaving no option to pay a ransom to recover files. Kaspersky (2016) says that 1 in 5 who paid never got their files back. This would limit recovery to restoration of files from backups, or possibly to invoking business continuity and disaster recovery plans. Crowe (2017) reports that ransomware variants grew by a factor of 30 in 2016, while Kaspersky (2016) claims an 11x increase by September 2016, with Crowe saying 71 percent of companies attacked experienced a successful ransomware incident. Only 33 percent (Kaspersky) to 58 percent (Crowe) of companies were able to fully recover data from backups. Others were forced to pay or suffer the loss of data. The psychology of ransomware demands that victims act quickly, says Hadlington (2017). However, this should not be a time to panic but to follow a well-defined checklist of activities to isolate and then recover systems. Kaspersky (2016) claims 18 percent of companies in the defence sector were attacked, so CCC needs to be prepared.
Figure 2 Ransomware: how hackers take your data hostage [AFP]
Malware typically exploits either software or configuration vulnerabilities on workstations, laptops and servers, but can also impact mobile devices and tablets. The NCSC (2016, 2017) provides up-to-date guidance on ransomware prevention, and support during an incident through the Cyber Incident Response (CIR) scheme. The cost from downtime and recovery can be very large even for a small business.
Reid (2016) provides calculation examples suggesting that CCC could be impacted by more than £12,000 per day in lost staff productivity alone. Add to this the cost of recovery, any penalties for late delivery on contracts, reputation damage and lost business opportunities, and the impact could be crippling for the business. There are a number of considerations in preventing and responding to ransomware; the focus should be on prevention rather than response, but both are needed. According to Kenyon (2016), ransomware needs access to a command and control (C&C) centre throughout the attack, from downloading the malware after the initial embedded macro infects the system through to publishing the encryption key to the C&C. Street et al. (2015) say that malware communications traffic is often blended into other normal traffic such as HTTP web traffic. Disruption and prevention through patching, configuration, web URL filtering, DNS and firewalls are simple yet effective controls.
Restoration from backups is time consuming, but this is only part of the recovery. The environment must be isolated to prevent further infection, the infection source and method must be identified so that steps can be taken to prevent recurrence, and other infected systems must be identified. Kenyon (2016) summarised a set of actions for preparation, prevention, response and recovery, as listed below.
Be Prepared:
- Assume an incident will occur and be ready
- Get agreement that business operations can be stopped to deal with a serious incident
- Define what response options would be pursued and under what circumstances (pay, recover, accept the loss)
- Define the roles and responsibilities and action playbooks for when an incident occurs
Ransomware Prevention:
- Limit the size of shared networks and shared data storage areas
- Use RPZ (Response Policy Zones) for Domain Name Services
- Use a good spam filter
- Scan all incoming emails for malware
- Set up monitoring and alerting that triggers on a change to a static ‘honeypot’ file
- Perform regular patching of applications, operating systems and network devices
- Isolate fragile or sensitive information systems
- Train users to recognise and deal with phishing and spam, and how to report incidents
- Train staff to look for anything out of the ordinary
- Encourage incident reporting
- Report risks and threats, costs, incidents, preventions, and other information to the management of the organisation
Incident Management:
- Manage the incident, follow the checklists
- Communicate between teams and individuals. Keep communicating
- Conduct checkpoint meetings and management update meetings
Post Incident:
- Keep the incident checklist and use it for lessons learned and for continuous improvement to controls and processes
Considering the needs of CCC, it would be wise to add additional controls such as policies, processes and procedures, security by design, firewalls, web URL filtering, Intrusion Prevention and Detection Systems (IPDS), forensics capabilities, business continuity and disaster recovery planning, document marking, penetration testing, incident reporting to the JSyCC WARP in accordance with ISN 2014/02, removable media controls, and software execution controls. A number of ISO 27001 controls are identified in the ransomware column of Appendix E Statement of Applicability.
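The ‘honeypot’ file control in the prevention list above can be implemented with a small monitor that baselines a few decoy files on the shared storage and raises an alert when one is modified, deleted or renamed. The following is an added example written for this page, not Kenyon’s (2016) or CCC’s own tooling; the canary file names, the list of suspect suffixes and the alert format are assumptions.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# File name endings that some ransomware families append to files they have
# encrypted. Constructed, illustrative list for this example; a deployment
# would maintain its own and treat any unexpected rename as suspicious.
SUSPECT_SUFFIXES = (".locked", ".encrypted", ".crypt", ".enc")


@dataclass
class Alert:
    severity: str  # "high" for signs of encryption or destruction
    path: str      # the canary file the alert relates to
    reason: str    # explanation for the incident checklist / SIEM


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large canaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(canaries: list[Path]) -> dict[str, str]:
    """Record the hash of every canary once, when the decoys are planted.

    Keep the baseline somewhere the monitored share cannot reach (for example
    on the monitoring host), otherwise it can be altered along with the canaries.
    """
    return {str(p): sha256_of(p) for p in canaries}


def check_canaries(baseline: dict[str, str]) -> list[Alert]:
    """Compare each canary with its baseline and report tampering.

    A canary is never legitimately written to, so any change, deletion or
    rename is worth raising. Alerts come back in baseline order.
    """
    alerts = []
    for path_str, expected_hash in baseline.items():
        canary = Path(path_str)
        if not canary.exists():
            # Look for the same name with a ransomware-style suffix appended,
            # which is how many families rename files as they encrypt them.
            siblings = canary.parent.iterdir() if canary.parent.is_dir() else []
            renamed = [s for s in siblings
                       if s.name.startswith(canary.name) and s.suffix in SUSPECT_SUFFIXES]
            if renamed:
                alerts.append(Alert("high", path_str,
                                    f"renamed to {renamed[0].name}: likely encryption in progress"))
            else:
                alerts.append(Alert("high", path_str, "canary deleted"))
        elif sha256_of(canary) != expected_hash:
            alerts.append(Alert("high", path_str, "content changed: possible encryption"))
    return alerts


def should_isolate(alerts: list[Alert]) -> bool:
    """Decision hook for the 'isolate then recover' step of the checklist:
    any high severity canary alert is enough to isolate the share."""
    return any(alert.severity == "high" for alert in alerts)


def demo() -> list[Alert]:
    """Plant two canaries in a temporary share, baseline them, simulate
    tampering (a plain overwrite and a rename; nothing is encrypted) and
    return the alerts the monitor raises."""
    share = Path(tempfile.mkdtemp(prefix="canary_demo_")) / "shared"
    share.mkdir()
    # Names chosen to sort first and last so a sequential encryptor hits them early.
    canaries = [share / "000_budget_2017.xlsx", share / "zzz_contract_list.docx"]
    for canary in canaries:
        canary.write_bytes(b"constructed decoy content for " + canary.name.encode())
    baseline = take_baseline(canaries)
    assert check_canaries(baseline) == []  # untouched canaries raise nothing

    canaries[0].write_bytes(os.urandom(64))                                  # overwritten
    canaries[1].rename(canaries[1].with_name(canaries[1].name + ".locked"))  # renamed
    return check_canaries(baseline)


if __name__ == "__main__":
    for alert in demo():
        print(f"[{alert.severity.upper()}] {alert.path}: {alert.reason}")
```

Run the check from a scheduled task or a file-system watcher on the monitoring host; the alerts are the trigger for the incident management checklist, not a replacement for backups.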
By layering controls it is possible to achieve Defence in Depth, and given the nature of the threat it is appropriate to apply multiple controls. Following the principles of Plan, Do, Check, Act, the SIP could be addressed in this way.
Plan:
- Use statistics for risk planning
- Assess the required security controls based on the risks, threats, and vulnerabilities against the maturity model assessment of each of the required controls
- Prioritise the control improvements considering the benefits, timeline for delivery, costs and resources required, and the opportunities and outcomes that will be achieved
- Seek approval, funding and resources from management
Do:
- Initiate a project or programme of works
- Implement the controls based on the priorities set in planning
Check:
- Validate the controls through testing and assurance activities
- Monitor the effectiveness and note any gaps, residual risks, and improvements
Act:
- Respond to security incidents following the procedures and checklists
- Review lessons learnt and feed the information into the next improvement cycle for continuous improvement
Future Risk and Assurance Challenges
The leadership and staff of CCC are going to need to predict, respond and adapt to emerging threats and trends in the general business landscape and in military research and development (R&D). The organisation needs to assess and respond to new threats, monitor and improve, and exploit opportunities, to provide assurance to its investors, suppliers and customers. Threats and opportunities are continually emerging, so a regular review must be conducted at a suitable frequency, based on risk level, allowing a timely response. Risks should be tracked on the risk register so that the organisation can adapt to new threats and exploit opportunities, and a service improvement plan should be used to continuously improve its security posture.
Predicted risks and opportunities with a commentary are presented in Appendix J Future Risks. Amongst the common themes of future risks and assurance are:
- Medical and health concerns from human applied sciences
- Financial uncertainty, which may reduce the spending on security controls
- Risk exposure for niche solutions which have a narrow application and therefore a higher risk of not selling the solution to recoup costs
- Changes to laws and regulations
- Collaboration and information sharing with other companies
- Increased cyber attacks
- New ways of working generating new risks
- Increased competition, but also opportunities for growth in the market sector
- Political changes like Brexit resulting in the UK's exclusion from contracts, e.g. the French are collaborating with the Germans on a new fighter jet but excluding the UK
Summary
Implementing Information Assurance and Risk Management best practices through security frameworks offers the organisation as a whole a number of benefits. It also reduces the risk to the executive and, through proactive review cycles, ensures continuous improvement and adaptation and response to emerging threats. By adopting the ISO 27001, Cyber Essentials and NIST frameworks the organisation will be in a stronger position to resist security threats and will lower the risk and costs associated with security incidents. The Board needs to drive an organisation-wide cultural change from the top down to mobilise, direct, and empower staff, alongside policies, processes, procedures and technology controls, to defend against harmful threats both now and in the future. An Information Security Management System (ISMS) combines all elements into one ‘system’ working together to deliver the benefits to the organisation. An ISMS can demonstrate regulatory compliance, enhance reputation to win and retain business, improve efficiency, and satisfy audit, says Calder (2009).
It is clear that the contractual and regulatory relationships that CCC has will influence the security frameworks adopted and the choice of controls implemented, and will also influence the organisation's governance structures. CCC have to seek assurance through the Cyber Essentials and NIST assurance processes to be permitted to conduct business with the MoD and DoD respectively. In addition, ISO 27001 should be adopted as a master framework and mapped to NIST to satisfy the US business requirements and reduce duplication. CCC should implement an information governance programme and maintain information and risk management best practices using the security frameworks, then engage independent verification to demonstrate and provide assurance to shareholders, staff, customers and suppliers that CCC is protecting information assets and that CCC is a trustworthy partner for business relationships with a secure trading future. This initiative should be viewed not as an unwelcome cost, but rather as a competitive advantage for CCC.
Acronyms and Abbreviations
BS: British Standards
CPA: Commercial Product Assurance
DIAS: Defence Assurance and Information Security
IG: Information Governance
ISMS: Information Security Management System
JSyCC: Joint Security Co-ordination Centre
MISIRS: MOD Information Security Incident Reporting Scheme
ISO/IEC: International Standards Organisation (ISO) / International Electrotechnical Commission (IEC)
SAPMA: Security Assessment for Protectively Marked Assets risk assessment methodology
SIEM: Security Information and Event Management
WARP: Warning, Advice and Reporting Point
References
Act of Parliament. (2006). Companies Act 2006. Available at: http://www.legislation.gov.uk/ukpga/2006/46/part/10/chapter/2 (Accessed: 2 August 2017)
Alderson, C. (2017). The future of technology in the defence sector. ForrestBrown. Available at: https://forrestbrown.co.uk/news/the-future-of-technology-in-the-defence-sector/ (Accessed: 19 July 2017)
ARMA International. (2013). Generally Accepted Recordkeeping Principles Information Governance Maturity Model. Available at: https://www.arma.org/docs/bookstore/theprinciplesmaturitymodel.pdf?sfvrsn=2 (Accessed: 20 August 2017)
Bureau of Industry and Security. (2013). Export Controls are Relevant to Your Business. U.S. Department of Commerce. Available at: https://www.bis.doc.gov/index.php/formsdocuments/technology-evaluation/781-export-licensing/file (Accessed: 25 July 2017)
Brill, A. and Straight, J. (2013). Cyber Due Diligence: How and Why Investors—and the Companies They Are Targeting—Should Assess Their Cyberrisks. Risk Management Magazine. Available at: http://www.rmmagazine.com/2013/10/01/cyber-due-diligence-how-and-why-investors-and-thecompanies-they-are-targeting-should-assess-their-cyberrisks/ (Accessed: 25 July 2017)
British Assessment Bureau. (2014). Certification cycle explained. Available at: http://www.british-assessment.co.uk/guides/the-3-year-certification-cycle-explained/ (Accessed: 12 August 2017)
British Standards Institution (BSI). (no date). The small business guide to standards. Available at: https://www.bsigroup.com/Documents/standards/smes/bsi-small-business-guide-to-standards-engb.pdf (Accessed: 19 July 2017)
British Standards Institution (BSI). (no date). Innovation, The role of standards. Available at: https://shop.bsigroup.com/upload/Standards%20&%20Publications/Innovation&Design/Innovation%20&%20Design%20white%20paper.pdf (Accessed: 8 July 2017)
BSI. (no date). Supply Chain Security Management. Available at: https://www.bsigroup.com/enGB/iso-28000-supply-chain-security-management (Accessed: 19 July 2017)
BSI. (no date). Supply Chain Security Management for SMEs. Available at: https://www.bsigroup.com/en-GB/iso-28000-supply-chain-security-management/management-ISO28000/ (Accessed: 19 July 2017)
BSI. (no date). Need to better manage security risks in your supply chain? Available at: https://www.bsigroup.com/Documents/iso-28000/resources/iso-28000-client-manual.pdf (Accessed: 19 July 2017)
Cabinet Office. (2014). Security Requirements for List X Contractors. Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/367514/Security_Requirements_for_List_X_Contractors.pdf (Accessed: 30 July 2017)
Calder, A. (2011). Implementing information security based on ISO 27001/ISO 27002: A management guide (2nd ed.). Zaltbommel: Van Haren Publishing.
Calder, A. (2013). Can Compliance Shield your Organization from Cyberthreats? Credit Control, 34(2), 67-71.
Competition & Markets Authority. (2014). Cartel Offence Prosecution Guidance. Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/288648/CMA9_Cartel_Offence_Prosecution_Guidance.pdf (Accessed: 3 August 2017)
Corfield, G. (2017). Brits must now register virtually all new drones and undergo safety tests. The Register. Available at: http://www.theregister.co.uk/2017/07/24/uk_mandatory_drone_registration_rules_floated/ (Accessed: 24 July 2017)
Corfield, G. (2017). Air, sea drones put through their paces on Solent testing range. The Register. Available at: http://www.theregister.co.uk/2017/07/18/drone_testing_range_solent/ (Accessed: 24 July 2017)
Crowe, J. (2017). 2017 Ransomware Trends and Forecasts. Available at: https://blog.barkly.com/new-ransomware-trends-2017 (Accessed: 19 August 2017)
Curtis, S. (2013). Spy agencies 'ban Lenovo from secret networks'. The Telegraph. Available at: http://www.telegraph.co.uk/technology/news/10208578/Spy-agencies-ban-Lenovo-from-secretnetworks.html (Accessed: August 2017)
Defence Contracts Online. (no date). Supplier Registration. Available at: https://www.contracts.mod.uk/delta/signup.html?userType=supplier (Accessed: 25 July 2017)
Department for International Trade. (2016). Guidance, Sanctions, embargoes and restrictions. Available at: https://www.gov.uk/guidance/sanctions-embargoes-and-restrictions (Accessed: 17 July 2017)
Dixon, B. (2009). Understanding the FAIR Risk Assessment. Available at: https://www.certconf.org/presentations/2009/files/TA-2.pdf (Accessed: 7 August 2017)
DoD (Department of Defense). (2014). Instruction Number 8510.01. Available at: http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001_2014.pdf (Accessed: 13 August 2017)
DoD (Department of Defense). (2016). Department of Defense (DoD) Releases Fiscal Year 2017 President’s Budget Proposal. Press Operations, Release No: NR-046-16, 9 February 2016. Available at: https://www.defense.gov/News/News-Releases/News-Release-View/Article/652687/departmentof-defense-dod-releases-fiscal-year-2017-presidents-budget-proposal/ (Accessed: 16 August 2017)
DSTL (Defence Science and Technology Laboratory). (2014, updated 2016). How to work with or sell to Dstl: industry, academia and other research organisations. Available at: https://www.gov.uk/guidance/how-to-sell-to-dstl-industry-academia-and-other-researchorganisations (Accessed: 16 August 2017)
DSTL (Defence Science and Technology Laboratory). (2017). MOD DIPR and Ploughshare sign agreement for wider intellectual property commercialisation. Available at: https://www.gov.uk/government/news/mod-dipr-and-ploughshare-sign-agreement-for-widerintellectual-property-commercialisation (Accessed: 18 July 2017)
Freund, J. and Jones, J. (2015). Measuring and managing information risk: A FAIR Approach. Oxford: Elsevier Inc.
Goad, B. (2016). We are all cyborgs. ForrestBrown. Available at: https://forrestbrown.co.uk/news/we-are-all-cyborgs/ (Accessed: 19 July 2017)
Gould, S. and Bender, J. (2015). Here's how the US military spends its billions. Business Insider UK. Available at: http://uk.businessinsider.com/how-the-us-military-spends-its-billions-20158?r=US&IR=T (Accessed: 16 August 2017)
Hadlington, L. (2017). Exploring the Psychological Mechanisms used in Ransomware Splash Screens. De Montfort University, Leicester. Available at: https://sentinelone.com/wpcontent/uploads/2017/06/Psychology-of-Ransomware-Report-Final.pdf (Accessed: 24 July 2017)
HMG. (2014). Guidance, Security policy framework. Available at: https://www.gov.uk/government/publications/security-policy-framework/hmg-security-policyframework (Accessed: 20 August 2017)
ICO. (2017). Subject access code of practice: Dealing with requests from individuals for personal information. Available at: https://ico.org.uk/media/for-organisations/documents/2014223/subjectaccess-code-of-practice.pdf (Accessed: 5 August 2017)
ICO. (no date). Key areas to consider, Lawful processing. Information Commissioner's Office. Available at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/keyareas-to-consider/
Infosecurity Magazine. (2013). Chinese hackers make off with US weapons blueprints, Australian spy HQ plans. Available at: https://www.infosecurity-magazine.com/news/chinese-hackers-make-offwith-us-weapons/ (Accessed: 14 July 2017)
Insley, F. (2017). MOD Implementation of Cyber Essentials Scheme. Defence Contracts Online. Available at: https://www.contracts.mod.uk/announcements/mod-implementation-of-cyberessentials-scheme/ (Accessed: 12 August 2017)
The Insolvency Service. (2011). Recoveries from directors and other company officers. The Insolvency Service, Gov.UK. Available at: https://www.insolvencydirect.bis.gov.uk/technicalmanual/ch2536/Chapter31/part4B/part4/part_4.htm#31.4B.78 (Accessed: 2 August 2017)
International Visits Control Office. (2015). International Visits Control Office Guidance Notes for MOD List X Contractors. Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/428564/20150319-IVCO_Contractor_Guidance.pdf (Accessed: 30 July 2017)
ISO. (2015). The ISO Survey of Management System Standard Certifications 2015. Available at: https://www.iso.org/files/live/sites/isoorg/files/standards/conformity_assessment/certification/doc/survey_executive-summary.pdf (Accessed: 6 August 2017)
ISO27k Forum. (2016). ISO27k ISMS implementation and certification process v4. Available at: http://www.iso27001security.com/ISO27k_ISMS_implementation_and_certification_process_v4.pdf (Accessed: 16 August 2017)
Kenyon, B. (2016). Ransomware recovery. ITNOW, 58(4), 32-33.
Kaspersky. (2016). Kaspersky Security Bulletin 2016. Story of the year: The Ransomware Revolution. Available at: https://securelist.com/files/2016/12/KSB2016_Story_of_the_Year_ENG.pdf (Accessed: 19 August 2017)
Lange, K. (2015). 18 Tips to Safeguard Your Mobile Devices, Social Media. DoD Live. Available at: http://www.dodlive.mil/2015/10/20/18-tips-to-safeguard-your-mobile-devices-social-media/ (Accessed: 9 July 2017)
Li, S., Tryfonas, T. and Li, H. (2016). The Internet of Things: A security point of view. Internet Research, 26(2), 337-359.
MacLennan, A. (2014). Information governance and assurance: Reducing risk, promoting policy. London: Facet Publishing.
Marzigliano, L. (2014). Defense Department Adopts NIST Security Standards. Available at: http://www.informationweek.com/government/cybersecurity/defense-department-adopts-nistsecurity-standards/d/d-id/1127706 (Accessed: 13 August 2017)
Mathews, L. (2017). The NotPetya Ransomware May Actually Be A Devastating Cyberweapon. Available at: https://www.forbes.com/sites/leemathews/2017/06/30/the-notpetya-ransomwaremay-actually-be-a-devastating-cyberweapon/#57ca740c39e8 (Accessed: 19 August 2017)
Merrick, R. (2017). Theresa May pledges to increase defence spending after military chiefs warn UK losing the ability to fight wars. The Independent. Available at: http://www.independent.co.uk/news/uk/politics/theresa-may-defence-spending-pledge-militarywars-warning-a7729056.html (Accessed: 18 July 2017)
Millar, J. (2017). Germany and France snub Britain in military deal as EU members grow impatient with UK. The Express. Available at: http://www.express.co.uk/news/uk/832303/brexit-francegermany-military-uk-aviation-eu-army (Accessed: 24 July 2017)
Ministry of Communications and Information [SG]. (2017). Cybersecurity Bill, Bill No. /2017. Available at: https://www.csa.gov.sg/~/media/csa/cybersecurity_bill/consult_document.ashx?la=en (Accessed: 5 August 2017)
MoD. (2012). Using Social Media - a guide for military personnel. Available at: https://www.gov.uk/government/publications/using-social-media-a-guide-for-military-personnel (Accessed: 5 August 2017)
MoD. (2016). Defence Assurance and Information Security: defence industry/list X. Ministry of Defence. Available at: https://www.gov.uk/guidance/defence-security-and-assurance-servicesdefence-industry-list-x (Accessed: 24 July 2017)
MoD Defence Contracts Online (MOD DCO). (2017). Connecting the Defence Procurement Supply Chain: Defence Procurement, Research, Technology & Exportability (DPRTE) 2017. Available at: https://www.contracts.mod.uk/procurement-at-mod/dprte-2017/ (Accessed: 7 August 2017)
MoD. (2017). Industry Security Notice, Number 2017/04, Industry Supplier Guidance on DEFCON 658 (Cyber). Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/634863/20170726-Cyber_ISN_for_Industry.pdf (Accessed: 19 August 2017)
NCSC. (2016). Protecting your organisation from ransomware. Available at: https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware (Accessed: 19 August 2017)
NCSC. (2016). Professional service scheme. Cyber Incidents. Available at: https://www.ncsc.gov.uk/scheme/cyber-incidents (Accessed: 19 August 2017)
NCSC. (2017). Ransomware: Latest NCSC Guidance. Available at: https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance (Accessed: 19 August 2017)
NCSC. (no date). About CPA certification. Available at: https://www.ncsc.gov.uk/scheme/commercial-product-assurance-cpa (Accessed: 5 August 2017)
NIST. (2014). Framework for Improving Critical Infrastructure Cybersecurity version 1.0. National Institute of Standards and Technology. Available at: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework021214.pdf (Accessed: 9 July 2017)
NIST. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems. Available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf (Accessed: 13 August 2017)
Police.UK. (2017). Crime changes over time in St Albans and in the Hertfordshire force area. Home Office. Available at: https://www.police.uk/hertfordshire/F01/performance/compare-yourarea/burglary/?section=timeline#timeline (Accessed: 20 August 2017)
Reid, J. (2016). Ransomware Attacks: Calculating the Cost of Downtime. AssureStor. Available at: https://www.assurestor.com/cost-of-downtime/ (Accessed: 19 August 2017)
Sculthorpe, T. (2017). EXC: Jeremy Corbyn demanded 'more cuts' to Britain's Armed Forces while they were still fighting in Afghanistan. The Daily Mail. Available at: http://www.dailymail.co.uk/news/article-4547898/Corbyn-demanded-cuts-Britain-s-ArmedForces.html (Accessed: 18 July 2017)
Smout, M. (2015). The sky is the limit for R&D in drones. ForrestBrown. Available at: https://forrestbrown.co.uk/news/the-sky-is-the-limit-for-rd-in-drones/ (Accessed: 19 July 2017)
Street, J., Baskin, B. and Sims, K. (2015). Dissecting the Hack: The V3rb0ten Network. Burlington: Elsevier Science.
Thomson, I. (2017). Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8. The Register. Available at: https://www.theregister.co.uk/2017/04/14/latest_shadow_brokers_data_dump/ (Accessed: 19 July 2017)
UKCS. (2017). Fact sheet P-01: UK Copyright Law. Available at: https://www.copyrightservice.co.uk/copyright/p01_uk_copyright_law (Accessed: 9 July 2017)
Verisign. (2017). Using DNS to combat Ransomware. Available at: https://www.verisign.com/assets/ebook-combat-ransomware.pdf (Accessed: 15 July 2017)
Wass, R. (2017). Developing underwater ROVs – Remotely Operated Vehicles. ForrestBrown. Available at: https://forrestbrown.co.uk/news/developing-underwater-rovs-remotely-operatedvehicles/ (Accessed: 19 July 2017)
Resources
- National Vulnerability Database https://nvd.nist.gov/
- #CyberAware https://twitter.com/search?q=%23CyberAware&src=tyah
- National Cybersecurity Protection System (NCPS) https://www.dhs.gov/national-cybersecurityprotection-system-ncps
- Defense Security Information Exchange https://www.dsie.org/membership.html
- Defence Growth Partnership (DGP) http://www.defencegrowthpartnership.co.uk/
- UK Defence Solutions Centre http://www.ukdsc.org/about-ukdsc/
- Industry Security Notice (ISN) https://www.gov.uk/government/publications/industry-securitynotices-isns
Appendix A Assumptions
ASMP001 Current research and development activities do not include human or animal subjects
ASMP002 The presentation of information in the White Paper format cannot be fully achieved as it is directed to one individual company and includes academic references. Amongst other resources on what a white paper should be I referred to https://contentwriters.com/blog/white-paper/; it would not be possible to respond to the assessment question without extending beyond the scope of a White Paper.
ASMP003 CCC are a contractor who holds sensitive data and are required to comply with List X ASMP004 Recommendations are to be made but a full risk assessment and writing policies is beyond the scope of this assignment ASMP005 The assignment should be limited to the Risk Management and Information Assurance aspects of an Information Governance (IG) programme and not cover the implementation of an entire IG programme Page 22 Appendix B Legislation, Regulation, Contractual UK Companies Act 2006 Computer Misuse Act 1990 US Securities Act of 1933 Securities and Exchange Act of 1934 Sarbanes-Oxley Act of 2002 Dodd-Frank Act of 2010 The Computer Fraud and Abuse Act 1996?? Replaced by patriot act? Computer Security Act of 1987? USA PATRIOT Act and Homeland Security Presidential Directives (HSPDs). DoD Directives Division http://www.esd.whs.mil/DD/ The E-Government Act of 2002 (H.R. 2458) This law is known as the “Federal Information Security Management Act of 2002” (also referred to as FISMA). The purpose is to provide efficient secure delivery of web based and other technology for government to public, other agencies, and government entities. (SANS 2003) Data Protection Act 1998 ICO “If you handle personal information, you may need to register as a data controller with the ICO. Registration is a statutory requirement and every organisation that processes personal information must register with the ICO, unless they are exempt. 
Failure to register is a criminal offence” Electronic Communications Act 2000 Freedom of Information Act 2000 Freedom of Information Act (FOIA) 1967 For applicable to public and government bodies but indirect disclosure information by a public body may have implications to CCC The same government agency disclosure requirement nine exemptions which protect interests such as personal privacy, national security, and law enforcement Page 23 Federal Records Act Protection of Freedoms Act (POFA) When using CCTV: Freedom of Information Act 2000 (FOIA), the POFA, the Human Rights Act 1998 (HRA) and the Surveillance Camera Code of Practice issued under the Protection of Freedoms Act (POFA code). You should also take into account other relevant rules and guidance which may cover your activities. For example the ICO’s ‘code of practice on Privacy notices, transparency and control’, ‘Data sharing code of practice’, ‘Employment practices code’, ‘Employment practices code - supplementary guidance’ (this supplementary guidance is particularly important if surveillance systems will be used to monitor employees) and, as mentioned above, the ‘Conducting privacy impact assessments code of practice’. ICO’s guidance on the use of cloud computing Public Interest Disclosure Act 1998 The Whistleblower Protection Enhancement Act of 2012 General Data Protection Regulation (GDPR) Competition and Markets Authority (CMA) Copyright, Designs and Patents Act (CDPA) 1988 Before attempting to export military or dual use goods to the US, UK companies should research whether they are subject to ITAR. You must consider any future restrictions that may be placed upon your export as a result of ITAR before entering into any formal contract. 
US International Traffic in Arms Regulations (ITAR) controls the import/export of items on United States Munitions List (USML) International Traffic in Arms Regulations (ITAR) is a set of United States Government regulations on the export and import of defense related articles and services Export Administration Regulations (EAR) US product liability law Employment rights Act 1996 Information Commissioner’s Employment Practice Code Page 24 Equality Act 2010 (Disability Discrimination Act 1995 in Northern Ireland) Security Aspects Letter (SAL) DEFCON 659A Invitation to Tender (ITT) List X ‘facility security clearance’ (FSC). JSP 440 JSP 895 The MOD Simplified Purchasing and Payment Process Manual JSP 503 - MOD BUSINESS CONTINUITY MANAGEMENT JSP 441 Managing Information in Defence JSP 441 MANAGING INFORMATION IN DEFENCE PART 2 - GUIDANCE JSP 536 Ministry of Defence Policy for Research Involving Human Participants JSP 740 Acceptable Use Policy (AUP) for Information and Communications Technology (ICT) SPIRE Form 680 application All UK companies must obtain MOD Form 680 approval in order to release information or equipment classified OFFICIAL-SENSITIVE and above to foreign entities Global Declaration Against Corruption Export controls Open General Export Licence Military Components Open General Export Licence Military Goods, Software and Technology Open General Export Licence Exports under the US-UK Defence Trade Cooperation Treaty UK Strategic Export Control List Defence Logistics Framework (DLF) has replaced JSP 886 in 2016 The International Visits Control Office approval for travel for inbound visitors and outbound staff. Request for Visit (RFV). 
- The Cabinet Office Security Policy Framework
- The Letter of Intent (LOI) Framework Agreement
- Bi-lateral Security Agreements/Arrangements
- The Declaration of Principles between the United Kingdom and the United States of America
- The security policies and regulations required by international organisations such as the North Atlantic Treaty Organisation (NATO), and procedures for countries acting under the auspices of the Multi-National Industrial Security Working Group (MISWG) (International Visits Control Office 2015)
- Cartel Offence Prosecution Guidance, Competition & Markets Authority (2014)
- Official Secrets Act 1989
- Serious Organised Crime and Police Act 2005

Appendix C Policies

Policy | Comment and Considerations | Priority
Information Governance (IG) Policy | Starting with a statement of commitment by the organisation to developing and adhering to IG practices, with clarity around roles and responsibilities. Requirements under BS 13500:2013 Annex A for governance system, governance accountability, vision and strategic outcomes, and risk limits. See requirements within List X and HMG (2014) Guidance, Security Policy Framework. | High
Remote Access and Remote Working Policy | Staff currently only undertake R&D work within the company facilities. The policy should define the data which may be accessed and carried out of the company's offices, the regions and locations from which remote working may be undertaken (public places or foreign countries), data encryption technology for data in transmission and stored on media, and two-factor authentication. There is a risk of being overlooked, and consideration needs to be given to the secure storage of sensitive information under lock and key, such as test reports or models of products. | Medium
Bring Your Own Device (BYOD) Policy | Staff are currently supplied ICT equipment; however, there are certain types of device which could be used to leak data, such as personal tablets, cameras, phones, laptops or other devices. Some brands of equipment also raise security concerns that they have data-gathering capabilities built in for state-sponsored espionage (Information Security Magazine 2013). Consideration should be given to the use of only CPA-approved devices (NCSC, About CPA certification). | Medium
Mobile Device Policy | Keeping in touch has led to increased usage of mobile devices for email, instant messaging, texting and phone calls. | High
Password Policy | Insecure and infrequently changed passwords which are guessable due to a lack of complexity are a significant risk. | High
eMail Policy | Phishing attacks and the distribution of malware using embedded links and email attachments are increasing. The policy should cover document marking to avoid accidental disclosure, encryption and digital signing of messages, the type and importance of data that is permitted to be sent or received, and data loss prevention. | High
Data Loss Prevention Policy | With CCC handling so much IP it is important to track and alert on unauthorised data movement and anomalies. | High
Acceptable Usage Policy | What corporate systems and data can be used for, and how access is permitted. | High
PCI Compliance Policy | CCC do not currently process card payments. | Low
Business Continuity Plan & Disaster Recovery Policy | This will allow the company to recover from loss of facilities and systems through natural disaster such as flood or earthquake, fire, catastrophic failure of systems through hardware or software failure, cyber-attack, loss of communications, loss of access to facilities, materials, transport, etc. | High
Human Resource Recruitment Policy | Personnel security recruitment checks as required by List X. | High
Bullying and harassment complaints policy and procedures | |
Disability and Equality | |
Records management policy, Data Retention & Archiving, and Records Disposition policy | The marking of documents, storage, processing, archiving and disposal of records. | Medium
Sales and Marketing Policy | Sales and marketing to foreign countries can be restricted due to sanctions, controls and embargoes. Refer to Department for International Trade (2016) and Bureau of Industry and Security (2013). A process needs to be developed to frequently assess the list(s) and feed back into management. | High
Data at rest | Storage using encryption and the use of access controls. | High
Data in transit | The use of VPN technology over open/non-secure WiFi and other networks. | High
Backup Policy | The frequency of backups, rotation and retention schedules, offsite storage location, encryption of backups, and restoration test frequency. | High
Information security policy | Statements about how information security is positioned in the organisation. | High
Data privacy policy | Which records are deemed personally identifiable, and who will have access and why. | High
Security Incident Management Policy and Procedure | CCC have obligations to report data loss incidents as defined in their contracts and the regulations governing their business relationships. | High
Document Marking Policy | A relatively simple and low-cost control. Document marking can be used to control access to documents, to guide information processors on acceptable usage of data, and to inform the organisation of the impact of data loss events. | High
Information sharing policy | The type and classification of data shared inwards or outwards, and the methods for transmission and storage, are key to protecting IP. See DSTL (2017) on the MOD DIPR and Ploughshare Agreement. | High
Staff Training Policy | Policies, procedures, standards and guidelines will not be effective unless staff are aware that they exist and of their obligations to follow them. Enforcement and disciplinary action would be ineffective without proof that staff had undertaken the training. | High
Freedom of Information Policy | Disclosure of information under the Freedom of Information Act. Less likely to apply to CCC directly, but a policy and procedure should be defined. Refer to the ICO Subject access requests code of practice. | Low
Anti-Bribery Policy | In a market sector with a history of special payments, a corporate gifts, bribery and corruption policy should be developed to avoid staff being compromised by gift giving or receiving. | Medium
Supplier management policy | A right to audit suppliers. A flow-down of contractual requirements for suppliers to meet security standards. With the use of third-party suppliers for subcontracting, CCC should consider MOD Defence Contracts Online (MOD DCO) (2017) supply chain security. | Medium
Whistle blowing policy | Protection for whistle blowing. BS 13500:2013. | Low
Quality control policy | Defective products and complaints procedures: being responsive to field complaints and having clear documentation as proof of your response; regular audits of product literature to ensure clear instructions about safety; effective risk management to manage safety compliance; document retention and staff training around product design, manufacture, marketing and field experience; product liability insurance. | Low
Physical Security Controls Policy | Security guards and patrols, the use of safes and locking storage, door locks and access passes for each zone, staff identity badges being displayed openly. Compliance with CCTV licensing and operation. | High
Travel | Authorisation is required for inward and outward international travel through the International Visits Control Office (IVCO). This control allows consideration of how to combat threats of espionage and is a contractual requirement for List X companies. Travel to high-risk countries. | High
Need to know | Linked to document marking, the restriction of information will help protect IP and sensitive corporate information such as the value of contracts or the status of an RFP or tender response. | High
Clear desk policy | The facilities have good physical security controls so staff can only access permitted areas, meaning that staff in a given section would typically share information anyway. A clear desk policy would improve security further. | Medium
Obscured screen | Very little work is performed out of the company offices; however, it is important to avoid being overlooked, and screen locking, blanking and privacy filters would be an enhancement, especially for remote working. | Medium
Data Storage | Physical security including locking furniture and safes, technology controls, defence in depth. | High
Moving assets by hand | Caution about being overlooked; movement of large volumes of data needs to be authorised; tamper-proof containers; risk assessment. Compliance with List X controls, including approval to move data. Refer to List X. | Medium
Moving assets by courier or post | There is a higher need for a policy for this activity as it alters the chain of custody for data. The policy should cover sending only to known physical addresses and to known and named addressees, registered and tracked delivery, signature on receipt, authorisation depending on classification, and tamper-proof containers. Refer to List X. | High
Bulk transfers of data | Authorisation to transfer bulk data, approved transfer methods and physical controls would be a useful addition after the basic policies and controls are put in place. Refer to List X. | Medium
ICT services | Allow only permitted services from approved providers. This will include only sourcing services within country and not from overseas service providers. Those providers should be vetted for their information security practices to avoid loss via the service provider, as was seen in the Stone Panda/APT10 infiltration of service providers. The use of new services, including cloud services, must be risk assessed before use. | High
Removable media | An easy way to introduce unauthorised software, malware or stolen IP into the corporate systems, and similarly an easy and easily concealed method of removing data from the company. | High
Telephony (landline and mobile), video conferencing and fax usage policy | Considered use of communications media is required to avoid eavesdropping, so the use of unsecured communications media, where they may be used (public, private, foreign locations), and the | High
Social Media Policy | LinkedIn, Facebook, Twitter, Instagram and other platforms can be used to profile individuals for social engineering attacks, and these platforms offer an opportunity for accidental disclosure or reputational damage. They can also be a positive tool for communications if used properly. See Lange (2015) and MoD (2012). | High
Corporate communications and media Policy | Ensuring that only responsible people can communicate information about the company via press release, the corporate website or press interviews, to avoid disclosure or reputational damage (Ministry of Defence 2012). | Medium
eDiscovery policy and procedure | Litigation is commonplace in the US market and increasingly common in the UK. This is a time-consuming process if not managed well and has serious implications if avoided or poorly executed. As the occurrence for CCC is low, this is an area to be developed after other policies and procedures. | Medium
Security By Design | All technology solutions and product solutions must include security design principles and controls as appropriate for the solution. This is the lower-cost option compared with trying to retrofit security. | High
Testing Policy | All solutions will be reviewed and validated to confirm that the implementation followed the design and that the security outcomes can be evidenced against the design, including any penetration testing and assurance activities. | Medium
Development Environment Data Usage Policy | Exclude the use of production data in non-production environments. | High
Mobile Device Policy | Lost and stolen devices process; mobile device encryption; password and access PIN complexity; device auto-lock settings and remote device wiping; permitted device makes and models; acceptable make and model of hardware. | High
Hardware and Software Procurement Policy | Receiving and tracking new equipment and software; acceptable hardware and software, including supported versions. The selection of equipment from the Commercial Product Assurance (CPA) list could be considered, with an awareness that Lenovo and Huawei equipment and other Chinese-made equipment, including mobile devices, should be treated with due caution because of concerns about backdoors and trapdoors; Curtis (2013) reports that Lenovo is banned from the Five Eyes agencies' Secret and Top Secret networks. A policy governing who can purchase and what authorisation is required to purchase, and a standard stating the makes and models that can be purchased and whether they need to be CPA approved. | Medium
Incident reporting policy | Define what constitutes an incident, and the roles and responsibilities in incident management. Reporting procedures. | High

Appendix D Assets

A list of CCC assets:
- Servers
- Workstations
- Laptops
- Smart phones
- Firewall
- Copyright and trademarks
- Intellectual property
- Designs, models and prototypes
- Third-party owned information
- Business plan/strategy
- Marketing plan
- Finance system
- Lab equipment
- Paper records
- Contracts
- Routers, switches and cabling
- Telephone system
- HR records

Appendix E Statement of Applicability

ISO/IEC 27001:2013 Annex A controls. For each control the table records whether CCC currently has the control in place (yes, partial or no) and any reason noted against it. Every control is selected, with the reasons for selection recorded against the legal, contractual, business and risk drivers, except 14.1.2 and 14.1.3, which are not applicable because CCC has no e-transaction systems.

Clause | Control | Current control | Reasons
5 Security policies
5.1 Management direction for information security
5.1.1 | Policies for information security | no |
5.1.2 | Review of the policies for information security | no |
6 Organisation of information security
6.1 Internal organisation
6.1.1 | Information security roles and responsibilities | no |
6.1.2 | Segregation of duties | no |
6.1.3 | Contact with authorities | partial |
6.1.4 | Contact with special interest groups | partial |
6.1.5 | Information security in project management | no |
6.2 Mobile devices and teleworking
6.2.1 | Mobile device policy | no |
6.2.2 | Teleworking | no |
7 Human resource security
7.1 Prior to employment
7.1.1 | Screening | partial |
7.1.2 | Terms and conditions of employment | no |
7.2 During employment
7.2.1 | Management responsibilities | no |
7.2.2 | Information security awareness, education and training | no | Ransomware
7.2.3 | Disciplinary process | no |
7.3 Termination and change of employment
7.3.1 | Termination or change of employment responsibilities | no |
8 Asset management
8.1 Responsibility for assets
8.1.1 | Inventory of assets | no |
8.1.2 | Ownership of assets | no |
8.1.3 | Acceptable use of assets | no |
8.1.4 | Return of assets | no |
8.2 Information classification
8.2.1 | Classification of information | no |
8.2.2 | Labelling of information | no |
8.2.3 | Handling of assets | no |
8.3 Media handling
8.3.1 | Management of removable media | no |
8.3.2 | Disposal of media | no |
8.3.3 | Physical media transfer | no |
9 Access control
9.1 Business requirements of access control
9.1.1 | Access control policy | no |
9.1.2 | Access to networks and network services | no |
9.2 User access management
9.2.1 | User registration and de-registration | partial |
9.2.2 | User access provisioning | partial |
9.2.3 | Management of privileged access rights | no |
9.2.4 | Management of secret authentication information of users | no |
9.2.5 | Review of user access rights | no |
9.2.6 | Removal or adjustment of access rights | no |
9.3 User responsibilities
9.3.1 | Use of secret authentication information | no |
9.4 System and application access control
9.4.1 | Information access restriction | no |
9.4.2 | Secure log-on procedures | no |
9.4.3 | Password management system | no |
9.4.4 | Use of privileged utility programs | no |
9.4.5 | Access control to program source code | no |
10 Cryptography
10.1 Cryptographic controls
10.1.1 | Policy on the use of cryptographic controls | no |
10.1.2 | Key management | no |
11 Physical and environmental security
11.1 Secure areas
11.1.1 | Physical security perimeter | yes |
11.1.2 | Physical entry controls | yes |
11.1.3 | Securing offices, rooms and facilities | yes |
11.1.4 | Protecting against external and environmental threats | no |
11.1.5 | Working in secure areas | no |
11.1.6 | Delivery and loading areas | no |
11.2 Equipment
11.2.1 | Equipment siting and protection | no |
11.2.2 | Supporting utilities | partial |
11.2.3 | Cabling security | no |
11.2.4 | Equipment maintenance | no |
11.2.5 | Removal of assets | no |
11.2.6 | Security of equipment and assets off-premises | no |
11.2.7 | Secure disposal or re-use of equipment | no |
11.2.8 | Unattended user equipment | no |
11.2.9 | Clear desk and clear screen policy | no |
12 Operations security
12.1 Operational procedures and responsibilities
12.1.1 | Documented operating procedures | no |
12.1.2 | Change management | no |
12.1.3 | Capacity management | no |
12.1.4 | Separation of development, testing and operational environments | no |
12.2 Protection from malware
12.2.1 | Controls against malware | partial |
12.3 Backup
12.3.1 | Information backup | partial |
12.4 Logging and monitoring
12.4.1 | Event logging | no |
12.4.2 | Protection of log information | no |
12.4.3 | Administrator and operator logs | no |
12.4.4 | Clock synchronisation | yes |
12.5 Control of operational software
12.5.1 | Installation of software on operational systems | no |
12.6 Technical vulnerability management
12.6.1 | Management of technical vulnerabilities | no |
12.6.2 | Restrictions on software installation | no |
12.7 Information systems audit considerations
12.7.1 | Information systems audit controls | no |
13 Communications security
13.1 Network security management
13.1.1 | Network controls | partial |
13.1.2 | Security of network services | no |
13.1.3 | Segregation in networks | partial |
13.2 Information transfer
13.2.1 | Information transfer policies and procedures | no |
13.2.2 | Agreements on information transfer | no |
13.2.3 | Electronic messaging | no |
13.2.4 | Confidentiality or non-disclosure agreements | no |
14 System acquisition, development and maintenance
14.1 Security requirements of information systems
14.1.1 | Information security requirements analysis and specification | no |
14.1.2 | Securing application services on public networks | n/a | No e-transaction systems
14.1.3 | Protecting application services transactions | n/a | No e-transaction systems
14.2 Security in development and support processes
14.2.1 | Secure development policy | no |
14.2.2 | System change control procedures | no |
14.2.3 | Technical review of applications after operating platform changes | no |
14.2.4 | Restrictions on changes to software packages | no |
14.2.5 | Secure system engineering principles | no |
14.2.6 | Secure development environment | no |
14.2.7 | Outsourced development | no |
14.2.8 | System security testing | no |
14.2.9 | System acceptance testing | no |
14.3 Test data
14.3.1 | Protection of test data | no |
15 Supplier relationships
15.1 Information security in supplier relationships
15.1.1 | Information security policy for supplier relationships | no |
15.1.2 | Addressing security within supplier agreements | no |
15.1.3 | Information and communication technology supply chain | no |
15.2 Supplier service delivery management
15.2.1 | Monitoring and review of supplier services | no |
15.2.2 | Managing changes to supplier services | no |
16 Information security incident management
16.1 Management of information security incidents and improvements
16.1.1 | Responsibilities and procedures | no |
16.1.2 | Reporting information security events | no |
16.1.3 | Reporting information security weaknesses | no |
16.1.4 | Assessment of and decision on information security events | no |
16.1.5 | Response to information security incidents | no |
16.1.6 | Learning from information security incidents | no |
16.1.7 | Collection of evidence | no |
17 Information security aspects of business continuity management
17.1 Information security continuity
17.1.1 | Planning information security continuity | partial |
17.1.2 | Implementing information security continuity | partial |
17.1.3 | Verify, review and evaluate information security continuity | no |
17.2 Redundancies
17.2.1 | Availability of information processing facilities | partial |
18 Compliance
18.1 Compliance with legal and contractual requirements
18.1.1 | Identification of applicable legislation and contractual requirements | partial |
18.1.2 | Intellectual property rights | partial |
18.1.3 | Protection of records | no |
18.1.4 | Privacy and protection of personally identifiable information | no |
18.1.5 | Regulation of cryptographic controls | no |
18.2 Information security reviews
18.2.1 | Independent review of information security | no |
18.2.2 | Compliance with security policies and standards | no |
18.2.3 | Technical compliance review | no |

Appendix F Supporting Standards

FRAMEWORKS
- BS EN ISO/IEC 27000:2017 Information technology. Security techniques. Information security management systems. Overview and vocabulary
- BS EN ISO/IEC 27001:2017 Information technology. Security techniques. Information security management systems. Requirements
- BS EN ISO/IEC 27002:2017 Information technology. Security techniques. Code of practice for information security controls
- BS ISO/IEC 27005:2011 Information technology. Security techniques. Information security risk management
- BS ISO/IEC 27007:2011 Information technology. Security techniques. Guidelines for information security management systems auditing
- BS ISO/IEC 27013:2015 Information technology. Security techniques. Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
- NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP 800-53A Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
- Cyber Essentials and Cyber Essentials Plus

RISK MANAGEMENT
- BS ISO 31000:2009 Risk management. Principles and guidelines
- BS EN 31010:2010 Risk management. Risk assessment techniques
- NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems
- NIST SP 800-37 Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management
- NIST SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View
- NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
- NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

RECORDS MANAGEMENT
- ISO 30301 Information and documentation. Management systems for records. Requirements
- BS ISO 15489-1:2016 Information and documentation. Records management. Concepts and principles
- BS ISO/IEC 11770-1:2010 Information technology. Security techniques. Key management
- NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

SERVICE MANAGEMENT
- BS ISO/IEC 20000-1:2011 Information technology. Service management. Service management system requirements
- NIST SP 800-55 Performance Measurement Guide for Information Security

TESTING
- NIST SP 800-115 Technical Guide to Information Security Testing and Assessment

- BS 10500 Anti-Bribery; ISO 37001:2016 Anti-Bribery Management System
- BS OHSAS 18001 Occupational Health and Safety
- BS 7858:2012 Security screening of individuals employed in a security environment. Code of practice

SECURITY CONTROLS AND METHODS
- ISO/IEC 29151 Code of practice for personally identifiable information protection
- BS 10008 Legal Admissibility of Electronic Information
- NIST SP 800-45 Guidelines on Electronic Mail Security
- NIST SP 800-63A Digital Identity Guidelines: Enrollment and Identity Proofing
- NIST SP 800-64 Security Considerations in the System Development Life Cycle
- NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials
- NIST SP 800-175A Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies
- NIST SP 800-175B Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
- NIST SP 800-177 Trustworthy Email

INCIDENT MANAGEMENT
- PD ISO/IEC TR 18044:2004 Information technology. Security techniques. Information security incident management
- NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide
- NIST SP 800-83 Guide to Malware Incident Prevention and Handling for Desktops and Laptops
- NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response
- NIST SP 800-184 Guide for Cybersecurity Event Recovery
- NIST SP 800-150 Guide to Cyber Threat Information Sharing

BUSINESS CONTINUITY
- BS ISO/IEC 27031:2011 Information technology. Security techniques. Guidelines for information and communication technology readiness for business continuity
- BS EN ISO 22301:2014 Societal security. Business continuity management systems. Requirements
- NIST SP 800-34 Contingency Planning Guide for Federal Information Systems
- NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

SUPPLY CHAIN
- BS ISO 28000:2007 Specification for security management systems for the supply chain
- NIST SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations

IT GOVERNANCE
- BS ISO/IEC 38500:2015 Information technology. Governance of IT for the organization
- BS ISO/IEC 19086-3:2017 Information technology. Cloud computing. Service level agreement (SLA) framework. Core conformance requirements
- BS ISO/IEC 15504-6:2013 Information technology. Process assessment. An exemplar system life cycle process assessment model

QUALITY MANAGEMENT
- BS EN ISO 9000:2015 Quality management systems. Fundamentals and vocabulary

ORGANISATIONAL GOVERNANCE
- BS 13500 Code of practice for delivering effective governance of organizations

TRAINING AND EDUCATION
- NIST SP 800-181 National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework
- NIST SP 800-50 Building an Information Technology Security Awareness and Training Program

OTHER
All the latest NIST guidance can be found at http://csrc.nist.gov/publications/PubsSPs.html#SP%20800

Appendix G ISO27k ISMS Implementation and Certification Process

An overview of the information risk management process: http://www.iso27001security.com/ISO27k_ISMS_implementation_and_certification_process_v4.pdf

Appendix H Common Threats and Hazards

The following is a summary of frequently occurring threats, as summarised by Sutton (2014):

1. Malicious intrusion
   a. Denial of Service (DoS)
   b. Unauthorised access (internal/external)
   c. Unauthorised network scanning
   d. Interception of communications
   e. Session hijacking
   f. Website modification
   g. Software modification (insertion of malicious source code or malware)
   h. Data modification
   i. Decryption of encrypted data
   j. Credential theft and impersonation
2. Environmental threats
   a. Natural hazards (weather events, geological events)
   b. Accidental and malicious physical damage
   c. Fire
   d. Communication jamming or deliberate interference
   e. Communications failure
   f. Power failures
3. Errors and failures
   a. Software failures
   b. Software interdependencies
   c. System overloads
   d. Hardware failure
   e. User errors
   f. Technical staff errors
   g. Internal and external software errors
   h. Change failures
4. Social engineering
   a. Spoofing, masquerading and impersonation
   b. Phishing
   c. Spam
   d. Disclosure
5. Misuse and abuse
   a. Modification of system access privileges
   b. Unauthorised systems activity
   c. Software theft and business information theft
6. Physical threats
   a. Unauthorised access
   b. Theft of computers and portable devices
   c. Theft of authentication devices
7. Malware
   a. Viruses
   b. Worms
   c. Backdoors
   d. Trojan horses
   e. Rootkits
   f. Spyware
   g. Active content
   h. Botnet clients
   i. Ransomware

The following is a summary of frequently occurring vulnerabilities, as summarised by Sutton (2014):

1. Access control
   a. Lack of, or poorly written, access control policies
   b. Failure to change user access rights when changing roles or leaving the organisation
   c. Inadequate user password management
   d. Default system accounts and passwords
   e. Embedded system accounts and passwords
   f. Lack of security for mobile devices
   g. Lack of network segregation
   h. Lack of clear desk and clear screen policy
   i. Using untested software
   j. No restrictions on system utilities
2. Poor procedures
   a. Lack of functional procurement specifications
   b. Lack of functional development specifications
   c. Failure to validate data entry
   d. Use of undocumented software
   e. Use of unauthorised software
   f. Lack of business continuity and disaster recovery planning
3. Physical and environmental security
   a. Poor control of access to premises and areas within them
   b. Insecure physical barriers, doors and windows
   c. Unprotected storage
   d. Inadequate environmental controls such as cooling and humidity control
   e. Location in flooding zones
   f. Storage of flammable materials
   g. Proximity to hazardous materials and processing facilities
4. Communications and operations management
   a. Missing segregation of duties
   b. Lack of network and intrusion monitoring
   c. Use of public networks without protection
   d. Use of uncontrolled wireless access points
   e. Lack of malware protection
   f. Unpatched systems and poor patching schedules
   g. Untested backup and restore procedures
   h. Improper disposal of media
   i. Lack of a BYOD policy
   j. Poor change management procedures
   k. Lack of audit trails and non-repudiation of transactions and emails
   l. Lack of segregation of test and production systems
   m. Uncontrolled copying of business information
5. People-related security failures
   a. Inadequate security training for technical staff
   b. Lack of security awareness training for users
   c. Lack of monitoring or intrusion detection systems
   d. Lack of acceptable usage and other policies
   e. Failure to review and amend access rights of users when they change roles or leave
   f. Lack of asset collection procedures when users leave
   g. Unmotivated or disgruntled staff
   h. Lack of oversight of third parties or of staff working outside business hours

Appendix I Mapping ISO to NIST

The mapping table is presented in NIST SP 800-171, Appendix D, pages 30-51. Available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf

Appendix J Future Risks

Trend or opportunity: Exoskeletons for strength and endurance load carrying, such as the Human Universal Load Carrier from Lockheed Martin (Goad, 2016).
Risk and assurance impact: Medical record keeping required. Potential personal injury claims caused by testing. Strong competition could cause a lack of market share for a completed product.

Trend or opportunity: Restorative prosthetics for injured soldiers created through 3D printing. Electrical stimulation of hearing nerves to restore hearing. Vision restoration and enhancement using biological and technological solutions. Bio-lung, artificial kidney and heart. Tactile distance feedback wearable clothing for low-visibility environments to provide proximity feedback to the wearer (Goad, 2016).
Risk and assurance impact: Potential niche markets and applications of the technology not already considered. Medical record keeping required. Potential personal injury claims caused by testing.
Trend or opportunity: Remotely Operated Vehicles (ROVs) and Autonomous Underwater Vehicles (AUVs) for inspection, reconnaissance, load carrying, working under ice and hostile environments, with supporting technology such as stress-resistant materials, propulsion systems, higher-capacity power systems, sensors, cameras, comms and human control interfaces (Wass, 2017).
Risk and assurance impact: The market may have a limited sales volume, making recouping of costs difficult. Applications of the technology not already considered could create new opportunities, including in non-military applications.

Trend or opportunity: Drones or Unmanned Aerial Vehicles (UAVs) have continued to grow in popularity for a number of military reconnaissance and offensive operational tasks. Development is likely to include collaborative interfaces and communication between UAVs that can work in tandem or even swarm (Alderson, 2017) to complete tasks. Technology enhancements are likely to include endurance, communications, navigation, trajectory planning and control, and sensor fusion (Smout, 2015). Other trends may include miniaturisation and the mimicking of animals to avoid detection (Alderson, 2017).
Risk and assurance impact: Changes in laws and regulations may necessitate changes to software and controls to avoid no-fly zones and for collision prevention. Growing market with many applications of the technology not already considered. A drone registration scheme has been announced by the UK government (Corfield, 2017).

Trend or opportunity: Reactive materials such as the Mesh Worm (Alderson, 2017) could create new materials and new behaviours or applications which are currently uncategorised and not regulated by any laws or governing body.
Risk and assurance impact: Legislative and regulatory changes after product development.

Trend or opportunity: "Biohacking", the insertion of sensory implants for function and identity purposes (Goad, 2016).
Risk and assurance impact: Medical record keeping required. Potential personal injury claims caused by testing.

Trend or opportunity: Singapore has introduced a draft bill to licence cybersecurity personnel (Ministry of Communication and Information [Singapore], 2017), and this approach could be adopted by the UK or US governments to combat the rise in cybersecurity attacks by separating the good guys from the bad and making it easier to prosecute offenders.
Risk and assurance impact: CCC may have to use licensed personnel and exercise caution when developing and testing products if any research and development activities could be deemed to be in scope and require a licence. It would introduce additional complexity and legislation to comply with.

Explanation & Answer


Cerious Cybernetics

Information Assurance and Risk Management

White Paper
A Critical Analysis Report
This white paper draws the executive's attention to the organizational and personal risks
they face, to how risk management and information assurance shield against the upsurge of
cyber hazards, and to how CCC can create opportunities with customers and suppliers who
value independent reassurance.

The Cerious Cybernetics Corporation is a well-known cybernetics development and
research company which has identified extensive information assurance and risk
management practices, policies and procedures, for the purpose of ensuring that information
assurance supports its business through cutting-edge and necessary risk assessment. The
headquarters of the Cerious Cybernetics Corporation are situated in London. This location is
essential since it hosts the most vital business functions, such as IT, data governance, human
resources, legal services and service level agreements. At present, a number of research and
development contracts are under way, for example with the US Defence Department and the
UK's Ministry of Defence.
The Cerious Cybernetics Corporation competes well in the cybernetics market,
especially in research and development. This has helped the company earn a good reputation
and raise its value by a high margin. According to management, a white paper is the best way
to analyse in depth and detail the various aspects of CCC, including information assurance
and risk management. The reason for requesting a white paper is simply to aid in
understanding CCC and to equip the company with the ability to make the right decisions on
particular policies.
The white paper is a vital document that acts as a critical and detailed guide to inform
the executive on risk management and information assurance. This paper will critically
explore factors within the Cerious Cybernetics Corporation. Firstly, it discusses the
scope of risk management in the organizational context. Secondly, it analyses the
implementation of the sets of policies and procedures which are the basis of research and
development for CCC; this part identifies and evaluates the principles and concepts of
information assurance and risk management. Thirdly, a sample Service Improvement
Plan connected to the given scenario is outlined. The fourth area of discussion is
risk management, covering assessing risk, the current risks, threats and hazards, risk
management in action, assurance and certification, and future risk and assurance challenges.
Finally, the paper discusses how to mitigate an attack that may occur in an IT company.
1. Scope for Risk Management
Risk management is the critical process of identifying, assessing and controlling
threats to a company's capital and earnings. Risks can stem from a wide variety of
sources, including financial uncertainty, natural disasters, legal liabilities and strategic
management errors. Most digitalized companies, like CCC, seek to alleviate data-related
risks and IT security threats, and for this reason risk management strategies are given
priority in such companies. In any company or organizational set-up there is the risk of
harmful and unexpected events that may incur high costs or cause the company to close
permanently. Risk management therefore helps the company prepare for the unexpected by
minimizing extra costs and risks before they occur (Chopra & Chaudhary,
Implementing a risk management plan and considering potential risks prior to their
occurrence saves a company money and resources, thus protecting its future as well.
This is possible because an effective risk management plan gives a company the ability to
establish procedures that evade these potential threats. According to Chopra & Chaudhary
(p. 247), risk control enables a company or organization to be more confident in its
decisions. From an organizational perspective, risk management is crucial in that it
creates a secure working environment for customers and staff; it increases the stability
and convenience of business operations while decreasing legal liability; it protects all
the people and assets involved in a business from potential harm; it aids in establishing an
organization's insurance operations; and, eventually, it protects an organization from
detrimental events. The essence of combining patient safety and risk management is to
incorporate indifferent leadership, scope and goals.
2. Implementation of Policies
a. ISMS policies
An Information Security Management System (ISMS) is crucial to any organization or
company as far as its security is concerned. It enables the organization to manage, review,
monitor and, most importantly, improve its information security practices. An ISMS also
contains the controls, procedures and policies designed to satisfy three information
security objectives: integrity, confidentiality and availability.
Integrity refers to keeping data complete and accurate. Confidentiality refers to ensuring that
an organization's data wil...
