Maksim Kabakou - Fotolia
Security Think Tank: Use Cyber Essentials to kick-start outcomes-based security
What is the first step towards moving from a tick-box approach to security to one that is outcomes-based and how can an organisation test whether its security defences are delivering the desired outcome?
When a company undertakes a “security” audit, be it physical or electronic, it will typically use a check list to guide that audit. The temptation is then to use the check list to undertake a tick-box exercise that can be mainly carried out from the desktop.
The danger of such a desktop approach is that areas that are either not compliant or partially compliant with a security requirement might be ticked as being compliant “because it is being worked on” or “because work is being planned” or because “Joe or Jane said it was OK”. Another problem is that, over time, a company’s environment will change, thus necessitating a check list update, which often is not done. In essence, a “tick box”approach can lead to a false sense of security.
So how does a company move forward to a meaningful and effective way of assessing its security? For a start, check boxes as such are not dead, but rather they need to be nuanced. By that, I mean that for any given security requirement (or standard), there are a number of check boxes, ranging from fully compliant (with the requirement) through nearly, partially to non-compliant.
A narrative box would also be required to identify what was found and what needs correcting, its risk profile and a date set for when corrective action should be completed. By implication, this means that a company must have a set of security policies and associated security standards and procedures. These must be endorsed and actively supported by the company’s board (top down).
My recommended starting point for IT security is to adopt the IASME Cyber Essentials (CE) certification route. IASME is one of five companies appointed as accreditation bodies for assessing and certifying against the UK government’s Cyber Essentials Scheme.
There are two IASME work-books available – one covers the basic IT security CE certification, and the other covers both IT security and governance, including General Data Protection Regulation (GDPR) CE certification. These work-books identify a set of requirements, and associated with each requirement is a narrative box (not a check box).
Read more Security Think Tank articles about achieving outcomes-based security
Once complete, a CE work-book can be submitted to IASME for an independent review – there is a small fee of £300 for the basic CE and £400 for the IT and governance CE, both plus VAT. If successful, a certificate will be issued but, in all cases, feedback will be given.
Having gained a CE certificate and possibly undertaking any suggested corrective work, a company might want to test its IT security defences. If Cyber Essentials Plus certification is the company’s goal, then this is done by engaging a third-party company to undertake both external (internet-based) and internal tests of the IT infrastructure.
The cost for such an evaluation is determined individually for each company. See the IASME website for more information and a link to the NCSC website for the CE IT security test specification.
Should a company be comfortable with Cyber Essentials certification – be it the Basic or the Basic Plus governance – rather than a Cyber Essentials Plus certification but still wants some form of test of its security defences, there are a number of companies that offer automated internet-based vulnerability security testing. My suggested search criterion is “vulnerability scanning service”.