Showing posts with label ISO27001. Show all posts

Thursday, 13 September 2012

UK Government release 10 Steps to Cyber Security advice sheet

The UK government via CESG, the Information Security Arm of GCHQ, have recently released a document entitled “10 Steps to Cyber Security”. The full document is available at http://www.bis.gov.uk/assets/biscore/business-sectors/docs/0-9/12-1121-10-steps-to-cyber-security-advice-sheets.pdf

The 10 areas of focus within the document are given two pages each for further review and are as follows:

Home and Mobile Working
User Education and Awareness
Incident Management
Information Risk Management Regime
Managing User Privileges
Removable Media Controls
Monitoring
Secure Configuration
Malware Protection
Network Security

Overall, it is very important that the government are being proactive in highlighting the online threat landscape for businesses, and the references to control frameworks such as ISO 27000 are welcome. On the other hand, the fact that third-party service providers and [often exploited] online interfaces are not referenced appears to be a massive oversight. Unfortunately, many of the control frameworks are not easily found online. For example, the controls referenced are familiar from the PCI DSS, ISO 27000, the Code of Connection, Public Sector Network and IL3 requirements. Not all of these standards are freely distributed.

Sources of training and other informational material for the above would also be of enormous value to those perusing the document, as otherwise it appears to come to a ‘dead end’. Use of SANS, NIST and CIS for secure systems baselines and the ‘Think Privacy’ campaign for user awareness are examples of excellent resources. Other controls, achieved through the implementation of sound and considered policies for users, passwords and audit logs, can also draw on the SANS, NIST and CIS documents as well as Microsoft and other online resources.