
New cyber security guidelines and certification scheme proposed by UK government

Out-Law News | 08 Apr 2014 | 6:39 pm

Businesses that meet specified basic standards of cyber security will be able to obtain an independent certification of compliance with those standards under a new scheme proposed by the UK government.

The Department for Business, Innovation & Skills (BIS) has published new guidance for businesses on how to mitigate the risk of cyber attacks (18-page / 361KB PDF). The guidance is predominantly aimed at SMEs, it said.

Alongside the 'cyber essentials' guidelines, it has published a proposed new "assurance framework" which it said will allow businesses that adhere to the guidelines to obtain a certificate acknowledging the robustness of their cyber security measures.

"The cyber essentials scheme identifies the security controls that organisations must have in place within their enterprise IT to have any confidence that they are mitigating the risk from internet-based threats that use 'commodity' capabilities, i.e. capabilities that are freely available on the internet," the government said in outlining its proposed assurance framework.

"Organisations are free to implement the requirements within their organisation as appropriate. However, some organisations may want independent assurance that they have fully implemented the controls, whilst others may need to demonstrate to a third party as part of a business transaction, such as contracting," it said.

The proposed certification scheme, which the government is consulting on until 7 May, has three tiers.

"The framework will provide degrees of confidence that the controls defined in the requirements document have been implemented correctly," the government said. "The degree of confidence will be based upon the rigour of the assessment. There will be three levels or tiers of rigour. Organisations will be able to select the level of rigour that best meets their needs or the needs of their customers. Independent organisations will be available to provide assessments at each level and certify that an organisation has successfully implemented the controls."

According to the new cyber essentials guidelines, businesses should use "boundary firewalls, internet gateways or equivalent network devices" to protect against cyber attacks.

The guidelines set out minimum technical standards that businesses should reach when installing firewall protections or equivalent measures to defend their data and systems from cyber attacks. These include setting strong administrative passwords, putting in place appropriate control and supervision over decisions to allow certain traffic to pass through the firewall, and applying default settings to block certain unapproved services or those "typically vulnerable to attack".

The guidelines also warn businesses of the need to securely configure new computers and devices and, to achieve this, advise that companies disable unnecessary software and user accounts, among other recommendations.

Businesses were also advised on how to effectively manage user access to information, applications and computers. The guidelines said that "all user account creation should be subject to a provisioning and approval process" and that only a "limited number of authorised individuals" should be given special access privileges. The guidelines also said that details about special access accounts should be "documented, kept in a secure location and reviewed on a regular basis".

The guidelines also contained further advice on how businesses can protect themselves against malware and on managing software updates and security patches. They warned businesses against running unsupported software.

"Any computer and network device that runs software can contain weaknesses or flaws, typically referred to as technical vulnerabilities," the guidelines said. "Vulnerabilities are common in many types of popular software, are frequently being discovered (e.g. daily), and once known can quickly be deliberately misused (exploited) by malicious individuals or groups to attack an organisation’s computers and networks."

"Vendors of software will typically try to provide fixes for identified vulnerabilities as soon as possible, in the form of software updates known as patches, and release them to their customers (sometimes using a formal release schedule such as weekly). To help avoid becoming a victim of cyber attacks that exploit software vulnerabilities, an organisation needs to manage patches and the update of software effectively," the guidelines added.

"Software should be kept up-to-date. As a minimum: software running on computers and network devices that are connected to or capable of connecting to the internet should be licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available," the guidelines said.

Software updates should, at a minimum, be implemented within 30 days of their release, whilst security patches specifically should be installed within 14 days of their release, the guidelines said.

The new guidance follows previous steps the government has advised businesses to take to reduce their vulnerability to cyber attacks. The government has previously signalled its intention to create a new cyber security standard for businesses, based on the existing ISO27000-series of standards.