A new cyber-security certification scheme has been launched to help organisations defend themselves against Internet-borne threats.
The Cyber Essentials Scheme has been developed by the Department for Business, Innovation and Skills (BIS) and CESG, the Information Security arm of GCHQ. Its free-to-download guide can be used by any organisation as guidance for implementing essential security controls.
The scheme, part of the National Cyber Security Strategy, also provides the means for organisations to gain one of two new Cyber Essentials badges, which they can display to demonstrate to their customers that they have taken steps to ensure their cyber-security.
Launching the scheme this morning, Universities and Science Minister David Willetts said: “The recent GOZeuS and CryptoLocker attacks, as well as the eBay hack, show how far cyber-criminals will go to steal people’s financial details, and we absolutely cannot afford to be complacent.
“We already spend more online than any other major country in the world, and this is in no small part because Britain is already a world leader in cyber-security. Developing this new scheme will give consumers further confidence that business and government have defences in place to protect against the most common cyber-threats.”
The Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to develop the set of basic technical controls for organisations to apply.
Companies will be provided with a step-by-step framework involving five key controls: boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management.
Companies can then complete a self-assessment questionnaire, with responses independently reviewed by an external certifying body, to gain a Cyber Essentials badge. A Cyber Essentials PLUS badge is also available, with companies required to undergo independent tests of their systems by an external certifying body.
Security companies responsible for these checks will be accredited by CREST, the not-for-profit organisation that represents and certifies the information security industry, which helped develop the assessment framework for the scheme.
“Not all organisations have the resources available to invest in the most rigorous levels of information security and compliance. Cyber Essentials addresses this by creating a baseline for UK cyber security,” explains Ian Glover, president of CREST.
“By assembling and working with a forum of industry and technical experts, CREST has built an assessment framework optimised for the Cyber Essentials Scheme that will ensure organisations of all sizes and from all sectors can be properly and independently assessed to have the key technical controls in place to manage cyber risks.”
From 1 October 2014, government will require all suppliers bidding for certain personal and sensitive information handling contracts to be Cyber Essentials certified, and a number of insurers have announced plans to incentivise accreditation.
Jamie Bouloux, Cyber Liability underwriting manager of insurance firm AIG, said: “As part of our commitment to the programme, we will incorporate Cyber Essentials into our risk assessment process for new cyber insurance policies, offering preferential rates to those prospective AIG clients who have obtained a Cyber Essentials Certificate as part of our commitment to superior cyber hygiene and overall cyber risk management.”