Your own organisation will have procedures in place specific to them and their operations, so on top of the global standards you’ll have to guide you, there’s information in place to support you in your day-to-day tasks.

But, you’re not just protected by the guidance in place. Can you think of how else your systems might be protected?

Decorative image: Lock icon with ‘Cyber security’ written beside it

Security products and evaluations

The security products you use have to go through strict measures, ensuring they receive certifications, meet the common standards set by the ISO and others, and complete their security level testing. Not only are there standards for you to follow, but the tools you use too. Time for a little more detail on this…

Security products and certification

Security related products require a measure of confidence that the security enforcing functions they deliver are implemented properly. The industry regulates the claims made by vendors through product certifications. These involve testing by an independent body specialising in security evaluation.

In the past, evaluations have primarily been carried out by, or on behalf of, government agencies. However, this approach meant certifications were at a national level, so products certified in the US needed to be re-certified in the UK. This was a cost that the vendor had to bear so wasn’t often pursued.

The common criteria

The Common Criteria for Information Technology Security Evaluation (CC), based on ISO 15408 is the latest method which moves away from national level certifications to ones that are transferrable across borders.

Each time a product – known as the target of evaluation (or ToE) – is tested under ISO 15408, it’s evaluated against security criteria known as the security target. After the evaluation it achieves an evaluation assurance level, the EAL, ranging from 1 (the lowest) to 7 (the highest). This specifies how thoroughly the product has been tested.

Security testing and EAL

Evaluation Assurance Level is a category ranking assigned to an IT product that indicates to what level it was tested. The highest EAL only applies to products that have been thoroughly tested and evaluated, down to the level of code analysis and mathematical modelling of failure conditions. As EAL 7 is a very expensive process, very few products attain this level of confidence, typically only military grade cryptographic devices.

The NCSC, CPA and CTAS

The National Cyber Security Centre is an organisation of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats. Included in this, the NCSC provides Commercial Product Assurance (CPA) on Smart Meters and smart metering products. THE NCSC also have approved test laboratories (such as the British Standards Institute) who can carry out services such as the Tailored Assurance Services (CTAS) do where they evaluate the IT security attributes of a system. For more from NCSC on product testing click here.

Another Essential Partner for the NCSC is the Information Assurance for Small and Medium Enterprises Consortium, who manage Cyber Essentials schemes to ensure the very basic cyber security controls are in place and effective. 

There are two levels of certification: Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials is a self-assessment option that gives you protection against a wide variety of the most common cyber-attacks. This is important because vulnerability to basic attacks can mark you out as target for more in-depth, unwanted attention from cyber criminals and others.

Certification gives you peace of mind that your defences will protect against the vast majority of common cyber-attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place. Cyber Essentials shows you how to address those basics and prevent the most common attacks.

Cyber Essentials Plus has the Cyber Essentials trademark simplicity of approach, and the protections you need to put in place are the same, but for Cyber Essentials Plus includes a hands-on technical verification which is carried out.

If you want to work with MOD, you’ll need to meet these MOD standards which build on cyber essentials foundation but are more robust depending on the cyber risk profile.

Other standards

Federal Information Processing Standards Publications (FIPS)

Federal Information Processing Standards Publications, known as FIPS PUBS in the US, are used to publish the most pertinent standards for their security industry. NIST will also test products and publishes a directory, similar to the Common Criteria directory, of products that have achieved various levels of security testing.

Many of these FIPS standards are transferable to the UK where the certification of a security product as FIP compliant, means it’s been tested by the US government NIST labs and assured against a specific level of testing. For example, FIPS 140-3 is the certification scheme for Security Requirements for Cryptographic Modules.

Capability Maturity Model (CMM)

CMM (Capability Maturity Model) and CMMI (Capability Maturity Model Integration) created at Carnegie Mellon University, provides a framework for organising evolutionary steps into five maturity levels that lay successive foundations for continuous process improvement. The main difference between CMM (Capability Maturity Model) and CMMI (Capability Maturity Model Integration) ISO/IEC 62443 is that the former focuses on evaluating whether an organisation completes specific tasks related to the process or not, while the latter focuses on building an architecture for the whole development process. Both CMM and CMMI have five stages in their model, but the stages are different from each other. While CMM has- Initial, Repeat, Defined, Managed, Optimised. CMMI has Initial, Managed, Defined, Quantitively Managed, and Optimised foundations.

Key points

Let’s take a look at some of the key points to take with you as you move through the rest of this Learning Path and course:

Enterprise security architecture principles include TOGAF, SABSA, Zachman.
Employee rights under the human rights act and the rights of organisations to monitor staff under Lawful Business Practices and Investigatory Powers Regulations if authorised.
Intellectual Property rights, including copyright, patents, trademarks, and trade secrets.
Computer Misuse Act and the four main offences.
Payment Card Industry Data Security Standard (PCI -DSS) defines regulations for credit card information storage, transmission, and processing.
Internet Engineering task Force (IETF) are the leading internet standards body, developing open standards to make the internet work better.
ISO 27001 ISMS standard requirements and ISO 27002 is the controls to implemented.
ISO 27005 information security risk management.
ISO 15408 Common Criteria evaluation of products.
Commercial Product Assurance (CPA) on smart metering products.
Cyber essentials and cyber essential plus base line for cyber security.
MOD cyber security build on top the cyber essentials for additional security.
Federal Information Processing standard (FIPS) cryptographic (encryption) assurance of products.
CMM (Capability Maturity Model) and CMMI (Capability Maturity Model Integration) ISO 62443 is an international series of standards that address cybersecurity for operational technology in automation and control systems.

Conclusion

So, now that you have a better understanding of what goes into the software you use, as well as the guidance provided for you, you should feel assured that a great deal of effort goes into ensuring that our information is protected on a global scale. It would be naive though, to assume that nothing ever goes wrong, so, you also need to understand Security Incident Management and gather the tools necessary to deal with disruptions.