Security and privacy considerations interview pt1

In this course on virtualisation and cloud computing, you will learn about the advantages of the cloud, how it works and cloud model types. You will also explore the security and privacy issues, commercial risks, and service controls involved in cloud computing and virtualisation.


The fourteen National Cyber Security principles were designed by the National Cyber Security Centre to help protect data in transit, data going across different networks, physical security, personal security, incident handling, resilience, maintaining the CIA - the confidentiality, integrity, and availability. So, people cannot gain unauthorised access to the data, the data's not being modified or changed, and accessibility of the data when required when using the Cloud. But obviously these are interoperable, so they can be used in other areas of cyber security.

So, data in transit is where data goes across a network. And that can go in different ways, so we tend to use something called IPSec, or IP security. So, data when it's moving across a network, will use either tunnel mode, now tunnel mode is where your data is encapsulated into security and that will be-, an example of that would be a VPN, a Virtual Private Network. Transport mode security, which is the other method that we use, would be very similar to using WhatsApp, so you have end-to-end encryption, so your data's protected at both points so people can't access that information. The key element of data in transit is the adequate protection and trying to prevent people from tampering, and eavesdropping, and accessing your data.  

So, asset protection and resilience is referring to the storage and processing of your data. Now the storage can be virtually, and obviously it's going to be in the Cloud, but it can also talk about physical storage as well, so that obviously has an impact depending where you are in the world. So, in the UK, we operate under UK GDPR, General Data Protection Regulations, and the Data Protection Act, so that would obviously be the basis of how our data's stored, managed, and processed. So, in terms of physical management of it, that would obviously be done by people in the business, maybe having different security mechanisms in place. Intangible, which obviously is a key element as part of this process is talking about brand and reputation. A lot of companies have suffered data breaches and as a consequence of that, their branding image has been affected so if they can do anything to help, like a media policy to help bring that reputation back, that can be quite a saving grace for companies, so.

So, separation of users is talking about different users accessing the data. Now if one user gets attacked through a phishing email or spear phishing, which is a targeted attack, what we don't want is the ripple effect, where it affects not just the user but affects other people in the business or company. So, what you want to do is restrict that just to that one user if any damages happen, and it could be maliciously or it could have been accidentally, and that's some of the things we have to refer to in this one. We may also want to have separation of controls. Sometimes separation of controls means that one person doesn't authorise everything, you might have two people signing things off, like someone signing off a cheque. Obviously, it doesn't stop collusion, but it still can help mitigate these types of things. The Barings Bank was a good example of that one where Nick Leeson was writing his own cheques without any oversight. And then we've also got the public Cloud, which is what people can access but the problem with public Cloud is other people can access that information potentially if they're malicious. Private Cloud, obviously it's restricted to the people who are using those. Hybrid is a mixture of private and public. And then community cloud is normally a locked down version of users, like people in the energy industry working together.

So, governance framework is, obviously as the keyword there - governance, is talking about leadership and getting direction from the board. So, the board is strategic level, they have to give the lead for the business and direct the business in how to deal with maybe cyber security. So, this obviously then has to be broken down into different elements within the business itself, so we need clear direction from them and obviously that will probably come with information security. So that would be the chief information security manager will probably be able to distribute the guidance in relation to the use of security and compliance, and auditing as part of that process. An example of that would be the PCI DSS, which is the Payment Card Industry Data Security Standard. Obviously, we have regulatory requirements which obviously have to feature as part of this, and this is a good example of one, credit card data, handling credit card data. So, we're talking about the storage, processing, and transmission of credit card data, and this could also include, for example, somebody accessing wi-fi, making sure their wi-fi connection is secure. Because if you don't have secure wi-fi connection, quite easily someone could infiltrate that and get access to-, unauthorised access to your data.   

So, operation security configuration management is talking about your products, your systems, being tested. So, if we take for example your overall network, and from a Cloud's security perspective, we want to make sure that we are protected against threats. And the types of things you might use is a technique called Nessus, which is a vulnerability scanning tool, which can test networks to see if there's any vulnerabilities and let us know about that. For testing websites, that would be using Burp Suite, and that would give us-, it's a vulnerability scanning tool and technique that would identify any vulnerabilities and issues. In terms of SIEM, Security Information Event Management, we might have, for example, at two o'clock in the morning when people are not around, suddenly you get about ten or fifteen thousand password resets happening. And for a company that's only operating mainly nine to five, that potentially could indicate to you that you've had a compromise, and someone is trying a brute force attack to launch against your organisation. So, we-, obviously that has to be flagged up, that normally would be some form of parameter set up to alert us about that. The security operation centre would then inform the IT team to look into that and deal with that situation.

So, personnel security is obviously to do with trust, you know, you've got new people joining the company, so they would have to have some form of vetting. So that could be security vetting, it could be through the Government's baseline protection scheme in terms of classification and clearance. It could also be through screening, getting the vetting of people who are joining your company. Checking your credit rating, and then obviously through training and this has to be done on a regular basis, you know, you should be doing this at least annually, not just a one-stop shop, so that has to be done quite regularly.  

So secure development process is talking about the design of your network, which could be, you know, cradle to grave so that the entire start of the phase of the design, security's gotta be baked in right at the beginning. And then obviously has to be tested on a regular basis to make sure that you've not got any coding issues which could be exploited, no vulnerabilities, no problems where, for example, where people might want to have privileged escalation when they shouldn't have access, it should be access only from a user’s perspective, not from a privileged access. Testing it regularly, we use something called the Deming cycle, which is plan, do, check, act. So, when we go through any process, any iteration of something that's being released, we have to check it to make sure it's valid, it's not causing any issues to the network and can be integrated without any security issues.
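
The SIEM alert described in the operational security section above (a burst of password resets at two in the morning for a nine-to-five organisation) can be sketched as a threshold rule. This is an added example, not part of the course material; the log format, the 09:00-17:00 weekday window and the threshold of 1,000 resets per hour are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

BUSINESS_HOURS = range(9, 17)  # assumption: 09:00-16:59 local time, Mon-Fri
THRESHOLD = 1000               # assumption: resets per hour that warrant an alert

def is_off_hours(ts: datetime) -> bool:
    """True at weekends or outside the business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def parse(line: str):
    """Parse 'ISO-timestamp event=<name> user=<id>' into (datetime, event)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv.get("event")

def off_hours_reset_alerts(lines, threshold=THRESHOLD):
    """Return [(hour, count)] for off-hours hours whose reset count exceeds threshold."""
    buckets = Counter()
    for line in lines:
        try:
            ts, event = parse(line)
        except ValueError:
            continue  # skip malformed lines rather than abort the whole run
        if event == "password_reset" and is_off_hours(ts):
            buckets[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return sorted((h, n) for h, n in buckets.items() if n > threshold)

def constructed_sample():
    """Constructed log: 12,000 resets from 02:00 on a Tuesday plus normal daytime activity."""
    night = datetime(2024, 3, 5, 2, 0, 0)
    day = datetime(2024, 3, 5, 10, 0, 0)
    lines = [f"{(night + timedelta(seconds=i % 3600)).isoformat()} "
             f"event=password_reset user=u{i}" for i in range(12000)]
    lines += [f"{(day + timedelta(minutes=i)).isoformat()} "
              f"event=password_reset user=staff{i}" for i in range(20)]
    lines += [f"{day.isoformat()} event=login user=staff1", "garbage line"]
    return lines

if __name__ == "__main__":
    for hour, count in off_hours_reset_alerts(constructed_sample()):
        print(f"ALERT {hour.isoformat()} password_reset count={count}")
```

The daytime resets and the malformed line produce no alert; only the 02:00 bucket crosses the threshold and would be passed to the security operations centre.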



About the Author

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.