A Critical Analysis Report | My Assignment Tutor

Information Assurance and Risk Management
White Paper
A Critical Analysis Report

In this white paper the author draws the attention of the executive to the personal and organisational risks they face, how information assurance and risk management best practices can guard against ever-increasing cyber security threats, and how Cerious Cybernetics Corp can create opportunities with customers and suppliers who value independent reassurance.

Contents
Introduction ..... 3
Executive Summary ..... 4
News Headlines ..... 5
Challenges for CCC ..... 5
Using Standards ..... 6
Selecting Standards ..... 7
Implementing Standards Frameworks ..... 8
Risk Management ..... 9
Assessing Risk ..... 10
Current Risks, Vulnerabilities, Threats, and Hazards ..... 10
Risk Management in Action – An Example ..... 11
Assurance and Certification ..... 11
Organisational Structure Considerations ..... 12
Ransomware and Service Improvement Plan (SIP) ..... 12
Future Risk and Assurance Challenges ..... 15
Summary ..... 15
Acronyms and Abbreviations ..... 16
References ..... 16
Resources ..... 21
Appendix A Assumptions ..... 22
Appendix B Legislation, Regulation, Contractual ..... 23
Appendix C Policies ..... 27
Appendix D Assets ..... 33
Appendix E Statement of Applicability ..... 34
Appendix F Supporting Standards ..... 41
Appendix G ISO27k_ISMS_implementation_and_certification_process_v4.pdf ..... 44
Appendix H Common Threats and Hazards ..... 45
Appendix I Mapping ISO to NIST ..... 48
Appendix J Future Risks ..... 49
Appendix K Organisational Structure ..... 53

Introduction
‘Cerious Cybernetics Corp.’ (CCC) is a private cybernetics research and development company that requires fit-for-purpose, robust and comprehensive information assurance and risk management policies, procedures and practices. These must deliver successful information assurance for the business through cutting-edge and relevant risk assessment, treatment and management, both in the current climate and for future provision.

CCC competes in the research and development market, which according to Gould and Bender (2015) and the DoD (2016) has increased in value from USD $63.5BN in 2015 to USD $71.8BN in 2017. In the UK, around half of the £410 million Ministry of Defence (MOD) science and technology (S&T) research is outsourced to the commercial market by the Defence Science and Technology Laboratory (DSTL), and the DSTL (2014/2016) advises that this will be increasingly outsourced.

Cerious Cybernetics Corp. has its headquarters in London, England, employing a total of 60 full-time staff and, at any given time, upwards of 20 agency staff. The headquarters is the location for the core business functions such as Human Resources, Finance, IT, data governance, legal resources and service level agreements (including those for customers and with the agencies supplying staff).
CCC currently has a number of ongoing research and development contracts, including with the UK Ministry of Defence and the United States Department of Defense.

Following extensive critical analysis and research of their expected operational needs at present and over the next five years, they have requested a white paper to act as a detailed and critical guide that will inform the Cerious Cybernetics Corp. executive about information assurance (from a combined managerial, organisational and technical perspective) and risk management (from an organisational context). The white paper will aid Cerious Cybernetics Corp.’s understanding and, ultimately, its ability to decide which policies and procedures need developing and implementing within the organisation, and will also ensure that any associated resource implications can be successfully supported.

The Cerious Cybernetics Corp. executive has further requested a sample Service Improvement Plan (SIP) within the white paper as part of the wider review; specifically, they want the detailed explanation to focus on the scenario of ransomware. Cerious Cybernetics Corp. is keen to establish improvements or initiatives which will ensure that their IT function, including infrastructure and data, is kept secure.

Executive Summary
The executive of Cerious Cybernetics Corp (CCC) can be held personally liable for failings of their fiduciary duties (Companies Act 2006, Chapter 2 General Duties of Directors). Through a misfeasance claim, directors can be held personally liable for the diminished value of company assets, such as the loss of Intellectual Property, or for the failure of the company (The Insolvency Service 2011).
Both are possible outcomes of a serious data breach or a loss of critical systems, which could see customers lose confidence in the company and the value of its assets reduced. It is expedient that directors and company officers fund and direct measures to secure information and manage risks, thereby demonstrating reasonable care, skill, and diligence.

Calder (2009) explains there are four main reasons CCC need to implement Information Assurance (IA) and Risk Management (RM):
- Strategic – requirements within contracts and rules governing the nature of business relationships imposed by the government, and a decision by the board to better manage information security for the business
- Customer and Supplier confidence – by demonstrating to customers and suppliers, through the use of independent assurance and certification, that the company has adopted and implemented information security best practice, CCC can gain a competitive advantage in the market. According to MacLennan (2014) assurance implies confidence that the organisation has done the right thing
- Regulatory – to meet statutory and regulatory requirements which are common to all business and also specific to this market sector
- Internal effectiveness – to make the organisation more efficient and effective when managing information, and to reduce the risk and impact to the business of any event or data loss

By providing the right level of assurance CCC can secure new opportunities in a growing market (Gould and Bender 2015, DSTL 2014/2016). Without suitable levels of assurance new opportunities will be difficult to secure, market share for CCC will reduce, and organisational efficiency will not be realised.
CCC’s customers and suppliers prefer to trade with companies who can demonstrate IA and RM, as it is to their benefit too.

The following white paper informs the executive of the responsibilities defined within law, applicable regulations and contractual obligations; the challenges and considerations the organisation faces today and into the future; and the concepts and methods for implementing IA and RM. A ransomware case study is used as an example to demonstrate how IA and RM can serve the needs of the organisation and its stakeholders.

News Headlines
How would the Board of Cerious Cybernetics Corp. like the news headlines to read?

Challenges for CCC
CCC must comply with contractual obligations, laws, and regulations in the two principal countries where it operates: the UK, where it maintains its headquarters and develops for the Ministry of Defence (MoD), and the USA, where it develops under contract to the Department of Defense (DoD). As a business CCC must comply with regular business law and practices. Additionally, CCC operates in the military research and development (R&D) arena, which brings an additional level of governance, regulation and contractual obligations that are itemised in Appendix B Legislation, Regulation, Contractual.

The key asset for the business is the Intellectual Property (IP). Given that this IP is military in nature, the information governance standards imposed are extremely rigorous. Not only does CCC handle their own IP but they are entrusted with IP from other organisations. Complying with the standards imposed, and being able to demonstrate that CCC can be entrusted with sensitive information, is critical to the success of the organisation.

The executive will want to achieve the information security goals of Confidentiality, Integrity, Availability, Authenticity, and Non-Repudiation so that CCC can lower risks, operate efficiently, sell more, and service customer requirements.
[Figure: news headlines without and with information assurance and risk management. Failure (without): “Cerious Cybernetics Corp hit by ransomware attack and cannot recover critical data systems!”; “Cerious Cybernetics Corp hacked and Intellectual Property stolen!”; “Cerious Cybernetics Corp loses core customers”; “Cerious Cybernetics Corp required to pay a record settlement for loss of DoD Intellectual Property”. Success (with): “Cerious Cybernetics Corp wins award for fastest growing company in its sector, director attributes business growth to information assurance”; “Cerious Cybernetics Corp wins lucrative new product development contract”; “Cerious Cybernetics Corp annual revenue exceeds expectations”; “Information assurance and risk management pays dividends for Cerious Cybernetics Corp”.]

With only two main customers, the risk associated with failing to comply with the customers’ obligations could cause a fatal loss of business.

Calder (2009) states there are four key objectives for implementing Information Assurance and Risk Management:
- Strategic – requirements within contracts and rules governing the nature of business relationships imposed by the government, and a decision by the board to better manage information security for the business
- Customer and Supplier confidence – by demonstrating to customers and suppliers, through the use of independent assurance and certification, that the company has adopted and implemented information security best practice, CCC can gain a competitive advantage in the market
- Regulatory – to meet statutory and regulatory requirements which are common to all business and also specific to this market sector
- Internal effectiveness – to make the organisation more efficient and effective when managing information, and to reduce the risk and impact to the business of any event or data loss

These four objectives intersect in the following diagram from Calder (2009), which shows that an Information Security Management System (ISMS) can satisfy all four objectives.

Figure 1 Four Objectives of an Information Security Management System (ISMS)

Using Standards
Protecting and strengthening the business through Information Security (IS) should be a priority, but implementing IS is not about buying technology solutions. The ISO/IEC 27002:2017 standards document states that “Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions”. Adopting a widely recognised framework helps guide the identification, assessment, selection, and implementation of controls. Customers and suppliers want to see a common framework so that measurability and assurance are achieved without prohibitive cost and effort to validate the organisation’s security posture.

Information Assurance (IA), says MacLennan (2014), is the confidence that the organisation has done the right thing, based on standards and independent verification. An organisation may have the best or worst information management practices, but without a common measurement scale against which to judge their effectiveness it would be difficult and expensive to seek assurance of other organisations or to provide assurance of CCC. NIST (2014, Framework for Improving Critical Infrastructure Cybersecurity) says that standards frameworks are a mechanism and taxonomy by which adherence can be measured.

The BSI’s Small business guide to standards lists ten things standards can do for CCC:
1. Improve your goods and services
2. Prove your commitment to quality
3. Obtain new and keep existing customers
4. Sharpen your business processes
5. Cut costs – and drive profitability
6. Help ensure regulatory compliance
7. Give your firm a competitive edge
8. Help you to innovate
9. Support your export efforts
10. Strengthen your marketing pitch

Standards will help with innovation as they allow a common vocabulary for communications between organisations.
You can then describe the products and services you offer in marketable terms, with increased acceptance and adoption from customers, as it removes the perception that products and services are proprietary. Standards frameworks enable increased speed in bringing products to market and allow patents to be drawn up. Standards deliver competitive advantage (BSI, Innovation: The role of standards, no date).

Selecting Standards
There are three important standards frameworks that CCC should adopt, as they are used and specified by the two main customers. These are widely adopted, not proprietary, and offer assurance from an independent body.

The three standards which provide independent assurance and certification are:
- ISO 27001
- Cyber Essentials Plus
- NIST 800-53

The various ISO/IEC standards, supported by British Standards, are designed to interoperate and can be developed by the organisation over time.

The ISO 27001 standard is increasingly being demanded by customers and therefore increasingly being implemented by suppliers. Certifications for ISO 27001 increased by 18% in 2011 (Calder 2013) and 20% in 2015 (ISO 2015). This standard integrates with ISO 31000 & 31010 Risk Management, ISO 22301 Business Continuity, ISO/IEC 20000 Service Management, and ISO 9001 Quality Management. It is supported by ISO 30301 Records Management, BS 7858:2012 People and HR Security, ISO/IEC TR 18044:2004 Incident Management, BS ISO 28000 Supply Chain, and BS 13500 Organisational Governance. Further information about these and others can be found in Appendix F Supporting Standards.

Under the Defence Cyber Protection Partnership (DCPP) Guidance Update (2016), CCC must at a minimum obtain a Cyber Essentials Certificate to undertake new contracts with the MoD. According to the Cyber Security Model (CSM), each new MoD contract awarded will be subject to a risk assessment and, due to the sensitive information that CCC handles, a cyber-risk level of “High” might be expected.
This would require CCC to obtain Cyber Essentials Plus, which requires independent testing of systems. The DCPP’s CSM also requires CCC to complete a supplier assurance questionnaire to demonstrate, via an auditable self-assessment, that information security will be provided against the level of risk assessed. Furthermore, according to Insley of Defence Commercial (2017), it will be necessary in the future to apply the same degree of rigour to subcontracts from CCC to its suppliers.

Cyber Essentials is a somewhat narrowly focused framework that is limited to boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. Cyber Essentials is required in addition to ISO 27001.

NIST is another applicable standard as it is adopted by the DoD. The DoD in 2014 stated in Instruction Number 8510.01, policy statement b, that the DoD would adopt a Risk Management Framework (RMF) consistent with the principles of NIST Special Publication (SP) 800-37, and in policy statement d that system categorisation must be done in accordance with Committee on National Security Systems Instruction (CNSSI) 1253, and that security controls from NIST SP 800-53 be implemented and assessed by the procedures detailed in NIST SP 800-53A. This approach supersedes the previously used DoD Information Assurance Certification and Accreditation Process (DIACAP). The DoD, reports Marzigliano (2014), is taking a more risk-focused approach, using NIST for assessment & authorisation, risk assessment, risk management and dynamic continuous monitoring practices.

As explained in NIST SP 800-37, the RMF aims to provide continuous monitoring of risk so that near real-time risk management can be achieved while allowing senior leadership to make cost-effective risk decisions for IT systems.
It also promotes security by design so that architectural design and development deliver secure systems, links information risk management processes to organisational risk management processes, and defines responsibility and accountability for the security controls that have been deployed.

NIST has the advantage over ISO in that it is freely available, whereas ISO standards documents are paid for per document. Cyber Essentials is also freely available. All require a fee for assurance and certification activities.

Given that the ISO 27000 family of standards is one of the most widely recognised standards for information security, complements and aligns to NIST (as seen in SP 800-171 Appendix D), and covers the Cyber Essentials framework elements, it is suitable for CCC to adopt it as a master framework while the majority of the business comes from the MoD.

More information on applicable standards can be found in Appendix F Supporting Standards.

Implementing Standards Frameworks
The stages for implementing the ISO 27000 security framework are summarised as a diagram in Appendix G ISO27k_ISMS_implementation_and_certification_process_v4.pdf.

The early stages require senior management to provide strategy, direction, resources and support to help define the scope. The next stage is to create an inventory or catalogue of assets. Assets are the things that need to be protected, and for CCC this includes information systems, data, and intellectual property. Once the assets are known they can be assessed for risks, followed by a decision on which risks need to be addressed. These decisions are recorded in a Statement of Applicability (SOA). See an example SOA in Appendix E Statement of Applicability.

Risks that need to be addressed are added to a Risk Treatment Plan (RTP) that defines how and when the risk will be addressed.
After this an ISMS programme is initiated to implement the ISMS. Guidance on implementation is available in ISO/IEC 27003.

After implementing the ISMS programme, the ISMS will need to be maintained through regular risk reviews and decisions about enhancements to controls, often referred to as continuous improvement, and driven by a Service Improvement Plan (SIP).

Risk Management
The removal of information security risk, and the assurance that the risks have been addressed, is the purpose of the information security frameworks. Risks need to be identified, recorded and assessed. The outcome of a risk management cycle should be an understanding of the identified risks in terms of likelihood and consequences. This allows prioritisation within a risk treatment plan (RTP).

Guidance is available in BS ISO/IEC 27005:2011 for information security risk assessment. It is a focused subset that references the BS ISO 31000 risk management principles and guidelines document, and BS EN 31010:2010 risk assessment techniques.

The stages according to BS ISO/IEC 27005:2011 are:

Context establishment: Setting the scope to be a set of systems, a department, or organisation wide.

Risk assessment: This includes
- Identification of the risks: A good starting point would be to look at the controls in ISO 27002 and understand, for each asset, which controls are missing. Other risk identification may come from audit reports or management consulting reports.
- Analysis of the risk: What is the likelihood (the expected frequency or probability) and what are the consequences (in terms of disruption or financial impact)?
- Risk evaluation: How important is the risk? Some risks may not need treatment. Others will be a priority.
Risks need to be recorded on the risk register.

Risk treatment: The treatment options are
a) reduce or modify the risk
b) accept or retain the risk
c) avoid the risk
d) share the risk (insurance or subcontracting to a third party)
If a control is needed, consider the treatment options in terms of ISO 27000, Cyber Essentials, and NIST controls. These controls probably cover the majority of the security controls required, but others may also be needed.

Risk acceptance: The risk treatment plan (RTP), accepted risks, and residual risks require managerial approval that the organisational needs will be met.

Risk communication: Information is shared between decision makers and stakeholders so that it is clear what decisions have been taken and why.

Risk monitoring and review: The introduction of new assets, changes in threats or vulnerabilities, changes to the impact and consequences, and security incidents are amongst the reasons for monitoring and reviewing. Maturity models typically rate maturity from 0 (non-existent) and 1 (the least coverage for the control) up to 5 (where the control is fully matured). Review the risk mitigation controls against a maturity model such as BS ISO/IEC 15504 (or COBIT, CMMi, OPM3, SSE-CMM etc). An IG maturity model is published by ARMA (2013) and this provides a clear example of how a maturity model works. The maturity assessment score will guide improvements using the Plan-Do-Check-Act cycle or a similar service improvement plan (SIP).

Assessing Risk
Risks can have both positive and negative influences on the company. As the executive you will be asked to fund and prioritise activities based on risk, and you may have to justify your decision in the future. How do you know if the assessment of risk is correct? Would another person make the same assessment with the same information? Gigerenzer (2014) advocates absolute simplicity when calculating risk, using intuition and rules of thumb.
How, though, can the risk decision be defended? Freund and Jones (2015) present a risk assessment technique named FAIR (Factor Analysis of Information Risk), which presents risks in an intuitive way that can be consumed without needing a great deal of technical understanding about the risk.

The advantage of FAIR is that it presents risk information in a concise manner which is easily interpreted through the use of FAIR risk factors. The decisions based on this information are defensible, as they give sufficient information to understand how a risk was evaluated, compared to, say, a High, Medium, Low assessment based on a hunch or gut feeling. FAIR shows the assessed minimum, maximum and most likely occurrences along with the threat capability and threat community influencing factors. This information, when combined with the value assessment of your assets, will guide decisions for funding and prioritisation.

Risk assessment using FAIR has these phases, as summarised by Dixon (2009):

Phase I
- Identify the assets
- Identify the community of threats
Phase II
- Evaluate the Loss Event Frequency through estimation of the threat frequency, threat capability, and strength of controls to device the
Phase III
- Evaluate the Probable Loss Magnitude as a factor of monetary value for worst-case loss and estimated probable loss
Phase IV
- Derive and articulate risk

Although more quantitative than other methods, FAIR doesn’t address risk appetite or tolerance and does not address risk treatment, so it is only useful at an early stage of risk assessment according to Sutton (2014). It would be appropriate for the results from FAIR to feed into BS ISO/IEC 27005:2011 to redefine the context, review the risk assessment and create a risk treatment plan.

Risk identification can be asset led but may also consider cultural, political, legal, regulatory, financial, economic and competition factors at national and international level. Risk identification may also incorporate other sources such as management consultant or audit reports.
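A FAIR-style estimate of annualised loss, added here as an illustration of the phases above (it is not from the white paper or from Freund and Jones): minimum, most likely and maximum estimates for threat event frequency, vulnerability (threat capability against control strength) and loss magnitude are combined both analytically and by Monte Carlo simulation, before and after a treatment. All input figures are constructed placeholders, loosely following the home-working burglary scenario described in the next section.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A FAIR-style calibrated estimate: minimum, most likely and maximum value."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # Mean of the triangular distribution spanned by the three values.
        return (self.low + self.likely + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class FairScenario:
    name: str
    tef: Estimate            # threat event frequency: threat events per year
    vulnerability: Estimate  # P(a threat event becomes a loss event): capability vs controls
    plm: Estimate            # probable loss magnitude per loss event, GBP

    def point_ale(self) -> float:
        """Annualised loss expectancy from the mean of each factor:
        E[LEF] * E[PLM], where LEF = TEF * vulnerability."""
        return self.tef.mean() * self.vulnerability.mean() * self.plm.mean()

    def simulate(self, runs: int = 20000, seed: int = 42) -> dict:
        """Monte Carlo over one year: sample how many loss events occur
        (Poisson with the sampled LEF) and how large each one is. Returns the
        summary figures a FAIR report shows beside the point estimate."""
        rng = random.Random(seed)
        yearly = []
        for _ in range(runs):
            lef = self.tef.sample(rng) * self.vulnerability.sample(rng)
            events = poisson_events(lef, rng)
            yearly.append(sum(self.plm.sample(rng) for _ in range(events)))
        yearly.sort()
        return {
            "mean": statistics.fmean(yearly),
            "p99": yearly[int(0.99 * runs)],   # a bad year, not the worst year
            "worst": yearly[-1],
            "p_any_loss": sum(1 for loss in yearly if loss > 0) / runs,
        }


def poisson_events(lam: float, rng: random.Random) -> int:
    """Number of loss events in a year for an average rate lam (Knuth's method)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def risk_reduction(before: FairScenario, after: FairScenario) -> float:
    """Annual loss avoided by a treatment; compare it with the control's annual cost."""
    return before.point_ale() - after.point_ale()


# Constructed figures (not the white paper's, apart from the roughly 1 in 83 annual
# burglary chance and the GBP 50,000 average incident cost it cites). Assumes about
# ten staff working from home.
HOME_WORKING = FairScenario(
    name="Laptop and papers stolen in a burglary of a home worker's house",
    tef=Estimate(0.05, 0.12, 0.30),            # ~10 homes x 1/83 per year ~= 0.12 events/year
    vulnerability=Estimate(0.10, 0.30, 0.60),  # weakly protected device: data often recoverable
    plm=Estimate(10_000, 50_000, 250_000),     # GBP: handling, reporting, contract penalties
)

# The same threat after the treatment the text prescribes (strong encryption, strong
# passwords, auto-lock, auto-wipe): threat frequency is unchanged, vulnerability drops.
HOME_WORKING_TREATED = FairScenario(
    name=HOME_WORKING.name + " (encryption, auto-lock and auto-wipe in place)",
    tef=HOME_WORKING.tef,
    vulnerability=Estimate(0.01, 0.05, 0.15),
    plm=HOME_WORKING.plm,
)


if __name__ == "__main__":
    for scenario in (HOME_WORKING, HOME_WORKING_TREATED):
        print(f"{scenario.name}: point ALE = GBP {scenario.point_ale():,.0f}")
        print("  simulated:", {k: round(v, 3) for k, v in scenario.simulate().items()})
    saved = risk_reduction(HOME_WORKING, HOME_WORKING_TREATED)
    print(f"Annual loss avoided by the treatment: GBP {saved:,.0f}")
```

The simulated mean converges on the point estimate, while p99 and worst show the executive the size of a bad year, which a single High/Medium/Low label hides.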
Other methodologies are available, such as those offered by the Department of Homeland Security, NIST, OCTAVE and CMS; however, CCC should use BS ISO/IEC 27005:2011 for planning risk assessment, treatment, and monitoring, as it will align more easily with ISO 27001, and use FAIR where quantitative assessment is required.

Current Risks, Vulnerabilities, Threats, and Hazards
As summarised in Appendix H Common Threats and Hazards, many organisations face the same information security issues.

CCC also has military sector specific concerns regarding regulations and controls, contractual stipulations, Intellectual Property loss, espionage, advanced persistent threats (APT), information sharing, social media, country and customer specific variations, access and use of data outside of the office, use of personal devices, background checking of staff, and more.

The identified legislation, regulation and contractual considerations are listed in Appendix B Legislation, Regulation, Contractual. These drivers, along with an assessment of current controls, have guided the list of policies that will need to be written. The suggested policies are listed in Appendix C Policies, along with a suggested prioritisation based on the perceived risk.

Risk Management in Action – An Example
In List X (Cabinet Office, 2014) a number of compliance requirements are stated, including inspection, organisational structures, visitor restrictions, supervision requirements, contingency plans, marketing and sales, export controls, asset protection, and home working.

Looking specifically at the risk of home working data loss through theft, a concise risk management review is presented.

Identification: List X stipulates controls on home working to protect sensitive data.

Analysis: Burglaries in Hertfordshire boroughs, according to Police.UK (2017), are between four and six per thousand people.
Assuming an average dwelling occupancy of 2 people, that increases the odds to 12 per 1000, or a 1 in 83 chance (1000/12=83) that any house would be burgled, leading to the loss of equipment and data. The average cost of data loss and incident handling has been valued at £50,000. The loss of sensitive data would necessitate an incident reporting process and consume a lot of time and effort. Data may be recovered even when encrypted.

Evaluation: There is a contractual obligation to adhere to List X. The ramifications of uncontrolled data loss are significant, possibly leading to prosecution or fines and loss of contracts, so this needs to be a priority. Record the risk on the risk register.

Risk Treatment: There is currently no policy for remote or home working. A policy would address when it is appropriate to work from home and what authorisation is required, what classification of data is allowed to be accessed, and how assets should be secured when not in use.
Printed documentation and R&D models need to be stored securely when not in use, in locking furniture or a safe.
IT equipment will use strong encryption and strong passwords, and be enabled to auto-lock after an agreed time. After multiple failed login attempts the device will be configured to auto-wipe.
A risk assessment at the house may be required. Training and guidance are required as per List X requirements.
An incident reporting process and an incidents register are needed, with actions and defined responsibilities.

Communications: All staff will be made aware of the home working policy and controls.

Monitoring and Evaluation: A record of all incidents related to home working will be kept so that a future assessment can be made more accurately.
The policies and authorisations for home working will be reviewed quarterly.

Assurance and Certification
With the controls in place, measurements defined with guidance from ISO/IEC 27004, and Business Continuity Planning (BCP) using ISO 22301 having taken place, CCC should be able to satisfy an internal audit and a compliance review.

Now is the time for an independent assessment. The British Assessment Bureau (2014) states that ISO 27001 certification can be achieved in 10-12 weeks and that the certificate lasts three years, subject to at least annual reassessment. A Stage 1 audit assesses the current capabilities and defines the actions to complete before a Stage 2 audit, which is the verification audit after which certification can be recommended. This assessment is performed by an external accredited auditor who will decide if certification is the correct outcome.

Instead of traditional Certification and Accreditation (C&A), NIST SP 800-37 specifies six steps to apply the Risk Management Framework (RMF). In order, these steps are: categorise information systems, select security controls, implement security controls, assess security controls, authorise information systems, and monitor security controls. Independent assessment occurs, but the final decision for certification remains with the system owner.

Cyber Essentials assurance can be achieved in two stages: Cyber Essentials, which is largely self-assessed then verified independently, and Cyber Essentials Plus, which has a higher degree of assurance through independent vulnerability assessment. Recertification is required once a year, or more frequently if demanded by a commercial requirement.

According to the MoD (2016), Defence Assurance and Information Security (DIAS) is applicable to List X companies and requires that the Defence Assurance Risk Tool (DART) be used to register MoD industry partners who connect to MoD information systems or process data marked as OFFICIAL-SENSITIVE or higher.
The Risk Management Accreditation Document Set (RMADS) captures the threats, vulnerabilities, assets, risks and mitigations, and allows an accreditor to assess the risk posture and residual risk of a company. Depending on the method and information accessed, CCC could be out of scope, so further investigation is required to confirm applicability.

Organisational Structure Considerations
Although not directly applicable to CCC, the HMG (2014) guidance document Security Policy Framework gives an indication of the sorts of organisation structures for security that may be imposed in contract terms. Indeed, List X, supplied by the Cabinet Office (2014), requires that a board-level appointment who is responsible for security and a Security Controller who is responsible for day-to-day security activities must be in post. Both must be British Nationals. Given the size of CCC this could be the same person.

It is necessary to fully understand the role and responsibilities of the Security Controller, such as reporting security incidents involving MoD data to the MoD Defence Industry Warning, Advice and Reporting Point (WARP) in the Joint Security Co-ordination Centre (JSyCC).

A Clearance Contact is required to perform clearance of staff. This is especially important for CCC given the reliance on agency staff. It is also a requirement of List X to manage who has access to information, from visitors to staff.

The IT Installation Security Officer is to take responsibility for networks and IT delivery, and it is not envisaged that a Crypto Custodian is required at this time.

Organisation recommendations are made in more detail in Appendix K Organisational Structure.

Ransomware and Service Improvement Plan (SIP)
Ransomware is a threat that involves downloading malware on to the host device after triggering a macro delivered by a phishing or spam attack, or after visiting a website. The malware encrypts files before uploading a key and displaying a message asking for money to decrypt the files.
Blackmail is another variation, where the threat of leaking documents into the public domain provides the motivation for payment of the ransom. See Figure 2 Ransomware: how hackers take your data hostage [AFP].

Recent variations such as NotPetya are considered destructive-ware, as the mechanism for encryption key recovery was not functional, as reported by Mathews (2017), leaving no option to pay a ransom to recover files. Kaspersky (2016) says that 1 in 5 who paid never got their files back. This would limit recovery to restoration of files from backups, or possibly to invoking business continuity and disaster recovery plans. Crowe (2017) reports that ransomware variants grew by a factor of 30x in 2016, and Kaspersky (2016) claims an 11x increase by September 2016, with Crowe saying 71 percent of companies attacked experienced a successful ransomware incident. Only 33 percent (Kaspersky) to 58 percent (Crowe) of companies were able to fully recover data from backups. Others were forced to pay or suffer the loss of data.

The psychology of ransomware demands that victims act quickly, says Hadlington (2017). However, this should not be a time to panic but to follow a well-defined checklist of activities to isolate and then recover systems.

Kaspersky (2016) claims 18 percent of companies in the defence sector were attacked, so CCC need to be prepared.

Figure 2 Ransomware: how hackers take your data hostage [AFP]

Malware typically exploits either software or configuration vulnerabilities on workstations, laptops and servers, but can also impact mobile devices and tablets. The NCSC (2016, 2017) provides up-to-date guidance on ransomware prevention, and support during an incident through Cyber Incident Response (CIR). The cost from downtime and recovery can be very large even for a small business. Reid (2016) provides calculation examples suggesting that CCC could be impacted by more than £12,000 per day in lost staff productivity alone.
Add to this the cost of recovery and any penalties for late delivery on contracts, reputation damage and lost business opportunities, and the impact could be crippling for the business.

There are a number of considerations to prevent and respond to ransomware, and the focus should be on prevention rather than response, but both are needed.

According to Kenyon (2016), ransomware needs access to a command and control centre, from downloading the malware via an initial embedded macro to infect the system, through to publishing the encryption key to C&C. Street et al. (2015) say that malware communications traffic is often blended into other normal traffic such as HTTP web traffic. Disruption and prevention through patching, configuration, web URL filtering, DNS and firewalls are simple yet effective controls.

Restoration from backups is time consuming, but this is only part of the recovery. The environment must be isolated to prevent further infection, the infection source and method must be identified so that steps can be taken to prevent reoccurrence, and any other infected systems must be identified.

Kenyon (2016) summarised a set of actions for preparation, prevention, response and recovery, as listed.

Be Prepared:
- Assume an incident will occur and be ready
- Get agreement that business operations can be stopped to deal with a serious incident
- Define what response options would be pursued and under what circumstances (pay, recover, accept the loss)
- Define the roles and responsibilities and action playbooks for when an incident occurs

Ransomware Prevention:
- Limit the size of shared networks and shared data storage areas
- Use RPZ (Response Policy Zones) for Domain Name Services
- Use a good spam filter
- Scan all incoming emails for malware
- Set up monitoring and alerting that triggers on the change of a static ‘honeypot’ file
- Perform regular patching of applications, operating systems and network devices
- Isolate fragile or sensitive information systems
- Train users to recognise and deal with phishing and spam and how to report incidents
- Train staff to look for anything out of the ordinary
- Encourage incident reporting
- Report risks and threats, costs, incidents, preventions, and other information to the management of the organisation

Incident Management:
- Manage the incident, follow the checklists
- Communicate between teams and individuals. Keep communicating
- Conduct checkpoint meetings and management update meetings

Post Incident:
- Keep the incident checklist and use it for lessons learned and for continuous improvement to controls and processes

Considering the needs of CCC, it would be wise to add additional controls such as policies, processes and procedures, security by design, firewalls, web URL filtering, Intrusion Prevention and Detection Systems (IPDS), forensics capabilities, business continuity and disaster recovery planning, document marking, pen testing, incident reporting to the JSyCC WARP in accordance with ISN 2014/02, removable media controls, and software execution controls.

A number of ISO 27001 controls are identified in the ransomware column of Appendix E Statement of Applicability.
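One of the prevention controls in Kenyon's list, alerting on any change to a static ‘honeypot’ file, is cheap to implement on a file share. The following Python monitor is an added example and is not code from this paper or from Kenyon (2016): it plants a canary file in each share, records a hash baseline, and reports any canary later modified, deleted or renamed; the share names, canary file name and tamper scenario are constructed for the demonstration.

```python
"""Canary file monitor: detect tampering with static 'honeypot' files on shares.

Added example; not from the paper or from Kenyon (2016). Share paths, the
canary file name and the demo tamper scenario are constructed for the demo.
"""
import hashlib
import json
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Name chosen so it sorts first in a directory listing; mass file-encryptors that
# walk a share in order tend to reach it early (assumption for this example).
CANARY_NAME = "00_do_not_modify.docx"
CANARY_BODY = b"Canary file. Do not edit, move or delete.\n"


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large canaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plant_canaries(share_dirs):
    """Write one canary per share; return the baseline {path: sha256} to persist."""
    baseline = {}
    for share in share_dirs:
        canary = Path(share) / CANARY_NAME
        canary.write_bytes(CANARY_BODY)
        baseline[str(canary)] = _sha256(canary)
    return baseline


@dataclass(frozen=True)
class Alert:
    path: str
    reason: str   # "modified", "renamed" or "deleted"
    detail: str = ""


def check_canaries(baseline):
    """Compare every canary with its baseline; an empty list means all clear."""
    alerts = []
    for path_str, expected in baseline.items():
        canary = Path(path_str)
        if canary.exists():
            actual = _sha256(canary)
            if actual != expected:
                alerts.append(Alert(path_str, "modified",
                                    f"sha256 {expected[:12]} -> {actual[:12]}"))
            continue
        # Canary missing. Ransomware commonly leaves an encrypted copy under the
        # original name plus a new extension, so look for such a sibling first.
        siblings = sorted(p.name for p in canary.parent.glob(canary.name + ".*"))
        if siblings:
            alerts.append(Alert(path_str, "renamed", f"found {siblings[0]}"))
        else:
            alerts.append(Alert(path_str, "deleted"))
    return alerts


def format_alert(alert: Alert) -> str:
    """One JSON line per alert, suitable for forwarding to a SIEM or log collector."""
    return json.dumps({"event": "canary_tamper", "severity": "high",
                       "path": alert.path, "reason": alert.reason,
                       "detail": alert.detail})


def demo():
    """Constructed scenario: three shares; one canary overwritten, one renamed."""
    root = Path(tempfile.mkdtemp(prefix="canary_demo_"))
    shares = [root / "Finance", root / "RnD", root / "Projects"]
    for share in shares:
        share.mkdir()
    baseline = plant_canaries(shares)          # run once, store the result
    # Constructed tampering (stands in for a ransomware run on the share).
    (shares[0] / CANARY_NAME).write_bytes(b"not the original content")
    (shares[1] / CANARY_NAME).rename(shares[1] / (CANARY_NAME + ".locked"))
    return check_canaries(baseline)            # run this on a schedule


if __name__ == "__main__":
    for alert in demo():
        print(format_alert(alert))
```

In production the baseline would be stored off the share and `check_canaries` run from a scheduled task, with the JSON lines forwarded to the SIEM so that a modified or renamed canary raises an alert within minutes.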
By layering controls it is possible to achieve Defence in Depth, and given the nature of the threat it is appropriate to apply multiple controls.

Following the principles of Plan, Do, Check, Act, the SIP could be addressed in this way.

Plan:
- Use statistics for risk planning
- Assess the required security controls based on the risks, threats, and vulnerabilities against the maturity model assessment of each of the required controls
- Prioritise the control improvements considering the benefits, timeline for delivery, costs and resources required, and the opportunities and outcomes that will be achieved
- Seek approval, funding and resources from management

Do:
- Initiate a project or programme of works
- Implement the controls based on the priorities set in planning

Check:
- Validate the controls through testing and assurance activities
- Monitor the effectiveness and note any gaps, residual risks, and improvements

Act:
- Respond to security incidents following the procedures and checklists
- Review lessons learnt and feed the information into the next improvement cycle for continuous improvement

Future Risk and Assurance Challenges

The leadership and staff of CCC are going to need to predict, respond and adapt to emerging threats and trends in the general business landscape, and in military research and development (R&D). The organisation needs to assess and respond to new threats, monitor and improve, and exploit opportunities, to provide assurance to its investors, suppliers and customers.

Threats and opportunities are continually emerging, so a regular review must be conducted at a suitable frequency, based on risk level, allowing a timely response.
Risks should be tracked on the risk register so that the organisation can track and adapt to new threats and exploit opportunities, and use a service improvement plan to continuously improve its security posture, thereby providing assurance to its investors, suppliers and customers.

Predicted risks and opportunities with a commentary are presented in Appendix J Future Risks. Amongst the common themes of future risks and assurance are:
- Medical and health concerns from human applied sciences
- Financial uncertainty which may reduce the spending on security controls
- Risk exposure for niche solutions which have a narrow application and therefore a higher risk of not selling the solution to recoup costs
- Changes to laws and regulations
- Collaboration and information sharing with other companies
- Increased cyber attacks
- New ways of working generating new risks
- Increased competition but also opportunities for growth in the market sector
- Political changes like Brexit resulting in the UK's exclusion from contracts, e.g. the French are collaborating with the Germans on a new fighter jet but excluding the UK

Summary

Implementing Information Assurance and Risk Management best practices through security frameworks offers the organisation as a whole a number of benefits. It also reduces the risk to the executive and, through proactive review cycles, ensures continuous improvement and adaptation and response to emerging threats. By adopting the ISO27001, Cyber Essentials and NIST frameworks the organisation will be in a stronger position to resist security threats and lower the risk and costs associated with security incidents.

The Board needs to drive an organisation-wide cultural change from the top down to mobilise, direct, and empower staff alongside policies, processes, procedures and technology controls to defend against harmful threats, both now and in the future.
An Information Security Management System (ISMS) combines all elements into one ‘system’ working together to deliver the benefits to the organisation. An ISMS can demonstrate regulatory compliance, enhance reputation to win and retain business, improve efficiency, and satisfy audit, says Calder (2009).

It is clear that the contractual and regulatory relationships that CCC has will influence the security frameworks adopted and the choice of controls implemented, and will also influence the organisation's governance structures.

CCC have to seek assurance through the Cyber Essentials and NIST assurance processes to be permitted to conduct business with the MoD and DoD respectively. In addition, ISO27001 should be adopted as a master framework and mapped to NIST to satisfy the US business requirements and reduce duplication.

CCC should implement an information governance programme and maintain information and risk management best practices using the security frameworks, then engage independent verification to demonstrate and provide assurance to shareholders, staff, customers and suppliers that CCC is protecting information assets and that CCC is a trustworthy partner for business relationships with a secure trading future. This initiative should be viewed not as an unwelcome cost, but rather as a competitive advantage for CCC.

Acronyms and Abbreviations

BS British Standards
CPA Commercial Product Assurance
DIAS Defence Assurance and Information Security
IG Information Governance
ISMS Information Security Management System
JSyCC Joint Security Co-ordination Centre
MISIRS MOD Information Security Incident Reporting Scheme
ISO/IEC International Standards Organisation (ISO) / International Electrotechnical Commission (IEC)
SAPMA Security Assessment for Protectively Marked Assets risk assessment methodology
SIEM Security Information and Event Management
WARP Warning and Reporting Point

References

Act of Parliament. (2006). Companies Act 2006. Available at: http://www.legislation.gov.uk/ukpga/2006/46/part/10/chapter/2 (Accessed: 2 August 2017)

Alderson, C. (2017). The future of technology in the defence sector. ForrestBrown. Available at: https://forrestbrown.co.uk/news/the-future-of-technology-in-the-defence-sector/ (Accessed: 19 July 2017)

ARMA International. (2013). Generally Accepted Recordkeeping Principles Information Governance Maturity Model. Available at: https://www.arma.org/docs/bookstore/theprinciplesmaturitymodel.pdf?sfvrsn=2 (Accessed: 20 August 2017)

Bureau of Industry and Security. (2013). Export Controls are Relevant to Your Business. U.S. Department of Commerce. Available at: https://www.bis.doc.gov/index.php/forms-documents/technology-evaluation/781-export-licensing/file (Accessed: 25 July 2017)

Brill, A. and Straight, J. (2013). Cyber Due Diligence: How and Why Investors—and the Companies They Are Targeting—Should Assess Their Cyberrisks. Risk Management Magazine. Available at: http://www.rmmagazine.com/2013/10/01/cyber-due-diligence-how-and-why-investors-and-the-companies-they-are-targeting-should-assess-their-cyberrisks/ (Accessed: 25 July 2017)

British Assessment Bureau. (2014). Certification Cycle Explained. Available at: http://www.british-assessment.co.uk/guides/the-3-year-certification-cycle-explained/ (Accessed: 12 August 2017)

British Standards Institution (BSI). (no date). The small business guide to standards. Available at: https://www.bsigroup.com/Documents/standards/smes/bsi-small-business-guide-to-standards-engb.pdf (Accessed: 19 July 2017)

British Standards Institution (BSI). (no date). Innovation, The role of standards. Available at: https://shop.bsigroup.com/upload/Standards%20&%20Publications/Innovation&Design/Innovation%20&%20Design%20white%20paper.pdf (Accessed: 8 July 2017)

BSI. (no date). Supply Chain Security Management. Available at: https://www.bsigroup.com/en-GB/iso-28000-supply-chain-security-management (Accessed: 19 July 2017)

BSI. (no date). Supply Chain Security Management for SMEs. Available at: https://www.bsigroup.com/en-GB/iso-28000-supply-chain-security-management/management-ISO-28000/ (Accessed: 19 July 2017)

BSI. (no date). Need to better manage security risks in your supply chain? Available at: https://www.bsigroup.com/Documents/iso-28000/resources/iso-28000-client-manual.pdf (Accessed: 19 July 2017)

Cabinet Office. (2014). Security Requirements for List X Contractors. Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/367514/Security_Requirements_for_List_X_Contractors.pdf (Accessed: 30 July 2017)

Calder, A. (2011). Implementing information security based on ISO 27001/ISO 27002: A management guide (2nd ed.). Zaltbommel: Van Haren Publishing.

Calder, A. (2013). Can Compliance Shield your Organization from Cyberthreats? Credit Control, 34(2), 67-71.

Competition & Markets Authority. (2014). Cartel Offence Prosecution Guidance. Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/288648/CMA9_Cartel_Offence_Prosecution_Guidance.pdf (Accessed: 3 August 2017)

Corfield, G. (2017). Brits must now register virtually all new drones and undergo safety tests. Available at: http://www.theregister.co.uk/2017/07/24/uk_mandatory_drone_registration_rules_floated/ (Accessed: 24 July 2017)

Corfield, G. (2017). Air, sea drones put through their paces on Solent testing range. The Register. Available at: http://www.theregister.co.uk/2017/07/18/drone_testing_range_solent/ (Accessed: 24 July 2017)

Crowe, J. (2017). 2017 Ransomware Trends and Forecasts. Available at: https://blog.barkly.com/new-ransomware-trends-2017 (Accessed: 19 August 2017)

Curtis, S. (2013). Spy agencies ‘ban Lenovo from secret networks’. The Telegraph. Available at: http://www.telegraph.co.uk/technology/news/10208578/Spy-agencies-ban-Lenovo-from-secret-networks.html (Accessed: August 2017)

Defence Contracts Online. (no date). Supplier Registration. Defence Contracts Online. Available at: https://www.contracts.mod.uk/delta/signup.html?userType=supplier (Accessed: 25 July 2017)

Department for International Trade. (2016). Guidance, Sanctions, embargoes and restrictions. Available at: https://www.gov.uk/guidance/sanctions-embargoes-and-restrictions (Accessed: 17 July 2017)

Dixon, B. (2009). Understanding the FAIR Risk Assessment. Available at: https://www.certconf.org/presentations/2009/files/TA-2.pdf (Accessed: 7 August 2017)

DoD (Department of Defense). (2014). Instruction Number 8510.01. Available at: http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001_2014.pdf (Accessed: 13 August 2017)

DoD (Department of Defense [sic]). (2016). Releases Fiscal Year 2017 President’s Budget Proposal. Press Operations, Release No: NR-046-16, 9 February 2016. Available at: https://www.defense.gov/News/News-Releases/News-Release-View/Article/652687/department-of-defense-dod-releases-fiscal-year-2017-presidents-budget-proposal/ (Accessed: 16 August 2017)

DSTL (Defence Science and Technology Laboratory). (2014, updated 2016). How to work with or sell to Dstl: industry, academia and other research organisations. Available at: https://www.gov.uk/guidance/how-to-sell-to-dstl-industry-academia-and-other-research-organisations (Accessed: 16 August 2017)

DSTL (Defence Science and Technology Laboratory). (2017). MOD DIPR and Ploughshare sign agreement for wider intellectual property commercialisation. Available at: https://www.gov.uk/government/news/mod-dipr-and-ploughshare-sign-agreement-for-wider-intellectual-property-commercialisation (Accessed: 18 July 2017)

Freund, J. and Jones, J. (2015). Measuring and managing information risk: A FAIR Approach. Oxford: Elsevier Inc.

Goad, B. (2016). We are all cyborgs. ForrestBrown. Available at: https://forrestbrown.co.uk/news/we-are-all-cyborgs/ (Accessed: 19 July 2017)

Gould, S. and Bender, J. (2015). Here’s how the US military spends its billions. Business Insider UK. Available at: http://uk.businessinsider.com/how-the-us-military-spends-its-billions-2015-8?r=US&IR=T (Accessed: 16 August 2017)

Hadlington, L. (2017). Exploring the Psychological Mechanisms used in Ransomware Splash Screens. De Montfort University, Leicester. Available at: https://sentinelone.com/wp-content/uploads/2017/06/Psychology-of-Ransomware-Report-Final.pdf (Accessed: 24 July 2017)

HMG. (2014). Guidance, Security policy framework. Available at: https://www.gov.uk/government/publications/security-policy-framework/hmg-security-policy-framework (Accessed: 20 August 2017)

ICO. (2017). Subject access code of practice, Dealing with requests from individuals for personal information. Available at: https://ico.org.uk/media/for-organisations/documents/2014223/subject-access-code-of-practice.pdf (Accessed: 5 August 2017)

ICO. (no date). Key areas to consider, Lawful processing. Information Commissioner’s Office. Available at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider/

Infosecurity Magazine. (2013). Chinese hackers make off with US weapons blueprints, Australian spy HQ plans. Available at: https://www.infosecurity-magazine.com/news/chinese-hackers-make-off-with-us-weapons/ (Accessed: 14 July 2017)

Insley, F. (2017). MOD Implementation of Cyber Essentials Scheme. Defence Contracts Online. Available at: https://www.contracts.mod.uk/announcements/mod-implementation-of-cyber-essentials-scheme/ (Accessed: 12 August 2017)

The Insolvency Service. (2011). Recoveries from Directors and Other Company Officers. The Insolvency Service, Gov.UK. Available at: https://www.insolvencydirect.bis.gov.uk/technicalmanual/ch25-36/Chapter31/part4B/part4/part_4.htm#31.4B.78 (Accessed: 2 August 2017)

International Visits Control Office. (2015). International Visits Control Office Guidance Notes for MOD List X Contractors. Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/428564/20150319-IVCO_Contractor_Guidance.pdf (Accessed: 30 July 2017)

ISO. (2015). The ISO Survey of Management System Standard Certifications 2015. Available at: https://www.iso.org/files/live/sites/isoorg/files/standards/conformity_assessment/certification/doc/survey_executive-summary.pdf (Accessed: 6 August 2017)

ISO27k Forum. (2016). ISO27k ISMS implementation and certification process v4. Available at: http://www.iso27001security.com/ISO27k_ISMS_implementation_and_certification_process_v4.pdf (Accessed: 16 August 2017)

Kenyon, B. (2016). Ransomware recovery. ITNOW, 58(4), 32-33.

Kaspersky. (2016). Kaspersky Security Bulletin 2016. Story of the year: The Ransomware Revolution. Available at: https://securelist.com/files/2016/12/KSB2016_Story_of_the_Year_ENG.pdf (Accessed: 19 August 2017)

Lange, K. (2015). 18 Tips to Safeguard Your Mobile Devices, Social Media. DoD Live. Available at: http://www.dodlive.mil/2015/10/20/18-tips-to-safeguard-your-mobile-devices-social-media/ (Accessed: 9 July 2017)

Li, S., Tryfonas, T. and Li, H. (2016). The Internet of Things: A security point of view. Internet Research, 26(2), 337-359.

MacLennan, A. (2014). Information governance and assurance: Reducing risk, promoting policy. London: Facet Publishing.

Marzigliano, L. (2014). Defense Department Adopts NIST Security Standards. Available at: http://www.informationweek.com/government/cybersecurity/defense-department-adopts-nist-security-standards/d/d-id/1127706 (Accessed: 13 August 2017)

Mathews, L. (2017). The NotPetya Ransomware May Actually Be A Devastating Cyberweapon. Available at: https://www.forbes.com/sites/leemathews/2017/06/30/the-notpetya-ransomware-may-actually-be-a-devastating-cyberweapon/#57ca740c39e8 (Accessed: 19 August 2017)

Merrick, R. (2017). Theresa May pledges to increase defence spending after military chiefs warn UK losing the ability to fight wars. The Independent. Available at: http://www.independent.co.uk/news/uk/politics/theresa-may-defence-spending-pledge-military-wars-warning-a7729056.html (Accessed: 18 July 2017)

Millar, J. (2017). Germany and France snub Britain in military deal as EU members grow impatient with UK. The Express. Available at: http://www.express.co.uk/news/uk/832303/brexit-france-germany-military-uk-aviation-eu-army (Accessed: 24 July 2017)

Ministry of Communication and Information [SG]. (2017). Cybersecurity Bill, Bill No. /2017. Available at: https://www.csa.gov.sg/~/media/csa/cybersecurity_bill/consult_document.ashx?la=en (Accessed: 5 August 2017)

MoD. (2012). Using Social Media – a guide for military personnel. Available at: https://www.gov.uk/government/publications/using-social-media-a-guide-for-military-personnel (Accessed: 5 August 2017)

MoD. (2016). Defence Assurance and Information Security: defence industry/list X. Ministry of Defence. Available at: https://www.gov.uk/guidance/defence-security-and-assurance-services-defence-industry-list-x (Accessed: 24 July 2017)

MoD Defence Contracts Online (MOD DCO). (2017). Connecting the Defence Procurement Supply Chain: Defence Procurement, Research, Technology & Exportability (DPRTE) 2017. Available at: https://www.contracts.mod.uk/procurement-at-mod/dprte-2017/ (Accessed: 7 August 2017)

MoD. (2017). Industry Security Notice, Number 2017/04, Industry Supplier Guidance on DEFCON 658 (Cyber). Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/634863/20170726-Cyber_ISN_for_Industry.pdf (Accessed: 19 August 2017)

NCSC. (2016). Protecting your organisation from ransomware. Available at: https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware (Accessed: 19 August 2017)

NCSC. (2016). Professional service scheme. Cyber Incidents. Available at: https://www.ncsc.gov.uk/scheme/cyber-incidents (Accessed: 19 August 2017)

NCSC. (2017). Ransomware: Latest NCSC Guidance. Available at: https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance (Accessed: 19 August 2017)

NCSC. (no date). About CPA certification. Available at: https://www.ncsc.gov.uk/scheme/commercial-product-assurance-cpa (Accessed: 5 August 2017)

NIST. (2014). Framework for Improving Critical Infrastructure Cybersecurity version 1.0. National Institute of Standards and Technology. Available at: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf (Accessed: 9 July 2017)

NIST. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems. Available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf (Accessed: 13 August 2017)

Police.UK. (2017). Crime changes over time in St Albans and in the Hertfordshire force area. Home Office. Available at: https://www.police.uk/hertfordshire/F01/performance/compare-your-area/burglary/?section=timeline#timeline (Accessed: 20 August 2017)

Reid, J. (2016). Ransomware Attacks: Calculating the Cost of Downtime. AssureStor. Available at: https://www.assurestor.com/cost-of-downtime/ (Accessed: 19 August 2017)

Sculthorpe, T. (2017). EXC: Jeremy Corbyn demanded ‘more cuts’ to Britain’s Armed Forces while they were still fighting in Afghanistan. The Daily Mail. Available at: http://www.dailymail.co.uk/news/article-4547898/Corbyn-demanded-cuts-Britain-s-Armed-Forces.html (Accessed: 18 July 2017)

Smout, M. (2015). The sky is the limit for R&D in drones. ForrestBrown. Available at: https://forrestbrown.co.uk/news/the-sky-is-the-limit-for-rd-in-drones/ (Accessed: 19 July 2017)

Street, J., Baskin, B. and Sims, K. (2015). Dissecting the Hack: The V3rb0ten Network. Burlington: Elsevier Science.

Thomson, I. (2017). Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8. The Register. Available at: https://www.theregister.co.uk/2017/04/14/latest_shadow_brokers_data_dump/ (Accessed: 19 July 2017)

UKCS. (2017). Fact sheet P-01: UK Copyright Law. Available at: https://www.copyrightservice.co.uk/copyright/p01_uk_copyright_law (Accessed: 9 July 2017)

Verisign. (2017). Using DNS to combat Ransomware. Available at: https://www.verisign.com/assets/ebook-combat-ransomware.pdf (Accessed: 15 July 2017)

Wass, R. (2017). Developing underwater ROVs – Remotely Operated Vehicles. ForrestBrown. Available at: https://forrestbrown.co.uk/news/developing-underwater-rovs-remotely-operated-vehicles/ (Accessed: 19 July 2017)

Resources

National Vulnerability Database https://nvd.nist.gov/
#Cyberaware https://twitter.com/search?q=%23CyberAware&src=tyah
National Cybersecurity Protection System (NCPS) https://www.dhs.gov/national-cybersecurity-protection-system-ncps
Defense Security Information Exchange https://www.dsie.org/membership.html
Defence Growth Partnership (DGP) http://www.defencegrowthpartnership.co.uk/
UK Defence Solutions Centre http://www.ukdsc.org/about-ukdsc/
Industry Security Notice (ISN) https://www.gov.uk/government/publications/industry-security-notices-isns

Appendix A Assumptions

ASMP001: Current research and development activities do not include human or animal subjects.
ASMP002: The presentation of information in the White Paper format cannot be fully achieved as it is directed to one individual company and includes academic references.
Amongst other resources on what a white paper should be I referred to https://contentwriters.com/blog/white-paper/; it would not be possible to respond to the assessment question without extending beyond the scope of a White Paper.
ASMP003: CCC are a contractor who holds sensitive data and are required to comply with List X.
ASMP004: Recommendations are to be made, but a full risk assessment and writing policies is beyond the scope of this assignment.
ASMP005: The assignment should be limited to the Risk Management and Information Assurance aspects of an Information Governance (IG) programme and not cover the implementation of an entire IG programme.

Appendix B Legislation, Regulation, Contractual (UK and US)

- Companies Act 2006
- Securities Act of 1933
- Securities and Exchange Act of 1934
- Sarbanes-Oxley Act of 2002
- Dodd-Frank Act of 2010
- Computer Misuse Act 1990
- The Computer Fraud and Abuse Act 1996 (?? replaced by Patriot Act?) Computer Security Act of 1987?
- USA PATRIOT Act and Homeland Security Presidential Directives (HSPDs)
- DoD Directives Division http://www.esd.whs.mil/DD/
- The E-Government Act of 2002 (H.R. 2458). This law is known as the “Federal Information Security Management Act of 2002” (also referred to as FISMA). The purpose is to provide efficient secure delivery of web based and other technology for government to public, other agencies, and government entities. (SANS 2003)
- Data Protection Act 1998. ICO: “If you handle personal information, you may need to register as a data controller with the ICO. Registration is a statutory requirement and every organisation that processes personal information must register with the ICO, unless they are exempt. Failure to register is a criminal offence”
- Electronic Communications Act 2000
- Freedom of Information Act 2000. Applicable to public and government bodies, but indirect disclosure of information by a public body may have implications for CCC
- Freedom of Information Act (FOIA) 1967. The same government agency disclosure requirement; nine exemptions which protect interests such as personal privacy, national security, and law enforcement
- Federal Records Act
- Protection of Freedoms Act (POFA). When using CCTV: Freedom of Information Act 2000 (FOIA), the POFA, the Human Rights Act 1998 (HRA) and the Surveillance Camera Code of Practice issued under the Protection of Freedoms Act (POFA code). You should also take into account other relevant rules and guidance which may cover your activities. For example the ICO’s ‘code of practice on Privacy notices, transparency and control’, ‘Data sharing code of practice’, ‘Employment practices code’, ‘Employment practices code – supplementary guidance’ (this supplementary guidance is particularly important if surveillance systems will be used to monitor employees) and, as mentioned above, the ‘Conducting privacy impact assessments code of practice’.
- ICO’s guidance on the use of cloud computing
- Public Interest Disclosure Act 1998
- The Whistleblower Protection Enhancement Act of 2012
- General Data Protection Regulation (GDPR)
- Competition and Markets Authority (CMA)
- Copyright, Designs and Patents Act (CDPA) 1988
- Before attempting to export military or dual use goods to the US, UK companies should research whether they are subject to ITAR. You must consider any future restrictions that may be placed upon your export as a result of ITAR before entering into any formal contract.
- US International Traffic in Arms Regulations (ITAR) controls the import/export of items on the United States Munitions List (USML). International Traffic in Arms Regulations (ITAR) is a set of United States Government regulations on the export and import of defense related articles and services
- Export Administration Regulations (EAR)
- US product liability law
- Employment Rights Act 1996
- Information Commissioner’s Employment Practice Code
- Equality Act 2010 (Disability Discrimination Act 1995 in Northern Ireland)
- Security Aspects Letter (SAL)
- DEFCON 659A
- Invitation to Tender (ITT)
- List X ‘facility security clearance’ (FSC)
- JSP 440
- JSP 895 The MOD Simplified Purchasing and Payment Process Manual
- JSP 503 MOD Business Continuity Management
- JSP 441 Managing Information in Defence
- JSP 441 Managing Information in Defence Part 2 – Guidance
- JSP 536 Ministry of Defence Policy for Research Involving Human Participants
- JSP 740 Acceptable Use Policy (AUP) for Information and Communications Technology (ICT)
- SPIRE Form 680 application: all UK companies must obtain MOD Form 680 approval in order to release information or equipment classified OFFICIAL-SENSITIVE and above to foreign entities
- Global Declaration Against Corruption
- Export controls
- Open General Export Licence Military Components
- Open General Export Licence Military Goods, Software and Technology
- Open General Export Licence
- Exports under the US-UK Defence Trade Cooperation Treaty
- UK Strategic Export Control List
- Defence Logistics Framework (DLF) has replaced JSP 886 in 2016
- The International Visits Control Office approval for travel for inbound visitors and outbound staff. Request for Visit (RFV).
- The Cabinet Office Security Policy Framework;
- The Letter of Intent (LOI) Framework Agreement;
- Bi-lateral Security Agreements/Arrangements;
- The Declaration of Principles between the United Kingdom and the United States of America;
- The security policies and regulations required by International Organisations such as the North Atlantic Treaty Organisation (NATO); and
- Procedures for countries acting under the auspices of the Multi-National Industrial Security Working Group (MISWG). (International Visits Control Office 2015)
- Cartel Offence Prosecution Guidance. Competition & Markets Authority (2014).
- Official Secrets Act 1989
- Serious Organised Crime and Police Act 2005

Appendix C Policies

Each policy is listed with its priority, followed by comments and considerations.

Information Governance (IG) Policy (Priority: High)
Starting with a statement of commitment by the organisation to developing and adhering to IG practices, with clarity around roles and responsibilities. Requirements under BS 13500:2013 Annex A for governance system, governance accountability, vision and strategic outcomes, and risk limits. See requirements within List X and HMG (2014) Guidance, Security policy framework.

Remote Access and Remote Working Policy (Priority: Medium)
Staff currently only undertake R&D work within the company facilities. Consider the data which may be accessed and carried out of the company’s offices, the regions and locations from which remote working may be undertaken (public or foreign countries), data encryption technology for data in transmission and stored on media, and two factor authentication. There is a risk of being overlooked, and consideration needs to be given to the secure storage of sensitive information under lock and key, such as test reports or models of products.

Bring Your Own Device (BYOD) Policy (Priority: Medium)
Staff are currently supplied ICT equipment; however, there are certain types of devices which could be used to leak data, such as personal tablets, cameras, phones, laptops or other devices. Also, some brands of equipment have security concerns that they have data gathering capabilities built in for state sponsored espionage (Infosecurity Magazine 2013). Consideration should be given to the use of only CPA approved devices (NCSC, About CPA certification).

Mobile Device Policy (Priority: High)
Keeping in touch has led to an increased usage of mobile devices for email, instant messaging, texting and phone calls.

Password Policy (Priority: High)
Insecure and infrequently changed passwords which are guessable due to a lack of complexity are a significant risk.

eMail Policy (Priority: High)
Phishing attacks and the distribution of malware using embedded links in email attachments are increasing. Consider document marking to avoid accidental disclosure, encryption and digital signing of messages, the type and importance of data that is permitted to be sent/received, and data loss prevention.

Data Loss Prevention Policy (Priority: High)
With CCC dealing with so much IP it is important to track and alert on unauthorised data movement and anomalies.

Acceptable Usage Policy (Priority: High)
What corporate systems and data can be used for and how access is permitted.

PCI Compliance Policy (Priority: Low)
CCC do not currently process card payments.

Business Continuity Plan & Disaster Recovery Policy (Priority: High)
This will allow the company to recover from loss of facilities and systems through natural disaster such as a flood or earthquake, fire, catastrophic failure of systems through hardware or software failure, cyber-attack, loss of communications, loss of access to facilities, materials, transport, etc.

Human Resource Recruitment Policy (Priority: High)
Personnel Security recruitment checks as required by List X. Bullying and harassment complaints policy and procedures. Disability and Equality.

Records management policy & Data Retention & Archiving & Records Disposition policy (Priority: Medium)
The marking of documents, storage, processing, archiving and disposal of records.

Sales and Marketing Policy (Priority: High)
Sales and marketing to foreign countries can be restricted due to sanctions, controls and embargoes. Refer to Department for International Trade (2016), and Bureau of Industry and Security (2013). A process needs to be developed to frequently assess the list(s) and feed back into management.

Data at rest (Priority: High)
Storage using encryption and the use of access controls.

Data in transit (Priority: High)
The use of VPN technology over open/non-secure WiFi and other networks.

Backup Policy (Priority: High)
The frequency of backups, rotation and retention schedules, offsite storage location, encryption of backups, and restoration test frequency.

Information security policy (Priority: High)
Statements about how information security is positioned in the organisation.

Data privacy policy (Priority: High)
Which records are deemed personally identifiable, and who will have access and why.

Security Incident Management Policy and Procedure (Priority: High)
CCC have obligations to report data loss incidents as defined in their contracts and the regulations governing their business relationships.

Document Marking Policy (Priority: High)
A relatively simple and low cost control. Document marking can be used to control access to documents, to guide information processors on acceptable usages of data, and to inform the organisation of the impact of data loss events.

Information sharing policy (Priority: High)
The type and classification of data shared inwards or outwards, and the methods for transmission and storage, are key to protecting IP. See DSTL (2017) on the MOD DIPR and Ploughshare Agreement.

Staff Training Policy (Priority: High)
Policies, procedures, standards and guidelines will not be effective unless staff are aware they exist and of their obligations to follow them. Enforcement and disciplinary action would be ineffective without proving that staff had undertaken the training.

Freedom of Information Policy (Priority: Low)
Disclosure of information under the Freedom of Information Act. Less likely to apply to CCC directly, but a policy and procedure should be defined. Refer to the ICO Subject access requests code of practice.

Anti-Bribery Policy (Priority: Medium)
In a market sector with a history of special payments, a corporate gifts, bribery and corruption policy should be developed to avoid staff being compromised by gift giving or receiving.

Supplier management policy (Priority: Medium)
A right to audit suppliers. A flow-down of contractual requirements for suppliers to meet security standards. With the use of Third Party Suppliers for subcontracting, CCC should consider MoD Defence Contracts Online (MOD DCO) (2017) supply chain security.

Whistle blowing policy (Priority: Low)
Protection for whistle blowing. BS 13500:2013.

Quality control policy (Priority: Low)
Defective products and complaints procedures:
- being responsive to field complaints and having clear documentation as proof of your response
- regular audits of product literature to ensure clear instructions about safety
- effective risk management to manage safety compliance
- document retention and staff training around product design, manufacture, marketing and field experience
- product liability insurance

Physical Security Controls Policy (Priority: High)
Security guards and patrols, the use of safes and locking storage, door locks and access passes for each zone, staff identity badges being displayed openly. Compliance with CCTV licensing and operation.

Travel
Authorisation is required for inward and outward international travel through the International Visits Control Office (IVCO).
This control allows consideration tocombat threats of espionage and is a contractual requirement for List X companies.Travel to high risk countries.HighNeed to knowLinked to document marking the restriction of information will help protect IP andsensitive corporate information such as the value of contracts, the status of an RFPor tender responseHighClear desk policyThe facilities have good physical security controls so staff can only access permittedareas meaning that staff in a given section would typically share information anyway.A clear desk policy would improve security furtherMediumObscured screenVery little work is performed out of the company offices, however it is important toavoid being overlooked and screen locking, blanking and obscurification filters wouldbe an enhancement especially for remote workingMediumData StoragePhysical security including locking furniture and safes, technology controls, defencein depth,HighMoving assets by handCaution about being overlooked, large volumes of data need to be authorised,tamper proof containers, risk assessment. Compliance with List X controls includingapproval to move data.Refer to List XMediumMoving asses by courier or postThere is a higher need for a policy for this activity as it alerts the chain of custody fordata. The policy should cover sending only to known physical addresses and toHigh Page 31 known and named addressee, registered and tracked delivery, signature on receipt,authorisation depending on classification, tamper proof containers,Refer to List XBulk transfers of dataAuthorisation to transfer bulk data, approved transfer methods and physical controlswould be a useful addition after the basic policies and controls are put in placeRefer to List XMediumICT servicesAllow only permitted services from approved providers. This will include onlysourcing services within country and not from overseas service providers. 
Thoseproviders should be vetted for their information security practices to avoid loss viathe service provider as was seen by the Stone Panda/APT10 infiltration of serviceproviders. The use of new services, including cloud services, must be risk assessesbefore useHighRemovable mediaAn easy way to introduce unauthorised software, malware or stolen IP into thecorporate systems, and similarly an easy method and easily concealed method ofremoving data from the companyHighTelephony (landline and mobile) videoconferencing , fax usage policyConsidered use of communications mediums is required to avoid eavesdropping sothe use of unsecured communications mediums, where they may be used (public,private, foreign locations), and theHighSocial Media PolicyLinkedIn, Facebook, Twitter, Instagram, and other platforms can be used to profileindividuals for social engineering attacks and these platforms offer an opportunityfor accidental disclosure or reputational damage. It can also be used as a positivetool for communications if used properlySee Lange (2015), and MoD (2012)HighCorporate communications and media PolicyEnsuring that only responsible people can communicate information about thecompany via press release, the corporate website, or press interviews to avoiddisclosure or reputational damage (Ministry of Defence 2012)MediumeDiscovery policy and procedureLitigation is commonplace in the US market and increasingly common in the UK. Thisis a time consuming process if not managed well and has serious implication ifavoided and poorly executed. As the occurrence for CCC is low this is an area to bedeveloped after other policies and proceduresMedium Page 32 Security By DesignAll technology solutions and product solutions must include security designprinciples and controls as appropriate for the solution. 
This offers the lower costoption than trying to retrofit securityHighTesting PolicyAll solutions will be reviewed and validated that the implementation followed thedesign and that the security outcomes can be evidenced against the design,including any Pen Testing and assurance activitiesMediumDevelopment Environment Data Usage PolicyExclude the use of production data in non-production environmentsHighMobile Device PolicyLost and Stolen devices processMobile Device encryptionPassword and access PIN complexityDevice auto-lock settings and remote device wipingPermitted device makes and modelsHighHardware and Software Procurement PolicyAcceptable make and model of hardwareReceiving and tracking new equipment and softwareAcceptable hardware and software including supported versionThe selection of equipment from the Commercial Product Assurance (CPA) list couldbe considered but an awareness that Lenovo and Huawei equipment and otherChinese made equipment including mobile devices should be treated with duecaution due to concerns of backdoor and trapdoors. Curtis (2013) reports thatLenovo is banned by the Five Eyes agencies Secret and Top Secret networks.A policy governing who can purchase, what authorisation is required to purchase, astandard stating the makes and models that can be purchased and if they need to beCPA approved.MediumIncident reporting policyDefine what constitutes an incident the roles and responsibilities in incidentmanagement. 
Reporting procedures.High Page 33Appendix D AssetsA list of CCC assets Servers Workstations Laptop Smart Phones Firewall Copyright and trademark Intellectual Property Designs, models and prototypes Third party owned information Business Plan/Strategy Marketing Plan Finance system Lab equipment Paper records Contracts Routers, Switches and cabling Telephone system HR recordsPage 34Appendix E Statement of Applicability ISO27001:2013Statement of ApplicabilityISO/IEC 27001:2013 Annex A controlsCurrentcontrolsReasonsSelected controls and reasons for selectionLegalContractualBusinessRiskRansomwaeClauseSecControl Objective/Control5 Security Policies5.1Management direction for informationsecurity5.1.1Policies for informationnoxxxx5.1.2Review of the policies for informationsecuritynoxxxx6 Organisation ofinformationsecurity6.1Internal organisation6.1.1Information security roles and responsibilitiesnoxxxx6.1.2Segregation of dutiesnoxx6.1.3Contact with authoritiespartialxxxx6.1.4Contact with special interest groupspartialxxxx6.1.5Information security in project managementnoxxx6.2Mobile devices and teleworking6.2.1Mobile device policynoxxxx6.2.2Teleworkingnoxxx7 Humanresource security7.1Prior to employment7.1.1Screeningpartialxxx7.1.2Terms and conditions of employmentnoxxx7.2During employment7.2.1Management responsibilitiesnoxxxx7.2.2Information security awareness, educationand trainingnoxxxx Page 35 7.2.3Disciplinary processnoxxxx7.3Termination and change of employment7.3.1Termination or change of employmentresponsibilitiesnoxxxx8 Assetmanagement8.1Responsibility for assets8.1.1Inventory of assetsnoxxxx8.1.2Ownership of assetsnoxxx8.1.3Acceptable use of assetsnoxxxx8.1.4Return of assetsnoxxx8.2Information classification8.2.1Classification of informationnoxxxx8.2.2Labelling of informationnoxxxx8.2.3Handling of assetsnoxxxx8.3Media handling8.3.1Management of removable medianoxxxx8.3.2Disposal of medianoxxx8.3.3Physical media transfernoxxx9 Access 
9.1 Business requirements of access control
9.1.1 Access control policy | no | x x x x
9.1.2 Access to networks and network services | no | x x x x
9.2 User access management
9.2.1 User registration and de-registration | partial | x x x
9.2.2 User access provisioning | partial | x x x
9.2.3 Management of privileged access rights | no | x x x x
9.2.4 Management of secret authentication information of users | no | x x x
9.2.5 Review of user access rights | no | x x x x
9.2.6 Removal or adjustment of access rights | no | x x x x
9.3 User responsibilities
9.3.1 Use of secret authentication information | no | x x x
9.4 System and application access control
9.4.1 Information access restriction | no | x x x x
9.4.2 Secure log-on procedures | no | x x x
9.4.3 Password management system | no | x x
9.4.4 Use of privileged utility programs | no | x x x
9.4.5 Access control to program source code | no | x x x

10 Cryptography
10.1 Cryptographic controls
10.1.1 Policy on the use of cryptographic controls | no | x x x
10.1.2 Key management | no | x x

11 Physical and environmental security
11.1 Secure areas
11.1.1 Physical security perimeter | yes | x x x
11.1.2 Physical entry controls | yes | x x x
11.1.3 Securing offices, rooms and facilities | yes | x x x
11.1.4 Protecting against external and environmental threats | no | x x x
11.1.5 Working in secure areas | no | x x x
11.1.6 Delivery and loading areas | no | x x x
11.2 Equipment
11.2.1 Equipment siting and protection | no | x x
11.2.2 Supporting utilities | partial | x x x
11.2.3 Cabling security | no | x x x
11.2.4 Equipment maintenance | no | x x x
11.2.5 Removal of assets | no | x x x
11.2.6 Security of equipment and assets off-premises | no | x x x
11.2.7 Secure disposal or re-use of equipment | no | x x x
11.2.8 Unattended user equipment | no | x x x
11.2.9 Clear desk and clear screen policy | no | x x x

12 Operations security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures | no | x x x x
12.1.2 Change management | no | x x x
12.1.3 Capacity management | no | x x x
12.1.4 Separation of development, testing and operational environments | no | x x x
12.2 Protection from malware
12.2.1 Controls against malware | partial | x x x x
12.3 Backup
12.3.1 Information backup | partial | x x x x
12.4 Logging and monitoring
12.4.1 Event logging | no | x x x x
12.4.2 Protection of log information | no | x x x x
12.4.3 Administrator and operator logs | no | x x x
12.4.4 Clock synchronisation | yes | x x x x
12.5 Control of operational software
12.5.1 Installation of software on operational systems | no | x x x x
12.6 Technical vulnerability management
12.6.1 Management of technical vulnerabilities | no | x x x x
12.6.2 Restrictions on software installation | no | x x x x
12.7 Information systems audit considerations
12.7.1 Information systems audit controls | no | x x x x

13 Communications security
13.1 Network security management
13.1.1 Network controls | partial | x x x x
13.1.2 Security of network services | no | x x x x
13.1.3 Segregation in networks | partial | x x x x
13.2 Information transfer
13.2.1 Information transfer policies and procedures | no | x x x
13.2.2 Agreements on information transfer | no | x x x
13.2.3 Electronic messaging | no | x x x
13.2.4 Confidentiality or non-disclosure agreements | no | x x x

14 System acquisition, development and maintenance
14.1 Security requirements of information systems
14.1.1 Information security requirements analysis and specification | no | x x x
14.1.2 Securing application services on public networks | no | x x x
14.1.3 Protecting application services transactions | n/a | No e-transaction systems
14.2 Security in development and support processes
14.2.1 Secure development policy | no | x x x
14.2.2 System change control procedures | no | x x x
14.2.3 Technical review of applications after operating platform changes | no | x x x
14.2.4 Restrictions on changes to software packages | no | x x x
14.2.5 Secure system engineering principles | no | x x x
14.2.6 Secure development environment | no | x x x
14.2.7 Outsourced development | no | x x x
14.2.8 System security testing | no | x x x x
14.2.9 System acceptance testing | no | x x x x
14.3 Test data
14.3.1 Protection of test data | no | x x x

15 Supplier relationships
15.1 Information security in supplier relationships
15.1.1 Information security policy for supplier relationships | no | x x x
15.1.2 Addressing security within supplier agreements | no | x x x
15.1.3 Information and communication technology supply chain | no | x x x
15.2 Supplier service delivery management
15.2.1 Monitoring and review of supplier services | no | x x x x
15.2.2 Managing changes to supplier services | no | x x x

16 Information security incident management
16.1 Management of information security incidents and improvements
16.1.1 Responsibilities and procedures | no | x x x x
16.1.2 Reporting information security events | no | x x x x
16.1.3 Reporting information security weaknesses | no | x x x x
16.1.4 Assessment of and decision on information security events | no | x x x x
16.1.5 Response to information security incidents | no | x x x x
16.1.6 Learning from information security incidents | no | x x x x
16.1.7 Collection of evidence | no | x x x x

17 Information security aspects of business continuity management
17.1 Information security continuity
17.1.1 Planning information security continuity | partial | x x x x
17.1.2 Implementing information security continuity | partial | x x x x
17.1.3 Verify, review and evaluate information security continuity | no | x x x x
17.2 Redundancies
17.2.1 Availability of information processing facilities | partial | x x x x

18 Compliance
18.1 Compliance with legal and contractual requirements
18.1.1 Identification of applicable legislation and contractual requirements | partial | x x x x x
18.1.2 Intellectual property rights | partial | x x x x
18.1.3 Protection of records | no | x x x x x
18.1.4 Privacy and protection of personally identifiable information | no | x x x x x
18.1.5 Regulation of cryptographic controls | no | x x x x
18.2 Information security reviews
18.2.1 Independent review of information security | no | x x x x
18.2.2 Compliance with security policies and standards | no | x x x x
18.2.3 Technical compliance review | no | x x x

Appendix F Supporting Standards

FRAMEWORKS
BS EN ISO/IEC 27000:2017 Information technology. Security techniques. Information security management systems. Overview and vocabulary
BS EN ISO/IEC 27001:2017 Information technology. Security techniques. Information security management systems. Requirements
BS EN ISO/IEC 27002:2017 Information technology. Security techniques. Code of practice for information security controls
BS ISO/IEC 27005:2011 Information technology. Security techniques. Information security risk management
BS ISO/IEC 27007:2011 Information technology. Security techniques. Guidelines for information security management systems auditing
BS ISO/IEC 27013:2015 Information technology. Security techniques. Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-53A Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
Cyber Essentials and Cyber Essentials Plus

RISK MANAGEMENT
BS ISO 31000:2009 Risk management. Principles and guidelines
BS EN 31010:2010 Risk management. Risk assessment techniques
NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems
NIST SP 800-37 Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management
NIST SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View
NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

RECORDS MANAGEMENT
ISO 30301 Information and documentation. Management systems for records. Requirements
ISO 15489 Information and documentation. Records management. Concepts and principles
BS ISO/IEC 11770-1:2010 Information technology. Security techniques. Key management
BS ISO 15489-1:2016 Information and documentation. Records management. Concepts and principles
NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

SERVICE MANAGEMENT
BS ISO/IEC 20000-1:2011 Information technology. Service management. Service management system requirements
NIST SP 800-55 Performance Measurement Guide for Information Security

TESTING
NIST SP 800-115 Technical Guide to Information Security Testing and Assessment

BS 10500 Anti-Bribery; ISO 37001:2016 Anti-Bribery Management System
BS OHSAS 18001 Occupational Health and Safety
BS 7858:2012 Security screening of individuals employed in a security environment. Code of practice

SECURITY CONTROLS AND METHODS
ISO 29151 Security Impact Assessment
BS 10008 Legal Admissibility of Electronic Information
NIST SP 800-45 Guidelines on Electronic Mail Security
NIST SP 800-63 Digital Identity Guidelines: Enrollment [sic] and Identity Proofing
NIST SP 800-64 Security Considerations in the System Development Life Cycle
NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials
NIST SP 800-175A Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies
NIST SP 800-175B Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
NIST SP 800-177 Trustworthy Email

INCIDENT MANAGEMENT
PD ISO/IEC TR 18044:2004 Information technology. Security techniques. Information security incident management
NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide
NIST SP 800-83 Guide to Malware Incident Prevention and Handling for Desktops and Laptops
NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response
NIST SP 800-184 Guide for Cybersecurity Event Recovery
NIST SP 800-150 Guide to Cyber Threat Information Sharing

BUSINESS CONTINUITY
BS ISO/IEC 27031:2011 Information technology. Security techniques. Guidelines for information and communication technology readiness for business continuity
BS EN ISO 22301:2014 Societal security. Business continuity management systems. Requirements
NIST SP 800-34 Contingency Planning Guide for Federal Information Systems
NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

SUPPLY CHAIN
BS ISO 28000:2007 Specification for security management systems for the supply chain
NIST SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations

IT GOVERNANCE
BS ISO/IEC 38500:2015 Information technology. Governance of IT for the organization
BS ISO/IEC 19086-3:2017 Information technology. Cloud computing. Service level agreement (SLA) framework. Core conformance requirements
BS ISO/IEC 15504-6:2013 Information technology. Process assessment. An exemplar system life cycle process assessment model

QUALITY MANAGEMENT
BS EN ISO 9000:2015 Quality management systems. Fundamentals and vocabulary

ORGANISATIONAL GOVERNANCE
BS 13500 Code of practice for delivering effective governance of organizations

TRAINING AND EDUCATION
NIST SP 800-181 National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework
NIST SP 800-50 Building an Information Technology Security Awareness and Training Program

OTHER
All the latest NIST guidance can be found at http://csrc.nist.gov/publications/PubsSPs.html#SP%20800
An overview of the information risk management process: http://www.iso27001security.com/ISO27k_ISMS_implementation_and_certification_process_v4.pdf

Appendix G ISO27k_ISMS_implementation_and_certification_process_v4.pdf

Appendix H Common Threats and Hazards

The following is a summary of frequently occurring threats as summarised by Sutton (2014):
1. Malicious Intrusion
   a. Denial of Service (DoS)
   b. Unauthorised access (internal/external)
   c. Unauthorised network scanning
   d. Interception of communications
   e. Session hijacking
   f. Website modification
   g. Software modification (insertion of malicious source code or malware)
   h. Data modification
   i. Decryption of encrypted data
   j. Credential theft and impersonation
2. Environmental Threat
   a. Natural hazards (weather events, geological events)
   b. Accidental and malicious physical damage
   c. Fire
   d. Communication jamming or deliberate interference
   e. Communications failure
   f. Power failures
3. Errors and Failures
   a. Software failures
   b. Software interdependencies
   c. System overloads
   d. Hardware failure
   e. User errors
   f. Technical staff errors
   g. Internal and external software errors
   h. Change failures
4. Social Engineering
   a. Spoofing, masquerading and impersonation
   b. Phishing
   c. Spam
   d. Disclosure
5. Misuse and Abuse
   a. Modification of system access privileges
   b. Unauthorised systems activity
   c. Software theft and business information theft
6. Physical Threats
   a. Unauthorised access
   b. Theft of computers and portable devices
   c. Theft of authentication devices
7. Malware
   a. Viruses
   b. Worms
   c. Backdoors
   d. Trojan horses
   e. Rootkits
   f. Spyware
   g. Active content
   h. Botnet clients
   i. Ransomware

The following is a summary of frequently occurring vulnerabilities as summarised by Sutton (2014):
1. Access control
   a. Lack of, or poorly written, access control policies
   b. Failure to change user access rights when users change roles or leave the organisation
   c. Inadequate user password management
   d. Default system accounts and passwords
   e. Embedded system accounts and passwords
   f. Lack of security for mobile devices
   g. Lack of network segregation
   h. Lack of a clear desk and clear screen policy
   i. Using untested software
   j. No restrictions on system utilities
2. Poor procedures
   a. Lack of functional procurement specifications
   b. Lack of functional development specifications
   c. Failure to validate data entry
   d. Use of undocumented software
   e. Use of unauthorised software
   f. Lack of business continuity and disaster recovery planning
3. Physical and environmental security
   a. Poor control of access to premises and areas within them
   b. Insecure physical barriers, doors and windows
   c. Unprotected storage
   d. Inadequate environmental controls such as cooling and humidity control
   e. Location in flood zones
   f. Storage of flammable materials
   g. Proximity to hazardous materials and processing facilities
4. Communication and Operations Management
   a. Missing segregation of duties
   b. Lack of network and intrusion monitoring
   c. Use of public networks without protection
   d. Use of uncontrolled wireless access points
   e. Lack of malware protection
   f. Unpatched systems and poor patching schedules
   g. Untested backup and restore procedures
   h. Improper disposal of media
   i. Lack of a BYOD policy
   j. Poor change management procedures
   k. Lack of audit trails and of non-repudiation for transactions and emails
   l. Lack of segregation of test and production systems
   m. Uncontrolled copying of business information
5. People-related security failures
   a. Inadequate security training for technical staff
   b. Lack of security awareness training for users
   c. Lack of monitoring or intrusion detection systems
   d. Lack of acceptable usage and other policies
   e. Failure to review and amend the access rights of users when they change roles or leave
   f. Lack of asset collection procedures when users leave
   g. Unmotivated or disgruntled staff
   h. Lack of oversight of third parties or of staff working outside business hours

Appendix I Mapping ISO to NIST

The mapping table is presented in NIST SP 800-171, Appendix D, pages 30-51. Available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf

Appendix J Future Risks

Each entry pairs a trend or opportunity with its risk and assurance impact.

Trend or opportunity: Exoskeletons for strength and endurance load carrying, such as the Human Universal Load Carrier from Lockheed Martin (Goad, 2016).
Risk and assurance impact: Medical record keeping required. Potential personal injury claims caused by testing. Strong competition could cause a lack of market share for a completed product.

Trend or opportunity: Restorative prosthetics for injured soldiers created through 3D printing. Electrical stimulation of hearing nerves to restore hearing. Vision restoration and enhancement using biological and technological solutions. Bio-lung, artificial kidney and heart.
Tactile distance feedback wearable clothing for low-visibility environments to provide proximity feedback to the wearer (Goad, 2016).
Risk and assurance impact: Potential niche markets and applications of the technology not already considered. Medical record keeping required. Potential personal injury claims caused by testing.

Trend or opportunity: Remotely Operated Vehicles (ROVs) and Autonomous Underwater Vehicles (AUVs) for inspection, reconnaissance, load carrying, working under ice, and hostile environments. Supporting technology such as stress-resistant materials, propulsion systems, higher-capacity power systems, sensors, cameras, comms, and human control interfaces (Wass, 2017).
Risk and assurance impact: The market may have a limited sales volume, making recouping of costs difficult. Applications of the technology not already considered could create new opportunities, including in non-military applications.

Trend or opportunity: Drones or Unmanned Aerial Vehicles (UAVs) have continued to grow in popularity for a number of military reconnaissance and offensive operational tasks. Development is likely to include collaborative interfaces and communication between UAVs that can work in tandem or even swarm (Alderson, 2017) to complete tasks. Technology enhancements are likely to include endurance, communications, navigation, trajectory planning and control, and sensor fusion (Smout, 2015). Other trends may include miniaturisation and the mimicking of animals to avoid detection (Alderson, 2017).
Risk and assurance impact: Changes in laws and regulations may necessitate changes to software and controls to avoid no-fly zones and for collision prevention. Growing market with many applications of the technology not already considered. A drone registration scheme has been announced by the UK government (Corfield, 2017).

Trend or opportunity: Reactive materials such as the Mesh Worm (Alderson, 2017) could create new materials and new behaviours or applications which are currently not categorised or regulated by any laws or governing body.
Risk and assurance impact: Legislative and regulatory changes after product development.

Trend or opportunity: "Biohacking", the insertion of sensory implants for function and identity purposes (Goad, 2016).
Risk and assurance impact: Medical record keeping required. Potential personal injury claims caused by testing.

Trend or opportunity: Singapore has introduced a draft bill to licence cybersecurity personnel (Ministry of Communication and Information [Singapore], 2017), and this approach could be adopted by the UK or US governments to combat the rise in cybersecurity attacks by separating the good guys from the bad and making it easier to prosecute offenders.
Risk and assurance impact: CCC may have to use licensed personnel and exercise caution when developing and testing products if any research and development activities could be deemed to be in scope and require a licence. It would introduce additional complexity and legislation to comply with.

Trend or opportunity: Growth opportunities from enhanced military spend on R&D may require more staff.
Risk and assurance impact: This would necessitate continued rigour around staff suitability and background checking.

Trend or opportunity: As research and technology development increases in complexity, collaboration with other companies may offer opportunities which cannot be realised as a single company. The Ministry of Defence's Intellectual Property Rights group (DIPR) is promoting information sharing between MOD groups through Ploughshare (Defence Science and Technology Laboratory, 13 July 2017). Another example of closer collaboration between competing companies can be seen in the recent testing of "roboats" and ROVs, where a consortium of companies was funded to create a drone test range (Corfield, 2017).
Risk and assurance impact: Collaborations with other companies will require information sharing policy changes, changes in company-to-company contracts, and assurance and audit checking to and from the other organisations and, in some cases, their suppliers.

Trend or opportunity: Promotion of military exports by the UK government could increase competition, with an adverse impact on CCC, or it could help promote products and services which aid the growth of the company into new markets (Defence Science and Technology Laboratory, 2016).
Risk and assurance impact: Increased competition and/or increased sales opportunities.

Trend or opportunity: Increased requirement to provide evidence of information assurance through certification when bidding for contracts or for the supply of goods and services. Since 1 January 2016 it has been mandatory to hold at least Cyber Essentials certification to be able to conduct business with the MOD (Defence Contracts Online, no date).
Risk and assurance impact: Increased requirement to evidence information assurance and risk management best practice through certification and independent review/audit.

Trend or opportunity: Increased spending by the MOD and DOD gives growth opportunities, but the level of funding could decrease with a change of political leadership to one opposed to military spending (Sculthorpe, 2017; Merrick, 2017).
Risk and assurance impact: Policies for investment and spending controls, including spending limits by role and spending approval stages. Policies on who can negotiate and sign contracts and commit the organisation to spend, depending on contract value. Budget forecasting and cash flow management considerations, including credit control practices to perform due diligence on customers and procedures to chase debtors.

Trend or opportunity: Continued knowledge sharing and changes to MOD procurement policy and innovation (MOD Defence Contracts Online, DPRTE 2017).
Risk and assurance impact: Regular review of information sharing policies, document classification and data management against changing legislation, regulation or contractual compliance.

Trend or opportunity: Variations to export controls, sanctions and embargoes (www.gov.uk, 31 March 2016) may increase or restrict sales opportunities and product demand, including any products sold under licence.
Risk and assurance impact: Policies and procedures for regular reviews of sanctions and embargoes to ensure compliance with an ever-changing list and to avoid penalties or prosecution.

Trend or opportunity: Brexit may make it harder to sell into the EU market. If there is a reduction in UK GDP, then the commitment to spend 2% of GDP would reduce accordingly. A new fighter jet project has seen France collaborate with Germany and exclude the UK (Millar, 2017).
Risk and assurance impact: Reduced income due to a lower R&D budget. Cancelled or delayed projects may cause loss due to committed spend with a third party.

Trend or opportunity: Escalating cybercrime, ransomware and destructive malware.
Risk and assurance impact: Continuous improvement of detection and mitigation controls using an ISMS.

Trend or opportunity: UK political leadership changes, such as the replacement of May with Corbyn, could see a shift from supporting military spend to a reduction in spend (Sculthorpe, 2017; Merrick, 2017).
Risk and assurance impact: Reduced budget. Delays or stoppage of projects.

Trend or opportunity: State political influences, as discussed in the media, attribute a growing number of state-sponsored espionage and cyber-attacks to China, North Korea, Russia and the USA, as has been seen with the recent USA election tampering and the WannaCry ransomware attack. WannaCry allegedly uses an NSA toolkit that is being sold off by The Shadow Brokers (Thomson, 2017), which could increase the availability of exploits. Infosecurity Magazine (2013) reported direct espionage by China to steal weapons blueprints.
Risk and assurance impact: An increased number of cyber-attacks will require continual assessment and updates of security policy, the ISMS and controls, along with incident handling and data recovery.

Trend or opportunity: Wearable tech and micro tech may create increased risk of IP theft or information leakage by covert information capture (image, video, audio, data) and/or tracking and telemetry data of the wearer/user. This may include Internet of Things (IoT) devices that offer point solutions and automation through low-cost and low-quality/low-security devices that may be subject to compromise (Li, Shancang et al. 2016).
Risk and assurance impact: Policies on BYOD, personal devices, technology standards and proximity usage considerations. Changing security standards for IoT devices (Li, Shancang et al. 2016) may offer higher-grade and more secure devices.

Trend or opportunity: A changing workforce dynamic, as seen with the gig economy, may create more task-based, assignment-driven staff and supplier engagements.
Risk and assurance impact: New HR policies and procedures to engage staff or suppliers to provide short task-based assignments.

Trend or opportunity: New ways of delivering technology, such as the many new tools and techniques available from cloud providers and the supporting tools in their marketplaces. Many of these new tools are rapidly developed, which may give rise to concerns about vulnerabilities within the products. Approaches such as creating data lakes may give rise to data management and retention issues.
Risk and assurance impact: Dynamic risk assessment, automation of recovery and controls, data residency policies and compliance issues, software assurance and procurement policies, data storage and processing policies.

Trend or opportunity: GDPR will give rise to a number of considerations for the lawful processing of data (ICO, no date).
Risk and assurance impact: Policies for the storage, management and processing of personal information. A lawful basis for processing the data must be established (ICO, no date), and roles and responsibilities need to be defined within the organisation, such as CCC's responsibilities as Data Controller.

Trend or opportunity: A purchase of another company, a sale of CCC to another company, a merger, business partnerships, or inward investment.
Risk and assurance impact: The value of a company's Intellectual Property depends on the cyber security controls the organisation has in place. Due diligence on companies expects information assurance and risk management practices to be in place (Brill & Straight, 2013).

Appendix K Organisational Structure

The following are recommendations for the organisational structure that CCC requires.

Board Level: Appoint the Managing Director (MD) as the board-level security contact who is accountable for security at board level. The MD will approve security policy and delegate responsibility for security to the relevant committees and job functions, including supporting the Security Controller. The MD will also be responsible for interfacing with the Contracting Authority about the status, ownership and control of CCC, including shareholdings, appointments to the board, and persons of influence with non-UK citizenship. While the use of the MD is an option under List X guidance, as the organisation grows this would be separated into a Chief Operating Officer (COO) with a Chief Information Security Officer (CISO) reporting to the COO.

Security Operations: The UK-based Group Security Controller will have a US-based Security Officer reporting to them and will also oversee UK security operations as defined in List X (Ministry of Defence 2014), points 8-12. The IT Director will perform the function of the IT Installation Security Officer with the support of the IT Operations Manager.
The IT Director will also perform the role of theDeputy Security Officer as defined in List X.The appointment of a Travel Specialist to arrange inward and outward travel authorisations as required under List X and the International Visits Control Office (2015).The appointment of a Data Owner who ensures document classification and management are correctly operated and manage authorisations to move data by hand orelectronically.Outsourced to a managed security service provider (MSSP) are a Security Operations Centre who perform Security Information and Event Management (SIEM) and provideThreat Intelligence.Human Resource: The Clearance Contact is aligned with the Human Resources function and reports to the HR Director. A resource dedicated to vetting staff and managingtraining and development so that staff possess the knowledge to maintain compliance with legislation, regulation and contracts. Also an ongoing high reliance on agencystaff indicates that a talent development and management plan is required.Compliance: To keep up with the web of legislations and regulation and ensure filings and submissions obligations are met the appointment of a Compliance Manager isneeded. This role will regularly check and report on sanctions, controls and embargos.Audit: The Auditor will ensure the controls are continuing to be applied and to assist in preparing CCC for external audits and certification and to prepare audits onsuppliers.Legal: Supporting the interpretation of legislation, regulation and contractual obligations the Legal Team will specialise in UK and US regions and collaborate on group wideactivities including protecting Intellectual Property through patents, trademarks and copyright. 
They will be involved in drafting contracts, RFP and tender responses,responding to information discovery request and other dealing with other legal matters.Sales and Marketing: The nature of the sales engagements where the opportunities are won via tender and the long duration of the research project would indicate thatonly a core team is required.Facilities: Physical building security measures and security staff, secure furniture, CCTV operation, health and safetyPage 54IT: Service Delivery and implementation and operation of the technology controls such as identity and access management, backups, software and hardware provisioning,managing communications devices etc will be overseen by the IT Directory and IT Operations ManagerResearch and Development: The various Head of Research and Development posts will provide day-to-day security and data owner and data governance functions andinterface with legal for IP protection.—END OF DOCUMENT—