MEETING: RSSB Board Meeting DATE: 03 November 2016 SUBJECT: Rail Industry Cyber Security Strategy SPONSOR: Mark Phillips AUTHOR: Tom Lee
1. Purpose of the paper

1.1 The purpose of this paper is to seek agreement of the board to remit the draft Rail Industry Cyber Security Strategy to RDG, in line with the new way of working recently agreed with industry bodies.

2. Background

2.1 Following requests from the Centre for Protection of National Infrastructure and the Department for Transport for RSSB to develop a Rail Industry Cyber Security Strategy, RSSB consulted with industry to seek support, and in November 2015 the board approved development of a cyber security strategy.

2.2 RSSB mobilised and developed a strategy overseen by a representative group established for this purpose, the Cyber Security Advisory Group (CSAG, see Annex A). CSAG included leading experts in the field from Network Rail, train operators, RoSCos, Police, Government, the security services and academia.

2.3 The draft Strategy has been subject to industry consultation during September/October, supplemented by briefing sessions to key stakeholder groups. The Strategy has been welcomed and detailed comments have been addressed.

3. The Strategy

3.1 Content

3.1.1 The Strategy has five chapters:

a. Introduction, setting out the target audience and roles and responsibilities. The approach is explained (understand, detect, protect, respond) and context is provided to help the rail industry understand threats and impacts.

b. Achieving our Vision, which presents a vision (the end game) with an associated mission (how we get there) and a set of five objectives (what we need to achieve to get to the vision). The chapter includes challenges and information on forthcoming legislation.

c. Actions, the key content of the Strategy, with ten actions to achieve the five objectives.

d. Assessing the impact, where governance, maturity assessment, monitoring, and review of the Strategy are presented.

e. Conclusion, which presents recommendations linked to the ten actions.

RSSB Board Meeting Final: 03 November 2016 Page 1 of 2

3.1.2 Actions are written as pledges, demonstrating an industry commitment to deliver the intent of the Strategy. This commitment has been supported by the CSAG and tested through consultation.

3.2 Industry support

The draft Strategy was consulted with industry. 767 individual requests were sent to 227 organisations; in addition, the material was shared with various stakeholder groups. 21 people responded from 18 organisations with a total of 264 detailed comments and 56 sets of answers to more general questions on governance, assessment, monitoring, review and omissions. Views on implementation were also sought, which elicited 13 sets of comments.

All of the consultees provided positive responses, but there were some challenges too. The vast majority have resulted in changes to the Strategy; a handful were not supported as they were contrary to prior agreements made with CSAG. Detailed responses are being prepared to every comment and these will be returned to consultees. A summary of the comments is included in Annex B.

Endorsement of the Strategy by CSAG is being sought ahead of the board meeting on 3 November.

4. Next steps

4.1 Since commencing work on the Strategy, there has been an evolution in RSSB's position in the industry and increased clarity in the role of RDG and RSG.

4.2 Using the model developed as part of the ORR Review, the Strategy is an example of discretionary work undertaken by RSSB.

4.3 Given the above, it is proposed that the board remits the Strategy to RDG along with the detailed responses to the industry consultation.

5. Recommendations

5.1 The RSSB board is requested to REMIT the draft Rail Industry Cyber Security Strategy to RDG, including the detailed responses to the industry consultation.

Annex A Cyber Security Advisory Group

A.1 Membership

A.1.1 The membership of the cyber security advisory group was drawn from duty holders, RoSCos, security services and governmental organisations. Members were selected by their employers or other representative groups, such as the Chief Information Officers Forum.

A.1.2 Members included: Abellio, Arriva, ATOC, BTP, CPNI, Imperial College London, Colas Rail, Crossrail, DfT, GB Railfreight, GWR, Go-Ahead Group, London Midland, Network Rail, ORR, Porterbrook and Stagecoach.

A.2 Meetings

A.2.1 CSAG met nine times between February and July 2016, with a final meeting by telephone in October. The group has now been disbanded as it has fulfilled its purpose.

A.2.2 CSAG has helped shape the development of the strategy, with members providing material and reviewing draft content. To inform development, presentations were received from duty holders, government bodies and academia. Content was drafted by RSSB, supported by PA Consulting.

A.3 Conclusion

A.3.1 The final position from CSAG will be confirmed at the 3 November Board meeting, because the last CSAG meeting falls after the close of this paper.

Annex B Summary of consultation responses

A.4 Introduction

A.4.1 Consultees were requested to answer five questions. The first identified their role and the capacity in which they were responding. The second concerned any general views on governance, assessment, monitoring and review of the strategy. Question three requested detailed comments on the strategy and the fourth question asked for any omissions in the strategy. The fifth question sought views on implementation.

A.4.2 Most respondents were replying on behalf of their organisation and were responsible for contributing at a senior level on cyber security; some were the professional leads for cyber security.

A.4.3 Only responses to questions three and four materially affect the strategy document. The vast majority of the 264 detailed comments have been accepted and revisions made. The few that have not been accepted have been considered carefully, but have not been addressed as they generally contradict other comments or agreements and direction from the CSAG. A detailed response to each comment has been prepared.

A.4.4 Responses to the other questions, summarised below, need to be taken into account in the future development of the strategy and, in particular, implementation. Overall, the comments were positive, supportive and constructive.

A.5 Governance, assessment, monitoring and review of the strategy

A.5.1 There was very strong support for the development of an assessment framework and a related cyber-informed procurement process. Benchmarking between companies/suppliers was seen as important, including non-rail companies for comparison purposes. There was support for this to be independent and external to an organisation whilst the industry is relatively immature.

A.5.2 Raising industry awareness was considered important and general competency was seen as an area of weakness, with a competency framework recommended and many requests for further support. One correspondent summed up the views of many by stating that the biggest challenge is behavioural change.

A.5.3 In implementing the strategy, there were requests for alignment to industry standards (in particular ISO27001 Information security management and IEC62443 Industrial communication networks: Network and system security, in draft) and the government's Cyber Essentials and National Rail Security Plan. The strategy is intended to achieve this, at the level that it is written.

A.5.4 There were written comments and feedback at stakeholder meetings requesting greater regulation. These reflect concerns that there is too much dependence on self-assessment and commitment rather than compulsion. There was a perception that organisations that adopted the strategy could be undermined, technically and commercially, by those that had not. There were also comments that the strategy was too dependent on trust and goodwill between industry partners.

A.5.5 There were many comments about needing to have clarity on roles and responsibilities. The strategy was criticised for stopping short of implementation and the resourcing, both people and financial, that implementation will require.

A.5.6 For governance of the strategy, there was general support for RSSB having a role, with a group such as the High Integrity Systems Group recommended as a sensible arrangement for governance. A counter proposal was that the DfT should execute governance, particularly because of their current engagement in cyber security.

A.5.7 The need for continual monitoring of implementation was noted, with one respondent stressing that intermittent monitoring was insufficient. Help and support for monitoring was requested by several respondents.

A.5.8 There were very few specific comments on future reviews of the strategy, but one respondent urged that advances in technology need to be taken into account.

A.6 Omissions

A.6.1 There were few comments (eleven) about omissions and two comments praising the strategy on its completeness. It is considered that many of these are best addressed through implementation. A request was made for comparison to other industries.

A.6.2 The lack of an overall system authority was highlighted as a need; system-wide detection and the response to manage whole-system risk were considered weak.

A.6.3 One commentator expressed concern that the strategy didn't adequately recognise the criminal aspects of cyber security and the need for criminal investigations. The internal threat was felt not to be sufficiently recognised, and it was felt that there needed to be greater distinction between organisation security and system security (which the respondent defined as the difference between the overall security and the security of individual equipment).

A.6.4 The adequacy of self-assessment and the need for a supplier assurance framework were raised as omissions, in addition to comments made in response to the other questions. A closer alignment with DfT guidance, particularly in respect of intelligent defence and protection, was requested and, also similar to comments to other questions, the imperative (or compulsion to act) was felt to be not strong enough.

A.6.5 More detail on a multi-layered approach, security-informed safety cases and measures for detection/monitoring and prevention was requested. Addressing legacy systems and management of obsolescence was also felt to be inadequate. One respondent requested that ticketing, revenue systems and other commercial transactions should be included. It was felt that there was insufficient consideration of protection of customer data and the relationship with other legislation, such as the Data Protection Act. This contradicts the original agreed scope of the work.

A.7 Implementation

A.7.1 Many comments on implementation were embedded in other comments (some of which are summarised above). There were significant calls for support for implementation and concern that the existing industry frameworks are not set up for this. The concept of an overall railway system authority came up repeatedly and respondents started to identify roles and responsibilities for this notional body. In the absence of a single system authority, clear definitions of systems, boundaries and roles and responsibilities were seen as very important.

A.7.2 Further comments were made on the challenge of staff engagement, and the need for common assurance and assessment processes was stressed again. One suggestion was to use similar accreditation schemes as used for military or nuclear suppliers.

A.7.3 Greater regulation and enforcement was requested, with the need for appropriate remedies for failure to implement. Industry compliance was noted as a massive task and a request was made for an industry impact assessment.

A.7.4 The strategy positioned rail as leading the way on cyber security, but one correspondent considered that this contradicted the proportionate and appropriate response advocated by the strategy. Others didn't comment on this.

A.7.5 The draft strategy proposed a monitoring and review role for RSSB, overseen by the Board. There were no adverse comments to this principle and some respondents specifically noted agreement. However, this has been removed as it prejudges how RDG may wish to handle the strategy subsequent to the repositioning of RSSB. A suggestion was made for RSSB to fund pilot projects to develop best practice and guidance. One comment summed up many quite well: "UK Rail needs to understand the enormity of the challenge and take the appropriate remedial action as soon as possible, by engaging with the appropriate agencies that can provide direction and also provide the controls framework for third parties, suppliers, contract staff."

Attachment: draft Rail Industry Cyber Security Strategy
More informationData Security Standards
Data Security Standards Overall guide The bigger picture of where the standards fit in 2018 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a
More informationARTICLE 29 DATA PROTECTION WORKING PARTY
ARTICLE 29 DATA PROTECTION WORKING PARTY 18/EN WP261 Article 29 Working Party Draft Guidelines on the accreditation of certification bodies under Regulation (EU) 2016/679 Adopted on 6 february 2018 1 THE
More informationGatekeeper Public Key Infrastructure Framework. Information Security Registered Assessors Program Guide
Gatekeeper Public Key Infrastructure Framework Information Security Registered Assessors Program Guide V 2.1 December 2015 Digital Transformation Office Commonwealth of Australia 2015 This work is copyright.
More informationUK EPR GDA PROJECT. Name/Initials Date 30/06/2011 Name/Initials Date 30/06/2011. Resolution Plan Revision History
RP unique number: GI-UKEPR-CI-01-RP 0 30/06/2011 1 of 19 Approved for EDF by: A. PETIT Approved for AREVA by: C. WOOLDRIDGE Name/Initials Date 30/06/2011 Name/Initials Date 30/06/2011 Resolution Plan History
More informationNew Zealand Certificate in Regulatory Compliance (Core Knowledge) (Level 3)
New Zealand Certificate in Regulatory Compliance (Core Knowledge) (Level 3) If your staff need to learn the basics about regulatory compliance in New Zealand, then this is the paper for them. This qualification
More informationSRM Service Guide. Smart Security. Smart Compliance. Service Guide
SRM Service Guide Smart Security. Smart Compliance. Service Guide Copyright Security Risk Management Limited Smart Security. Smart Compliance. Introduction Security Risk Management s (SRM) specialists
More informationThe Key Principles of Cyber Security for Connected and Automated Vehicles. Government
The Key Principles of Cyber Security for Connected and Automated Vehicles Government Contents Intelligent Transport System (ITS) & Connected and Automated Vehicle (CAV) System Security Principles: 1. Organisational
More informationSOC for cybersecurity
April 2018 SOC for cybersecurity a backgrounder Acknowledgments Special thanks to Francette Bueno, Senior Manager, Advisory Services, Ernst & Young LLP and Chris K. Halterman, Executive Director, Advisory
More informationBusiness Continuity Policy
Business Continuity Policy Version Number: 3.6 Page 1 of 14 Business Continuity Policy First published: 07-01-2014 Amendment record Version Date Reviewer Comment 1.0 07/01/2014 Debbie Campbell 2.0 11/07/2014
More informationTechnical Advisory Board (TAB) Terms of Reference
Technical Advisory Board (TAB) Terms of Reference ACS Technical Advisory Board Terms of Reference V1.1 27 May 2017 Page 1 ACS Technical Advisory Board Terms of Reference V1.1 27 May 2017 Page 1 CONTENTS
More informationSecurity Director - VisionFund International
Security Director - VisionFund International Location: [Europe & the Middle East] [United Kingdom] Category: Security Job Type: Open-ended, Full-time *Preferred location: United Kingdom/Eastern Time Zone
More informationINCEPTION IMPACT ASSESSMENT. A. Context, Problem definition and Subsidiarity Check
TITLE OF THE INITIATIVE LEAD DG RESPONSIBLE UNIT AP NUMBER LIKELY TYPE OF INITIATIVE INDICATIVE PLANNING December 2017 ADDITIONAL INFORMATION - INCEPTION IMPACT ASSESSMENT Governmental Satellite Communications
More informationOur Data Protection Officer is Andrew Garrett, Operations Manager
Construction Youth Trust Privacy Notice We are committed to protecting your personal information Construction Youth Trust is committed to respecting and keeping safe any personal information you share
More informationWelcome John Harris, Director General
Business Plan 2018 Welcome John Harris, Director General Agenda - speakers Chief Minister, Senator Ian Gorst, Government of Jersey Key highlights of Lord Eatwell, Chairman, JFSC Strategic and major priorities
More informationElectronic Commerce Working Group report
RESTRICTED CEFACT/ECAWG/97N012 4 December 1997 Electronic Commerce Ad hoc Working Group (ECAWG) Electronic Commerce Working Group report SOURCE: 10 th ICT Standards Board, Sophia Antipolis, 4 th November
More informationDirector, Major Projects and Resilience. To: Planning and Performance Committee 6 November 2014
Item Number: B1 By: Director, Major Projects and Resilience To: Planning and Performance Committee 6 November 2014 Subject: Classification: KENT RESILIENCE TEAM Unrestricted FOR DECISION SUMMARY This report
More informationSWIFT Customer Security Controls Framework and self-attestation via The KYC Registry Security Attestation Application FAQ
SWIFT Customer Security Controls Framework and self-attestation via The KYC Registry Security Attestation Application FAQ 1 SWIFT Customer Security Controls Framework Why has SWIFT launched new security
More informationCERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION
CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION Introduction The IFFO RS Certification Programme is a third party, independent and accredited
More informationSECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives
SECURING THE UK S DIGITAL PROSPERITY Enabling the joint delivery of the National Cyber Security Strategy's objectives 02 November 2016 2 SECURING THE UK S DIGITAL PROSPERITY SECURING THE UK S DIGITAL PROSPERITY
More informationLevel 4 Diploma in Computing
Level 4 Diploma in Computing 1 www.lsib.co.uk Objective of the qualification: It should available to everyone who is capable of reaching the required standards It should be free from any barriers that
More informationBBC Executive response to BBC Trust request for clarification Project Canvas Executive Summary
BBC Executive response to BBC Trust request for clarification Project Canvas Executive Summary 1. Overview The BBC submitted its proposals for Project Canvas to the BBC Trust in November 2008 and the proposals
More informationAudit of Information Technology Security: Roadmap Implementation
ASSISTANT DEPUTY MINISTER (REVIEW SERVICES) Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED. Audit of Information Technology Security: Roadmap Implementation
More informationAudit Report. The Prince s Trust. 27 September 2017
Audit Report The Prince s Trust 27 September 2017 Contents 1 Background 1 1.1 Scope 1 1.2 Audit Report and Action Plan Timescales 2 1.3 Summary of Audit Issues and Recommendations 3 1.4 Risk Rating of
More informationICAEW REPRESENTATION 68/16
ICAEW REPRESENTATION 68/16 Improving the Structure of the Code of Ethics for Professional Accountants - Phase 1 ICAEW welcomes the opportunity to comment on the Improving the Structure of the Code of Ethics
More informationPolicy on the Provision of Mobile Phones
Provision of Mobile Phones Policy on the Provision of Mobile Phones Originator name: Section / Dept: Implementation date: Date of next review: Related policies: Policy history: Roger Stickland Approval
More informationCERT.LV activities, role in Latvia and globally. Baiba Kaskina, CERT.LV , Sofia, Bulgaria
CERT.LV activities, role in Latvia and globally Baiba Kaskina, CERT.LV 30.11.2016., Sofia, Bulgaria CERT.LV Overview CERT.LV Information Technology Security Incident Response Institution of the Republic
More information