Cyber risk resilience: a consistent approach for a consistently major risk
Sara Walton, Standards Market Development (Risk, Resilience, Governance), BSI
12 Sept 2017
Copyright 2017 BSI. All rights reserved
Cyber security: the challenge
Resilience
"Organizational resilience is the ability of an organization to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper." (BS 65000, Guidance on organizational resilience)
Cyber security isn't just about technology: more than anything, it's about you.
The human dimension
General Data Protection Regulation (GDPR), Regulation (EU) 2016/679
- Applies from 25 May 2018
- Note the accountability principle: organizations must be able to demonstrate compliance, not merely be compliant
- Sanctions of up to the greater of 4% of annual worldwide turnover or €20m
General Data Protection Regulation: compliance
- Establish leadership
- Map personal data
- Analyze processes for compliance
- Establish risks and the approach to them
- Communicate with and train staff (and business networks)
- Monitor, review, etc.
i.e. implement consistent best practices to influence culture and practice.
Standards are made by people for people. BSI, as the UK National Standards Body, publishes 2,500 and withdraws over 1,000 standards per annum. This maintains a coherent, consistent body of knowledge for industry, government and the public. Our role is to be an independent facilitator for industry experts. 95% of British Standards published each year are international and European. For BSI, standards are a consensus of what good looks like.
The international and European standards bodies
- ISO (International Organization for Standardization): 164 National Standards Body members globally
- ISO CASCO: ISO committee on conformity assessment
- IEC (International Electrotechnical Commission): 80 members (National Committees) and 80 affiliates globally
- ITU (International Telecommunication Union): agency of the UN; members are national governments and industry (BSI supports DCMS)
- CEN (European Committee for Standardization) and CENELEC (European Committee for Electrotechnical Standardization): 33 member countries (EU 28, EFTA 3, FYROM and Turkey); 24 countries, including the UK, have common members of both CEN and CENELEC
- ETSI (European Telecommunications Standards Institute): industry, government and NSB members
Information resilience: PAS
- PAS 555:2013 Cyber security risk. Governance and management. Specification
- PAS 754:2014 Software trustworthiness. Governance and management. Specification
- PAS 1192-5:2015 Specification for security-minded building information modelling, digital built environments and smart asset management
- PAS in development: Smart cities. Specification for establishing and implementing a security-minded approach
Information resilience: British Standards
- BS 7799-3 Information security risk management (Q3 2017)
- BS 31111 Cyber risk and resilience. Guide (2017)
- BS 10010 Information classification, marking and handling. Specification (published March 2017)
- BS 10012 Data protection. Specification for a personal information management system (published March 2017)
BS 31111 Cyber risk & resilience: setting the framework
- Establishing context: a clear strategy with your business objectives clearly stated. Should include all the internal and external uncertainties across the organization.
- Risk identification: a process that comprehensively connects the cyber environment and the business objectives, so that risks are identified whether or not they are under the influence of the firm.
- Risk analysis: develop a clear financial and operational understanding of the possible effects of the risks identified, and quantify them in a relevant business context.
- Risk evaluation: assess likelihood and apply a risk ranking. Identify the risk owner. Describe each control and assess its effectiveness. Test and review the control.
- Risk treatment: specify the risk treatment agreed and document the treatment plan. Assign it to an appropriate owner. Set a completion or review timetable. Document the expected change to the risk identified.
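The stages above describe what a cyber risk register must record: the business objective each risk threatens, a named owner, a likelihood and impact ranking, controls with an assessed effectiveness and a test date, and a treatment plan with an owner and a completion date. The following register is an added illustration written for this page, not BSI code and not anything BS 31111 prescribes. The 1-5 likelihood and impact scale, the multiplicative discount of the inherent score by control effectiveness, the review interval per control and the sample risks are all assumptions chosen for the example.

```python
"""Minimal cyber risk register modelled on the BS 31111 stages listed on the slide.

Added example, not BSI code. Scoring scale, effectiveness discount and review
intervals are assumptions for illustration, not requirements of BS 31111.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Control:
    description: str
    effectiveness: float           # assumed scale: 0.0 (no effect) .. 1.0 (fully mitigates)
    last_tested: Optional[date]    # None means the control has never been tested
    review_interval_days: int = 365


@dataclass
class Treatment:
    action: str
    owner: str
    due: date                      # completion or review date agreed for the plan
    expected_residual_score: int   # the documented expected change to the risk


@dataclass
class Risk:
    ref: str
    description: str
    business_objective: str        # links the risk back to the "establishing context" stage
    owner: str
    likelihood: int                # assumed 1..5 scale
    impact: int                    # assumed 1..5 scale, set from the financial/operational analysis
    impact_gbp: int                # financial understanding of the effect (constructed figure)
    controls: List[Control] = field(default_factory=list)
    treatments: List[Treatment] = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        # Controls discount the inherent score multiplicatively:
        # two 50%-effective controls leave 25% of the inherent score.
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return round(self.inherent_score() * remaining, 2)

    def controls_overdue(self, today: date) -> List[Control]:
        # A control that was never tested, or whose test is older than its
        # review interval, cannot be credited with its claimed effectiveness.
        return [c for c in self.controls
                if c.last_tested is None
                or (today - c.last_tested).days > c.review_interval_days]


def validate(risk: Risk) -> List[str]:
    """Return the governance gaps the slide calls out: no owner, untested control, unowned treatment."""
    problems = []
    if not risk.owner:
        problems.append(f"{risk.ref}: no risk owner")
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        problems.append(f"{risk.ref}: likelihood and impact must be on the 1-5 scale")
    for c in risk.controls:
        if c.last_tested is None:
            problems.append(f"{risk.ref}: control '{c.description}' has never been tested")
    for t in risk.treatments:
        if not t.owner:
            problems.append(f"{risk.ref}: treatment '{t.action}' has no owner")
    return problems


def rank(register: List[Risk]) -> List[Risk]:
    """Highest residual score first; ties broken by inherent score, then reference."""
    return sorted(register, key=lambda r: (-r.residual_score(), -r.inherent_score(), r.ref))


def build_sample_register() -> List[Risk]:
    # Constructed sample data for the example; not drawn from any real organization.
    return [
        Risk("R1", "Ransomware encrypts order-fulfilment file servers", "Continue order fulfilment",
             "Head of IT", likelihood=4, impact=5, impact_gbp=250_000,
             controls=[Control("Offline backups, restore tested quarterly", 0.5, date(2017, 6, 1), 90)],
             treatments=[Treatment("Deploy application allow-listing", "Head of IT", date(2018, 3, 31), 10)]),
        Risk("R2", "Personal data disclosed via mis-addressed email", "Meet GDPR obligations",
             "DPO", likelihood=3, impact=4, impact_gbp=50_000,
             controls=[Control("DLP rule on outbound mail", 0.25, None)]),
        Risk("R3", "Supplier portal credentials phished", "Protect the supply chain",
             "", likelihood=2, impact=3, impact_gbp=20_000,
             treatments=[Treatment("Enforce MFA on the supplier portal", "", date(2017, 12, 31), 3)]),
    ]


if __name__ == "__main__":
    today = date(2017, 9, 12)
    for r in rank(build_sample_register()):
        overdue = [c.description for c in r.controls_overdue(today)]
        print(f"{r.ref} inherent={r.inherent_score()} residual={r.residual_score()} "
              f"owner={r.owner or 'UNASSIGNED'} overdue_controls={overdue} gaps={validate(r)}")
```

Ranking by residual rather than inherent score is deliberate: a highly effective control earns a lower ranking, but only while its test date is inside the review interval, which is why `controls_overdue` is reported alongside the score.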
Summary
- Consistency
- Organization context: risks, best practice
- Technical and human solutions
- Cyber-aware culture
Thank you.
Sara Walton, Market Development Manager (Risk, resilience)
00 44 208 996 7792
sara.walton@bsigroup.com
Appendix: additional information slides
UK experts participate in 95% of international standards committees; the UK hosts 200 international committees, including all the major business standards.
BSI is the UK National Standards Body and is responsible for all national, regional and international standards used in the UK, and for maintaining the infrastructure for UK experts to participate in all relevant organizations. All ENs and most international (ISO, IEC) standards are adopted as BS and conflicting standards withdrawn. All BSI work must meet the three fundamental WTO principles: full stakeholder engagement, open public consultation and consensus. National standards work alongside other codes and industry best practice, etc.
Layers of standards:
- International standards (ISO, IEC)
- British national adoption of European standards (BS ENs) and/or ISO/IEC
- British Standards (BS) and sponsored standards (BSI PAS)
- Private and consortia standards, corporate technical specifications, professional codes and guidance
BSI Group structure
- Policy, Engagement
- UK National Standards Body: Standards Market Development, Committee management
- Assessment and Certification
- Compliance support
- Information Solutions: Sales, Membership, ICT Platforms
- Training
- Advisory Services
NSB strategic engagement
- Industry stakeholders
  - Business: CBI, IoD, FSB, Digital Catapult, Future Cities Catapult, Transport Systems Catapult, High Value Manufacturing Catapult, Energy Systems Catapult
  - Academia: Cambridge, Edinburgh, ICL, Strathclyde, Surrey, UCL
  - Professions: techuk, BCS, ICE, IET, Royal Colleges, CSFC
- Government
  - Central government: BIS, Cabinet Office, UKTI, FCO, No. 10, Innovate UK, MOD, DCMS, IPO, Research Councils
  - Regional government: Scotland, Wales
  - Regulators: Finance (FCA); Health (CQC, DoH, HSE); Food (FSA, Elliott Review)
- Public
  - TUC, NGOs
  - Consumers: CPISAC, IEHF
  - Charities: RNIB, Alzheimer's Society
  - Authorities: Trading Standards Institute, SCOTTS
The standards development cycle
idea -> representative stakeholder group -> drafting -> public consultation -> review comments -> consensus -> publish and support -> feedback and new proposals -> (back to idea)
UK Cyber Security Breaches Survey 2017
Continuing trends online:
- Since 2016, the proportion of businesses with websites (85%) or social media pages (59%) has risen (by 8 and 9 percentage points respectively), as has the use of cloud services (from 49% to 59%).
Steady trend of cyber security improvement:
- Three-quarters (74%) of UK businesses say that cyber security is a high priority for their senior management; three in ten (31%) say it is a very high priority.
- A majority of businesses (67%) have spent money on their cyber security; this again tends to be higher among medium firms (87%) and large firms (91%).
But:
- 46% of UK businesses identified at least one cyber security breach or attack in the last year, rising to two-thirds among medium firms (66%) and large firms (68%).
- The average business identified 998 breaches last year.
- The average business faces costs of £1,570 as a result of these breaches. This is much higher for the average large firm, at £19,600. The average medium firm (£3,070) and micro and small firms (£1,380) also incur sizeable costs.
Source: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2017
National Cyber Security Strategy 2016 to 2021
Vision: the UK is secure and resilient to cyber threats; prosperous and confident in the digital world.
HMG is investing £1.9 billion over five years in defending HMG systems and infrastructure, deterring adversaries, and developing a whole-society capability, from the biggest companies to the individual citizen.
Three prongs: defend, deter and develop.
Selected intentions:
- National Cyber Security Centre
- Organisations in the UK to manage cyber risk, backed by regulation and incentives
- Technology products and services to have cyber security designed into them
- HMG (and HMG suppliers) meets and drives the development of appropriate standards
Source: https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021
Information security ISO/IEC standards (27k series)
[Figure: the ISO/IEC 27000-series family of standards. Source: ISO/IEC 27000:2016]
Relevant future SC27 standards

| Standard | Title | Est. date | Stage |
|---|---|---|---|
| ISO/IEC 29134 | Guidelines for privacy impact assessment | 2017 | Publish soon |
| ISO/IEC 29151 | Code of practice for personally identifiable information protection | 2017 | FDIS |
| ISO/IEC 27021 | Competence requirements for information security management systems professionals | 2017/8 | DIS / FDIS |
| ISO/IEC 27007 | Guidelines for information security management systems auditing (revision) | 2017/8 | DIS / FDIS |
| ISO/IEC 27008 | Guidelines for the assessment of information security controls (revision) | 2017/8 | DIS / FDIS |
| ISO/IEC 27552 | Enhancement to ISO/IEC 27001 for privacy management. Requirements | 2019/2020 | AWI |
| ISO/IEC 29184 | Guidelines for online privacy notices and consent | 2020? | AWI |
Development areas for standardization
- Cyber security
- Big data
- Internet of Things
- Blockchain/DLT
- Artificial intelligence
- VR/AR