Cyber risk resilience


Cyber risk resilience: a consistent approach for a consistently major risk
Sara Walton, Standards Market Development (Risk, Resilience, Governance), BSI
12 September 2017
Copyright 2017 BSI. All rights reserved.

Cyber security: the challenge

Resilience: "Organizational resilience is the ability of an organization to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper." (BS 65000, Guidance on organizational resilience)

Cyber security isn't just about technology: more than anything, it's about you.

The human dimension

General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
- Applies from 25 May 2018.
- Note the accountability principle: organizations must be able to demonstrate (prove) compliance, not merely be compliant.
- Administrative fines of up to the greater of 4% of total worldwide annual turnover or €20 million.

General Data Protection Regulation: compliance
- Establish leadership.
- Map personal data.
- Analyze processes for compliance.
- Establish risks and the approach to them.
- Communicate with and train staff (and business networks).
- Monitor, review, etc.
i.e. implement consistent best practices to influence culture and practice.

Standards are made by people for people. BSI, as the UK National Standards Body, publishes around 2,500 and withdraws over 1,000 standards per annum. This maintains a coherent, consistent body of knowledge for industry, government and the public. Our role is to be an independent facilitator for industry experts. 95% of British Standards published each year are international and European. For BSI, standards are a consensus of what good looks like.

The international and European standards bodies
- ISO (International Organization for Standardization): 164 National Standards Body members globally; ISO CASCO is the ISO committee on conformity assessment.
- IEC (International Electrotechnical Commission): 80 members (National Committees) and 80 affiliates globally.
- ITU (International Telecommunication Union): agency of the UN; members are national governments and industry (BSI supports DCMS).
- CEN (European Committee for Standardization) and CENELEC (European Committee for Electrotechnical Standardization): 33 member countries (EU 28, EFTA 3, FYROM and Turkey); 24 countries, including the UK, have common members of both CEN and CENELEC.
- ETSI (European Telecommunications Standards Institute): industry, government and NSB members.

Information resilience: PAS (Publicly Available Specifications)
- PAS 555:2013 Cyber security risk. Governance and management. Specification
- PAS 754:2014 Software trustworthiness. Governance and management. Specification
- PAS 1192-5:2015 Specification for security-minded building information modelling, digital built environments and smart asset management
- PAS in development: Smart cities. Specification for establishing and implementing a security-minded approach

Information resilience: British Standards
- BS 7799-3 Information security risk management (Q3 2017)
- BS 31111 Cyber risk and resilience. Guide (2017)
- BS 10010 Information classification, marking and handling. Specification (published March 2017)
- BS 10012 Data protection. Specification for a personal information management system (published March 2017)

BS 31111 Cyber risk and resilience: setting the framework

Establishing context
- A clear strategy with your business objectives clearly stated.
- Should include all the internal and external uncertainties across the organization.

Risk identification
- A risk identification process that comprehensively connects the cyber environment and business objectives, so that risks are identified whether or not they are under the influence of the firm.

Risk analysis
- Develop a clear financial and operational understanding of the possible effects of the risks identified, and quantify them in a relevant business context.
- Assess likelihood and apply a risk ranking.

Risk evaluation
- Identify the risk owner.
- Describe the control and assess its effectiveness.
- Test and review the control.

Risk treatment
- Specify the risk treatment agreed and document the treatment plan.
- Assign to an appropriate owner and set a completion or review timetable.
- Document the expected change to the risk identified.

Summary
- Consistency
- Organization context: risks, best practice
- Technical and human solutions
- Cyber-aware culture
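The framework above is a process, not a tool, but the analysis, evaluation and treatment steps map naturally onto a risk register that can be checked mechanically. The following is an added example, not code from BSI or from BS 31111: a minimal register that ties each risk to a business objective (context), quantifies it as likelihood x financial impact, ranks the register, records the control and its effectiveness, and holds a treatment plan with owner, review date and the expected residual risk. The likelihood scale, the sample risks, the figures and the names (R1 to R3, the owners) are all constructed for illustration and are not taken from the standard.

```python
"""Cyber risk register sketch: context -> identify -> analyse -> evaluate -> treat.

Added example. The likelihood scale, sample risks and all figures are assumptions
made for this illustration; BS 31111 does not prescribe them.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed annual likelihood scale, as whole percentages so the arithmetic is exact.
LIKELIHOOD_PCT = {"rare": 5, "unlikely": 20, "possible": 50, "likely": 80}


@dataclass
class Treatment:
    action: str                 # the treatment agreed
    owner: str                  # who is assigned to deliver it
    review_by: date             # completion or review timetable
    expected_likelihood: str    # documented expected change to the risk...
    expected_impact_gbp: int    # ...expressed as residual likelihood and impact


@dataclass
class Risk:
    rid: str
    description: str
    objective: str              # business objective it threatens (context)
    owner: str                  # the risk owner
    likelihood: str             # key into LIKELIHOOD_PCT
    impact_gbp: int             # financial effect if the risk materialises
    control: str = "none"       # description of the current control
    control_effective: bool = False
    treatment: Optional[Treatment] = None

    def expected_loss(self, after_treatment: bool = False) -> float:
        """Likelihood x impact, either as identified or as expected after treatment."""
        if after_treatment and self.treatment is not None:
            pct = LIKELIHOOD_PCT[self.treatment.expected_likelihood]
            return pct * self.treatment.expected_impact_gbp / 100
        return LIKELIHOOD_PCT[self.likelihood] * self.impact_gbp / 100


def validate(risk: Risk) -> List[str]:
    """Return the problems that would make a register entry unusable."""
    issues = []
    if risk.likelihood not in LIKELIHOOD_PCT:
        issues.append(f"{risk.rid}: unknown likelihood '{risk.likelihood}'")
    if not risk.owner:
        issues.append(f"{risk.rid}: no risk owner identified")
    if risk.impact_gbp < 0:
        issues.append(f"{risk.rid}: negative impact")
    if risk.treatment and risk.treatment.expected_likelihood not in LIKELIHOOD_PCT:
        issues.append(f"{risk.rid}: unknown residual likelihood")
    return issues


def rank(risks: List[Risk]) -> List[Risk]:
    """Risk ranking by expected annual loss, highest first."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def untreated_with_ineffective_control(risks: List[Risk]) -> List[str]:
    """Evaluation gap: control judged ineffective but no treatment plan recorded."""
    return [r.rid for r in risks if not r.control_effective and r.treatment is None]


def overdue_reviews(risks: List[Risk], today: date) -> List[str]:
    """Treatment plans whose completion/review date has passed."""
    return [r.rid for r in risks if r.treatment and r.treatment.review_by < today]


def total_expected_loss(risks: List[Risk], after_treatment: bool = False) -> float:
    return sum(r.expected_loss(after_treatment) for r in risks)


def sample_register() -> List[Risk]:
    """Constructed sample data, not a real organisation's register."""
    return [
        Risk("R1", "Phishing leads to credential theft", "Protect customer accounts",
             "Head of IT", "likely", 250_000,
             control="Annual awareness training", control_effective=False,
             treatment=Treatment("Roll out MFA on all remote access", "IT ops lead",
                                 date(2017, 12, 1), "unlikely", 250_000)),
        Risk("R2", "Ransomware encrypts the file server", "Keep order processing running",
             "COO", "possible", 600_000,
             control="Nightly backups on the same network", control_effective=False,
             treatment=Treatment("Offline backups and restore test", "Infrastructure lead",
                                 date(2018, 3, 31), "possible", 60_000)),
        Risk("R3", "Supplier breach exposes customer data", "GDPR compliance",
             "DPO", "unlikely", 120_000,
             control="Contract clause only", control_effective=False),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for r in rank(reg):
        print(f"{r.rid} {r.expected_loss():>10,.0f} -> {r.expected_loss(True):>10,.0f}  {r.description}")
    print("no treatment plan:", untreated_with_ineffective_control(reg))
    print("overdue reviews:", overdue_reviews(reg, date(2018, 1, 1)))
```

Running the block ranks R2 above R1 and R3 by expected loss, flags R3 as having an ineffective control with no treatment plan, and reports R1's treatment as overdue for review on 1 January 2018. The residual-risk column is what the framework's last step ("document expected change to the risk identified") asks for, and comparing the two totals is the quickest way to show a board what the treatment plan buys.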

Thank you.
Sara Walton, Market Development Manager (Risk, resilience)
+44 20 8996 7792
sara.walton@bsigroup.com

Appendix Additional information slides

UK experts participate in 95% of international standards committees; the UK hosts 200 international committees, including all the major business standards.

BSI is the UK National Standards Body and is responsible for all national, regional and international standards used in the UK, and for maintaining the infrastructure for UK experts to participate in all relevant organizations. All ENs and most international (ISO, IEC) standards are adopted as BS and conflicting standards are withdrawn. All BSI work must meet the three fundamental WTO principles: full stakeholder engagement, open public consultation and consensus. National standards work alongside other codes and industry best practice:
- International standards (ISO, IEC)
- British national adoptions of European standards (BS ENs) and/or ISO/IEC
- British Standards (BS) and sponsored standards (BSI PAS)
- Private and consortia standards, corporate technical specifications, professional codes and guidance

BSI Group structure
- Policy, Engagement: UK National Standards Body
- Assessment and Certification: compliance support
- Standards: market development, committee management
- Information Solutions: sales, membership, ICT platforms
- Training
- Advisory Services

NSB strategic engagement
- Business: CBI, IoD, FSB, Digital Catapult, Future Cities Catapult, Transport Systems Catapult, High Value Manufacturing Catapult, Energy Systems Catapult
- Academia: Cambridge, Edinburgh, ICL, Strathclyde, Surrey, UCL
- Central Government: BIS, Cabinet Office, UKTI, FCO, No. 10, Innovate UK, MOD, DCMS, IPO, Research Councils
- Regional Government: Scotland, Wales
- Regulators: Finance (FCA); Health (CQC, DoH, HSE); Food (FSA, Elliott Review)
- Professions: techUK, BCS, ICE, IET, Royal Colleges, CSFC
- Public: TUC, NGOs
- Consumers: CPISAC, IEHF
- Charities: RNIB, Alzheimer's Society
- Authorities: Trading Standards Institute, SCOTTS

The standards development cycle
idea -> representative stakeholder group -> drafting -> public consultation -> review comments -> consensus -> publish and support -> feedback and new proposals (back to idea)

UK cyber security breaches survey 2017 (https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2017)
- Continuing trends online: since 2016 the proportion of businesses with websites (85%) or social media pages (59%) has risen (by 8 and 9 percentage points respectively), as has the use of cloud services (from 49% to 59%).
- Steady trend of cyber security improvement: three-quarters (74%) of UK businesses say that cyber security is a high priority for their senior management; three in ten (31%) say it is a very high priority. A majority of businesses (67%) have spent money on their cyber security, and this again tends to be higher among medium firms (87%) and large firms (91%).
- But 46% of UK businesses identified at least one cyber security breach or attack in the last year, rising to two-thirds among medium firms (66%) and large firms (68%). The average business identified 998 breaches last year and faces costs of £1,570 as a result of these breaches. The figure is much higher for the average large firm, at £19,600; the average medium firm (£3,070) and micro and small firms (£1,380) also incur sizeable costs.

National Cyber Security Strategy 2016 to 2021 (https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021)
- Vision: the UK is secure and resilient to cyber threats, prosperous and confident in the digital world.
- HMG is investing £1.9 billion over five years in defending HMG systems and infrastructure, deterring adversaries, and developing a whole-society capability, from the biggest companies to the individual citizen.
- Three prongs: defend, deter and develop.
- Selected intentions: a National Cyber Security Centre; organisations in the UK to manage cyber risk, backed by regulation and incentives; technology products and services to have cyber security designed into them; HMG (and HMG suppliers) to meet and drive the development of appropriate standards.

[Figure: Information security ISO/IEC standards (27k series). Source: ISO/IEC 27000:2016]

Relevant future SC27 standards (title | estimated date | stage)
- ISO/IEC 29134 Guidelines for privacy impact assessment | 2017 | publish soon
- ISO/IEC 29151 Code of practice for personally identifiable information protection | 2017 | FDIS
- ISO/IEC 27021 Competence requirements for information security management systems professionals | 2017/8 | DIS / FDIS
- ISO/IEC 27007 Guidelines for information security management systems auditing (revision) | 2017/8 | DIS / FDIS
- ISO/IEC 27008 Guidelines for the assessment of information security controls (revision) | 2017/8 | DIS / FDIS
- ISO/IEC 27552 Enhancement to ISO/IEC 27001 for privacy management. Requirements | 2019/2020 | AWI
- ISO/IEC 29184 Guidelines for online privacy notices and consent | 2020? | AWI

Development areas for standardization
- Cyber security
- Big data
- Internet of Things
- Blockchain / DLT
- Artificial intelligence
- VR / AR