Training

Cyber attack schemes

by Mark Rowe

Newly launched are two official schemes to provide access to industry expertise to respond effectively to the consequences of cyber security attacks. They are by CESG, the Information Security arm of GCHQ (http://www.gchq.gov.uk), and the Centre for the Protection of National Infrastructure (CPNI), in collaboration with the Council of Registered Ethical Security Testers (CREST), the professional body representing the technical security industry.

The Cyber Incident Response schemes follow on from the pilot run by CESG and CPNI from November 2012 and funded by the National Cyber Security Programme. The new CESG scheme will provide a list of government-assured, certified providers of response and clean-up services in the event of a cyber-attack.

The pilot concluded that the objectives of the National Cyber Security Strategy in providing greater resilience to Critical National Infrastructure (CNI) companies, as well as the wider public and private sectors, can be best met by adopting a complementary twin track approach for certified Cyber Incident Response services:

  • A scheme led by CREST and endorsed by GCHQ and CPNI, which focuses on appropriate standards for incident response aligned to demand from all sectors of industry, the wider public sector and academia.

  • A small and focused Government-run Cyber Incident Response scheme certified by GCHQ and CPNI responding to sophisticated, targeted attacks against networks of national significance.

This approach will enable all those organisations that may be victims of cyber-attack – SMEs, national and multinational industry, the CNI, the wider public sector and central government – to source an appropriate incident response service tailored to their particular needs and allow GCHQ and CPNI to focus on the most challenging attacks.

Industry-led certification

CREST, a not-for-profit organisation, has worked with industry and government to define standards that companies providing ‘Cyber Security Incident Response (CSIR)’ services should have in place to protect client information. CREST will audit the service providers against these standards and ensure compliance through codes of conduct. This, together with professional qualifications for individuals, will provide the buying community with confidence in the integrity and competence of the companies with whom they are contracting.

The CREST standard for the industry-led segment will act as a foundation to establish a UK cyber incident response industry able to tackle the vast majority of cyber-attacks. This will enable service providers to establish a track record and, if they so choose, apply for certification under the CESG/CPNI-led scheme for the most sophisticated cyber-attacks.

CESG/CPNI-led certification

Some organisations need incident response support equipped to tackle the most sophisticated of attacks. Only a small number of industry providers are likely to achieve the necessary expertise and quality standards to successfully tackle the threats and techniques employed by highly skilled threat actors and related to networks of national significance.

The detailed requirements for these providers are available on the CESG website (www.cesg.gov.uk).

Chloë Smith, Minister for Cyber Security said: “We know that UK organisations are confronted with cyber threats that are growing in number and sophistication. The best defence for organisations is to have processes and measures in place to prevent attacks getting through, but we also have to recognise that there will be times when attacks do penetrate our systems and organisations want to know who they can reliably turn to for help. I am delighted to announce a unique Government-Industry partnership to tackle the effects of cyber incidents. This scheme and others like it, together with the ‘10 Steps to Cyber Security’ guidance for business launched last year, are an important part of our effort to provide assistance to industry and government in order to protect UK interests in cyberspace.”

Notes

The UK Cyber Security Strategy – http://www.cabinetoffice.gov.uk/resource-library/cyber-security-strategy

The National Cyber Security Programme is run by the Office of Cyber Security and Information Assurance (OCSIA) within Cabinet Office and coordinates work by Government Departments to implement the UK Cyber Security Strategy. To find out more about the Office of Cyber Security and Information Assurance – visit: https://www.gov.uk/government/policy-teams/office-of-cyber-security-and-information-assurance.

“10 Steps to Cyber Security” was launched in September 2012, aimed at business leaders, describing the cyber security threat and providing advice on the basic measures to increase cyber security within their organisations: http://www.bis.gov.uk/news/topstories/2012/Aug/cyber-security-for-business

© 2024 Professional Security Magazine. All rights reserved.