UK Government Information Assurance Standards No.1 and 2
We have recently been involved in a government tender where the procurement officer referred back to Information Assurance Standards, which is the basis of this article. Information Assurance Standards 1 & 2, usually abbreviated to IS1 & 2, were security standards applied to government computer systems in the UK, before being superseded by Cyber Essentials Accreditation, a much more catchy name!
Whilst looking at the Information Assurance Standards, we came across quite a bit of advice from the National Cyber Security Centre on minimising risk, so we thought we would write this article to point out to anyone looking for IS1 & IS2 that they no longer exist, and also to summarise the NCSC's article on cyber security and risk. The advice is aimed at SMEs and sole traders.
Set a minimum level of Cyber Security control or ‘baseline’
Signing up to get accredited for Cyber Essentials costs around £500 in time and assessment fees. If you need a consultant to assist with the form completion you are looking at a cost of around £300 plus VAT. As the NCSC (National Cyber Security Centre) says, this approach doesn’t require risk analysis; ‘it’s just about applying some basic security controls and demonstrating that your organisation takes cyber security seriously’.
All organisations face risks, no matter the size
A lot of hacks and cyber attacks are automated and untargeted, firing millions of attack attempts at millions of websites and devices at once. A very small number will have an effect; the rest will get blocked by security systems. The NCSC points out that ‘if you’re an SME or sole trader, you’re just as likely to be a victim of these scatter-gun attacks as a large organisation’.
Understand what you care about, and why
Know how your organisation works and operates. Think about the people, the data, the processes and the equipment that are vital to your day-to-day operations. Plan for life without them should an attack occur. ‘Prioritise where to protect your organisation most’.
Think about situations in which you could be compromised
Think about the consequences of decisions and take steps to avoid the worst-case scenarios. For example, changing passwords regularly, or thinking about what you would need to do if a data breach occurred.
Accept Some Risk
Take risks – there is always some risk with every decision. ‘We all experience risk because the future is uncertain, and cyber risk is no different’. No security software or equipment is risk free or can eliminate all risks. Take such claims with a very large pinch of salt!
Balance cyber risks against other types of risk
Some security measures can reduce one type of risk whilst increasing risk somewhere else. For example, setting up a system to manage customers online may increase security risks, but not doing so may increase the risk of your customers leaving and not coming back.
Learn from other organisations
Watch other organisations closely. For example, the description of the NCSC’s own IT architecture might be a useful starting point for some organisations. Keep an eye out for how other organisations have solved security problems.
Keep an eye out for cyber security myths
The NCSC gives as an example the current myth that cloud-based infrastructures are more risky than using your own equipment. They think this is rarely true – large and reputable cloud service providers generally have far more robust security arrangements than most organisations would be able to afford themselves. We question this advice, as a lot of government tenders require companies not to use offshore data transfer.
Use Companies that have Robust Security Procedures
Ok – we may have written this one ourselves, but surely it's common sense that if one Cyber Essentials accredited transcription company has gone to the trouble of using GDPR-compliant, UK-based, ISO 27001 accredited servers to provide file upload services for audio recordings, which are then handled by DBS-checked transcribers and a BPSS-cleared transcription manager, all operating to an ISO 9001 accredited quality system, then chances are their data is going to be a lot more secure than a bloke working out of his back bedroom accepting file uploads via Google Drive.
For details of such an IT risk aware company please visit www.universitytranscriptions.co.uk