Cyber security, which can be defined as the protection of systems, networks and data in cyber
space, is a critical issue for all businesses.
Rapid technological developments have provided vast areas of new opportunity and potential
sources of efficiency for organisations of all sizes. These new technologies which we all rely upon have,
however, also brought with them unprecedented threats.
This page will introduce you to some of these threats, including cyber crime, cyber war, and
cyber terror, and explain the precautions you should take against them.
20 Critical Controls/Consensus Audit Guidelines (CAG)
The Twenty Critical Security Controls for Cyber Security: Consensus Audit Guidelines
The 20 Critical Security Controls were developed, in the USA, by a consortium led by the Center for
Strategic and International Studies (CSI). The history of the Security Controls describes how they have
been widely adopted across the US Federal Government as well as by the UK's CPNI (Centre for the
Protection of National Infrastructure). The US State Department claims to have achieved a 94%
reduction in measured risk through the rigorous adoption of these controls.
The 20 Critical Controls are specifically technical controls; there are a number of additional areas that
should also be addressed as part of a robust security posture, including information security policy,
physical security, staff training and awareness, organisational structure, documented policies and
procedures, and so on. ISO27001 is the best practice international standard for an Information Security
Management System that enables organisations to comprehensively secure information and provide
independent assurance that this has been done.
Each of the 20 listed critical controls (all of which can be cross-mapped to controls in Annex A of
ISO27001, and thus seamlessly integrated into any ISO27001 ISMS) is supported by detailed
implementation, automation, measurement and test/audit guidance which reflects a consensus of
multiple security experts on the most effective ways to mitigate the specific attacks which these controls
are designed to deal with.
The OWASP Top Ten Project continues to identify and list the Top 10 Web Application vulnerabilities and
organisations that operate websites should also ensure that their web applications are, as a minimum,
secure against these publicly identified vulnerabilities.
A growing range of software solutions and professional services are available to help organisations
implement and audit these controls.
The Twenty Critical Security Controls themselves are published by the CSI and are maintained on th
Boardroom Cyber Watch 2014 Survey
Cyber Security Consultancy Services
In most cases, organisations simply do not have the adequate in-house skills and competence in place to
identify and assess today's multi-level, multi-channel, variably sophisticated cyber security threats and
the range of vulnerabilities they target, or to apply the most appropriate mitigation and remediation
strategies.
In response to the ever-changing cyber security landscape, IT Governance offers independent,
professional services tailored to your organisation. Our services are delivered by our in-house
consultants who have a comprehensive and deep experience of cyber security risk management and will
work with you to provide the best possible solutions.
Why use IT Governance?
IT Governance brings a wealth of experience in the cyber security and risk management sector. As part
of our work with hundreds of private and public organisations in all industries, we have been carrying
out detailed risk assessments for more than 10 years. All our consultants are qualified and experienced
practitioners.
Cyber Security Risk Assessments (10 Steps To Cyber Security)
Today's attacks are multi-level and multi-channel by default. According to the most current UK
government research, 87% of small firms in the UK experienced a cyber security breach last year, and
93% of large firms were also targeted. Some incidents caused more than £1 million in damages.
A cyber security risk assessment is necessary to identify the gaps in your organisation's critical risk areas
and determine actions to close those gaps. It will also ensure that you invest time and money in the right
areas and do not waste resources where there is no need for it.
Even if you have implemented an ISO 27001 Information Security Management System, you may want to
check whether your cyber security hygiene is up to standard with the UK government's guidelines.
What does a cyber security risk assessment include?
Our risk assessment takes into account the UK's Cyber Security Framework for Business (jointly
published by the Department for Business, Innovation and Skills (BIS) and CESG, the security arm of
GCHQ), which recommends a ten-step approach to cyber security.
We will send a qualified and experienced consultant who will work on site with you and your team to
examine each of the ten risk areas (described below) in sufficient detail to identify the strengths and
weaknesses of your current security posture. All this information will be consolidated into a tailored,
immediately usable action plan that will help you close the gap between recognised good practice and
what you are actually doing.
Why use IT Governance?
IT Governance brings a wealth of experience in the cyber security and risk management domain. As part
of our information security work with hundreds of private and public organisations in all industries, we
have been delivering comprehensive risk assessments for more than ten years. All our consultants are
qualified and experienced practitioners.
Getting Cyber Secure
Cyber security is about far more than investing in hardware and software. First and foremost, cyber
security is a business matter. This means that top management is accountable for ensuring its
organisation's cyber security strategy meets business objectives. In fact, organisations need competent
people and effective processes in order to maximise the value of security technology.
A cohesive cyber security approach
In order to achieve real cyber security, today's organisations have to recognise that expensive software
alone is not enough to protect them from cyber threats. For example, the deployment of anti-malware
software requires people's skills and has to be managed by a process. Organisations that fail to
understand these interdependencies won't withstand the ever-growing onslaught of cyber attacks.
Additionally, just trying to prevent an attack is no longer a solution. Organisations need to be prepared
for rebuffing, responding to, and recovering from a range of possible attacks. This can only be achieved
if people, process and technology are taken into account.
Assess your cyber security risk
There are ten key areas that should form part of an effective cyber security strategy. The principle
of people, process and technology also applies to these areas, which are as follows:
Board-led Information Risk Management Regime
Secure Home and Mobile Working
User Education and Awareness
User Privilege Management
Removable Media Controls
Activity Monitoring
Secure Configurations
Malware Protection
Network Security
Incident Management
Assess your organisation against the above critical risk areas by completing our free online Cyber
Security Self-Assessment Questionnaire. We will provide you with a high-level cyber security report.
Alternatively, contact us for an in-depth cyber security risk assessment which will enable you to identify
your weakest areas and take measures. A risk assessment looks at what might happen, works out the
probabilities and the impacts and then selects controls to deal with it. It is a classic example of the
connectivity between people, process and technology.
You can use existing cyber security standards and frameworks to achieve cyber security. In order to do
this you also need a coherent set of products and services that will help you do this effectively.
Certificated Cyber Security Training
Cyber security skills are essential for any organisation committed to addressing the rising cyber threat. For information
security professionals, developing knowledge and skills in this area through certificated training is crucial
to future career development.
Our Cyber Security Learning Pathway provides opportunities to develop expertise and gain industry-
standard certifications.
Cyber Security Learning Pathway
Develop skills in cyber security strategy development, as well as the practical expertise required to
implement plans effectively through our Cyber Security Learning Pathway.
[Learning Pathway diagram: Define your strategy; Deliver your strategy; Cyber Resilience; Cyber Security; Data Compliance; IT Governance; Enhance your career]
PAS 555: cyber security risk management
PAS 555 clearly defines the required outcomes of an effective cyber security strategy. The advanced
level Cyber Security Risk Management Course explores the outcomes specified in PAS 555 and how to
implement standards and frameworks that are appropriate to achieving cyber security risk management
in your organisation.
ISO 27001: cyber security risk management
ISO/IEC 27001 forms the backbone of every intelligent cyber security risk management strategy. Gaining
knowledge and experience in implementing and auditing an ISO 27001 compliant information security
management system (ISMS) will deliver cyber security objectives and enhance your information security
career.
The ISO 27001 Certified ISMS Lead Implementer Masterclass provides the skills required to plan and
implement an effective ISO 27001 compliance project and is part of the wider ISO 27001 Learning
Pathway.
ISO 22301: cyber resilience
ISO/IEC 22301 defines the requirements of a business continuity management system (BCMS). Planning
to ensure that your business can continue to operate in the event of a cyber security incident is a key
part of a complete cyber security strategy.
The ISO22301 Certified BCMS Lead Implementer course will enable you to plan and implement an
ISO22301 compliant BCMS and is part of the wider ISO 22301 Learning Pathway.
ISO 20000: cyber secure service delivery
ISO/IEC 20000, the IT service management standard, can be integrated into a broader cyber security
strategy. The ISO 20000 Practitioner certificate provides an overview of ISO 20000 and how it applies to
service management. This course forms part of our wider Service Management Learning Pathway.
Data compliance (PCI DSS, DPA)
The PCI DSS (Payment Card Industry Data Security Standard) aims to increase credit card data security.
For organisations that store, transmit, or process card-holder data, PCI DSS compliance forms a key part
of an effective cyber security strategy. PCI DSS Implementation and Maintenance training will enable
you to develop the skills to plan and implement a cost-effective route to compliance.
All UK organisations must comply with the Data Protection Act (DPA). With the increasing risk of
hacking, data breaches and data loss, the DPA Foundation Course will provide you with a clear overview
of the DPA and its application.
Cyber security professional certifications
IT Governance offers an unrivalled portfolio of training courses leading to industry-standard professional
certifications.
Certificated ISO 27001 training and development
We deliver the world's first certificated programme of ISO 27001 education, which leads to the following
cyber security certifications, awarded by the International Board for IT Governance Qualifications
(IBITGQ):
Certified ISMS Foundation (CIS F)
Certified ISMS Lead Implementer (CIS LI)
Certified ISMS Lead Auditor (CIS LA)
Certified ISMS Risk Management (CIS RM)
CISA, CISM, CGEIT, CRISC, CISSP and CISMP certifications
Certifications awarded by (ISC)² and ISACA are globally accepted, and the CISA, CISM, CGEIT, CRISC and
CISSP qualifications are already recognised as the must-have requirements for a career in
cyber security, audit and IT governance management.
With over 150,000 qualified professionals worldwide, (ISC)² and ISACA certifications demonstrate
proven experience, and are key to a higher earning potential in the future.
(ISC)² and ISACA Exam Preparation courses include:
CISA - Certified Information Systems Auditor Training Course
CISM - Certified Information Security Manager Training Course
CGEIT - Certified in the Governance of Enterprise IT Training Course
CRISC - Certified in Risk and Information Systems Control Training Course
Cyber Crime Landscape
Cyber threats are very real and can have a serious impact on organisations of all types and sizes. The
Internet is beyond any agency's control and, as such, security in cyberspace doesn't exist.
The latest surveys on data breaches show that the threat of cyber crime is becoming ever more
widespread. On this page we explore the most common threats and targets.
Cyber crime is a global phenomenon which affects everyone, from individuals and employees to small
and large organisations. The majority of cyber crimes are perpetrated overseas, beyond the jurisdiction
of the victim's country, meaning that, for example, a financial institution in London can be attacked from
China and there's nothing the British authorities can do about it.
According to the 2013 Norton Report, the highest numbers of cyber crime victims globally were to be
found in Russia (85%), China (77%) and South Africa (73%); the cost of consumer cyber crime was found
to be highest in the USA ($38bn), Europe ($13bn) and China ($37bn).
According to the BIS Information Security Breaches Survey 2013, 87% of small firms and 93% of large
firms in the UK experienced a cyber security breach in 2012. Some incidents caused more than £1
million in damages. The median number of breaches suffered by large organisations rose from 71 the
previous year to 113 and, for small firms, from 11 to 17. The average cost of a serious cyber security
breach for a small firm is between £35,000 and £65,000.
The True Cost of Information Security Breaches and Cyber Crime (Pocket Guide) sets out a sensible,
realistic assessment of the actual costs of a data or information breach and explains how managers can
determine the business damage caused.
What information do cyber criminals target?
The most targeted information is commercial, including intellectual property, customer lists and
related information, business and commercial strategy, and financially sensitive information.
Data assets such as banking information, payment card details, PII (personally identifiable information)
and contact details are also at the top of cyber criminals' agenda.
According to The Global State of Information Security