A group for the discussion of security issues affecting Janet and Janet customers.

Implementation Profile for Basic Cyber Hygiene

6 February 2014 at 9:47am

On Tuesday I had the opportunity to read and provide feedback on the first draft of the government's "Implementation Profile for Basic Cyber Hygiene". This document comes as a result of their consultation last year on "Cyber security organisational standards".

The Profile is intended to set out some basic controls that organisations can implement to achieve a basic level of cyber security. An auditing scheme will be established and, where appropriate, compliance with the Profile will be required in government procurements.

Without going into detail, the standard breaks down into four controls:

  1. Patch Management
  2. Firewalls and Internet Gateways
  3. Control of Administrative Privileges and User Accounts
  4. Malware Protection

Each control comes with brief guidance and context aimed at readers who are technical but not security experts.

So will this standard be applicable to the research and education sectors? I'm not sure. At some level it'd be beneficial to have a broad standard with real business drivers for compliance that provided assurances of a basic standard of security - but there may be issues with the standard as it's currently written.

The standard makes assumptions about how organisations use technology. Cloud is not mentioned at all, which makes it look dated already. There are some prescriptive requirements such as "[you shall] have a firewall on the boundary of the network" (what if your network doesn't have a boundary, or your organisation has no network? Or has to connect students and visitors within that perimeter?), and it's tricky to see how to apply this standard to a complex, modern environment. Detailed information on how the standard will be audited will likely clarify some of these issues.

As has been discussed elsewhere in the community, finding a one-size-fits-all approach to even a basic level of security compliance across complex and often federated universities is impossible and undesirable. What's important is implementing these types of controls where there is a real risk and a real need to do so; most educational organisations will already be applying these controls, and more, on their core systems.