This article is written by Pooja Arora from ILS Law College Pune and modified by Gitika Jain. This is an exhaustive article which deals with the concept of international cyber security standards and cyber security compliances along with the essentials and role of cyber security.
Ever wondered why multinational companies keep their data so tightly secured that they do not even give some of their own employees access to it?
The answer is simple: in today's digitalised world, data is king. To protect this data from possible threats, organisations abide by cyber security standards. These standards include guidelines, frameworks and methods that ensure the effectiveness of security, and they usually apply across all industries and sectors. As the internet has no geographical restrictions, international cyber security standards ensure that certain cyber security practices are executed consistently worldwide. This enhances the security of data and keeps risk to a minimum.
ISO/IEC JTC 1 is a joint technical committee of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its standards facilitate international trade by providing world-class specifications for products, services and computer systems that ensure quality and safety.
Cyber security compliance is a function that shows how, and to what extent, a security program adheres to the standards set by regulatory authorities such as a government or an international organisation. Compliance is an important part of cyber security, and organisations often aim to fulfil these requirements. Cyber security compliance programs protect the confidentiality of information and data assets. However, they are not based on stand-alone standards or regulations: they establish risk-based controls and are a continuous organisational process.
In June 2018, certain baseline requirements in the cyber standards were launched by the UK government called the Minimum Cyber Security standards (MCSS). These standards are to be adhered to by all government departments including organizations, agencies, and suppliers dealing with them as well. The UK government seeks to exceed these at all times. These minimum cyber security standards comprise 10 sections with 5 broad categories. They are:
Under this category, there are 4 standards. Departments must comply with proper cyber security governance processes, and the management policies and processes must be appropriate to ensure overall cyber security. Departments also need to know why they hold any given information and must catalogue that information. It is equally important for departments to identify and classify the key operational services they provide. Periodic reviews should take place to ensure that users are given only the minimum access they need to sensitive information or key operational services, so that the need to access sensitive data is continually managed.
Only identified, authenticated and authorised users should be given access to information and key operational services. The four main areas covered under this category are enterprise technology, end-user devices, email systems and digital services. A full audit of hardware and software assets should be carried out to prevent the exploitation of data. Multi-factor authentication should be used wherever possible.
Cyber attackers often use common techniques to compromise data. Under this standard, transactional monitoring techniques should be used and departments should be able to detect common cyber attacks. The information that is to be protected should be clearly defined by the department.
This includes having a planned response with clearly defined action and roles that must be implemented in response to cyber security incidents that impact sensitive information. This includes having communication protocols that activate when an incident is discovered. This plan should be regularly tested to ensure security at all times.
This minimum security standard requires that the processes are well defined and tested so as to ensure the continuity of the key operational services. The contingency mechanism makes sure that the department is able to deliver essential services in case of any failure. Also, the processes should be tested and vulnerabilities should be remediated.
Cyber security involves protecting servers, computers, mobile and other electronic devices from potential cyber-attacks. The following are some of the cyber security essentials that are used by organizations to protect their information from potential threats:
Multi-Factor Authentication (MFA) is a security mechanism that grants access to data or information only after multiple credentials have been presented. MFA goes beyond passwords and asks for additional elements such as PINs or fingerprints.
User application hardening
User application hardening is a method of safeguarding the network by blocking advertisements or restricting the access that applications have to data. Hardening applications makes them more secure and less likely to be turned against the organisation.
Implementing a next-generation firewall
A next-generation firewall is a network security device that prevents cyber-attacks by detecting and blocking them at the port level. It helps secure business information because these firewalls enforce security policies and bring together deep packet inspection, URL blocking, packet filtering and application awareness.
A penetration test, or pen test, is a test for exploitable vulnerabilities in a network; it attempts to breach the application system in order to uncover weaknesses. This helps a business find possible points of failure and guard against them. Conducting penetration tests and vulnerability checks regularly is an essential element of cyber security.
Implement a Security Information and Event Management (SIEM) solution
Security information and event management (SIEM) is a set of integrated technologies that gives insight into the activities in an enterprise's cyber environment. The software collects, analyses and organises the data gathered from the organisation's technology infrastructure. It provides information on cyber-related activities such as failed login attempts and sends alerts if there is any indication of a cyber security issue.
An organization uses many tools and techniques to safeguard and protect its data. Some of the common types of cyber security are:
Anti-virus software is the most commonly used type of cyber security. From individuals to large companies, everyone uses anti-virus these days; this software is familiar to everyone. It scans the computer to identify known threats, and it is the first line of defence that attackers encounter.
Network security focuses on network traffic. It controls the incoming and outgoing traffic to prevent threats from entering the system. It is a set of rules designed to protect the confidentiality of computer networks and data using both software and hardware technologies.
Cloud security is also known as cloud computing security. It provides protection to the data used in cloud-based applications. This also protects the individuals’ authentication rules and their privacy. From authenticating access to filtering traffic, cloud security can be configured to the exact needs of the business. The way cloud security is delivered will depend on the individual cloud provider or the cloud security solutions in place.
Intrusion Detection System (IDS) or Intrusion Prevention System (IPS)
An intrusion detection system or intrusion prevention system watches your network, notes suspicious cyber activity, records the information, helps stop incidents and reports them to the responsible authorities. It has become a common part of the security infrastructure of most organisations because it can stop attackers from gathering information from the network.
Though cyber security and compliance may seem the same, as both are important for protecting information assets, they are not. Cyber security is the set of tools an organisation uses to protect its data, systems and programs from potential cyber-attacks. An effective cyber security system looks at the organisation as a whole and ensures the safety of its business assets. Compliance, on the other hand, is the extent to which an organisation adheres to a set of frameworks or standards. These standards are usually set by a third party: the government, a client or an international organisation. But merely fulfilling the bare minimum requirements is not enough to secure an organisation's information.
Both cyber security and compliance are crucial to protect the network environment from the attack of criminals. Cyber security involves identifying the organization’s needs and conducting a gap and risk analysis. When this risk assessment is used in compliance, it helps the organization to identify potential data risks and their impact on the organization. It analyzes the technology and internal processes to identify vulnerabilities and cyber risks that may arise. This may sometimes lead organizations with less threat or scarce resources to focus on targeted strategy programs over compliance programs which may increase organizational risk and create potential vulnerabilities.
Some of the things an organization can do to ensure compliance with cyber security regulations with the help of ISO and IEC standards are:
Establish an Information Security Management System (ISMS)
ISO describes an ISMS in the standard ISO/IEC 27001, which sets out a management-based approach to managing information security risks and data. It helps the organisation manage people, systems and processes. The security controls can follow common security standards or be tailored to the industry.
Commission an independent audit
The organisation should commission an ISMS certification audit after implementing the ISMS standard ISO/IEC 27001. This certification is important for proving that the organisation's approach to cyber risk complies with both local and international regulations. ISMS certification verifies that the organisation has evaluated all the cyber risks it faces and implemented appropriate steps to mitigate them.
Keep an accurate data inventory
An organisation should at all times keep an accurate data inventory covering both data and network assets. ISO has published the ISO/IEC 27002 standard, which contains information security codes of practice and guidelines for implementing them. These include keeping the inventory up to date, identifying information assets, and so on.
Implement Privacy Information Management System (PIMS)
ISO/IEC 27701, an extension of ISO/IEC 27001, provides detailed guidelines for establishing, implementing and maintaining a privacy information management system. These also include controls on the processing of personal data. Organisations should adhere to it in order to comply with privacy regulations.
Implement a data minimization process
Data minimisation is the process by which organisations retain information that can identify individuals for no longer than necessary. The standard ISO/IEC 27018 provides a code of practice for the protection of personally identifiable information (PII) in public clouds. It also contains guidelines for the secure removal of temporary files within a specified period. Organisations should therefore implement a data minimisation process to ensure compliance with regulations.
Data security is one of the primary concerns of any organisation. Organisations want to secure their own data by complying with cyber security standards, but also to build trust between themselves and their users. Compliance also helps businesses trust each other as they share data back and forth. And users want to be sure that the companies respect the data they hand over and do not misuse it.
Adhering to international cyber security standards mitigates risk for any business and helps it grow. The international cyber security standards are very detailed and comprehensive, and they provide full guidelines for organisations to follow. Although these standards are available online for anyone to read, it poses no threat if a hacker knows them, as they are general guidelines and codes of practice that a business follows. Both cyber security and cyber compliance are therefore equally important for a company. Companies should not put their cyber security at risk by relying on compliance alone.
Advances in technology have certainly improved security, but cyber crime is still at its peak. It is therefore necessary for organisations not only to comply with international security standards but also to develop cyber security that goes beyond these regulations. These standards may be difficult to comply with in a small organisation with fewer resources, but such organisations still have to meet the same standards as everyone else. In addition to contributing to the development of new standards, organisations should also consider participating in the maintenance of existing ones.