Having confidence in cyber security

Created: 17 Aug 2016
Updated: 17 Aug 2016
When evaluating cyber security, how certain can you be that you, or your suppliers, have done a good job?

As you and your suppliers design and build systems, you will include mechanisms to reduce the chances of cyber security problems occurring. You'll also introduce measures which minimise harm in the event that problems do occur.

But how certain can you be that these important measures are in place and working as intended? Outlined below are some of the ways in which you can gain confidence that security measures are genuine and effective.

At the low end of the scale, this may mean a straightforward promise from a supplier, with no attempt at verification.

At the high end, it might entail the use of independently assured components in a configuration approved by a qualified professional, and perhaps independently tested for good measure.

It should be noted that the approaches below are not mutually exclusive. Many of them can be combined to provide higher levels of confidence.

1. Assertion or commitment from a supplier

The supplier describes how their service meets your security objectives, but is unwilling (or unable) to provide evidence of independent validation.

You are, in effect, reliant on the honesty, accuracy and completeness of the supplier’s assertions.

Things to consider:

  • the service provider’s level of security maturity
  • whether they have a reputable in-house security team
  • their approach to proactive testing
  • historical evidence of how they have responded to security issues
  • whether you're allowed to perform your own security testing

2. Contractual commitment from a supplier

Commodity services often come with terms and conditions or license agreements which you are unable to change. However, in situations where you are able to negotiate contractual terms you will need to ensure that these represent your needs accurately.

Things to consider:

  • security requirements should be specific and measurable, since clauses which are too generic can add cost, have limited value and may be unenforceable
  • being over-prescriptive can lead to adversarial behaviour
  • try to build a shared risk proposition with suppliers so they are invested in doing the right thing, rather than just what it says in the contract
  • think about if, and how, you might check whether the contract clauses are being followed

3. Independent validation

An independent and expert third party reviews and confirms your own efforts, or the commitments that have been made to you by a supplier. This can help you gain confidence in the claims or commitments made by the supplier. It can also reassure you that your own endeavours are well designed and implemented.

3.1 Validation by an independent third party

An independent third party has confirmed that claims or commitments made by a supplier, or asserted by you, are true. Crucially, in this case, the confidence does not stem from compliance with a particular standard.

Things to consider:

  • whether the third party has the right skills to undertake such a review
  • the extent to which the third party verified your assertions, or your supplier's commitments

3.2 Compliance with a recognised and appropriate standard

The service holds a valid certificate of compliance with a recognised standard.

Things to consider:

  • the scope of certification - validation should ensure that all service-impacting controls are covered by the certification
  • whether the auditor verified that controls are present and effective - they may have only established that controls exist, or that a policy on their use exists
  • the skills and competence of the auditor - check that the auditor is suitably qualified

3.3 Independent testers validate the implementation of controls

Independent testers, such as qualified penetration testers, have evaluated the effectiveness of the security controls which you or your supplier have asserted are in place.

Things to consider:

  • testers should have appropriate industry-recognised qualifications for the testing they are carrying out (see our recommendations specific to penetration testing if appropriate)
  • testing will validate security controls at a particular moment in time - regular re-testing will be necessary to retain confidence

3.4 Security architecture review

The technical architecture of your system, or your supplier's system, has been reviewed by an appropriate security expert. The expert has given you an independent assessment of the system's design. This will tell you whether the system provides a reasonable level of mitigation for the attacks you are concerned about.

Things to consider:

  • the skills of the person or people performing the review (e.g. do they hold a qualification such as CCP ‘IA Architect’ at the Senior or Lead level?)
  • the threat model the system should be reviewed against

Note that a security architecture review does not verify that components have been properly configured when deployed, or that the system is maintained well in practice.

3.5 Assurance in a component

There is independent assurance in a product or service used within your service or its underlying components.

Things to consider:

  • Is the component an appropriate control in this context? Does the independent assurance reflect how you are using it?
  • Is the component configured and used appropriately? Is it being used in the same fashion as it was assured?

We have our own Foundation Grade evaluation scheme which can provide assurance in this area.
