Who is really responsible for the Information Security Management System (ISMS)?

A Common Problem

We often find organisations where the Information Security team believe the next external audit could mean the demise of the ISMS. They know that the necessary stipulations have not been fulfilled during the last 12 months or longer. They also know that this is likely to be due to disjointedness within the organisation and, ultimately, a lack of clear leadership. They have struggled to persuade colleagues to comply with the requirements of the ISMS. They see the threat of discontinued ISO certification from the Certifying Authority as the only way to change attitudes, especially at the top of the organisation.

The International Organization for Standardization (ISO) suggests that in some businesses “leadership from the business owner”¹ is required. However, this is slightly confused in vocabulary standards such as ISO 9000 and ISO/IEC 27000, where the following language is used: “If the scope of the management system covers only part of an organization, then top management refers to those who direct and control that part of the organization”.²

Many organisations prefer to start on the ISMS journey by limiting the scope to the organisation’s Information Technology / Information Management. Taking such a literal approach from the guidance, however, can lead to a scenario where business owners (CEOs / MDs) believe they are absolved of their responsibility for the ISMS as they come to believe the management system is in safe hands under IT/IM management.

There is a simple test in this scenario to establish if the ISMS is in the right hands. Imagine the IT Director approves a technical process that involves taking down operational systems during normal business hours. If there is somebody else in the organisation who can overrule the IT Director and prevent the process from taking place, then the ISMS is in the wrong hands.

This scenario is likely to lead to further undesirable consequences:

  • The IT Director’s information security leadership will be brought into question and may even be considered weak;
  • The external auditor will record their concerns around leadership as part of the audit, and will likely instigate further investigations;
  • Any negligence in the area of leadership would normally be reported as a Major Non-conformity as it represents a major stipulation within the Standard.

A Better Approach

We recommend establishing board-level ‘accountability’ for the ISMS. ‘Responsibility’ for its management may be delegated, but accountability must rest with those at the top of the organisation.

Most ISO management systems (certainly all those which follow Annex SL: 9001, 14001 and 27001) have a stipulation for Management Reviews. We recommend that Management Review meetings are held regularly (e.g. twice a year) and include board-level representation. Board members will be in the best position to report on any changes in external and internal strategic matters that could be relevant to the ISMS. They will need to be made aware of the organisation’s information security performance, and may be able to bring feedback on it to the meeting. They will need to be informed of information security nonconformities and the results from monitoring, measurement and audit activities. They may know why the nonconformities have come about, or they may be in the best position to propose the most effective corrective actions.

Policy for the ISMS needs to be written (signed off) by the head of the business in full knowledge of the requirements of the business, but with observance of all information security risks and mitigation options. The CEO/MD will be forgiven for not being the most IT-aware member of the business, but this doesn’t mean they cannot be counselled, where necessary, by the organisation’s IT experts. Contrary to popular belief, the ISMS is not all about IT; it’s about leadership with an information security flavour.

In conclusion, the ISMS should be overseen by organisational leadership who know the organisation’s strategy, are aware (or can be made aware by their experts) of the ever-changing risks to the ISMS and the risk mitigation options, and should be the ones setting policy, based on the strategy, in balance of those risks.

How Regency Can Help

Regency ISO/IEC 27001 Lead Auditor consultants have a long track record in helping customers meet and maintain ISO/IEC 27001 requirements both in the UK and abroad. From initial assessment, through designing a pragmatic and effective ISMS, to audit support and ISMS maintenance, we provide a low-risk approach to achieving and maintaining ISO/IEC 27001 certification.

We won’t leave you with a library of standard templates that need experts to decipher. We will be with you every step of the way, including during your Certification Audit, confirming our support meets with the expectations of the Certifying Authority. We’ll be there to get you over the initial line but will be on hand for guidance, if you need us, in the months and years to follow as your ISMS matures.

If you would like to explore how Regency can help your organisation, please contact us on our office number 01242 225699 or email enquiries@regencyitc.co.uk

¹ Source: https://www.iso.org/management-system-standards.html
² Source: ISO/IEC 27000:2018

Regency helps the Wanderers Keep Warm this Winter

Regency are delighted to have been asked to provide support to the FC Highnam Youth Football Club U8 Boys (aka “The Wanderers”). One of our very own Regency consultants, Stephen Bottomley, not only coaches the team but also helps out as goal-erector, lace-tier, sub-rotator and (most importantly) is Dad to one of the players. A few months ago, Stephen presented this rather sad photo to the Regency Management Team, showing the boys looking wet and obviously freezing after one of their games last October…

BEFORE

… so we decided to buy them something to keep warm and dry for the harsher winter weather.

AFTER

Happily “The Wanderers” are having a successful 2018-19 season in both the Severn Valley Youth Football League and U8 Challenge Cup, with the boys growing in confidence, improving as individual players, and as a team throughout their first season together.  We wish the team all the very best for the remainder of the season, and for their footballing futures.

Cyber Security Consultant

Regency has a number of exciting opportunities for experienced Cyber Security Consultants to join our growing team.

The role involves:

  • Providing customer-facing Cyber security advice and guidance potentially across multiple client assignments simultaneously;
  • Working within multi-disciplinary teams against tight deadlines;
  • Delivering both tactical and strategic solutions focused around customer priorities;
  • Supporting the customer’s overall information risk management function to ensure they have a comprehensive understanding of their risk landscape;
  • Producing detailed risk assessments to the customer’s identified area of focus;
  • Producing risk management/accreditation artefacts across the full risk management lifecycle;
  • Developing innovative and novel approaches to mitigate risks in technically complex business areas;
  • Devising and recommending options for cost-effective security controls;
  • Conducting security compliance assessments against recognised best practice and industry standards as appropriate to the organisation;
  • Developing and implementing new security policies to address any deficiencies identified.

The Individual

  • You will be an experienced Cyber Security consultant comfortable with delivering into a variety of different, public and private sector client settings;
  • You will be a self-starter capable of taking a proactive approach to understanding customer requirements and responding by providing effective inputs that add tangible value to the customer’s business;
  • You will recognise that there can be many contributory factors to cyber security/information risk that require you to be aware of the wider technical, physical, and procedural context;
  • You will be an advocate for positive change and able to help the customer appreciate the benefits of challenging the status quo;
  • You will be able to tailor your delivery approach as appropriate to the requirements of the assignment, whether the work is within an established security/assurance team or working independently;
  • You will be capable of producing high quality deliverables to tight timescales;
  • You will be an excellent communicator, able to translate between business and technical requirements, and interpret these requirements back into relevant and insightful security advice at all levels of the organisation;
  • You will be expected to actively participate in all aspects of the business development lifecycle and support ongoing customer relationship management.

Essential

  • A minimum of three years consulting experience providing Cyber security advice, audits and guidance;
  • Experience of working within a recognised Information Security governance framework (HMG SPF, ISO-27001 or similar);
  • At least one of the following recognised IT Security certifications (CISSP, CISM, CISA, ISO 27001) with demonstrable experience;
  • At least one of the following recognised Risk Assessment or Risk Management certifications or training (HMG IS1&2, CRISC, COBIT, ISO27005, Octave) with demonstrable experience;
  • Experience of producing comprehensive information risk assessments;
  • Hold a Full UK Driving Licence;
  • Current HMG security clearance (or ability to obtain).

Desirable

  • NCSC CCP certification in one of the following (Accreditor, IA Architect, IA Auditor, ISSO, SIRA);
  • Membership of a recognised Information Security professional body (e.g. IISP, BCS);
  • Demonstrable knowledge of data privacy legislation (e.g. DPA, GDPR);
  • Experience of using recognised project management methodologies;
  • Experience with using enterprise architecture modelling approaches such as ArchiMate;
  • Military/MoD experience within the Air, Land or Joint domains (preferably with a cyber security dimension).

Remuneration

  • Salary and package will be highly competitive commensurate with experience and qualifications.

If interested, please email your CV and a covering letter to recruitment@regencyitc.co.uk

Incident Response Planning

“Plan to Fail, don’t Fail to Plan”

It might be a difficult message for some in our industry to hear, but the reality is that at some point there will likely be a security incident in your OT system. Whether it is some forgotten-about remote connection for maintenance that was never properly secured, or an inadvertent (or malicious) operator action that causes an event, the key to whether it brings your process down or is managed and contained in an orderly way will be down to your Incident Response Plan (IRP).

Whilst most businesses will have a response and recovery plan for their IT infrastructure, it does not necessarily follow that this plan can also be utilised in an OT context. There are key differences in the requirements and operation of Industrial Control systems that mean having a dedicated OT IRP will pay dividends when things go wrong.

For example, the loss of a part of your Industrial Control System (ICS) could mean the plant or process will stop, so you will need to ensure that Control Systems engineers and technicians are on the key contacts list, rather than just IT-focussed staff. Also, recovery from an incident can be more difficult because often ICS are within validated systems, so there needs to be some process to manage and revalidate the workstations and database servers which have been reimaged from backups before operations can restart. Not to mention that Distributed Control Systems (DCS) and Programmable Logic Controllers (PLCs) can’t be reimaged in the same way that PCs can.

Another point to note is that if you have an incident, but the systems are still operational, then one can’t simply remove and replace the affected items. Availability is crucial in ICS, so managing the running process is just as much of a concern as managing the security incident.

What are the key considerations you should be looking for when designing your OT IRP?

First, there are lots of good sources of information to help you to get started. Government agencies are typically a good place to start. The US ICS-CERT has published a document with recommended practices (https://ics-cert.us-cert.gov/Abstract-ICS-Cyber-Incident-Response-Plan-RP).

In the UK, the new NIS Directive has a clear objective (D1. Response and Recovery Planning) to ensure that Operators of Essential Services have put some thought into their Incident Response Planning. The NCSC CAF (https://www.ncsc.gov.uk/guidance/caf-objective-d) has a list of Indicators of Good Practice (IGP) for response and recovery. These recommendations are useful not only for the operators who will be directly affected by the NIS regulation, but are also good advice for any company with ICS looking to develop and mature their own incident response plan.

Key areas to look at:

Planning – Plan the IRP, brief everybody who has a role, and make sure that the plan is tested in a table-top exercise or some other simulated scenario. Understand the most critical areas of your system, so a graded response can be enacted depending on the location of the incident.

Communications – how will you co-ordinate with team members in the event of an incident? If your internal network is unavailable due to the incident, then an alternative to email will be required, such as text messaging, WhatsApp etc. Make sure you have an up to date record of everyone’s phone numbers and other contact details.

One important area to consider as part of the IRP is the collection and storage of system forensics, so that a full analysis of the security event can take place. Understanding how the incident happened is what enables the correct mitigations to be put in place to prevent future occurrence. Dedicated ICS tools are available that can detect these incidents and store all the system logs. Such tools can also push the information into a Security Incident and Event Management (SIEM) system, which could be part of a dedicated OT Security Operations Centre (SOC) or a shared Enterprise SOC. (There are lots of additional questions on this topic: whether to go for a combined IT/OT SOC or a dedicated OT SOC; whether to go in-house or to a managed SOC service provider, etc. These will be the focus of a future blog post.)

Sharing information within the community – you may be able to find answers to your problems, plus you can warn similar organisations of the incidents you are experiencing, the indicators of compromise etc, to help the community become more robust. In the UK, forums such as the CiSP (https://www.ncsc.gov.uk/cisp) are invaluable for this type of information sharing.

If you have any questions on Incident Response Planning or would like to explore how Regency / Airbus CyberSecurity can help your organisation, please contact us on our office number 01242 225699 or email us at enquiries@regencyitc.co.uk

By Ben Worthy (Security Consultant – OT Cyber Consulting Team)

Cyber Security Monitoring Solutions for Industrial Control Systems

How to Select the Correct Cyber Security Monitoring Tool for Your Organisation

Critical National Infrastructure (CNI) typically relies on Industrial Control Systems (ICS) to provide the core operational function that our society relies upon. Previously, these control systems were isolated and run on special hardware and software, where cyber security was not considered in the design. In time these systems have become more complex, more connected, and use a high level of communication: this can increase their vulnerability and increase the likelihood they become a target for cyber-attacks. A typical industrial control system consists of Programmable Logic Controllers (PLC), Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) as well as IT assets such as Windows computers, Historian Databases, printers, etc. ICS are connected via different industrial protocols which were initially designed to achieve the communication task without considering the cyber security requirements.

In recent years, many cyber-attacks have targeted industrial sectors and critical infrastructure, such as Stuxnet, BlackEnergy, Industroyer, and TRITON. These attacks led to major impacts on safety, availability, operation and the organisation’s reputation, and ultimately a financial impact. Thus, there is a pressing need to monitor and secure these critical infrastructures.

Many tools (or solutions) are available in the market to monitor the cyber security posture of ICS/OT infrastructure, where alerts are triggered in case of any threat or vulnerability detected. These tools are connected to the OT network using either hardware appliances (such as network sensors) or software agents in order to monitor all network traffic. This enables the tool to detect anomalous activities and, in some cases, block the traffic to prevent a cyber-attack. However, selecting a suitable solution that meets all requirements for each specific industrial application is a very challenging task due to the wide variety of features and vendors. Also, the way these features can be deployed at the customer site to gain full visibility and resiliency of all critical and non-critical assets requires specialist knowledge and experience.

Many criteria should be considered when selecting a cyber security monitoring tool. This blog focuses on the technical criteria only, which are:

  • Asset and network discovery,
  • Real time network activity monitoring and threat detection,
  • Vulnerability management,
  • Alerting system, and
  • Tool interoperability.

The selected tool needs to be able to discover all OT assets and inventory passively without affecting the operation of the ICS; identify the network topology and extract the asset artefacts such as: model, part number or serial number, firmware version, OS version, IP or MAC address, open ports, and installed software. Furthermore, some tools can also model or arrange these assets to zones or layers which reflect the actual network architecture.

Additionally, the selected tools should have the capability to monitor and detect all threats and suspicious activities using detection techniques such as signature-based detection, statistical anomaly-based detection, protocol deep packet inspection detection, and operational risk detection. The tool also needs to detect all vulnerabilities for each asset, prioritize these vulnerabilities using a scoring system, alert the operator and provide a remediation recommendation. It should then be able to generate a report for all security measures and provide different Key Performance Indicators (KPIs) tailored to suit different stakeholders’ requirements. Finally, the tool needs to provide connectivity with other tools such as SIEM, backup server, Historian server, SCADA and other third-party service tools.
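As an added illustration of the discovery and detection capabilities described above (example code written for this page, not Regency’s or any vendor’s tooling), the following builds an asset inventory and zone model purely from observed traffic, the way a passive sensor on a SPAN port would, and then flags activity that departs from that learned baseline: new hosts, new server ports and new conversation pairs. The flow records, zone names, CIDR ranges, vendor strings and the `identification` field (standing in for what a deep-packet-inspection engine would parse from a device-identification reply) are all constructed for the example.

```python
"""Passive OT asset inventory and baseline anomaly detection (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed flow records as a passive sensor might summarise them:
# (src_ip, dst_ip, dst_port, protocol, identification_fields_seen_from_responder)
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.2.20", 502, "modbus", {"vendor": "ExamplePLC", "firmware": "2.1"}),
    ("10.1.1.10", "10.1.2.21", 502, "modbus", {"vendor": "ExamplePLC", "firmware": "2.0"}),
    ("10.1.1.11", "10.1.1.10", 3389, "rdp", {}),
    ("10.1.1.12", "10.1.1.10", 1433, "tds", {"os": "Windows Server"}),
]

# Constructed traffic observed after the baseline was learned.
LIVE_FLOWS = [
    ("10.1.1.99", "10.1.2.20", 502, "modbus", {}),     # host never seen before
    ("10.1.1.11", "10.1.2.20", 44818, "enip", {}),     # new port and new pair
]

# Zone model assumed for the example (names and ranges are constructed).
ZONES = {
    "supervisory": ip_network("10.1.1.0/24"),
    "control": ip_network("10.1.2.0/24"),
}


@dataclass
class Asset:
    ip: str
    zone: str
    open_ports: set = field(default_factory=set)   # ports seen answering
    protocols: set = field(default_factory=set)
    talks_to: set = field(default_factory=set)     # peers this host initiates to
    attributes: dict = field(default_factory=dict) # vendor/firmware/OS etc.


def zone_for(ip):
    """Map an address to the zone whose range contains it."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def build_inventory(flows):
    """Derive assets from observed flows only; no probes are ever sent."""
    inventory = {}

    def get(ip):
        return inventory.setdefault(ip, Asset(ip=ip, zone=zone_for(ip)))

    for src, dst, port, proto, ident in flows:
        initiator, responder = get(src), get(dst)
        responder.open_ports.add(port)      # a listening port is evidenced by replies
        responder.protocols.add(proto)
        responder.attributes.update(ident)  # identification describes the responder
        initiator.protocols.add(proto)
        initiator.talks_to.add(dst)
    return inventory


def detect_anomalies(inventory, flows):
    """Return (kind, detail) findings for flows outside the learned baseline."""
    findings = []
    for src, dst, port, proto, _ in flows:
        if src not in inventory:
            findings.append(("new_host", src))
        if dst not in inventory:
            findings.append(("new_host", dst))
            continue  # nothing further can be compared for an unknown responder
        if port not in inventory[dst].open_ports:
            findings.append(("new_port", f"{dst}:{port}/{proto}"))
        if src in inventory and dst not in inventory[src].talks_to:
            findings.append(("new_pair", f"{src}->{dst}"))
    return findings


def inventory_by_zone(inventory):
    """Group asset addresses by zone, as a tool's topology view would."""
    grouped = {}
    for asset in inventory.values():
        grouped.setdefault(asset.zone, []).append(asset.ip)
    return {zone: sorted(ips) for zone, ips in grouped.items()}


if __name__ == "__main__":
    inv = build_inventory(BASELINE_FLOWS)
    for zone, ips in inventory_by_zone(inv).items():
        print(zone, ips)
    for asset in inv.values():
        print(asset)
    for kind, detail in detect_anomalies(inv, LIVE_FLOWS):
        print("ALERT", kind, detail)
```

The baseline is learned from traffic alone, which is the property that makes a passive approach safe on a running plant; the trade-off is that anything present during the learning window is treated as normal, so the learning period needs to be reviewed by someone who knows the process before alerts are trusted.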

Regency IT Consulting can provide targeted research to customers in order to support them in selecting the most appropriate cyber security monitoring tool for their environment. Different tools can be recommended according to the industrial application requirements in energy, oil & gas, water and waste water, manufacturing, transportation, nuclear and other critical infrastructure. Regency’s methodology for selecting a cyber security monitoring solution follows four phases:

  • Define end customer site requirements,
  • Perform market research and identify all tools (solutions) that fit customer requirements,
  • Conduct an evaluation of each identified solution based on research, vendor meetings and test bed deployments, and
  • Report the findings and propose recommendations based on the outcome of the study.

In summary, cyber security monitoring tools are recommended to enhance the cyber security posture of CNI; the correct selection and implementation of these solutions can minimise downtime and increase the overall cyber security resiliency of industrial plants. Selecting the correct solution and tool is therefore a crucial step in achieving these targets and in ensuring ICS availability, integrity and confidentiality.

For more information on how Regency can help your organisation, please contact enquiries@regencyitc.co.uk


By Mohammad Jbair (Security Consultant – OT Cyber Consulting Team)

Regency IT Consulting Continues its Sponsorship of Royal Signals Course

Regency IT Consulting has sponsored the Royal Signals’ Foreman of Signals (Information Systems) course since approximately 2010.

Protecting Modern Manufacturing from Modern Cyber Risks

The whole concept of Industry 4.0 is one of “super-connected plants” with product and service on demand and instant access to real-time data. The principles it embodies include the creation of interoperable manufacturing environments, integrated sales and delivery data sets, real-time plant management data, and remote and autonomous service and maintenance management. It is the embodiment of the future that was imagined in the science fiction of the seventies and eighties.

However, with this all-connected, autonomous and self-managed industrial environment comes a set of risks and threats, and the potential for system breakdown that the same science-fictional world relied on for its story lines.

Developing the cyber security profession – have your say!

Whilst wading through all the social media items that I had marked as interesting and should read further, I came across this blog article from the NCSC describing some of the work being performed by DCMS and NCSC around the future of the cyber security profession and requesting comments on the proposal.

https://www.ncsc.gov.uk/blog-post/developing-cyber-security-profession-have-your-say

The blog article goes on to explain that there are plans to create a Cyber Security Council and to integrate and harmonise the existing schemes (including CyBOK, NCSC and CCP) and asks for your thoughts (which can be submitted as an individual or company), which need to be submitted by 31 August 2018.

The public consultation document can be found at https://www.gov.uk/government/consultations/developing-the-uk-cyber-security-profession and thoughts can be submitted via https://dcms.eu.qualtrics.com/jfe/form/SV_5uxqglvphWTsYUl

Please note that Regency does not take any responsibility for the content of any of the links contained within this article. The links have been directly copied from the NCSC blog article.


Top Tips on Human Training

Despite an increased awareness about cyber threats among the general population, hackers continue to prey on people because they believe them to be the weakest link in an organisation’s security.

It’s Your Data: Look After It.

‘Can you name a city that doesn’t have a Y in it?’ ‘Can you spell your mother’s maiden name with no vowels?’

NIS Directive – 9th May is the Starting Point, not the Finishing Line.

The forthcoming NIS Directive is being studied keenly by Operators of Essential Services across the UK to understand the impact on their business. Whilst it does not have the same public attention as the more wide-ranging GDPR (another piece of EU cyber security legislation coming into force in May), NIS-D is of vital importance to the UK’s Critical National Infrastructure.