Feeds

back to article New UK.gov cyber-security standard puts MANAGERS in firing line

The UK government is seeking to hear from businesses that would be interested in submitting evidence to help form a new "organisational standard" for cyber security. The Cyber Security and Resilience Team within the Department for Business, Innovation, and Skills (BIS) has asked businesses to detail initial interest in …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

No. Don't sack the managers

sack the directors who hired them in the first place.

3
0
Silver badge

Here's an opportunity

for those peddling secure operating systems.

2
0
WTF?

Easy-peasy

First bring ISO27001 up to date. Then you can create a whole series of more detailed standards from it, each addressing a particular area of information security that you think needs attention.

There - my employer would have charged many thousands for that - you've had it for free whilst I'm having my breakfast .

1
0

This post has been deleted by its author

Silver badge

AIMemo from/for Offices and Officers of CyberIntelAIgent Security and Virtual Protection ..... MuI7

Gov seeks views on private sector rules.

The UK government is seeking to hear from businesses that would be interested in submitting evidence to help form a new "organisational standard" for cyber security.

Rules for and/or from the private sector on a new "organisational standard" for cyber security? Oh, FFS, wise up and smell the Java/Cocoa, Crashed Test Dummies. There aint no stinkin' rules other than screw your neighbour better than they have ever been screwed before …. and in so doing, make a packet and a bundle for all who would be highly supportive of the pleasure, although it can be even simpler than that whenever they would be unable to do anything to stop anything considered worth doing.

You just don't quite get it and IT yet, do you? Things have changed …. and governments aren't in control of anything, and most certainly not in that very private, and even as needs must oft, and even always, pirate sector, for they just aint fit for future purpose with the personnel they have in dummy elected offices.

And y'all can crow and cry about it and try to deny that as much as you like, but that be the gospel and Global Operating Devices honest truth clearly shared. Get used to it and be prepared for CHAOS to reign in the place of rules and madness and mayhem, ignorance and arrogance.

And you do know what CHAOS can do both for real, practically, and virtually for the surreal and sublime, don't you, or haven't you been paying attention to wall that which you have been told all these years?

Here's an opportunity .... for those peddling secure operating systems. ... Ole Juul Posted Thursday 7th March 2013 07:46 GMT

Quite so, old bean, and a golden opportunity it be too, with the very best providers very careful and discerning about who they supply their intellectual property to, because it can be so catastrophically dangerous to recipients if abused and used wrongly and badly.

Although, having said all of that, it would be more than just nice to be proven wrong and find out that there may be an effective few in active government who be quick learners and willing to embrace the new age and follow new protocols and principals with novel and noble principles, but I aint holding my breath a'waiting for that to happen or make itself known.

1
2

CESG

The Defence sector has a bunch of standards we have to follow. (eg JSP440), plus a quango to approve applications etc, (CESG). I don't understand why UK.GOV aren't chatting to those guys.

(All defence IT systems are supposed to be pen. tested and must be accredited)

3
0
Meh

I smell a potentially good idea about to go very wrong

The main problem with cyber security is that in a lot of organisations nobody really cares until after its too late.

If some sort of "cyber security standard" means that organisations are willing to invest in security simply to keep their accreditation then that can only be a good thing, although I have no idea what this standard could involve to achieve that and I suspect neither does anyone who is going to be involved in creating it.

0
0
Silver badge

We have two 'cyber-security' workstreams

One aimed at achieving compliance with government standards, which keeps a significant bureaucracy lucratively employed, but does nothing to mitigate the real-world risks we face. The other, carried out by practical people with a clue, is aimed at giving us some real protection against those threats.

Years of experience says this new government initiative will make the situation worse

1
0
Facepalm

Designed to deliver certain outcomes?

"The government said that an organisational standard for cyber security should protect firms .. The standard, "when correctly implemented", should be "designed to deliver" certain "outcomes"

What it won't do is make your 'computer' any more secure ...

0
0
Flame

Muhahahahaha

The commercial world will of course mandate that every fucking computer has Flash, Adobe Reader, MS Office and Windows "securely" installed. Of course ALL computers in the "enterprise" must be the same. Every corpo drone must be able to view Flash videos embedded into Excel sheets at any time !

So that whenever near or far east intel has an urgent need for something will be able to get their fingers into the cookie jar. The whole proposition of this story clearly is meant to be parody.

Any *real* security does not come from the spineless commercialworld scumbags. That's why capable governments have their own departments for designing ciphers.

References:

http://en.wikipedia.org/wiki/SecurID#March_2011_system_compromise

0
0
Anonymous Coward

Cyber = fail

Use of the word "cyber" in this context shows that this initiative is merely american-infected security theatre.

There is already ISO2700x and PCIDSS. What does this add?

0
0
Bronze badge
Pirate

Certainly as far as development goes it's usually managers and directors that set the *pace* of development to leave little time for the unit testing, code reviews etc that are fairly normal in say Open Source. If that's the case and they're to blame (in this special circumstance) they should be prosecutable and prosecuted in a situation where they negligent and put the public in some way at risk. But then again so should bankers have been so that's going nowhere...

It's not absurd for government to be legislating, and making rules, and attempt to protect the public - sometimes from themselves - it's actually what they're elected to do. The question is if they know what they're doing.

The problem with security standards from basically anywhere - they're usually all obvious anyway, cover work in unnecessary bureaucracy and generally aren't fit for purpose. PCI-DSS for example..

It should probably be easier to whistle-blow security failings in the UK when companies fail to report compromises, that would accomplish more in the area of data security than any standards because overnight it will make managers think twice about corner-cutting.

0
0
Bronze badge
Terminator

Also not for nothing but when a government does an IT consultation it implicitly looks for people to consult who are lacking clue. Seems to be looking for Google to answer the question again.

0
0

Safeguard Proprietary Information

It is time to end the indiscriminate use of the Internet for information the organization cannot afford to lose and doesn’t know how to protect. It is time to ask acquisition program managers and industry executives to exercise due diligence and to supply evidence of safeguarding proprietary information based on rational conditions for Internet use and various degrees of urgency. What are the pre-conditions for using the Internet?

Acquisition program managers and enterprise executives have a duty and responsibility to safeguard the proprietary information under their control from the clear and present danger associated with Internet use. Accordingly, an organization should not use the Internet for data or information it cannot afford to lose or cannot protect. If it decides to do so in the presence of the known risks, it must be prepared to accept the consequences for stepping over the red line.

Internet availability is a live connection or pathway to the Internet open to Cyber attacks accompanied by known weaknesses, vulnerable attributes, unresolved outcomes, persistent bad actors, and unresolved consequences. The organization that explicitly assesses the rational conditions for Internet use, follows the rules and conditions governing rational use of the Internet by staying within the lines of the truth table of rational conditions; decides to accept the risk of Internet use due to urgency whether vital, necessary or desirable; and rationally accepts the consequences governing use of the Internet beyond the red line is an accountable organization to be admired.

0
0
This topic is closed for new posts.