APPENDIX B
GOOD PRACTICE GUIDELINES

There are many examples of good practice guidelines on the internet, making it an impossible task to list them all. However, the following are of particular note, and will direct the reader to those guidelines of interest that will provide the level of detail required.

GENERAL CYBER SECURITY ADVICE

CPNI has a wealth of information covering all sectors of the CNI at https://www.cpni.gov.uk/advice/cyber/Good-practice-catalogue/

Good practice information on industrial control systems can be found at https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf

The UK’s Health and Social Care Information Centre (HSCIC) posts good practice information for cyber security at http://systems.hscic.gov.uk/infogov/security/infrasec/gpg

NCSC promotes cyber security good practice information for both public and private sectors, and guidance documents can be found at https://www.ncsc.gov.uk/guidance

For both public and private sectors, warning advice and reporting points (WARPs) can be found at https://socitm.net/about/warps/

As part of the National Cyber Strategy, the UK’s CERT has four areas of responsibility:

  1. national cyber security incident management;
  2. supporting critical national infrastructure companies to handle cyber security incidents;
  3. promoting cyber security situational awareness across industry, academia and the public sector;
  4. providing the single international point of contact for coordination and collaboration between national CERTs.

Further information can be obtained from www.ukcert.org.uk

Organisations that are members of the Information Security Forum (ISF) have access to its Standard of Good Practice, the most recent version being from 2013. See https://www.securityforum.org/blog/standard-of-good-practice-for-information-security-2020-now-available-to-members/

UK GOVERNMENT CYBER SECURITY ADVICE

The following is a selection of useful advice and guidance documents from the UK government for both small and larger businesses:

Help small businesses stay safe online: https://www.cyberstreetwise.com

What small businesses need to know about cyber security: https://www.gov.uk/government/publications/cyber-security-what-small-businesses-need-to-know

The UK Cyber Aware scheme: https://www.ncsc.gov.uk/cyberaware/home

The UK Cyber Essentials Plus schemes: https://www.ncsc.gov.uk/cyberessentials/overview

Cyber security guidance for business: https://www.gov.uk/government/collections/cyber-security-guidance-for-business

10 Steps to Cyber Security: https://www.ncsc.gov.uk/collection/10-steps

IoT Security Assured

The IoT Security Assured scheme provides an opportunity for manufacturers to improve the security of their internet-connected devices and to show they are compliant with best-practice security.

Within the IoT Security Assured scheme, there are three levels of security that a device can be certified to, as follows:

  • The Basic level is aligned with proposed UK legislation and covers the top three requirements of the European Telecommunications Standards Institute (ETSI) standard.
  • The Silver level is aligned with the ETSI mandatory requirements and Data Protection provisions.
  • The Gold level is aligned with the ETSI mandatory requirements as well as all the additional ETSI recommended requirements and Data Protection provisions.

https://iasme.co.uk/internet-of-things/about-iot-security-assured-self-assessment/

National Cyber Strategy

Pillar 1: Strengthening the UK cyber ecosystem, investing in our people and skills and deepening the partnership between government, academia and industry

Pillar 2: Building a resilient and prosperous digital UK, reducing cyber risks so businesses can maximise the economic benefits of digital technology and citizens are more secure online and confident that their data is protected

Pillar 3: Taking the lead in the technologies vital to cyber power, building our industrial capability and developing frameworks to secure future technologies

Pillar 4: Advancing UK global leadership and influence for a more secure, prosperous and open international order, working with government and industry partners and sharing the expertise that underpins UK cyber power

Pillar 5: Detecting, disrupting and deterring our adversaries to enhance UK security in and through cyberspace, making more integrated, creative and routine use of the UK’s full spectrum of levers

https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022

NCSC advice – actions to take

The most important thing for organisations of all sizes is to make sure that the fundamentals of cyber security are in place to protect their devices, networks and systems. The actions the NCSC recommends are about ensuring that basic cyber hygiene controls are in place and functioning correctly. This is important under all circumstances, but critical during periods of heightened cyber threat.

An organisation is unlikely to be able to make widespread system changes quickly in response to a change in threat, but organisations should make every effort to implement these actions as a priority.

See https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened
