Thursday, 20 July 2017

Security: CyberEssentials Plus?

The Short Story 

"The UK Government's Cyber Essentials scheme is designed to make the UK a safer place to conduct business online. The Cyber Essentials scheme identifies some fundamental technical security controls that an organisation needs to have in place to help defend against Internet-borne threats." (source here)

What does this have to do with software development? Security is a quality attribute of an information system (and, in part, of the code being developed to build it, where applicable). So even though, as you can read below, many of the measures relate to infrastructure (e.g. firewalls), some of them will affect the architecture, the code you are writing, and the way you install and configure some of the components of your system. As a software engineer you must therefore be aware of them, so that the errors spotted by later certification attempts, or worse, business failures, do not occur because of you and your work.

The Long Story

"The scheme consists of five baseline controls that businesses should have in place as their presence reduces the risk of data breaches from internet-based attacks.

These five controls are:

  1. Boundary Firewalls
  2. Secure Configuration
  3. Access Control
  4. Malware Protection
  5. Patch Management

Being certified for Cyber Essentials is now mandated for businesses that require access to UK Government information.

The Cyber Essentials scheme has two parts:

1) Cyber Essentials - A first stage that conducts an external vulnerability scan accompanied by a questionnaire, which ensures that internal processes are in place to ensure that best practice is in use. Once this stage has been passed a company is certified as passing Cyber Essentials.

2) Cyber Essentials Plus - The second stage is the Cyber Essentials Plus certification. This encompasses a detailed assessment of your infrastructure, with detailed examination of the technologies and servers in use within the company. Once a company has demonstrated that it has created a secure environment it will gain the Cyber Essentials Plus Badge.

Context is certified to provide both assessments for UK businesses." (source, links below)

Additional information 

Cyber Essentials Scheme: overview - GOV.UK
MTI_Cyber_Essentials_Scheme.pdf (PDF)

Cyber Essentials Plus