A root question for Cyber Security implementation is what standards to follow and what
policies to implement. As an example, the Information Security Standard IS27001
describes 14 areas
• Information Security Policies
• Organization of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance
and 114 control points that need to be proactively managed, policies written, solutions
implemented, and ongoing effectiveness monitored.
Normally the key person responsible for this is the Chief Information Security Officer
(CISO) and the security team reporting to him. But implementation is distributed across the
organisation (as each department must operate the appropriate controls) and so the
definition, implementation and monitoring of the security stance becomes fragmented.
This makes it hard to manage, hard to change, hard to monitor, and hard to audit.
The Information & Cyber Assurance Suite (ICAS) from Caveris Ltd is a management
system that enables the CISO and his team to locate all the security policy information in
one place, and then to have manual and/or automated controls to ensure that the
implemented solutions adhere to policy. ICAS is not a “security solution” in the sense of an
intrusion detection system, an anti–virus/malware system, an end point protection
system, or numerous other such offerings. Rather, ICAS is there to enable the CISO to
proactively manage the organisations Cyber Security stance.
ICAS gives the CISO a top–level view of the organisation’s cyber security both in terms of
“Corporate Domain” issues like HR policies or Supplier Management, and also in the
“Technology Domain” area for IT Systems and Network compliance. A workflow engine is
included to direct security policy issues to the right person and elicit a response. For
example, the HR Manager may be prompted annually to confirm that the HR Security
Policy is up to date and upload the latest version to ICAS as proof. In the “Technology
Domain” ICAS executes automated controls to check that policy requirements are met –
for example, query the anti–virus system to confirm that all anti–virus databases are up to
date.
With both manual and automated responses, ICAS computes a Security Assurance Index
(SAI) score which the CISO can monitor to see whether the cyber security preparedness of
the organisation is improving over time.
By implementing ICAS, the benefits to an organisation include:
• A centralized approach to cyber security management, thus avoiding
fragmentation and disjointed implementation.
• The workload on the CISO and his team is significantly reduced in terms of chasing
people for policy updates and monitoring control execution. In other words,
implementation costs are significantly lower.
• Centralizing the policies and centralizing the logging of enforcement means that
Audit information is readily available.
• Responses to regulatory queries can be quickly answered.
If you need further information, please do not hesitate to call.