Having confidence in cyber security
As you and your suppliers design and build systems, you will include mechanisms to reduce the chances of cyber security problems occurring. You'll also introduce measures which minimize harm in the event that problems do occur. But how certain can you be that these important measures are in place and working as intended?

Outlined below are some of the ways in which you can gain confidence that security measures are *genuine* and effective. At the low end of the scale, this may mean a straightforward promise from a supplier, with no attempt at verification. At the high end, it might entail the use of independently assured components in a configuration approved by a qualified professional, and perhaps independently tested for good measure.

It should be noted that the approaches below are not mutually exclusive. Many of them can be combined to provide higher levels of confidence.

## 1. Assertion or commitment from a supplier

The supplier describes how their service meets your security objectives, but is unwilling (or unable) to provide evidence of independent validation. You are, in effect, reliant on the honesty, accuracy and completeness of the supplier's assertions.

#### Things to consider:

- the service provider's level of security maturity
- whether they have a reputable in-house security team
- their approach to proactive testing
- historical evidence of how they have responded to security issues
- whether you're allowed to perform your own security testing

## 2. Contractual commitment from a supplier

Commodity services often come with terms and conditions or license agreements which you are unable to change. However, where you are able to negotiate contractual terms, you will need to ensure that these represent your needs accurately.

#### Things to consider:

- security requirements should be specific and measurable, since clauses which are too generic can add cost, have limited value and may be unenforceable
- being over-prescriptive can lead to adversarial behavior
- try to build a shared risk proposition with suppliers so they are invested in doing the right thing, rather than just what it says in the contract
- think about if, and how, you might check whether the contract clauses are being followed

## 3. Independent validation

An independent and expert third party reviews and confirms your own efforts, or the commitments that have been made to you by a supplier. This can help you gain confidence in the claims or commitments made by the supplier. It can also reassure you that your own endeavors are well designed and implemented.

### 3.1 Validation by an independent third party

An independent third party has confirmed that claims or commitments made by a supplier, or asserted by you, are true. Crucially, in this case, the confidence does not stem from compliance with a particular standard.

#### Things to consider:

- whether the third party has the right skills to undertake such a review
- the extent to which the third party verified your assertions, or your supplier's commitments

### 3.2 Compliance with a recognized and appropriate standard

The service holds a valid certificate of compliance with a recognized standard.

#### Things to consider:

- the scope of certification: validation should ensure that all service-impacting controls are covered by the certification
- whether the auditor verified that controls are present and effective: they may have only established that controls exist, or that a policy on their use exists
- the skills and competence of the auditor: check that the auditor is suitably qualified

### 3.3 Independent testers validate the *implementation* of controls

Independent testers, such as qualified penetration testers, have evaluated the effectiveness of the security controls which you or your supplier have asserted are in place.

#### Things to consider:

- testers should have appropriate industry-recognized qualifications for the testing they are carrying out (see our recommendations specific to penetration testing if appropriate)
- testing will validate security controls at a particular moment in time; regular re-testing will be necessary to retain confidence

### 3.4 Security architecture review

The technical architecture of your system, or your supplier's system, has been reviewed by an appropriate security expert. The expert has given you an independent assessment of the system's design. This will tell you whether the system provides a reasonable level of mitigation for the attacks you are concerned about.

#### Things to consider:

- the skills of the person or people performing the review (e.g. do they hold a qualification such as CCP 'IA Architect' at the Senior or Lead level?)
- the threat model the system should be reviewed against

Note that a security architecture review does not verify that components have been properly configured when deployed, or that the system is maintained well in practice.

### 3.5 Assurance in a component

There is independent assurance in a product or service used within your service or its underlying components.

#### Things to consider:

- Is the component an appropriate control in this context? Does the independent assurance reflect how you are using it?
- Is the component configured and used appropriately? Is it being used in the same fashion as it was assured?