Amicus ITS Awarded Full Certification For Cyber Essentials Plus

cyber-essentials-plus-award-2017_03_03_17

Amicus ITS has announced its award of the higher level ‘Cyber Essentials Plus’ status.  This industry-backed technical security scheme seeks to heighten the defences of companies against threat.  For Amicus ITS with its long history of serving healthcare, regulated industries and blue chip corporates, it was a logical and natural extension of its existing security standards.

Led by Standards Co-Ordinator Emma Purr of Amicus ITS’ Security & Compliance Team, Emma Purr said:  “This was a good team effort, supported by members of our technical Escalation Team.  Cyber Essentials Plus is normally a first step-in for organisations to gain the more stringent security accreditation, ISO 27001.  Cyber Essentials Plus requires a 5-step security approach, whilst information security standard ISO27001 has 114 control requirements in 14 groups and 35 control objectives which must be addressed, so is both very broad and very deep.  However, we’ve done it in reverse, having gained our ISO27001 status back in July 2014. This was however no walk in the park and illustrates the critical importance of ensuring robust defences exist around your business.  Obtaining Cyber Essentials Plus status has further strengthened our resilience and is great to have on show as another recognised security badge”.

What is Cyber Essentials Plus about?

To create the UK Cyber Essentials scheme, the UK Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) for several years before launching the current system in June 2014.  Backers also include the Federation of Small Businesses (FSB), the Confederation of British Industry (CBI) and various insurance institutions.  Forming a set of comprehensive and challenging technical controls, it endorses compliance for organisations to create better technical protection from cyber attack and misuse of systems.  With standards which are risk-based and prompted by international best practice, they include aspects such as physical security, staff awareness and data backup.

What does Cyber Essentials Plus focus on?

Amicus ITS had to focus on five mitigation strategies:

1.   Boundary firewalls and internet gateways – for any user trying to access any websites which may have malicious content
2.   Secure configuration – ensuring the administration control of all user devices are securely configured, so the rights on what can be downloaded is appropriate and controlled.
3.   User access control eg, new starters only have access to the systems they require as part of their job; special access privileges which are restricted to a limited number of authorised individuals, which includes domain admin and the restriction of selected system administrators to be able to make any changes at a high level to internal systems and security firewalls; plus password strengthening and complexity in relation to service accounts. These get changed regularly – and automatically on the exit of any personnel.
4.   Malware protection – ensuring that relevant antivirus malware software is installed and kept up to date, which scans files and web locations automatically on access to identify they are safe and also to re-endorse the protection against accessing unsafe websites which get automatically blocked.
5.   Patch management – this ensures all software running on company devices are licenced and up to date, installed in a timely manner and that out of date software is removed from devices. Additionally, that security patches are deployed automatically on release.

Anyone wishing to discuss business information security issues or about being supported to obtain Cyber Essentials status, should contact the Sales team or speak to JP Norman on 02380 429429.

cyber-essentials-plus-badge-high-res

Cloud based financial applications starting to take off in Europe

European CFOs are finally starting to show some interest in cloud-based financial applications with the maturing of data security and improved delivery models.  The rationale being that by adopting cloud delivered application services, their organisations can enjoy the benefits of reduced costs and efficiency increases.

In a recent Claranet survey of 900 IT decision-makers in Europe:

  • 40% of European IT Directors stated security was the most important factor in the delivery of finance applications.
  • 29% of respondents selected availability
  • 31% selected performance

Whilst in a separate survey by Blackline, a US financial controls and automation company:

  • 80% of financial decision makers questioned agreed that Cloud delivery increased levels of automation and productivity.
  • 75% of CFOs think their business is missing out on revenue opportunities by not having the right cloud applications and infrastructure in place to support digital business transformation.

“Cloud is not the dirty word it once was for European CFOs”, Andy Wilton, CIO of MSP Claranet commented.

With nearly 50% of organisations using third parties to manage and host their financial applications, it is little surprise that data sovereignty remains a key issue around hosting.

In-country datacentres are likely to be preferred for the hosting of financial data as we await the implementation of EU Data Protection Regulations and beyond.

One trend has been for legacy applications to remain in the private cloud to save on infrastructure costs and on hosting niche products such as financial reconciliation tools, whilst early test flavours getting favourable responses include bolt-on financial applications for a specific process eg. supplier statement reconciliation.

The upside potential is significant, with estimates of a reduction in total cost of ownership of up to 40% and a reduction in the speed and risk of implementation as companies adopt standard products, and increase their agility.

Hybrid cloud options are probably a more palatable mix to the Board, involving the use of public and private cloud, as this route stops the problems of shadow IT bypassing the internal IT department. Public cloud resources can then be applied alongside internal data management, so efficiency, performance results and ROI can be analysed in the round.

Compliance and security will always be the wrapper for any endeavour to move an organisation’s data into the Cloud environment and there will always be complexity with legacy systems to integrate. However, if well planned, professionally executed with an eye always on the security of the environment, businesses should benefit and future protect themselves through a SaaS model, despite the sense of challenge.

vault

 

This week’s technology news – 25th July 2014

Policing Cloud and data policies provides good practice
The evolution of big data and the harnessing of data in the Cloud has, with all its technological innovation and wider corporate adoption, flagged up ever increasing policing needs around compliance and information risk management. These must be reviewed regularly and intensely by the CISO to protect the organisation.  Failure to do so will make the threat of fines and penalties (which can be more severe than fines) ever more likely.

If strong information security measures and good governance practice are put in place, this can keep organisations ahead of regulatory mandates.  The speed of change in data and privacy laws does not make it easy to stay on top but a vigilant CISO will be thinking ahead constantly.

Cloud services may be offered by multiple suppliers using multiple data centres, sending data around the world. This crossing of borders gets complicated as each country has its own jurisdictions, making safeguarding complex especially if the review is triggered by incident versus proactively controlled and selected.

The right of respect for personal information data held by organisations is at the heart of information security. Accordingly, companies need to know what information they hold and whether it is “Personal Identifiable Information” (PII).  Protecting PII is the responsibility of the data controller.  Apart from names and addresses, PII can include medical records, bank account details, photos, videos, personal preferences, opinions and work locations. It does not however, have to include a name to be PII.  Privacy is a compliance AND business risk area.

Approved jurisdictions are recognised by the EU as having an adequate levels of protection under local regulation.  Countries which have satisfied the requirements outside Europe include:  Argentina, Canada, Israel, Uruguay and New Zealand.   The US is a jurisdiction that is missing from the list.  Their ‘work around’ is the Safe Harbour Treaty, that allows EU information to be transferred to US based organisations, but this may still not provide sufficient regulatory assurance or liability for some organisations or public bodies.

The decision to use Cloud systems should be accompanied by an information risk assessment concentrating on the complexity not only of the Cloud system, but privacy regulations too – and the level of security required for that data.  Once analysed, the right path for each organisation becomes less complex and the knowledge and understanding of the CISO increases, as does the confidence of the Board that they and their data is in “safe hands”.

Reputations are lost quickly in the modern age.  Trust which may have taken years to build, when lost, is gone forever – and the swift migration of consumers will always hit the bottom line. Governance is not always present in the information security function and breaches may be more often down to an inadvertent mistake rather than criminal intent, but all steps taken to reduce risk, so long as it still enables the organisation to reach its goals, will smarten the way business operates and reacts.  So wake up and smell the coffee:  be close to your Cloud provider to know and understand where your information will be stored and processed.

Plastering on the care
digital patch plaster

A very clever battery-operated, wireless, sticking plaster-sized, patient monitoring patch has been developed by Oxford based firm, Sensium Healthcare. The monitoring patch could revolutionise patient care and increase the amount of time medical staff can give to those patients in greatest need.   Currently, patients requiring monitoring are hooked up, immobile and require constant observation, normally in four hour cycles.  The new monitoring patch enables the patient to get up and move around (encouraged as part of the process of speeding up recovery) and vital sign data is updated every few minutes, passing the data via a ‘router box’ in each room to the hospital IT system.

It is not intended to replace routine checks, but nursing staff report that it has helped take off some of the pressure on ward rounds.  The patches provided early detection of deterioration in 12% of patients wearing them in the tests at the Brighton hospital.   With a high incident of 12,000 recorded preventable deaths in England in 2012, of which one third were down to monitoring, this could be a significant game changer for NHS England – and at only £35 each and lasting 5 days, it is a refreshingly cheap solution for the Minister for Health to consider!  http://www.bbc.co.uk/news/health-28317509#

The next big thing in Mobile Memory
rice-rram
Tablets have come a long way in the last 10 years: from Windows XP tablet PC edition, to all the options that exist today. But memory is one of the areas where we have not seen great strides. Rice University in Texas is claiming a breakthrough in this field. Their silicon oxide technology – a type of RRAM – has been in development for five years and is nearing mass production, having gone through several refinements. The technology is undergoing prototyping of chips,  capable of storing one Terabyte, the size of a postage stamp. The cost of a chip so memory-dense would likely be sky high but the technology also provides all size variants in-between.

When Operating System and Device makers have a lot more memory to play with, how we use our devices could change. Being able to dump all of your apps into memory mean you could access all your information instantly. This can change how we both multitask and perform complex tasks on mobile devices.  As always cost and power consumption will be vital in what role this technology does play in the future, but with the right balance struck, this could be a turning point for mobile devices.

MDM vs Containerisation
Last year certain analysts were predicting that traditional mobile-device-management (MDM) was on the way out, to be replaced with containerisation of both data and apps. It would seem the market has taking a different approach after all. Application level management has in fact grown but MDM is still the preferred method for BYOD security. This has led to many a heated discussion on which path is best for mobile security going forwards.

So what is the right choice? Many companies are taking a two pronged attack, taking advantage of the strengths of each to use either, or both, when best appropriate. Just because MDM and containerisation can exist together does not mean that is what is best for your own organisation.  Define your own device use cases and security / governance requirements beforehand to decide which solution best suits your needs  Then you will be able to deliver the best options for your organisation’s needs.

 

This week’s technology news from Amicus ITS – Friday 23rd August 2013

Planning for a disaster
Disaster Recovery is blue language to many IT Directors, but prevention and preparation are necessary activities in this technological age. Checks include: could DR infrastructure and your primary datacentre be affected by the same event? Are Recovery Point Objectives and Recovery Time Objectives built into your DR solution? Do key staff have access to the DR documents and processes, should they need to be followed? Can users connect to applications post Event as the networks and primary datacentre are no longer there? So, no matter the size of organisation, companies ignore regular DR policy reviews at their peril.

The importance of software compliance
Software Asset Management (SAM) is an all-important but often forgotten factor in Enterprise. A recent report from Forrester shows that interest in SAM has increased, mainly driven by potential IT cost savings. Many organisations were found to be still paying for software or maintenance agreements for additional licences that were no longer needed. On the other side of the coin, failure to be software compliant can lead to hefty fines, damage to reputation and even imprisonment of Directors. BYOD also introduces new challenges, with employees using personal devices at work these must have corporate compliant software and not just software licenced for personal use. If they are on your network, the software will be picked up and you must be prepared to be audited.

Hacked off about risk? No, not really it would seem
Cyber attacks and mass outages are viewed as a bigger threat to the UK banking sector than the impact of the recession according to a global study by KPMG. 71% of companies may be using outdated versions of Microsoft and Adobe the study found. Hackers are now targeting cloud based servers with multi-faceted automation, and malware targeting the Google mobile Android OS is appearing to try and get around two factor authentication. With a 12% increase in online fraud and 6 of the major US banks suffering website outages in 2012 (plus the historic RBS/Natwest UK bank meltdown in Summer 2012), financial losses and interruption from computer bugs should make security a top priority for banks and all enterprise businesses.

Breaking the smart phone mould
We recently asked who will be next in shaking things up from the now standard smart phone design. Samsung is the first to answer our cry and is bringing something new to the table. The Samsung Galaxy Golden when closed, looks like the modern all-screen smart phone, however it can be flipped open to reveal a classic T9 numeric pad with another screen behind the first. It seems Samsung is trying to use the Galaxy Golden as a bridge device, attracting users who are still holding onto their flip phones, but could later be swayed into buying an all-touch device, after using the touchscreen on the Galaxy Golden in its closed position. Important or not in terms of market penetration, it does not drive forward design for the tech enthusiasts. It seems we still have some time to wait until we see the next step in smart phone evolution.

GalaxyGolden