Risk Management in Action
List X stipulates a variety of compliance requirements, covering organizational structure, inspections, contingency plans, visitor controls, export controls, supervision requirements, marketing and sales, and home working. The following is a brief review of risk management, focused on the risk of data loss through theft while working from home. List X clearly sets out the rules for homeworking. The loss of sensitive data would trigger an incident-reporting procedure that consumes considerable time and effort. Even when encrypted, data may still be recoverable, for example if a device is stolen while unlocked or the key is weak. The risk should be recorded in the risk register, since the consequences of unmanaged data loss are substantial and could lead to fines, prosecution, or loss of contracts.
There is currently no homeworking policy. When one is established it will define when working from home is appropriate, what approval is required, how equipment and documents must be protected when not in use, and which categories of data may be accessed remotely. All staff will be briefed on the homeworking rules and controls. A record of all homeworking-related incidents will be kept for future reference so that the risk can be reassessed more accurately. Homeworking guidelines and approvals will be reviewed quarterly.
Assurance and Certification
With the controls now in place, security measurement guided by ISO/IEC 27004, and Business Continuity Planning (BCP) implemented under ISO 22301, CCC should be able to pass an internal audit and compliance assessment. This is the right time to seek an independent assessment. ISO/IEC 27001 certification can be completed in about three months; the certificate is valid for three years, subject to annual surveillance audits. The stage 1 audit reviews the documented management system and current capability and identifies the actions needed before stage 2; the stage 2 audit verifies that the controls are implemented and effective, after which certification can be granted. The assessment is carried out by an accredited external certification body, which makes the decision whether or not to certify.
NIST SP 800-37 defines the Risk Management Framework (RMF), which replaced the traditional Certification and Accreditation (C&A) process, as six steps performed in order: categorize the information system, select security controls, implement security controls, assess security controls, authorize the information system, and monitor security controls. (Revision 2 of SP 800-37 adds an initial Prepare step.) The assessment is performed independently, but the authorization decision itself rests with the organization's authorizing official, not with the assessor.
Cyber Essentials assurance is available at two levels. The first, Cyber Essentials, is a self-assessment that is then independently verified. The second, Cyber Essentials Plus, provides a higher level of assurance by adding an independent technical vulnerability assessment. Recertification is required annually. The Risk Management and Accreditation Document Set (RMADS) captures the threats, assets, vulnerabilities, risks, and changes for a system, and allows an accreditor to evaluate the residual risk and the overall risk position of the business. Whether RMADS applies to CCC depends on how the information is accessed and what information is obtained; CCC could be out of scope depending on the access method and the data involved, so further investigation is needed to confirm applicability.
Organizational Structure Considerations
Given CCC's size, List X requires both a board-level member who is accountable for security and a Security Controller who is responsible for day-to-day security activities to be in post. The Security Controller's role and duties must be thoroughly understood. CCC must establish a clearance contact to process staff clearances, given the reliance placed on agency staff. List X also requires control over who can access the information, from visitors through to employees. The Networks and IT Delivery team is responsible for IT installation security, and it is not envisaged that a Crypto Custodian is needed at this time.