CCC
CCC must conform to the contractual responsibilities, laws, and guidelines of the two major countries where it operates, the UK and the US. It must also adhere to an additional layer of governance and contractual obligations arising from its work in military research and development (R & D). Because its crucial asset is military intellectual property, CCC must demonstrate that it can be trusted with sensitive information by complying with the extremely rigorous information governance standards imposed on it. This is critical to the success of the organization.
The CCC executive must attain the information security goals of integrity, confidentiality, availability, non-repudiation, and authenticity. Doing so will help the company increase its customer base and operate efficiently.
Selecting Standards
CCC should adopt three widely used standards that provide certification and independent assurance: ISO 27001, Cyber Essentials Plus, and NIST 800-53. Customers increasingly demand ISO 27001, which drives suppliers to implement it. Calder (2013) observed that ISO 27001 certification grew by 18% in 2011, and it grew by a further 20% in 2015 (ISO 2015). This standard integrates with ISO 31000 & 31010 Risk Management, ISO 22301 Business Continuity, ISO/IEC 20000 Service Management, and ISO 9001 Quality Management. It is supported by ISO 30301 Records Management, BS 7858:2012 People and HR Security, ISO/IEC TR 18044:2004 Incident Management, BS ISO 28000 Supply Chain, and BS 13500 Organisational Governance. Further information about these and other standards can be found in Appendix F Supporting Standards.
To undertake new contracts with the Ministry of Defence, CCC must, at a minimum, obtain a Cyber Essentials certificate (Defence Cyber Protection Partnership (DCPP) Guidance Update, 2016). All new contracts awarded by the MoD are subject to a risk assessment. Given the sensitivity of the information CCC manages, it should anticipate a cyber-risk level of “High”; obtaining Cyber Essentials Plus, which requires independent testing of systems, is therefore vital. Cyber Essentials concentrates on secure configuration, boundary firewalls and internet gateways, access control, patch management, and malware protection. It is the best framework to complement ISO 27001.
Since the DoD uses NIST for assessment and authorization, risk assessment, risk control, and rigorous continuous monitoring, adopting it within CCC would be beneficial. In 2014 the DoD announced that it would embrace a Risk Management Framework (RMF) consistent with the NIST publications, replacing the DoD Information Assurance Certification and Accreditation Process (DIACAP). The RMF also upholds security by design, so that architectural design and development deliver secure systems, links information risk management processes to organizational risk management processes, and defines responsibility and accountability for the security controls that have been deployed. NIST publications are freely available, whereas ISO standards documents must be purchased individually, an advantage NIST has over ISO.
Implementing Standards Frameworks
There are several stages in implementing the ISO 27000 security framework. In the early stages, senior management must provide strategy, direction, resources, and support. The second stage identifies the data, information systems, and intellectual property to be protected, which are CCC's main assets. Once the assets have been identified, risks can be assessed and mitigations recommended. A Risk Treatment Plan (RTP) should then be developed; it should list the risks to be addressed and clearly set out how and when they will be addressed. An ISMS programme should then be initiated to implement the ISMS. Lastly, the ISMS will need to be maintained through regular risk evaluations and decisions about enhancements to controls. This process is often referred to as continuous improvement, and it is driven by a Service Improvement Plan (SIP).
Summary
Implementing the best practices of Information Assurance and Risk Management through various security frameworks has many benefits for the business. An active evaluation cycle ensures constant enhancement, adjustment, and response to emerging threats, which in turn reduces significant risk to the executive. By embracing NIST, ISO 27001, and Cyber Essentials, CCC will be in the best position to counter security threats, and will also lower the risks and costs that come with security incidents.
The CCC Board should drive cultural change throughout the firm, from top to bottom. This course of action, coupled with processes, policies, technological controls, and procedures, will provide direct motivation and empower staff to guard against detrimental threats, now and in the future. All elements of an Information Security Management System (ISMS) combine into one practice, working together to deliver the benefits to the business. Validation of regulatory compliance through the ISMS can improve CCC's standing to win and retain business, and increase effectiveness and customer satisfaction.
CCC's governance arrangements will be shaped by the company's contractual and regulatory relationships. These will also dictate the security frameworks it embraces and the controls it selects. CCC must pursue assurance through the Cyber Essentials and NIST assurance procedures in order to do business with both the MoD and the DoD. Additionally, CCC should implement ISO 27001 as its main framework and map it to NIST to fulfil the US corporate requirements and reduce duplication.
CCC should use these security frameworks to establish an information governance programme and to maintain best practices in information and risk management. It should then obtain independent certification to demonstrate and offer assurance to stakeholders, staff, clientele, and contractors that the firm is guarding its information assets. This will also show other potential customers that CCC is a trusted partner and will secure its trading future. This proposal should be regarded not as an undesirable cost, but rather as a competitive advantage for the company.