MASS UK Industry Conduct Principles and Code of Practice 2022 (V6)
5. CIS v7
The body responsible for developing and maintaining the CIS Controls v7 framework is the Center for Internet Security (CIS). CIS v7 lists 20 actionable cyber security controls, each broken down into sub-controls, intended to raise the security baseline of any organisation. Most companies treat the controls as best practice because CIS has a credible reputation for developing baseline security programs (including its widely used configuration benchmarks). The framework categorises the controls into three implementation groups. Implementation group 1 is for businesses with limited cyber security expertise and resources. Implementation group 2 is for organisations with moderate technical expertise and resources for implementing the sub-controls, whereas implementation group 3 targets companies with extensive cyber security expertise and resources. CIS v7 stands out because the implementation groups let organisations create budget-friendly cyber security programs and prioritise their cyber security efforts in a defined order.
https://www.cisecurity.org/controls/
6. NIST 800-53
NIST created Special Publication 800-53 to enable US federal agencies to adopt effective cyber security practices. The framework is a catalogue of security and privacy controls designed to enable federal agencies to secure information and information systems. In addition, NIST 800-53 provides governmental organisations with the control set they need in order to comply with FISMA (Federal Information Security Management Act) requirements. NIST 800-53 is unusual in containing more than 900 controls and control enhancements, which makes it among the most demanding frameworks for organisations to implement; in practice, organisations select a baseline (low, moderate or high impact) and tailor it rather than implementing every control. The controls in the framework cover physical security, penetration testing, security assessment and authorisation policies and procedures, among other areas. NIST 800-53 is a useful framework for organisations operating federal information systems, companies whose systems interconnect with federal information systems, and institutions seeking FISMA compliance.
https://nvd.nist.gov/800-53
7. COBIT
COBIT (Control Objectives for Information and Related Technologies) is a governance framework that aligns an enterprise's business objectives with the governance and management of its IT, including IT security. ISACA (Information Systems Audit and Control Association) developed and maintains the framework. COBIT is useful for companies that want to improve the quality of their IT processes while at the same time adhering to enhanced security practices. The factors that led to the creation of the framework were the need to meet the expectations of all stakeholders, the need for end-to-end process controls across the enterprise, and the need for a single, integrated governance framework rather than a patchwork of separate ones.
http://www.isaca.org/cobit/pages/default.aspx
8. COSO
COSO (the Committee of Sponsoring Organizations of the Treadway Commission) publishes an internal control framework that allows organisations to identify and manage enterprise risks, including cyber security risks. The core activities behind the framework include monitoring, auditing, reporting and controlling, among others. The framework consists of 17 principles, grouped into five components: control environment, risk assessment, control activities, information and communication, and monitoring activities. The five components work together to establish sound processes for identifying and managing risk. A company using the framework routinely identifies and assesses security risks at all organisational levels, and so improves its cyber security strategy. The framework also defines communication processes for reporting information risks and security objectives up and down the organisation, and it calls for continuous monitoring of security events so that responses are prompt.
https://www.coso.org/Pages/default.aspx
9. TC CYBER
TC CYBER (the Technical Committee on Cybersecurity of ETSI, the European Telecommunications Standards Institute) was established to improve cyber security standards for telecommunications across Europe. The committee publishes a set of standards and requirements for improving privacy protection for individuals and organisations. It focuses on ensuring that organisations and individuals can enjoy a high level of privacy when using the various telecommunication channels. The committee also publishes measures for enhancing communication security. Although its work specifically addresses telecommunication privacy and security in Europe, its standards are adopted in other countries around the world.
https://www.etsi.org/cyber-security/tc-cyber-roadmap
10. HITRUST CSF
The HITRUST (Health Information Trust Alliance) Common Security Framework (CSF) addresses a broad range of security measures. The framework was developed to address the security issues that organisations in the health industry face when managing IT security. It does this by providing those institutions with an efficient, comprehensive and flexible approach to managing risk and meeting their various compliance obligations. In particular, the framework harmonises multiple data protection regulations into a single control set. These include Singapore's Personal Data Protection Act and the relevant requirements of the General Data Protection Regulation (GDPR). The HITRUST CSF is also revised regularly to ensure it includes the data protection requirements specific to the HIPAA regulation.
https://hitrustalliance.net/hitrust-csf/
11. CISQ
CISQ (Consortium for IT Software Quality) publishes standards for the security and quality that developers should maintain when developing software applications. Developers also use the CISQ standards to measure the size and quality of a software program. In addition, the CISQ standards enable software developers to assess the weaknesses and vulnerabilities present in an application, whether completed or still under development. As a result, they can address these issues efficiently so that users are given secure software. The weaknesses catalogued by the Open Web Application Security Project (OWASP), the SANS Institute and CWE (Common Weakness Enumeration) form the basis on which the CISQ standards are developed and maintained.
https://www.it-cisq.org/
12. Ten Steps to Cyber Security
The 10 Steps to Cyber Security is a UK government initiative, originally published by the Department for Business, Innovation and Skills and now maintained by the National Cyber Security Centre (NCSC). It provides business executives with an overview of cyber security. The guidance recognises the importance of giving executives an understanding of the cyber security issues that affect business development and growth, and of the measures available to mitigate them, so that they can make better-informed management decisions about organisational cyber security. To that end, it uses broad, largely non-technical descriptions to explain the various cyber risks, defences, mitigation measures and solutions, enabling a business to adopt a company-wide approach to improving its cyber security.
https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security