
MASS UK Industry Conduct Principles and Code of Practice 2022 (V6)


5. CIS v7

The body responsible for developing and maintaining the CIS v7 framework is the Center for Internet Security (CIS). CIS v7 lists 20 actionable cyber security controls meant to raise the security standards of all organisations. Most companies treat the controls as best practices, since the CIS has a credible reputation for developing baseline security programs. The framework divides the controls into three implementation groups. Implementation group 1 is for businesses with limited cyber security expertise and resources. Implementation group 2 is for organisations with moderate technical experience and resources for implementing the sub-controls, whereas implementation group 3 targets companies with extensive cyber security expertise and resources. CIS v7 stands out from the rest because it enables organisations to build budget-friendly cyber security programs and to prioritise their cyber security efforts.

https://www.cisecurity.org/controls/

6. NIST 800-53

NIST created the NIST 800-53 publication to enable federal agencies to realise effective cyber security practices. The framework focuses on information security requirements designed to enable federal agencies to secure information and information systems. NIST 800-53 also provides governmental organisations with the requirements they need to comply with FISMA (the Federal Information Security Management Act). NIST 800-53 is unusual in that it contains more than 900 security requirements, making it among the most complex frameworks for organisations to implement. The requirements recommended in the framework include controls for physical security, penetration testing, and guidelines for implementing security assessment and authorisation policies and procedures, among others. NIST 800-53 is a useful framework for organisations maintaining federal information systems, companies whose systems interact with federal information systems, and institutions seeking FISMA compliance.

https://nvd.nist.gov/800-53

7. COBIT

COBIT (Control Objectives for Information and Related Technologies) is a framework that aligns a business's IT security, governance and management with its business objectives. ISACA (Information Systems Audit and Control Association) developed and maintains the framework. COBIT is useful for companies that aim to improve the quality of their operations while at the same time adhering to enhanced security practices. The factors that led to the creation of the framework were the need to meet all stakeholders' cyber security expectations, the need for end-to-end process controls across the enterprise, and the need for a single, integrated security framework.

http://www.isaca.org/cobit/pages/default.aspx

8. COSO

COSO (the Committee of Sponsoring Organisations of the Treadway Commission) publishes a framework that allows organisations to identify and manage cyber security risks. The core ideas behind the framework include monitoring, auditing, reporting and controlling. The framework consists of 17 principles grouped into five components: control environment, risk assessment, control activities, information and communication, and monitoring activities. All of the framework's components work together to establish sound processes for identifying and managing risks. A company using the framework routinely identifies and assesses security risks at all organisational levels, thus improving its cyber security strategies. The framework also recommends communication processes for passing information risks and security objectives up and down an organisation, and it provides for continuous monitoring of security events so that they can be responded to promptly.

https://www.coso.org/Pages/default.aspx

9. TC CYBER

TC CYBER (the Technical Committee on Cyber Security of ETSI, the European Telecommunications Standards Institute) was set up to improve telecommunication security standards across Europe. The committee's work recommends a set of requirements for improving privacy awareness for individuals and organisations. It focuses on ensuring that organisations and individuals can enjoy high levels of privacy when using various telecommunication channels, and it also recommends measures for enhancing communication security. Although the framework specifically addresses telecommunication privacy and security in Europe, other countries around the world also use it.

https://www.etsi.org/cyber-security/tc-cyber-roadmap

10. HITRUST CSF

The HITRUST (Health Information Trust Alliance) cyber security framework addresses the various measures for enhancing security. It was developed to address the security issues that organisations in the health industry face when managing IT security, by providing such institutions with an efficient, comprehensive and flexible approach to managing risk and meeting various compliance regulations. In particular, the framework integrates various compliance regulations for securing personal information, including Singapore's Personal Data Protection Act and the relevant requirements of the General Data Protection Regulation (GDPR). The HITRUST framework is also regularly revised to ensure it includes data protection requirements specific to the HIPAA regulation.

https://hitrustalliance.net/hitrust-csf/

11. CISQ

CISQ (the Consortium for IT Software Quality) provides security standards that developers should follow when developing software applications. Developers also use the CISQ standards to measure the size and quality of a software program, and to assess the risks and vulnerabilities present in a completed application or one that is under development. As a result, they can efficiently address such weaknesses to ensure users access and use secure software applications. The vulnerabilities and weaknesses identified by the Open Web Application Security Project (OWASP), the SANS Institute and CWE (Common Weakness Enumeration) form the basis upon which the CISQ standards are developed and maintained.

https://www.it-cisq.org/

12. Ten Steps to Cyber Security

The Ten Steps to Cyber Security is an initiative originally published by the UK's Department for Business and now maintained by the National Cyber Security Centre (NCSC). It provides business executives with an overview of cyber security. The framework recognises the importance of giving executives an understanding of the cyber security issues that affect business development and growth, and of the measures used to mitigate them, so that they can make better-informed management decisions about organisational cyber security. The framework therefore uses broad, less technical descriptions to explain the various cyber risks, defences, mitigation measures and solutions, enabling a business to take a company-wide approach to enhancing cyber security.

https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security
