The UK Cabinet Office has announced a consultation into the proposed cyber risk management standard for organisations as part of its cyber security strategy announced in November 2011.
The proposed guidance and the accompanying call for views and evidence define cyber security as the "preservation of confidentiality, integrity, and availability of information in cyberspace", and define cyberspace quite broadly as a "complex environment resulting from the interaction of people, software, and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form".
The UK Government intends to select and endorse an organisational standard that best meets the requirements for effective cyber risk management. The current proposal outlines requirements for a standard, its objectives, outcomes, auditable requirements and controls in "at least" the following areas:
- Network security
- Malware prevention
- Secure configuration of information systems
- Removable media
- Home and mobile working
- Managing user privileges
- User education and awareness
- Incident management.
So it is somewhat disappointing that application security isn't mentioned, but those requirement areas pre-date this consultation, which is about the choice of an existing standard to follow.
Responses can be sent by email to firstname.lastname@example.org or by post to Cyber Security Team, BIS, 1 Victoria Street, London SW1H 0ET. The closing date to submit evidence is 14 October 2013.