Ministry of Defence lowers supplier infosec standards thanks to COVID-19 outbreak Security standards for defence contractors have been lowered thanks to the coronavirus outbreak, Britain's Ministry of Defence has told its suppliers. In an Industry Security Notice published to an obscure corner of GOV.UK, the ministry said it is suspending the need for its suppliers to have the Cyber Essentials Plus security …
The two levels of Cyber Essentials should really be called Cyber Essentials Very Basic and Cyber Essentials Basic, as neither ensures continuing resilience against cyber attack. The best on offer is an "MOT test" of following some specific rules, and at the "higher" level also passing a pen test on a given occasion.
When Cyber Essentials was in its infancy I recommended verification of the maturity (on the lines of CMM) with which the specified controls are managed. I got no traction, despite most cyber breaches primarily succeeding due to lax management rather than not having controls notionally in place (witness Equifax).
It's also worth noting that despite all the publicity about the insecurity of Zoom, both government agencies and others to my knowledge conferencing at Secret and Top Secret levels are still using it.
So much for cyber security.
My last place got Cyber Essentials (3 to 4 odd years ago) purely by ignoring half the network and systems and getting HR to fill the form in.
Without someone actually checking that what you have said you do is what you do its just a box ticking exercise where you always give the expected answer. How can you fail...
Also paying a company to do a check is also questionable as its in thier interest for you to pass and to keep paying them... Not sure how you get around this one though!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
