UK cyber security community: Difference between revisions
Undid revision 1214826268 by 143.159.184.104 (talk) non-neutral copyvio of the organisations website
(46 intermediate revisions by 33 users not shown)

The cyber security (or information assurance) community in the [[United Kingdom]] is diverse and interconnected in a complex network, with many stakeholder groups contributing to support the ''[[UK Cyber Security Strategy]]''.<ref>{{cite web|title=UK Cyber Security Strategy|url=http://www.cabinetoffice.gov.uk/resource-library/cyber-security-strategy}}</ref> The following is a list of some of these stakeholders.

Although the terminology is currently largely aligned to a "cyber" view of the world, it is taken to still include information-related concerns, with previous predominant terminology including:

{{Expand list|date=January 2013}}

* Automated Data Processing Security or ADP Security (1980s)
* Computer Security or CompuSec (early 1990s)
* IT Security or ITSec (mid 1990s)
* Information Security or InfoSec (late 1990s and early 2000s)
* Information Assurance or IA (2000s and early 2010s)

The significant constituents within that community are probably best understood by grouping them into high-level categories, namely:

* Public sector bodies
* Academia
* Professional bodies
* Industry groups
* Cross-sector bodies
== Public sector bodies ==

{{Expand list|date=January 2013}}

=== Legislative ===

According to a parliamentary committee the UK government is not doing enough to protect the nation against cyber attack.<ref>[https://www.theguardian.com/technology/2018/nov/19/uk-wholly-unprepared-to-stop-devastating-cyber-attack-mps-warn UK 'wholly' unprepared to stop devastating cyber-attack, MPs warn] ''[[The Guardian]]''</ref>

* [[EURIM]], the Digital Policy Alliance<ref>{{cite web|title=EURIM|url=https://www.dpalliance.org.uk/publications/eurim-archive/}}</ref>

=== Central government ===

==== National strategy ====

The UK Government periodically publishes a Cyber Security Strategy.<ref>{{cite web|title=UK Cyber Security Strategy|url=http://www.cabinetoffice.gov.uk/resource-library/cyber-security-strategy |publisher=HMG}}</ref> Many of the stakeholders across all categories are engaged with that effort.

==== Capstone components ====

The overall responsibility for security within the UK rests with the [[National Security Council (United Kingdom)|National Security Council]], which is a [[United Kingdom cabinet committee|cabinet committee]] chaired by the [[Prime Minister]] and tasked with overseeing all issues related to [[national security]], intelligence coordination, and defence strategy.

The internal protective security coordination role for UK government is led by the Government Chief Security Officer (GCSO) within the Cabinet Office, who since 2021 has been [[Vincent Devine]].<ref>{{cite web | title=GCSO | url=https://www.gov.uk/government/people/vincent-devine |publisher=HMG}}</ref>

The central organisation supporting the GCSO is the Government Security Group (GSG), with a distributed Government Security Function / Government Security Profession across the departments and Arms Length Bodies (ALB), and three National Technical Authorities (NTA), all of which have a role in information and/or cyber security:

* The National Technical Authority for Cyber Security (NTA-C) is the [[National Cyber Security Centre (United Kingdom)|National Cyber Security Centre]] (NCSC), the UK's authority on cyber security; its parent organisation is [[GCHQ]]. It absorbed and replaced [[Government Communications Headquarters#CESG|CESG]] (the [[information security]] arm of GCHQ) as well as the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related responsibilities of the former [[Centre for the Protection of National Infrastructure]] (CPNI). NCSC provides advice and support for the public and private sector in how to avoid cyber threats.<ref>{{cite web|author1=HM Government|title=National Cyber Security Strategy 2016-2021|url=https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/564268/national_cyber_security_strategy.pdf|website=gov.uk|access-date=2 November 2016|date=1 November 2016}}</ref> CESG (originally Communications-Electronics Security Group) was a branch of GCHQ which worked to secure the communications and information systems of the government and critical parts of UK national infrastructure. The [https://www.npsa.gov.uk/ NPSA] provided protective security advice to businesses and organisations across the national infrastructure.
* The National Technical Authority for Protective Security (NTA-P) is the [[National Protective Security Authority]] (NPSA), the successor organisation to CPNI, which retains some elements of information and cyber security that were not transferred to NCSC, including Cyber Physical Systems (CPS), and security containers, locks, and structures to protect assets.
* The National Technical Authority for Technical Security (NTA-T) is the [[UK National Technical Authority for Counter-Eavesdropping]] (UK NACE), which deals predominantly with countering technical surveillance.

Coordination of activity across government is through a series of committees, both from within the world of security,<ref>{{cite web | title=Committees | url=https://hansard.parliament.uk/Commons/2008-03-05/debates/08030589000002/DataProtection}}</ref> and in aligned domains such as the Chief Technology Officers (CTO), and Knowledge and Information Management (KIM).

==== Civilian components ====

The role of Lead Government Department (LGD) for Cyber Security is currently fulfilled by the [[Department for Science, Innovation, and Technology]] (DSIT), having previously rested with:

* The [[Department for Culture, Media and Sport]] (DCMS)
* The [[Department for Business, Energy & Industrial Strategy]] (BEIS)
* The [[Department for Business, Innovation and Skills]] (BIS)
* The Department for Trade and Industry (DTI)

DSIT is responsible for supporting and promoting the UK cyber security sector, promoting cyber security research and innovation, and working with the National Cyber Security Centre to help ensure all UK organisations are secure online and resilient to cyber threats.

All other government departments and ALBs will have staff in the government security function / government security profession, supporting both their internal staff and their client communities.

Former bodies in this category include:

* The [[Office of Cyber Security and Information Assurance]] (OCSIA) supported the Minister for the [[Cabinet Office]], the Rt Hon [[Francis Maude]] MP, and the [[National Security Council (United Kingdom)|National Security Council]] in determining priorities in relation to securing cyberspace. The unit provided strategic direction and coordinated action relating to enhancing cyber security and information assurance in the UK. The OCSIA was headed by James Quinault,<ref>{{cite web|title=OCSIA|url=http://www.cabinetoffice.gov.uk/content/office-cyber-security-and-information-assurance-ocsia|access-date=2013-01-14|archive-date=2013-01-23|archive-url=https://web.archive.org/web/20130123174427/http://www.cabinetoffice.gov.uk/content/office-cyber-security-and-information-assurance-ocsia|url-status=dead}}</ref> but the function has been subsumed into the Government Security Group.

==== Defence components ====

The [[Ministry of Defence (United Kingdom)|Ministry of Defence]] has primacy for information and cyber security within both its civilian and military staffs (approximately 250,000 personnel), and for the Defence Supply Base (DSB, approximately 30,000 companies).

It has two main security organisations:

* The Directorate of Security and Resilience (DSR), predominantly focused on physical and personnel security
* The Directorate of Cyber Defence and Risk (CyDR), predominantly focused on information and cyber security

These organisations work collaboratively to publish not only the internal rules, but also [[Defence Standards]] and Industry Security Notices (ISN).<ref>{{cite web | title=ISN | date=14 December 2023 | url=https://www.gov.uk/government/publications/industry-security-notices-isns |publisher=HMG}}</ref>

In April 2016, the MOD announced the creation of the Cyber Security Operations Centre (CSOC) "to protect the MOD's cyberspace from malicious actors" with a budget of over £40 million. It is located at [[MoD Corsham]].<ref name=mod-20190401>{{cite web|title=Defence Secretary announces £40m Cyber Security Operations Centre|url=https://www.gov.uk/government/news/defence-secretary-announces-40m-cyber-security-operations-centre|publisher=Ministry of Defence|access-date=2 April 2016|date=1 April 2016|archive-date=25 April 2019|archive-url=https://web.archive.org/web/20190425061752/https://www.gov.uk/government/news/defence-secretary-announces-40m-cyber-security-operations-centre|url-status=live}}</ref><ref name=miltimes-20181030>{{cite news |last=Hammick |first=Murray |date=30 October 2018 |title=The Budget and Defence |newspaper=The Military Times |location=London |url=https://www.themilitarytimes.co.uk/uncategorised/the-budget-and-defence/ |access-date=7 May 2020 |archive-date=22 October 2019 |archive-url=https://web.archive.org/web/20191022115351/https://www.themilitarytimes.co.uk/uncategorised/the-budget-and-defence/ |url-status=dead }}</ref>

MOD collaborates with the DSB over information and cyber security matters through a number of organisations, including:

* Defence Cyber Protection Partnership (DCPP)<ref>{{cite web | title=DCPP | date=23 November 2023 | url=https://www.gov.uk/guidance/defence-cyber-protection-partnership |publisher=HMG}}</ref>
* Defence Industrial Security Association (DISA),<ref>{{cite web | title=DISA | url=https://www.thedisa.org/}}</ref> formerly the Guild of Security Controllers (GSC)
* Team Defence Information (the current operating name for the UK Council for Electronic Business (UKCeB)), which is a not-for-profit membership organisation whose mission is to transform secure information sharing for through-life collaboration in defence acquisition and support.<ref>{{cite web|title=UK CeB|url=http://www.ukceb.org/}}</ref>

Former bodies in this category include:

* DIPCOG, the Defence Infosec Product Co-Operation Group

==== National Cyber Force (NCF) ====

The [[National Cyber Force]] consolidates offensive cyber capabilities from the [[Ministry of Defence (United Kingdom)|Ministry of Defence]] and [[GCHQ]].

=== Law Enforcement ===

=== National Crime Agency (NCA) ===

The [[National Crime Agency]] (NCA) hosts the law enforcement cyber crime unit, incorporating the [[Child Exploitation and Online Protection Centre]].

Former bodies in this category include:

* National High Tech Crime Unit (NHTCU)

=== Wider Public Sector ===

The Wider Public Sector (WPS) covers both the Central Government and Law Enforcement categories that are itemised separately, but also elements such as:

* Education
* Health
* Local Authorities

Within the WPS, there are a number of collaborative bodies, including:

* Assurance Specialism Advisory Group (ASAG), which runs the [[SUAC]] series of conferences
* Cyber Technical Advisory Group (CTAG),<ref>{{cite web|title=Cyber Technical Advisory Group|url=https://www.ctag.gov.uk/ |access-date=2023-12-24}}</ref> formerly the Public Sector IA Coordination Group (PSIACG)
* Cyber Aware is a cross-government awareness and behaviour campaign which provides advice on the simple measures individuals can take to protect themselves from cyber crime.

Former bodies in this category include:

* CIPCOG, the Civil Infosec Product Co-Operation Group

=== Regulatory bodies ===

Two regulatory bodies have a specific cyber security related function:

* The Information Commissioner's Office ([[Information Commissioner's Office|ICO]]),<ref>{{cite web|title=ICO - About | date=20 November 2023 | url=https://ico.org.uk/about-the-ico/ |access-date=2023-12-24}}</ref> leading on Data Protection (DP) for Personally Identifiable Information (PII)
* [[OFCOM]], leading on telecommunications and broadcast aspects of security

Most other regulatory bodies will have staff covering the information and cyber security function for both their internal staff and their client communities.

== Academia ==

Work in academia on information and cyber security can be delineated into research and teaching.

=== Academic Centres of Excellence in Cyber Security Research ===

NCSC has accredited several Academic Centres of Excellence in Cyber Security Research:<ref>{{cite web|title=Academic Centres of Excellence in Cyber Security Research|url=https://www.ncsc.gov.uk/information/academic-centres-excellence-cyber-security-research|publisher=NCSC}}</ref>

* [[Queen's University Belfast]]
* [[University of Birmingham]]
* [[University of Bristol]]
* [[University of Cambridge]]
* [[Cardiff University]]
* [[De Montfort University]]
* [[University of Edinburgh]]
* [[University of Kent]]
* [[King's College London]]
* [[Lancaster University]]
* [[Imperial College London]]
* [[University College London]]
* [[Royal Holloway, University of London]]
* [[Newcastle University]]
* [[Northumbria University]]
* [[University of Oxford]]
* [[University of Southampton]]
* [[University of Surrey]]
* [[University of Warwick]]

== Professional bodies ==

* [[Association of Cyber Forensics and Threat Investigators]] (ACFTI) is a not-for-profit, international professional organization focusing on the academic study and research of cybersecurity, digital forensics, incident response, and threat investigations, and their influence on society. The vision of the association is to promote research and education in the fields of cybersecurity, digital forensics, incident response, and threat investigations, and to contribute to the creation and dissemination of knowledge and technology in these domains.<ref>{{cite web|title=ACFTI UK|url=https://www.acfti.org/}}</ref>
* [[British Computer Society]] (BCS) is a professional body and a learned society that represents those working in information technology both in the United Kingdom and internationally. It has a security, data and privacy group.<ref>{{cite web|title=BCS Security|url=http://www.bcs.org/category/11307}}</ref>
* [[Business Continuity Institute]] (BCI) was established in 1994 to enable individual members to obtain guidance and support from fellow business continuity practitioners. BCI has six certification standards to ensure individual practitioners' literacy in organizations, responses, and other strategies.<ref>{{Cite book|last=Kaye, David.|url=https://www.worldcat.org/oclc/849744629|title=Managing risk and resilience in the supply chain|date=2008|publisher=BSI Business Information|isbn=978-1-62198-414-6|location=London [England]|oclc=849744629}}</ref>
* [[Council of Registered Ethical Security Testers]] (CREST) is a not-for-profit accreditation and certification organization.<ref>{{cite web |url=http://crest-approved.org/ |title=Home |website=crest-approved.org}}</ref> CREST does not have its own study material and relies on third-party coursework for members to become certified. As of 24 August 2022, the cost of CREST membership is £5,000 for membership of one country chapter and £25,000 for a regional membership. On two occasions between 2012 and 2014, the examination-related activities of one or more NCC Group employees and candidates breached the CREST Code of Conduct, and NCC Group was, as their employer, vicariously responsible for those individuals at the time.
* [[Cyber Scheme]] is a not-for-profit professional examination body under contract to the National Cyber Security Centre to provide technical exams in support of the government's assured penetration testing company scheme, CHECK. The exams are independent and rigorous and are conducted at practitioner team member level and at team leader level.
* [[Chartered Institute of Information Security]] (CIISec), formerly the Institute of Information Security Professionals (IISP), is an independent, non-profit body governed by its members, with the principal objective of advancing the professionalism of information security practitioners and thereby the professionalism of the industry as a whole.
* [[Institution of Engineering and Technology]] (IET) is a multidisciplinary professional engineering institution, formed in 2006 from two separate institutions: the Institution of Electrical Engineers, dating back to 1871, and the Institution of Incorporated Engineers, dating back to 1884.
* [[ISACA]], previously known as the Information Systems Audit and Control Association, is an international professional association that deals with IT governance.
* [[(ISC)²]], the International Information Systems Security Certification Consortium, is a non-profit organization which specializes in information security education and certifications.
* [[Information Systems Security Association]] (ISSA) is a not-for-profit, international professional organization of information security professionals and practitioners. There is a UK chapter.<ref>{{cite web|title=ISSA UK|url=http://www.issa-uk.org/}}</ref>

== Industry groups ==

* [[ADS Group|ADS]] is a trade organisation for companies operating in the UK aerospace, defence, security and space industries.<ref>{{cite web|title=ADS|url=http://www.adsgroup.org.uk/}}</ref>
* [[Asset Disposal & Information Security Alliance]] (ADISA)
* [[Crypto Developers Forum]] (CDF) promotes the global interests of the UK crypto development industry.<ref>{{cite web|title=CDF|url=http://ukcdf.org/}}</ref>
* [[IT Security Forum]]
* [[Law Society]]
* [[Nominet]]
* [[TechUK]], formerly known as Intellect, is a UK [[trade association]] for the technology industry.<ref>{{cite web|title=techUK|url=http://www.techuk.org/}}</ref> It has a [[computer security|Cyber Security]] Group focused on “high threat” areas – including defence, national security and resilience, protection of critical national infrastructure, intelligence, and organised crime – chaired by Dr Andrew Rogoyski of [[Roke Manor Research]].<ref>{{cite web|title=Intellect Cyber Security|url=http://www.intellectuk.org/defence-and-security-members-councils-groups/5697|access-date=2013-01-14|archive-date=2013-06-14|archive-url=https://web.archive.org/web/20130614125032/http://www.intellectuk.org/defence-and-security-members-councils-groups/5697|url-status=dead}}</ref> The Security and Resilience Group works to build relationships between the technology industry and policymakers, customers and end users, and is chaired by Stephen Kingan of [[Nexor]].<ref>{{cite web|title=Intellect Defence & Security|url=http://www.intellectuk.org/defence-and-security-members-councils-groups/3614|access-date=2013-01-16|archive-date=2013-06-14|archive-url=https://web.archive.org/web/20130614111404/http://www.intellectuk.org/defence-and-security-members-councils-groups/3614|url-status=dead}}</ref>
* [[Tigerscheme]] is a commercial certification scheme for technical security specialists, backed by university standards and covering a wide range of expertise.<ref>{{cite web |url=http://www.tigerscheme.org/ |title=Home |website=tigerscheme.org}}</ref> Tigerscheme is CESG certified in the UK and candidates are subject to an independent, rigorous academic assessment authority. Tigerscheme was founded in 2007 on the principle that a commercial certification scheme run on independent lines would give buyers of security testing services confidence that they were hiring a recognised and reputable company. In June 2014 the operational authority for Tigerscheme was transferred to USW Commercial Services Ltd.
* [[UK Cloud Pooled Audit Group]] (UK CPAG) is a membership organisation consisting of the UK's largest banks, established in 2020 with a mission to use the collective power of the banks to audit Cloud Service Providers such as Google, Amazon and Microsoft. The group is operated by the [[Worshipful Company of Information Technologists]].
* [[UK Cyber Security Forum]] is a social enterprise representing cyber SMEs (Small and Medium Enterprises) in the UK. The forum is composed of 20 regional cyber clusters around the UK. Each cluster is run as a subsidiary of the UK Cyber Security Forum and all are operated by groups of volunteers. They provide events around the UK to engage the public in [[Computer security|cyber security]] and to provide continued professional development to cyber professionals. The official clusters are:

{| class="wikitable"
|+
|}
||
== Cross-sector bodies == |
|||
===ADS=== |
|||
[[ADS Group|ADS]] is a trade organisation for companies operating in the UK aerospace, defence, security and space industries.<ref>{{cite web|title=ADS|url=http://www.adsgroup.org.uk/}}</ref> |
|||
Current bodies that cover multiple sectors include: |
|||
=== Business Continuity Institute (BCI) === |
|||
* [[British Standards Institution]] (BSI),<ref>{{cite web|title=BSI - NSB|url=https://www.bsigroup.com/en-GB/about-bsi/national-standards-body/ |website=www.bsigroup.com |access-date=2023-12-24}}</ref> the UK's National Standards Body (NSB), which not only produces British Standards (BS) and Publicly Available Specifications (PAS) in the areas of Information and Cyber Security, but also provides the UK interface into international Standards Development Organisations (SDO), including ISO, IEC, ITU-T, CEN, CENELEC, and ETSI. The main Expert Committees for BSI relevant to these topic are IST/33 (Information and Cyber Security) and ICT/003 (Trustworthy Systems) |
|||
The [[Business Continuity Institute]] (BCI) was established in 1994 to enable individual members to obtain guidance and support from fellow business continuity practitioners. |
|||
* [[Get Safe Online]] (GSOL) is a United Kingdom-based campaign and national initiative to teach citizens about basic computer security and [[internet privacy]]. It subsumed ITSafe. |
|||
* National IA Forum (NIAF),<ref>{{cite web|title=NIAF|url=https://twitter.com/niaf | access-date=2023-12-24}}</ref> an independent committee of leading UK Public and Private Sector Information Assurance (IA) experts, which largely replaced the role of GIPSI |
|||
=== Council of Registered Ethical Security Testers (CREST) === |
|||
* [[Trustworthy Software Foundation]] (TSFdn) <ref>{{cite web |title=Trustworthy Software Foundation |url=https://www.tsfdn.org/ | access-date=2023-12-24 }}</ref> which is a UK public good activity aimed to encouraging good proactive in systems specification, realisation, and use, and providing related independent Organisational and Solution Conformity Assessments. It arose from the [[Trustworthy Software Initiative]] (TSI), previously the Software Security, Dependability and Reliability Initiative (SSDRI), and the Secure Software Development Partnership (SSDP), which were sponsored<ref>[https://www.gov.uk/government/news/protecting-and-promoting-the-uk-in-a-digital-world-2-years-on Protecting and promoting the UK in a digital world: 2 years on] – Government Press Release, retrieved 12 December 2013</ref> by the UK government's [https://www.npsa.gov.uk/ NPSA], aimed at "making software better". |
|||
Not for profit accreditation and certification organisation. <ref>http://crest-approved.org/</ref> |
|||
* [[UK Cyber Security Council]]<ref>{{cite web|title=UKCSC|url=https://www.ukcybersecuritycouncil.org.uk/about-the-council/ |access-date=2023-12-24}}</ref> is the self-regulatory body for the UK's cyber security profession. It develops, promotes and stewards nationally recognised standards for cyber security in support of the UK Government's National Cyber Security Strategy to make the UK the safest place to live and work online. |
|||
* Warning, Advice and Reporting Points ([[WARP (information security)|WARP]]s) provide a trusted environment where members of a community can share problems and solutions.<ref>{{cite web|title=WARP|url=http://www.warp.gov.uk/index.html}}</ref> |
|||
===Crypto Developers Forum===

{{anchor|CDF}}

The CDF promotes the global interests of the UK crypto development industry.<ref>{{cite web|title=CDF|url=http://ukcdf.org/}}</ref>

===Information Assurance Advisory Council (IAAC)===

{{anchor|IAAC}}

The Information Assurance Advisory Council (IAAC) works across industry, government and academia towards ensuring the UK’s information society has a robust, resilient and secure foundation.<ref>{{cite web|title=IAAC|url=http://www.iaac.org.uk/}}</ref> The IAAC was set up by [[Pauline Neville-Jones, Baroness Neville-Jones|Baroness Neville-Jones]] who chaired the organisation until 2007,<ref>{{cite web|title=IAAC - Neville-Jones|url=http://www.computerweekly.com/news/2240083002/Burton-takes-over-from-Neville-Jones-at-IAAC}}</ref> handing over to the current chairman Sir [[Edmund Burton]]. Affiliates include [[BT Group]], [[Northrop Grumman]], [[QinetiQ]], [[Raytheon]], [[PwC]], [[O2 UK]], [[Ultra Electronics]] and [[GlaxoSmithKline]].<ref>{{cite web|title=IAAC Sponsors|url=http://www.iaac.org.uk/about/sponsors/}}</ref> The 2012/13 work programme focused on [[consumerisation]] and its effects on information assurance.

===Information Assurance Collaboration Group (IACG)===

{{anchor|IACG}}

The IACG was formed following the UK's national IA conference in 2006.<ref>{{cite web|title=Establishment of the IACG|url=http://www.cabinetoffice.gov.uk/csia/ia_technical_programme/stakeholders/industry.aspx|archive-url=http://webarchive.nationalarchives.gov.uk/20080305141506/http://www.cabinetoffice.gov.uk/csia/ia_technical_programme/stakeholders/industry.aspx|url-status=dead|archive-date=2008-03-05|publisher=National Archives}}</ref> The IACG encourages greater collaboration between the commercial supply base for [[information assurance]] products and services operating within the UK public sector.<ref>{{cite web|title=IACG Overview|url=https://www.scribd.com/doc/117496158/IACG-Overview}}</ref> Stakeholders include [[Communications-Electronics Security Group|CESG]], [[Department for Business, Innovation and Skills|BIS]], the Office of Cyber Security and Information Assurance ([[OCSIA]]), [[Cyber Security Operations Centre]] (CSOC),<ref>{{cite web|title=CSOC|url=http://www.infosecurity-magazine.com/view/8020/uk-government-cyber-security-operations-centre-going-live-soon/}}</ref> and the [[Centre for the Protection of National Infrastructure|CPNI]]. The group maintains the UK information assurance community map,<ref>{{cite web|title=IA Community Map|url=http://www.cesg.gov.uk/publications/Documents/uk_ia_community.pdf}}</ref> hosted on the CESG's web site. It has two co-chairs: [[Colin Robbins (software engineer)|Colin Robbins]] of [[Nexor]] and Ross Parsell of Thales. The IACG ceased operation in 2014.

=== Information Systems Security Association (ISSA) ===

The [[Information Systems Security Association]] (ISSA) is a not-for-profit, international professional organization of information security professionals and practitioners. There is a UK chapter.<ref>{{cite web|title=ISSA UK|url=http://www.issa-uk.org/}}</ref>

=== Institute of Information Security Professionals (IISP) ===

The [[Institute of Information Security Professionals]] (IISP) is an independent, non-profit body governed by its members, with the principal objective of advancing the professionalism of information security practitioners and thereby the professionalism of the industry as a whole.

=== ISACA ===

[[ISACA]] is an international professional association that deals with IT governance. Previously known as the Information Systems Audit and Control Association.

=== (ISC)² ===

[[(ISC)²]] is the International Information Systems Security Certification Consortium is a non-profit organization which specializes in information security education and certifications.

===NDI UK===

[[NDI UK|NDI]] is a former government-funded organisation building supply chains for the MOD and manufacturers using SMEs in the United Kingdom.<ref>{{cite web|title=NDI UK|url=http://www.ndi.org.uk/}}</ref>

===TechUK===

:{{anchor|techUK}}

TechUK, formerly known as Intellect, is a UK [[trade association]] for the technology industry.<ref>{{cite web|title=techUK|url=http://www.techuk.org/}}</ref> It has a [[computer security|Cyber Security]] Group focused on “high threat” areas – including defence, national security and resilience, protection of critical national infrastructure, intelligence, and organised crime, chaired by Dr Andrew Rogoyski of [[Roke Manor Research]].<ref>{{cite web|title=Intellect Cyber Security|url=http://www.intellectuk.org/defence-and-security-members-councils-groups/5697}}</ref> The Security and Resilience Group works to build relationships between the technology industry and policymakers, customers and end users, and is chaired by Stephen Kingan of [[Nexor]].<ref>{{cite web|title=Intellect Defence & Security|url=http://www.intellectuk.org/defence-and-security-members-councils-groups/3614}}</ref>

=== Tigerscheme ===

Tigerscheme is a commercial certification scheme for technical security specialists, backed by university standards and covering a wide range of expertise.<ref>http://www.tigerscheme.org/</ref>

Tigerscheme is CESG certified in the UK and candidates are subject to an independent rigorous academic assessment authority. Tigerscheme was founded in 2007 on the principle that a commercial certification scheme run on independent lines would give buyers of security testing services confidence that they were hiring a recognised and reputable company. In June 2014 the operational authority for Tigerscheme was transferred to USW Commercial Services Ltd.

===UK Council for Electronic Business===

:{{anchor|UKCeB}}

UKCeB is a not-for-profit, membership organisation whose mission is to transform secure information sharing for through life collaboration in defence acquisition and support.<ref>{{cite web|title=UK CeB|url=http://www.ukceb.org/}}</ref>

=== British Computer Society (BCS) ===

The [[British Computer Society]] (BCS) is a professional body and a learned society that represents those working in information technology both in the United Kingdom and internationally. It has a security, data and privacy group.<ref>{{cite web|title=BCS Security|url=http://www.bcs.org/category/11307}}</ref>

=== Cyber Scheme ===

The Cyber Scheme is a not for profit professional examination body under contract to the National Cyber Security Centre to provide technical exams in support of the Governments assured Penetration testing company scheme CHECK. The exams are independent and rigorous and are conducted for Practitioner Team member level and Team leader levels.

== Academic ==

{{Expand list|date=January 2013}}

=== Academic Centres of Excellence in Cyber Security Research ===

GCHQ has accredited several Academic Centres of Excellence in Cyber Security Research:<ref>{{cite web|title=Academic Centers of Excellence|url=http://www.cesg.gov.uk/awarenesstraining/academia/Pages/Academic-Centres.aspx|publisher=CESG}}</ref>

* [[University of Bristol]]
* [[Imperial College London]]
* [[Lancaster University]]
* [[University of Oxford]]
* [[Queen's University Belfast]]
* [[Royal Holloway, University of London|Royal Holloway]]
* [[University of Southampton]]
* [[University College London]]
* [[University of Cambridge]]
* [[University of Birmingham]]
* [[Newcastle University|University of Newcastle upon Tyne]]
* [[University of Surrey]]
* [[University of Kent]]

These accreditations expire in July 2017; results of the re-accreditation process are expected in mid February 2017.

Former bodies in this category include:

=== University of South Wales Information Security Research Group ===

* Cyber Security Knowledge Transfer Network (CS KTN), as sponsored by Innovate UK (formerly the Technology Strategy Board)

The Information Security Research Group (ISRG) at the [[University of South Wales]] is a multidisciplinary team of academics and industrial experts focusing upon cyber security.<ref>{{cite web|title=ISRG|url=http://security.research.southwales.ac.uk/about/}}</ref>

* [[Information Assurance Advisory Council]] (IAAC) worked across industry, government and academia towards ensuring the UK's information society has a robust, resilient and secure foundation.<ref>{{cite web|title=IAAC|url=http://www.iaac.org.uk/|access-date=2013-01-14|archive-date=2018-04-10|archive-url=https://web.archive.org/web/20180410103034/http://www.iaac.org.uk/|url-status=dead}}</ref> The IAAC was set up by [[Pauline Neville-Jones, Baroness Neville-Jones|Baroness Neville-Jones]] who chaired the organisation until 2007,<ref>{{cite web|title=IAAC - Neville-Jones|url=http://www.computerweekly.com/news/2240083002/Burton-takes-over-from-Neville-Jones-at-IAAC}}</ref> handing over to the current chairman Sir [[Edmund Burton]]. Affiliates include [[BT Group]], [[Northrop Grumman]], [[QinetiQ]], [[Raytheon]], [[PwC]], [[O2 UK]], [[Ultra Electronics]] and [[GlaxoSmithKline]].<ref>{{cite web|title=IAAC Sponsors|url=http://www.iaac.org.uk/about/sponsors/|access-date=2016-05-17|archive-date=2017-06-07|archive-url=https://web.archive.org/web/20170607235623/http://www.iaac.org.uk/about/sponsors|url-status=dead}}</ref> The 2012/13 work programme focused on [[consumerisation]] and its effects on information assurance.

* The [[Information Assuarnce Coordination Group]] (IACG) was formed following the UK's national IA conference in 2006.<ref>{{cite web|title=Establishment of the IACG|url=http://www.cabinetoffice.gov.uk/csia/ia_technical_programme/stakeholders/industry.aspx|archive-url=http://webarchive.nationalarchives.gov.uk/20080305141506/http://www.cabinetoffice.gov.uk/csia/ia_technical_programme/stakeholders/industry.aspx|url-status=dead|archive-date=2008-03-05|publisher=National Archives}}</ref> The IACG encourages greater collaboration between the commercial supply base for [[information assurance]] products and services operating within the UK public sector.<ref>{{cite web|title=IACG Overview|url=https://www.scribd.com/doc/117496158/IACG-Overview}}</ref> The group maintained the UK information assurance community map,<ref>{{cite web|title=IA Community Map|url=http://www.cesg.gov.uk/publications/Documents/uk_ia_community.pdf|access-date=2013-01-14|archive-date=2013-07-31|archive-url=https://web.archive.org/web/20130731001653/http://www.cesg.gov.uk/Publications/Documents/uk_ia_community.pdf|url-status=dead}}</ref> hosted on the CESG's web site. It has two co-chairs: [[Colin Robbins (software engineer)|Colin Robbins]] of [[Nexor]] and Ross Parsell of Thales. The IACG ceased operation in 2014.

* General IA Products and Service Initiative (GIPSI),<ref>EC2ND 2006 - Proceedings of the Second European Conference on Computer Network Defence, 2006</ref> which was largely replaced by NIAF

* [[ITSafe]] (IT Security Awareness for Everyone) was a former government-funded organisation that provided alerts, which was subsumed into GetSafeOnline

* [[NDI UK|NDI]] was a former government-funded organisation building supply chains for the MOD and manufacturers using SMEs in the United Kingdom.<ref>{{cite web|title=NDI UK|url=http://www.ndi.org.uk/|access-date=2013-08-21|archive-date=2016-10-21|archive-url=https://web.archive.org/web/20161021183318/http://ndi.org.uk/|url-status=dead}}</ref>

== International Linkages ==

In particular the group is focusing upon:

* Network security
* Intrusion detection and wireless security
* Penetration testing and vulnerability assessment
* [[Computer forensics]] and digital evidence visualisation
* Threat assessment and risk management

Many of these categories will provide linkages from the UK to other nations' activities in cyber security, including:

=== De Montfort University Cyber Security Centre ===

* Inter-governmental linkages

The Cyber Security Centre (CSC) at [[De Montfort University]] is a multidisciplinary group of academics who focus on a wide variety of cyber security and digital forensics issues. The Centre's mission is to provide the full benefits to all of a safe, secure and resilient cyberspace.<ref>{{cite web|title=DeMontFort Cyber Security Centre|url=http://www.dmu.ac.uk/research/research-faculties-and-institutes/technology/cyber-security-centre/cyber-security-centre.aspx}}</ref>

* Defence links, in particular with NATO and the Five Eyes Allies
* Standards links, predominantly through BSI
* Community of Practice links, such as the Open Systems Software Foundation (OSSF)

==See also==

{{reflist|25em}}

[[Category:Computer security in the United Kingdom]]
[[Category:Computer security organizations]]
[[Category:Cybercrime in the United Kingdom]]
[[Category:Internet in the United Kingdom]]
Latest revision as of 03:18, 22 March 2024
The United Kingdom has a diverse cyber security community, interconnected in a complex network.
Although the terminology is currently largely aligned to a "cyber" view of the world, it is taken to still include information-related concerns, with previous predominant terminology including:
- Automated Data Processing Security or ADP Security (1980s)
- Computer Security or CompuSec (early 1990s)
- IT Security or ITSec (mid 1990s)
- Information Security or InfoSec (late 1990s and early 2000s)
- Information Assurance or IA (2000s and early 2010s)
The significant constituents within that community are probably best understood by grouping into high level categories, namely:
- Public sector bodies
- Academia
- Professional bodies
- Industry groups
- Cross-sector bodies
Public sector bodies
Legislative
According to a parliamentary committee the UK government is not doing enough to protect the nation against cyber attack.[1]
Central government
National strategy
The UK Government periodically publishes a Cyber Security Strategy.[3]
Many of the stakeholders across all categories are engaged with that effort.
Capstone components
The overall responsibility for security within the UK rests with the National Security Council which is a cabinet committee chaired by the Prime Minister tasked with overseeing all issues related to national security, intelligence coordination, and defence strategy.
The internal protective security coordination role for UK government is led by the Government Chief Security Officer (GCSO) within the Cabinet Office, who since 2021 has been Vincent Devine.[4]
The central organisation supporting the GCSO is the Government Security Group (GSG), with a distributed Government Security Function / Government Security Profession across the departments and Arms Length Bodies (ALB), and three National Technical Authorities (NTA), all of which have a role in information and/or cyber security:
- The National Technical Authority for Cyber Security (NTA-C) is the National Cyber Security Centre (NCSC), the UK's authority on cyber security; its parent organisation is GCHQ. It absorbed and replaced CESG (the information security arm of GCHQ) as well as the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related responsibilities of the former Centre for the Protection of National Infrastructure (CPNI). NCSC provides advice and support for the public and private sector in how to avoid cyber threats.[5] CESG (originally Communications-Electronics Security Group) was a branch of GCHQ which worked to secure the communications and information systems of the government and critical parts of UK national infrastructure. The NPSA provided protective security advice to businesses and organisations across the national infrastructure.
- The National Technical Authority for Protective Security (NTA-P) is the National Protective Security Authority (NPSA), the successor organisation to CPNI; it retains some elements of information and cyber security that were not transferred to NCSC, including for cyber-physical systems (CPS), and for security containers, locks and structures that protect assets.
- The National Technical Authority for Technical Security (NTA-T) is the UK National Technical Authority for Counter-Eavesdropping (UK NACE), which deals predominantly with countering technical surveillance.
Coordination of activity across government is through a series of committees, both from within the world of security,[6] and in aligned domains such as the Chief Technology Officers (CTO), and Knowledge and Information Management (KIM).
Civilian components
The role of Lead Government Department (LGD) for Cyber Security is currently fulfilled by the Department for Science, Innovation, and Technology (DSIT), having previously rested with:
- The Department for Culture, Media, and Sports (DCMS)
- The Department for Business, Energy & Industrial Strategy (BEIS)
- The Department for Business & Industrial Strategy (BIS)
- The Department for Trade and Industry (DTI)
DSIT is responsible for supporting and promoting the UK cyber security sector, promoting cyber security research and innovation, and working with the National Cyber Security Centre to help ensure all UK organisations are secure online and resilient to cyber threats.
All other government departments and ALBs will have staff in the government security function / government security profession, supporting both their internal staff, and their client communities.
Former bodies in this category include:
- The Office of Cyber Security and Information Assurance (OCSIA) supported the Minister for the Cabinet Office, the Rt Hon Francis Maude MP, and the National Security Council in determining priorities in relation to securing cyberspace. The unit provided strategic direction and coordinated action relating to enhancing cyber security and information assurance in the UK. The OCSIA was headed by James Quinault,[7] but the function has since been subsumed into the Government Security Group.
Defence components
The Ministry of Defence has primacy for information and cyber security within both its civilian and military staffs (approximately 250,000 personnel), and for the Defence Supply Base (DSB - approximately 30,000 companies).
It has two main security organisations:
- The Directorate of Security and Resilience (DSR), predominantly focused on physical and personnel security
- The Directorate of Cyber Defence and Risk (CyDR), predominantly focused on information and cyber security
These organisations work collaboratively to publish not only the internal rules, but also Defence Standards and Industry Security Notices (ISN).[8]
In April 2016, the MOD announced the creation of the Cyber Security Operations Centre (CSOC) "to protect the MOD's cyberspace from malicious actors" with a budget of over £40 million. It is located at MoD Corsham.[9][10]
MOD collaborates with the DSB over information and cyber security matters through a number of organisations, including:
- Defence Cyber Protection Partnership (DCPP)[11]
- Defence Industrial Security Association (DISA),[12] formerly the Guild of Security Controllers (GSC)
- Team Defence Information (the current operating name for the UK Council for Electronic Business (UKCeB)), which is a not-for-profit membership organisation whose mission is to transform secure information sharing for through-life collaboration in defence acquisition and support.[13]
Former bodies in this category include:
- DIPCOG, the Defence Infosec Product Co-Operation Group
National Cyber Force (NCF)
The National Cyber Force consolidates offensive cyber capabilities from the Ministry of Defence and GCHQ.
Law Enforcement
The National Crime Agency (NCA) hosts the law enforcement cyber crime unit, incorporating the Child Exploitation and Online Protection Centre.
Former bodies in this category include:
- National High Tech Crime Unit (NHTCU)
Wider Public Sector
The Wider Public Sector (WPS) covers both the Central Government and Law Enforcement categories that are itemised separately, but also elements such as:
- Education
- Health
- Local Authorities
Within the WPS, there are a number of collaborative bodies, including:
- Assurance Specialism Advisory Group (ASAG), which runs the SUAC series of Conferences
- Cyber Technical Advisory Group (CTAG),[14] formerly the Public Sector IA Coordination Group (PSIACG)
- Cyber Aware is a cross-government awareness and behaviour campaign which provides advice on the simple measures individuals can take to protect themselves from cyber crime.
Former bodies in this category include:
- CIPCOG, the Civil Infosec Product Co-Operation Group
Regulatory bodies
Two regulatory bodies have a specific cyber security related function:
- The Information Commissioner's Office (ICO),[15] leading on Data Protection (DP) for Personally Identifiable Information (PII)
- OFCOM, leading on telecommunications and broadcast aspects of security
Most other regulatory bodies will have staff covering information and cyber security function for both their internal staff, and their client communities.
Academia
Work in academia on information and cyber security can be delineated into research and teaching.
Academic Centres of Excellence in Cyber Security Research
NCSC has accredited several Academic Centres of Excellence in Cyber Security Research:[16]
- Queen's University Belfast
- University of Birmingham
- University of Bristol
- University of Cambridge
- Cardiff University
- De Montfort University
- University of Edinburgh
- University of Kent
- King's College London
- Lancaster University
- Imperial College London
- University College London
- Royal Holloway, University of London
- Newcastle University
- Northumbria University
- University of Oxford
- University of Southampton
- University of Surrey
- University of Warwick
Professional bodies
- Association of Cyber Forensics and Threat Investigators (ACFTI) is a not-for-profit, international professional organization focusing on academic work and research in cybersecurity, digital forensics, incident response and threat investigations, and their influence on society. The vision of the association is to promote research and education in the cybersecurity, digital forensics, incident response and threat investigation fields and to contribute to the creation and dissemination of knowledge and technology in these domains.[17]
- British Computer Society (BCS) is a professional body and a learned society that represents those working in information technology both in the United Kingdom and internationally. It has a security, data and privacy group.[18]
- Business Continuity Institute (BCI) was established in 1994 to enable individual members to obtain guidance and support from fellow business continuity practitioners. BCI has six certification standards to ensure individual practitioners' literacy in organizations, responses and other strategies.[19]
- Council of Registered Ethical Security Testers (CREST) is a not-for-profit accreditation and certification organization.[20] CREST does not have its own study material and relies on third-party coursework for members to become certified. As of 24/8/2022, the cost of CREST membership is 5000 GBP for membership of one country chapter and 25000 GBP for a regional membership. On two occasions between 2012 and 2014, the examination-related activities of one or more NCC Group employees and candidates breached the CREST Code of Conduct, and NCC Group was, as their employer, vicariously responsible for those individuals at the time.
- Cyber Scheme is a not for profit professional examination body under contract to the National Cyber Security Centre to provide technical exams in support of the government's assured penetration testing company scheme CHECK. The exams are independent and rigorous and are conducted for practitioner team member level and team leader levels.
- Chartered Institute of Information Security (CIISec), formerly the Institute of Information Security Professionals (IISP), is an independent, non-profit body governed by its members, with the principal objective of advancing the professionalism of information security practitioners and thereby the professionalism of the industry as a whole.
- Institution of Engineering and Technology (IET) is a multidisciplinary professional engineering institution, formed in 2006 from two separate institutions: the Institution of Electrical Engineers, dating back to 1871, and the Institution of Incorporated Engineers, dating back to 1884.
- ISACA is an international professional association that deals with IT governance. It was previously known as the Information Systems Audit and Control Association.
- (ISC)², the International Information Systems Security Certification Consortium, is a non-profit organization which specializes in information security education and certifications.
- Information Systems Security Association (ISSA) is a not-for-profit, international professional organization of information security professionals and practitioners. There is a UK chapter.[21]
Industry groups
- ADS is a trade organisation for companies operating in the UK aerospace, defence, security and space industries.[22]
- Asset Disposal & Information Security Alliance (ADISA)
- Crypto Developers Forum (CDF) promotes the global interests of the UK crypto development industry.[23]
- IT Security Forum
- Law Society
- Nominet
- TechUK, formerly known as Intellect, is a UK trade association for the technology industry.[24] It has a Cyber Security Group focused on “high threat” areas – including defence, national security and resilience, protection of critical national infrastructure, intelligence, and organised crime, chaired by Dr Andrew Rogoyski of Roke Manor Research.[25] The Security and Resilience Group works to build relationships between the technology industry and policymakers, customers and end users, and is chaired by Stephen Kingan of Nexor.[26]
- Tigerscheme is a commercial certification scheme for technical security specialists, backed by university standards and covering a wide range of expertise.[27] Tigerscheme is CESG certified in the UK and candidates are subject to an independent rigorous academic assessment authority. Tigerscheme was founded in 2007 on the principle that a commercial certification scheme run on independent lines would give buyers of security testing services confidence that they were hiring a recognised and reputable company. In June 2014 the operational authority for Tigerscheme was transferred to USW Commercial Services Ltd.
- UK Cloud Pooled Audit Group (UK CPAG) is a membership organisation consisting of the UK's largest banks. It was established in 2020 with a mission to use the collective power of the banks to audit cloud service providers such as Google, Amazon and Microsoft. The group is operated by the Worshipful Company of Information Technologists.
- UK Cyber Security Forum is a social enterprise representing cyber SMEs (small and medium enterprises) in the UK. The forum is composed of 20 regional cyber clusters around the UK. Each cluster is run as a subsidiary of the UK Cyber Security Forum and all are operated by groups of volunteers. They provide events around the UK to engage the public in cyber security and to provide continued professional development to cyber professionals. The official clusters are:
UK Cyber Clusters:
- Bristol and Bath Cyber
- Bournemouth Cyber Cluster
- Cambridge Cluster
- East Midlands
- London
- Malvern Cluster
- Norfolk Cyber Cluster
- North East Cyber Cluster
- North Wales
- North West Cluster
- N Somerset Cluster
- Oxford
- Scottish Cyber Cluster
- Solent Cyber Cluster
- South Wales
- South West Cyber Cluster (Exeter)
- Sussex Cluster
- Thames Valley Cluster
- West Midlands Cluster
- Yorkshire Cluster
Cross-sector bodies
Current bodies that cover multiple sectors include:
- British Standards Institution (BSI),[28] the UK's National Standards Body (NSB), which not only produces British Standards (BS) and Publicly Available Specifications (PAS) in the areas of information and cyber security, but also provides the UK interface into international Standards Development Organisations (SDO), including ISO, IEC, ITU-T, CEN, CENELEC and ETSI. The main BSI expert committees relevant to these topics are IST/33 (Information and Cyber Security) and ICT/003 (Trustworthy Systems).
- Get Safe Online (GSOL) is a United Kingdom-based campaign and national initiative to teach citizens about basic computer security and internet privacy. It subsumed ITSafe.
- National IA Forum (NIAF),[29] an independent committee of leading UK Public and Private Sector Information Assurance (IA) experts, which largely replaced the role of GIPSI
- Trustworthy Software Foundation (TSFdn)[30] is a UK public-good activity aimed at encouraging good practice in systems specification, realisation and use, and at providing related independent organisational and solution conformity assessments. It arose from the Trustworthy Software Initiative (TSI), previously the Software Security, Dependability and Reliability Initiative (SSDRI), and the Secure Software Development Partnership (SSDP), which were sponsored[31] by the UK government's NPSA, aimed at "making software better".
- UK Cyber Security Council[32] is the self-regulatory body for the UK's cyber security profession. It develops, promotes and stewards nationally recognised standards for cyber security in support of the UK Government's National Cyber Security Strategy to make the UK the safest place to live and work online.
- Warning, Advice and Reporting Points (WARPs) provide a trusted environment where members of a community can share problems and solutions.[33]
Former bodies in this category include:
- Cyber Security Knowledge Transfer Network (CS KTN), as sponsored by Innovate UK (formerly the Technology Strategy Board)
- Information Assurance Advisory Council (IAAC) worked across industry, government and academia towards ensuring the UK's information society has a robust, resilient and secure foundation.[34] The IAAC was set up by Baroness Neville-Jones who chaired the organisation until 2007,[35] handing over to the current chairman Sir Edmund Burton. Affiliates include BT Group, Northrop Grumman, QinetiQ, Raytheon, PwC, O2 UK, Ultra Electronics and GlaxoSmithKline.[36] The 2012/13 work programme focused on consumerisation and its effects on information assurance.
- The Information Assurance Coordination Group (IACG) was formed following the UK's national IA conference in 2006.[37] The IACG encouraged greater collaboration between the commercial supply base for information assurance products and services operating within the UK public sector.[38] The group maintained the UK information assurance community map,[39] hosted on the CESG's web site. It had two co-chairs: Colin Robbins of Nexor and Ross Parsell of Thales. The IACG ceased operation in 2014.
- General IA Products and Service Initiative (GIPSI),[40] which was largely replaced by NIAF
- ITSafe (IT Security Awareness for Everyone) was a former government-funded organisation that provided alerts, which was subsumed into GetSafeOnline
- NDI was a former government-funded organisation building supply chains for the MOD and manufacturers using SMEs in the United Kingdom.[41]
International Linkages
Many of these categories will provide linkages from the UK to other nations' activities in cyber security, including:
- Inter-governmental linkages
- Defence links, in particular with NATO and the Five Eyes Allies
- Standards links, predominantly through BSI
- Community of Practice links, such as the Open Systems Software Foundation (OSSF)
See also
[edit]References
[edit]- ^ UK 'wholly' unprepared to stop devastating cyber-attack, MPs warn The Guardian
- ^ "EURIM".
- ^ "UK Cyber Security Strategy". HMG.
- ^ "GCSO". HMG.
- ^ HM Government (1 November 2016). "National Cyber Security Strategy 2016-2021" (PDF). gov.uk. Retrieved 2 November 2016.
- ^ "Committees".
- ^ "OCSIA". Archived from the original on 2013-01-23. Retrieved 2013-01-14.
- ^ "ISN". HMG. 14 December 2023.
- ^ "Defence Secretary announces £40m Cyber Security Operations Centre". Ministry of Defence. 1 April 2016. Archived from the original on 25 April 2019. Retrieved 2 April 2016.
- ^ Hammick, Murray (30 October 2018). "The Budget and Defence". The Military Times. London. Archived from the original on 22 October 2019. Retrieved 7 May 2020.
- ^ "DCPP". HMG. 23 November 2023.
- ^ "DISA".
- ^ "UK CeB".
- ^ "Cyber Technical Advisory Group". Retrieved 2023-12-24.
- ^ "ICO - About". 20 November 2023. Retrieved 2023-12-24.
- ^ "Academic Centres of Excellence in Cyber Security Research". NCSC.
- ^ "ACFTI UK".
- ^ "BCS Security".
- ^ Kaye, David. (2008). Managing risk and resilience in the supply chain. London [England]: BSI Business Information. ISBN 978-1-62198-414-6. OCLC 849744629.
- ^ "Home". crest-approved.org.
- ^ "ISSA UK".
- ^ "ADS".
- ^ "CDF".
- ^ "techUK".
- ^ "Intellect Cyber Security". Archived from the original on 2013-06-14. Retrieved 2013-01-14.
- ^ "Intellect Defence & Security". Archived from the original on 2013-06-14. Retrieved 2013-01-16.
- ^ "Home". tigerscheme.org.
- ^ "BSI - NSB". www.bsigroup.com. Retrieved 2023-12-24.
- ^ "NIAF". Retrieved 2023-12-24.
- ^ "Trustworthy Software Foundation". Retrieved 2023-12-24.
- ^ "Protecting and promoting the UK in a digital world: 2 years on". Government Press Release. Retrieved 12 December 2013.
- ^ "UKCSC". Retrieved 2023-12-24.
- ^ "WARP".
- ^ "IAAC". Archived from the original on 2018-04-10. Retrieved 2013-01-14.
- ^ "IAAC - Neville-Jones".
- ^ "IAAC Sponsors". Archived from the original on 2017-06-07. Retrieved 2016-05-17.
- ^ "Establishment of the IACG". National Archives. Archived from the original on 2008-03-05.
- ^ "IACG Overview".
- ^ "IA Community Map" (PDF). Archived from the original (PDF) on 2013-07-31. Retrieved 2013-01-14.
- ^ EC2ND 2006: Proceedings of the Second European Conference on Computer Network Defence (2006).
- ^ "NDI UK". Archived from the original on 2016-10-21. Retrieved 2013-08-21.