Cyber Security

News11:30

Crime will be a top issue for Surrey in run-up to civic election, says longtime journalist


SURREY (NEWS 1130) – With three high-profile murders in Surrey last month alone, a longtime journalist believes crime will be a major focus when people go to the polls to elect a new mayor in October.

Frank Bucholtz — a former columnist with the Surrey Now Leader, among other roles — tells us crime will be perhaps the most prominent issue in October’s vote.

But he says it’s not just murders that are the focus for voters — it’s a lot of those lesser crimes that are proving to be an agitation.

“It isn’t just the murders. It’s also a lot of the other crime that goes on, that’s associated with it. I think people are just feeling that it’s not under any kind of control.”

“In many parts of Surrey, crime is a pretty common thing,” he adds. “It may not be murders or it may not be violent crime. It might be petty crime. It might be property, break-ins, theft or vandalism or things like that.”

That said, Bucholtz says it will be a major challenge for anyone to take on the reigning Surrey First party, suggesting that party will be the favourite unless a high-profile name enters the fray — like perhaps Rich Coleman, the former BC Liberal cabinet minister who was said to be considering a run for mayor.

“Surrey First definitely has an edge financially,” says Bucholtz. “They’ve undoubtedly raised hundreds of thousands of dollars before the new rules kicked in that the province brought in. Therefore, I think, any opponent is going to have one hand tied behind their back to compete financially.”

Forty-five per cent of people who responded to a recent Research Co survey say crime is the most important issue in Surrey. Bucholtz says the percentage of people who feel that way might actually be higher, in reality.

But the crime problem is not what’s scaring off potential candidates, in the view of Bucholtz. He believes people may opt out of running due to Surrey First’s dominance in recent elections.

“I think people just feel — what’s the point in putting a lot of money, energy and time and volunteer effort into mounting a campaign against a civic slate which has this kind of advantage financially — incumbency, coziness with business and developers — so I think people have looked at it and said, ‘I’ll take a pass,’” says Bucholtz.

 – With files from Monika Gul

IT World Canada

UK minimum cyber security standard should be followed in Canada, says expert

There’s no shortage of advice to infosec leaders about what they ought to be doing to tighten the IT security of their organization, starting with the Center for Internet Security’s critical security controls. But what if the board and C-suite want to tell departments what they must do?

The recently-issued minimum cyber security standard for U.K. government departments is a good place to start. In seven pages the government sets out what it expects departments to adhere to — and exceed wherever possible.

This concise document goes along with the more detailed best practices security policy framework for protecting government assets, first published in 2014, to comply with the U.K. national cyber security strategy.

Those two documents can be granular, and in some ways ‘here’s how you do it’. The minimum cyber security standard is ‘here’s what you better be doing.’

So, for example, one of the first standards is “Departments shall identify and manage the significant risks to sensitive information and key operational services.”

Here’s another notable must: “Access shall be removed when individuals leave their role or the organization. Periodic reviews should also take place to ensure appropriate access is maintained.”

And another: “Multi-factor authentication shall be used where technically possible, such as where administrative consoles provide access to manage cloud based infrastructure, platforms or services. Multi-factor authentication shall be used for access to enterprise level social media accounts.”

Four sections

The standard is broken down into four sections infosec pros will recognize for creating a strategy: Identify, Protect, Detect and Respond. Within each, department heads are mandated to take certain actions. This means if there is a failure the government can ask, ‘Why wasn’t this done?’

“This is a useful starting point for Canadian authorities,” said David Swan, the Alberta-based director of cyber intelligence at the Centre for Strategic Cyberspace + Security Science, an international consultancy. “All levels of government can use it. The requirements of the standard can be integrated into any regulatory framework. The standard can be expanded or included in other guidance. In the corporate environment, this level of knowledge should be required by boards of directors, CEOs, CSOs and CISOs. Organizations that don’t require this level of knowledge are essentially ‘co-operative victims’, unaware of their risk, cyber threat and consequences.”

The standard does allow some implementation flexibility. So the definitions of ‘sensitive’, ‘essential’, ‘important’ and ‘appropriate’ are left open. “However,” the document adds, “departments are accountable for the effectiveness of these decisions.”

U.K. departments “shall understand and manage security issues that arise because of dependencies on external suppliers or through their supply chain,” the standard says. That includes ensuring that the standards are met by the suppliers of third party services, such as hardware, software, consulting or cloud providers. However, those third parties could meet compliance in one of several ways. One is if the supplier holds a valid Cyber Essentials certificate as a minimum.

The U.K. Cyber Essentials program has accredited bodies issue certificates to private sector companies attesting they have met certain minimum security standards. Last month, when it released the latest Canadian cyber security standard, Ottawa said it is looking to set up a similar program here.

However, the Canadian program may take some time. The government said it will first consult with the private sector and potential certification bodies. At this point it isn’t known who those certification firms could be. In the U.K. they include many IT security consulting companies, who have expertise in the area. The Department of Innovation, Science and Economic Development (ISED) will be responsible for approving the Canadian program. The Communications Security Establishment (CSE), which oversees security for federal systems, will define a basic set of measures SMEs would have to follow. And the Standards Council of Canada will approve certification bodies to evaluate whether SMEs have met the standard.

Note where the U.K. minimum standard starts: “There shall be clear lines of responsibility and accountability to named individuals for the security of sensitive information and key operational services.”