Want to start Information Security in your company, but don't know where to begin?
Written by CDS Team,
Wednesday, 11 May 2011

Not knowing where to start in Information Security is a common problem, and it is the reason why we started developing this simple-to-follow standard (now in simpler English) back in September 2008.

 

Since June 2009, we have worked to develop the CDS to be as accessible as possible, removing the techie and complex security speak that peppers most standards. Whilst we respect and recognise the value of ISO27001, HIPAA, PCI DSS and other Information Security standards, we believe they weren't written with the Small to Medium Enterprise (SME) organisation in mind, because they were designed by security professionals for security professionals.

 

The Certified Digital Security (CDS) standard is different; it was developed by an SME for SMEs.

 

CDS was designed to allow smaller organisations to demonstrate to their larger clients that they had undertaken the security basics and that the big corporations' data was safe on the SME's systems, and so to assist in developing greater confidence between your businesses.

 

CDS was actually developed following the authors' work with the music and film industries; we had conducted many reviews and audits on small, technical and artistically unique organisations, as they were delivering music gold out of the security versions of tin cans.

 

We developed these simple to follow steps to allow SMEs to 'work at it' over several years, incrementally improving their security, while still allowing the organisation to be boutique and specialised, secure and robust but still nimble and fast.

 

In October 2008, CDS Level 3 and Level 6 were openly adopted (with some content-management-industry specific adjustments) by the Content Delivery and Storage Association, or CDSA (the film and music trade body), as the basis for their Content Protection and Security, THE worldwide standard that they use to gauge compliance for all sites but especially their SME partners. See here for further details: http://www.cdsaonline.org/content-protection-and-security-standards-and-procedures/

 

To get an understanding of the types of organisations that now work to CDS Levels 3 and 6, have a look at the CDSA Members listings:  http://www.cdsaonline.org/directory/member-companies/.

 

So if you are looking for the most implemented, but easiest to understand, IT Security Strategy in the world, then CDS Levels 1 through 3 are what you need. These requirements are written in simple English, and all 3 Levels fit on one page of A4! (There is also a link to a PDF version.)

  


 

Think about which areas are important to your business; now focus upon the things that relate to data or information, and CDS will concentrate on how you protect these items and this information.

 

Certified Digital Security Level 1


To achieve a CDS Level 1 grade of security, you will need to show you have done the following:

  1. Write a Policy for Managing Information and its Security (including how your staff should use email and the Internet).
  2. Give everyone their own user account (protected with a password).
  3. Don’t use a Microsoft Windows ‘Administrator’ or 'Super User' account for routine work (eg email).
  4. Install an AntiVirus product (and keep it up to date).
  5. Tell your staff how they need to dispose of things that may hold important information (yours or that of your customers).
  6. See if the Information Commissioner’s Office believes you should be Data Protection Act registered.

 

Certified Digital Security Level 2


To achieve a CDS Level 2 grade of security, you will need to show you have also (in addition to Level 1) done the following:

  1. Confirm your computer administrator’s references and have them background checked (eg credit check).
  2. Teach your users how to use computers and the Internet in a safe and secure way.
  3. Keep your software and hardware up to date.
  4. Keep a list of your most valuable assets.
  5. Switch on your computer’s logging and record keeping (where possible).
  6. Get the contact details of a computer emergency call-out company printed out in case the computers crash, you lose data or get hacked (this could be your normal IT Support).
  7. Switch on the encryption on the wireless networks (WPA2).
  8. Check for things you didn't agree to have on your network.

 

Certified Digital Security Level 3


To achieve a CDS Level 3 grade of security, you will then need to show you have also (in addition to Levels 1 and 2) done the following:

  1. Check you need and have licences for all the software installed (remove stuff you don’t).
  2. Ensure your computer administrators are trained to do the stuff you need them to do.
  3. Use an up-to-date firewall when connecting to other networks (including the Internet).
  4. Dispose of things that hold data in a way that prevents others ever reading it again.
  5. Plan how you would deal with a disaster or big computer problem.
  6. Make sure your servers are physically secure.
  7. Don’t allow personal equipment on the network.
  8. Limit external access to computers from the Internet.

 

Attachments:
File: Starting Information Security.pdf
Description: Starting Information Security. One page outlining CDS Levels 1 to 3, in simple English
File size: 406 Kb
Last Updated ( Thursday, 19 May 2011 19:13 )
IT Security for the Small Business
Written by CDS Team,
Monday, 23 May 2011

Certified Digital Security welcomes Logically Secure Ltd to the CDS community.  We have recently completed an assessment of the SecureME! product offered by Logically Secure and we are pleased to announce that we have awarded them a Level 3 certificate specific to the product; this means that every purchase of SecureME! will now come with a CDS Level 3 (SecureMe!) certificate.

 

SecureME! provides enterprise-style security measures and support to the lone operator, taking care of the encryption, anti-virus, secure configuration and training requirements, as well as supplying CDS compliant policies, plans and procedures.  Logically Secure deliver their product in partnership with world class providers such as Symantec, McAfee and Cy4or, helping to ensure that the end-user has reliable security measures in place and a first-rate support network.

 

For further details go to http://www.LogicallySecure.com/SecureME

Last Updated ( Monday, 23 May 2011 16:36 )
Overview of CDS
Written by CDS Team,
Tuesday, 30 June 2009

The concept of Digital Security Levels
Digital Assets are information assets that exist in electronic form. We are not concerned as to the type or nature of the asset – it could be a customer’s personal record, an engineering design document, a new unreleased song or proprietary food recipe; it is irrelevant, the common thread to all of these is that they need to be protected and available to their owner(s) so they retain their usefulness and value. 

However, digital assets are frequently shared with partners, contractors, customers and 3rd parties, and this all requires an element of trust. This trust should be based upon evidence and external verification of this evidence; however, it is common for no evidence to be requested, and thus none is provided. As a result, much of the inter-organizational trust is misplaced.

 

Furthermore, there is currently no cross-industry method of checking how secure an organization or department is before establishing a contract with them (in a reasonable time frame and cost limit). Linked to this is the fact that many small organisations (eg sub 50 staff) are unable or reluctant to fund external consultants to audit/test or document their systems, and while they continue to attract clients they will not change this position.

 

Digital information processing has become more specialised in the last 5 years, and large numbers of highly specialised small businesses process digital assets for larger corporations and departments; however, few of these sectors are regulated or have their practices validated.

 

This presents a problem to large organisations when letting contracts as they have no method of comparing competing contractors in terms of their digital and information security practices, policy and processes. Through the use of Certified Digital Security Levels it is hoped to address this lack of comparability.

Attachments:
File: Certified Digital Security Overview - 1.2 Live.pdf
Description: Overview of the CDS
File size: 527 Kb
Last Updated ( Saturday, 24 April 2010 15:00 )
CDS RoadMap
Written by CDS Team,
Saturday, 29 May 2010


 

This RoadMap has been designed to allow organizations to conduct a quick check of their current standing in relation to the CDS levels. 

Under each level are the short descriptions for the items required at that level. Areas already implemented can be checked off on the sheet, which can then be used to compare what has already been achieved and to let the viewer quickly see what could be done next.

 

The PDF file linked to this posting outlines the roadmap through the various levels; it was designed to be printed onto A3 paper, so the text and check boxes were scaled appropriately. 

Remember that the CDS material on the website may be used to improve an organization's security at no cost to them. The information is provided free on the condition that it retains the branding it was released with.

For additional information do not hesitate to contact us.

Last Updated ( Sunday, 30 May 2010 16:58 )