The concept of Digital Security Levels
Digital Assets are information assets that exist in electronic form. We are not concerned with the type or nature of the asset; it could be a customer's personal record, an engineering design document, a new unreleased song or a proprietary food recipe. The type is irrelevant: the common thread to all of these is that they need to be protected and available to their owner(s) so that they retain their usefulness and value.
However, digital assets are frequently shared with partners, contractors, customers and 3rd parties, and this all requires an element of trust. This trust should be based upon evidence and external verification of that evidence; however, it is common for no evidence to be requested, and thus none is provided. As a result, much of the inter-organisational trust is misplaced.
Furthermore, there is currently no cross-industry method of checking how secure an organisation or department is before establishing a contract with them (within a reasonable time frame and cost limit). Linked to this is the fact that many small organisations (e.g. fewer than 50 staff) are unable or reluctant to fund external consultants to audit, test or document their systems, and while they continue to attract clients they will not change this position.
Digital information processing has become more specialised in the last 5 years, and large numbers of highly specialised small businesses now process digital assets for larger corporations and departments; however, few of these sectors are regulated and few of their practices are validated.
This presents a problem to large organisations when letting contracts, as they have no method of comparing competing contractors in terms of their digital and information security practices, policy and processes. Certified Digital Security Levels are intended to address this lack of comparability.
Use of the Digital Security Model
The information provided on this site is free for all to use; it is a model we offer to the community. Certified Digital Security Levels (CDS levels) are published in the public space (www.certifieddigitalsecurity.com) and may be copied and downloaded; however, the master/current versions will always be held on the site, and users are advised to check the version there before committing time and resources to achieving an older version of the CDS.
How CDS Levels help organisations achieve and demonstrate better security
CDS levels range from 1 (basic security) to 9 (highly secured network). Note that levels are cumulative, i.e. to achieve level 5 you must provide evidence of how you meet levels 5, 4, 3, 2 and 1.
Organisations are able to use the CDS model to identify where they could improve their security measures as they follow the CDS roadmap to a more secure IT system. Organisations can view the requirements for the various CDS Levels and thereby choose the amount of work, funds and time they wish to dedicate to achieving the target level. There is no pressure on organisations to adopt the model as their own standard; however, if they do, we encourage them to have their efforts validated.
Demonstrating compliance with a target CDS level
Organisations that elect to have their CDS compliance validated generate evidence to prove they meet the target level, and an impartial auditor verifies that the evidence is correct and of the standard required to meet the target CDS level. The audit outputs are verified by Digital Security Ltd (as the developers of the model) and the target level is awarded to the organisation.
Those organisations that pass their target level will be awarded a uniquely numbered certificate that may be published and used as part of their standard PR and business communication.
The unique certificate number, if forwarded to Digital Security Ltd, will reveal:
1. The CDS level achieved (including a link to the scope of that CDS, i.e. what was checked).
2. The area of the subject's business that is included in the CDS scope (this applies mainly to large or multi-site organisations).
3. The date when the CDS check was conducted.
4. When the CDS Certificate expires.
5. Which auditor (by auditor number) conducted the audit (to prove impartiality).
We believe that when bidding or competing for business, a subject organisation should include their unique CDS number, allowing bid assessors to check the independently verified security measures that were in place at the organisation at the time of the validation.
Finally, organisations can use their CDS level to promote their security to new clients and customers, to say "Hey, we treat your data seriously". By having a simple-to-read numbering scheme, the public can quickly see who is implementing more security on their networks.