Cyber Essentials Certification: DIY or Outsource?

Image Source: Pexels

Without having the right technical controls against the most common cyber threats, you could be putting your sensitive data, customers, and entire business at risk.

Not only can cyber-attacks like data breaches ruin your reputation, but they can also cause serious damages to your systems and disrupt your operations.

Plus, you can lose massive amounts of critical information and money in the aftermath of a cyber-attack.

Having a cyber essentials checklist, however, will help protect your business from some of the most common, yet still highly damaging, cyber threats.

The question is, is it practical for you to go the DIY route to achieve your cyber essentials accreditation, or should you outsource to an external certifying body?

That’s what we’re here to find out.

The state of cybersecurity in general

As a business owner, you need to learn more about how the whole cybersecurity thing works — otherwise, you could run the risk of losing thousands of dollars in the event of a cyber attack.

After all, when you have a good understanding of cybersecurity, you’ll be better equipped to establish the right security measures to deal with potential security risks to your business.

Here are a few resources you can check out to help you learn more about cybersecurity in general.

Understanding cybersecurity will help you assess the risks, set the right security measures in place, and strengthen your existing technical controls to protect your business-critical data.

One way of achieving this is by getting the cyber essentials accreditation to help your business establish preventive measures against attacks and strengthen your cybersecurity.

The dangers of common cyber threats

Even some of the most common cyber attacks can lead to severe consequences for your business.

For instance, a piece of malware delivered to your system can lead to loss of your company and customer data, including disruptions to your service delivery and operations.

Baseline Cybersecurity

The aftermath of a cyber attack can also damage your hard-earned reputation and customer relationships — and you’d have to face the potential legal implications of data breaches.

This is why establishing baseline security controls against common cyber threats is crucial to help ensure that your data and assets are not vulnerable to attacks.

With the cyber essentials scheme, you can protect against the vast majority of cyber threats by highlighting five key security controls that you need to assess and maintain to a good standard.

The five cyber essentials technical controls are firewalls, secure configuration, malware protection, patch management, and user access control.

Having these security controls in place can help you address some of the most common internet-based cyber threats, especially those that use widely available tools but require little skill to execute.

The Do-It-Yourself way

The cyber essentials scheme has two compliance levels you can apply for to get certified: Cyber Essentials, which is the basic level, and Cyber Essentials Plus.

The two levels are based on the same set of requirements outlined in the five technical controls that you need to comply with to achieve certification.

First, you’ll need to answer a self-assessment questionnaire regarding the five security controls mentioned earlier.

Questions can include things like, “Are your system admin access privileges restricted to a limited number of authorized individuals?” and more.

Next will be an external vulnerability scan of your internet-facing devices and networks, including your servers, website, and firewalls.

This part of the certification process identifies any critical or high-risk areas in your cybersecurity that will determine whether your business passes or fails, and delivers a report of the findings.

The third step is a cloud service assessment to help ensure that you conduct due diligence checks on providers that your business uses — including web tools and services used by top companies and professionals.

You’ll need to provide proof of the type of security standards that your providers adhere to, including the kind of relationship you have with them.

Once you pass these three main stages, you can earn your cyber essentials certificate and show your customers, investors, and suppliers your commitment to upholding cybersecurity best practices.

Outsourcing the certification process

Cyber Essentials Plus covers everything the standard level does, except that it requires a certification body to independently assess the five technical controls.

You’ll still need to go through the three main stages of cyber essentials certification, plus two extra items: a device or workstation assessment and an internal vulnerability scan.

The device/workstation assessment is a series of tests conducted on your devices like laptops and desktops to check for things like whether or not your antivirus software is working and if your OS is up-to-date.

Cyber Essential Plus

The purpose of an internal vulnerability scan is to check the systems inside your network, rather than only those exposed to the internet.

Critical and highly vulnerable areas will then be flagged — letting you know you’ll need to fix the uncovered vulnerabilities first before you can become Cyber Essentials Plus compliant.

Although the cyber essentials plus certification requires a bit more work to achieve, the extra level of checking will give your accreditation more weight since it means that security experts verified your security controls.

The extra steps will also help make your business more secure.

Assessing the certification level that works best for your business

There are some things you need to consider when choosing whether to self-assess to achieve the standard cyber essentials or outsource to get the cyber essentials plus accreditation.

Getting cyber essentials plus, for instance, can be more expensive since your certifying body does most of the work.

You can also check on the needs and motivations of your business for seeking certification.

Is getting certified your way of showing your customers you take data privacy and protection seriously?

Are you considering the self-assessment part of the process as a way to build a learning mindset in your company about cybersecurity?

Or is getting cyber essentials certified a means to meet your supply chain and contract criteria?

Getting accredited can also be your way of complying with cybersecurity regulations and standards.

By identifying the reasons you have for getting cyber essentials, you can assess which of the two levels will work best to help protect your business from common cyber attacks.

You can also try talking to certifying bodies and providers first, before committing to a full-blown project, to check which cyber essentials certification level will work for you.

Bottom line

In a nutshell, both the cyber essentials and cyber essentials plus are the same standard since they are based on the same set of requirements.

The only basic difference is how certifying bodies verify that your business meets the requirements — whether you choose to do a self-assessment or outsource to cybersecurity experts.

Whichever you choose, getting cyber essentials is an excellent way to ensure you have the right security controls in place, protect your business from common cyber threats, and show customers that you take cybersecurity seriously.

Did you find this post useful? Please take three seconds to share if you agree. Cheers!

Translated from: https://www.journaldev.com/36910/cyber-essentials-certification-diy-or-outsource
