Following on from our last blog, “Does your IT Cabinet/Network Room look like this”, this post aims to settle any fears you may have about what could be lurking behind the closed doors of your network equipment rooms, Data Centres, Buildings or Campuses. Here we explain how you should assess your Infrastructure for Cyber Assurance compliance within the ‘Real’ and ‘Network’ layers.
Client Engagement: The first element is about you. Through proactive questioning, listening, advising and reacting to your needs, coupled with your own assessment of your infrastructure and what you hope to gain, a specialist will explain the stages of a Cyber Assurance assessment.
Inspect and Audit: Secondly, you agree to an onsite inspection and thorough audit of your Cabinets, Network Rooms, Buildings and Campuses. This can be done with your infrastructure team working alongside the engineering consultants, allowing mutual learning and a shared understanding of what is being assessed. It should be carried out by qualified and experienced consultant engineers, ideally with a wealth of defence, private and public sector experience of designing, installing and certifying fully compliant CIS Infrastructure solutions. Through inspection, auditing, compliance checking and assurance, the consultant will focus on the following six objectives of Cyber Assurance:
Availability – Flexibility – Economy – Confidentiality – Integrity – Resilience
Report: Thirdly, once all facets of the audit are complete, a detailed written ‘Audit and Compliance’ report is compiled and submitted. This report highlights findings against a range of standards (Joint Services Publications, SDIP-29/2, British Standards) in a Red, Amber, Green (RAG) format, with easily digestible reasons for each issue found and the means to mitigate it. The standards assessed against should be agreed with you beforehand, based on the depth and level of ‘Assurance’ you require for your infrastructure.
Remediate, Support and Certification: Lastly, you wouldn’t expect your auditor to hand over a post-survey report and simply walk away, leaving you to unpick and remediate what has been highlighted as serious issues and non-compliances. They should work with you throughout the process, supporting, advising, mentoring and guiding you until remediation is complete and your infrastructure is certified to the ‘Assured’ industry certification. Once assurance/certification is obtained, the work doesn’t stop there: employing rigour and discipline to maintain that assured status thereafter is paramount.
This approach is how we engage and undertake our cyber assurance audits, leading to certification that your infrastructure and services are compliant with, and assured to, industry standards.