Compliance generally refers to the conformance to a set of laws, regulations, policies, best practices, or service-level agreements. Compliance governance refers to the set of procedures, methodologies, and technologies put in place by a corporation to carry out, monitor, and manage compliance. Compliance governance is an important, expensive, and complex problem to deal with. (Silveira, P. et al. (2012) ‘Aiding Compliance Governance in Service-Based Business Processes’, in Handbook of Research on Service-Oriented Systems and Non-Functional Properties: Future Directions, pp. 524–548.)
Compliance relates to the conformance to a set of laws, regulations, policies or best practices. Compliance is an important, expensive, and complex problem to deal with \cite{ComplianceGovernance}. These sets of rules are known as standards. Organisations can be required to put policies and controls in place that ensure conformity with the regulations outlined in the given compliance standard(s). The purpose of the compliance standards is to safeguard the organisation against security threats.
\subsection{Cyber Security}
Cyber security is the body of technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access. \cite{CSCRM}
\subsection{Compliance in Cyber Security}
Cybersecurity standards have existed over several decades as users and providers have collaborated in many domestic and international forums to effect the necessary capabilities, policies, and practices - generally emerging from work at the Stanford Consortium for Research on Information Security and Policy in the 1990s. (National Institute of Standards and Technology; Technology Administration; U.S. Department of Commerce., An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12.)
Cybersecurity standards have existed for a long time, affecting the necessary policies and practices of individuals and organisations over the last several decades \cite{StanfordConsortium}. Legislation and regulations often struggle to keep up with the latest cyber threats due to the rapid evolution of the field \cite{GDPR}. As a result of the expanding pool of available tools, there is an ever-increasing number of people able to access the world of cyber crime. This makes it all the more crucial that conforming to the latest standards becomes an imperative for every company, regardless of its size. The hope for this project is that it will enable organisations to achieve this in a cost-effective manner.
\section{The State of Compliance in the UK}
\subsection{Cyber Essentials}
The Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to develop Cyber Essentials, a set of basic technical controls to help organisations protect themselves against common online security threats. (CyberEssentials Scheme: overview (2014) GOV.UK.)
The UK Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to develop Cyber Essentials, a set of basic technical controls to help organisations protect themselves against common online security threats \cite{CyberEssentials}. The scheme is designed to prevent unskilled individuals from being able to find basic vulnerabilities in an organisation, by providing advice and two levels of certification: \textquotedblleft Cyber Essentials\textquotedblright\ and \textquotedblleft Cyber Essentials Plus\textquotedblright. The former is a self-assessment designed to be light-weight and easy to follow; the latter is similar, but the verification of the organisation\textquoteright s cyber security is carried out by a certification body instead of the organisation itself.
\subsection{Crime}
We have seen a significant growth in cyber criminality in the form of high-profile ransomware campaigns over the last year. Breaches leaked personal data on a massive scale leaving victims vulnerable to fraud, while lives were put at risk and services damaged by the WannaCry ransomware campaign that affected the NHS and many other organisations worldwide. Tactics are currently shifting as businesses are targeted over individuals. (Cyber Crime (no date) NCA National Crime Agency.)
We have seen a significant increase in cyber criminal activity in recent years. The methods used by criminals are currently changing as businesses begin to be targeted more frequently than individuals. Cyber crime is growing at a rapid rate, making it increasingly difficult for regulations and legislation to keep pace, resulting in outdated laws that are often unfit for purpose \cite{GDPR}.
\section{Supply Chains}
\subsection{Supply Chain Management}
Supply chain management is an integrating function with primary responsibility for linking major business functions and business processes within and across companies into a cohesive and high-performing business model. It includes all logistics management activities as well as manufacturing operations, and it drives coordination of processes and activities within and across marketing, sales, product design, finance, and information technology. \cite{CSCRM}
\subsection{Supply Chain Security}
Supply chain security is a program that focuses on the potential risks associated with an organization’s suppliers of goods and services, many of which may have extensive access to resources and assets within the enterprise environment or to an organization’s customer environments, some of which may be sensitive in nature. (Shackleford, D. (2015) ‘Combatting Cyber Risks in the Supply Chain’. SANS Whitepaper.)
Supply chain security focuses on the potential threats associated with an organisation’s suppliers of goods and services, many of which may have extensive access to resources and assets within the enterprise environment or to an organisation’s customer environments, some of which may be sensitive in nature \cite{CombattingCyberRisks}.
\section{Impacts}
\subsection{Security Breaches}
Cyber attacks are financially devastating and disrupting and upsetting to people and businesses. (Cyber Crime (no date) NCA National Crime Agency.)
\subsection{Loss of Confidence}
Cyber attacks are financially devastating and disrupting to people and businesses. Security breaches have the potential to leak personal information on a large scale, leaving victims vulnerable to fraud \cite{CyberCrime} and further attacks using the information gained by attackers, which could be sold on to others.
\subsection{The Effect on Business and Loss of Confidence}
According to a survey by Ping Identity (a company that sells a number of cloud and software identity security solutions), 75\% of people would stop engaging with a brand online following a data breach, and 59\% said they were not willing to sign up to use an online service or application that had recently experienced a data breach. However, 56\% said they were not willing to pay anything to application or online service providers for added security to protect their personal information \cite{ITGovernance}.