The UK government has published a set of security standards that all departments and their suppliers are expected to comply with as a minimum. However, according to the ‘Minimum Cybersecurity Standard’ document, the measures are set to increase over time in order to address new threats or classes of vulnerabilities and to incorporate the use of new Active Cyber Defence measures. Whilst these measures pertain to government, they could equally apply to, and be adopted by, the private sector.
The measures follow a similar approach to GDPR in that the emphasis is on mandating outcomes rather than recommending specific solutions, although certain specific controls are mandated, such as implementing TLS 1.2 encryption for email.
The standards comprise ten sections covering five categories: Identify, Protect, Detect, Respond and Recover. Each section outlines specific criteria; some of the key elements are outlined below.
(1) Departments shall put in place appropriate cyber security governance processes.
Departments must have clear lines of responsibility and accountability to named individuals for the security of sensitive information and key operational services. There is a requirement to identify and manage the significant risks to sensitive information and key operational services. In addition, departments need to ensure that their external suppliers also conform to the standards by having them attain security certifications such as Cyber Essentials. Appropriate training and guidance on cyber security and risk management should also be provided for individuals.
(2) Departments shall identify and catalogue sensitive information they hold.
Departments need to know and record what information they hold or process, why they hold or process it, what computer systems or services process it, and the impact of its loss, compromise or disclosure.
(3) Departments shall identify and catalogue the key operational services they provide.
Departments need to know and record what their key operational services are, what technologies and services their operational services rely on to remain available and secure, what other dependencies the operational services have (such as power, cooling, data and people) and the impact of loss of availability of the service.
(4) The need for users to access sensitive information or key operational services shall be understood and continually managed.
Users shall be given the minimum access to sensitive information or key operational services necessary for their role and access shall be removed when individuals leave their role or the organisation. Periodic reviews should also take place to ensure appropriate access is maintained.
(5) Access to sensitive information and key operational services shall only be provided to identified, authenticated and authorised users or systems.
Users and systems need to be identified and authenticated prior to being provided access to information or services. Depending on the sensitivity of the information or criticality of the service, authentication and authorisation of the device being used for access may be required.
(6) Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities.
This section covers four main areas of technology: enterprise technology, end-user devices, email systems and digital services. It is the most detailed and prescriptive section and covers a range of requirements such as auditing of all hardware and software assets, implementing TLS encryption for email, registration for and use of the NCSC’s Web Check service, implementation of Domain-based Message Authentication, Reporting and Conformance (DMARC), using the UK Public Sector DNS Service to resolve internet DNS queries, and running operating systems and software packages which are patched regularly. A full list is outlined in the document.
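Of the email controls listed above, the DMARC requirement is the one most easily checked from a department's own published DNS record. The following is an added illustrative example, not code from the standard or from NCSC: it parses a DMARC TXT record and reports whether the policy would actually block spoofed mail. The threshold it applies (p=quarantine or p=reject at pct=100, with a rua= address for aggregate reports) is an assumption for the example, not a value taken from the standard, and the sample records are constructed.

```python
# Added example: parse and assess a DMARC TXT record.
# Threshold (enforcing policy at 100% plus aggregate reporting) is an assumption,
# not a requirement quoted from the Minimum Cyber Security Standard.
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Parse "v=DMARC1; p=reject; rua=..." into a tag dict.

    Raises ValueError for records that are not syntactically DMARC:
    the first tag must be v=DMARC1 and a valid p= tag must be present.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("record must carry p=none|quarantine|reject")
    return tags


def assess_dmarc(record: str) -> dict:
    """Report the effective policy and any gaps that leave spoofing unblocked."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))          # DMARC default is 100%
    sub_policy = tags.get("sp", policy).lower()  # sp= defaults to p=
    rua_targets = [a.strip() for a in tags.get("rua", "").split(",") if a.strip()]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if not any(t.startswith("mailto:") for t in rua_targets):
        findings.append("no rua= address: no aggregate reports to detect abuse")
    return {"policy": policy, "pct": pct,
            "enforcing": policy != "none" and pct == 100, "findings": findings}


# Constructed sample records; example.gov.uk is a placeholder, not a real record.
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov.uk",
    "enforcing": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.gov.uk",
    "partial": "v=DMARC1; p=quarantine; pct=20",
}
```

In practice the record would be fetched from the `_dmarc.<domain>` TXT entry and fed to `assess_dmarc`; a non-empty `findings` list is the item to raise with the email team.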
(7) Highly privileged accounts should not be vulnerable to common cyberattacks.
Highly privileged users should not use their highly privileged accounts for high-risk functions, such as reading email and web browsing. Multi-factor authentication shall be used where technically possible, such as where administrative consoles provide access to manage cloud-based infrastructure, platforms or services. Multi-factor authentication shall be used for access to enterprise-level social media accounts. Passwords which would on their own grant extensive system access should have high complexity, be changed from default values and not be easy to guess.
(8) Departments shall take steps to detect common cyberattacks.
Departments shall have a clear definition of what must be protected and why. A monitoring system should be implemented, particularly for digital services. Attackers attempting to use common cyber-attack techniques should not be able to gain access to data or any control of technology services without being detected.
(9) Departments shall have a defined, planned and tested response to cyber security incidents that impact sensitive information or key operational services.
Departments shall develop an incident response and management plan, with clearly defined actions, roles and responsibilities. It should be tested at regular intervals. Relevant bodies need to be informed of any incident or breach.
(10) Departments shall have well-defined and tested processes in place to ensure the continuity of key operational services in the event of failure or compromise.
Departments shall identify and test contingency mechanisms to continue to deliver essential services in the event of any failure, forced shutdown, or compromise of any system or service. Restoring the service to normal operation should be a well-practised scenario.
Exertis offers a wide range of data and security services to ensure your customers and business are always protected. Contact your account manager to find out more.