Cyber Resilience Framework for Scottish Public Bodies
Public Sector Action Plan
In advance of this, they have set out a Public Sector Action Plan to help Scottish public bodies take an initial, significant step towards establishing that wider culture of cyber resilience in Scotland.
As a certified member of the Scottish Business Resilience Centre, a certified CREST provider and a cyber security specialist, MTI see the value and importance of this upcoming framework, and the steps contained in the action plan are familiar areas of focus for us.
We’ve reviewed the action plan and summarised the key actions required by Scottish public bodies:
Key Action: Governance – by end June 2018
By end June 2018, Scottish public bodies will need to demonstrate cyber risk governance arrangements that specify Board/Senior Management commitment to managing the risks arising from the cyber threat. This includes a nominated board/senior manager responsible for cyber resilience and regular board/senior management consideration of cyber security and resilience.
Key Action: Cyber Security Information Sharing Partnership (CiSP) – by end June 2018
To promote greater awareness of cyber threat intelligence across the Scottish public sector, the Scottish Government will encourage Scottish public bodies that are responsible for managing their own networks to become active participants in the Cyber Security Information Sharing Partnership (CiSP) by end June 2018.
Key Action: Cyber Essentials Scheme Participation – by end Oct 2018
The guidelines recommend that, by end October 2018, Scottish public bodies have appropriate independent assurance that critical technical controls are in place to protect against the most common internet-borne threats. They recommend the Cyber Essentials certification scheme, as it is widely recognised (including by the NCSC), comprehensive and accessible. There is dedicated funding available to support bodies during the pre-assessment phase (up to £1000).
Key Action: Active Cyber Defence (ACD) Programme – by end June 2018
Scottish public bodies are encouraged to be aware of, and implement appropriately, services available under the National Cyber Security Centre’s Active Cyber Defence (ACD) Programme by end June 2018. There are 4 main focus areas under this programme: Protected DNS, DMARC anti-spoofing, web and network security, and phishing and malware protection.
Key Action: Training and Awareness – by end June 2018
The Scottish Government will seek assurances from Scottish public bodies that they have in place appropriate staff training, awareness-raising and disciplinary processes with regard to cyber resilience for staff at all organisational levels. Initially, staff should be supported by relevant documentation, which should be in place by end June 2018. In the medium term, the aspiration is to develop e-learning and interactive toolkits to support this initiative.
Key Action: Incident response – by end June 2018
The Scottish Government will work with the NCSC, Police Scotland and other key partners to ensure that Scottish public bodies have cyber incident response policies and processes in place, and that these can integrate with robust, clear, central cyber incident notification and coordination protocols by end June 2018.
Key Action: Monitoring and Evaluation – by end June 2018
As part of this action plan, the Scottish Government seeks an effective monitoring and evaluation framework to help assess progress, and will request that all Scottish public bodies provide one-off written updates setting out progress on implementing the key actions included in the plan. The first round of requests will be by the end of June 2018.
Pen Testing
Penetration testing proactively assesses not only IT assets such as servers, workstations, mobile devices, web applications and network design, but also the working practices of IT staff and users, to identify any vulnerabilities or weaknesses.
Cyber Essentials
MTI provides a Cyber Essentials Scheme assessment service with everything you need to achieve CREST accredited Cyber Essentials Plus certification.
Professional Services
MTI offers professional services that guide your organisation through the most challenging IT projects. With over 20 years’ experience in helping our customers design, implement and maintain IT infrastructure, we can make sure that your organisation realises the greatest value from your investment in new technology.