Protecting Scotland’s digital networks and infrastructure, and ensuring they are resilient to cyber attacks, is essential to the country’s prosperity and reputation.
The Scottish government therefore launched Safe, secure and prosperous: a cyber resilience strategy for Scotland in 2015 to help develop a culture of cyber resilience across the country.
As part of this initiative, the government launched the Public Sector Action Plan in November 2017.
This action plan set out 11 key actions that the Scottish government, public bodies and key partners must take before the end of 2018 to enhance cyber resilience in the public sector. Further action plans for the private and third sectors were published in June 2018.
How does the public-sector action plan affect my organisation?
All public-sector bodies in Scotland are required to take urgent measures to develop cyber resilience and become “exemplars” of online security.
A number of the key deadlines have already passed, so all Scottish public bodies must now have:
- Implemented minimum cyber risk governance arrangements; and
- Become members of the NCSC’s (National Cyber Security Centre) CiSP (Cyber Security Information Sharing Partnership) to share cyber threat intelligence with other members.
The next stage is for all public bodies to achieve independent assurance of their critical cyber security controls through certification to the Cyber Essentials scheme by the end of October 2018.
Cyber Essentials certification
The Cyber Essentials scheme is a UK government initiative that defines five technical controls an organisation must have in place to achieve a baseline of cyber security against common, Internet-borne attacks:
- Secure configuration
- Boundary firewalls and Internet gateways
- Access control
- Malware protection
- Patch management
There are two levels of certification: Cyber Essentials and Cyber Essentials Plus.
- Cyber Essentials requires the organisation to complete a self-assessment questionnaire, which must be signed off by a senior representative of the organisation and is then verified by an external certification body. If the organisation chooses a CREST-accredited certification body such as IT Governance, an external vulnerability scan of its Internet-facing systems is also required.
- Cyber Essentials Plus provides a higher level of assurance. In addition to meeting the requirements of Cyber Essentials, the organisation must undergo an on-site assessment by the certification body, including an internal vulnerability scan, to verify that the controls are actually in place rather than merely declared.
Certification to the scheme can bring a number of benefits, including reduced cyber insurance premiums, improved investor and customer confidence, and the ability to bid for contracts where certification is a prerequisite.
IT Governance is a CREST-accredited Cyber Essentials certification body.
Why work with IT Governance?
- IT Governance is a leading provider of IT governance, risk management and compliance solutions.
- We have been advising global businesses and government bodies for the last 15 years.
- We are known for delivering cost-saving and risk-reducing solutions based on international best practice and frameworks.
- We offer everything you need to achieve cyber resilience, including standards, books, free resources, webinars, policy and procedure templates, gap analysis tools, PCI DSS (Payment Card Industry Data Security Standard) compliance, ISO 27001 certification, business continuity and incident response management consultancy, training, penetration testing, staff awareness courses and software.
- Find IT Governance in Lot 3 of the Scottish government’s new Dynamic Purchasing System.
Free webinar: 16 October 2018, 15.00-16.00 BST
On 16 October we will host a free webinar on cyber resilience and the role Cyber Essentials plays in the cyber resilience strategy for Scotland.