The Cyber Resilience Strategy for the Scottish public sector was launched in November 2017 and aims to promote cyber resilience. The framework is a response to the impact of large-scale cyber attacks, such as WannaCry and its effect on various NHS organisations across Scotland, as well as impending regulatory changes with the introduction of the Directive on security of network and information systems (NIS Directive) (transposed into UK law as the NIS Regulations).
The framework was developed in partnership with the Scottish Government and the National Cyber Resilience Leaders’ Board (NCRLB), and urges all public sector bodies in Scotland to take cyber resilience measures. The action plan lists 11 requirements and minimum cyber risk governance arrangements that public bodies must implement by the end of June 2018.
The list of requirements set out in the action plan, together with their deadlines, is available in our free green paper, Scottish Public-Sector Action Plan 2017-18: Summary and compliance guidance.
Digital Scotland’s strategy document defines cyber resilience as “being able to prepare for, withstand, and rapidly recover and learn from deliberate attacks (or accidental events) that have a disruptive effect on interconnected technologies”. Cyber resilience brings together information security and cyber security with cyber incident response and business continuity management.
Cyber resilience tries to protect an organisation from attacks, but also recognises that this is not always possible. Consequently, it also puts plans in place to prepare the organisation for responding effectively to a disruption and ensuring its survival.
Cyber resilience in healthcare
All Scottish public sector bodies are required to comply with the Cyber Resilience Strategy; this includes health boards and the NHS.
In addition to the Cyber Resilience Strategy for Scotland, healthcare organisations face a number of other obligations in 2018:
- The EU General Data Protection Regulation (GDPR): All organisations that process EU residents’ data are required to comply.
- The Directive on security of network and information systems (NIS Directive): Operators of essential services (OES) – which include health boards and Scottish Water – and digital service providers (DSPs) must align their activities with the Directive’s requirements. Health boards must be compliant by November 2018.
- The Data Security and Protection (DSP) Toolkit: Recently released by NHS Digital, the DSP Toolkit is a requirement for all organisations that access NHS networks.
Cyber Essentials: a key role in the Cyber Resilience Strategy for Scotland
Cyber Essentials is a scheme that addresses five key security controls and is suitable for any organisation in any sector. It is highlighted as one of the key activities that organisations must complete to demonstrate that they have achieved a basic level of cyber security. Two of the key actions outlined in the plan reference Cyber Essentials as a requirement.
With Cyber Essentials, organisations can focus on core business objectives, drive business efficiency, and improve productivity through streamlining processes, while protecting themselves from the most common cyber attacks.
IT Governance’s free webinar explains what the Cyber Essentials scheme is and the role that it plays within the Cyber Resilience Strategy for Scotland and the rest of the UK. It also outlines the expectations and deadlines for achieving Cyber Essentials certification.