Scottish Public Sector Cyber Resilience Framework
The Scottish Public Sector Cyber Resilience Framework is aimed at improving cyber security and promoting cyber resilience in public sector organisations.
The impact of recent large-scale cyber attacks (such as WannaCry), together with the General Data Protection Regulation (GDPR) and the NIS Directive, requires decisive action to ensure continuity of service delivery. Non-compliance with these two key pieces of legislation may have significant ramifications from May 2018.
All public sector bodies in Scotland are required to take urgent measures to develop cyber resilience and to become "exemplars" in online security. One of the first requirements was to get a Cyber Essentials pre-assessment by March 2018.
What is cyber resilience?
“Cyber resilience means being able to prepare for, withstand, and rapidly recover and learn from deliberate attacks (or accidental events) that have a disruptive effect on interconnected technologies. Cyber security is a key element of being resilient, but cyber resilient people and organisations recognise that being safe online goes far beyond just technical measures.” - http://www.gov.scot/Resource/0051/00515583.pdf
Public Sector Action Plan on Cyber Resilience
A Public Sector Action Plan on Cyber Resilience was launched in November 2017 which outlines how Scottish public bodies can improve cyber security and be more secure online.
It sets out the 11 key actions that the Scottish Government, public bodies and key partners will take up to the end of 2018 to further enhance cyber resilience in Scotland’s public sector.
The action plan lists 11 requirements, and minimum cyber risk governance arrangements must be in place by the end of June 2018.
Stages of Progression
There will be three stages of progression – initial baseline, target and advanced.
The initial baseline stage must be achieved by end June 2018 “or end October 2018 in the case of Cyber Essentials certification and independent assurance of critical controls”.
The target stage is for public bodies to work towards a new Security Policy Framework Technology Security Standard, on a risk-based and proportionate basis.
The advanced stage will align with the NIS Directive legislation and guidance. “Scottish public bodies in the health and water sectors will automatically be subject to these requirements under relevant legislation”.
Key Actions and Timelines:
All Scottish public bodies will be asked to provide written assurance at Board level, by end March 2018, to the Scottish Government in line with key monitoring and evaluation measures that have been introduced.
“The Information Commissioner has, for example, noted publicly that achieving Cyber Essentials accreditation can assist with preparing for GDPR. Public bodies should consider how work on cyber resilience aligns with their wider work on GDPR compliance.” (Public Sector Action plan on Cyber Resilience)
- The Scottish Government aims to develop a common cyber resilience framework for Scottish public bodies and update the Public Finance Manual by June 2018.
- The Scottish Government aims to implement a dynamic purchasing system for procuring digital services, including cyber security (by October 2017).
All Scottish public bodies must:
- Implement minimum cyber risk governance arrangements, by end June 2018.
- Ensure membership of the NCSC’s Cybersecurity Information Sharing Partnership (CiSP) to promote cyber threat intelligence sharing by end June 2018.
- Adopt independent assurance of critical cyber security controls by end October 2018 through Cyber Essentials certification:
  - Cyber Essentials pre-assessments must be undertaken by March 2018.
  - A board-level decision must be taken on whether to pursue Cyber Essentials or Cyber Essentials Plus certification by end April 2018.
  - The organisation must achieve Cyber Essentials or Cyber Essentials Plus certification by end October 2018.
- Implement the NCSC Active Cyber Defence Programme by June 2018.
- Institute initial arrangements for cyber resilience staff training and awareness by end June 2018, and adopt these as resources become available from March 2018 to 2020.
- Adopt effective cyber incident response plans by end June 2018.
- Implement the Scottish Procurement Policy Note and grant funding guidance as part of Scottish Public Sector Cyber Resilience Framework by June 2018.
- Start reporting against a new Cyber Resilience Framework from the end of June 2018.
- Provide informal, working-level responses to enquiries regarding progress from the Scottish Government Cyber Resilience Unit, including one-off written assurance at Board level on specific actions.
Cyber Resilience Best Practice Guidelines
A set of best-practice guidelines has been developed to support the Cyber Resilience Action Plan.
The Scottish Government has listed a range of existing standards, guidelines and controls that can contribute to increased cyber resilience, including ISO 27001, Cyber Essentials and the PCI DSS.
Scottish public bodies should have regard to these best-practice guidelines when providing governance statements and certificates of assurance under the requirements set out in the Scottish Public Finance Manual.
The guidelines cover the following areas:
A. Governance and Risk Management
- Board-level commitment, awareness and involvement
- Risk management (including identification, ownership and management of critical assets and cyber risks)
B. Prepare for and withstand cyber threats and risks
- Action to improve knowledge, actions and behaviours (including education)
- Secure configuration
- Network security
- Managing user privileges
- Malware protection
- Removable media controls
- Home and mobile working
- Supply chain risk management
C. Respond to, and recover from, cyber incidents
- Incident response policy/plan
- Incident response team staffing and structure (including out-of-hours cover)
- Defining, detecting, triaging and triggering
- Containment, investigation, eradication and recovery
- Information sharing and coordination
- Business continuity plans
- Lessons learned
- Exercising
Overall Governance and Risk
Funding will be made available for public bodies to undergo Cyber Essentials “pre-assessments”, by the end of March 2018.
Implications for non-public sector organisations
There are separate action plans in place for the private and third sectors.
Private sector action plan 2018-2020
This details the key actions that the Scottish Government and its partners will take during 2018-20 to help address existing issues to ensure greater confidence in standards of cyber resilience in Scotland’s private sector.
Third sector action plan 2018-2020
This action plan sets out the steps which need to be considered for developing a Third Sector Cyber Resilience Framework/Pathway. This includes providing a simple, structured way for organisations in Scotland, particularly small and medium-sized third sector organisations, to assess the cyber threat to their operations and to select an appropriate set of controls or guidance to help them work progressively towards strengthening their cyber resilience.
Monitoring and Evaluation
For Scottish Public Sector Cyber Catalysts, a bespoke monitoring and evaluation framework has been developed to provide assurance to Scottish Ministers, the public and the Scottish Parliament with regard to progress towards best practice in cyber resilience in their organisations.
Why work with IT Governance?
- IT Governance is a leading provider of IT governance, risk management and compliance solutions.
- We have been advising global businesses and government bodies for the last fifteen years.
- We are known for delivering cost-saving and risk-reducing solutions based on international best practice and frameworks.
- We offer everything you need to achieve cyber resilience: standards, books, free resources, webinars, policy and procedure templates, gap analysis tools, PCI DSS compliance, ISO 27001 certification, business continuity and incident response management consultancy, training, penetration testing, staff awareness courses and software.
- Find IT Governance in Lot 3 of the new Scottish Government Dynamic Purchasing System
Speak to an expert in Scotland
Get cyber resilient today with comprehensive solutions aligned to international best practice.