The UK Government has set out a new minimum set of cyber security standards that Government expects departments to meet, and exceed wherever possible.
Developed with the NCSC (National Cyber Security Centre), the Cabinet Office says that the measures will be raised gradually to ‘raise the bar’, address new threats or classes of vulnerabilities and to include the use of new ‘Active Cyber Defence’ measures.
For example, ‘departments shall ensure that senior accountable individuals receive appropriate training and guidance on cyber security and risk management and should promote a culture of awareness’ in cyber. Departments should regularly be testing for the presence of known vulnerabilities or common configuration errors, and shall develop an incident response and management plan. And departments should be running operating systems and software packages which are patched regularly. The document covers governance, identifying and listing sensitive information held; protection from and detection of threats, and recovery from attacks. View the standard at gov.uk.
Comments
Javvad Malik, security advocate at AlienVault, said: “Unfortunately, many government departments lack the funding or expertise to implement even a baseline set of security controls. With that in mind, this minimum cybersecurity standard is a positive move that will hopefully raise the bar consistently across government departments and organisations. While ideal, it is probably not feasible to force this across all organisations outside of government bodies, but it could be used as a baseline for third parties wanting to do business with government departments.
“A good next step would be to extend the scope of minimum cybersecurity standards to apply to vendors, particularly IoT or smart device manufacturers.”
Martin Jartelius, CSO at Outpost24, said success or failure will depend on the implementation. “The danger is whether this becomes another compliance ‘checkbox’, where the regulation does set a clear baseline or bare minimum requirement, resulting in organisations doing as little as possible to be compliant, rather than to become secure.”
Mark Adams, regional VP for the UK and Ireland at business continuity software company Veeam, also welcomed the step. “With GDPR and the NIS Directive now in force, the cost of cyber attacks, breaches and network outages is now nothing short of eye-watering. The new Minimum Cyber Security Standard announced today demonstrates that the Government is aware any other alternative simply isn’t worth the risk to their operations, and sets a great example for other industries to follow.
“The emphasis on recovery (section 10), often an unsung hero with data management, is especially welcome. No matter who you are or where you work, it has never been more important to ensure that your digital lives are permanently ‘on’. The ability to seamlessly move data to the best location across multi-cloud environments is now crucial for business continuity, compliance, security, and optimal use of resources for business operations.
“This ‘hyper-availability’ not only helps us ensure data and applications are always there when we need them, it helps maintains reliability, reduces costs of manual processes, minimises downtime, ensure the continuous delivery of production IT services, and satisfy compliance requirements. All totally essential for the public sector. We’re happy to see the UK Government has recognised the need to prepare for all of this today, to avoid the fines or threats of tomorrow.”
