Mark SayManaging EditorWednesday 8 November 2017

Scottish Government to develop cyber resilience framework

Action plan includes taking up NCSC initiatives, response plans for cyber incidents, independent assurance and the creation of a new procurement channel for digital services

The Scottish Government has announced plans to develop a cyber resilience framework as part of an action plan for the public sector announced today.

It is one of a series of measures aimed at leading all public bodies in the country to implement common baseline standards of cyber security, including the active sharing of threat intelligence, cyber incident response protocols and independent assurance that protection is in place against common forms of attack.

John SwinneyAnnouncing the publication of the action plan, Deputy First Minister John Swinney (pictured) said: “The Scottish Government recently committed to developing a range of action plans to help meet this ambition, including in the key areas of learning and skills, economic opportunity, and public, private and third sector cyber resilience.

“Today marks the first of those plans being published. Our Public Sector Action Plan will encourage all public bodies, large or small, to achieve common standards of cyber resilience.

“I want our public sector to lead by example on strengthening cyber security, to help ensure Scotland is ready to deal with all emerging threats.”

Risk based approach

The framework will be developed with the National Cyber Security Centre (NCSC), the Scottish Public Sector Cyber and other partners, and will be aimed at promoting a risk based approach to cyber security.

Its starting point will be the new EU directive on the security of network and information systems, extending to four domains. These comprise setting up the organisational structures and policies for risk management; taking proportionate security measures against cyber attack and system failures; creating capabilities to detect threats; and taking steps to minimise the impacts of any incidents.

The framework is scheduled to completed by the end of June next year, at which time public bodies in Scotland will also be expected to have minimum cyber risk governance arrangements in place.

Other actions include public authorities becoming active members of the NCSC’s Cybersecurity Information Sharing Partnerships (CiSPs), implementing its Active Cyber Defence Programme, setting up cyber incident response plans, and arranging independent assurance of critical controls.

Requirements also extend to the supply chain, with the need for a proportionate, risk based policy for cyber security, and guidance for any recipients of public funding to take appropriate measures.

Dynamic purchasing

All this will be supported by the creation of dynamic purchasing system for digital services including those for cyber security. This will provide a procurement framework which makes it possible for new suppliers to join during the lifetime of a contract, providing the scope to add new technology solutions.

In addition, the Scottish Government will coordinate the Public Sector Cyber Catalyst scheme, under which a number of organisations will aim to become exemplars in the field, and put in place a monitoring and evaluation framework.

The announcement won the support of Hugh Aitken, director of CBI Scotland, who said: “The Public Sector Action Plan on Cyber Resilience marks an important step on the journey to making Scotland a more cyber secure country. Ensuring all public bodies have a baseline standard for cyber resilience could be the difference between repelling an attack or having to deal with a raft of legal and reputational consequences.”

Image from Scottish Parliament under Open Scottish Parliament Licence