Cyber resilience: public sector action plan 2017-2018

Key actions that the Scottish Government, public bodies and key partners will take to further enhance cyber resilience in Scotland's public sector.


Footnotes

1. See Key Action 10 in the action plan.

2. http://www.gov.scot/publications/safe-secure-prosperous-cyber-resilience-strategy-scotland/

3. https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021

4. http://www.gov.scot/Resource/0047/00479632.pdf

5. An accompanying implementation toolkit, available at www.gov.scot/cyberresilience, provides further detail on the applicability of this plan to public bodies. Arrangements in respect of Scottish health boards and Scottish Water must align with the requirements of the new EU NIS Directive as implemented at UK level, details of which are still being developed. As these requirements become clearer in early 2018, the Scottish Government Cyber Resilience Unit will work closely with the new Competent Authority/ies set up under the NIS Directive to consider how best to apply this action plan to the health and water sectors.

6. https://ico.org.uk/for-organisations/data-protection-reform/

7. http://www.gov.scot/Resource/0051/00515583.pdf

8. Available at: www.gov.scot/cyberresilience

9. See Key Action 10.

10. https://www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive

11. See Key Action 10.

12. Including the new Technology Security Standard under the Security Policy Framework and the GDPR.

13. Alignment with wider, non-cyber security focused requirements under the Security Policy Framework will also be taken into consideration where appropriate.

14. With the requirement for Cyber Essentials certification or, exceptionally, alternative independent assurance of critical controls by end October 2018.

15. https://www.ncsc.gov.uk/guidance/10-steps-cyber-security

16. Available at www.gov.scot/cyberresilience

17. https://www.ncsc.gov.uk/guidance/10-steps-information-risk-management-regime

18. Eligibility rules may exclude certain regulatory bodies.

19. Available at www.gov.scot/cyberresilience

20. See: https://www.cyberaware.gov.uk/cyberessentials/files/scheme-summary.pdf

21. http://www.research.lancs.ac.uk/portal/en/publications/cyber-security-controls-effectiveness(a09a2d28-d121-41dc-86d6-cc24595d8968)/export.html

22. Evidence suggests this process can help significantly with achieving Cyber Essentials or Cyber Essentials Plus certification.

23. Discussions with local authorities and the college and university sectors have indicated that a targeted and phased approach to achievement of Cyber Essentials may be appropriate for these sectors, which have very complex networks. Achievement of Cyber Essentials within the timelines set out above may, for example, only be feasible or desirable for the central or "core" networks of these organisations, assuming the scoping requirements of the Cyber Essentials scheme, as applied to these specific organisations' networks, permit this. The Scottish Government will work closely with bodies such as the Local Government Digital Office, HEIDS and UCSS to support the development of an appropriately targeted and phased approach for the wider public sector.

24. Available at www.gov.scot/cyberresilience

25. Available at www.gov.scot/cyberresilience

26. Available at www.gov.scot/cyberresilience

27. https://www.ncsc.gov.uk/guidance/cyber-security-risks-supply-chain

28. Available at www.gov.scot/cyberresilience

29. As noted in the action plan, it is possible that, in exceptional cases and for some particularly complex public bodies, the pre-assessment will make clear that Cyber Essentials or Cyber Essentials Plus is not an appropriate standard to work towards. It is also possible that, as the process of undergoing Cyber Essentials/Plus pre-assessments or certification for public bodies proceeds, wider issues or challenges in the operation of the scheme will be identified. Where this is the case, public bodies will be encouraged to raise this with the Scottish Government Cyber Resilience Unit who will draw these issues to the attention of the NCSC, and alternatives to Cyber Essentials may be considered.

30. See Key Action 10 in the action plan.

31. Including the new Technology Security Standard under the Security Policy Framework and the GDPR.

32. As noted in the action plan, it is possible that, in exceptional cases and for some particularly complex public bodies, the pre-assessment will make clear that Cyber Essentials or Cyber Essentials Plus is not an appropriate standard to work towards. It is also possible that, as the process of undergoing Cyber Essentials/Plus pre-assessments or certification for public bodies proceeds, wider issues or challenges in the operation of the scheme will be identified. Where this is the case, public bodies will be encouraged to raise this with the Scottish Government Cyber Resilience Unit who will draw these issues to the attention of the NCSC, and alternatives to Cyber Essentials may be considered.

33. The SCOTS network is the Scottish Government's IT network. A range of Scottish public bodies outside the core Scottish Government also connect to the network.
