Cyber resilience: public sector action plan 2017-2018

• Provide contact details for (i) Board/Senior Management, (ii) working-level, and (iii) incident response to SG Cyber Resilience Unit.

1

Scottish Government

• Finalise Scottish Public Sector Cyber Resilience Framework, taking account of developments with NIS Directive and Security Policy Framework.

• Update Scottish Public Finance Manual to reflect Framework requirements.

End June 2018

2

• Ensure minimum cyber risk governance arrangements in place.

• Ensure membership of Cybersecurity Information Sharing Partnership.

• Undergo Cyber Essentials "pre-assessment" funded (to defined limits) by Scottish Government.

• Take Board/Senior Management level decision on whether to pursue Cyber Essentials or Cyber Essentials Plus Certification.

• Achieve Cyber Essentials or Cyber Essentials Plus certification. ^[29]

End April 2018

End October 2018

• Ensure appropriate implementation of Active Cyber Defence measures

Scottish Government

All Scottish public bodies

• Ensure initial arrangements for appropriate training and awareness raising in place.

• Develop and disseminate core training and awareness raising approach, materials, etc. for use by public sector, as part of wider security training and awareness raising package.

• Adapt and implement core training and awareness raising approach, materials, etc. as it becomes available.

From March 2018-2020

From March 2018-2020

B and C

All Scottish public bodies

• Finalise and disseminate central cyber incident reporting and coordination protocols and template cyber incident response plans.

• Ensure cyber incident response plans in place and aligned with central protocols.

End June 2018

Scottish Government

Scottish Government

All Scottish public bodies

• Seek views of Scottish business organisations on draft supply chain cyber security policy on procurement.

• Publish Scottish Procurement Policy Note as part of Scottish Public Sector Cyber Resilience Framework.

• Align grant funding guidance and SPFM.

• Implement Scottish Procurement Policy Note and grant funding guidance as part of Scottish Public Sector Cyber Resilience Framework.

Early 2018

End May 2018

End May 2018

From June 2018

• Put in place Dynamic Purchasing System for Digital services (including cyber security) for Scottish public sector.

All Scottish public bodies, inc. Cyber Catalysts

Public Sector Cyber Catalysts

• Work with Scottish Government, NCSC and NCRLB to finalise Scottish Public Sector Cyber Resilience Framework, and identify key challenges facing Scottish public sector.

• Begin implementation of, and (in line with final arrangements) reporting against, Framework.

• Share learning and knowledge with wider public sector.

By end June 2018

From end June 2018

In line with progress

Scottish Government

• Informal, working-level responses to enquiries on progress from Scottish Government Cyber Resilience Unit.
• Provide one-off written assurance at Board/Senior Management level on the following:
  • confirmation of (i) having undergone a Cyber Essentials pre-assessment, (ii) having taken a decision on whether to seek Cyber Essentials or Cyber Essentials Plus, and (iii) the expected timelines for achieving this.
  • Board/Senior Management level commitment and basic governance arrangements.
  • CiSP membership.
  • Appropriate use of Active Cyber Defence measures.
  • Appropriate training and awareness raising processes.
  • Cyber incident response protocols, aligned with central mechanisms.
• Provide one-off written confirmation that Cyber Essentials or Cyber Essentials certification has been achieved.
• Develop and implement appropriate monitoring and evaluation arrangements as part of Scottish Public Sector Cyber Resilience Framework, and communicate these to public bodies.

Ongoing

End October 2018

End June 2018

29

12-14