Cyber resilience: public sector action plan 2017-2018

Key actions that the Scottish Government, public bodies and key partners will take to further enhance cyber resilience in Scotland's public sector.


Annex A: Key Actions and Timelines

Summary

Summary of key actions for Scottish public bodies

Columns in the original table: Key action no. | Action required of | Requirements | Deadline | Page no. action plan | Page no. toolkit. Each key action is set out below with the responsible body and deadline given against each requirement.

Preparatory
Action required of: All Scottish public bodies
Requirements and deadlines:
  • Provide contact details for (i) Board/Senior Management, (ii) working-level, and (iii) incident response to SG Cyber Resilience Unit. Deadline: End Nov '17
Page no. action plan: N/a
Page no. toolkit: 1

Key action 1
Action required of: Scottish Government, NCRLB, NCSC, Cyber Catalysts; Scottish Government
Requirements and deadlines:
  • Finalise Scottish Public Sector Cyber Resilience Framework, taking account of developments with NIS Directive and Security Policy Framework (Scottish Government, NCRLB, NCSC, Cyber Catalysts). Deadline: End June 2018
  • Update Scottish Public Finance Manual to reflect Framework requirements (Scottish Government). Deadline: End June 2018
Page no. action plan: 12-14
Page no. toolkit: 2

Key action 2
Action required of: All Scottish public bodies
Requirements and deadlines:
  • Ensure minimum cyber risk governance arrangements in place. Deadline: End June 2018
Page no. action plan: 15-16
Page no. toolkit: 2-3

Key action 3
Action required of: All Scottish public bodies managing networks
Requirements and deadlines:
  • Ensure membership of Cybersecurity Information Sharing Partnership. Deadline: End June 2018
Page no. action plan: 16
Page no. toolkit: 3-4

Key action 4
Action required of: All Scottish public bodies
Requirements and deadlines:
  • Undergo Cyber Essentials "pre-assessment" funded (to defined limits) by Scottish Government. Deadline: End March 2018
  • Take Board/Senior Management level decision on whether to pursue Cyber Essentials or Cyber Essentials Plus Certification. Deadline: End April 2018
  • Achieve Cyber Essentials or Cyber Essentials Plus certification. [29] Deadline: End October 2018
Page no. action plan: 16-20
Page no. toolkit: 4-10 and Annex A

Key action 5
Action required of: All Scottish public bodies
Requirements and deadlines:
  • Ensure appropriate implementation of Active Cyber Defence measures. Deadline: End June 2018
Page no. action plan: 20-21
Page no. toolkit: 10-11

Key action 6
Action required of: All Scottish public bodies; Scottish Government; All Scottish public bodies
Requirements and deadlines:
  • Ensure initial arrangements for appropriate training and awareness raising in place (All Scottish public bodies). Deadline: End June 2018
  • Develop and disseminate core training and awareness raising approach, materials, etc. for use by public sector, as part of wider security training and awareness raising package (Scottish Government). Deadline: From March 2018-2020
  • Adapt and implement core training and awareness raising approach, materials, etc. as it becomes available (All Scottish public bodies). Deadline: From March 2018-2020
Page no. action plan: 21-22
Page no. toolkit: 11 and Annexes B and C

Key action 7
Action required of: Scottish Government, NCSC, Police Scotland; All Scottish public bodies
Requirements and deadlines:
  • Finalise and disseminate central cyber incident reporting and coordination protocols and template cyber incident response plans (Scottish Government, NCSC, Police Scotland). Deadline: End 2017
  • Ensure cyber incident response plans in place and aligned with central protocols (All Scottish public bodies). Deadline: End June 2018
Page no. action plan: 23-24
Page no. toolkit: 12

Key action 8
Action required of: Scottish Government; Scottish Government; Scottish Government; All Scottish public bodies
Requirements and deadlines:
  • Seek views of Scottish business organisations on draft supply chain cyber security policy on procurement (Scottish Government). Deadline: Early 2018
  • Publish Scottish Procurement Policy Note as part of Scottish Public Sector Cyber Resilience Framework (Scottish Government). Deadline: End May 2018
  • Align grant funding guidance and SPFM (Scottish Government). Deadline: End May 2018
  • Implement Scottish Procurement Policy Note and grant funding guidance as part of Scottish Public Sector Cyber Resilience Framework (All Scottish public bodies). Deadline: From June 2018
Page no. action plan: 24-26
Page no. toolkit: N/a

Key action 9
Action required of: Scottish Government
Requirements and deadlines:
  • Put in place Dynamic Purchasing System for Digital services (including cyber security) for Scottish public sector. Deadline: End Oct 2017
Page no. action plan: 26
Page no. toolkit: N/a

Key action 10
Action required of: Public Sector Cyber Catalysts; All Scottish public bodies, inc. Cyber Catalysts; Public Sector Cyber Catalysts
Requirements and deadlines:
  • Work with Scottish Government, NCSC and NCRLB to finalise Scottish Public Sector Cyber Resilience Framework, and identify key challenges facing Scottish public sector (Public Sector Cyber Catalysts). Deadline: By end June 2018
  • Begin implementation of, and (in line with final arrangements) reporting against, Framework (All Scottish public bodies, inc. Cyber Catalysts). Deadline: From end June 2018
  • Share learning and knowledge with wider public sector (Public Sector Cyber Catalysts). Deadline: In line with progress
Page no. action plan: 27-29
Page no. toolkit: N/a

Key action 11
Action required of: All Scottish public bodies; Scottish Government
Requirements and deadlines:
  • Informal, working-level responses to enquiries on progress from Scottish Government Cyber Resilience Unit (All Scottish public bodies). Deadline: Ongoing
  • Provide one-off written assurance at Board/Senior Management level on the following (All Scottish public bodies). Deadline: End June 2018
    • confirmation of (i) having undergone a Cyber Essentials pre-assessment, (ii) having taken a decision on whether to seek Cyber Essentials or Cyber Essentials Plus, and (iii) the expected timelines for achieving this.
    • Board/Senior Management level commitment and basic governance arrangements.
    • CiSP membership.
    • Appropriate use of Active Cyber Defence measures.
    • Appropriate training and awareness raising processes.
    • Cyber incident response protocols, aligned with central mechanisms.
  • Provide one-off written confirmation that Cyber Essentials or Cyber Essentials Plus certification has been achieved (All Scottish public bodies). Deadline: End October 2018
  • Develop and implement appropriate monitoring and evaluation arrangements as part of Scottish Public Sector Cyber Resilience Framework, and communicate these to public bodies (Scottish Government). Deadline: End June 2018
Page no. action plan: 29
Page no. toolkit: 12-14

Key milestones

Key milestones flowchart (figure not reproduced in this text version)
