Summary of key actions for Scottish public bodies

| Key action no. | Action required of: | Requirements | Deadline | Page no. action plan | Page no. toolkit |
| --- | --- | --- | --- | --- | --- |
| Preparatory | All Scottish public bodies | - Provide contact details for (i) Board/Senior Management, (ii) working-level, and (iii) incident response to SG Cyber Resilience Unit. | End Nov '17 | N/a | 1 |
| 1 | Scottish Government, NCRLB, NCSC, Cyber Catalysts<br>Scottish Government | - Finalise Scottish Public Sector Cyber Resilience Framework, taking account of developments with NIS Directive and Security Policy Framework.<br>- Update Scottish Public Finance Manual to reflect Framework requirements. | End June 2018<br>End June 2018 | 12-14 | 2 |
| 2 | All Scottish public bodies | - Ensure minimum cyber risk governance arrangements in place. | End June 2018 | 15-16 | 2-3 |
| 3 | All Scottish public bodies managing networks | - Ensure membership of Cybersecurity Information Sharing Partnership. | End June 2018 | 16 | 3-4 |
| 4 | All Scottish public bodies | - Undergo Cyber Essentials "pre-assessment" funded (to defined limits) by Scottish Government.<br>- Take Board/Senior Management level decision on whether to pursue Cyber Essentials or Cyber Essentials Plus Certification.<br>- Achieve Cyber Essentials or Cyber Essentials Plus certification. [29] | End March 2018<br>End April 2018<br>End October 2018 | 16-20 | 4-10 and Annex A |
| 5 | All Scottish public bodies | - Ensure appropriate implementation of Active Cyber Defence measures. | End June 2018 | 20-21 | 10-11 |
| 6 | All Scottish public bodies<br>Scottish Government<br>All Scottish public bodies | - Ensure initial arrangements for appropriate training and awareness raising in place.<br>- Develop and disseminate core training and awareness raising approach, materials, etc. for use by public sector, as part of wider security training and awareness raising package.<br>- Adapt and implement core training and awareness raising approach, materials, etc. as it becomes available. | End June 2018<br>From March 2018-2020<br>From March 2018-2020 | 21-22 | 11 and Annexes B and C |
| 7 | Scottish Government, NCSC, Police Scotland<br>All Scottish public bodies | - Finalise and disseminate central cyber incident reporting and coordination protocols and template cyber incident response plans.<br>- Ensure cyber incident response plans in place and aligned with central protocols. | End 2017<br>End June 2018 | 23-24 | 12 |
| 8 | Scottish Government<br>Scottish Government<br>Scottish Government<br>All Scottish public bodies | - Seek views of Scottish business organisations on draft supply chain cyber security policy on procurement.<br>- Publish Scottish Procurement Policy Note as part of Scottish Public Sector Cyber Resilience Framework.<br>- Align grant funding guidance and SPFM.<br>- Implement Scottish Procurement Policy Note and grant funding guidance as part of Scottish Public Sector Cyber Resilience Framework. | Early 2018<br>End May 2018<br>End May 2018<br>From June 2018 | 24-26 | N/a |
| 9 | Scottish Government | - Put in place Dynamic Purchasing System for Digital services (including cyber security) for Scottish public sector. | End Oct 2017 | 26 | N/a |
| 10 | Public Sector Cyber Catalysts<br>All Scottish public bodies, inc. Cyber Catalysts<br>Public Sector Cyber Catalysts | - Work with Scottish Government, NCSC and NCRLB to finalise Scottish Public Sector Cyber Resilience Framework, and identify key challenges facing Scottish public sector.<br>- Begin implementation of, and (in line with final arrangements) reporting against, Framework.<br>- Share learning and knowledge with wider public sector. | By end June 2018<br>From end June 2018<br>In line with progress | 27-29 | N/a |
| 11 | All Scottish public bodies<br>Scottish Government | - Informal, working-level responses to enquiries on progress from Scottish Government Cyber Resilience Unit.<br>- Provide one-off written assurance at Board/Senior Management level on the following:<br>◦ confirmation of (i) having undergone a Cyber Essentials pre-assessment, (ii) having taken a decision on whether to seek Cyber Essentials or Cyber Essentials Plus, and (iii) the expected timelines for achieving this.<br>◦ Board/Senior Management level commitment and basic governance arrangements.<br>◦ CiSP membership.<br>◦ Appropriate use of Active Cyber Defence measures.<br>◦ Appropriate training and awareness raising processes.<br>◦ Cyber incident response protocols, aligned with central mechanisms.<br>- Provide one-off written confirmation that Cyber Essentials or Cyber Essentials certification has been achieved.<br>- Develop and implement appropriate monitoring and evaluation arrangements as part of Scottish Public Sector Cyber Resilience Framework, and communicate these to public bodies. | Ongoing<br>End June 2018<br>End October 2018<br>End June 2018 | 29 | 12-14 |