Annex B: High-level concept for Scottish Public Sector Cyber Resilience Framework
1. This annex sets out a high level concept for the development of a Scottish Public Sector Cyber Resilience Framework.
2. The Scottish Government will work with the NCRLB, the NCSC, the Scottish public sector cyber catalysts and other key partners to develop this concept by end June 2018, with a view to implementing it thereafter. It will be subject to change as UK Government plans for implementation of the NIS Directive become clearer in early 2018.
3. The Framework will aim to:
- Provide a common, effective approach for Scottish public bodies to assess their levels of cyber resilience, ensure they adhere to minimum cyber resilience requirements, and progress towards achieving higher levels of cyber resilience on a risk-based and proportionate basis.
- Align with the new NIS Directive legislation and guidance and other key measures, to ensure consistency with forthcoming developments. Clarity on the key requirements of these initiatives is expected to have been achieved by early 2018.
- Take account of foreseeable technological developments, such as a move to greater reliance on cloud systems and the further development of Smart City technologies and the Internet of Things.
- As far as possible, minimise any additional burdens on Scottish public bodies, including by making clear how the Framework relates to existing standards or requirements, and taking account of these when providing guidance on compliance. Wherever possible, the Scottish Government will work closely with the UK Government to promote rationalisation and alignment of different standards, although this will take time to achieve.
- Help to provide clarity and assurance to individual organisations, Ministers, Parliament and the public that appropriate levels of cyber resilience are in place across Scottish public bodies. Appropriate monitoring and evaluation arrangements will be put in place to align with the Framework (see Key Action 11). Consideration will be given to clarifying appropriate penetration testing and audit requirements under the framework, and aligning these with existing requirements such as PSN accreditation.
- Seek to align with a similar framework/hierarchy under development as part of the development of private and third sector action plans on cyber resilience by the Scottish Government and the NCRLB.
Overview of key proposed features
4. The concept framework takes as its starting point the new NIS Directive legislation and guidance (which itself draws on existing frameworks such as the NIST Cyber Security Framework). Subject to the final shape of the NIS Directive legislation, it is expected that it will cover the following 4 key domains of cyber resilience:
- Identify (Governance and Risk Management): Appropriate organisational structures, policies and processes are in place to understand, assess and systematically manage risks to the network and information systems supporting essential services. Specific requirements will be set out in respect of:
- Risk management
- Asset management
- Supply chain risk management
- Protect: Proportionate security measures should be in place to protect essential services and systems from cyber-attack, system failures, or unauthorised access. Specific requirements will be set out in respect of:
- Service protection policies and processes
- Identity and access control
- Data security
- System security
- Resilient networks and systems
- Staff awareness and training
- Detect: Appropriate capabilities should be in place to ensure network and information system security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services/public services. Specific requirements will be set out in respect of:
- Security monitoring
- Anomaly detection
- Respond and recover: Capabilities should be in place to minimise the impact of a cyber security incident on the delivery of essential services/public services, including the restoration of those services where necessary. Specific requirements will be set out in respect of:
- Response and recovery planning
5. Within and across these 4 key domains, the concept framework proposes clear stages of progression that Scottish public bodies can work towards. These will be as follows:
- Initial baseline: These will be the initial baseline requirements that all Scottish public bodies will be expected to meet as a minimum by end June 2018 (or end October 2018 in the case of Cyber Essentials certification/independent assurance of critical controls). These requirements will aim to ensure that all Scottish public bodies have in place a common baseline of good cyber resilience practice in the short term.
It is expected that the majority of Scottish public bodies will already in effect be meeting these requirements. However, the requirements set out under the initial baseline stage will provide clarity and assurance that this is the case.
These initial baseline requirements form part of the public sector action plan. Key Actions 2 to 7 set out how Scottish public bodies will be asked to make progress towards meeting these initial baseline standards.
- Target: The requirements under this stage of progression will be those that all Scottish public bodies will be expected to work towards meeting, on a risk-based and proportionate basis. They are expected to be aligned with the new Security Policy Framework Technology Security Standard and other key existing standards and guidelines, and should, when met, help ensure that good practice in respect of cyber resilience is in place across Scottish public bodies.
- Advanced: These requirements will align with the NIS Directive legislation and guidance. Scottish public bodies in the health and water sectors will automatically be subject to these requirements under relevant legislation. However, the Scottish Government will also encourage other public bodies that form part of critical infrastructure in Scotland to work towards achieving the requirements under this highest stage of progression.
6. The Scottish Government will work closely with key partners to ensure a clear understanding of the way in which existing standards, requirements and guidelines can contribute to assurance that requirements under the Framework's different domains and stages of progression are being met. In particular, in view of the landscape within which Scottish public bodies are currently operating, it will be made clear how the following standards, requirements and guidelines can offer guidance or assurance in respect of each domain and progression level:
- Cyber Essentials (Plus)
- Public Service Network (PSN) Information Assurance Obligations
- Public Service Network for Policing (PSNP) Information Assurance Obligations
- The NHSScotland Information Security Policy Framework
- The 10 Steps to Cyber Security
- The IASME Governance Standard
- ISO 27001
- The SANS Top 20 Critical Controls
- The NIS Directive Legislation requirements and guidelines
7. To support this, the Scottish Government will explore the potential for the development of a self-assessment and reporting tool that, as well as supporting Scottish public sector organisations to assess and report on their organisational progress against the Scottish Public Sector Cyber Resilience Framework, could make clear the links between other standards, requirements or guidelines (including the Competent Authority NIS Assessment process), and assist in "translating" these into a self-assessment against the Framework (see also Annex C – Key monitoring and evaluation measures for Scottish public bodies).
8. The Scottish Government will also work with the NCRLB and key partners to make clear how the 4 domains and 3 stages of progression relate to similar hierarchies that are currently under development by the NCRLB in respect of the private and third sectors. The aims of this alignment will be to:
- assist with benchmarking and example-setting across different sectors; and to
- promote an understanding of levels of cyber resilience across Scotland as a whole.
9. The following pages provide an early example of what the NCRLB and the Scottish Government aim to achieve in respect of the overarching framework.