Cyber security: guidance for public sector suppliers

Published: 15 Jan 2020
Directorate: Safer Communities Directorate
Part of: Law and order, Public sector
ISBN: 9781839601392

Guidance setting out best practice from the National Cyber Security Centre, the UK technical authority on cyber security.

30 page PDF

997.8 kB

Introduction

1. The Scottish Public Sector Action Plan on Cyber Resilience (PSAP) was published in November 2017 and set out a commitment to develop a proportionate, risk-based policy in respect of supply chain cyber security for Scottish public sector organisations. This Supplier Cyber Security Guidance Note has been developed to meet that commitment.

2. This guidance note forms part of the Scottish Public Sector Cyber Resilience Framework. It is intended for use by public sector organisations that are implementing the PSAP[1] and the Framework. The Framework is expected to be embedded in a number of audit and compliance requirements that apply to different parts of the Scottish public sector including the Scottish Public Finance Manual and Certificates of Assurance processes, with the aim of improving consistency and trust across the Scottish public sector.

3. In line with previous discussions and agreements between Scottish Ministers and key public sector partners, while it is ultimately for individual public sector organisations to decide on and adopt an approach to supplier cyber security that best meets their risk profile/appetite, wherever possible the adoption of a consistent approach to this issue is encouraged across the Scottish public sector. For the purposes of this guidance note, the Scottish public sector is broadly defined, and includes NDPBs, Non-Ministerial Departments, local authorities, health boards and universities and colleges.

4. This guidance note has benefited from advice from key partners in the Scottish public, private and third sectors, including public sector centres of procurement expertise. The Scottish Government works closely with the National Cyber Security Centre (NCSC), the UK-wide authority on cyber security, to ensure its work on cyber resilience is informed by appropriate technical expertise. As a result, the note aligns closely with NCSC supply chain guidance. Where appropriate, it also references guidance from the Centre for the Protection of National Infrastructure (CPNI), the UK-wide authority which provides protective security advice to businesses and organisations across the UK national infrastructure.

5. Cyber security arrangements for systems processing personal data form a key aspect of compliance with the new General Data Protection Regulation (GDPR), which took effect on 25th May 2018. However, the data protection obligations placed on organisations and their supply chains by GDPR go wider than technical measures to protect personal data. Public sector organisations are asked to consider carefully how this guidance note can/should be embedded in wider measures to support compliance with GDPR. The decision-making support tool described at Key Point 4 of this guidance note (The Scottish Cyber Assessment Service or “SCAS”), has been designed to encompass GDPR requirements in respect of technical protections for personal data.

6. It must be clearly understood that cyber security can also be important in contexts not involving personal data, such as arrangements involving sensitive official information, industrial control systems or the “Internet of Things” (where computing devices are embedded in everyday physical objects, which are then enabled to communicate, be controlled, etc. via the Internet).

The Importance of Supplier Cyber Security

7. Most Scottish public sector organisations rely on suppliers or other partners to deliver products, systems and services, and must exchange information with those partners to deliver those services effectively. Often these relationships form part of public sector organisations’ supply chains. Supply chains can be large and complex, involving many suppliers doing many different things.

8. Effectively securing suppliers and the supply chain against cyber-attacks can be difficult because vulnerabilities can be inherent in suppliers’ systems, or introduced and exploited at any point in the supply chain. The NCSC notes that a vulnerable supply chain can cause significant damage and disruption to organisations. Examples of supply chain attacks can be found here.

9. A series of high profile, very damaging attacks has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and growing. There is a clear need for Scottish public sector organisations to understand the cyber threat to supply chain security and to take appropriate, proportionate action to mitigate it.

The Key Aims of This Guidance

10. The key aims of this Supplier Cyber Security Guidance Note are:

  • To support Scottish public sector organisations to put in place consistent, proportionate, risk-based policies that effectively reduce the risk of Scottish public services being damaged or disrupted by cyber threats as a result of supplier cyber security issues;
  • To minimise any necessary additional burdens on Scottish public sector organisations (as purchasers) and private and third sector organisations (as suppliers), whilst ensuring the presence of proportionate cyber security controls in the public sector supply chain. This includes a requirement to avoid discouraging SMEs, in particular, from bidding for public sector contracts. This latter aim will be supported by ensuring greater uniformity of the requirements placed on suppliers (thus minimising the number of conflicting demands they face), and by providing a decision-making support tool to aid consistent, proportionate implementation by public sector organisations; and
  • To ensure alignment where possible with key requirements in respect of supply chain cyber security that have implications for the Scottish public sector and its supply chains. These include the EU Security of Network and Information Systems (NIS) Directive as transposed into UK-wide legislation and guidance[2].

Questions And Feedback

11. Public sector organisations with questions around implementation of this guidance note should write to cyberresilience@gov.scot for advice. Feedback is welcomed, and this guidance note will be updated on an ad hoc basis as required.

Scottish Public Sector Supplier Cyber Security – Guidance Note

1. This section describes the broad policy approach that Scottish public sector organisations are encouraged to take to supplier cyber security.

Summary

2. In summary, Scottish public sector organisations are encouraged to adhere to 4 Key Points when managing cyber risks in their supply chains:

i. Key Point 1: They should follow the cyber security principles (the 12 Principles of Supply Chain Security) endorsed by the NCSC;

ii. Key Point 2: In particular, public bodies should broadly align their approach to NCSC Principle 5 (“Set and communicate minimum security requirements for suppliers”) with the “Use Cases” provided by the NCSC. These “Use Cases” (or Case Studies) provide examples of how the principles can be applied in practical supply chain scenarios;

iii. Key Point 3: When implementing these principles, public bodies should embed in their procurement processes an appropriate and proportionate information/cyber security assurance process. This process can be used to help public bodies assess levels of cyber risk when procuring. It may take the form of a questionnaire or some other method to support local decision making. It can help to determine, for example, whether any personal data processing is involved as part of a contract or framework agreement, and also the technical protections that might be needed as a result.

iv. Key Point 4: In some circumstances, an information/cyber assurance process may indicate that accreditations and certification such as Cyber Essentials, IASME and ISO27001 (allowing also for equivalent standards) may be appropriate to provide additional assurance. The need for accreditations/certifications should continue to be judged on a case-by-case basis by public bodies, with judgements as to proportionality supported by the information/cyber assurance process. Understanding the scope (and expiry date) of any certification is important.

Annex A describes types of accreditations and associated costs to help public bodies with this assessment. Public bodies are encouraged to note that Scottish Government support in the form of a voucher scheme is being made available to SME and third sector organisations to help them achieve Cyber Essentials certification where this is needed. Public bodies should consider promoting this support to their suppliers as appropriate[3].

A beta version of a decision-making support tool called the Scottish Cyber Assessment Service is being made available to support local information assurance processes used by public bodies, and to help promote greater consistency of application of this guidance note across the Scottish public sector.

The tool is being tested as an “open beta”. This means it is available for general use in a “live environment”, to allow for the gathering of feedback to improve performance. Any public sector organisation can make use of the tool to support their decision-making on supplier cyber security where they judge it appropriate to do so. Information on the beta version of the SCAS tool, and how to use it in Scottish public procurement processes, is available here.

Scottish Government procurement processes have been strengthened in line with these Key Points.

3. Overall this guidance note advocates a proportionate approach to cyber security. It is intended to enable public organisations to manage cyber risks while mitigating any possible unintended impacts, particularly on SME suppliers, for example by making procurements uncompetitive due to disproportionate barriers to entry for firms.

Applicability And Timelines

“Supplier Cyber Security” – In Which Situations Does This Guidance Note Apply?

4. This guidance note uses the terminology “supplier cyber security” throughout, as it is primarily intended to be relevant to situations in which public sector organisations are relying on suppliers – whether they be public (e.g. “shared service”), private or third sector organisations – to deliver goods or services under commercial contractual arrangements (i.e. as part of a supply chain).

5. The broad approach set out in this guidance note may also be appropriate in circumstances where public sector organisations rely on other organisations to deliver services under non-commercial arrangements (e.g. services provided by third sector organisations under grant funding or partnership arrangements).

6. Central guidance on grant funding and proportionate cyber security requirements will be developed on the basis of this guidance note in due course, to ensure clarity around issues of proportionality.

7. In general, public sector organisations are encouraged to consider all relevant circumstances where a cyber risk to their own security may be present as a result of interactions with other organisations, and consider applying the approach set out in this guidance accordingly.

Applicability – New and Existing Contracts – Timelines

8. Scottish public sector organisations are encouraged to begin applying this guidance note to all new contracts and other relevant arrangements with suppliers as soon as they are able to update their processes accordingly, and in any case during Financial Year 2019-20.

9. Scottish public sector organisations are also encouraged to give consideration to applying this guidance to existing contracts or supplier arrangements where appropriate. This could be done by undertaking a contract review process (where possible and appropriate to do so, on the basis of relevant financial, legal and risk management advice). Public sector organisations are encouraged to make judgements around the prioritisation of such work on the basis of risk and criticality of services, adopting an appropriately selective and/or phased approach to implementation. It is for individual public sector organisations to make an assessment of the appropriate scope and timeframe for such review processes, based on their own specific circumstances and assessment of risk.

An example approach of prioritisation of contract review, developed by a UK public sector organisation, is included at Annex B for illustrative purposes.

Where public sector organisations are subject to the Security of Network and Information Systems (NIS) Directive (in Scotland, this currently includes those in the health and water sectors), it is expected that Competent Authorities may wish to work with those bodies to arrive at a view on which existing arrangements should be prioritised to bring them into line with this guidance note and NIS requirements.

Key Point 1 – Adoption of NCSC Supply Chain Principles

10. Scottish public sector organisations are encouraged to have regard to the NCSC’s 12 Principles of Supply Chain Security[4] and consider carefully how best to incorporate the principles into their procurement processes and policies in a proportionate and effective way. This guidance note does not reproduce the principles in full and Scottish public sector organisations should refer to the most up to date version of the NCSC guidance on its website.

11. Some key practical points that public bodies may find helpful when implementing the principles are set out in the table below. Please note that these practical points are intended to complement and promote practical implementation of the NCSC principles, not replace them.

Understand the risks

NCSC Principle 1: Understand what needs to be protected and why

Practical considerations: This principle may be understood by Scottish public sector organisations both in the context of (i) their overall cyber risk governance arrangements and (ii) specific contractual arrangements:

(i) The Public Sector Action Plan asked that all organisations have in place minimum cyber risk governance arrangements by end June 2018. These should already be helping public sector organisations to identify key assets/services that must be protected from cyber threats that may be introduced through supply chains. This understanding should mature over time.

In implementing this principle, public sector organisations may wish to give thought to how the supply chain cyber risk to these assets should be reflected in corporate risk registers.

(ii) This principle can also be understood in the context of risk assessment of specific contractual or other service-provision arrangements with suppliers – i.e. understanding what needs to be protected in specific circumstances and why. Adoption of information/cyber assurance processes can therefore help support application of this principle.

The beta version of the decision-making support tool (SCAS) can support consistent implementation of information/cyber assurance processes. Information on what SCAS is and how to use it can be found here.

NCSC Principle 2: Know who your suppliers are and build understanding of what their security looks like

Practical considerations: The first part of this principle represents broader good practice in the context of supplier arrangements. It is good practice for Scottish public sector organisations to build, over time, clear central records that help them understand who is supplying what goods or services to their organisations. They may wish to view this as a process of continuous improvement, and approach it in a proportionate way. They may, for example, wish to focus on areas of high risk identified as a result of governance processes (e.g. prioritising an understanding of which suppliers have access to personal data or sensitive information for which the organisation is responsible).

The requirement to understand suppliers’ security arrangements in the context of specific contracts can be supported by the development of appropriate information/cyber assurance processes as outlined later in this guidance.

Scottish public sector organisations are encouraged to make proportionate judgements, on the basis of risk, as to “how far down” the supply chain they should go (1st tier, 2nd tier, etc.) to build a picture of their supply chain and their security arrangements. For example, where supplier arrangements involve access to personal data or sensitive information for which the organisation is responsible, they may wish to require “Tier 1” suppliers as part of contractual arrangements to provide information on relevant sub-contracting and to apply consistent minimum security requirements.

The beta version of the decision-making support tool (SCAS) can support implementation of this principle, by helping public bodies to seek proportionate information from suppliers about their security arrangements in the context of specific contracts, and to build up an overarching picture of supplier cyber security over time. Consideration is also being given to extending SCAS in due course, to allow contracting authorities to manage risk further down the supply chain (the first iteration of the tool only supports consideration at the Tier 1 level). Information on what SCAS is and how to use it can be found here.

NCSC Principle 3: Understand the security risk posed by your supply chain

Practical considerations: The NCSC guidance provides helpful links to relevant resources aimed at supporting consideration of risk, which may help to strengthen public sector organisations’ overall governance arrangements.

The beta version of the decision-making support tool (SCAS) can also support effective application of this principle, by helping to build an overview of all contracts an organisation has where a cyber risk is present. Information on what SCAS is and how to use it can be found here.

Establish Control

NCSC Principle 4: Communicate your view of security needs to your suppliers

Practical considerations: The Scottish Government is working with the Supplier Development Programme to raise awareness of this guidance note amongst suppliers to the public sector, and to help promote a general understanding of how they can comply with minimum cyber security requirements.

The Scottish Government has also produced a supplier communications toolkit and associated materials – available here – that can be used to support awareness raising about this policy and cyber resilience generally amongst suppliers. Organisations are free to make use of this toolkit and associated materials to support general communication with their suppliers if they wish to do so.

The beta version of the decision-making support tool (SCAS) can also support effective application of this principle in the context of specific contractual arrangements. Information on what SCAS is and how to use it can be found here.

NCSC Principle 5: Set and communicate minimum security requirements for your providers

Practical considerations: This principle is key to the effective application of the guidance note. It is explicitly linked to the NCSC use cases, which provide examples of the sorts of minimum security requirements that may be appropriate in different scenarios. This guidance note encourages public sector organisations to align their approach to minimum security requirements with the NCSC use cases.

Responsibility for ensuring appropriate minimum security requirements are in place rests with individual public sector organisations.

The beta version of the decision-making support tool (SCAS) has been produced to help support effective, consistent application of this principle. It is intended to align with the broad approach set out in the NCSC Use Cases. Information on what SCAS is and how to use it can be found here.

NCSC Principle 6: Build security consideration into your contracting processes and require that your suppliers do the same

Practical considerations: This guidance note encourages Scottish public sector organisations to build consideration of cyber risk and minimum cyber security requirements into their procurement processes at appropriate stages, via the proportionate incorporation of information/cyber assurance processes.

Scottish Government procurement processes have been updated where relevant, so that they promote the appropriate, proportionate use of information/cyber assurance assessments. The model contractual terms and conditions made available by the Scottish Government to the wider public sector have been updated to reflect the Guidance Note and (where appropriate) to support use of SCAS.

The Procurement Journey and Supplier Journey have also been updated to reflect the contents of this guidance note, and to promote use of SCAS.

The Scottish Government has produced some example wording that public sector organisations can incorporate into Invitations to Tender, reflecting the contents of this guidance note and use of SCAS. Information on what SCAS is and how to use it can be found here.

Scottish public sector organisations should consider including contractual requirements for Tier 1 suppliers to provide information on relevant sub-contracting, and to apply consistent minimum security requirements that the public sector organisation requires.

Scottish public sector organisations should consider requiring contracts to be renewed at appropriate intervals, with reassessment of associated risks at the same time.

NCSC Principle 7: Meet your own security responsibilities as a supplier and consumer

Practical considerations: Scottish public sector organisations may in particular wish to view this principle in the context of:

  • their achievement of Cyber Essentials or Cyber Essentials Plus under the PSAP – demonstrating to stakeholders the importance they place on having basic technical controls in place across the public sector, and ensuring the ability to say to suppliers in appropriate circumstances: “We do this, so we expect you to do it too”; and
  • their obligations when receiving data from other public sector organisations, taking care to demonstrate what controls are in place that can give the sharing organisation confidence that the data will be appropriately handled and protected.

NCSC Principle 8: Raise awareness of security within your own supply chain

Practical considerations: The information/cyber assurance assessment process and the beta version of the decision-making support tool (SCAS) will help support communication of minimum security requirements in the context of specific contracts.

The Scottish Government is working with the Supplier Development Programme to help raise awareness of this guidance note amongst suppliers to the public sector, and to help promote a general understanding of how they can comply with minimum cyber security requirements.

The Scottish Government has also produced a communications toolkit and associated materials – here – that can be used to support awareness raising about this policy and cyber resilience generally amongst suppliers. Organisations are free to make use of this toolkit and associated materials to support general communication with their suppliers if they wish to do so.

Scottish public sector organisations should encourage suppliers that manage their own networks to join the Cybersecurity Information Sharing Partnership (CiSP) to help raise awareness of cyber threats.

NCSC Principle 9: Provide support for security incidents

Practical considerations: Suppliers should have clear contractual obligations placed upon them in appropriate circumstances to monitor and respond to cyber security incidents. The model terms and conditions made available by the Scottish Government for use by the wider public sector include requirements in this respect.

Scottish public sector organisations should also think carefully about what support they may reasonably need to provide to deal with security incidents, particularly those involving networks or systems that, if affected, could have a significant impact on their operations.

All Scottish public sector organisations should have developed cyber incident response plans under the PSAP, which should detail procedures when cyber incidents occur as a result of supplier arrangements.

Scottish public sector organisations are encouraged to share any key lessons learned from incidents with the SG Cyber Resilience Unit (CRU). CRU will facilitate sharing of these with the wider public sector as appropriate.

Check your arrangements

NCSC Principle 10: Build assurance activities into your supply chain management

Practical considerations: Model terms and conditions (available here) and example wording (available here) for inclusion in ITTs include requirements around upward reporting and management of cyber incidents and the “right to audit”.

Principle 5 of the NCSC supply chain guidance also covers recommended approaches to the use of certification that may require an element of independent testing and assurance (e.g. Cyber Essentials Plus).

Continuous improvement

NCSC Principle 11: Encourage the continuous improvement of security within your supply chain

Practical considerations: Scottish public sector organisations are encouraged to note the pragmatic, proportionate approach that is set out later in this guidance note with respect to minimum security requirements, and encapsulated in the beta version of the decision-making support tool (SCAS).

The Scottish Government has also produced a communications toolkit and associated materials – here – that can be used to support awareness raising about this policy and cyber resilience generally amongst suppliers. Organisations are free to make use of this toolkit and associated materials to support general communication with their suppliers if they wish to do so.

NCSC Principle 12: Build trust with suppliers

Practical considerations: Scottish public sector organisations are encouraged generally to build good relationships with suppliers, and to view cyber security as a shared concern.

Key Point 2 – Alignment of Minimum Security Requirements (Principle 5) With NCSC Use Cases

1. As noted above, Principle 5 of the NCSC’s Supply Chain Cyber Security Principles requires organisations to “Set and communicate minimum security requirements for suppliers”. The NCSC provides a set of “Use Cases” that offers examples of appropriate minimum security requirements for different circumstances.

2. Scottish public sector organisations are encouraged to consider these “use cases” as their starting point for consideration of minimum security controls. They cover four scenarios:

  • Protecting information shared with suppliers (Use case A)
  • Specifying security requirements to a supplier who is delivering something to you (Use case B)
  • Connecting a supplier’s systems (Use case C)
  • National security cases (Use case D)

3. One way for public bodies to implement this principle effectively and align with the NCSC Use Cases is to build appropriate requirements into organisational information/cyber assurance assessment processes.

A beta version of a decision-making support tool (the Scottish Cyber Assessment Service – SCAS) has been made available to the Scottish public sector to help support this, and to ensure consistent application by public sector organisations in Scotland. Further information on the SCAS tool, and how its use can help support the effective implementation of NCSC Principle 5, can be found here.

Key Point 3 – Implementing The Principles: Information/Cyber Assurance Processes

4. One effective way of implementing many of the NCSC principles, and Principle 5 in particular, is to ensure that an information/cyber assurance assessment is undertaken. The purpose of this is to help public bodies to understand the levels of cyber risk present in specific contractual or other arrangements with suppliers, and identify the appropriate minimum cyber security requirements to address that risk.

5. Information/cyber assurance processes will generally involve a questionnaire to help determine whether there is likely to be a cyber risk to a specific contract, and how significant the level of risk is. The outcome of that initial assessment should then generally inform the cyber security requirements that are placed on suppliers, and the questions asked of them to demonstrate they can appropriately mitigate risk.

6. The Procurement Journey and Supplier Journey, which facilitate best practice and consistency in procurement activity across the Scottish public sector, have been updated to reflect this guidance note and to prompt public sector buyers and suppliers to ensure consideration of cyber risks.

7. Scottish Government procurement processes have been updated so that they:

i. promote the use of information/cyber assurance assessments at the strategy development stage for individual procurements, to help understand what cyber risks may be present;

ii. encourage consultation with expert cyber colleagues where available and appropriate. Internal cyber resilience and/or data protection colleagues within organisations are often well-placed to help “sense-check” an initial risk assessment outcome, and help provide guidance as to what cyber security requirements should be placed on suppliers based on the outcome of the information/cyber assurance assessment. Where such expertise is available, this can greatly assist with ensuring appropriate application of cyber security standards based on the specific circumstances of the case. Where such expertise is not available internally, and the cyber risks associated with a procurement appear significant, public bodies may wish to consider procuring external cyber security advice in appropriate circumstances (for example, via Lot 3 of the Dynamic Purchasing System);

iii. encourage (where appropriate) the identification and communication of clear, proportionate minimum cyber security requirements when procuring. Bidders will then be required, where appropriate, to demonstrate how they meet these requirements when responding to tendering opportunities; and

iv. in order to ensure proportionality, allow for buyers to opt to manage cyber risks in a proportionate way. This may include requiring suppliers to achieve compliance with minimum security requirements over a certain timeframe on condition of contract award (thus preventing automatic exclusion of suppliers that do not initially have appropriate protections in place, but who are willing to work towards achieving these).

Where appropriate, these processes make use of the beta version of the decision-making support tool (the Scottish Cyber Assessment Service), in order to ensure greater consistency of application, and to minimise the additional necessary burdens placed on buyers and suppliers. Further information on SCAS, and how to use it in procurement processes, can be found here.

8. Where public sector organisations are using their own procurement or other processes to secure goods or services from suppliers, they are encouraged to consider incorporating their own information/cyber assurance processes as appropriate. They may also make use of the decision-making support tool described below to facilitate this.

Key Point 4 – Proportionate Use of Certification and Accreditation

9. Some of the NCSC Use Cases propose the use of certification or accreditation as evidence of compliance with cyber security requirements. Some Scottish public sector organisations already ask suppliers to demonstrate that they hold cyber security certifications in certain circumstances.

10. Certification should be seen as one way of gaining greater assurance around a supplier’s cyber security, beyond assertions made by the supplier. Others include the incorporation of cyber security requirements into contractual terms and conditions, and audit.

While the beta version of the SCAS tool provides a way for suppliers to self-assess against a contract’s cyber security requirements, and answers can be incorporated into terms and conditions and audited where appropriate, certification can provide another type of independent confirmation that a supplier’s answers are accurate.

11. Scottish public sector organisations are encouraged to adopt the following broad approach to cyber security accreditation and certification when procuring goods and services:

  • They should judge the need for accreditation or certification on the basis of an appropriate information/cyber security assurance process. Judgements should be made on a case-by-case basis, in view of the organisation’s need for independent assurance that appropriate cyber security controls are in place.
  • Questions around the scope of certification, any expiry date, and ensuring ongoing good practice are vitally important.
  • Certification/accreditation should be viewed as one way of achieving independent assurance that cyber security requirements are in place. It should not be viewed as a “silver bullet” – good cyber security is fundamentally a cultural issue. Wider measures such as adherence to the 12 NCSC supply chain principles, use of contract requirements and use of audit are equally important.
  • The use of certification/accreditation can impose costs on both suppliers and purchasers, and this means that cost-effectiveness and proportionality must always be taken into account. However, certification/accreditation can also offer benefits to both suppliers and purchasers. For example, it can reduce the number of times suppliers and purchasers have to ask and answer detailed questions around compliance, as they may be able to rely on their certification for multiple procurements. It may also provide reputational benefits.
  • Public sector bodies should also consider accepting assurances from a supplier that they will work towards achieving any certification/accreditation by an agreed date.
  • Public sector bodies should be willing to accept equivalent evidence that demonstrates a level of cyber security that equates to or exceeds the requirements of certification/accreditation. They may wish to ask suppliers to provide concise, accessible evidence that this is the case (e.g. clear “mapping” of the controls under the actual certification produced by the supplier against the controls under the certification requested by the public sector organisation). The decision-making support tool has been designed to help “translate” the requirements of 3 key standards widely used in public and private sector procurement: Cyber Essentials, IASME Gold and ISO27001.

12. Scottish public sector organisations are encouraged to note the Scottish Government voucher scheme that is being made available to SME and third sector organisations to help them achieve Cyber Essentials certification. Scottish public sector organisations are encouraged to promote this scheme to their suppliers as appropriate, as one way of alleviating burdens on smaller potential suppliers and encouraging them to work towards meeting minimum security requirements.

13. Annex A provides further information on the likely costs and benefits of certification and accreditation.

Other Important Issues

Requirement To Ensure Proportionality

14. Scottish public sector organisations are encouraged to take a proportionate approach to the application of security controls in line with this guidance note. Where a cyber risk has been identified, any decisions about minimum cyber security requirements should be risk-based and proportionate to your organisation’s risk appetite. This is to avoid an overly prescriptive approach to cyber security.

The beta version of the decision-making support tool, SCAS, is intended to help inform these judgements, and to ensure that appropriate, but not overly prescriptive or expensive, security controls are considered. In particular, it supports and encourages the use of Cyber Improvement Plans for suppliers who do not, at the time of bidding, meet minimum cyber security requirements. More information on these issues can be found in “Using SCAS in Procurement”, which is available here.

Responsibility For Cyber Risk Management

15. It is for individual Scottish public sector organisations (with appropriate independent oversight from audit and competent authorities where applicable) to ensure they are working to identify cyber security risks in their supplier arrangements (or requiring suppliers to do so) and to interpret and implement the guidance set out in this document and elsewhere accordingly.

16. This guidance note and the beta version of the decision-making support tool (SCAS) are not intended to replace formal assessment processes or expert advice where these may be required. It is ultimately the responsibility of the individual public sector organisation to satisfy itself that cyber risk has been adequately assessed and mitigated, and, where appropriate, to seek expert advice from IT/information/cyber security/data protection professional colleagues or external consultants.

17. This responsibility includes assessing how best to incorporate the 12 NCSC principles into existing third party/supply chain/procurement policies and processes in a proportionate, effective way.


Contact

Email: CyberResilience@gov.scot