Publication - Advice and guidance

Cyber security: guidance for public sector buyers

Published: 15 Jan 2020
Directorate: Safer Communities Directorate
Part of: Law and order, Public sector
ISBN: 9781839601392

Guidance setting out best practice from the National Cyber Security Centre, the UK technical authority on cyber security.

Annex B – Review of Existing Contracts – Prioritisation – Illustrative Example

1. An example of how to conduct a review of cyber risks in existing contracts is set out below. This approach was adopted by a public sector organisation and has been shared for illustrative purposes only.

Overarching approach

  • All relevant areas should conduct a Risk Assessment on any contract which is currently live but has not had a Risk Assessment completed. The Risk Assessment is conducted using [the online decision-making support tool], and should take no more than [1 – 2 hours] to complete.
  • Suppliers should then be requested to complete a Supplier Assurance Questionnaire (SAQ) in line with the prioritisation approach set out below (which proposes a series of Tranches and Steps). This will identify compliance, the need for risk acceptance, or the requirement to discuss the implementation of a Cyber Improvement Plan to address non-compliance where the risk is deemed not acceptable.
  • The review process is complete once all Risk Assessments and SAQs are complete for each contract.

Prioritisation

  • A logical and risk-based approach will be adopted. It will use Tranches and Steps to prioritise work to address the contracts with the greatest risk first.
  • Contracts with fewer than 2 years left to run are out-of-scope (unless a ‘wild card’ – see below).
  • Older contracts which still have more than 2 years left to run are assessed as being at greater risk and are prioritised for risk assessment and remediation/acceptance of risk.
  • Remediation will be effected via contract change. Cyber risk in existing contracts can be accepted via a defined process.
  • Contracts may be identified as a ‘Wild Card’ and prioritised at the discretion of the risk owner, despite not meeting the relevant criteria set out above.

Tranches and steps

  • Tranche 1 will begin on [X date] with a target completion date of [Y date]. It will focus on contracts that are more than five years old but which still have more than 2 years left to run, and which are assessed by the decision-making support tool as being [moderate/high risk]. Within this class of contracts:
    • The first step will be to address any contract which supports a TOP SECRET (or above) capability or contains TOP SECRET (or above) information.
    • The second step will be to address any contract which supports a SECRET capability or contains SECRET information.
    • The third step will be to address any contract which processes sensitive personal data as defined by the GDPR.
    • The fourth step will be to address any contract which supports an OFFICIAL SENSITIVE capability or contains OFFICIAL SENSITIVE data (this includes any personal data).
    • The fifth step will be to address any other relevant contract.

The diagram below presents a visual representation of this process.

[Diagram: Step-by-step approach to prioritising work]

  • Tranche 2 will begin on [X date] with a target completion date of [Y date]. It will focus on contracts that are fewer than five years old but which still have more than 2 years left to run, and which are assessed by the decision-making support tool as being [moderate/high risk]. Prioritisation of steps will be as for Tranche 1.
  • Tranche 3 will begin on [X date] with a target completion date of [Y date]. It will focus on contracts that are more than five years old but which still have more than 2 years left to run, and which are assessed by the decision-making support tool as being [low risk]. Prioritisation of steps will be as for Tranche 1.
  • Tranche 4 will begin on [X date] with a target completion date of [Y date]. It will focus on contracts that are fewer than five years old but which still have more than 2 years left to run, and which are assessed by the decision-making support tool as being [low risk]. Prioritisation of steps will be as for Tranche 1.
  • Tranche 5 will begin on [X date] with a target completion date of [Y date]. It will address any remaining contracts.
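As an added illustration, and not part of the guidance, the organisation's own process, or the decision-making support tool, the script below applies the Tranche and Step rules above to a constructed contract portfolio and produces a work queue ordered by Tranche then Step. The risk rating is assumed to arrive as a simple moderate/high versus low flag from the support tool; the protective-marking labels and the handling of boundary cases the text does not name (a contract exactly five years old, or with exactly two years left) are assumptions and are marked in the comments.

```python
"""Triage of existing contracts into Tranches and Steps.

Added illustration only: not the support tool or any organisation's script.
Assumptions are marked in comments.
"""
from dataclasses import dataclass
from typing import Optional

# Protective-marking tiers, highest first. Anything ranked at or above
# TOP SECRET is treated as "TOP SECRET (or above)". Labels are assumed.
MARKING_RANK = {
    "TOP SECRET": 3,
    "SECRET": 2,
    "OFFICIAL SENSITIVE": 1,
    "OFFICIAL": 0,
}


@dataclass
class Contract:
    name: str
    age_years: float                          # time since the contract was awarded
    years_remaining: float                    # time left to run
    high_risk: bool                           # True if the tool rated it moderate/high
    marking: str                              # highest marking supported or contained
    sensitive_personal_data: bool = False     # sensitive personal data under the GDPR
    wild_card_tranche: Optional[int] = None   # risk owner's override for a 'Wild Card'


def tranche_for(c: Contract) -> Optional[int]:
    """Return the Tranche number, or None if the contract is out of scope."""
    if c.wild_card_tranche is not None:
        return c.wild_card_tranche            # Wild Card: risk-owner discretion wins
    if c.years_remaining < 2:
        return None                           # fewer than 2 years left: out of scope
    in_scope = c.years_remaining > 2
    older = c.age_years > 5
    newer = c.age_years < 5
    if in_scope and older and c.high_risk:
        return 1
    if in_scope and newer and c.high_risk:
        return 2
    if in_scope and older and not c.high_risk:
        return 3
    if in_scope and newer and not c.high_risk:
        return 4
    # Boundary cases the text does not name (exactly 5 years old, exactly
    # 2 years left) fall to Tranche 5, "any remaining contracts" (assumption).
    return 5


def step_for(c: Contract) -> int:
    """Return the Step (1-5) within a Tranche, following the five steps above."""
    rank = MARKING_RANK.get(c.marking, 0)
    if rank >= MARKING_RANK["TOP SECRET"]:
        return 1
    if rank == MARKING_RANK["SECRET"]:
        return 2
    if c.sensitive_personal_data:
        return 3
    if rank == MARKING_RANK["OFFICIAL SENSITIVE"]:
        return 4
    return 5


def prioritise(contracts):
    """Return (work_queue, out_of_scope); work_queue is sorted by (Tranche, Step)."""
    queue, skipped = [], []
    for c in contracts:
        t = tranche_for(c)
        if t is None:
            skipped.append(c.name)
        else:
            queue.append((t, step_for(c), c.name))
    queue.sort()
    return queue, skipped


# Constructed sample portfolio; names and values are made up for the example.
SAMPLE = [
    Contract("payroll-hosting", 7, 3, True, "OFFICIAL SENSITIVE", sensitive_personal_data=True),
    Contract("secure-comms", 3, 4, True, "SECRET"),
    Contract("grounds-maintenance", 8, 6, False, "OFFICIAL"),
    Contract("legacy-printing", 9, 1, True, "OFFICIAL SENSITIVE"),
    Contract("case-mgmt", 2, 2.5, False, "OFFICIAL SENSITIVE"),
    Contract("expiring-but-critical", 6, 1, True, "TOP SECRET", wild_card_tranche=1),
]

if __name__ == "__main__":
    queue, skipped = prioritise(SAMPLE)
    for t, s, name in queue:
        print(f"Tranche {t}, Step {s}: {name}")
    print("Out of scope:", skipped)
```

Note that "expiring-but-critical" has only one year left and would be out of scope, but the risk owner has flagged it as a Wild Card, so it lands at the front of the queue; "legacy-printing", with one year left and no Wild Card flag, is reported separately rather than silently dropped, so the review owner can see what was excluded and why.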

Process completion and outcomes

  • The review process is complete once all risk assessments and SAQs are complete for each Tranche.
  • A successful outcome will be to illuminate, understand and manage the cyber risk exposure across the department’s supply chain, not to mitigate every single risk.

This guidance note has been produced by the Scottish Government Cyber Resilience Unit to support implementation of the Scottish Public Sector Cyber Resilience Framework.

Please send all comments, questions or additions to cyberresilience@gov.scot

Contact

Email: CyberResilience@gov.scot