Cyber Resilient Scotland: strategic framework

Annex C: Action Plans 2021-23

The Scottish Government will work with its partners to implement the action plans.

Public Sector Action Plan

Overarching aims/Actions

1. Increase public sector organisations' understanding of cyber risks that may affect them

1.1 Increase access to, and use of, threat intelligence, situational awareness reports and alerts to inform understanding of risk

1.2 Promote the use of NCSC's Cyber Security Information Sharing Partnership (CiSP)

1.3 Review and improve the processes for alerting the public sector organisations to cyber threats, risks and incidents

1.4 Include information on cyber threat and risk into the advice and guidance from advisory/regulatory bodies

1.5 Support organisations to make use of research and innovation and engage with academia and innovation centres

2. Improve cyber resilient behaviours within public sector organisations

2.1 Promote staff awareness raising and workplace learning as a significant defence against cyber threats

3. Improve and increase opportunities for professional development of IT and cyber security staff across the public sector

3.1 Promote skills development opportunities within the workplace including:

• increasing the uptake of cyber security apprenticeship training
• ensuring skills development opportunities are inclusive
• ensuring that cyber security upskilling and reskilling opportunities are available nationwide
• supporting the cyber security profession by promoting the adoption of best practice and professional standards

3.2 Encourage employer engagement with education in order to inspire young people into careers in cyber security

4. Embed cyber security standards, regulations and compliance across public sector organisations

4.1 Promote the range of cyber security standards and regulations available to support informed choices for the public sector based on their exposure to risk and their risk appetite

4.2 Promote a baseline security standard, incorporating Cyber Essentials and Cyber Essentials Plus, to protect against the most common non-targeted cyber attacks

4.3 Encourage the cyber resilience of the public sector's supply chains, including their adoption of a secure by design approach

4.4 Influence the development of the NCSC's Cyber Essentials standard to ensure it stays relevant and appropriate for Scottish organisations

5. Embed cyber resilience into the governance, policies and processes of public sector bodies

5.1 Embed cyber resilience into governance arrangements to ensure decision-makers are equipped and supported to manage cyber risk

5.2 Support organisations to continue to identify and increase their cyber resilience maturity, including exploring options for an online self-assessment tool to enable organisations to assess their own cyber resilience maturity and provide assurance to the Scottish Government on an annual basis

5.3 Encourage organisations to progress past the baseline standards of the Scottish Government's Public Sector Cyber Resilience Framework and aim to align with a higher progression stage (Target or Advanced)

5.4 Review the Scottish Public Sector Cyber Resilience Framework every two years to ensure relevance in light of changing technologies and standards

5.5 Seek to embed the Scottish Public Sector Cyber Resilience Framework into the Scottish Public Finance Manual and Scottish Government grant processes

6. Raise awareness of the cyber security services available to public sector organisations

6.1 Support cyber security and managed IT service providers to become more secure and resilient

6.2 Support organisations to understand what services they need from cyber security and managed IT service providers

6.3 Maintain and promote the use of the Dynamic Purchasing Scheme to enable the public sector to have rapid access to cyber security expertise

6.4 Encourage Scotland-based cyber security companies to provide goods and services that can meet the cyber resilience needs of our public sector and digital public services

7. Support public sector organisations to prepare for, respond to and recover from cyber incidents

7.1 Increase good incident response arrangements across the public sector including:

• promoting testing and exercising, and in particular expanding the take up of the NCSC's Exercise in a Box Toolkit
• encouraging the use of NCSC Response and Recovery guidance

7.2 Promote and actively encourage uptake of the range of tools and services within the NCSC Active Cyber Defence programme and explore options for increasing accessibility for all public sector organisations

7.3 Embed cyber resilience into procurement and audit process

7.4 Explore options to migrate to an online incident reporting mechanism, as an evolution of the current central incident notification and reporting policy

7.5 Explore options for improving the cyber security operations (SOC) capabilities for the public sector as a whole

7.6 Use current evidence to inform effective and innovative approaches for improving cyber resilience across the public sector, engaging with innovation centres and academia

8. Ensure effective national cyber incident response

8.1 Establish an annual national cyber exercise to ensure effective ongoing cross-agency co-ordination arrangements

8.2 Raise awareness of national cyber incident management arrangements across government and its agencies to ensure preparedness

8.3 Review national cyber incident management arrangements on an annual basis

8.4 Improve cyber threat intelligence across agencies

9. Protect the digital systems that underpin Scotland's essential services

9.1 Ensure a secure by design approach is adopted across the supply chain and aligns with the UK Government's proposal for regulating the cyber security of smart products

10. Ensure that developments relating to Smart Cities are secure

10.1 Work with Smart Cities policy leads to ensure a secure by design approach is adopted in policy and aligns with the UK Government's proposal for regulating the cyber security of smart products as well as the uptake of NCSC's guidance to help authorities to build awareness and understanding of the security needed to design, build, and manage their connected places

Private Sector Action Plan

Overarching aims / Actions

1. Increase businesses' understanding of cyber risks that may affect them

1.1 Increase access to, and use of, threat intelligence, situational awareness reports and alerts to inform understanding of risk and improve the co-ordination and amplification of cyber threat messaging

1.2 Increase senior leaders' understanding and management of cyber risk to their organisations through a range of engagement activities

1.3 Promote the use of NCSC's Cyber Security Information Sharing Partnership (CiSP)

1.4 Work with key business touchpoints such as Banks, Solicitors, Accountants Managed Service Providers, Enterprise Agencies & Insurance Brokers to improve knowledge and awareness of Client/Business Relationship Managers on the range of cyber resilience resources in order that they can improve their portfolio of advice and guidance being offered to businesses/clients

1.5 Support businesses to make use of research and innovation and engage with academia and innovation centres

2. Improve cyber resilient behaviours within businesses

2.1 Promote staff awareness raising and workplace learning as a significant defence against cyber threats

3. Improve and increase opportunities for professional development of IT and cyber security staff across the private sector

3.1 Promote skills development opportunities within the workplace including:

• increasing the uptake of cyber security apprenticeship training
• ensuring skills development opportunities are inclusive
• ensuring that cyber security upskilling and reskilling opportunities are available nationwide
• supporting the cyber security profession by promoting the adoption of best practice and professional standards

3.2 Encourage employer engagement with education in order to inspire young people into careers in cyber security

4. Encourage the embedding of cyber security standards, regulations and compliance across the private sector

4.1 Promote the range of cyber security standards and regulations available to support informed choices for businesses, based on their exposure to risk and their risk appetite

4.2 Promote Cyber Essentials and Cyber Essentials Plus as the baseline security standards to protect against the most common non-targeted cyber attacks

4.3 Encourage the cyber resilience of the private sector's supply chains, including their adoption of a secure by design approach

5. Embed cyber resilience into the governance, policies and processes of businesses in Scotland

5.1 Embed cyber resilience into governance arrangements to ensure decision-makers are equipped and supported to manage cyber risk

5.2 Support organisations to continue to identify and increase their cyber resilience maturity, including exploring options for an online self-assessment tool to enable organisations to assess their own cyber resilience maturity

5.3 Explore options to adapt the Scottish Government's Public Sector Cyber Resilience Framework for businesses, particularly SMEs

6. Raise awareness of cyber security services and expertise available to businesses

6.1 Encourage Scotland-based cyber security companies to provide goods and services that can meet the cyber resilience needs of our public sector and digital public services. Support cyber security and managed IT service providers to ensure they are secure and resilient

7. Support businesses to prepare for, respond to and recover from cyber incidents

7.1 Increase good incident response arrangements of SMEs including:

• promoting testing and exercising and in particular expanding the take up of the NCSC's Exercise in a Box Toolkit
• encouraging the use of NCSC's Response and Recovery guidance

7.2 Encourage cyber resilience into procurement and audit processes

7.3 Use current evidence to inform effective and innovative approaches for improving cyber resilience across the private sector, engaging with innovation centres and academia

Third Sector Action Plan

Overarching aims / Actions

1. Increase third sector organisations' understanding of cyber risks that may affect them

1.1 Increase access to, and use of, threat intelligence to inform understanding of risk

1.2 Promote the use of NCSC's Cyber Security Information Sharing Partnership (CiSP)

1.3 Include information on cyber threat and risk in advice and guidance from third sector advisory and regulatory bodies

1.4 Support organisations to make use of research and innovation and to engage with academia and innovation centres

2. Improve cyber resilient behaviours within third sector organisations

2.1 Promote staff awareness raising and workplace learning as a significant defence against cyber threats

3. Improve and increase opportunities for professional development of IT and cyber security staff across the Third Sector

3.1 Promote skills development opportunities within the workplace including:

• ensuring skills development opportunities are inclusive
• ensuring that cyber security upskilling and reskilling opportunities are available nationwide
• supporting the cyber security profession by promoting the adoption of best practice and professional standards

3.2 Encourage employer engagement with education in order to inspire young people into careers in cyber security

4. Embed cyber security standards, regulations and compliance across third sector organisations

4.1 Promote the range of cyber security standards and regulations available to support clearer choices for the Third Sector based on their exposure to risk and their risk appetite

4.2 Promote Cyber Essentials and Cyber Essentials Plus as the baseline security standards to protect against the most common non-targeted cyber attacks

4.3 Encourage the cyber resilience of the third sector's supply chains, including their adoption of a secure by design approach

4.4 Work to simplify the complexity of the range of standards/regulation around information security

5. Embed cyber resilience into the governance, policies and processes of third sector organisations

5.1 Embed cyber resilience into governance arrangements to ensure decision-makers are equipped and supported to manage cyber risk

5.2 Support organisations to continue to identify and increase their cyber resilience maturity, including exploring options for an online self-assessment tool to enable organisations to assess their own cyber resilience maturity

6. Raise awareness of cyber security services and expertise available to third sector organisations

6.1 Support third sector organisations to understand what services they need from cyber security and managed IT service providers

6.2 Encourage Scotland-based cyber security companies to provide goods and services that can meet the cyber resilience needs of our Third sector

7. Support third sector organisations to prepare for, respond to and recover from cyber incidents

7.1 Increase good incident response arrangements across the Third sector including:

• promoting testing and exercising and in particular expanding the take up of the NCSC's Exercise in a Box Toolkit
• encouraging the use of NCSC Response and Recovery guidance

7.2 Promote and actively encourage uptake of the range of tools and services within the NCSC Active Cyber Defence programme Work with NCSC to promote their Active Cyber Defence (ACD) Programme of tools and measures, and explore options for increasing accessibility for all third sector organisations

7.3 Encourage the embedding of cyber resilience into procurement and audit processes

7.4 Explore options for improving the cyber security operations (SOC) capabilities for the Third Sector as a whole

7.5 Use current evidence to inform effective and innovative approaches to improving cyber resilience across the Third Sector, engaging with innovation centres and academia

Learning and Skills

Overarching aims / Actions

1. Increase people's cyber resilience through awareness raising and engagement

1.1 Disseminate general and targeted cyber awareness messages to individuals, groups and communities, and ensure these are in accessible/alternative formats where possible

1.2 Monitor changes and improvements in cyber resilience behaviours among the general population

2. Explicitly embed cyber resilience throughout our education and lifelong learning system

2.1 Build capacity across school education for teachers to embed cyber resilience learning across the curriculum, with the support of training, resources and tailored guidance/support

2.2 Work with key community learning and development (CLD) partners to further embed cyber resilience learning and skills development in non-formal learning

2.3 Embed cyber resilience within initial training for education professionals

2.4 Work with colleges, universities and training providers to embed cyber resilience across their delivery

2.5 Support parents and carers to help with their children's cyber resilience

2.6 Work with care providers whose staff are well placed to support their clients to be more cyber resilient

3. Increase people's cyber resilience at work

3.1 Increase workers' cyber resilience across all roles, levels and sectors

3.2 Embed cyber resilience across multiple vocational and occupational areas

4. Support the development of accessible cyber security skills training pathways and effective careers guidance to help ensure that skills supply meets demand

4.1 Maintain research evidence, updating knowledge where appropriate, in order to underpin an effective approach to cyber security skills development in Scotland, including understanding best practice globally

4.2 Promote cyber security careers and a range of training pathways

4.3 Grow numbers of people studying cyber security in Scotland at all levels

4.4 Increase the uptake of cyber security apprenticeship training and provision

4.5 Ensure education professionals have access to support and materials to enable them to deliver cyber-related qualifications, recognising the wider digital learning landscape

4.6 Ensure cyber security skills development opportunities are inclusive, particularly of women and girls, people from disadvantaged backgrounds, people from BAME backgrounds, and neurodivergent people, including championing skills development opportunities for under-represented groups

4.7 Ensure that cyber security upskilling and reskilling opportunities are available nationwide as part of wider strategies to reskill and upskill, especially to areas that have had historically low take up/access to opportunities

4.8 Co-ordinate and shape added-value/extra-curricular programmes in cyber security for effective rollout in Scotland so that they are part of a coherent offer

4.9 Support the cyber security profession by promoting the adoption of best practice and professional standards

4.10 Support both individuals and employers navigate a complex cyber security profession, to help talent enter and develop a career in cyber security, working alongside the new UK Cyber Security Council to develop a career pathways framework built on the Cyber Security Body of Knowledge

4.11 Work with partners at UK level to ensure appropriate alignment of cyber skills development plans

4.12 Increase cyber security and cyber resilience research and innovation in our university sector

4.13 Strengthen our ecosystem by better linking cyber security skills development, academia and innovation with industry

4.14 Strengthen interaction between all parts of our education and lifelong learning system around cyber security skills development to grow new pathways and opportunities

4.15 Co-ordinate, prioritise and target industry/employer engagement in education in order to promote cyber security careers and add value to cyber security skills development for young people