Annex B – Scottish Third Sector Cyber Resilience Framework/Pathway – Concept
1. This annex sets out a broad concept for the development of a Scottish Third Sector Cyber Resilience Framework or "Pathway".
2. The concept has been developed by the Scottish Government and members of the National Cyber Resilience Leaders Board, in consultation with the NCSC and key third sector partners.
In line with Key Action 1 in the action plan, work will be undertaken to finalise and pilot this Framework/Pathway (on the condition that further work confirms its feasibility). This will build on initial analytical work to develop a stronger understanding of the core cyber resilience requirements currently encompassed by NCSC schemes and guidance, other common standards and key supply chain policies as they apply to the Scottish third sector (particularly small and medium-sized third sector organisations), and of how these relate to progressive levels of cyber threat.
3. The Framework/Pathway would aim to provide a common point of departure for Scottish third sector organisations to assess the cyber threat to their assets, and identify the key measures they should consider implementing to help manage these threats in view of the impact on their operations.
The Framework/Pathway could be used by small and medium sized third sector organisations to benchmark themselves against progressively more demanding or holistic approaches to cyber threat management. It would also provide a way for organisations in the early stages of their cyber resilience journey to identify key sources of guidance and assurance in order to improve their capacity to manage progressively more targeted and sophisticated cyber threats.
4. In view of the fact that many larger third sector organisations operating in Scotland will already be working to a range of UK and international regulatory requirements, it is expected that any such Framework/Pathway would most likely be of use for smaller organisations (especially small or medium sized third sector organisations). However, larger third sector organisations that are not currently subject to cyber security regulation may also find such a tool useful in identifying the levels of cyber resilience they should be aiming for based on the likely cyber threat to their assets.
5. Work would be undertaken to align any Framework/Pathway with similar frameworks under development as part of the public and private sector action plans on cyber resilience by the Scottish Government and the NCRLB.
Overview of key potential features
6. The starting point for any potential Framework/Pathway would be an agreed common way of assessing the broad cyber threat to an organisation’s networks and assets, either in general or in the context of specific contracts or undertakings.
7. These cyber threat profiles should be organised in a progressive hierarchy, based on broadly defined increases in the expected targeting and sophistication of cyber threats. The hierarchy should also take into account the likely organisational impact of breaches.
8. There should then be a clear hierarchy of guidance, standards or controls that is "mapped" directly to the relevant threat level, thus ensuring greater consistency of application of appropriate standards and controls.
9. These cyber threat profiles and the hierarchy of standards or controls should, to the greatest extent possible, be aligned with or incorporate the following key existing or planned measures:
- Existing standards, guidance or initiatives, particularly those endorsed by the National Cyber Security Centre such as Cyber Essentials, the 10 Steps to Cyber Security, NIS Directive Technical Guidance, NCSC Supply Chain Guidance, the NCSC’s cloud security principles, the NCSC’s Cyber Security Information Sharing Partnership, and ICO guidance on protecting personal data; and
- Existing and planned practice in respect of supply chain cyber security amongst larger public, private and third sector organisations.
10. The potential for development of a freely accessible online tool to support small or medium sized third sector organisations, in particular, to undertake a cyber threat assessment against the Framework/Pathway, and be directed to appropriate guidance or standards, would likely be key to the success of this work.
11. A basic visual representation of this proposed approach is set out on the following page. It should be noted that the contents of this proposed Framework/Pathway will be subject to further work and discussion, and are included only for illustrative purposes at this stage.
Annex B – Scottish Third Sector Cyber Resilience Framework/Pathway – Basic Concept (indicative draft only)