This week has seen the release of a new baseline of mandatory cyber security requirements for UK government departments. Known as the Minimum Cyber Security Standard, it sets out a minimum set of measures that all government departments will need to adhere to, although the hope is that, because it is only a baseline, departments will in fact seek to exceed it at all times.
There are 10 main requirements in the standard, partitioned into five key domains: identify, protect, detect, respond and recover.
Departments shall put in place appropriate cyber security governance processes by:
Departments shall identify and catalogue sensitive data they hold. They should document and know:
Departments shall identify and catalogue the key operational services they provide. Including:
The need for users to access sensitive data or key operational services shall be understood and continually managed. For example:
Achieve all of this and more using a solution such as GRPC Hub, a cloud-based GRC solution that has been used by countless public and private organisations for managing ISO 27001, Cyber Essentials, the DSP Toolkit and the GDPR. Would you like to learn more? Book an online meeting today.
Access to sensitive data and key operational services shall only be provided to identified, authenticated and authorised users or systems. Such as:
Systems which handle sensitive data or key operational services shall be protected from exploitation of known vulnerabilities.
To protect servers, network devices and centralised services:
Consider using a secure configuration assessment solution. NNT Change Tracker can assess servers and network devices, on an automated basis, against common security standards such as the CIS Benchmarks. Book an online meeting today to learn more.
To protect end-user devices such as smartphones and laptops:
To protect email delivery and access systems:
EmailAuth is a DMARC solution which can provide unrivalled insight into spoofing attempts and email domain usage. Book an online meeting to learn more.
To protect digital services:
Highly privileged accounts should not be vulnerable to common cyber attacks by:
Departments shall take steps to detect common cyberattacks. At a minimum they should:
Departments shall have a defined, planned and tested response to cyber security incidents that impact sensitive information or key operational services. Including:
Our services partner Cyber Management Alliance are specialists in incident response and planning training, having trained the likes of Sony, Adobe and the United Nations. Visit their website to learn more.
Departments shall have well defined and tested processes in place to ensure the continuity of key operational services in the event of failure or compromise. For example: