This week has seen the release of a new baseline of mandatory cyber security requirements for UK government departments. Known as the Minimum Cyber Security Standard, it creates a minimum set of measures which all government departments will need to adhere to, although the hope is that as a baseline, they will in fact seek to exceed these at all times.
What are the Requirements?
There are 10 main requirements in the standard, partitioned into five key domains: identify, protect, detect, respond and recover.
Departments shall put in place appropriate cyber security governance processes by:
- Creating clear lines of responsibility and accountability for cyber security.
- Creating management policies to direct and advise departments on their overall approach to cyber security.
- Identifying significant risks to sensitive data and key operational services.
- Understanding the risk associated with utilising third parties, and mitigating it by ensuring third parties also adhere to the Minimum Cyber Security Standard or Cyber Essentials.
- Ensuring that senior accountable individuals are trained in cyber security matters and risk, and are promoting a culture of awareness about cyber security.
Departments shall identify and catalogue sensitive data they hold. They should document and know:
- What sensitive data they hold or process.
- Why they hold or process sensitive data.
- Where sensitive data is stored.
- Which computer systems process it.
- The likely impact of disclosure, compromise or loss.
Departments shall identify and catalogue the key operational services they provide, including:
- What their key operational services are.
- Which technologies and services their key operational services rely on for availability and security.
- What other dependencies they have, for example utilities and key personnel.
- The impact resulting from a loss of availability.
The need for users to access sensitive data or key operational services shall be understood and continually managed. For example:
- Users should only have access to sensitive data and systems which are necessary for their role.
- Where a user ceases employment or leaves a department, their access should be revoked immediately.
- Periodic reviews of access should be conducted.
Achieve all of this and more using a solution such as GRPC Hub, a cloud-based GRC solution which has been used by countless public and private organisations for managing ISO 27001, Cyber Essentials, the DSP Toolkit and the GDPR. Would you like to learn more? Book an online meeting today.
Access to sensitive data and key operational services shall only be provided to identified, authenticated and authorised users or systems. For example:
- Access to sensitive data and services should only be authorised for known and referenced individuals and systems.
- Users accessing sensitive data and services must complete some form of authentication. In cases of high risk, so should the device or system accessing sensitive data or systems.
Systems which handle sensitive data or key operational services shall be protected from exploitation of known vulnerabilities.
To protect servers, network devices and centralised services:
- Track and record all hardware and software assets and their configurations.
- Have a programme of vulnerability detection and patching to prevent common exploitation-based cyber attacks. Where this is not possible, mitigating controls such as network segregation should be undertaken.
- Validate through regular testing that device configurations are optimal and secure.
- Use the UK public sector DNS servers for name resolution to avoid DNS poisoning and redirection attacks.
- Ensure that authoritative DNS changes can only be made by authenticated administrators.
- Understand and record all IP ranges.
- Where services are outsourced, understand and document the security responsibilities of both the outsourced party and the department using the outsourced service.
Consider using a secure configuration assessment solution. NNT Change Tracker can assess servers and network devices, on an automated basis, against common security standards such as the CIS Benchmarks. Book an online meeting today to learn more.
To protect end-user devices such as smartphones and laptops:
- Identify and record all end-user devices and removable media in use.
- Manage end-user devices which have access to sensitive data and key operational services, and apply technical and security controls to them.
- Run operating systems and software which are regularly patched and supported by the vendor.
- Apply encryption at rest where physical security cannot be guaranteed, such as a smartphone which moves inside and outside the protected network environment.
- Have the ability to revoke access or wipe an end-user device.
To protect email delivery and access systems:
- Use TLS 1.2 (Transport Layer Security) for sending and receiving email.
- Have DMARC (Domain-based Message Authentication, Reporting and Conformance), DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) records in place to reduce the effectiveness of spoofing.
- Implement spam and mail filtering, and require DMARC for inbound mail.
EmailAuth is a DMARC solution which can provide unrivalled insight into spoofing attempts and email domain usage. Book an online meeting to learn more.
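An added example (not from the standard or any product named here) of how a department could check, against its own DNS, that the SPF, DKIM and DMARC records the standard asks for are present and not configured so loosely that they fail to reduce spoofing. The domains, the DKIM selector `s1` and all TXT values are constructed sample data; `lookup_txt()` reads them from a dictionary in place of a real DNS query.

```python
# Constructed sample TXT records for two hypothetical domains (not real DNS data);
# a real deployment would replace lookup_txt() with an actual DNS TXT query.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.good.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "weak.example": ["v=spf1 include:_spf.weak.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
}

def lookup_txt(name):
    return SAMPLE_TXT.get(name.lower(), [])

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC or DKIM) into a dict."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False, "expected exactly one SPF record, found %d" % len(spf)
    last = spf[0].split()[-1].lower()  # '+all' / '?all' authorise every sender
    if last not in ("-all", "~all"):
        return False, "SPF should end with -all or ~all, not %r" % last
    return True, "ok"

def check_dkim(records):
    dkim = [r for r in records if r.lower().startswith("v=dkim1")]
    if not dkim or not parse_tags(dkim[0]).get("p"):
        return False, "no DKIM record with a public key at the selector"
    return True, "ok"

def check_dmarc(records):
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return False, "expected exactly one DMARC record, found %d" % len(dmarc)
    tags = parse_tags(dmarc[0])
    if tags.get("p") not in ("quarantine", "reject"):
        return False, "p=%s only monitors and does not stop spoofed mail" % tags.get("p")
    if "rua" not in tags:
        return False, "no rua= address, so no aggregate reports are received"
    return True, "ok"

def assess_domain(domain, selector):
    """Return {check: (passed, reason)} for a domain's SPF, DKIM and DMARC records."""
    dkim_name = "%s._domainkey.%s" % (selector, domain)
    return {"spf": check_spf(lookup_txt(domain)), "dkim": check_dkim(lookup_txt(dkim_name)),
            "dmarc": check_dmarc(lookup_txt("_dmarc." + domain))}
```

For `good.example` all three checks pass; `weak.example` fails all three because its SPF ends in `?all`, it has no DKIM key at the selector, and its DMARC policy is `p=none`.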
To protect digital services:
- Ensure web applications are not exploitable by common vulnerabilities, for example those listed by OWASP (Open Web Application Security Project).
- Ensure the underlying infrastructure is secure, including verifying that the hosting environment is maintained securely and that you have appropriately exercised your responsibilities for securely configuring the infrastructure and platform.
- Protect data in motion using TLS 1.2.
- Regularly test for the presence of known vulnerabilities and common configuration errors.
Highly privileged accounts should not be vulnerable to common cyber attacks. This means:
- Account segregation for anyone with a privileged account. Administrator accounts should not be used for tasks such as internet browsing or receiving email.
- Multi-factor authentication should be used wherever it is technically possible, including for cloud accounts, department social media accounts and administrative accounts.
- Passwords for privileged system accounts, social media accounts and infrastructure components must be changed from default values and should not be easy to guess. Passwords which would on their own grant extensive system access should have high complexity.
Departments shall take steps to detect common cyber attacks. At a minimum they should:
- Capture all events which can be combined with a common threat intelligence service.
- Be able to detect any attackers or cyber attacks using common or known exploits.
- Protect digital services, which are attractive to cyber attackers, using transactional protection techniques and technology.
Departments shall have a defined, planned and tested response to cyber security incidents that impact sensitive information or key operational services, including:
- Having a clearly defined incident response plan, with clearly defined actions and responsibilities. All incidents should be recorded.
- Having a communication plan detailing who should be contacted in the event of an incident, including key stakeholders and national regulators.
- A plan to test an implemented incident response plan and modify it based on the test outcome.
- A detailed plan on how to evaluate incidents post-event and how to improve defences and detection capabilities as a result.
Our services partner, Cyber Management Alliance, are specialists in incident response and planning training, having trained the likes of Sony, Adobe and the United Nations. Visit their website to learn more.
Departments shall have well defined and tested processes in place to ensure the continuity of key operational services in the event of failure or compromise. For example:
- Departments should have plans to test contingencies and availability systems to ensure they will function as expected during an incident.
- Any plan should be well rehearsed to ensure disruption is kept to a minimum.
- Post recovery, the department should learn from the disruption and factor in changes which will prevent a repeat of the same incident.