Minimum Cyber Security Standard
20th November 2019
With the breadth and sophistication of cyber threats growing daily, new initiatives are regularly published to drive improvements in cyber resilience.
During the last week of June in 2018, the UK Government Cabinet Office, in conjunction with the National Cyber Security Centre (NCSC), published the “Minimum Cyber Security Standard” (MCSS).
What is MCSS?
MCSS sets out a mandatory framework of ten requirements, grouped under the themes Identify, Protect, Detect, Respond and Recover, each describing the minimum acceptable approach for protecting the sensitive data and supporting systems of UK government departments and the wider public sector bodies they oversee.
MCSS is written in terms of “security outcomes”: it states what must be achieved, but does not prescribe the specific approach or security controls that should be used to achieve it. Selecting and justifying those controls remains the responsibility of each organisation.
The minimum acceptable levels are also intended to rise progressively over time, so the Standard can evolve to address new and emerging threats and vulnerabilities.
How does MCSS affect you?
With many government departments outsourcing some element of their IT provision, MCSS makes each organisation responsible for conducting appropriate due diligence of its suppliers, so that unacceptable risks are not present within its supply chain.
The Standard also requires that access to sensitive data be limited to identified, authenticated and authorised users; that privileged accounts receive special consideration in how they are managed and used; that vulnerability management and patching be effective; and that systems be monitored for events which may indicate a data breach has occurred.
It goes further to require an acceptable approach to identifying and managing cyber security incidents, including communication plans, investigative and remediation activities, and the recovery of affected IT services as quickly as possible.
The full set of MCSS requirements is published on GOV.UK.
Organisations which have already implemented an effective Information Security Management System (ISMS), and perhaps progressed to formal ISO/IEC 27001 certification with an accredited certification body, will already have addressed many of the requirements noted above, since identifying, assessing and managing these risks is an integral part of operating an ISMS.
Our risk management solution on the InfoSaaS platform helps organisations to identify and mitigate a wide variety of cyber threats. Our range of documentation templates provides a solid foundation for developing and communicating effective security policies and procedures, which MCSS also requires.
Andrew Beverley, CTO of InfoSaaS Limited noted:
“We welcome the introduction of the Minimum Cyber Security Standard. It’s a significant step in protecting the UK’s sensitive data and the systems which deliver them. It will extend out to the many commercial organisations who support the public sector in some way.”
“With our industry-leading expertise and innovative information security and data protection solutions, we’re well placed to help our customers exceed these minimum requirements and improve their cyber-security capabilities.”