With the breadth and sophistication of cyber threats growing on a daily basis, new initiatives are frequently published to boost levels of cyber resilience. During the last week of June, the UK Government Cabinet Office, in conjunction with the National Cyber Security Centre, published the “Minimum Cyber Security Standard” (MCSS) which provides a mandatory framework of ten areas where a minimum acceptable approach is required to protect the sensitive data and supporting systems of UK public sector organisations. MCSS follows the theme of achieving “security outcomes”, but does not specify the approach or controls which should be used to achieve them – that remains with each organisation to determine for themselves. It also allows for the progressive development of the minimum acceptable levels over time, which will allow the Standard to further evolve to address new and emerging threats and vulnerabilities.
With many government departments having some element of their IT provision outsourced, one requirement of MCSS mandates that public sector organisations are responsible for conducting appropriate due diligence of their vendors to ensure that unacceptable risks are not present within the supply chain. The Standard also calls out minimum levels of access to sensitive data, special consideration for the management and use of privileged accounts, effective vulnerability management and patching, and monitoring for events which may indicate that a data breach has occurred. It further requires an acceptable approach to handling cyber security incidents, including communication plans, investigative and remediation activities, and a requirement that affected IT services be recovered as quickly as possible. The full set of MCSS requirements can be reviewed here.
Organisations which have already implemented an effective Information Security Management System (ISMS), and perhaps progressed to formal ISO 27001 certification with a credible assessment organisation, will have already addressed many of the examples noted above, and will routinely be identifying and assessing the risks as an integral part of their ISMS. Our popular InfoSaaS Assure risk management solution helps organisations to identify and mitigate a wide variety of cyber threats, and our range of documentation templates provides a solid foundation for the development and communication of effective security policies and procedures – another requirement of MCSS.
Andrew Beverley, CTO of InfoSaaS Limited noted: “We welcome the introduction of the Minimum Cyber Security Standard, which is a significant step in protecting the UK’s sensitive data and the systems which deliver them, and will extend out to the many commercial organisations who support the public sector in some way. With our industry-leading expertise and innovative information security and data protection solutions, we’re well placed to help our customers exceed these minimum requirements and improve their cyber-security capabilities”.
For more information, visit the InfoSaaS website.