Home » Security Bloggers Network » The UK’s Minimum Cyber Security Standard: What You Need to Know

The UK’s Minimum Cyber Security Standard: What You Need to Know

In June 2018, the UK Government, in collaboration with NCSC (National Cyber Security Centre), produced a new security standard that all Government “Departments”, including organisations, agencies, arm’s length bodies, and contractors must adhere to without exception. These measures will continue to increase over time in order to ‘address new threats or classes of vulnerabilities’ and to ‘incorporate the use of new Active Cyber Defence measures.’

The standard has been broken down into 10 measures lumped into five sections: Identify, Protect, Detect, Respond and Recover.

This article will give a brief overview into the content of these measures. If you want to read the entire standard, the PDF on the gov.uk website can be found here.

IDENTIFY

Section 1 – ‘Departments shall put in place appropriate cyber security governance processes.’

Departments are obligated to have clear lines of responsibility and accountability to named individuals for the security of sensitive information and key operational services.

Appropriate management policies and processes must be in place to direct the departments overall approach to cyber security. In addition, Departments are required to identify and manage the significant risks to sensitive information and key operational services.

Departments also need to understand and manage the security issues that could arise due to dependencies on external suppliers or through their supply chain. These suppliers must also conform to the standard, which can be demonstrated by having them attain a valid Cyber Essentials certificate or just demonstrate their compliance. At that time, the Department can then determine whether this is a sufficient risk assessment.

Section 2 – ‘Departments shall identify and catalogue sensitive information they hold.’

Departments need to know and record what information they hold or process, why they hold or process it, what computer systems or services process it and the impact of (Read more...)