The New Minimum Cyber Security Standard set out by the government in June has had mixed reactions from industry professionals.
What the document is for
The document, which was developed in collaboration with the National Cyber Security Centre (NCSC) and is to be incorporated into the Government Functional Standard for Security, will affect government departments and their suppliers.
It covers five categories (Identify, Protect, Detect, Respond and Recover) and comprises 10 sections in just seven pages.
The good, the bad and the cloud
There are advantages and disadvantages to such a succinct document. On the one hand, it is a good place to start when it comes to structuring and managing cyber security in the public sector, as well as implementing new digital practices.
On the other, as the standard follows the European approach of focusing on outcomes rather than detailing the means by which those outcomes are to be achieved, there is room for organisations to do the bare minimum or to implement measures that are “just for show” but are at heart ineffective.
This open approach is deliberate, as the standard itself states: "As far as possible the security standards define outcomes, allowing Departments flexibility in how the standards are implemented, dependent on their local context."
The document can be compared to GDPR, in the sense that both give organisations the flexibility to have their own implementation processes, depending on what works best in each case.
When it comes to working with the cloud, the adaptable nature of the New Minimum Cyber Security Standard can be advantageous, as cloud technology’s innovations and advancements make it an ever-changing landscape to work with.
There are, however, more detailed sections in the document, such as 6_d, which states that websites should register for NCSC’s Web Check service. This service checks public sector sites for vulnerabilities and is part of the Active Defence Program. It can be one of the most important ongoing measures, as it allows the NCSC to periodically scan the organisation’s website for threats.
You’ve got to own it – and plan it
The standard also makes a case for accountability, demanding training in security and risk for the organisation’s “senior accountable individuals”, so that it is clear who is responsible within the organisation. It is curious that the government chose to use the word “senior”; perhaps this was an effort to stop organisations blaming non-conformances on their more junior staff?
There is also a requirement for an “incident response plan” to be in place in the event of an incident, which should be tested before implementation and continue to be tested regularly afterwards. This plan needs to set out clear and defined actions and make explicit the roles and responsibilities of each person in the incident response team, again placing a strong focus on ownership. Communication protocols are also a must and should be included in the plan. In case any personal data has been breached, the ICO (Information Commissioner’s Office) should be contacted.
Continuous testing applies not only to the incident response plan but also to the contingency mechanisms each department should have. These mechanisms will ensure the department’s ability to keep delivering essential services in the event of an incident, and the constant testing of these mechanisms and plans makes for a “well-practised scenario” that ensures fast and effective threat identification and remediation.
Will it be worth it though?
The New Minimum Cyber Security Standard’s flexibility (or lack of clarity, as others would say) makes many IT professionals question the document’s effectiveness in real-life scenarios.
Bearing in mind the constant technological advances, the government has said it intends to amend the document from time to time to “continually address new threats or classes of vulnerabilities”, as well as to incorporate the use of new Active Cyber Defence measures. Whether the measures will actually work in the long term, only time will tell.