The Government has set out a series of minimum cyber-security standards which will now be incorporated into the Government Functional Standard for Security, obliging government departments and suppliers to comply.
The Standards comprise 10 sections, covering five broad categories: Identify, Protect, Detect, Respond and Recover, and also set expectations for governance, such as obliging government departments to create "clear lines of responsibility and accountability to named individuals for the security of sensitive information and key operational services".
Matt Lock, director of sales engineers, UK, Varonis, welcomed the move: “The minimum standards may sound simple and common-sense for cyber-security pro's, but even the largest of organisations could struggle to implement these into their security practices. Many organisations have found it difficult to create a systematic approach to deal with cyber-security and this new standard should help.
“The Standard calls out “senior accountable individuals” to be trained on security and risk – no longer will it be possible to blame junior staffers for a security incident. Organisations that outsource to third-parties must ensure these providers are up to speed on security risks – which is a particularly timely recommendation with the Ticketmaster breach news this week.”
Other elements of the Standard include the requirement for departments to identify and catalogue sensitive information they hold, implement access controls, and also implement TLS encryption standards for email - albeit to the older TLS 1.2 standard. Moreover, departments will be required to have cyber-incident response plans, as well as cyber-attack detection measures, and departments themselves will be responsible for ensuring that suppliers meet the Standard too.
Mike Trevett, director, UK & Ireland, Mandiant at FireEye told SC Media UK that although similar guidelines from industry bodies (such as (NIST: Cyber essentials, and 10 Steps to Cyber Security) already exist, the focus of the new Standard will prove important: “There are similar guidelines that have been in place and go into greater or lesser detail but critically drive towards similar outcomes. This Standard is particularly helpful because it is focused on Government and bringing it together in a UK focused package. The standard requires departments to implement these minimum security measures, so it's not a case of departments ‘signing up' to them. I do think wider organisations will adopt them, either in part or all together because they describe the sorts of security outcomes that any organisation could / should aspire to. However, while I don't think enterprises will follow them ‘verbatim' they may well adapt the elements that best suit their organisation and circumstances.”
The 'Minimum Cybersecurity Standard' (PDF) was published earlier this week, and will be regularly updated in order to continually ‘raise the bar', address new threats or classes of vulnerabilities and to incorporate the use of new Active Cyber Defence measures, according to the Cabinet Office.