The Cabinet Office (in collaboration with the National Cyber Security Centre) published the “Minimum Cyber Security Standard” (MCSS), clearly communicating the minimum set of cyber security controls expected of UK Government departments. The aim is to ensure that the nation’s information, technology and digital services are being properly protected in accordance with the National Cyber Security Strategy’s requirements.
In line with similar recent documentation, these new requirements are focused upon the delivery of “security outcomes” without specifying how such outcomes are to be achieved, and each Department has the responsibility of ensuring that the security outcome is being effectively achieved. It is pleasing to note that each of the MCSS component areas will be progressively incremented over time, to ensure that standards rise as the cyber threat landscape continues to evolve.
Cloud infrastructure and platform providers must now confirm that their existing information security framework and controls exceed the minimum stated requirements within each of the ten areas of the new standard:
- Cyber security governance: clear responsibilities and accountabilities, effective policies and processes, risk management, supply chain security and training and awareness
- Sensitive information: a full understanding of sensitive information assets, why and where they are being processed and stored, and the impact if they were to be breached
- Operational service: details of key operational services being provided, knowledge of technology and other dependencies which they rely upon, and the impact of unavailability
- User and access management: ensuring users have only minimum access to sensitive data, that such access is regularly reviewed, and access is removed when a user leaves
- Protecting access: ensuring only authorised and known users can access sensitive data and associated systems, and that appropriate authentication mechanisms are in place
- Vulnerability management: protecting enterprise technology, end-user devices, digital services and email communications through effective organisational and technical controls
- Protecting privileged accounts: ensuring privileged accounts are not used for daily tasks, and that their use is protected by multi-factor authentication and complex passwords
- Detecting common cyber-attacks: by monitoring and capturing events, which can then be assessed using threat intelligence sources such as CISP
- Responding to cyber security incidents: implementing effective plans to respond to incidents including defined responsibilities, communication plans, investigation and mitigation actions, incident reporting and plan testing
- Recovery of services: ensuring contingency plans are in place for unavailability of services or cyber security breaches, that prompt restoration of normal service is well rehearsed, and that post incident reviews effectively remediate the cause to prevent recurrence
Credible IT service providers such as UKCloud who have designed, implemented and manage their organisation from a solid foundation of information security, data protection and technical resilience will have no issues with achieving the requirements of MCSS. However, the fact that this new Standard has been created and published at all suggests that there are departments and functions which have an identified need to urgently improve their cyber resilience posture.
All UK Public Sector organisations will need to demonstrate compliance with MCSS, and section 1(d) notes that they need to understand and manage the risks within their supply chain – for example their choice of cloud service provider – by completing sufficient due diligence. A provider like UKCloud welcomes the opportunity to discuss its cybersecurity capabilities: from evidencing the numerous independent security accreditation and certification activities which we are regularly subject to, to explaining the advanced security features and controls which are at the heart of our portfolio of cloud services.
This blog was originally published by TechUK for its Cloud Week.