
Safe, secure and prosperous: a cyber-resilience strategy for Scotland

Best Practice Guidelines for Scottish Public Bodies

DRAFT FOR COMMENT BY SCOTTISH PUBLIC SECTOR ORGANISATIONS

These draft best practice guidelines have been produced by the National Cyber Resilience Leaders’ Board in partnership with the Scottish Government. They constitute ANNEX B to the draft public sector action plan that is being circulated along with these guidelines.

Comments from Scottish public sector organisations are now invited in respect of implementation issues by 15th September 2017.

Please send all comments to [email protected].


Cyber Resilience: best practice guidelines for Scottish public bodies (draft) (Annex B to draft public sector action plan)

Introduction and background

1. “Safe, Secure and Prosperous”, a Cyber Resilience Strategy for Scotland, sets out the Scottish Government’s vision for Cyber Resilience in Scotland. It sets a goal for Scotland to be a world leader in cyber resilience by 2020.

2. As part of this, the strategy identified the following key outcome:

We have confidence in, and trust, our digital public services.

3. Appropriate standards of cyber resilience[1] in Scottish public bodies are fundamental to achieving this confidence and trust. The importance of ensuring cyber resilience in Scotland’s public services has never been greater. A number of factors make this so. They include:

(i) The scale and nature of the cyber threat, and the risks it presents to our ambitions for Scotland’s digital public services and our overall security and resilience: Scotland’s refreshed digital strategy[2] makes clear that digital connectivity offers huge opportunities to redefine the relationship between the Scottish public sector and the people it serves. We are committed to establishing all new government organisations as digital businesses, designed around the needs of their users, in order to make the most of new technologies. But with these opportunities come new threats and vulnerabilities, and it is imperative that we take these seriously and take action to address them. The global cyber attack on 12th May 2017, which affected more than 150 countries worldwide and impacted some areas of the NHS in Scotland and England, underlined the potential seriousness of the cyber threat. The UK Government assesses that the number and severity of cyber incidents affecting public (and private and third) sector organisations will continue to increase. These threats come from a variety of sources, including hostile state actors, cyber criminals, political activists and others.

(ii) Forthcoming legislative changes and their potential legal, financial and reputational impact: the new General Data Protection Regulation (GDPR), which is due to come into force in May 2018, places significant new duties on public (and private and third) sector organisations to ensure the protection of personal data, and to report personal data breaches. Public sector data controllers face significantly increased administrative fines of up to 20,000,000 euros for failing to comply with certain articles of the regulation. One of the factors that can be taken into account when deciding the level of fine is a failure to implement appropriate cyber security measures. The UK Government has indicated its intention to implement GDPR in full despite the UK leaving the EU.

[1] “Cyber resilience” means being able to prepare for, withstand, and rapidly recover and learn from deliberate attacks or accidental events in the online world. Cyber security is a key element of being resilient, but cyber resilient people and organisations recognise that being safe online goes far beyond just technical measures. By building understanding of cyber risks and threats, they are able to take the appropriate measures to stay safe and get the most from being online.

[2] http://www.gov.scot/Resource/0051/00515583.pdf

4. These best practice guidelines have been developed to assist the Boards of Scottish public bodies to ensure their organisations are working on a risk-based and proportionate basis towards achieving appropriate standards of cyber resilience. They have been endorsed by the National Cyber Resilience Leaders’ Board. They draw heavily on the National Cyber Security Centre’s 10 Steps to Cyber Security. As such, Scottish public bodies that conform to this guidance are expected to meet the requirements set out in the 10 Steps to Cyber Security.

Who are these guidelines for?

5. It is expected that all Scottish public bodies will work towards implementing these best practice guidelines in their organisations on a risk-based and proportionate basis.

6. To help provide leadership and develop knowledge and experience of the challenges of implementing the guidelines, a number of key Scottish public bodies have formed the Scottish Public Sector Cyber Catalyst scheme. These public bodies have committed to moving forward at pace with implementing the guidelines during 2017-18, and sharing knowledge and learning with the wider Scottish public sector to help drive higher standards of cyber resilience over time.

7. Reference to these guidelines will be included in amendments made to the Scottish Public Finance Manual (SPFM - see paragraph 10 below), which applies to many key Scottish public bodies. Those amendments will make clear the expectation that public bodies subject to the SPFM are adhering to these best practice guidelines on a risk-based and proportionate basis. Where other Scottish public bodies are not subject to the SPFM, the Scottish Government will nevertheless seek to work with them to promote the adoption of a similar approach to that outlined in these best practice guidelines. Where the guidelines state what is expected of “Scottish public bodies”, these references should be read in this context.

Relationship to other guidance, standards, controls and processes

8. These best practice guidelines are not intended to replace existing guidance, standards, controls or processes, and Scottish public bodies should continue to have regard to these existing requirements when taking forward work on cyber security and cyber resilience.

9. The best practice guidelines are intended to complement existing guidance, standards, controls and processes, and provide a framework to bring greater coordination and coherence to work on cyber resilience in Scotland’s public bodies. They are expected to be of particular use to Boards, Executive Teams and Audit Committees who wish to provide challenge and direction within their own organisations. They are also expected to provide a framework for relevant staff in public bodies to take forward practical arrangements to ensure robust levels of cyber resilience.


10. Other key guidance, standards, controls and processes that Scottish public bodies should continue to have regard to when taking forward work on cyber security and cyber resilience include the following:

The Scottish Public Finance Manual (SPFM)[3]: The SPFM is issued by Scottish Ministers to provide guidance to the Scottish Government and other relevant bodies on the proper handling and reporting of public funds. It includes key provisions on:

o Risk management: The SPFM requires Scottish public bodies to adopt appropriate risk management processes, with identification, ownership, assessment, management and monitoring of risks forming a key part of this. It also makes clear that it is essential to consider “risk appetite” before moving on to consideration of how risks can be addressed.

o Accountability: The SPFM (Memorandum to Accountable Officers[4]) makes clear that Accountable Officers must ensure that the assets for which they are responsible are properly managed and safeguarded, with appropriate checks. They are also required to ensure that risks to the achievement of business objectives are identified, that their significance is assessed, and that systems appropriate to the risks are in place in all relevant areas to manage them. They must ensure that managers at all levels have the information, training and access to the expert advice they need to exercise their responsibilities effectively.

o Governance statements, certificates of assurance and internal control checklists: To give effect to these accountability arrangements, Accountable Officers are required to prepare governance statements as part of the annual accounts for which they are directly responsible. To enable them to sign governance statements, Accountable Officers are provided with certificates of assurance on the maintenance and review of internal control systems within or affecting their area of responsibility. These internal control systems comprise the whole network of systems established in an organisation to provide assurance that organisational objectives will be achieved. The internal control checklist includes sections on risk management, the proper management and safeguarding of assets, and the integrity and reliability of information and data.

o Best value: The SPFM makes clear that a Best Value organisation will show that it is conscious of being publicly funded in everything it does. The organisation will be able to show how its effective management of all resources (including staff, assets, information and communications technology (ICT), procurement and knowledge) is contributing to delivery of specific outcomes.

These provisions should effectively mean that Scottish public bodies subject to the SPFM are already putting in place robust standards of cyber resilience. However, the Scottish Public Finance Manual and its associated Certificates of Assurance scheme will be amended to make clear that Scottish public bodies and their audit committees should have reference to these best practice guidelines when taking forward work on cyber resilience in their organisations.

[3] http://www.gov.scot/Topics/Government/Finance/spfm/Intro

[4] http://www.gov.scot/Topics/Government/Finance/spfm/Accountability/aomemoother

The Security Policy Framework[5], which describes how HMG organisations and third parties handling HMG information and other assets will apply protective security to ensure HMG can function effectively, efficiently and securely. The SPF includes the following key provisions that are relevant to these best practice guidelines:

o Overarching principles: These set out the principles common to every aspect of security, and include robust protection of sensitive assets, support for delivery of public services (including digital services), risk management (taking account of the Data Protection Act), people and behaviours (achieving the right security culture), and policies and processes to report, manage and resolve any security incidents.

o Good governance: Including requirements for an appropriate security governance structure that includes a Senior Information Risk Owner (SIRO), a Departmental Security Officer (DSO), Information Asset Owners across distinct business units, information risk assessments and risk management specialists, and other specialists relevant and specific to the organisation’s needs. The SPF also requires Board-level oversight of security compliance and auditing processes, and arrangements to determine and satisfy themselves that delivery partners, service providers and third party suppliers apply proper security controls too.

o Culture and awareness: Including requirements to have a security culture that supports business and security priorities, training which encourages personal responsibility and good security behaviours, processes, systems and incentives to deliver this, and mechanisms to drive continuous improvement and tackle poor behaviour.

o Risk management: Requiring organisations to have a mature understanding of security risks throughout the organisation, a clearly-communicated set of security policies and procedures, mechanisms and trained specialists to analyse threats, vulnerabilities, and potential impacts, arrangements to determine and apply cost-effective security controls to mitigate identified risks within agreed appetites, and assurance processes to make sure that mitigations are, and remain effective.

o Information: Requirements to maintain the confidentiality, integrity and availability of information, including: having staff who are well trained to exercise good judgement, take responsibility and be accountable for the information they handle; mechanisms and processes to ensure assets are properly classified and appropriately protected; and an overarching programme of information assurance driven by the Board, to give confidence that security controls are effective and that systems and services can protect the information they carry.

[5] https://www.gov.uk/government/publications/security-policy-framework/hmg-security-policy-framework. Note that work is currently underway on transforming Government Security, meaning that many of the ‘traditional’ security roles will be updated to better suit today’s business needs.


o Technology and controls: Noting the importance of modern and functional technology being resilient to cyber threats, with security integral to design and implementation. Including requirements to identify whether technology and services are Critical National Infrastructure, and risk manage accordingly, and implement risk-informed security controls that ensure critical technology and services are resilient to disruptive challenges such as cyber attacks, and have the means to recover from these.

o Preparing for and responding to security incidents: Setting out the requirement to have well-tested plans, policies and procedures that will reduce organisations’ vulnerability to security incidents (especially from the most serious threats of terrorism or cyber attack) and other disruptive challenges.

Preparing Scotland Guidance[6], which is guidance to assist Scotland to plan for, respond to and recover from emergencies. It has a ‘Hub’ which sets out the philosophy, principles and good practice, and ‘Spokes’ that provide detailed guidance on specific matters. A “spoke” on cyber resilience is currently under preparation, and will align with the best practice guidance set out in this document.

NHS Scotland Resilience Guidance[7], which includes Standards for Organisational Resilience[8]. These include requirements for Health Boards to have adequate information security management arrangements that conform to the NHSS Information Security Policy Framework (2015), and an appropriate level of resilience within their Information and Communication Technologies (ICT) service portfolio. Health Boards are also required to develop and implement awareness-raising programmes that alert staff to information security risks and encourage them to adopt safer practices in relation to information handling and the equipment used on-site and off-site.

Stakeholder Impact Assessments for Critical Infrastructure[9]: The delivery of the Scottish Government’s Critical Infrastructure strategy “Secure and Resilient” is based on a 5-stage Continuous Improvement Model, the first element of which is Stakeholder Impact Assessments (SIAs). These in-depth assessments cover all three elements of security and resilience (physical, personnel and cyber), with the aim of helping organisations to secure a picture of their resilience and take action to address any areas for improvement. The assessments have been adapted to include questions that can support organisational thinking in respect of cyber resilience, aligned to this best practice guidance.

Public Service Network obligations[10]: These set out the technical security requirements for organisations connected to the public service network (PSN).

Cyber Essentials and Cyber Essentials Plus[11], which recommend the adoption of five critical controls to help mitigate the most common forms of cyber attack, and offer NCSC-endorsed accreditation for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions. Scottish Ministers have made clear that, in order to comply with obligations under the Scottish Public Finance Manual and other provisions, all Scottish public bodies should achieve accreditation to Cyber Essentials Plus standard as a minimum. The SPFM and its associated guidance will be amended to reflect this.

[6] http://www.readyscotland.org/ready-government/preparing-scotland/

[7] http://www.readyscotland.org/ready-government/nhsscotland-resilience/

[8] http://www.readyscotland.org/media/1157/nhsscotland-standards-for-organisational-resilience-1st-edition-may-2016.pdf

[9] http://www.gov.scot/Publications/2011/03/21095856/0

[10] https://www.gov.uk/guidance/public-services-network-psn-obligations-for-connectivity-services

[11] See: https://www.cyberaware.gov.uk/cyberessentials/files/scheme-summary.pdf

10 Steps to Cyber Security[12], which are endorsed by the National Cyber Security Centre and which encompass, but go wider than, the controls set out under the Cyber Essentials scheme. The 10 steps cover:

o Risk management

o Secure configuration

o Network security

o Managing user privileges

o User education and awareness

o Incident management

o Malware prevention

o Monitoring

o Removable media controls

o Home and mobile working

ISO27001, which is the international standard that describes best practice for an information security management system. Achieving accredited certification to ISO 27001 demonstrates that an organisation is following information security best practice, and delivers an independent, expert assessment of whether data is adequately protected.

Monitoring and Evaluation

11. Scottish public bodies should have regard to these best practice guidelines when providing governance statements and certificates of assurance under the requirements set out in the Scottish Public Finance Manual.

12. In view of the pressing nature of the cyber threat, Scottish Ministers have also requested Scottish public bodies to provide them with direct assurance that they:

(i) have secured the Cyber Essentials Plus accreditation by end March 2018;

(ii) are aware of, and can make appropriate use of, the NCSC’s Active Cyber Defence Programme by end March 2018;

(iii) become active participants in the CiSP intelligence sharing network by end March 2018;

(iv) have adopted appropriate procurement provisions in respect of cyber security accreditation in their supply chains, in line with a Scottish Procurement Policy Note to be issued by end 2017; and

(v) have ensured they are meeting their responsibilities in respect of staff training, awareness-raising and disciplinary processes with regard to cyber resilience by end March 2018.

[12] https://www.ncsc.gov.uk/guidance/10-steps-cyber-security

13. For Scottish Public Sector Cyber Catalysts, a bespoke monitoring and evaluation framework has been developed to provide assurance to Scottish Ministers, the public and the Scottish Parliament with regard to progress towards best practice in cyber resilience in their organisations. That monitoring and evaluation framework is set out at Annex D of the action plan to which this best practice guidance is attached (circulated separately).

14. These guidelines will be reviewed and updated regularly to ensure they remain relevant and take account of developments in respect of cyber resilience. Any questions or comments with regard to these guidelines should be directed to the Scottish Government Cyber Resilience Unit ([email protected]).


Cyber Resilience - Best Practice Guidelines

Section (i) – Governance and risk management

Scottish public bodies should ensure that the management of risks arising from cyber threats and incidents forms an integral part of robust governance and risk management structures.

There should be continuous Board-level commitment to, awareness of, and involvement in the management of risks arising from cyber threats and incidents.

15. The Scottish Public Finance Manual requires Scottish public bodies to adopt appropriate risk management processes, with identification, ownership, assessment, management and monitoring of risks forming a key part of this.

16. Bodies to whom the Security Policy Framework applies are required to have Board-level oversight of security compliance and auditing processes, and arrangements to determine and satisfy themselves that delivery partners, service providers and third party suppliers apply proper security controls.

17. The National Cyber Security Centre advises that the lack of an effective risk management and governance structure may lead to the following:

Exposure to risk: Without effective governance processes the Board will be unlikely to understand and manage the overall risk exposure of the organisation.

Missed business opportunities: Risk decisions taken within a dedicated security function, rather than organisationally, will be motivated by achieving high levels of security. This may promote an overly cautious approach to risk leading to missed business opportunities or additional cost.

Ineffective policy implementation: The board has overall ownership of the corporate security policy. Without effective risk management and governance processes the Board won't have confidence that its stated policies are being consistently applied across the business as a whole.

18. It is vital that these processes have appropriate regard to the risks arising to public services and assets (including physical, personnel, digital and information assets) as a result of cyber threats and incidents. Failure to manage such risks effectively can lead to:

possible fatalities and physical casualties (in the event of loss of critical services);

loss of availability, by denying legitimate access to systems and information services;

loss of confidentiality, through information being stolen or released;

loss of integrity, where data is damaged or corrupted;

possible disruption to critical services, such as telecommunications or energy;

economic damage; and

damage to the reputation of Scotland’s public bodies and the public’s trust in Scottish public services.

19. To ensure they are adhering to best practice, Scottish public bodies should have regard to the following provisions.

a) Board-level commitment, awareness and involvement

20. There should be a board level commitment within Scottish public bodies to:

Ensuring that the organisation is working on a continuous basis to understand the cyber threats/risks to the organisation and its critical assets, including physical, personnel, digital and information assets; and

Providing the sustained leadership and resources necessary to drive continuous improvement in organisational cyber resilience in the face of those threats/risks.

21. There should be an identified senior official at Board level who has overall responsibility for the cyber resilience of the organisation, and the status of this role should be equivalent to the status of similar roles in respect of physical and personnel resilience. This is likely to be the organisation’s Senior Information Risk Owner (SIRO), although it is important that appropriate consideration is given to the fact that the cyber threat increasingly applies to physical assets as well as information.

22. Maintaining board engagement is important. The board should have oversight of, and regularly review, risks that may arise from an attack on technology or systems used. To ensure senior ownership and oversight, the risks resulting from cyber incidents should be documented in the corporate risk register and regularly tabled for discussion at board meetings as part of wider risk management processes.

23. To help the Board dispense their duties in respect of cyber resilience and management of cyber risks, mechanisms should be established or updated to ensure Board members are regularly provided with information on such things as:

Whether key assets (physical, personnel, digital or information) that may be vulnerable as a result of cyber threats have been identified and thoroughly assessed as to their vulnerability to attack;

Intelligence on what the key threats and risks to the organisation’s cyber resilience are;

The likelihood of cyber risks/threats materialising and the impact on the organisation if they do;

The action being taken to mitigate these risks/threats and ensure an appropriate response is in place if they materialise.

Entering into knowledge sharing partnerships with other companies and law enforcement, and joining the CiSP Information Sharing Platform, can help Scottish public bodies understand new and emerging threats as well as share approaches and mitigations that might work.


b) Incorporation of cyber into governance and risk management processes (including identification, ownership and management of critical assets and risks/threats)

24. Scottish public bodies should ensure that appropriate consideration of cyber risks and threats forms an integral part of the governance and risk management processes and policies they adopt in line with the requirements of the Scottish Public Finance Manual and (where applicable) the Security Policy Framework. Governance frameworks should enable and support a consistent and empowered approach to risk management across the organisation, with ultimate responsibility residing at board level.

25. An overarching technology and security risk policy should be created and owned by the board to help communicate and support risk management objectives, setting out the risk management strategy for the organisation as a whole. Because of the reliance Scottish public bodies place on digital infrastructure to support our information assets, risk management processes and policies should include an information risk management policy. However, cyber threats can also affect physical (e.g. through digital access to control systems), personnel and digital assets, and this should be reflected in relevant risk management policies covering those areas.

26. Risk management policies and processes should ensure identification of key physical, personnel, digital and information assets, and an assessment of their vulnerability to cyber risks and threats. This may be achieved through conducting periodic cyber-risk assessments to determine the organisation’s level of exposure to cyber-risk. This includes understanding:

the extent to which the organisation’s assets (physical, personnel, digital, information, etc.) are exposed to the internet;

the business assets (including information assets) that are critical to the organisation;

the risks from targeted and opportunist cyber threats;

the exposure to supply chain or customer interface risk;

how informed the organisation’s staff are in relation to cyber risk;

whether the organisation has sufficient resources to deal with a cyber-attack; and

the risks arising from digital transformation.

Conducting a cyber-risk assessment enables an organisation to map out its existing risk profile, to better understand its exposures and potentially lower or offset the risks identified.

27. As part of this work, public bodies should ensure an ongoing and regularly refreshed picture of cyber risks and threats.[13] This may be achieved by:

ensuring processes or systems are in place for monitoring ICT systems, network traffic, and unauthorised user activity (see section ii below), and including relevant information gleaned from this activity in risk management reporting; and

identifying key officials to play an active role in the CiSP network[14], monitoring and sharing information on potential threats, and including relevant information gleaned from this activity in risk management reporting.

[13] [TBC – At the time of writing, consideration is being given to whether public bodies connected to the SCOTs and SWAN networks can be provided with regular, fit-for-purpose information on threats and cyber security in relation to these networks, to allow their Boards to incorporate this information into their risk management processes.]

28. Risk management policies and processes should ensure that ownership of assets and cyber risks throughout the organisation is made clear, with ultimate responsibility resting at Board level.

29. In line with the Scottish Public Finance Manual, public bodies should consider and define their “risk appetite” in respect of cyber risks and threats before moving on to consideration of how risks can be addressed. Boards should agree what risks they are prepared to tolerate in pursuit of business objectives, and produce guidance and statements that help individuals throughout the organisation make appropriate risk-based decisions.

30. Risk management policies and processes should include a systematic approach to prioritising and managing risks, with appropriate, proportionate mitigation put in place in line with the organisation’s risk appetite.

31. Cyber risks and threats should be monitored on an ongoing basis, with arrangements for managing them updated as appropriate. A life-cycle approach to risk management should be adopted - technology changes, as does the threat, and therefore risks change over time. A continuous through-life process needs to be adopted to ensure security controls remain effective and appropriate.

[14] https://www.ncsc.gov.uk/cisp

Cyber Resilience - Best Practice Guidelines

Section (ii) – Specific measures to prepare for and withstand cyber threats and risks

Scottish public bodies should have in place specific measures (on a proportionate risk management basis) to ensure they are prepared for and can withstand identified cyber threats and risks.

These measures should take into account the state of the art, the costs of implementation, and the likelihood and potential impact of risks materialising. They should include appropriate action in respect of:

o improving knowledge, attitudes and behaviours (including education)

o secure configuration

o network security

o managing user privileges

o malware protection

o monitoring

o removable media controls

o home and mobile working

o supply chain risk management

32. The Scottish Public Finance Manual requires Scottish public bodies to ensure the proper management and safeguarding of assets, and the integrity and reliability of information and data. The associated internal controls checklist makes express reference to the importance of access control mechanisms in respect of information systems.

33. The Security Policy Framework requires relevant organisations to have in place risk-informed security controls that ensure critical technology and services are resilient to disruptive challenges such as cyber attacks, and have the means to recover from these. Organisations should be able to maintain the confidentiality, integrity and availability of information, with an overarching programme of information assurance driven by the Board to give confidence that security controls are effective and that systems and services can protect the information they carry. There should be a security culture in place that supports business and security priorities, training which encourages personal responsibility and good security behaviours, processes, systems and incentives to deliver this, and mechanisms to drive continuous improvement and tackle poor behaviour.

34. Taking into account the state of the art, the costs of implementation, and the likelihood and potential impact of risks materialising, Scottish public bodies should take proportionate, risk-based action in line with these requirements to prevent the risks from cyber threats materialising. They should adopt a “secure by default” approach to all new digital public services. To ensure they are adhering to best practice in this respect, Scottish public bodies should have regard to the following provisions.


a) Action to improve knowledge, attitudes and behaviours (inc. education)

36. Guidance from the National Cyber Security Centre15 makes clear that users of technology within Scottish public bodies have a critical role to play in helping to keep the organisation secure, but they must also be able to do their jobs effectively. Organisations that do not effectively support employees with the right tools and awareness may be vulnerable to the following risks:

Removable media and personally owned devices: Without clearly defined and usable policies on the use of removable media and personally owned devices, staff may connect devices to the corporate infrastructure, which might lead to the inadvertent import of malware or the compromise of sensitive information.

Legal and regulatory sanction: If users are not aware of, and supported in, how they should handle particular classes of sensitive information, the organisation may be subject to legal and regulatory sanction.

Incident reporting culture: Without an effective reporting culture there will be poor dialogue between users and the security team. This is essential to uncovering near misses and areas where technology and processes can be improved, as well as reporting actual incidents.

Security Operating Procedures: If security operating procedures are not balanced to support how users perform their duties, security can be seen as a blocker and possibly ignored entirely. Alternatively, if users follow the procedures carefully this might damage legitimate business activity.

External attack: Since users have legitimate system accesses and rights, they can be a primary focus for external attackers. Attacks such as phishing or social engineering attempts rely on taking advantage of legitimate user capabilities and functions.

Insider threat: Changes over time in an employee’s personal situation could make them vulnerable to coercion, and they may release personal or sensitive commercial information to others. Dissatisfied employees may try to abuse their system level privileges or coerce other employees to gain access to information or systems to which they are not authorised. Equally, they may attempt to steal or physically deface computer resources.

36. As part of wider security arrangements, Scottish public bodies should undertake work to educate staff at all levels and maintain their awareness to ensure they understand cyber risks and threats and can take action to manage and respond to them on a proportionate basis.

37. All staff should be assisted to understand their responsibility to manage the risks to the organisation’s assets that may be vulnerable to cyber risks/threats. A risk management culture should be promoted on an organisation-wide basis, driven by corporate governance from the top down, with user participation demonstrated at every level of the business. Staff should be incentivised to adopt appropriate behaviours to mitigate cyber risks/threats.

15 https://www.ncsc.gov.uk/guidance/10-steps-user-education-and-awareness

38. Scottish public bodies should:

Produce user security policies as part of the overarching corporate security policy. Security procedures for all systems should be produced with consideration to different business roles and processes. A 'one size fits all' approach is typically not appropriate for many organisations. Policies and procedures should be described in simple business-relevant terms with limited jargon.

Establish appropriate staff induction processes (including for contractors and third parties), making new users aware of their personal responsibility to comply with corporate security policies. The terms and conditions for their employment (contracts for contractors and third party users) must be formally acknowledged and retained to support any subsequent disciplinary action. Ideally, the initial user registration process should also be linked to the organisation’s technical access controls. Users should be required to sign off user security policies as read and understood.

Maintain user awareness of the security risks faced by the organisation: All users should receive regular refresher training on the security risks to the organisation and to staff (as both employees and individuals), and on incident response plans. Consider providing a platform for users to enquire about security risks and discuss the advice they are given. On the whole, users want to do the right thing, so giving them guidance to put security advice into practice will help.

Support the formal assessment of security skills: Staff in security roles should be encouraged to develop and formally validate their security skills through enrolment on a recognised certification scheme. Some security related roles such as system administrators, incident management team members, security architects, designers of digital services and forensic investigators may require specialist training.

Monitor the effectiveness of security training: Establish mechanisms to test the effectiveness and value of the security training provided to all users. This might be done by including questions in staff surveys, or by assessing staff responses to penetration testing. This will allow training improvements and the opportunity to clarify any possible misunderstandings. Ideally the training provided will allow for a two-way dialogue between the security team and users.

Promote knowledge sharing: Encourage and support key staff to participate in knowledge and intelligence sharing exchanges in respect of cyber resilience with peers across the Scottish public, private and 3rd sectors.

Promote a no-blame incident reporting culture: The organisation should enable a security culture that empowers staff to voice their concerns about poor security practices and security incidents to senior managers, without fear of recrimination. This should be reciprocated with a culture where security professionals acknowledge that security-related effort by non-security staff is time away from their work, and is helping to protect the organisation. Whistleblowing policies and procedures should take appropriate account of cyber resilience issues.


Establish a formal disciplinary process: All staff should be made aware that any abuse of the organisation’s security policies will result in disciplinary action being taken against them. All sanctions detailed in policy should be enforceable at a practical level.

39. Consideration should be given to running exercises to assess the organisation’s readiness in respect of cyber-threats and to raise awareness of any areas for improvement. The Scottish Government Cyber Resilience Unit is, at the time of writing, developing a series of presentations, workshops and walk-through exercises that could support public bodies in this. Enquiries about this should be made to [email protected].

b) Secure configuration

40. Guidance from the National Cyber Security Centre16 makes clear that Scottish public bodies should establish and then actively maintain the secure configuration of systems as a key security control. Systems that are not effectively managed will be vulnerable to attacks that may have been preventable. Failure to implement good configuration and patch management can lead to the following risks:

Unauthorised changes to systems: The protections Scottish public bodies believe they have in-place may be changed by unauthorised individuals, either internal or external, leaving information at risk.

Exploitation of software bugs: New patches are released almost daily, and the timely application of security patches is critical to preserving the confidentiality, integrity and availability of systems. Attackers will attempt to exploit unpatched systems to provide them with unauthorised access to system resources and information. Many successful attacks exploit vulnerabilities for which patches have been issued but not applied.

Exploitation of insecure system configurations: An attacker could exploit a system that has been poorly configured by:

o Gaining access to information they are not authorised to see, or importing malware

o Taking advantage of unnecessary user rights or system privilege

o Exploiting unnecessary functionality that has not been removed or disabled to conduct attacks and gain unauthorised access

o Connecting unauthorised equipment that is then able to compromise information or introduce malware

o Creating a back door to use in the future for malicious purposes

Increases in the number of security incidents: Without an awareness of vulnerabilities that have been identified and the availability (or not) of patches and fixes, the business will be increasingly disrupted by security incidents.

16 https://www.ncsc.gov.uk/guidance/10-steps-secure-configuration

41. Scottish public sector bodies should have in place corporate policies and processes to develop (or procure) secure baseline builds and manage the configuration and the ongoing functionality of all systems. They should adopt a “secure by default” approach to the organisation’s ICT.

42. Scottish public bodies should ensure they have put in place measures to minimise the risk of poor system configuration. The following security controls should be considered by Scottish public bodies or their network/system suppliers:

Use supported software: Wherever possible, use versions of operating systems, web browsers and applications that are vendor (or community) supported.

Develop and implement policies to update and patch systems: Implement policies to ensure that security patches are applied in an appropriate time frame, such as 14 days for critical patches. Automated patch management and software update tools may be helpful. In cases where it is not possible to patch a vulnerability steps should be taken to make it very difficult to exploit. This might include making it difficult for an attacker to communicate with the system.

Create and maintain hardware and software inventories: Create inventories of all authorised hardware and software used across the organisation. Ideally the inventory should capture the physical location, business owner and purpose of hardware together with the version and patch status of all software. Tools can be used to help identify unauthorised hardware or software.

Manage operating systems and software: Implement a secure baseline build for all systems and components, including hardware and software. Any functionality or application that does not support a user or business need should be removed or disabled. The secure build profile should be managed by a configuration control process and any deviation from the standard build should be documented and approved.

Conduct regular vulnerability scans: Regularly run automated vulnerability scanning tools against all networked devices and remedy or manage any identified vulnerabilities within an agreed time frame.

Establish configuration control and management: Implement policies that set out a configuration control and change management process for all systems.

Disable unnecessary peripheral devices and removable media access: Assess the need for access to peripheral devices and removable media. Disable ports and system functionality that does not support a user or business need.

Implement white-listing and execution control: Create and maintain a whitelist of authorised applications and software that can be executed. In addition, systems should be capable of preventing the installation and execution of unauthorised software by employing process execution controls.


Limit user ability to change configuration: Provide users with the permissions that they need to fulfil their business role. Users with ‘normal’ privileges should be prevented from installing or disabling any software or services running on the system.

Limit privileged user functionality: Ensure that users with privileged system rights (administrators) have constrained internet and email access from their privileged account. This limits exposure to spear phishing and reduces the ability of an attacker to achieve wide system access through exploiting a single vulnerability.
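As an added illustration of the configuration-control point in paragraph 42 (this is example code written for these guidelines' discussion, not code from the guidelines or from the NCSC), the Python script below parses a host's sshd_config, compares it against a secure baseline build and reports drift, separating deviations that have been documented and approved from those that have not. The baseline values, the approved-deviation list and the configuration text are assumptions constructed for the example; the parsing follows sshd's own rules (the first occurrence of a keyword wins, keywords are case-insensitive, and settings under a Match block apply conditionally rather than globally).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Secure baseline for the SSH service on the standard build. Keywords are
# stored lower-case because sshd treats them case-insensitively. The values
# are assumed for this example, not taken from the guidelines.
SSH_BASELINE: Dict[str, str] = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "3",
}


@dataclass
class Deviation:
    keyword: str
    expected: str
    actual: Optional[str]   # None: keyword absent, so the daemon default applies
    approved: bool          # True if the deviation is documented and approved


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global keyword -> value mapping.

    Mirrors the sshd semantics that matter for a compliance check: comments
    and blank lines are ignored, keywords are case-insensitive, keyword and
    value may be separated by whitespace or by '=', the FIRST occurrence of
    a keyword wins, and parsing stops at the first Match block because the
    settings below it apply conditionally rather than globally.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)  # first occurrence wins
    return settings


def check_drift(config_text: str, baseline: Dict[str, str],
                approved: Set[str]) -> List[Deviation]:
    """Compare one host's sshd_config against the baseline build."""
    actual = parse_sshd_config(config_text)
    deviations: List[Deviation] = []
    for keyword, expected in baseline.items():
        value = actual.get(keyword)
        if value is None or value.lower() != expected.lower():
            deviations.append(Deviation(keyword, expected, value, keyword in approved))
    return deviations


def unapproved(deviations: List[Deviation]) -> List[Deviation]:
    """Deviations never documented and approved: these are the findings."""
    return [d for d in deviations if not d.approved]


# Constructed sshd_config for one host (example data, not a real system).
SAMPLE_SSHD_CONFIG = """\
# Managed host: constructed example
Port 22
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes    # ignored: sshd keeps the first value
X11Forwarding = yes
Match User backup
    PermitRootLogin no
"""

# Documented, approved deviation for this host (an assumption for the example).
APPROVED_DEVIATIONS = {"x11forwarding"}

if __name__ == "__main__":
    for d in check_drift(SAMPLE_SSHD_CONFIG, SSH_BASELINE, APPROVED_DEVIATIONS):
        state = "approved" if d.approved else "UNAPPROVED"
        print(f"{d.keyword}: expected {d.expected!r}, actual {d.actual!r} [{state}]")
```

Run as-is, the script reports three deviations for the constructed host, two of which (root login permitted, no MaxAuthTries set) are unapproved findings. In practice the same comparison would be run from the configuration management tooling against every managed host, with the approved-deviations list held alongside the change record that authorised each exception, so that drift and undocumented changes surface as soon as they occur.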

c) Network security

43. Guidance from the National Cyber Security Centre17 makes clear that the connections from Scottish public bodies’ networks to the Internet, and other partner networks, expose systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, Scottish public bodies can reduce the chances of these attacks succeeding (or causing harm to the organisation).

44. Organisations’ networks almost certainly span many sites, and the use of mobile / remote working, and cloud services, makes defining a fixed network boundary difficult. Rather than focusing purely on physical connections, Scottish public bodies should think also about where their data is stored and processed, and where an attacker would have the opportunity to interfere with it.

45. Scottish public bodies that fail to protect their networks appropriately could be subject to a number of risks, including:

Exploitation of systems: Ineffective network design may allow an attacker to compromise systems that perform critical functions, affecting the organisation's ability to deliver essential services or resulting in severe loss of customer or user confidence.

Compromise of information: A poor network architecture may allow an attacker to compromise sensitive information in a number of ways. They may be able to access systems hosting sensitive information directly, or intercept poorly protected information whilst in transit (such as between organisations’ end user devices and a cloud service).

Import and export of malware: Failure to put in place appropriate security controls could lead to the import of malware and the potential to compromise business systems. Conversely users could deliberately or accidentally release malware or other malicious content externally with associated reputational damage.

Denial of service: Internet-facing networks may be vulnerable to Denial of Service (DoS) attacks, in which access to services and resources is denied to legitimate users or customers.

17 https://www.ncsc.gov.uk/guidance/10-steps-network-security

Damage or defacement of corporate resources: Attackers that have successfully compromised the network may be able to further damage internal and externally facing systems and information (such as defacing organisations’ websites, or posting onto social media accounts), harming the organisation’s reputation and customer confidence.

46. Scottish public sector organisations (or, where appropriate, their ICT providers) should produce, implement and maintain network security designs and policies that align with the organisation’s broader risk management approach. NCSC advice is that it may be helpful to follow recognised network design principles (eg ISO 27033) to help define an appropriate network architecture including both the network perimeter, any internal networks, and links with other organisations such as service providers or partners.

47. Specifically on network security, Scottish public sector organisations (or, where appropriate, their ICT providers) should:

Manage the network perimeter: Manage access to ports, protocols and applications by filtering and inspecting all traffic at the network perimeter to ensure that only traffic which is required to support the business is being exchanged. Control and manage all inbound and outbound network connections and deploy technical controls to scan for malicious content:

Use firewalls: Use firewalls to create a buffer zone between the Internet (and other untrusted networks) and the networks used by the business. The firewall rule set should deny traffic by default and a whitelist should be applied that only allows authorised protocols, ports and applications to exchange data across the boundary. This will reduce the exposure of systems to network based attacks. Ensure effective processes for managing changes to avoid workarounds.

Prevent malicious content: Deploy malware checking solutions and reputation-based scanning services to examine both inbound and outbound data at the perimeter in addition to protection deployed internally. The antivirus and malware solutions used at the perimeter should ideally be different to those used to protect internal networks and systems in order to provide some additional defence in depth.

Protect the internal network: Ensure that there is no direct routing between internal and external networks (especially the Internet), which limits the exposure of internal systems to network attack from the Internet. Monitor network traffic to detect and react to attempted or actual network intrusions.

Segregate networks into sets: Identify, group and isolate critical business systems and apply appropriate network security controls to them.

Secure wireless access: All wireless access points should be appropriately secured, only allowing known devices to connect to corporate Wi-Fi services. Security scanning tools may be useful to detect and locate unauthorised or spoof wireless access points.


Enable secure administration: Administrator access to any network component should be properly authenticated and authorised. Make sure default administrative passwords for network equipment are changed.

Configure the exception handling processes: Ensure that error messages returned to internal or external systems or users do not include sensitive information that may be useful to attackers.

Monitor the network: Network intrusion detection and prevention tools should be deployed on the network and configured by qualified staff. The capabilities should monitor all traffic for unusual incoming and outgoing activity that could be indicative of an attack. Alerts generated by the system should be promptly managed by appropriately trained staff.

Assurance processes: Conduct regular penetration tests of the network architecture and undertake simulated cyber attack exercises to ensure that security controls have been well implemented and are effective.

d) Managing User Privileges

48. Advice from the National Cyber Security Centre18 makes clear that if users are provided with unnecessary system privileges or data access rights, then the impact of misuse or compromise of that user’s account will be more severe than it need be. All users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed. This principle is sometimes referred to as ‘least privilege’.

49. Scottish public bodies should understand what level of access employees need to information, services and resources in order to do their job, otherwise it won't be possible to manage rights appropriately. Failure to effectively manage user privileges could result in the following risks being realised:

Misuse of privileges: Users could either accidentally or deliberately misuse the privileges assigned to them. This may result in unauthorised access to information to either the user or a third party or to unauthorised system changes having a direct security or operational impact.

Increased attacker capability: Attackers may use redundant or compromised user accounts to carry out attacks and, if able, they may return to reuse the compromised account or possibly sell access to others. The system privileges provided to the original user of the compromised account will be available to the attacker to use which is why they particularly seek to gain access to highly privileged or administrative accounts.

18 https://www.ncsc.gov.uk/guidance/10-steps-managing-user-privileges

Negating established security controls: Where attackers have privileged system access they may make changes to security controls to enable further or future attacks, or might attempt to cover their tracks by altering or deleting audit logs.

50. Scottish public bodies (or, where appropriate, their ICT providers) should determine what rights and privileges users need to effectively perform their duties and implement a policy of 'least privilege'.

51. Specifically on managing user privileges, Scottish public bodies (or, where appropriate, their ICT providers) should:

Establish effective account management processes: Manage user accounts from creation, through-life and eventually revocation when a member of staff leaves or changes role. Redundant accounts, perhaps provided for temporary staff or for testing, should be removed or suspended when no longer required.

Establish policies and standards for user authentication and access control: A corporate password policy should be developed that seeks an effective balance between security and usability, as set out in the NCSC’s password guidance. For some accounts an additional authentication factor (such as a token) may be appropriate.

Limit user privileges: Users should be provided with the reasonable minimum rights and permissions to systems, services and information that they need to fulfil their business role.

Limit the number and use of privileged accounts: Strictly control the granting of highly privileged system rights, reviewing the ongoing need regularly. Highly privileged administrative accounts should not be used for high risk or day to day user activities, for example web browsing and email. Administrators should use normal accounts for standard business use.

Monitor: Monitor user activity, particularly access to sensitive information and the use of privileged account actions. Respond where activities are outside of normal, expected bounds (such as access to large amounts of sensitive information outside of standard working hours).

Limit access to the audit system and the system activity logs: Activity logs from network devices should be sent to a dedicated accounting and audit system that is separated from the core network. Access to the audit system and the logs should be strictly controlled to preserve the integrity of the content and all privileged user access recorded.

Educate users and maintain their awareness: All users should be aware of the policy regarding acceptable account usage and their personal responsibility to adhere to corporate security policies.
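As an added example for the account management and privileged account points in paragraph 51 (example code written for this discussion, not code from the guidelines or the NCSC), the Python script below reviews a constructed directory export against four of those rules: accounts belonging to leavers that are still enabled, dormant accounts, temporary or test accounts past their expiry, and privileged accounts whose owner has no separate standard account for day-to-day use. The account records, the leavers list, the review date and the 90-day dormancy threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    name: str
    owner: str                  # person or team responsible for the account
    enabled: bool
    privileged: bool            # holds administrative rights
    kind: str                   # "user", "test" or "service"
    last_logon: Optional[date]  # None: never used
    expires: Optional[date]     # set for temporary and test accounts


def review_accounts(accounts: List[Account], leavers: Set[str], today: date,
                    dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Return (account name, finding) pairs for accounts that need action.

    Disabled accounts are skipped: they have already been suspended, which
    is the action these checks would otherwise recommend.
    """
    by_owner: Dict[str, List[Account]] = {}
    for a in accounts:
        by_owner.setdefault(a.owner, []).append(a)

    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.owner in leavers:
            findings.append((a.name, "owner has left the organisation: revoke"))
        if a.last_logon is None or (today - a.last_logon).days > dormant_days:
            findings.append((a.name, f"no logon for more than {dormant_days} days: suspend"))
        if a.expires is not None and a.expires < today:
            findings.append((a.name, "temporary account past its expiry date: remove"))
        # Administrators must have a normal account for standard business use
        # (email, web browsing); a privileged account with no such sibling
        # is almost certainly being used for day-to-day work.
        has_standard = any(o.enabled and not o.privileged for o in by_owner[a.owner])
        if a.privileged and not has_standard:
            findings.append((a.name, "privileged account with no separate standard account for day-to-day use"))
    return findings


# Constructed directory export and HR leavers list (example data only).
TODAY = date(2017, 9, 4)
LEAVERS = {"carol", "dave"}
ACCOUNTS = [
    Account("alice",       "alice",  True,  False, "user",    date(2017, 9, 1),  None),
    Account("alice-adm",   "alice",  True,  True,  "user",    date(2017, 9, 3),  None),
    Account("bob-adm",     "bob",    True,  True,  "user",    date(2017, 9, 3),  None),
    Account("carol",       "carol",  True,  False, "user",    date(2017, 8, 30), None),
    Account("dave",        "dave",   False, False, "user",    date(2017, 5, 1),  None),
    Account("test-import", "it-ops", True,  False, "test",    date(2017, 7, 26), date(2017, 8, 5)),
    Account("svc-backup",  "it-ops", True,  False, "service", date(2017, 5, 1),  None),
]

if __name__ == "__main__":
    for name, finding in review_accounts(ACCOUNTS, LEAVERS, TODAY):
        print(f"{name}: {finding}")
```

On the constructed data the review flags bob-adm (an administrator with no standard account), carol (a leaver still enabled), test-import (a test account past its expiry) and svc-backup (unused for over 90 days), while dave, already disabled, is left alone. A review of this kind is only as good as its inputs, so the leavers list must come from HR and the directory export from the authoritative identity store, and the review should run on a schedule rather than once.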


e) Malware protection

52. Malicious software, or “malware”, is an umbrella term to cover any code or content that could have a malicious, undesirable impact on systems. Advice from the National Cyber Security Centre19 makes clear that any exchange of information carries with it a degree of risk that malware might be exchanged, which could seriously impact systems and services. This might include disruption of public services, unauthorised export of sensitive information or loss of access to critical data (e.g. caused by ransomware).

53. The range, volume and source of information exchanged (as well as the technologies used) provide a range of opportunities for malware to be imported. Examples include:

Email: Email still provides a primary path for internal and external information exchange. Malicious email attachments can cause their payload to be executed when the file is opened or otherwise processed. Email with malicious content may be specifically targeted at known individuals (known as spear phishing) with access to sensitive information, or at roles with elevated privileges. Alternatively malicious email may include embedded links that direct users to websites hosting malicious content.

Web browsing: Users could browse (or be directed to) websites that may contain malicious content which seeks to compromise applications (such as the browser) that interact with that content.

Web services: User access to social media and other web based services could provide an ability for users to import a variety of data formats.

Removable media and personally owned devices: Malware can be transferred to a corporate system through the uncontrolled introduction of removable media or the direct connection of untrusted devices. This might include (for example) connecting a smartphone via a USB port, even if intended only to charge the device.

54. Scottish public bodies can reduce these risks by implementing appropriate security controls as part of an overall 'defence in depth' approach. They (or, where appropriate, their ICT providers) should:

Develop and implement anti-malware policies: Develop and implement corporate anti-malware policies and standards and ensure that they are consistently implemented across your infrastructure. The approach should be applicable and relevant to all business areas.

Manage all data import and export: All data should be scanned for malicious content at the network perimeter, whether internet gateways or facilities to introduce removable media.

Blacklist malicious web sites: Ensure that the perimeter gateway uses blacklisting to block access to known malicious web sites.

19 https://www.ncsc.gov.uk/guidance/10-steps-malware-prevention

Provide dedicated media scanning machines: Stand-alone workstations can be provided and equipped with appropriate anti-virus products. The workstation should be capable of scanning the content contained on any type of media and inspecting recursive content within files. Ideally every scan should be bound to a known user.

Establish malware defences: Malware can attack any system process or function so a technical architecture that provides multiple defensive layers (defence in depth) should be considered. This should include the following controls:

o End user device protection: On many platforms host based malware protection is provided by using antivirus applications. However several platforms (such as some smartphones) meet the need to protect against malware using other mechanisms such as application whitelisting.

o Deploy antivirus and malicious code checking solutions to scan inbound and outbound objects at the network perimeter. Where host based antivirus is used it may be sensible to use different products to increase overall detection capability. Any suspicious or infected malicious objects should be quarantined for further analysis.

o Deploy a content filtering capability on all external gateways to try to prevent attackers delivering malicious code to common desktop applications such as the web browser.

o Install firewalls where appropriate, configuring them to deny traffic by default.

o If the business processes can support it, consider disabling certain browser plugins or scripting languages.

o Where possible, disable the autorun function to prevent the automatic execution of malicious code from any type of removable media. Equally, if removable media is introduced, the system should automatically scan it for malicious content.

o Ensure systems and components are well configured according to the secure baseline build and kept up to date.

Ensure user education and awareness raising includes a focus on malware: Users should understand the risks from malware and the day-to-day processes they can follow to help prevent a malware infection from occurring. The user instructions should contain the following:

o Try to stop and think before clicking on links, but don't worry if you think you've clicked on something harmful. Tell your security team as soon as possible and they will help.

o Do not connect any unapproved removable media or personally owned device to the network.

o Report any strange or unexpected system behaviour to the appropriate security team.

o Maintain awareness of how to report a security incident.

f) Monitoring

55. System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Good monitoring is essential in order to effectively respond to attacks. In addition, monitoring allows organisations to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with legal or regulatory requirements.

56. Guidance from the National Cyber Security Centre20 makes clear that, without the ability to monitor systems, Scottish public bodies may not be able to:

Detect attacks: Either originating from outside the organisation or attacks as a result of deliberate or accidental user activity. Attacks may be directly targeted against technical infrastructure or against the services being run. Attacks can also seek to take advantage of legitimate business services, for example by using stolen credentials to defraud payment services.

React to attacks: An effective response to an attack depends upon first being aware that an attack has happened or is taking place. A swift response is essential to stop the attack, and to respond and minimise the impact or damage caused.

Account for activity: You should have a complete understanding of how systems, services and information are being used by users. Failure to monitor systems and their use could lead to attacks going unnoticed and/or non-compliance with legal or regulatory requirements.

57. Scottish public bodies (or, where appropriate, their systems providers) should ensure they monitor systems to better detect attacks and react to them appropriately, whilst providing a basis upon which lessons can be learned to improve the overall security of the organisation. They (or, where appropriate, their systems providers) should:

Establish a monitoring strategy and supporting policies: Develop and implement a monitoring strategy based on business need and an assessment of risk. The strategy should include both technical and transactional monitoring as appropriate. The incident management plan as well as knowledge of previous security incidents should inform the approach.

Monitor all systems: Ensure that all networks, systems and services are included in the monitoring strategy. This may include the use of network, host based and wireless Intrusion Detection Systems (IDS). These solutions should provide both signature-based capabilities to detect known attacks, and heuristic capabilities to detect unusual system behaviour.

20 https://www.ncsc.gov.uk/guidance/10-steps-monitoring

Monitor network traffic: Inbound and outbound traffic traversing network boundaries should be monitored to identify unusual activity or trends that could indicate attacks. Unusual network traffic (such as connections from unexpected IP ranges overseas) or large data transfers should automatically generate security alerts with prompt investigation.

Monitor user activity: The monitoring capability should have the ability to identify the unauthorised or accidental misuse of systems or data. Critically, it should be able to tie specific users to suspicious activity. Take care to ensure that all user monitoring complies with all legal or regulatory constraints.

Fine-tune monitoring systems: Ensure that monitoring systems are tuned appropriately to only collect events and generate alerts that are relevant to your needs. Inappropriate collection of monitoring information and generation of alerts can mask the detection of real attacks as well as be costly in terms of data storage and investigatory resources required.

Establish a centralised collection and analysis capability: Develop and deploy a centralised capability that can collect and analyse information and alerts from across the organisation. Much of this should be automated due to the volume of data involved, enabling analysts to concentrate on anomalies or high priority alerts. Ensure that the solution architecture does not itself provide an opportunity for attackers to bypass normal network security and access controls.

Provide resilient and synchronised timing: Ensure that the monitoring and analysis of audit logs is supported by a centralised and synchronised timing source that is used across the entire organisation to support incident response and investigation.

Align incident management policies: Ensure that policies and processes are in place to appropriately manage and respond to incidents detected by monitoring solutions.

Conduct a 'lessons learned' review: Ensure that processes are in place to test monitoring capabilities, learn from security incidents and improve the efficiency of the monitoring capability.
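The following Python script is an added worked example; it is not part of these guidelines or of the NCSC guidance they cite. It runs the two boundary-traffic rules described above (connections to or from address ranges the organisation does not expect, and large outbound transfers) over a handful of constructed flow records, and illustrates two of the supporting points: every record is normalised to UTC before analysis, so that events from devices stamping in different time zones sort onto one synchronised timeline, and the allowlist, size threshold and alert de-duplication are the tuning knobs that keep alert volume proportionate. The flow record format, the partner address ranges (taken from the reserved documentation ranges) and the 500 MiB threshold are all assumptions made for the example.

```python
"""Boundary-traffic monitoring rules run over constructed flow records.

Illustrates three points from the monitoring guidance: normalising every
event to one synchronised (UTC) timeline, alerting on traffic to or from
unexpected address ranges and on large outbound transfers, and tuning
(allowlist, threshold, de-duplication) so the alert volume stays useful.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one flow record per line, as if exported by two
# boundary devices whose clocks are stamped in different local offsets.
# Fields: timestamp, direction (in/out), source, destination, bytes.
SAMPLE_FLOWS = """\
2017-09-01T09:00:05+01:00 out 10.20.1.15 198.51.100.7 5120
2017-09-01T08:00:09+00:00 out 10.20.1.15 203.0.113.44 204800
2017-09-01T09:00:12+01:00 in 192.0.2.10 10.20.1.15 1024
2017-09-01T09:01:30+01:00 out 10.20.1.30 203.0.113.44 734003200
2017-09-01T08:02:00+00:00 out 10.20.1.30 203.0.113.44 52428800
2017-09-01T09:03:00+01:00 in 198.51.100.200 10.20.1.15 4096
"""

# Constructed tuning parameters. The ranges stand in for the organisation's
# known external partners (reserved documentation ranges are used); the
# threshold is the cumulative outbound volume per source/destination pair
# that warrants an alert. Both are revisited when tuning shows noise or misses.
EXPECTED_EXTERNAL_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024


def parse_flows(text: str) -> list[dict]:
    """Parse flow lines and normalise timestamps to UTC so records from
    differently configured devices sort onto one consistent timeline."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, src, dst, nbytes = line.split()
        records.append({
            "time": datetime.fromisoformat(ts).astimezone(timezone.utc),
            "direction": direction,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "bytes": int(nbytes),
        })
    records.sort(key=lambda r: r["time"])
    return records


def is_expected(addr) -> bool:
    """True when the external address falls inside an expected range."""
    return any(addr in net for net in EXPECTED_EXTERNAL_RANGES)


def evaluate(records: list[dict]) -> list[dict]:
    """Apply both boundary rules; each (rule, src, dst) alerts at most once."""
    alerts = []
    seen = set()
    outbound_totals = defaultdict(int)

    def raise_alert(rule: str, rec: dict, detail: str) -> None:
        key = (rule, rec["src"], rec["dst"])
        if key in seen:  # de-duplicate so repeats do not mask other alerts
            return
        seen.add(key)
        alerts.append({"rule": rule, "time": rec["time"],
                       "src": str(rec["src"]), "dst": str(rec["dst"]),
                       "detail": detail})

    for rec in records:
        # The external party is the destination for outbound flows and the
        # source for inbound ones; both directions are checked.
        external = rec["dst"] if rec["direction"] == "out" else rec["src"]
        if not is_expected(external):
            raise_alert("unexpected-peer", rec,
                        f"{external} is outside the expected external ranges")
        if rec["direction"] == "out":
            pair = (rec["src"], rec["dst"])
            outbound_totals[pair] += rec["bytes"]
            if outbound_totals[pair] >= LARGE_TRANSFER_BYTES:
                raise_alert("large-transfer", rec,
                            f"{outbound_totals[pair]} bytes sent cumulatively, "
                            f"threshold {LARGE_TRANSFER_BYTES}")
    return alerts


def run(text: str = SAMPLE_FLOWS) -> list[dict]:
    """Parse, normalise and evaluate a batch of flow records."""
    return evaluate(parse_flows(text))


if __name__ == "__main__":
    for alert in run():
        print(alert["time"].isoformat(), alert["rule"], alert["src"], "->",
              alert["dst"], alert["detail"])
```

On the sample data the script raises three alerts: two for traffic to an address outside the expected ranges and one for a cumulative outbound transfer above the threshold; the repeated flow to the same peer is suppressed. In a deployment the records would come from the centralised collection capability rather than an inline string, and the ranges and threshold would be reviewed as part of the "lessons learned" process described above.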

g) Removable Media Controls

58. The NCSC[21] notes that removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data. The failure to manage the import and export of information using removable media could expose Scottish public bodies to the following risks:

Loss of information: Removable media is very easily lost, which could result in the compromise of large volumes of sensitive information stored on it. Some media types will retain information even after user deletion, placing information at risk where the media is used between systems (or when the media is disposed of).

[21] https://www.ncsc.gov.uk/guidance/10-steps-removable-media-controls

Introduction of malware: The uncontrolled use of removable media can increase the risk of introducing malware to systems.

Reputational damage: The loss of media can result in significant reputational damage, even if there is no evidence of any specific data loss.

59. Scottish public sector organisations should carry out a risk-benefit analysis of the use of removable media, and apply appropriate and proportionate security controls in the context of their business and risk appetite.

60. Specifically on removable media controls, Scottish public bodies (or, where appropriate, their systems providers) should:

Produce corporate policies: Develop and implement policies and solutions to control the use of removable media. Do not use removable media as a default mechanism to store or transfer information. Under normal circumstances information should be stored on corporate systems and exchanged using appropriately protected mechanisms.

Limit the use of removable media: Where the use of removable media is required to support the business need, it should be limited to the minimum media types and users needed. The secure baseline build should deny access to media ports by default, only allowing access to approved users.

Scan all media for malware: Removable media should be automatically scanned for malware when it is introduced to any system. The removable media policy could also require that any media brought into the organisation is scanned for malicious content by a standalone machine before any data transfer takes place.

Formally issue media to users: All removable media should be formally issued to individual users who will be accountable for its use and safe keeping. Users should not use unofficial media, such as USB sticks given away at conferences.

Encrypt information held on media: Sensitive information should be encrypted at rest on media. If encryption is not employed then appropriate physical protection of the media is critical.

Actively manage the reuse and disposal of removable media: Where removable media is to be reused or destroyed then appropriate steps should be taken to ensure that previously stored information will not be accessible. The processes will be dependent on the value of the information and the risks posed to it and could range from an overwriting process to the physical destruction of the media by an approved third party.

Educate users and maintain awareness: Ensure that all users are aware of their personal responsibilities for following the removable media security policy.


h) Home and mobile working

61. Mobile working and remote system access offer great business benefits, but they expose organisations to new risks that need to be managed. Mobile working and remote access extend the transit and storage of information (or operation of systems) outside of the corporate infrastructure, typically over the Internet. Mobile devices will also typically be used in spaces that are subject to additional risks such as oversight of screens, or the theft/loss of devices. NCSC guidance[22] notes that Scottish public bodies that do not establish sound mobile working and remote access practices might be vulnerable to the following risks:

Loss or theft of the device: Mobile devices are highly vulnerable to being lost or stolen, potentially offering access to sensitive information or systems. They are often used in open view in locations that cannot offer the same level of physical security as your own premises.

Being overlooked: Some users will have to work in public open spaces, such as on public transport, where they are vulnerable to being observed when working. This can potentially compromise sensitive information or authentication credentials.

Loss of credentials: If user credentials (such as username, password, or token) are stored with a device used for remote working or remote access and it is lost or stolen, an attacker could use those credentials to compromise services or information stored on (or accessible from) that device.

Tampering: An attacker may attempt to subvert the security controls on the device through the insertion of malicious software or hardware if the device is left unattended. This may allow them to monitor all user activity on the device, including authentication credentials.

62. Scottish public bodies should establish risk-based policies and procedures that cover all types of mobile devices and home and flexible working. They should also plan for an increase in the number of security incidents.

63. Specifically on home and mobile working, Scottish public bodies (or, where appropriate, their systems providers) should:

Assess the risks and create a mobile working policy: Assess the risks associated with all types of mobile working and remote access. The resulting mobile security policy should determine aspects such as the processes for authorising users to work off-site, device provisioning and support, the type of information or services that can be accessed or stored on devices and the minimum procedural security controls. The risks to the corporate network or systems from mobile devices should be assessed and consideration given to an increased level of monitoring on all remote connections and the systems being accessed.

Educate users and maintain awareness in respect of home and mobile working: All users should be trained on the use of their mobile device for the locations they will be working in.

[22] https://www.ncsc.gov.uk/guidance/10-steps-home-and-mobile-working

Users should be supported to look after their mobile device and operate securely by following clear procedures. This should include direction on:

o secure storage and management of user credentials
o incident reporting
o environmental awareness (the risks from being overlooked, etc.)

Apply the secure baseline build: Develop and apply a secure baseline build and configuration for all types of mobile device used by the organisation.

Protect data at rest: Minimise the amount of information stored on a mobile device to only that which is needed to fulfil the business activity that is being delivered outside the normal office environment. If the device supports it, encrypt the data at rest.

Protect data in transit: If the user is working remotely the connection back to the corporate network will probably use the Internet. All information exchanged should be appropriately encrypted.

Review corporate incident management plans with regard to mobile working: Mobile working attracts significant risks and security incidents will occur even when users follow the security procedures. Corporate incident management plans should be sufficiently flexible to deal with the range of security incidents that could occur, including the loss or compromise of a device. Ideally, technical processes should be in place to remotely disable a device that has been lost or at least deny it access to the corporate network.

i) Supply chain risk management

64. Scottish public bodies contract with a wide range of suppliers in the private and third sectors to help support the delivery of vital public services. The NCSC[23] notes that, when information and security arrangements are shared across a supply chain, the cyber-security of any one organisation within the chain is potentially only as strong as that of the weakest member of the supply chain. Cyber criminals can exploit this by identifying the organisation with the weakest cyber-security within the supply chain and using the vulnerabilities present in its systems to gain access to other members of the supply chain. Whilst not always the case, it is often the smaller organisations within a supply chain which, due to more limited resources, have the weakest cyber-security arrangements.

65. Scottish Procurement will issue a Scottish Procurement Policy Note by end 2017, updating procurement policy in respect of supply chain cyber security as it applies to Scottish public bodies that are subject to the Scottish Public Finance Manual. This policy will set out clear requirements in respect of supply chain cyber security accreditation for suppliers under certain contracts. Cyber Essentials accreditation will form a core part of this policy.

[23] https://www.ncsc.gov.uk/guidance/cyber-security-risks-supply-chain

66. The Scottish Government Procurement Journey, the online best practice manual available to the whole Scottish public procurement community, will be amended to reflect these requirements.

67. Scottish public bodies should ensure they are aware of and are adhering to procurement policy as set out in this procurement policy note at the end of 2017.

68. Where Scottish public bodies are not required to comply with Scottish Procurement Policy Notes, it is nevertheless recommended that they adopt a similar policy in respect of supply chain cyber security accreditation, to minimise complexity and burdens on industry.

___________________________________


Cyber Resilience - Best Practice Guidelines

Section (iii) – Specific measures to respond to, and recover from, cyber incidents

Scottish public bodies should have in place specific measures (on a proportionate risk management basis) to ensure they have an incident response capability in place to deal with and recover from cyber-incidents.

These arrangements should align with, and link in to, response arrangements in a range of other key organisations and include the following key elements:

o Written incident response policies/plans that are fit for purpose for cyber incidents
o Clarity on staffing and team structure (inc. roles and authority and out of hours arrangements)
o Arrangements to define, detect and triage cyber-incidents, and trigger incident management plans appropriately
o Systems to contain, investigate, eradicate and recover from cyber-incidents
o Information sharing and coordination
o Business continuity plans
o Lessons learned and improvement
o Exercising

69. It is almost impossible for Scottish public bodies to prevent all cyber risks materialising. There will almost inevitably be some cyber attacks that manage to evade preventative measures, and cause disruption to public services. When this happens, Scottish public bodies must ensure they have appropriate incident management capabilities in place, so that they can rapidly recover and learn from the incident.

70. Scottish public sector organisations should ensure they have an incident response capability in place to deal with cyber-security incidents. These arrangements should align with, and link in to, response arrangements within the organisation for wider threats. They should also align with, and link in to, response arrangements in a range of other key organisations and include the following key elements.

a) Incident response policy/plan

71. Scottish public bodies should have written incident response policies/plans in place, which are fit for purpose to deal with cyber incidents. These policies/plans should form part of overall incident management policies/plans within the organisation, and provide the roadmap for implementing the incident response capability.

72. Policies/plans may include the following key elements (this is not an exhaustive list):

Purpose of the policy/plan (mission/goals)

Scope of the policy/plan (to whom and what it applies)


Organisational approach to incident response

How the incident response team/those responsible for managing cyber incidents will communicate with the rest of the organisation and with other organisations

Metrics for measuring the incident response capability and its effectiveness

Roadmap for maturing the incident response capability

How the incident response plan fits into overall organisational plans

73. Overall responsibility for ensuring the organisation has such policies/plans, and is well placed to implement them, should rest at Board level within the organisation.

74. Plans should be reviewed at least annually.

b) Staffing and team structure (inc. roles and authority, & out of hours arrangements)

75. Scottish public bodies should ensure they have identified and allocated the staff and resources necessary to implement cyber incident response policies/plans effectively, and ensure a timely response to any cyber incidents.

76. While the arrangements for each organisation will be different, consideration should be given to ensuring departments/individuals with appropriate expertise in the following areas are involved appropriately in any cyber incident response, depending on its severity/reach:

ICT

Resilience

Security

Business continuity

Legal (including in respect of data protection)

Policy/operational teams with expertise in affected areas

Internal and External Communications

Human resources

Coordination with external partners (e.g. law enforcement, etc.) where necessary should also be built into the plan.

77. The incident response plan should make clear the organisational structure and definition of roles in respect of key staff/departments.

78. The plan should be clear on responsibilities and levels of authority when dealing with a cyber incident, e.g. in respect of confiscating or disconnecting equipment, monitoring suspicious activity, requirements for reporting certain types of incidents, requirements for internal and external communications (what can be shared with whom, etc.) and the handover and escalation points in the incident management process.

79. There is the potential for cyber threats/risks to materialise at any time of the day or night. The longer an incident lasts, the more potential there is for damage or loss. Consideration should therefore be given to how key staff involved in any incident response plan can be contacted and activated out of hours where necessary, with arrangements proportionate to the risk or incident.

c) Defining, Detecting, Triaging and Triggering

80. Defining incidents: Scottish public bodies should ensure they have in place definitions that allow them to identify and categorise cyber-security “incidents”. Broadly speaking, incidents will be cyber security-related events that have an adverse consequence for the organisation, its goals and its stakeholders. These may include a violation or imminent violation[24] of computer security policies, acceptable use policies, or standard security practices. Examples include ransomware, DDoS attacks, phishing attacks or insider threat.

81. Individual organisations will be best placed to identify which definitions are most appropriate to their day-to-day business, in order to ensure an appropriate basis for response. However, definitions should broadly align with the definitions of an “incident” used by key coordinating authorities in the Scottish, UK and EU landscapes. These include:

NCSC: The National Cyber Security Centre (NCSC) has developed definitions of cyber security “incidents” and “threats”. It has also developed definitions to assist with triage of incidents that are reported to it into one of 3 categories – C1 (a national emergency under the National Cyber Incident Response Policy), C2 (a significant incident or threat requiring a coordinated, cross-government response) or C3 (incidents which do not meet the threshold of a C1 or C2 incident, which are managed as ‘business as usual’).

The Scottish Government: Beyond incidents that meet the NCSC criteria above that impact on Scotland, cyber incidents that should be reported to Police Scotland and the Scottish Government include the following:

Cyber incidents in which multiple Scottish Government departments or Scottish public bodies are involved/need to be involved in responding

Cyber incidents in which multiple networks are impacted

Cyber incidents in which the reputation of Scotland, the Scottish Government or the Scottish public sector might be significantly impacted

Cyber incidents where there is likely to be significant Scottish Parliament or media interest

Cyber incidents where Ministerial comment is likely to be required, or the media profile is sufficient to have an effect on public confidence in the government response.

82. As well as defining what is meant by an “incident”, organisations should develop clear criteria to underpin “triaging” of incidents. Again, individual organisations will be best placed to identify an approach to triage that is most appropriate to their day-to-day business. However, in developing definitions for triage, Scottish public sector organisations should have regard to a number of factors including:

[24] NCSC defines a “threat” as a “specific and imminent knowledge of a potential event or set of events which fit the definition of a cyber security incident.”

Impact of the incident: Which asset(s) (including physical, personnel, digital and information assets) is this activity affecting or likely to affect? What is the associated known or likely impact of the incident on the organisation, its stakeholders, the public and Scotland/UK as a whole, both in the immediate term and in the future if not contained? “Impact” should be defined broadly, and may include a detrimental impact on:

o the organisation’s ability to deliver public services
o security of physical, personnel, digital and information assets
o finances
o reputation
o legal obligations and individual rights (e.g. privacy)
o public safety

Factors that could affect judgements around the known or likely impact of an incident may include the actors responsible for the attack (and what this tells us about their potential capability) and intent (for example financial gain, disruption, data theft). But it is also important to recognise that error or accident can cause a significant cyber incident.

Recoverability from the incident: The size of the incident and the type of resources it affects will determine the amount of time and resources that must be spent on recovering from that incident. In some cases it may not be possible to “recover” from the incident (e.g. if sensitive information has leaked), and judgements around resource should focus on the need to minimise impact, learn from the incident and prevent future such incidents occurring.

Wider Scottish and UK trends: Based on their activities in respect of information sharing on emerging threats and trends, Scottish public sector organisations should also have regard to whether the incident may form part of a wider emerging threat to other Scottish and UK assets. If so, their triage definitions should support appropriate decision-making in respect of information sharing or coordination with national partners such as NCSC and Police Scotland as part of any incident response.

Legal and regulatory requirements: Organisations should have regard to legal or regulatory requirements to report data breaches, and categorise incidents accordingly.

Definitions should permit action to be taken around prioritisation of subsequent activities, such as formation of an appropriately configured incident response team, containment of the incident, deeper analysis of the effects of the incident, etc.

83. Detecting incidents: Scottish public bodies should ensure they have an understanding of the likely routes for detection of actual or imminent cyber security incidents. Detection of incidents by Scottish public bodies may be by both proactive and reactive means, and include:

Monitoring and information sharing: As part of their preventative arrangements, Scottish public bodies should ensure they have in place the resources and expertise required to monitor assets to detect cyber incidents and share information with other organisations to ensure they have a picture of wider threats, etc. All Scottish public bodies are required to participate in the CiSP intelligence sharing network,[25] which provides users with access to threat intelligence from a wide array of sources and provides incident reporting mechanisms to the NCSC.

Publicly available information or media reporting: E.g. media reports of a threat to the integrity of Scottish public assets. Such reports may first come into the organisation via media enquiries, or via Ministers or officials noting such reports.

Internal or external users: Staff in Scottish public bodies may report signs of incidents. External service users may report other indicators, such as a defaced web page or an unavailable service.

84. Triaging: Scottish public sector organisations should ensure they have in place arrangements that will allow incidents, once detected, to be analysed and triaged on the basis of previously agreed definitions. A named individual or team should be allocated clear responsibility for undertaking this initial analysis and triage of incidents.

85. Analysis and triage should be clearly documented and facilitate decision-making re: which additional actions to take.

86. Triggering: Unless there is a standing, dedicated incident response team, Scottish public bodies should ensure they have in place clear arrangements or algorithms to trigger the formation of incident response teams on the basis of initial incident analysis and triage. This is likely to require notification of an incident (and its initial analysis and triage) to key actors whose involvement in any incident response team is required as a result. The precise shape of the incident response team may depend on the initial analysis and triage – for minor incidents, it may be that only a minimal incident response team with mainly technical expertise is required. For more significant incidents, an incident response team with wider membership may need to be formed.
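As an added worked example (not part of these guidelines), the Python below turns the triage factors listed in paragraph 82 and the Scottish Government reporting criteria in paragraph 81 into an explicit, documented decision rule, and then uses the result to trigger the incident response team membership described in paragraph 86. The impact weights, score thresholds, the priority labels ("minor", "significant", "major") and the three sample incidents are constructed for illustration; an organisation would substitute its own definitions. No mapping to NCSC's C1/C2/C3 categories is attempted, since those are assigned by NCSC on receipt of a report.

```python
"""Incident triage and response-team triggering rules (constructed example).

Scores an incident on the triage factors the guidance lists (impact,
recoverability, wider trends, legal/regulatory duties), applies the
Scottish Government reporting criteria, and derives the incident response
team from the resulting priority. All weights and thresholds are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Impact areas named in the guidance; the weights are constructed for the
# example and would be set by the organisation's own risk appetite.
IMPACT_WEIGHTS = {
    "public_services": 3,
    "asset_security": 2,
    "finances": 2,
    "reputation": 2,
    "legal_rights": 3,
    "public_safety": 5,
}
MAJOR_THRESHOLD = 10        # constructed score boundaries
SIGNIFICANT_THRESHOLD = 5


@dataclass(frozen=True)
class Incident:
    title: str
    impacts: frozenset            # subset of IMPACT_WEIGHTS keys
    recoverable: bool             # False e.g. once sensitive data has leaked
    part_of_wider_trend: bool     # shared intelligence suggests a wider campaign
    personal_data_involved: bool  # may engage data breach reporting duties
    bodies_involved: int          # Scottish public bodies needed in the response
    networks_affected: int
    scotland_reputation_at_risk: bool
    parliament_or_media_interest: bool
    ministerial_comment_likely: bool


@dataclass
class TriageResult:
    priority: str     # "minor", "significant" or "major"
    score: int
    notify: list      # external parties to notify or consider notifying
    team: list        # incident response team membership to trigger


def impact_score(inc: Incident) -> int:
    """Weighted impact plus recoverability; a wider trend adds urgency."""
    score = sum(IMPACT_WEIGHTS[area] for area in inc.impacts)
    if not inc.recoverable:
        score += 3
    if inc.part_of_wider_trend:
        score += 2
    return score


def external_notifications(inc: Incident) -> list:
    """Reporting duties: CiSP sharing, Scottish Government criteria, ICO."""
    notify = []
    if inc.part_of_wider_trend:
        notify.append("CiSP")  # share indicators so other bodies can mitigate
    meets_sg_criteria = (
        inc.bodies_involved > 1
        or inc.networks_affected > 1
        or inc.scotland_reputation_at_risk
        or inc.parliament_or_media_interest
        or inc.ministerial_comment_likely
    )
    if meets_sg_criteria:
        notify += ["Police Scotland", "Scottish Government"]
    if inc.personal_data_involved:
        notify.append("ICO (assess breach notification duty)")
    return notify


def triage(inc: Incident) -> TriageResult:
    """Assign a priority and trigger a team proportionate to it."""
    score = impact_score(inc)
    notify = external_notifications(inc)
    if score >= MAJOR_THRESHOLD or "public_safety" in inc.impacts:
        priority = "major"
    elif score >= SIGNIFICANT_THRESHOLD or notify:
        priority = "significant"
    else:
        priority = "minor"

    team = ["ICT", "Security"]  # minimal technical team for any incident
    if priority != "minor":
        team += ["Resilience", "Business continuity",
                 "Internal and External Communications"]
    if inc.personal_data_involved or "legal_rights" in inc.impacts:
        team.append("Legal (including data protection)")
    if priority == "major":
        team += ["Policy/operational teams for affected areas", "Human resources"]
    return TriageResult(priority, score, notify, team)


# Constructed sample incidents for illustration only.
SAMPLE_INCIDENTS = {
    "phishing": Incident("Single phished mailbox, no data accessed",
                         frozenset({"asset_security"}),
                         True, False, False, 1, 1, False, False, False),
    "ransomware": Incident("Ransomware on a shared service platform",
                           frozenset({"public_services", "asset_security", "finances"}),
                           True, True, True, 2, 2, True, True, False),
    "safety": Incident("Control system outage affecting public safety",
                       frozenset({"public_services", "public_safety"}),
                       True, False, False, 1, 1, True, True, True),
}


if __name__ == "__main__":
    for name, inc in SAMPLE_INCIDENTS.items():
        result = triage(inc)
        print(f"{name}: {result.priority} (score {result.score})")
        print(f"  notify: {', '.join(result.notify) or 'none'}")
        print(f"  team:   {', '.join(result.team)}")
```

Because every factor is an explicit field and every threshold a named constant, the analysis and triage record can be reproduced and reviewed afterwards, which is what paragraph 85 asks for; the lessons learned review (paragraph 94) is the natural point at which to adjust the weights and thresholds.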

d) Containment, Investigation, Eradication and Recovery

87. Scottish public bodies should ensure that key individuals with appropriate technical expertise in the incident response team have responsibility and authority for developing and implementing plans to contain, investigate, eradicate and recover from the incident. Consideration should be given to the skills level each organisation has in place to support this phase and, if required, a list of external partners with the appropriate skills should be maintained in order to call on for support:

Containment: This is vital before an incident overwhelms resources or increases damage. Decision-making authority is required in respect of shutting down systems, disconnecting from networks, disabling certain functions, etc. These decisions are made easier if there are pre-determined strategies and procedures for dealing with common types of incident, and criteria for the containment response to each one.

[25] https://www.ncsc.gov.uk/cisp

Investigation: Appropriate forensic tools and skills may be required to identify evidence of cyber-attack and the impact on the organisation’s network. Where skills and tools are not available in-house, the cyber incident management plan should identify the outsourced professional body who can be called upon to undertake this critical role.

Eradication and recovery: After an incident has been contained, eradication may be necessary to eliminate components of the incident, such as malware, and to mitigate all vulnerabilities exploited. In recovery, administrators restore systems to normal operation, often in a phased approach.

Procedures and algorithms should make clear when and on what basis there will be liaison with external service providers (e.g. ISPs) or with external organisations (such as NCSC) with appropriate technical expertise to support these activities.

Evidence should be gathered and retained appropriately, to resolve the incident, to satisfy any legal requirements, and to assist Police Scotland should they initiate a criminal investigation.

e) Information sharing and coordination

88. Scottish public sector organisations should ensure they have in place clear procedures/algorithms for sharing information and coordinating any necessary activity with key areas inside and outside their organisation, either as part of a wider incident response team or as part of the wider organisational response.

89. Internal information sharing may be for the purposes of:

Triggering key areas/individuals to take part in the incident response team, depending on initial incident analysis and triage (e.g. ICT, Resilience, Security, Business continuity, Legal, Policy/operational teams with expertise in affected areas, Internal and External Comms professionals, Human resources, etc.), and coordinating the response accordingly.

Informing senior stakeholders (e.g. Ministers or elected officials) of the incident and providing information on the planned response, including any proposed public statements.

Informing staff of any impact on them or the organisation, and providing appropriate advice.

Scottish public bodies should consider planning and preparing several communication methods for these purposes, including methods that do not rely on technology, and select the method that is appropriate to the incident. These may include:

Email (organisations should consider developing templates and mailing lists based on the most common incident types)

Intranet

Telephone calls

Paper (e.g. post notices on bulletin boards and doors, hand out notices at all entrance points)

SMS messages

Tannoy systems

90. External information sharing may be for the purposes of:

helping coordinate wider action in response to an incident (e.g. with NCSC, Police Scotland, the Scottish Government, SGoRR, ICO, etc.).

providing information to those affected or potentially affected by an incident (e.g. stakeholders or the wider public).

providing the media with information, either proactively or in response to enquiries.

sharing threat intelligence with other organisations, enabling them to take appropriate mitigation action. As noted previously, all Scottish public bodies should use the Cyber Security Information Sharing Partnership (CiSP) to share threat intelligence with the wider community.

Scottish public sector organisations should identify the key external stakeholders they are likely to need to share information or coordinate with in response to specific incidents. Note that serious incidents should be reported to NCSC, Police Scotland and Scottish Government Resilience. Depending on severity, incidents involving personal data may need to be notified to the ICO under the GDPR from May 2018.

Scottish public sector organisations should ensure they have established partnerships with key external partners with whom a coordinated response may be required, and that relevant contact information (including for out of hours) for external partners is available to the incident response team.

Consideration should be given to the types of information that would be shared with each broad class of external stakeholder, and potential methods of sharing. Potential legal issues should be identified and considered beforehand.

Scottish public sector organisations should consider how they would interact with central coordinating functions such as COBR or SGoRR in the event of a major incident.

91. At the time of writing, work is ongoing to develop and improve Scotland’s response to major cyber incidents. Scottish public bodies should contact the Scottish Government Cyber Resilience Unit ([email protected]) to discuss how their individual incident response arrangements can best align with coordinating functions in SGoRR.


f) Business continuity

92. Scottish public sector organisations should ensure that, to complement any incident response plan, they have in place business continuity plans that will allow critical business to continue in the event that a cyber-incident results in public services or assets becoming unavailable.

93. This should include planning on the basis that ICT assets are unavailable in support of all or some critical functions, and set out clear plans for how business would continue under these circumstances.

g) Lessons learned

94. Scottish public sector organisations should ensure that incident response plans include a clear requirement for lessons learned exercises to take place, in order to learn from incidents and improve the organisation’s cyber resilience. These exercises should be proportionate to the incident, but they may cover such questions as:

Exactly what happened, at what times?

How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?

What information was needed sooner?

Were any steps or actions taken that might have inhibited the recovery?

What would staff and management do differently the next time a similar incident occurs?

How could information sharing and coordination with other organisations have been improved?

What corrective actions can prevent similar incidents in the future?

What precursors or indicators should be watched for in the future to detect similar incidents?

What additional tools or resources are needed to detect, analyse and mitigate future incidents?

The organisation’s board and other key areas should be provided with relevant information gleaned from lessons learned exercises as part of overall risk management in respect of cyber risks.

h) Exercising

95. Scottish public sector organisations should, on a proportionate basis, ensure that incident response plans are exercised regularly, so that key actors understand their roles and any deficiencies in the response plans can be identified ahead of incidents actually occurring.

______________________________
