In June 2018, the UK Government, in collaboration with NCSC (National Cyber Security Centre), produced a new security standard that all Government “Departments,” including organisations, agencies, arm’s length bodies, and contractors must adhere to without exception. These measures will continue to increase over time in order to ‘address new threats or classes of vulnerabilities’ and to ‘incorporate the use of new Active Cyber Defence measures.’
The standard is broken down into 10 measures grouped into five sections: Identify, Protect, Detect, Respond and Recover.
This article gives a brief overview of the content of each measure. The full standard is published as a PDF on the gov.uk website.
Section 1: “Departments shall put in place appropriate cyber security governance processes.”
Departments are obligated to have clear lines of responsibility and accountability to named individuals for the security of sensitive information and key operational services.
Appropriate management policies and processes must be in place to direct the department’s overall approach to cyber security. In addition, Departments are required to identify and manage the significant risks to sensitive information and key operational services.
Departments also need to understand and manage the security issues that arise from dependencies on external suppliers and the wider supply chain. Suppliers are expected to meet the standard too; they can show this by holding a valid Cyber Essentials certificate or by otherwise demonstrating their compliance, and the Department then judges whether that evidence is sufficient for the risk the supplier represents.
Section 2: “Departments shall identify and catalogue sensitive information they hold.”
Departments need to know and record what information they hold or process, why they hold or process it, what computer systems or services process it and the impact of its loss, compromise, or disclosure.
Section 3: “Departments shall identify and catalogue the key operational services they provide.”
Departments need to know and record what their key operational services are, what technologies and services their operational services rely on to remain available and secure, what other dependencies the operational services have (such as power, cooling, data and people) and the impact of loss of availability of the service.
Section 4: “The need for users to access sensitive information or key operational services shall be understood and continually managed.”
Departments need to understand and continually manage the need for users to access sensitive information or key operational services. In particular, users should be given only the minimum access to sensitive information or key operational services that their role requires, and that access must be removed when individuals leave the organisation. Periodic reviews should also take place to confirm that the access each user still holds remains appropriate.
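The periodic review described above is a reconciliation exercise: the accounts that exist and the entitlements they hold are compared against the HR record (who still works here, and in what role) and against what each role is entitled to. The following is an added example, not code from the standard or from the article; the HR feed, role matrix and access snapshot are constructed sample data, and the role names and entitlement strings are hypothetical.

```python
"""Periodic access review: reconcile live accounts against HR leavers and role entitlements.

Added example (not from the standard or the article). All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# HR feed: account -> (role, leave date or None if still employed). Constructed sample.
HR_RECORDS: Dict[str, Tuple[str, Optional[date]]] = {
    "asmith": ("finance-analyst", None),
    "bjones": ("sysadmin", None),
    "cwhite": ("finance-analyst", date(2018, 5, 31)),  # left before the review date
    "dlee":   ("contractor", date(2018, 8, 30)),       # contract ends after the review date
}

# Least-privilege baseline: the entitlements each role justifies. Hypothetical names.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance-analyst": {"finance-db:read", "payroll-app:user"},
    "sysadmin": {"finance-db:admin", "finance-db:read", "vpn:admin"},
    "contractor": {"vpn:user"},
}

# Snapshot exported from the access-control system: account -> granted entitlements.
ACCOUNT_ACCESS: Dict[str, Set[str]] = {
    "asmith": {"finance-db:read", "payroll-app:user"},
    "bjones": {"finance-db:admin", "finance-db:read", "vpn:admin"},
    "cwhite": {"finance-db:read"},                 # leaver whose access was never removed
    "dlee":   {"vpn:user", "finance-db:admin"},    # entitlement the role does not justify
    "svc_backup": {"finance-db:read"},             # account with no HR owner at all
}


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str
    entitlements: FrozenSet[str]   # what should be removed or justified


def review_access(hr, roles, access, review_date: date) -> List[Finding]:
    """Return the accounts a reviewer must act on, in three classes:
    orphan accounts (no HR record), leavers still holding access, and
    accounts holding entitlements beyond their role's baseline."""
    findings: List[Finding] = []
    for account, granted in sorted(access.items()):
        if account not in hr:
            findings.append(Finding(account, "no HR record (orphan account)", frozenset(granted)))
            continue
        role, leave_date = hr[account]
        if leave_date is not None and leave_date <= review_date:
            findings.append(Finding(account, f"leaver ({leave_date.isoformat()})", frozenset(granted)))
            continue
        excess = set(granted) - roles.get(role, set())
        if excess:
            findings.append(Finding(account, f"excess for role {role}", frozenset(excess)))
    return findings


if __name__ == "__main__":
    for f in review_access(HR_RECORDS, ROLE_ENTITLEMENTS, ACCOUNT_ACCESS, date(2018, 6, 30)):
        print(f"{f.account:12} {f.reason:32} remove/justify: {sorted(f.entitlements)}")
```

Run against a real environment the inputs would come from the HR system, the IAM or directory export and a maintained role catalogue; the output is the worklist for the review, and every line on it is either a removal or a documented exception. Service accounts such as the orphan above need a named owner too, which is exactly the "named individuals" requirement in Section 1.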
Section 5: “Access to sensitive information and key operational services shall only be provided to identified, authenticated and authorised users or systems.”
Access to sensitive information and key operational services shall only be provided to identified, authenticated and authorised users or systems. Depending on the sensitivity of the information or the criticality of the service, departments may also need to authenticate and authorise the device being used for access.
Section 6: “Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities.”
This section covers four main areas of technology: enterprise technology, end-user devices, email systems and digital services. Its requirements range from a full audit of all hardware and software assets to ensuring that technologies such as the UK Public Sector DNS Service and TLS 1.2 are used. For more information, refer to the full version of the standard on the gov.uk website.
Section 7: “Highly privileged accounts should not be vulnerable to common cyber-attacks.”
Highly-privileged users shall not use their highly-privileged accounts for ‘high-risk functions’ such as ‘reading email and web browsing’. Multi-factor authentication shall be used where technically possible, including enterprise-level social media accounts. Passwords that would on their own grant extensive system access should be highly complex and are required to be changed from their default values.
Section 8: “Departments shall take steps to detect common cyber-attacks.”
Attackers using common cyber-attack techniques should not be able to gain access to data or any control of technology services without being detected. Transactional monitoring techniques should be implemented for digital services that are attractive to ‘cyber criminals.’ Departments are required to clearly define what must be protected and why, and a monitoring system should be implemented to detect known threats.
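"Detect known threats" means, at the most basic level, looking at authentication logs for the patterns an attacker using common techniques leaves behind: a burst of failures from one source, the same source trying a handful of passwords across many accounts, and, the case that matters most to this measure, a success that follows such a burst. The following is an added example, not code from the standard or the article: a small detector run over constructed OpenSSH-style syslog lines. The source addresses, usernames and thresholds are all illustrative.

```python
"""Detect brute-force, password-spray and success-after-failures patterns in auth logs.

Added example (not from the standard or the article). The log lines are constructed
in OpenSSH/syslog style; the thresholds are illustrative, not recommended values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

# Constructed sample log: a brute force that eventually succeeds, a legitimate typo,
# and a low-and-slow spray across several accounts from a third address.
SAMPLE_LOG = """\
Jun 12 09:00:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jun 12 09:00:03 gw sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Jun 12 09:00:05 gw sshd[1203]: Failed password for root from 203.0.113.5 port 51002 ssh2
Jun 12 09:00:07 gw sshd[1204]: Failed password for root from 203.0.113.5 port 51003 ssh2
Jun 12 09:00:09 gw sshd[1205]: Failed password for root from 203.0.113.5 port 51004 ssh2
Jun 12 09:00:20 gw sshd[1206]: Accepted password for root from 203.0.113.5 port 51005 ssh2
Jun 12 09:15:00 gw sshd[1300]: Failed password for asmith from 198.51.100.7 port 40000 ssh2
Jun 12 09:15:30 gw sshd[1301]: Accepted password for asmith from 198.51.100.7 port 40001 ssh2
Jun 12 10:00:00 gw sshd[1400]: Failed password for asmith from 192.0.2.9 port 30000 ssh2
Jun 12 10:00:01 gw sshd[1401]: Failed password for bjones from 192.0.2.9 port 30001 ssh2
Jun 12 10:00:02 gw sshd[1402]: Failed password for cwhite from 192.0.2.9 port 30002 ssh2
Jun 12 10:00:03 gw sshd[1403]: Failed password for dlee from 192.0.2.9 port 30003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


class Alert(NamedTuple):
    kind: str
    ip: str
    user: str      # the account involved when the alert fired
    ts: datetime


def parse(log_text: str, year: int = 2018) -> List[Tuple[datetime, bool, str, str]]:
    """Turn raw lines into (timestamp, accepted?, user, source ip). Syslog omits the year,
    so the caller supplies it; lines that are not password auth events are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"] == "Accepted", m["user"], m["ip"]))
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=5, spray_users=3) -> List[Alert]:
    """Sliding-window detection per source address; one alert per (kind, source)."""
    alerts: List[Alert] = []
    fired = set()
    recent = defaultdict(list)     # ip -> [(ts, user)] failures still inside the window

    def fire(kind, ip, user, ts):
        if (kind, ip) not in fired:
            fired.add((kind, ip))
            alerts.append(Alert(kind, ip, user, ts))

    for ts, accepted, user, ip in sorted(events):
        fails = recent[ip]
        fails[:] = [(t, u) for t, u in fails if ts - t <= window]   # slide the window
        if accepted:
            # The outcome the standard is about: access gained after a burst of failures.
            if len(fails) >= fail_threshold:
                fire("success-after-failures", ip, user, ts)
            continue
        fails.append((ts, user))
        if len(fails) >= fail_threshold:
            fire("brute-force", ip, user, ts)
        if len({u for _, u in fails}) >= spray_users:
            fire("password-spray", ip, user, ts)   # few attempts each across many accounts
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(f"{a.ts:%H:%M:%S} {a.kind:24} {a.ip:15} user={a.user}")
```

On the sample the single failed-then-successful login from 198.51.100.7 produces nothing, which is the point of the window and threshold: the detector is tuned to the attacker's pattern, not to every failed password. The same structure applies to web-application and VPN logs once the parser is swapped, and in a real deployment the alerts feed the incident process described under Section 9 rather than a console.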
Section 9: “Departments shall have a defined, planned and tested response to cyber security incidents that impact sensitive information or key operational services.”
An incident response and management plan, with clearly defined actions, roles and responsibilities, must be implemented. It should include communication protocols that activate in the event of an incident’s discovery. If the event involves personal data, the Information Commissioner’s Office must be informed. This plan should be tested regularly.
Section 10: “Departments shall have well defined and tested processes in place to ensure the continuity of key operational services in the event of failure or compromise.”
Departments shall have contingency mechanisms to ensure their ongoing ability to deliver essential services in case of a failure or compromise. They must make sure to test these processes, thereby making recovery via those procedures a ‘well-practised scenario.’ To ensure that the same issue cannot arise in the same way again, vulnerabilities shall be identified and remediated.
Many of the requirements in this standard are basic foundational controls that any organisation should be looking to adopt. Recently, the Center for Internet Security (CIS) released the latest revision of its Top 20 Critical Security Controls.
Initially developed under the coordination of the SANS Institute, these controls have been used by organisations both large and small. They are prioritised so that adopting the first few already blocks the majority of common attacks.
Tripwire offers an integrated suite of foundational controls that deliver integrity assurance. Our solutions for vulnerability management, asset management, configuration management, and change monitoring address the integrity management needs of IT Security. They also help IT in many other ways:
- Know what assets you have and which ones to fix first
- Know the environment is in a known and trusted state—detect changes in real-time
- Detect and correct integrity drift
- Automate compliance on a continuous basis and reduce related costs
- Reduce MTTR (Mean Time To Repair) by quickly identifying root causes of incidents
About the Author: Ben Emmons is a 15-year-old student at Reading University Technical College studying computer science. This week, he is working at Tripwire’s office in Maidenhead where he is learning about organizational management, coding and the information security community. Recently, Ben attained 12 Microsoft Technology Certifications.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.