Cyber resilience: private sector action plan 2018-2020

Plan to develop a common, aligned approach to cyber resilience across the private sector in Scotland, so that all sections of society and business benefit from being digitally safe and secure.


Annex B – Scottish Private Sector Cyber Resilience Framework or Pathway – Concept

1. This annex sets out a broad concept for the development of a Scottish Private Sector Cyber Resilience Framework or "Pathway".

2. The concept has been developed by the Scottish Government and members of the National Cyber Resilience Leaders Board, in consultation with the NCSC and key private sector partners.

In line with Key Action 2 of the action plan, work will be undertaken to finalise and pilot this Framework or Pathway, on the condition that further work confirms its feasibility. That work will build on initial analysis to develop a stronger understanding of the core cyber resilience requirements currently encompassed by NCSC schemes and guidance, other common standards and key supply chain policies as they apply to the Scottish private sector (particularly SMEs), and of how these requirements relate to progressively higher levels of cyber threat.

Aims

3. The Framework or Pathway would aim to provide a common point of departure for Scottish private sector organisations to assess the cyber threat to their assets, and to identify the key measures they should consider implementing to manage those threats in view of their potential impact on operations.

The Framework or Pathway could be used by SMEs and other organisations to benchmark themselves against progressively more demanding or holistic approaches to cyber threat management. It would also provide a way for organisations in the early stages of their cyber resilience journey to identify key sources of guidance and assurance in order to improve their capacity to manage progressively more targeted and sophisticated cyber threats.

4. Because many strategic companies operating in Scotland will already be working to a range of UK and international regulatory requirements, any such Framework or Pathway is expected to be of most use to smaller organisations (especially SMEs). However, larger organisations in key sectors of the Scottish economy that are not currently subject to cyber security regulation may also find such a tool useful in identifying the level of cyber resilience they should be aiming for, based on the likely cyber threat to their assets.

5. Work would be undertaken to align any Framework or Pathway with similar frameworks under development as part of the public and third sector action plans on cyber resilience by the Scottish Government and the NCRLB.

Overview of key potential features

6. The starting point for any potential Framework or Pathway would be an agreed common way of assessing the broad cyber threat to an organisation’s networks and assets, either in general or in the context of specific contracts or undertakings.

7. These cyber threat profiles should be organised in a progressive hierarchy, based on broadly defined increases in the expected targeting and sophistication of cyber threats. The hierarchy should also take into account the likely organisational impact of a breach.

8. There should then be a clear hierarchy of guidance, standards or controls that is "mapped" directly to the relevant threat level, thus ensuring greater consistency of application of appropriate standards and controls.

9. These cyber threat profiles and the hierarchy of standards or controls should, to the greatest extent possible, be aligned with or incorporate the following key existing or planned measures:

  • Existing standards, guidance or initiatives, particularly those endorsed by the National Cyber Security Centre such as Cyber Essentials, the 10 Steps to Cyber Security, NIS Directive Technical Guidance, NCSC Supply Chain Guidance, the NCSC’s cloud security principles, the NCSC’s Cyber Security Information Sharing Partnership, and ICO guidance on protecting personal data; and
  • Existing and planned practice in respect of supply chain cyber security amongst larger public, private and third sector organisations.

10. The potential for development of a freely accessible online tool to support SMEs, in particular, to undertake a cyber threat assessment against the Framework or Pathway, and be directed to appropriate guidance or standards, would likely be key to the success of this work.

11. A basic visual representation of this proposed approach is set out on the following page. It should be noted that the contents of this proposed framework or pathway will be subject to further work and discussion, and are included only for illustrative purposes at this stage.

Annex B – Scottish Private Sector Cyber Resilience Framework or Pathway – Basic Concept (indicative draft only)
