Scottish public sector cyber resilience framework v2.0
Sets out the second iteration of the Scottish public sector cyber resilience framework. The framework supports Scottish public sector organisations, to improve their cyber resilience and to comply with a range of requirements.
Introduction and context
1. This document sets out the second iteration of the Scottish public sector cyber resilience framework. The framework is intended to support Scottish Public Sector Organisations (PSOs), to improve their cyber resilience and to comply with a range of legislative, regulatory, policy and audit requirements in respect of cyber security.
2. The framework is formally issued to all PSOs by Scottish ministers. The requirements set out in the framework should be considered as applicable guidance for the purposes of audit and assurance in relation to the Scottish public finance manual.
3. PSOs are encouraged to align their cyber security and resilience posture to the framework. PSOs should achieve implementation that aligns with their risk appetite and organisational circumstances as soon as practicable.
4. The strategic framework for a cyber resilient Scotland includes a commitment to periodically review this document. Requests from the Scottish government for high level monitoring and evaluation information should be expected annually.
Aims
5. The aim of the Scottish Public Sector Cyber Resilience Framework is to provide a common, effective way for all PSOs to:
- Assess their current cyber resilience arrangements
- Identify areas of strength and weakness
- Align with minimum cyber resilience requirements
- Take decisions on how/whether to achieve higher levels of cyber resilience on a risk-based and proportionate basis.
6. In doing so, the framework seeks to:
- Align with key wider cyber-related requirements under the general data protection regulation (GDPR), the security of network and information systems (NIS) regulations and other standards
- Minimise any additional burdens on Scottish PSOs, through clarity on how the framework relates to existing standards or requirements, and taking account of these when providing guidance on compliance
- Provide a clear basis for internal and external audit and inspection activity, promoting greater consistency in the areas and issues covered by audit and inspection bodies when assessing Scottish PSOs, and
- Provide clarity and assurance to individual organisations, ministers, the Scottish parliament and the public that appropriate levels of cyber resilience are in place across the Scottish public sector and its individual subsectors.
Relationship to individual standards and requirements
7. The framework has been developed on the basis of, and mapped to, existing “core” standards and requirements that generally apply to the Scottish public sector. A companion “public sector cyber resilience framework (version 2): mapping of standards” spreadsheet provides a detailed mapping of the different standards that have been analysed to produce this framework.
8. The framework represents all of the requirements outlined in these diverse standards in a single document. If an organisation is already required to comply with these diverse requirements (or opts to do so as a matter of good practice), there should be nothing new or additional in the framework – the main difference is that they may now rely on a single source document to gain reasonable confidence that they are achieving compliance.
9. The development process for the framework was not designed to take a single standard as its primary reference point. This increases the framework’s flexibility and allows further development and incorporation of other standards based on feedback from Scottish PSOs.
10. While common phrases and terms are employed across the categories of many of the core individual standards and guidelines, these do not always correspond to the same meaning or control requirement. Where individual standards are highly prescriptive, the binary compliant/non-compliant analysis is straightforward. However, most standards are written generically, and PSOs will need to interpret the applicability of the criteria and the appropriateness of any solution. The Scottish government has employed a level of interpretation when mapping equivalency.
11. The NIS regulations have made it necessary for PSOs operating in the drinking water sector to meet separate requirements, to remain in line with operators in the rest of the UK. Organisations in this sector should already know about these requirements but should contact their competent authority for further information if required.
Keeping the framework up to date
12. Cyber resilience is a fast-moving area, and standards are frequently updated or amended. The framework will be reviewed periodically in response to any significant developments with the core cyber standards. This will be reflected in version control for the document and communicated to relevant PSOs.
Self-assessment tool
13. This framework is accompanied by a basic self-assessment spreadsheet tool. This tool is intended for use by PSOs in combination with the framework, to:
- Help them track compliance levels
- Identify key areas of strength and weakness in their current cyber resilience arrangements
- Communicate these to senior decision-makers
- Take action to address areas for improvement
Who are the framework and self-assessment tool intended for?
14. The framework and self-assessment tool are intended for use by a range of individuals within Scottish PSOs, including (but not limited to):
- Cyber security practitioners – the framework document and reference lookup document will help them cover all key requirements from core standards. The self-assessment tool will help them track areas of strength and concern, and highlight areas where additional investment or resource is required for the attention of senior management.
- Senior risk owners and boards – both the framework document and the self-assessment tool will help senior risk owners (with responsibility for cyber risks) to identify areas of potential compliance/non-compliance against a range of different standards or requirements, identify strengths and weaknesses in organisational cyber resilience, benchmark against other organisations across the Scottish public sector, and highlight areas where greater investment or resource may be required.
- Audit and inspection bodies – Scottish public sector audit and inspection bodies may wish to align their cyber audit and inspection activities with the framework. Individual organisations contracting with private sector audit organisations may also wish to ask that they align their approach with the framework. This will promote greater consistency in the audit demands made of Scottish PSOs.
- Central coordinating bodies, competent authorities, etc. – the framework and the self-assessment tool will generate information that could be requested by the Scottish government, competent authorities and other central coordinating or representative/membership bodies (such as the local government digital office, APUC, HEFESTIS, NHS, NSS, etc.) with an interest in understanding areas of strength and weakness in cyber resilience in the Scottish public sector, with a view to targeting central support and activity appropriately.
Contact
Email: cyberresilience@gov.scot