Scottish public sector cyber resilience framework v2.0
Sets out the second iteration of the Scottish public sector cyber resilience framework. The framework supports Scottish public sector organisations, to improve their cyber resilience and to comply with a range of requirements.
Section 1 – Framework overview
This section provides information about the cyber resilience guidance and standards that make up the framework and explains how the framework has been developed. It is of most use to readers with specialist cyber resilience knowledge. Board/executive-level individuals with responsibility for cyber resilience should use this section to develop their understanding of the framework and the various standards that can be used to measure their organisational progress.
Public sector action plan key actions (2023)
The strategic framework for a cyber resilient Scotland sets out several actions for the public sector. Relevant actions are highlighted below and should be considered alongside the framework controls as a vital element in improving the cyber maturity of the sector.
Key actions:
1. All PSOs include cyber resilience within their governance structures, by managing cyber risk as part of business risk processes and by designating a board member/senior manager responsible for the cyber resilience of the organisation.
2. All PSOs become active members of the Scottish public sector group within NCSC’s cyber security information sharing partnership (CiSP) (where eligible).
3. All PSOs put in place regular and appropriate independent assurance of critical technical controls (particularly those established under the cyber essentials scheme).
4. All PSOs implement NCSC's active cyber defence measures (where eligible), including:
- Early warning
- Mail check
- Web check
- Protective domain name service (pDNS)
5. All PSOs provide appropriate and relevant training and awareness raising for staff at all levels.
6. All PSOs use the Scottish public sector cyber incident notification procedure, where appropriate.
7. All PSOs have effective cyber incident response plans in place and test them at least annually. PSOs should consider developing a relationship or retainer contract with a cyber incident response company.
8. All PSOs exercise against the most common cyber attack scenarios at a technical, operational and strategic level (annually). The critical functions mapping template can be used to aid consideration of the impacts of common cyber attack scenarios on an organisation’s critical functions and services.
9. All PSOs secure their supply chains, building in appropriate cyber assurance as part of their procurement practices, contract management and grant making processes. The critical functions mapping template can be used to identify and map out the critical functions and the suppliers critical to the delivery of these.
10. All PSOs, with consideration of their risk and threat environment, align with the most appropriate tier of the public sector cyber resilience framework, self-assess and report on their cyber maturity to the Scottish government annually.
Core standards
1. The contents of the Scottish public sector cyber resilience framework are drawn from, or aligned with, the following “core” requirements that apply to elements of the public sector:
- Cyber Essentials: 2022
- The NCSC’s 10 steps to cyber security
- NCSC and ICO guidance on technical security outcomes under the General Data Protection Regulation (GDPR)[1]
- Security of Network and Information Systems (NIS) directive – NCSC Cyber Assurance Framework (NIS-CAF v3.2)
- ISO 27001:2013[2] (alignment with requirements)
- ISO 27002:2022
- BS 31111:2018 Cyber risk and resilience. Guidance for the governing body and executive management
- CSA STAR: Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
- ETSI EN 303 645 v2.1.1 Cyber security for consumer Internet of Things: baseline requirements
These standards were selected based on how widespread their use is currently in the Scottish public sector, whether their application is required by law or regulation, and/or whether they have been endorsed or produced by the NCSC. Many of these standards are in widespread use in the private and third sectors, and will help with broader efforts to align cyber resilience practice across these sectors in Scotland.
Several specialist standards are not included in this version of the PSCRF because they are only relevant for a smaller subset of public sector bodies. A new regulatory compliance sub-category has been introduced within the PSCRF for organisations to record their alignment with standards such as the PSN, PCI DSS v4.0 and IEC 62443 (security of industrial automation and control systems).
2. No specific standard was favoured when undertaking the analysis to develop the framework. This approach avoids distorting the resultant model towards a particular framework or standard, to develop a flexible model in the future (as standards change over time or new frameworks become the preferred option for PSOs).
3. The resulting framework represents “100%” of the requirements that apply to Scottish PSOs under these combined “core” standards or requirements. It is important to note that, while some individual standards (e.g. NIS and ISO 27001) are more comprehensive than others, no single standard incorporates the full 100% of requirements represented by the framework. The standards were developed at different times and for a range of purposes; this does not mean that individual standards are not fit for the purposes for which they have been developed.
4. There is no expectation that an organisation will meet 100% of the requirements of the framework, or achieve an “end state”. This is because cyber resilience is a process of continuous improvement based on evolving risks and responses.
5. Assessments against PSCRF v2 and PSCRF v1 are not directly comparable – any attempt to do this is likely to result in confusing and misleading results.
Domains, categories and sub-categories
6. The framework has extracted 5 overarching domains, 17 common categories, 68 sub-categories and 427 security controls and requirements from the core standards (with one additional information-only control regarding relevant certifications/accreditations).
7. The 5 overarching domains are focused on organisational roles with relevant control categories underneath.
8. The role-based domains are shown with their associated control categories below:
- Senior management: this domain covers areas likely to be considered by senior management within a PSO:
  - Organisational governance
  - Risk management
- Procurement/contracts/legal: this domain covers the requirement for managing the supply chain:
  - Supplier management
- Technical team: this domain covers technical considerations, including:
  - Asset management
  - Information security management
  - Services resilience
  - Access control
  - Media management
  - System management
  - Operational security
  - Network security
  - Incident detection
  - Incident management
  - Business continuity
- Human resources / organisational development: this domain brings together controls to improve cyber resilience and security through the activities of human resource teams:
  - Human resources
- Facilities/estates: this domain covers measures to improve environmental, physical and building security:
  - Environmental security
  - Physical / building security
Tiered approach
9. The controls within the framework are broken down into two tiers, with tier 2 building on the solid foundation established in tier 1. This reflects the changing cyber security and threat landscape and the ambition for the Scottish public sector to move beyond the previous baseline progression stage (which is unlikely to be adequate for the sector in the current threat landscape). The controls also highlight that direct comparisons between assessments against PSCRF v1 and PSCRF v2 cannot be made.
10. Tier One: Scottish PSOs should align themselves with tier one as soon as possible to secure themselves against the most common internet-borne cyber threats and attacks.
11. Tier one brings together the technical requirements of GDPR and Cyber Essentials along with key elements of the NCSC 10 steps to cyber security, the CSA STAR Cloud Controls Matrix and the BS 31111 cyber security standard.
12. Tier Two: this is the tier that Scottish PSOs who provide the most essential public services, or face the most advanced cyber and/or network and information security threats, will be required or encouraged to align with on a risk-based and proportionate basis.
13. Tier two builds on the tier one controls and brings in additional controls from the NCSC 10 steps, BS 31111, the CSA STAR Cloud Controls Matrix, ISO 27001/2 and the NCSC NIS CAF.
Comparisons of maturity assessed under different versions of the framework
14. Compliance assessments against this version of the framework are best viewed on their own merit; they are not directly comparable with assessments against PSCRF v1.
Approach to risk and proportionality
15. The framework should be implemented by PSOs on a risk-based and proportionate basis. In practice this means:
- Where organisations are legally or otherwise required to comply with elements of the framework (e.g. because they are operators of essential services under the NIS directive, because they handle personal data, or because they connect to the PSN), they must continue to do so.
- Organisations should select and work to the tier of the framework which provides confidence that:
  - legal or other obligatory requirements are met; and
  - the threats and risks they are likely to face in view of their sector, their profile, the data they handle and the services they offer are appropriately mitigated.
- It is open to organisations to decide that they will not meet the requirements of specific control categories under the progression stages they are working to, e.g. because they judge it to be unnecessary or disproportionate to do so or because they have proportionate mitigations in place. In these cases, organisations should document clearly why they have taken this decision.
Contact
Email: cyberresilience@gov.scot