Scottish public sector cyber resilience framework v2.0

Sets out the second iteration of the Scottish public sector cyber resilience framework. The framework supports Scottish public sector organisations to improve their cyber resilience and to comply with a range of requirements.

Section 3 – The Framework

1. The following tables set out the Tier 1 and Tier 2 requirements under the Scottish public sector cyber resilience framework.
2. The framework is not intended to be technically prescriptive. For example, no requirements are set out on the type of firewall that must be chosen for a particular risk environment; this must be a judgement of the organisation, informed by its own expertise and risk appetite.
3. The framework supports a continuous improvement cycle aimed at improving cyber resilience and security as cyber risks and threats evolve.

Senior Management

1. Organisational governance: Appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the organisation’s network and information systems.

1.1 Governance framework: There is effective organisational security management led at board level and articulated clearly in corresponding policies.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | There is a board/senior management-level commitment to manage the risks arising from the cyber threat. |
| Tier 1 | 2. | There are appropriate data protection and information security policies and processes in place to direct the organisation’s overall approach to cyber security. |
| Tier 1 | 3. | There are clear lines of responsibility and accountability to named individuals for the security of sensitive information and key operational services. |
| Tier 1 | 4. | Senior accountable individuals have received appropriate training and guidance on cyber security. |
| Tier 2 | 1. | Significant risks to sensitive information and key operational services have been identified and are managed. |
| Tier 2 | 2. | The organisation has established roles and responsibilities for the security of networks and information systems at all levels. |
| Tier 2 | 3. | The security issues that arise because of dependencies on external suppliers or through the supply chain are detailed, organised and managed. |

1.2 Leadership & responsibility: There is a board-level individual who has overall accountability for the security of networks and information systems.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | A named board and senior management member of staff have been identified as responsible for organisational cyber resilience arrangements. |
| Tier 1 | 2. | There is a written information security policy in place, which is championed by senior management. |
| Tier 2 | 1. | Direction set at board level is translated into effective organisational practices that direct and control the security of the organisation’s networks and information systems. |
| Tier 2 | 2. | The board shall ensure that the organisation has planned and budgeted for adequate resources for the delivery, maintenance and improvement of cyber resilience and network and information security, and that these activities are supported by senior management. |
| Tier 2 | 3. | All key stakeholders required for the delivery of a successful cybersecurity programme are identified and involved. |
| Tier 2 | 4. | There is senior-level accountability and responsibility for the security of networks and information systems with delegated decision-making authority. |

1.3 Adoption, audit and assurance of security standards: Procedures are in place to provide assurance on the effectiveness of security.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | There is demonstrable and appropriate independent assurance that five critical network controls are in place: a) firewalls; b) secure configuration; c) user access control; d) malware protection; e) patch management. |
| Tier 2 | 1. | Security as it relates to technology, people, and processes can be demonstrated and verified by a third-party audit at least annually and after any security event(s). |
| Tier 2 | 2. | There are procedures to check that the security measures in place to protect the networks and information systems are effective and remain effective for the service lifetime. |
| Tier 2 | 3. | The assurance methods available are recognised, and appropriate methods to gain confidence in the security of essential services are adopted and implemented. |
| Tier 2 | 4. | Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes. |
| Tier 2 | 5. | The organisation’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. |
| Tier 2 | 6. | Managers regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. |

1.4 Regulatory compliance: The organisation can demonstrate independent accreditation for any additional relevant compliance requirements.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | If relevant, the organisation can demonstrate compliance with the current PSN controls. |
| Tier 1 | 2. | If relevant, the organisation can demonstrate compliance with the current PCI standard and controls. |
| Tier 1 | 3. | If relevant, the organisation can demonstrate compliance with current relevant operational technology standards and controls. |
| Tier 1 | 4. | If relevant, state any specific services that have been accredited to a specific standard. |
| Tier 2 | | No additional requirements. |

2. Risk management: Appropriate steps are in place to identify, assess and understand security risks to the network and information systems. This includes an overall organisational approach to risk management.

2.1 Policy & processes: The organisation has effective internal processes that manage and mitigate risks to the security of network and information systems and services.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | There are information risk management policies and assessment procedures in place. |
| Tier 1 | 2. | Organisations shall identify and manage the significant risks to sensitive information and key operational services. |
| Tier 1 | 3. | Senior management and boards regularly review the organisational cyber risks and threats. |
| Tier 1 | 4. | Executive management should establish key risk indicators (KRIs) in order to monitor any changes in the risk profiles. |
| Tier 2 | 1. | The organisational process ensures that security risks to networks and information systems relevant to essential services are identified, analysed, prioritised, and managed. |
| Tier 2 | 2. | Risk owners are identified. |
| Tier 2 | 3. | The output from the risk management process is a clear set of security requirements that will address the risks in line with the organisational approach to security. |
| Tier 2 | 4. | Significant conclusions reached during the risk management process are communicated to key security decision-makers and accountable individuals. |
| Tier 2 | 5. | The effectiveness of the risk management process is reviewed periodically and improvements made as required. |

2.2 Cyber / information risk assessment: The organisation has an effective and robust risk assessment methodology and processes that identify and prioritise threats and vulnerabilities.

| Tier | No. | Requirement |
|---|---|---|
| Baseline | 1. | Key information and IT assets have been identified, risk assessed and prioritised for their vulnerability to cyber-attack. |
| Baseline | 2. | Organisations should establish a process to identify security vulnerabilities and rank them according to their level of risk. |
| Baseline | 3. | A systematic risk-based approach is taken to information security, data protection and the security of systems and services. This risk assessment takes into consideration: the technology available; the cost of implementation; the nature, scope, context and purpose of any data processing; and the probability and impact of the risk being realised. |
| Baseline | 4. | The criteria for performing risk assessments are well defined to ensure risk assessments produce consistent, valid and comparable results. |
| Tier 2 | 1. | The risk assessments are based on a clearly articulated set of threat assumptions; these are kept up to date through an understanding of changing security threats. |
| Tier 2 | 2. | Risk assessments are conducted when significant events potentially affect the essential service, such as replacing a system or a change in the cyber security threat. |
| Tier 2 | 3. | The risk assessments are dynamic and are updated in the light of relevant changes, which may include technical changes to networks and information systems, change of use and new threat information. |

2.3 Risk treatment & tolerance: The organisation has risk treatment policies and procedures in place, with a defined risk appetite and mitigation controls documented.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | The information and cyber risk that the organisation is prepared to tolerate is defined, understood and communicated. |
| Tier 1 | 2. | A risk appetite statement shall be produced and used to guide risk management decisions. |
| Tier 2 | 1. | The organisation shall define and apply an information security risk treatment process that identifies appropriate risk treatment options and associated mitigation controls. |
| Tier 2 | 2. | A risk treatment plan shall be produced. |
| Tier 2 | 3. | A statement of applicability shall be prepared to document the risk treatment and controls adopted. |
| Tier 2 | 4. | Senior management shall assess and sign off the risk treatment regime, policies and procedures. |

2.4 Risk governance: Risks to network and information systems are effectively managed, communicated, and regularly considered throughout the organisation, and led by senior management.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | Responsibility for cyber security risks has been allocated appropriately to named individuals. |
| Tier 1 | 2. | Cyber security risks are on the organisational risk register. |
| Tier 1 | 3. | Knowledge sharing of risk management through peer networks is actively undertaken. |
| Tier 1 | 4. | The board regularly reviews cyber risks. |
| Tier 1 | 5. | All executive and non-executive board members are made aware of the cyber risks of the organisation. |
| Tier 1 | 6. | There is board-level accountability for cyber risk with a named individual. |
| Tier 1 | 7. | Staff members are trained in cyber risk assessment and management relevant to their role. |
| Tier 1 | 8. | An organisation-wide risk management culture is promoted by senior management with demonstrable participation at all levels. |
| Tier 2 | 1. | Senior accountable officers receive appropriate training and guidance on risk management. |
| Tier 2 | 2. | There are clear and well-understood channels for communicating and escalating risks. |
| Tier 2 | 3. | Senior management regularly reviews the resource allocations to ensure these are sufficient to permit prioritised information security and cyber risk mitigation measures to be implemented. |

Procurement, Contracts, and Legal

3. Supplier management: The organisation understands and manages security risks that arise as a result of dependencies on external suppliers and third-party services.

3.1 Supply chain assurance: The organisation has a deep understanding of the security provisions and assurances around systems and services provided by third parties and their supply chain.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | Develop and maintain an inventory of all supply chain relationships critical to the operation of the organisation. |
| Tier 1 | 2. | Organisations shall adopt a proportionate, risk-based policy in respect of supply chain cyber security. |
| Tier 1 | 3. | The organisation has assessed, understands and has procedures in place to manage security risks that may arise as a result of dependencies on third-party suppliers. |
| Tier 1 | 4. | Documented and suitable assurances have been obtained from suppliers and their immediate supply chain that proportionate and appropriate security measures to protect systems, services, data and information are in place, and that these are certified or aligned with recognised standards or their equivalent (e.g. Cyber Essentials, ISO 27001). |
| Tier 1 | 5. | Suppliers and other third parties shall periodically attest and evidence, through independent assurance, their ability to meet cybersecurity requirements. |
| Tier 1 | 6. | The security requirements and stipulations necessary to ensure GDPR and other relevant regulatory compliance are incorporated into supplier contracts, and are mutually agreed and understood. |
| Tier 2 | | No additional requirements. |

3.2 Roles and responsibilities: The organisation has defined the respective duties and responsibilities of third-party suppliers and the supply chain, and these are understood and agreed by all parties.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | Where services are outsourced (for example by use of cloud infrastructure or services), which security-related responsibilities remain with the organisation and which are the supplier’s responsibility shall be defined and accurately recorded. |
| Tier 2 | 1. | There is a clear and documented shared-responsibility model with suppliers for incident management. |

3.3 Access control: There is visibility and control of third-party users (or automated functions) that can access organisational systems, services, data and information, and these are appropriately verified, authenticated and authorised.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | Only individually authenticated and authorised users can connect to or access the organisation’s networks or information systems. |
| Tier 2 | 1. | Both electronic and physical access require individual authentication and authorisation. |
| Tier 2 | 2. | Third-party user access to all networks and information systems is limited to the minimum necessary. |
| Tier 2 | 3. | Additional authentication mechanisms, such as two-factor authentication or hardware-backed certificates, are employed to individually authenticate and authorise all third-party remote access to all networks and information systems that support essential services. |
| Tier 2 | 4. | The list of external users with access to essential service networks and systems is reviewed on a regular basis, e.g. every 6 months. |

3.4 Security in procurements: The organisation has security embedded within procurement procedures.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | Ensure implementation of security considerations as part of procurement processes. |
| Tier 2 | 1. | Cyber risk and information security related requirements shall be considered as an integral part of the procurement process and, where relevant, included in tender requirements for new systems, services or enhancements to existing provisions. |
| Tier 2 | 2. | Organisations shall regularly monitor, review and audit supplier service delivery and associated security provisions. |
| Tier 2 | 3. | Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business information, systems and processes involved and re-assessment of risks. |

3.5 Security in cloud services: The organisation has security embedded in cloud-based services.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | It is essential, where cloud services are employed (particularly with respect to IaaS and PaaS), that there is clarity (whether through contractual agreement or other arrangements) on whether the responsibility to carry out certain actions (i.e. patching) lies with the organisation or the cloud supplier, and that this is defined in a shared security responsibility model (SSRM). |
| Tier 1 | 2. | Cloud service providers appropriately sanitise data storage areas before reallocating them to another user. |
| Tier 1 | 3. | Multi-factor authentication shall be used for access to all cloud-based accounts and services. |
| Tier 1 | 4. | Periodically back up data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency. |
| Tier 1 | 5. | Contracts should include provisions limiting changes directly impacting CSC-owned environments/tenants to explicitly authorised requests within service level agreements between CSPs and CSCs. |
| Tier 1 | 6. | CSPs must provide the capability for CSCs to manage their own data encryption keys. |
| Tier 1 | 7. | The CSP must have in place, and describe to CSCs, the procedure to manage and respond to requests for disclosure of personal data by law enforcement authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation. |
| Tier 1 | 8. | The CSP must define and implement processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up. |
| Tier 1 | 9. | The organisation should establish a formal, documented, and leadership-sponsored enterprise risk management (ERM) programme that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks. |
| Tier 1 | 10. | The organisation should establish and maintain contact with cloud-related special interest groups and other relevant entities in line with business context. |
| Tier 1 | 11. | The CSP should provide application interface(s) to CSCs so that they can programmatically retrieve their data, to enable interoperability and portability. |
| Tier 1 | 12. | Agreements must include provisions specifying CSC access to data upon contract termination, and will include: a. data format; b. length of time the data will be stored; c. scope of the data retained and made available to the CSC; d. data deletion policy. |
| Tier 1 | 13. | Design, develop, deploy and configure applications and infrastructures such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented and segregated, monitored and restricted from other tenants. |
| Tier 1 | 14. | Use secure and encrypted communication channels when migrating servers, services, applications, or data to cloud environments. Such channels must include only up-to-date and approved protocols. |
| Tier 1 | 15. | Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually agreed upon provisions and/or terms: |
| Tier 2 | 1. | Where cloud-based services are employed, there is sufficient separation of the organisation’s data and service from other users of the service. |

Technical Team

4. Asset management: Everything required to deliver, maintain or support networks and information systems and services is determined and understood.

4.1 Hardware assets: The organisation has visibility and effective management of all hardware assets.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | All hardware assets are in support and their configuration is managed, tracked and recorded, including all end user devices. |
| Tier 1 | 2. | End user devices are managed to enable organisational controls to be applied over software or applications. |
| Tier 2 | 1. | All assets are identified and inventoried (at a suitable level of detail). The inventory is kept up to date. |
| Tier 2 | 2. | Assets are securely managed throughout their lifecycle, from creation through to eventual decommissioning or disposal. |
| Tier 2 | 3. | All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. |
| Tier 2 | 4. | Assets are prioritised according to their importance to the delivery of the essential service. |
| Tier 2 | 5. | Responsibility for managing the physical assets has been assigned. |
| Tier 2 | 6. | Asset management is in place; assets shall not be taken off-site without prior authorisation and associated documentation. |
| Tier 2 | 7. | Security is applied to all assets used off-site. |

4.2 Software assets: The organisation has visibility and effective management of all software assets.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | Software running on computers and network devices is kept up to date and has the latest security patches installed. Specifically: a) software running on computers and network devices that are connected to or capable of connecting to the internet is licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available; b) updates to software (including operating system software and firmware) running on computers and network devices that are connected to or capable of connecting to the internet are installed in a timely manner (e.g. within 14 days of release, or automatically when they become available from vendors); c) out-of-date software (i.e. software that is no longer supported) is removed from computers and network devices that are connected to or capable of connecting to the internet. |
| Tier 1 | 2. | All software and application assets, with licence and configuration details, must be tracked and recorded. |
| Tier 1 | 3. | Software vulnerability monitoring, including the use of in-support software, must be implemented. |
| Tier 2 | | No additional requirements. |

4.3 Infrastructure management: The organisation recognises critical infrastructure assets and dependencies.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | The installation of software shall be controlled and shall not be permitted by general users. |
| Tier 1 | 2. | Minimum configuration baselines are established for critical network assets and applied during deployment. |
| Tier 2 | 1. | Network assets shall be regularly maintained to ensure service continuity. |

5. Information security management: Proportionate security measures are in place to protect information, data, services and systems from cyber-attack.

5.1 Security policy & processes: The organisation has developed, and continues to improve, a set of protection policies and processes that manage and mitigate the risk of security-related service disruption or data loss.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | Appropriate policies and processes that direct the organisation’s overall approach to securing systems are defined, implemented, communicated and enforced. |
| Tier 1 | 2. | Security governance, risk assessment and technical security practices are documented. |
| Tier 1 | 3. | Each organisation shall determine the boundaries and scope of its security policy. This should be defined to cover all relevant operations, which shall include interfaces and dependencies between activities performed by the organisation and those that are performed by other organisations. |
| Tier 1 | 4. | Information security shall be addressed in project management, regardless of the type of project. |
| Tier 1 | 5. | Key security performance indicators are defined with relevant metrics and targets, and reported to executive management. |
| Tier 1 | 6. | Acceptable usage policies that define the proper use of technology by all personnel are in place (these include remote access, wireless, removable electronic media, laptops, tablets, handheld devices, email and internet). |
| Tier 1 | 7. | The security policy and procedures clearly define information security responsibilities for all personnel. |
| Tier 2 | 1. | Policies and processes are reviewed at suitably regular intervals to ensure they remain relevant to threats and business processes, accommodate lessons learned, and remain appropriate and effective. |
| Tier 2 | 2. | Security policies and processes are integrated with other organisational policies and processes. |
| Tier 2 | 3. | All relevant legislative, statutory, regulatory and contractual requirements, and the organisation’s approach to meeting these requirements, shall be explicitly identified, documented and kept up to date (e.g. GDPR security outcomes; NIS Regulations). |

5.2 Lifecycle management: Information assets are managed throughout their lifecycle, from creation through to eventual decommissioning or disposal.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | Information and data should be classified according to retention and disposal policies and legal requirements. |
| Tier 1 | 2. | Personal data processed should be catalogued, adequate, relevant and limited to what is necessary for the purpose of the processing, and it should not be kept for longer than is necessary. |
| Tier 1 | 3. | Technical controls are in place to prevent unauthorised or unlawful processing of personal data that might remain in memory when technology is sent for repair or disposal. |
| Tier 1 | 4. | Information and data records shall be protected from loss, destruction, falsification, unauthorised access and unauthorised release, in accordance with legislative, regulatory, contractual or business requirements. |
| Tier 2 | 1. | Information, data and media destruction and disposal processes should have assurance procedures and an audit trail from collection to destruction. |

5.3 Storage: The organisation knows where data and information are stored and has security in place, whether on-premise, mobile, removable or cloud-based storage is employed.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | There are suitable physical or technical means, including encryption, to protect stored data from unauthorised access, modification or deletion through unauthorised access to storage media. |
| Tier 2 | 1. | There is a detailed understanding and mapping of data and information flows across creation, transit, processing and storage. |
| Tier 2 | 2. | The organisation has processes to remove or minimise unnecessary copies or unneeded historic records. |
| Tier 2 | 3. | Where outsourced or third-party storage is employed, appropriate security measures are in place and enforced, with appropriate assurance procedures consistent with data retention policies. |
| Tier 2 | 4. | All data is sanitised from all devices and equipment before disposal. |

5.4 Information / data classification: Information is classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification, to ensure it receives an appropriate level of protection in accordance with its importance to the organisation.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | All data and information assets have been identified and classified. |
| Tier 2 | 1. | Information has been classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. |
| Tier 2 | 2. | An appropriate set of procedures for information labelling has been developed and implemented in accordance with the information classification scheme adopted by the organisation. |

5.5 Information asset register: Data and information assets are identified, and an inventory of these assets is created and maintained.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | Key information assets have been identified and recorded. |
| Tier 1 | 2. | Key information assets have been assessed for their vulnerability to cyber-attack. |
| Tier 1 | 3. | All data and information assets have been catalogued by type and classification and recorded in an information asset register. |
| Tier 1 | 4. | The information asset register records where the information/data are held and which computer systems or services process it. |
| Tier 1 | 5. | The purpose for processing the personal data held by the organisation has been described and recorded. |
| Tier 1 | 6. | Organisations shall know and record: a) what sensitive information they hold or process; b) why they hold or process that information; c) where the information is held; d) which computer systems or services process it; e) the impact of its loss, compromise or disclosure. |
| Tier 2 | 1. | Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme. |
| Tier 2 | 2. | The register maintains a current understanding of the location, quantity and quality of data and information stored. |
| Tier 2 | 3. | Hardware and software assets associated with information and information processing have been identified. |
| Tier 2 | 4. | An inventory of information assets has been established and is maintained through a recognised process. |
| Tier 2 | 5. | Assets maintained in the inventory have ascribed owners. |

5.6 Information / data transfer controls: The organisation has an understanding of information / data flows, including the transfer of data to third parties and the associated security protocols that are in place.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | Data at rest on all devices and in databases is protected by appropriate measures, including physical protection (when hosted within a secure data centre) and encryption. |
| Tier 1 | 2. | There are technical controls in place (such as appropriate encryption) to prevent unauthorised or unlawful processing of personal data, whether through unauthorised access to user devices or storage media, backups, or interception of data in transit or at rest. |
| Tier 1 | 3. | Data in transit accessed by remote workers and third parties is protected by encryption and the application of a virtual private network (VPN). |
| Tier 1 | 4. | Protect data in transit using well-configured TLS (e.g. v1.2 or above). |
| Tier 2 | 1. | There is a current understanding and record of the data links and routes used to transmit data. |
| Tier 2 | 2. | Appropriate physical or technical means are applied to protect data that travels over an untrusted carrier. |
| Tier 2 | 3. | Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. |
| Tier 2 | 4. | Agreements shall address the secure transfer of business information between the organisation and external parties. |

6. Services resilience: Network and information systems are designed to be resilient to cyber security and operational adverse incidents.

6.1 Services resilience: Systems are appropriately segregated and resource limitations are mitigated.

| Tier | No. | Requirement |
|---|---|---|
| Tier 1 | 1. | Key operational services have been identified, with resource, technology and service dependencies defined (e.g. power, bandwidth, cooling, data, people). |
| Tier 2 | 1. | Key operational systems are segregated from other business and external systems by appropriate technical and physical means (e.g. separate network and system infrastructure with independent user administration). |
| Tier 2 | 2. | Geographical constraints or weaknesses (e.g. a single communications line or channel) have been identified and mitigated. |
| Tier 2 | 3. | Systems that key services depend upon have redundancy and are replicated to an alternative location. |
| Tier 2 | 4. | There are alternative physical paths and service providers for network connectivity, with known separacy and diversity of bearers. |
| Tier 2 | 5. | Dependency, resource and geographical limitation assessments are regularly reviewed, with updated mitigations when required. |
| Tier 2 | 6. | Organisations annually conduct and document an organisational resilience assessment. |

7. Access control: Access to information, services and systems is controlled, managed and monitored through policies and procedures.

7.1 account management: User accounts are effectively managed throughout their lifecycle to provide minimum access to sensitive information or key operational services.

Tier 1:
1. All user account creation is subject to a provisioning and approval process.
2. All default passwords are removed and changed to an alternative, strong password.
3. There is a robust password policy which avoids users having weak passwords, such as those that are trivially guessable.
4. Password or account sharing between users is not permitted.
5. User accounts and special access privileges are removed or disabled when no longer required (e.g. when an individual changes role or leaves the organisation) or after a pre-defined period of inactivity (e.g. 3 months).
6. Unnecessary user accounts (e.g. guest accounts and unnecessary administrative accounts) should be removed or disabled.
7. There should be no generic or common accounts accessed by multiple individuals.

Tier 2: No additional requirements.

7.2 identity authentication: Procedures are in place to verify, authenticate and authorise access to the organisational networks and information systems.

Tier 1:
1. Each user authenticates using a unique username and strong password before being granted access to applications, computers and network devices.
2. Users that can access personal data are appropriately authenticated.
3. Users who have privileged access are strongly authenticated by multi-factor or device authentication measures.
4. Multi-factor authentication shall be used for access to enterprise-level social media accounts.

Tier 2:
1. Additional authentication mechanisms, such as multi-factor authentication or hardware-backed certificates, are employed for all systems that operate or support key services.
2. There is an auditable, robust procedure in place to verify each user and issue the minimum required access rights.
3. Attempts by unauthorised users to connect to systems are alerted, promptly assessed and investigated.

7.3 privilege management: The allocation and use of privileged access rights to networks and information systems is restricted and controlled.

Tier 1:
1. Special access privileges are restricted to a limited number of authorised individuals.
2. Details about special access privileges (e.g. the individual and purpose) are documented, kept in a secure location and reviewed on a regular basis (e.g. quarterly).
3. Special access privileges are controlled, periodically reviewed and removed or disabled when no longer required.
4. Users who have privileged access accounts are strongly authenticated by two-factor or hardware authentication measures.
5. Access to sensitive information and services is only provided to authorised, known and individually referenced users or systems.
6. Access to logging data is limited to those with a business need and no others. Legitimate reasons for accessing logging data are given in use policies and users are trained on this.

Tier 2:
1. Systems and devices supporting the delivery of services are only administered or maintained by authorised privileged users.
2. Privileged access (e.g. to systems controlling the essential service, or system administration) is carried out with separate accounts that are closely monitored.
3. All privileged access to networks and information systems is routinely validated and subject to real-time security monitoring, with all privileged user sessions recorded and stored for offline analysis and investigation.
4. Temporary, time-bound rights for privileged access and external third-party support access are employed where appropriate.
5. The use of utility programs that might be capable of overriding system and application controls shall be restricted.
6. Access to program source code shall be restricted.

7.4 administrator account management: System administrator accounts are controlled and monitored, with the activity logs protected and regularly reviewed.

Tier 1:
1. Administrative accounts should only be used to perform legitimate administrative activities and should not be granted access to email or the internet.
2. Administrative accounts should have complex passwords that differ from those of standard user accounts.
3. Highly privileged administrative accounts should not be used for high-risk or day-to-day user activities, for example web browsing and email.
4. Administrators do not conduct ‘normal’ day-to-day business from their high-privilege account and use normal accounts for standard business use.

Tier 2:
1. The list of system administrators is regularly reviewed, e.g. every 3-6 months.
8. Media management: Fixed and portable storage media and devices are managed, and data/information is appropriately protected.

8.1 storage media: Policies and procedures are in place to protect stored data and prevent unauthorised disclosure, modification, removal or destruction of information stored on media.

Tier 1:
1. The organisation can identify and account for all removable media.
2. Tracking and recording of all assets that store personally identifiable information, including end user devices and removable media, is in place.
3. Where removable media is to be reused, appropriate steps should be taken to ensure that previously stored information will not be accessible.
4. All data important to the delivery of the essential service is sanitised from all removable media before disposal.

Tier 2: No additional requirements.

8.2 mobile media / devices: The organisation can identify and account for all mobile end-user devices and removable media, and monitors the data protection measures that are in place on mobile devices.

Tier 1:
1. Where the use of removable media is required to support the business need, it is limited to the minimum media types and users needed.
2. Removable media is automatically scanned for malware when it is introduced to any system.
3. Any media brought into the organisation is scanned for malicious content before any data transfer takes place.
4. All removable media is formally issued to individual users, who are accountable for its use and safe keeping.
5. Users do not use unofficial media, such as USB sticks given away at conferences.
6. Sensitive information is encrypted on removable media.
7. Where removable media is to be reused or destroyed, this is done securely, with appropriate steps taken to ensure that previously stored information is not accessible.
8. All users are made aware of their personal responsibilities for following the removable media security policy.
9. A secure baseline build and configuration is applied to all mobile devices.
10. The organisation can remotely wipe and/or revoke access from all mobile devices.

Tier 2:
1. Mobile devices are catalogued, tracked and configured according to best practice for the platform, with appropriate technical and procedural policies in place.
2. The data held on mobile devices is minimised.
3. Some data may be automatically deleted from mobile devices after a certain period.
4. Procedures are implemented for the management of removable media in accordance with the classification scheme adopted by the organisation.

8.3 cryptography: There is proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information at rest, in transit and on mobile devices or removable media.

Tier 1:
1. Sensitive information should be encrypted at rest on devices, databases and media, and when transmitted electronically, especially over an untrusted carrier.

Tier 2:
1. There is a policy on the adoption of cryptography, including the use and protection of cryptographic keys and their lifetime management.
2. Cryptographic authentication, integrity and non-repudiation controls, such as digital signatures and message authentication codes, and cryptographic key management are implemented as and where required by the policy.
9. System management: Information systems are protected from cyber-attack throughout their lifecycle.

9.1 secure configuration: The network and information systems that support the delivery of essential services are securely configured.

Tier 1:
1. Unnecessary software (including applications, system utilities and network services) should be removed or disabled.
2. The auto-run feature should be disabled (to prevent software programs running automatically when removable storage media is connected to a computer or when network folders are accessed).
3. A personal firewall (or equivalent) should be enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default.
4. A secure baseline build is implemented for all systems, platforms and components, including hardware and software, to reduce the level of inherent vulnerability.
5. Any functionality, application, service or port not required to support a user or business need is removed or disabled.
6. The secure build profile is managed by a configuration control process and any deviation from the standard build is documented and approved.
7. Automatic session locking is configured on enterprise assets after a defined period of inactivity.
8. Default vendor system security credentials, insecure configurations and unnecessary services are updated or disabled to reduce potential risk and vulnerabilities.

Tier 2:
1. Network and system configuration changes are managed, secure and documented.
2. Network and information systems are regularly reviewed and validated to ensure that they have the expected, secured settings and configuration.
3. There are regular reviews and updates to technical knowledge about networks and information systems, such as documentation and network diagrams, and these are securely stored.
4. Only permitted software can be installed and standard users cannot change settings that would impact security or business operation.

9.2 secure design / development: Information security is designed and implemented within the development lifecycle of information systems and networks.

Tier 1:
1. The exception handling process is configured to ensure that error messages returned to internal or external systems or users do not include sensitive information that may be useful to attackers.

Tier 2:
1. A secure development policy with guidance is in place that defines rules for the development of software and systems, and it is applied.
2. Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products.
3. The organisation shall supervise and monitor the activity of outsourced system development.
4. Change control procedures are in place to manage the development lifecycle.
5. Appropriate expertise is employed to design and review network and information systems.
6. The networks and information systems are designed to have simple data flows between components to support effective security monitoring.
7. The networks and information systems are designed to be easy to recover.

9.3 change control procedures: Changes to systems and software configurations are controlled by formal change control procedures.

Tier 1:
1. Policies that set out configuration control and change management processes for all systems are in place.
2. A process is defined and implemented to proactively roll back changes to a previous known good state in case of errors or security concerns.
3. The ability of users to change configuration is restricted. Users with ‘normal’ privileges are prevented from installing or disabling any software or services running on the system.

Tier 2:
1. Modifications to software are restricted and all changes are subject to change control procedures.
2. Only permitted software can be installed and standard users cannot change settings that would impact security or business operation.
3. Change management is in place to control changes to business processes, information processing facilities and systems, with alerts for changes deviating from the established baseline.

9.4 system testing: Testing of security functionality shall be carried out during development of new systems, upgrades and new versions or configurations.

Tier 1:
1. Regular automated testing is undertaken to evaluate the effectiveness of security measures, including virus and malware scanning, vulnerability scanning and penetration testing.
2. The results of any testing and remediating action plans are recorded.
3. Regular penetration testing for the presence of known vulnerabilities or common configuration errors is undertaken with third parties to ensure that security controls have been well implemented and are effective.

Tier 2:
1. Regular testing by third parties is undertaken to identify vulnerabilities in the networks and information systems.
2. Penetration testing is undertaken following changes to operating systems, business applications and software development and deployment; this is recorded in a penetration test protocol.
3. Test data shall be securely marked, protected and controlled.
4. Acceptance testing programmes and related criteria shall be established for new information systems, upgrades and new versions.
10. Operational security: Appropriate technical and organisational measures are in place to protect systems and digital services from cyber attack.

10.1 malware policies & protection: Detection, prevention and recovery controls to protect against malware shall be implemented.

Tier 1:
1. Malware protection software is:
   a. installed and actively running on all computers that are connected to or capable of connecting to the internet, and generates audit logs;
   b. kept up to date (e.g. at least daily, either by configuring it to update automatically or with centrally managed deployment);
   c. configured to:
      i. scan files automatically upon access (including when downloading and opening files, or accessing files on removable storage media or a network folder);
      ii. scan web pages when they are accessed (via a web browser);
      iii. prevent connections to known malicious websites on the internet (e.g. by using website blocklisting);
   d. configured to perform regular scans of all files (e.g. daily);
   e. preventing connections to malicious websites on the internet (e.g. by using website blocklisting).
2. Content filtering capability is present on all external gateways to prevent malicious code being deployed to common desktop applications such as the web browser. The antivirus and malware solutions used at the perimeter are different from those used to protect internal networks and systems, in order to provide some additional defence in depth.
3. Anti-malware policies and standards are developed and implemented across the organisational infrastructure.
4. End user device protection is in place through anti-virus software and application allowlisting.
5. If stand-alone workstations are present, these are provided as required, equipped with appropriate anti-virus software capable of scanning the content on any type of media.

Tier 2: No additional requirements.

10.2 email security: Information involved in electronic messaging shall be appropriately protected.

Tier 1:
1. The NCSC active cyber defence (ACD) programme is implemented where appropriate and available.
2. Transport layer security version 1.2 or above (TLS v1.2+) is used for sending and receiving email securely.
3. Domain-based message authentication, reporting and conformance (DMARC) is in place along with DomainKeys Identified Mail (DKIM) and sender policy framework (SPF) records.
4. Spam and malware filtering is present and DMARC is enforced on inbound email.

Tier 2: No additional requirements.
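As an added check for Tier 1 items 3 and 4 above (example code, not part of the framework), the following Python evaluates a domain's SPF, DKIM and DMARC TXT records against what the requirement asks for: all three present, SPF not open to any sender, DMARC policy enforced. The domains, selector, key value and records are constructed placeholders standing in for live DNS lookups.

```python
"""Evaluate a domain's published email authentication records against the
framework's 10.2 Tier 1 items 3 and 4: SPF and DKIM records present and a
DMARC policy that is actually enforced. Records come from an inline table
standing in for DNS TXT lookups (constructed sample data; the domains, the
selector and the DKIM key value are placeholders)."""

# Constructed TXT records keyed by DNS name; a live check would query DNS instead.
SAMPLE_TXT = {
    "good.example": ["v=spf1 mx include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@good.example"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
    "weak.example": ["v=spf1 include:a.example include:b.example +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "s1._domainkey.weak.example": ["v=DKIM1; k=rsa; p="],  # empty p= means the key is revoked
}

# SPF terms that each cost a DNS lookup; RFC 7208 limits a record to 10 of them.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_term_name(term):
    """Strip the qualifier (+ - ~ ?) and any argument from an SPF term."""
    term = term.lstrip("+-~?")
    for separator in (":", "/", "="):
        term = term.split(separator, 1)[0]
    return term.lower()


def check_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    findings = []
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if spf_term_name(t) == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, so unlisted senders get a neutral result")
    elif all_terms[-1].lstrip("+") == "all":  # bare 'all' or '+all' is a pass for everyone
        findings.append("SPF: '+all' authorises any host on the internet to send as this domain")
    lookups = sum(1 for t in terms if spf_term_name(t) in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    return findings


def check_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record published"]
    findings = []
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: policy p={policy or 'missing'} is not enforced (needs quarantine or reject)")
    pct = tags.get("pct", "100")  # receivers default to applying the policy to 100% of mail
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


def check_dkim(txt_records):
    if not txt_records:
        return ["DKIM: no key record published at the selector"]
    tags = parse_tags(txt_records[0])
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1 if present
        findings.append("DKIM: unexpected version tag")
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag, the selector's key has been revoked")
    return findings


def assess_domain(domain, selector, txt=SAMPLE_TXT):
    """Return (compliant, findings) for a domain and one DKIM selector."""
    findings = []
    findings += check_spf(txt.get(domain, []))
    findings += check_dmarc(txt.get(f"_dmarc.{domain}", []))
    findings += check_dkim(txt.get(f"{selector}._domainkey.{domain}", []))
    return not findings, findings


if __name__ == "__main__":
    for name in ("good.example", "weak.example"):
        compliant, findings = assess_domain(name, "s1")
        print(name, "compliant" if compliant else "NOT compliant")
        for finding in findings:
            print("  -", finding)
```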
10.3 application security: Applications are tested for susceptibility to security vulnerabilities during development and following system changes.

Tier 1:
1. The NCSC’s Web Check service has been adopted.
2. Policies and procedures with baseline requirements for application security have been developed; these should include multi-factor authentication.
3. Critical and data-sensitive applications are identified and are subjected to penetration testing to identify business logic vulnerabilities after code scanning and automated security testing.
4. Web applications are routinely scanned and regularly penetration tested for the presence of known security vulnerabilities (such as those described in the Open Web Application Security Project (OWASP) Top Ten) and common configuration errors.

Tier 2: No additional requirements.

10.4 vulnerability management & scanning: Network and information systems are managed to prevent exploitation of technical vulnerabilities.

Tier 1:
1. The NCSC active cyber defence (ACD) programme is implemented where appropriate and available.
2. There is a defined policy and supporting process to identify vulnerabilities, and to prioritise and mitigate those vulnerabilities.
3. Regular vulnerability scans are conducted via automated vulnerability scanning tools against all networked devices, and any identified vulnerabilities are remedied or managed within an agreed time frame.
4. Regular discovery scans to detect unknown devices are undertaken and any anomalous findings are investigated.
5. Antivirus and malicious code checking solutions are deployed to scan inbound and outbound objects at the network perimeter. Any suspicious or infected objects are quarantined for further analysis.

Tier 2:
1. Information about vulnerabilities for all software packages, network equipment and operating systems is obtained in a timely fashion.
2. Vulnerabilities are prioritised and subject to a risk assessment to determine the organisation’s exposure.

10.5 data exfiltration monitoring: Network traffic is monitored to identify unusual activity.

Tier 1:
1. Network traffic, services and content are limited to those required to support business need (for example, by setting effective firewall rule sets).

Tier 2:
1. Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.

10.6 browser management: Web browsers should be configured to minimise security vulnerabilities and risk.

Tier 1:
1. Browsers are kept current and configured to mitigate against code exploits.
2. Unnecessary browser plugins or scripting languages are disabled.

Tier 2: No additional requirements.

10.7 monitor / audit user activity: User access and activity are monitored to identify unauthorised access attempts, policy violations and unusual behaviour.

Tier 1:
1. All user access and activity is monitored, particularly access to sensitive information and the use of privileged account actions.
2. The monitoring capability can identify unauthorised or accidental misuse of systems or data. It can tie specific users to suspicious activity.
3. Activities that are outside of normal, expected bounds, policy violations, and suspicious or undesirable behaviour (such as access to large amounts of sensitive information outside of standard working hours) are recorded and investigated.

Tier 2:
1. All users’ access is logged and monitored for offline analysis and investigation as required.
2. Logging facilities and log information shall be protected against tampering and unauthorised access.
3. All actions involving logging data (e.g. copying, deleting, modifying, or even viewing) can be traced back to a unique user.
4. Audit logs recording user activities, exceptions, faults and information security events are created, maintained securely and regularly reviewed.
5. Attempts by unauthorised users to connect to systems are alerted, promptly assessed and investigated where relevant.
11. Network security: Appropriate measures are in place to ensure the protection of information systems and information held in networks.

11.1 patch management: Operating systems and software packages on networks and devices are kept up to date with the latest security patches installed.

Tier 1:
1. All security patches for software running on computers and network devices that are connected to or capable of connecting to the internet are installed in a timely manner (e.g. within 14 days of release, or automatically when available from vendors).
2. There is a defined policy and supporting process to identify vulnerabilities, and to prioritise and mitigate those vulnerabilities. The policy specifies patch application periods and a process for auditing compliance.
3. Critical vulnerabilities are patched within 14 days.
4. Where a vulnerability is being actively exploited, mitigating action (e.g. applying the patch) is taken immediately.
5. Where a patch is not deployed (or available) within the timescales above, alternative mitigating actions are employed, such as disabling or reducing access to the vulnerable service.

Tier 2: No additional requirements.

11.2 end-point device management: Devices that are used to access organisational networks, information systems and data are known and recorded, with integrated security management policies and systems.

Tier 1:
1. Unnecessary peripheral devices are disabled.
2. Technical policies are applied and controls exerted on devices over software and applications.
3. Devices used to access sensitive information and data or key operational services are authenticated and authorised.

Tier 2:
1. Dedicated devices are used for privileged actions (such as administration or accessing the essential service’s network and information systems). These devices are not used for directly browsing the web or accessing email.
2. Cryptographically backed device identity management is performed and only known devices can access systems.
3. Privileged access is only granted on owned and managed devices that are technically segregated and secured to the same level as the networks and systems being maintained.

11.3 internal segregation: Networks and information systems are segregated into appropriate security zones.

Tier 1:
1. Information services, sensitive data, users and information systems are segregated into appropriate security zones on networks.
2. Key operational systems are segregated in a highly trusted, more secure zone, isolated with appropriate network security controls.

Tier 2:
1. Development, testing and operational environments shall be separated to reduce the risks of unauthorised access or changes to the operational environment.
2. Internet services are not accessible from operational systems.
3. Logging data is segregated from the rest of the network, and is not affected by disruption or corruption of network data.

11.4 wireless security: Wireless access points should be securely configured and segregated as appropriate.

Tier 1:
1. Wireless access points are securely configured.
2. All wireless access points only allow known devices to connect to corporate wi-fi services.
3. Security scanning tools are in place to detect and locate unauthorised or spoof wireless access points.

Tier 2: No additional requirements.

11.5 boundary / firewall management: Manage access to ports, protocols and applications by filtering and inspecting all traffic at the network perimeter.

Tier 1:
1. One or more firewalls (or equivalent network devices) are installed on the boundary of the organisation’s internal network(s).
2. The default administrative password for any firewall (or equivalent network device) is changed to an alternative, strong password.
3. Each rule that allows network traffic to pass through the firewall (e.g. each service on a computer that is accessible through the boundary firewall) is subject to approval by an authorised individual and documented (including an explanation of business need).
4. A block list of high-risk ports, protocols and services should be written and added to the firewall policy as a default ruleset. Unapproved services, or services that are typically vulnerable to attack (such as server message block (SMB), NetBIOS, TFTP, RPC, rlogin, RSH or REXEC), are disabled (blocked) at the boundary firewall by default.
5. Firewall rules that are no longer required (e.g. because a service is no longer required) are removed or disabled in a timely manner.
6. The administrative interface used to manage boundary firewall configuration is not accessible from the internet. (The interface is protected by additional security arrangements, which include using multi-factor authentication, a strong password, encrypting the connection (e.g. using SSL), restricting access to a limited number of authorised individuals and only enabling the administrative interface for the period it is required.)
7. The firewall rule set should deny traffic by default, and an allowlist should be applied that only allows authorised protocols, ports and applications to exchange data across the boundary.

Tier 2:
1. Traffic crossing the network boundary (including IP address connections as a minimum) is monitored.
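An added example, not part of the framework: a Python review of a boundary firewall ruleset against Tier 1 items 3 to 7 above, reporting every rule that lacks a named approver or business need, exposes one of the listed high-risk services, belongs to a retired service, or reaches the administrative interface from the internet. The rule format, the service-to-port mapping and the sample rules are assumptions constructed for this example.

```python
"""Review a boundary firewall ruleset against the framework's 11.5 Tier 1 items:
default-deny with an allowlist (item 7), a named approver and documented business
need for every allow rule (item 3), the high-risk service block list (item 4),
removal of rules for services no longer required (item 5) and no internet
exposure of the firewall's administrative interface (item 6). The rule format,
the port mapping and the sample rules are constructed for this example."""
from dataclasses import dataclass

# High-risk services named in item 4, mapped to the ports they are normally served on.
HIGH_RISK_SERVICES = {
    ("tcp", 445): "SMB",
    ("tcp", 139): "NetBIOS session",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram",
    ("udp", 69): "TFTP",
    ("tcp", 111): "RPC portmapper",
    ("udp", 111): "RPC portmapper",
    ("tcp", 135): "MS-RPC endpoint mapper",
    ("tcp", 513): "rlogin",
    ("tcp", 514): "RSH",
    ("tcp", 512): "REXEC",
}
INTERNET = "0.0.0.0/0"  # an inbound rule with this source accepts traffic from anywhere


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp" or "udp"
    port: int                    # destination port the rule applies to
    source: str                  # CIDR the rule accepts traffic from
    approved_by: str = ""        # named individual who approved the rule (item 3)
    justification: str = ""      # documented business need (item 3)
    service_in_use: bool = True  # False once the service behind the rule is retired (item 5)
    management: bool = False     # True if the rule reaches the firewall's admin interface (item 6)


@dataclass
class Ruleset:
    default_action: str  # what happens to traffic that no rule matches
    rules: list


def review(ruleset):
    """Return a list of findings; an empty list means the ruleset passes every check."""
    findings = []
    if ruleset.default_action != "deny":
        findings.append("ruleset: default action must be deny, with an allowlist of approved services")
    for rule in ruleset.rules:
        if rule.action != "allow":
            continue
        if not (rule.approved_by and rule.justification):
            findings.append(f"{rule.name}: allow rule has no named approver or business justification")
        service = HIGH_RISK_SERVICES.get((rule.proto, rule.port))
        if service and rule.source == INTERNET:
            findings.append(f"{rule.name}: exposes high-risk service {service} ({rule.proto}/{rule.port}) at the boundary")
        if not rule.service_in_use:
            findings.append(f"{rule.name}: service no longer required, rule should be removed or disabled")
        if rule.management and rule.source == INTERNET:
            findings.append(f"{rule.name}: administrative interface is reachable from the internet")
    return findings


# Constructed sample ruleset; 203.0.113.0/24 is a documentation address range.
SAMPLE_RULESET = Ruleset("deny", [
    Rule("web", "allow", "tcp", 443, INTERNET, "J. Smith", "Public website"),
    Rule("smb-legacy", "allow", "tcp", 445, INTERNET),
    Rule("partner-ftp", "allow", "tcp", 21, "203.0.113.0/24", "J. Smith",
         "Partner file upload", service_in_use=False),
    Rule("fw-admin", "allow", "tcp", 8443, INTERNET, "J. Smith", "Remote admin", management=True),
])

if __name__ == "__main__":
    for finding in review(SAMPLE_RULESET):
        print("-", finding)
```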
11.6 administrator control: System administrators are strongly authenticated and authorisation is reviewed.

Tier 1:
1. Administrator access to any network component is properly authenticated and authorised.
2. Default administrative passwords for network equipment are changed.
3. Changes to the authoritative DNS entries can only be made by strongly authenticated and authorised administrators.

Tier 2:
1. The list of system administrators is regularly reviewed, e.g. every 6 months.

11.7 IP & DNS management: Organisational IP ranges are known, recorded and managed; DNS changes and queries are effectively managed.

Tier 1:
1. The NCSC’s ACD protective DNS (PDNS) service is implemented where appropriate and available.
2. The UK public sector DNS service is used to resolve internet DNS queries.
3. Organisational IP ranges are known and recorded.

Tier 2: No additional requirements.

11.8 IoT management: Internet-facing devices should be securely configured and segregated as appropriate.

Tier 1:
1. There is an inventory of all internet-facing devices.
2. There is a discovery capability to identify and profile every device on the network.
3. Data access and data flows from devices are known, understood and documented.
4. Devices are monitored, with alerting to identify any anomalous behaviour or compromise.

Tier 2:
1. Devices are categorised based on risk profile and criticality.
2. Devices are grouped based on risk profile, with appropriate security policies applied.
3. High-risk or critical devices are hosted on segmented networks which are secured from the corporate infrastructure.
4. Assurances have been provided from suppliers of IoT devices that these conform to the UK Government (UKG) code of practice for consumer IoT security and the ETSI cyber security for consumer internet of things: baseline requirements.
5. Bluetooth IoT devices are set up in non-discoverable mode.
6. IoT device firmware is patched with the security updates issued by manufacturers.
12. Incident detection: Organisations shall have in place monitoring systems and procedures to detect cyber-attacks.

12.1 detection capability: Attempts to access or compromise systems are alerted, promptly assessed and investigated.

Tier 1:
1. Attackers attempting to use common cyber-attack techniques should not be able to gain access to data or any control of technology services without being detected.

Tier 2:
1. Detection (and prevention and recovery) controls to protect against malware are in place.
2. Policy violations are detected against an agreed list of suspicious or undesirable behaviour.
3. There is the capability to investigate AV alerts.
4. Threat intelligence services are in place and used to enable risk-based and threat-informed decisions based on business needs, and to inform anomalous activity profiles.
5. There is a sufficient understanding of normal system activity (e.g. which system components should and should not be communicating with each other) to ensure that searching for system abnormalities is an effective way of detecting malicious activity.
6. Descriptions of some system abnormalities that might signify malicious activity are maintained and updated, informed by past attacks and threat intelligence that takes into account the nature of attacks likely to impact on the networks and information systems.
7. Routine searches for system abnormalities are undertaken and alerts generated.

12.2 security monitoring: Risk-based organisational monitoring policy and procedures are in place for the timely identification of security events.

Tier 1:
1. The network is monitored with intrusion detection and prevention solutions that are configured by qualified staff. These solutions should provide both signature-based capabilities to detect known attacks, and heuristic capabilities to detect unusual system behaviour. Coverage includes internal and host-based monitoring.
2. Inbound and outbound traffic traversing network boundaries is monitored to identify unusual activity or trends that could indicate attacks. Unusual network traffic (such as connections from unexpected IP ranges overseas) or large data transfers automatically generate security alerts.
3. Policies and processes are in place to promptly manage and respond to incidents detected by monitoring solutions.
4. Alerts generated by the system monitoring strategy are based on business need and an assessment of risk. This includes both technical and transactional monitoring as appropriate.
5. The monitoring capability can identify the unauthorised or accidental misuse of systems processing personal data and user access to that data, including anomalous user activity. It can tie specific users to suspicious activity.
6. A centralised capability has been deployed that can collect and analyse information and alerts from across the organisation. This is automated due to the volume of data involved, enabling analysts to concentrate on anomalies or high-priority alerts.
7. The monitoring and analysis of audit logs is supported by a centralised and synchronised timing source that is used across the entire organisation to support incident response and investigation.
8. Processes are in place to test monitoring capabilities, learn from security incidents and improve the efficiency of the monitoring capability.

Tier 2:
1. As well as the network boundary, monitoring coverage includes internal and host-based monitoring.
2. The process for bringing new systems online includes considerations for access to monitoring data sources.
3. Monitoring staff:
   a) are responsible for investigating and reporting monitoring alerts;
   b) have roles and skills that cover all parts of the monitoring/investigation workflow;
   c) have workflows that address all governance reporting requirements, internal and external;
   d) are empowered to look beyond fixed workflows to investigate and understand non-standard threats, by developing their own investigative techniques and making new use of data.
13. Incident management Well-defined incident management processes are in place, documented and regularly tested. |
|
---|---|
13.1 incident response protocol: A risk-based and up-to-date incident response plan is in place. |
|
Tier 1 | 1. Cyber incident response policies and process are in place and these integrate with central cyber incident reporting, notification and coordination protocols. |
2. Staff are trained in incident response with assigned roles and responsibilities and the organisation carries out exercises to test response plans. | |
3. There is an incident response capability and management plan in place, documented, with clear pre-defined processes, actions, roles and responsibilities and clear terms of reference for decision-making and incident management. | |
4. Specialist training is provided as required to the incident response team. | |
5. In the event of an incident the response team is provided with audit logs holding user activities, exceptions and information security events to assist in investigations. | |
6. The contact details of key personnel are readily available to use in the event of an incident. | |
7. The supporting policy, processes and plans are risk based and cover any legal or regulatory reporting requirements. | |
8. All incidents are recorded regardless of the need to report them. | |
9. All plans supporting security incident management (including business continuity and disaster recovery plans) are regularly tested. | |
10. The outcome of the tests and knowledge from incident management events are used to inform the future development of the incident management plans. | |
Tier 2 | 1. The incident response plan is communicated and understood by the wider organisational business and integrated with supply chain response plans. |
2. Thresholds for incident definitions, classifications and assessments are in place. | |
3. Alternative communication arrangements and critical document response plans are available in alternative secure locations in the event of the primary channels not being available. | |
4. Procedures for the identification, collection, acquisition and preservation of evidence have been defined and implemented | |
13.2 incident reporting procedure: Security events are reported through defined procedures known to staff. |
|
Tier 1 | 1. The organisation promotes an incident reporting culture that empowers staff to voice their concerns about poor security practices and security incidents to senior managers, with positive recognition and without fear of recrimination. |
2. Users (employees and contractors) are security aware, know their responsibilities, and understand how to report any observed or suspected security weaknesses in systems or services and how to respond to incidents. | |
3. Users are encouraged to report any security weaknesses or incident as soon as possible, without fear of recrimination. | |
4. There are communication plans in place in the event of an incident and all internal and external reporting requirements are identified in the incident management plan. This includes notifying the relevant supervisory body, senior accountable individuals, the National Cyber Security Centre (NCSC), the Information Commissioner’s Office (ICO) and law enforcement as applicable. | |
5. The effectiveness of security training and awareness activities in incident management is monitored and tested. | |
Tier 2 | No additional requirements. |
13.3 post-incident review & learning: The organisation reviews incidents and uses lessons learned from incidents to improve security measures. |
|
Tier 1 | 1. The senior team takes ownership of the lessons-learned process to ensure that any actions required to improve the organisation’s cyber resilience are undertaken. |
2. Post-incident evidence is collected, preserved and analysed to identify and remedy the root cause. | |
3. Root cause analysis is conducted routinely as a key part of the lessons learned activities following an incident. This is comprehensive, covering organisational process issues, as well as vulnerabilities in networks, systems or software. | |
4. Lessons-learned reviews are conducted: actions taken during an incident are logged and reviewed to evaluate the performance of the incident management process. | |
5. Post-incident lessons are assessed and implemented in future iterations of the incident management plan and the monitoring capability. | |
Tier 2 | 1. There is a documented incident review process/policy which ensures that lessons learned from each incident are identified, captured, and acted upon. |
2. Lessons learned cover issues with reporting, roles, governance, skills and organisational processes as well as technical aspects of networks and information systems. | |
3. Improvements identified through “lessons learned” exercises are prioritised, with the highest priority improvements completed quickly. |
14. Business continuity Information security continuity shall be embedded in the organisation’s business continuity management systems. |
||
---|---|---|
14.1 data recovery capability: Recovery controls are in place and tested to protect against information /data being lost or compromised. |
||
Tier 1 | 1. A data recovery capability is in place that includes a systematic approach to the backup of essential data. | |
Tier 2 | 1. The organisation has applied suitable physical or technical security to protect this backup stored data from unauthorised access, modification or deletion. | |
14.2 backup policies & procedures: Backup copies of information, software and system images shall be taken and tested regularly. |
||
Tier 1 | 1. There is a backup policy, and measures are in place to routinely maintain backup media. | |
2. The ability to recover archived data for operational use is regularly tested. | ||
3. Physical backup media (where used) are held in a physically secure location, offsite. | ||
Tier 2 | 1. Backup copies of information, data, software and system images are taken, tested, documented and routinely reviewed. | |
2. There are secured backups of data to allow services to continue should the original data not be available. | ||
3. Automatic and tested technical and procedural backups are secured at centrally accessible or secondary sites to recover from an extreme event. | ||
14.3 disaster recovery policies & procedures: The organisation has well defined and tested processes in place to ensure the continuity of key operational services in the event of failure or compromise. |
||
Tier 1 | 1. A disaster recovery plan is in place and updated at least annually or upon significant changes. | |
2. Contingency mechanisms to continue to deliver services in the event of any failure, forced shutdown, or compromise of any system or service have been identified, documented and tested. | ||
Tier 2 | 1. Restore times to operational service are known and documented. | |
2. The resources needed to carry out any required response activities are known, with arrangements in place to make these resources available. | ||
3. The types of information likely to be needed to inform response decisions are known, and arrangements are in place to make this information available, including from third-party suppliers as appropriate and where required. | ||
4. Disaster response team members have the skills and knowledge required to decide on the response actions necessary to limit harm, and the authority to carry them out. | ||
5. Backup mechanisms are available that can be readily activated to allow continued delivery of essential services (although possibly at a reduced level) if primary networks and information systems fail or are unavailable. | ||
14.4 BC/DR testing policies & procedures: Scenario-based exercises and processes to test recovery response plans are planned and performed. |
||
Tier 1 | 1. Restoring the service to normal operation is a well-practised scenario. | |
Tier 2 | 1. The established and implemented information security continuity controls are tested and reviewed at regular intervals to ensure that they are valid and effective. | |
2. Business continuity and disaster recovery plans are tested annually for practicality, effectiveness and completeness to ensure they remain valid. | ||
3. Exercise scenarios are based on incidents experienced by the organisation, other organisations, or are composed using experience or threat intelligence. | ||
4. Exercise scenarios are documented, regularly reviewed, and validated. | ||
5. Exercises are routinely run, with the findings documented and used to refine incident response plans and protective security, in line with the lessons learned. | ||
6. Exercises test all parts of the response cycle relating to particular services or scenarios (e.g. restoration of normal service levels). | ||
14.5 data protection impact assessments (DPIA): DPIAs are undertaken to determine the impact of the intended processing on the protection of personal data where the processing is likely to result in a high risk to the rights and freedoms of individuals. The DPIA should consider the technical and organisational measures necessary to mitigate that risk. |
||
Tier 1 | 1. The business impact of loss of availability of the service is known, understood and mitigated. | |
2. A data protection impact assessment (DPIA) is conducted to evaluate the origin, nature, particularity and severity of the risks arising from the processing of personal data. | ||
Tier 2 | 1. The impact on services of all relevant scenarios, including unauthorised data access, modification or deletion, or authorised users being unable to appropriately access this data, is understood and documented. | |
2. These impact statements are validated regularly, e.g. annually. | ||
14.6 BC contingency plan: Contingency mechanisms are in place to continue to deliver services in the event of any failure or compromise of any system or service. |
||
Tier 1 | 1. Organisation-wide contingency mechanisms and plans to continue to deliver services in the event of any failure, forced shutdown, or compromise of any system or service have been identified, documented, and implemented. | |
Tier 2 | 1. Business impact analysis is undertaken to identify critical systems and information assets, and suitable arrangements are in place to protect them and then recover them to agreed recovery point and recovery time objectives (RPOs/RTOs). | |
2. Suitable alternative transmission paths are available where there is a risk of impact on the delivery of the essential service due to resource limitation (e.g. transmission equipment or service failure, or important data being blocked or jammed). | ||
3. Information security continuity is embedded in the organisation’s wider business continuity management planning. | ||
4. Key roles are duplicated and operational delivery knowledge is shared with all individuals involved in the operations and recovery of the essential service. | ||
5. The resources needed to carry out any required response activities are known, and arrangements are in place to make these resources available. | ||
6. The types of information likely to be needed to inform response decisions are known and documented, and arrangements are in place to make this information available. | ||
7. Where necessary, arrangements are in place to augment incident response capabilities with external support (e.g. specialist providers of cyber incident response capability). |
Human Resources
15. People The organisation has policies and procedures in place to ensure staff and contractors are screened, trained and know their security responsibilities. |
|
---|---|
15.1 prior to employment: Employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. |
|
Tier 1 | 1. Pre-employment checks have been performed on all candidates, proportionate to the role and responsibilities, the classification of the information to be accessed and the perceived risks. |
2. Employee and contractor contract terms and conditions shall state their responsibilities for information security. | |
Tier 2 | No additional requirements. |
15.2 during employment: Staff and contractors are aware of and fulfil their information and cyber security responsibilities. |
|
Tier 1 | 1. A staff induction process is in place for new users (including contractors and third-party users). |
2. As part of the induction process staff are made aware of their personal responsibility and obligations to comply with the corporate security policies with regards to system security, data handling, and acceptable use. | |
3. The terms and conditions for their employment, or contract, should be formally signed or otherwise acknowledged and retained to support any subsequent disciplinary action. | |
Tier 2 | 1. There are established workflow processes that review, add or revoke the access rights and permissions of staff who join, leave or move roles. |
2. Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. | |
3. All employees and external party users shall return all of the organisational assets in their possession upon termination of their employment, contract or agreement. | |
4. Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation’s assets. | |
5. Users shall ensure that unattended equipment has appropriate protection. | |
6. A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. | |
15.3 staff training & awareness culture: All employees and contractors receive appropriate awareness education and training with regular assessments and updates as relevant for their job function. |
|
Tier 1 | 1. Appropriate staff training, awareness-raising and disciplinary processes about cyber resilience are in place for staff at all organisational levels. |
2. All employees receive regular training on cyber security risks to the organisation. This is tracked and refresher training is completed at suitable intervals. | |
3. There is a culture of awareness and education about cyber security across the organisation. | |
4. All users should be aware of the policy regarding acceptable account usage and their personal responsibility to adhere to corporate security policies including removable media security and mobile device utilisation. | |
5. The effectiveness and value of the security training provided to all users is monitored through user feedback. | |
6. Employees receive appropriate training, support and technology to help them manage personal data securely. | |
7. Senior accountable individuals promote a culture of awareness and education about cyber security across the organisation. | |
8. Cyber security information and good practice guidance is easily and widely available. | |
Tier 2 | 1. Individuals’ cyber security training is monitored to ensure that refresher training is completed and delivered at regular intervals. |
2. Cyber security training and awareness activities are evaluated for efficacy through staff testing programmes (e.g. phishing exercises). | |
15.4 staff skills assessment: Staff, including the senior management team (SMT) and board members, are appropriately trained in cyber security and risk assessment. |
|
Tier 1 | 1. A formal assessment of security skills is undertaken. |
2. Staff in security roles should be encouraged to develop and formally validate their security skills through enrolment on a recognised certification scheme. | |
Tier 2 | 1. Necessary roles for the security of networks and information systems have been identified and appropriately capable and knowledgeable staff fill those roles. |
15.5 mobile / remote working policy: The organisation has in place policies and security measures to manage the risks introduced by people using mobile devices and remote working. |
|
Tier 1 | 1. A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices including BYOD to protect information and data accessed, processed or stored at remote sites. |
Tier 2 | 1. Where working arrangements allow for remote or hybrid working, routers provided by the organisation for homeworking have their default network names and passwords changed, so that unauthorised access via default settings is prevented. |
Facilities / Estates
16. Environmental security Appropriate procedures are in place to reduce the risks from internal and external environmental threats and hazards. |
|
---|---|
16.1 equipment location: Equipment shall be sited and protected to reduce environmental impacts on information systems and service delivery. |
|
Tier 1 | 1. Equipment on premises and with third parties is sited and protected to reduce the risks from physical and environmental threats and hazards. |
2. Network and connectivity cabling is resilient, and protected from interception, interference or damage with redundancy in place. | |
Tier 2 | No additional requirements. |
16.2 power resilience: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. |
|
Tier 1 | 1. Dependencies on supporting infrastructure (e.g. power, cooling) are identified and recorded. |
2. Equipment is protected from power failures and surges and other disruptions caused by failures in supporting utilities such as telecommunications with redundancy in place. | |
Tier 2 | No additional requirements. |
17. Physical / building security To prevent unauthorised physical access, damage and interference with the organisation’s information systems and services. |
|
---|---|
17.1 access control: Building and secure areas access shall be protected by appropriate entry controls to ensure that only authorised personnel are allowed admittance. |
|
Tier 1 | 1. Appropriately secure accommodation, and appropriate policies and practices governing its use, are in place to protect personnel, hardware, programs, networks and data from loss, damage or compromise. |
Tier 2 | 1. Delivery and loading areas and other access points are controlled. |
17.2 internal security: Internal security perimeters shall be defined with policies and active alerting systems used to protect areas that contain sensitive data, critical information and essential information systems. |
|
Tier 1 | 1. Secure accommodation areas are defined and segregated to protect areas that contain either sensitive data or information processing facilities. |
2. Appropriate policies and practices governing use of the secure accommodation and access are in place. | |
Tier 2 | 1. Secure areas are protected by entry controls to ensure that only authorised personnel are allowed access. |
2. Physical security for offices, rooms and facilities shall be defined and implemented, including, for example, intruder detection, fire and flood alarms and alerting systems. |
This document has been produced by the Scottish Government Cyber Resilience Unit
Please send all comments, questions or suggested amendments to cyberresilience@gov.scot