Recently, the UK government’s Cabinet Office published the Minimum Cyber Security Standard (MCSS); the first technical standard that they plan to incorporate into the Government Functional Standard for Security.
Otherwise known as the HMG Security Policy Framework (SPF), the policy sets out the mandatory protective security outcomes that all Departments of the UK government are required to achieve. However, just because this policy applies solely to UK Government, this does not mean that valuable lessons cannot be learned from going through this new standard. In fact, in many ways it sets out a clear framework for other organizations, not just in the UK, to follow in order to improve their cyber security posture.
The standard itself isn’t actually that long and is split into five main categories that we will go through below; Identify, Protect, Detect, Respond and Recover.
Identify – Who is Responsible?
This section is all about identifying those individuals who have responsibility and accountability for the security of sensitive information and ensuring that clear policies are in place to direct specific Departments in their approach to securing such data.
This section also places significant emphasis on Departments that rely on third-party suppliers or supply chains. Departments must hold these third-parties to the same cyber-security standards that they are bound to themselves. This means either ensuring that they are compliant with the new policy or that they hold valid Cyber Essentials.
The process by which Departments improve their data access governance is not dealt with in this standard in any detail. Although, one area which the Cabinet Office are strict on is that Departments must ensure that their senior staff, or anyone with a role in securing sensitive data, receive training and actively promote a culture of security across the organization. This emphasises the importance of cyber-security awareness training as a valuable tool for improving data security.
Identify – Where is Your Sensitive Data?
In a similar way to the GDPR framework, the MCSS requires organizations to know exactly what sensitive information they store or process, the reasons why they store or process it, where that data is and the potential impact a breach involving that data would have.
This is not an easy task for those organizations or Departments that do not have data discovery and classification solutions in place, although it is not impossible. The in-built File Classification Infrastructure in File Server does provide you with the ability to discover, tag and classify your sensitive data; which many Departments of the UK government may well utilise to meet this point.
Identify – Who Has Access to This Data?
The MCSS makes it clear that Departments must ensure that users be given the absolute minimum access to sensitive information or key operational services, in what is otherwise known as a policy of least privilege. Furthermore, should users leave the organization or change roles, regular reviews of permissions are required to ensure that appropriate access remains, and excessive permissions are revoked.
Protect – Authentication and Vulnerability Patching
This section, as you can imagine, is all about ensuring that Departments are taking actionable steps to protect the sensitive data they store and process. A large section of this point is about access rights; specifically, ensuring that access is only provided to “authorised, known and individually referenced users or systems.”
Authentication and identification should be required before users or systems are able to access sensitive information. In cases where the sensitivity of the data is critical (trade secrets, for example), the MCSS also suggests that the device accessing the data require authentication.
The important lesson to take from this is the importance of knowing who is accessing your data and what changes they are making to it. If a user copies, moves or modifies a file/folder containing sensitive data, you need to ensure that this action was authorised.
The second half of this section revolves around ensuring that the systems and accounts surrounding sensitive data aren’t vulnerable to known cyber-security threats. There are a number of very specific ways the MCSS requires Departments to ensure that systems and services are protected, but the common theme appears to revolve around ensuring the latest software updates are installed and regularly scanning for vulnerabilities.
Highly privileged accounts are singled out in this section as being an area where special attention must be placed. These accounts should be closely monitored, require multi-factor authentication wherever possible and have highly complex and regularly rotated passwords. Users of these accounts also need to ensure that they are not used for “high-risk functions”, such as clicking links in emails or browsing unknown web pages.
Detect – Spot Cyber Attacks Before Damage is Done
Now, we know there is no way to completely eliminate the risk of a cyber-attack. Attackers are just too clever and attack threats evolve too quickly for this to be possible. However, organizations that are serious about cyber-security are able to spot potential attacks in progress and take action.
The MCSS requires that government Departments capture events and investigate them against known cyber security threats. Departments need to have an auditing and monitoring solution in place and know exactly what must be protected and why. The monitoring solution needs to evolve with the organization. For example, should sensitive data be moved over to cloud platforms, the monitoring solution needs to be able to detect changes occurring in the cloud.
Attackers should not be able to get access to sensitive data, or make any changes to it, without being detected by a monitoring solution. How Departments choose to monitor changes taking place to their data is left up to them, but the MCSS seems to indicate that Departments will require third-party auditing software to fulfil the requirements.
Respond – Quick Response to Cyber Attacks is Necessary
Government Departments need to develop what’s known as an incident response and management plan. Such a plan needs to clearly outline all the key roles, responsibilities and actions that need to take place in the event of an incident.
The most important thing is being able to notify supervisory bodies, the Departmental Press Office, the National Cyber Security Centre, Government Security Group, the ICO or law enforcement – as well as those individuals affected by the breach.
The incident response plan needs to be updated regularly, and any incidents that do occur need to affect and inform changes to the plan, as required. Other organizations can take important lessons from this section on the importance of having a worst-case scenario plan in place. Record every incident, regardless of severity, and use it to improve your incident response plan and overall cyber-security strategy.
Recover from Cyber Attacks Quicker
In the event of a system failure, or massive data breach, you need to ensure that contingency mechanisms are in place to reduce downtime and restore business continuity as soon as possible. Immediately after incidents, Departments must use the lessons learned from the attack or failure to improve their strategy for the future.
How Has the MCSS Been Received by the Cyber-Security Industry?
The publication of the MCSS has largely been well received by cyber-security professionals. Ilia Kolochenko, CEO of High-Tech Bridge, said of the standard; “Simplicity and efficiency are successfully combined in the document. Today, many governmental entities don’t even know where and how to start cybersecurity, and this document will certainly help them structure and manage their digital risks and implement proper cybersecurity processes.”
However, not everyone is convinced. Cyber-security expert, Ian Birdsey of Pinsent Masons remains optimistic, but sceptical: “The question of cybersecurity standards commonly arises when dealing with data breaches. When regulators assert at the enforcement stage that the organisation concerned has not met the appropriate standard, it is often difficult to benchmark the organisation against a common minimum standard. Whilst the government’s new minimum standard applies to UK government departments, over time it will be interesting to observe the extent to which it influences regulators in other spheres.”
Aidan Simsiter, CEO of Lepide (provider of auditing and monitoring solution; LepideAuditor) worries that Departments of the “UK government may struggle to meet the vague requirements, regardless of how simple they may sound on paper. However, organizations could take some valuable lessons from the standards, especially where the education, training and continuous monitoring fits into your overall security plan.”
For more information on how LepideAuditor can help you meet compliance standards through continuous and proactive auditing, click here.