The UK government has launched a new cybersecurity standard designed to set a baseline of mandatory security outcomes for all departments.
The Minimum Cyber Security Standard announced this week presents a minimum set of measures which all government departments will need to follow, although the hope is that they will look to exceed these at all times.
There is some flexibility in how they achieve these measures, depending on “local context.”
“Over time, the measures will be incremented to continually ‘raise the bar’, address new threats or classes of vulnerabilities and to incorporate the use of new Active Cyber Defence measures that Departments will be expected to use and where available for use by suppliers,” the document states.
There are 10 elements to the standard, divided into five key domains: identify, protect, detect, respond and recover.
These start with putting in place “appropriate cybersecurity governance processes,” identifying and cataloging sensitive information and operational services, and continuous management of access rights.
Next come strict authentication of all users who want access to sensitive information and key services; protection of key systems from exploitation of known vulnerabilities; security for highly privileged accounts; detection of common cyber-attacks; well-defined incident response plans; and well-tested processes to ensure continuity of services in the event of compromise.
Security experts welcomed the best practice security standard.
“Over the past decade, the UK government has been aiming to simplify security — moving away from proscriptive mandatory requirements in security standards, towards describing the minimum security outcomes that need to be achieved,” explained FireEye director, Mike Trevett. “This standard helps do exactly that. For mature organizations it provides a solid framework for managing their information risk. For less mature organizations, it will help them structure how they manage information risk and guide their cybersecurity process development.”
Mark Adams, regional VP for UK and Ireland at Veeam, argued that the standard would help government departments manage risk in the new era of the GDPR and the NIS Directive, and that it sets a good example for other industries to follow.
“The emphasis on recovery, often an unsung hero with data management, is especially welcome,” he added. “No matter who you are or where you work, it has never been more important to ensure that your digital lives are permanently ‘on’. The ability to seamlessly move data to the best location across multi-cloud environments is now crucial for business continuity, compliance, security, and optimal use of resources for business operations.”