How to create cyber risk profiles for different procurement types
We know that councils are different and have different needs and priorities so we have tried not to adopt a one-size-fits-all approach. Instead, these resources offer a series of four pillars which each council might wish to use as a basis for creating their own framework: assets, impact, contract scale and supplier risks.
Assets comprise data, networks, and systems, each of which is described in greater detail in the section How to identify the assets in your council that need to be protected. The other three pillars, impact, contract scale and supplier risks, are described below.
Impact
While there are numerous ways to evaluate impact, a commonly used model is the CIA triad (Confidentiality, Integrity, Availability). When a vulnerability in an asset is exploited in a cyber incident, the asset can be compromised in one or more of three key ways:
Confidentiality: Has the confidentiality of the asset been impacted? For example, has sensitive data been made available to someone that should not have access to that data? Has an unauthorised individual been able to access a system that they should not be able to access?
Integrity: Has the integrity of the asset been compromised? For example, if a cyber incident changes the database in which your council records council tax exemptions, it could end up recording ineligible households as exempt.
Availability: Do the right people have access to the asset at the right time? This is often one of the most impactful elements of a cyber incident. If a digital system is attacked, and is then unavailable for several months, this can create a large backlog.
Contract scale
Contract scale refers to a variety of factors relating to the contract, including but not limited to the length, value and complexity of the contract. It gives a sense of the scope of what the contract will entail and of where risks could arise over its lifetime.
Supplier risks
Risks associated with the supplier usually relate to the location of the supplier, its own supply chain, any links or ties it has to governments or organisations that might be hostile to the UK or to local government, and any previous breaches the supplier has suffered and how well they were handled.
Sample risk profiles
It is essential that each council creates its own risk profiles based on its own risk appetite - the samples shared in this guide are only illustrative examples. When considering a service or procurement, it is critical to understand its associated cyber risk, so that you can apply an appropriate risk profile and subsequently implement the right controls to mitigate and manage that risk.
Using the cyber risk evaluation framework, you can create different cyber risk profiles. These are defined standard risk levels with associated and proportionate minimum cyber security requirements that the supplier is expected to meet. These would typically range from low to high or very low to very high. There is no explicit rule, but it is generally recommended to have three to five risk levels to ensure your levels are neither too broad nor too prescriptive.
Here are some contract features that may suggest a lower risk profile. It is important to have a process to revisit this assessment as the conditions may change over time. Critically, being lower risk does not mean that there is no risk. Even lower risk contracts should have basic cyber security and resilience.
Impact
No or limited trust / reputational damage
No or limited disruption to business operations and/or local services
No or minimal financial/legal consequence
Assets
Third party access to publicly disclosable information/data only
Third party access to no or minor systems only
No third party access/connection to organisation’s network
Supplier Risk
Based within the UK
No links to governments or organisations that might be hostile to the UK or local governments
No known breaches with the supplier
Contract Scale
Short-term contract
Low-value contract
Low contract complexity
Here is an example of a moderate risk profile. If a procurement/contract is assessed to be of moderate risk, you should apply further cyber security controls on top of the basic set of cyber security requirements within your council. It is important to have a process to revisit this assessment as the conditions may change over time.
Not all of these conditions need to be met to imply a moderate risk profile. Depending on your council’s risk appetite, you may want to weigh some of the criteria more heavily than others. Typically, you should focus on the impact, assets and supplier risk ahead of the contract scale. Even low value short term contracts could pose a significant impact in the event of a cyber attack.
Impact
Some trust / reputational damage
Some disruption to business operations and/or local services
Some financial/legal consequence
Assets
Third party access to personally identifiable data
Third party access to major systems (standard access only)
Third party access/connection to organisation’s network
Supplier Risk
Based within the EU or in a foreign state friendly to the UK
Some links to governments or organisations outside the EU or friendly foreign states
Some previous breaches that were adequately identified, responded to and recovered from
Contract Scale
Medium-term contract
Moderate-value contract
Moderate contract complexity
If a procurement/contract is assessed to hold a higher risk profile, you should seek additional support and apply more comprehensive cyber security controls, in addition to the basic set of cyber security requirements within your council. These additional controls may vary depending on the cyber risk and system. It is important to have a process to revisit this assessment as the conditions may change over time.
In the same way as described for Moderate risk, you do not need all of these criteria to apply to assess a contract as higher risk.
Impact
High trust / reputational damage
High level of disruption to business operations and/or local services
High financial/legal consequence
Assets
Third party access to personally identifiable/commercially sensitive data
Third party access to major/business critical systems (privilege access)
Third party access/connection to organisation’s network with privileged rights
Supplier Risk
Based in a foreign state which is hostile to the UK
Links to governments or organisations that might be hostile to the UK or local governments
Many previous breaches that were not adequately addressed
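The three profiles above, together with the guidance that not every criterion needs to be met and that impact, assets and supplier risk should outweigh contract scale, can be turned into a small rule-based classifier. The following is an added illustrative example, not a tool from the guide or from any council: the tier names, the "worst-rated primary pillar sets the tier" rule, the uplift for a large contract, the control summaries and the sample procurements are all assumptions that a council would replace with its own risk appetite.

```python
"""Added example: a rule-based cyber risk profile classifier for procurements.

Illustrative code only, not a council's or the guide's own tool. The tier
names, the "worst primary pillar wins" rule and the contract-scale uplift are
assumptions a council would replace with its own risk appetite.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import IntEnum


class Level(IntEnum):
    """Rating for one pillar, and also the resulting risk profile tier."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class Assessment:
    """One procurement rated LOW/MODERATE/HIGH against each of the four pillars."""
    name: str
    impact: Level          # trust/reputation, service disruption, financial/legal
    assets: Level          # data sensitivity, system criticality, network access
    supplier: Level        # jurisdiction, hostile links, breach history
    contract_scale: Level  # length, value, complexity


# Impact, assets and supplier risk drive the tier; contract scale can only lift it.
PRIMARY = ("impact", "assets", "supplier")

# Minimum requirements per tier, paraphrasing the guide's three profiles (assumed wording).
CONTROLS = {
    Level.LOW: "baseline cyber security and resilience requirements",
    Level.MODERATE: "baseline plus additional controls",
    Level.HIGH: "baseline plus comprehensive controls; seek additional support",
}


def profile(a: Assessment) -> tuple[Level, list[str]]:
    """Return the tier and the criteria that drove it (kept for the audit trail).

    The worst-rated primary pillar sets the tier, so a cheap, short contract that
    grants privileged access still lands in HIGH. A HIGH contract scale lifts an
    otherwise LOW profile to MODERATE (assumed rule: exposure accumulates over a
    long, large or complex contract) but never lowers a tier.
    """
    worst = max(getattr(a, p) for p in PRIMARY)
    reasons = [f"{p}={worst.name}" for p in PRIMARY if getattr(a, p) == worst]
    tier = worst
    if tier == Level.LOW and a.contract_scale == Level.HIGH:
        tier = Level.MODERATE
        reasons = ["contract_scale=HIGH lifts LOW to MODERATE"]
    return tier, reasons


def reassess(a: Assessment, **changes: Level) -> tuple[Level, list[str]]:
    """Re-run the profile after conditions change (e.g. the supplier reports a breach)."""
    return profile(replace(a, **changes))


# Constructed sample procurements (hypothetical, not real contracts).
PUBLIC_SITE = Assessment("public events listing site",
                         Level.LOW, Level.LOW, Level.LOW, Level.LOW)
PAYROLL_SAAS = Assessment("payroll SaaS holding staff PII",
                          Level.MODERATE, Level.MODERATE, Level.MODERATE, Level.MODERATE)
AD_AUDIT = Assessment("two-week directory audit with domain admin rights",
                      Level.HIGH, Level.HIGH, Level.LOW, Level.LOW)
GROUNDS = Assessment("five-year grounds maintenance contract, no system access",
                     Level.LOW, Level.LOW, Level.LOW, Level.HIGH)


if __name__ == "__main__":
    for a in (PUBLIC_SITE, PAYROLL_SAAS, AD_AUDIT, GROUNDS):
        tier, why = profile(a)
        print(f"{a.name}: {tier.name} ({', '.join(why)}) -> {CONTROLS[tier]}")
    # The site's supplier later reports one breach that it handled adequately.
    tier, why = reassess(PUBLIC_SITE, supplier=Level.MODERATE)
    print(f"{PUBLIC_SITE.name} after supplier breach: {tier.name} ({', '.join(why)})")
```

The short, low-value directory audit is rated HIGH on impact and assets alone, which is the point the guide makes about low-value contracts; the reasons list records which criteria produced the tier so the decision can be revisited, and `reassess` is the hook for the periodic review the guide asks for.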