The LGA Cyber 360 Framework

The LGA Cyber 360 Framework uses a sector-led, collaborative method to provide expert guidance and feedback to local authority senior leadership and management – highlighting good practice that councils can employ to improve their cyber security posture and practices.

Introduction


Overview

The LGA Cyber 360 is a new programme through which we aim to:

  • encourage councils to explore their cyber security culture
  • share fresh perspectives in a safe, friendly and constructive environment.

Recent years have seen a significant rise in cyber security-related incidents affecting the public sector across the globe, as well as a marked increase in the number of attacks targeting national infrastructure, such as healthcare, local government and even water supplies. Not only are these incidents becoming more frequent, but they are also becoming increasingly sophisticated and appear to be carried out by advanced persistent threat actors that have access to considerable resources. In response, it is vital that councils ensure that they have the knowledge, means and support to defend themselves effectively against determined adversaries and relentless cyber-attacks.

The LGA Cyber 360 Framework therefore aims to offer a sector-led, collaborative method of providing expert guidance and feedback to senior leadership and management on good practice that councils can employ to improve cyber security posture and practices across their organisations. The framework relies heavily on advice and guidance from the National Cyber Security Centre (NCSC) as the technical authority for cyber security in the UK.

The LGA Cyber 360 Framework is not intended to be a technical guide but instead has been designed to support councils as they work to reduce cyber risk. By assisting in building understanding and capability across the organisation as a whole, rather than treating cyber security as a set of technical directives, the ambition is that the council can focus on softer changes that foster a culture of cyber security awareness and continuous improvement.

The LGA Cyber 360 Framework is a ‘living resource’, which will be continuously refined and updated to reflect changes to the threat landscape, technology, and best practice guidance. The LGA also welcomes input and feedback from reviewers and councils to bring about improvement and ensure that councils can get the most value out of the framework.


Aims and objectives

The LGA Cyber 360 framework aims to provide councils with a tool to see cyber security through an alternative lens, compared with the more IT-focused principles of similar frameworks. It looks at cyber security from the more holistic perspective of the organisation's people, culture, and processes rather than simply promoting conformity to a rigid set of compliance rules.

By assessing the council's services and relationships as a whole, and engaging with council leaders, heads of department, councillors, and those responsible for business continuity, as well as IT, the LGA Cyber 360 framework seeks to fulfil the following aims and objectives:

  • Provide an extensive set of indicators of good practice across a wide range of areas
  • Point to 'how-to' guidance in relation to best practice implementation
  • Provide reference to existing and related cyber security frameworks
  • Offer a comprehensive system of review and feedback
  • Signpost to further implementation and best practice guidance
  • Create a culture of continual improvement within the council.

Key assessment areas

The framework focuses on the following key areas:

1. Leadership and governance

Effective leadership will allow the council to develop a strategic approach to improving its cyber security posture, while effective governance demonstrates that an organisation has appropriate management policies and processes in place to govern its approach to cyber security.

2. Risk management

Effective risk management will allow decision makers to make better, more informed decisions about cyber security.

3. Asset management

Effective asset management will allow the council to identify and track vulnerabilities that may affect its systems, services, and information assets, ensuring that risks to its essential services can be identified and managed.

4. Supply chain

Robust supply chain security practices and processes will allow the council to identify and manage information and cyber security risks throughout its relationships with external suppliers and partners across the supply chain.

5. Service protection policies and processes

Effective enforcement of appropriate policies and processes ensures that the council directs its overall approach to securing the systems and data that support the operation of essential functions and services.

6. Identity and access control

Effective implementation of appropriate methods for authenticating and authorising users, devices, or systems will reduce the likelihood of threat actors gaining unauthorised access to sensitive information.

7. Data security

Effective data security ensures that any information that is stored, processed, or transmitted electronically is protected from actions such as unauthorised access, modification, or deletion that may cause an adverse impact on essential services.

8. System security

Effective security controls protect the networks, information systems and technology that are critical to the council's essential services from cyber-attack.

9. Resilient networks and systems

Resilient networks and systems protect and defend against cyber-attack and failure of systems that support the operation of essential council functions and services.

10. People management

Effective people management successfully integrates cyber security with normal business and promotes a culture of continual improvement.

11. Security monitoring

Effective security monitoring allows the council to detect potential security events, to track the ongoing effectiveness of protective security measures, and assist with incident or forensic investigations.

12. Proactive security event discovery

Effective proactive security event discovery ensures that malicious activity within the council's network and information systems with the potential to affect the operation of essential services can be detected.

13. Response and recovery planning

A comprehensive cyber security incident response and recovery framework will guide and streamline the council's incident response and recovery processes and help mitigate the impact of a cyber-attack.

14. Lessons learned

It is essential that councils learn from incidents and from cyber incident response test exercises, in order to understand the root cause of an incident, how the response process can be improved and, where appropriate, what steps can be taken to prevent recurrence.


A note on referencing

In the framework below, you will find two types of references:

  1. References for each 'indicator of good practice' are listed in the References section at the bottom of the webpage.
  2. Guidance documents for each 'principle' are collated below each 'principle' section.

About this publication

The Local Government Association worked in partnership with global information security experts Dionach to produce The LGA Cyber 360 Framework.

The Local Government Association owns all intellectual property rights relating to The LGA Cyber 360 Framework.

Topic 1: Leadership and governance


Effective leadership will allow the council to develop a strategic approach to improving its cyber security posture. Cyber security should be championed by senior management and improvements driven by cultural change, allowing cyber security activities to be embedded into day-to-day activities.

Effective governance demonstrates that an organisation has appropriate and effective management policies and processes in place to govern its approach to cyber security. An effective governance framework will ensure that procedures, personnel, physical and technical controls deliver a comprehensive approach to cyber security. This will ensure that a council is ready to respond to changes in the local services, technological developments and the appearance of new cyber threats.

Principle 1.1. Executive leadership and direction

What is it?

The Executive Board of the organisation provides clear direction, prioritisation, and management of cyber practices and is actively involved in defining risk appetite and the operational delivery of cyber protection measures.

Why is it important?

Effective engagement from the Executive Leadership can provide clear direction for cyber security and demonstrate leadership in promoting defined cultures and values. Effective Executive Leadership engagement leads to better cyber security practices and better outcomes for residents and the local community.

Indicators of good practice

  • Executive leadership understands that systems cannot be 'completely secure'. Cyber security is, rather, viewed as a continuous process that is regularly adapting to address newly emerging threats and vulnerabilities.
  • The executive board is involved in the development and sign-off of the council’s cyber security strategy, and they champion its delivery. (See references 1 and 2)
  • The executive board has adopted a strategic approach to improving the cyber security of the council. (See reference 2)
  • All senior leaders are equipped with the necessary skills, information and good cyber security advice which will allow them to perform their duties effectively and ensure a positive impact on business processes, service delivery and team behaviours. (See reference 3)
  • The executive board regularly discusses the cyber security of information systems supporting the council’s essential services. (See reference 4)
  • The executive board ensures that the council has planned and budgeted for adequate resources for the delivery, maintenance, and improvement of cyber security, and that these activities are supported by senior management across the council. (See reference 1)
  • The executive board is engaged in setting the council’s risk appetite, identifying types and levels of risk and setting acceptable tolerance levels for each. (See reference 5)
  • The executive board receives a regular update on cyber risks as part of corporate risk reporting. (See reference 5)
  • The executive board takes an active role in leading and championing the need for behavioural change in staff and the council’s attitude to cyber security. (See reference 2)
  • The council has established a 'no-blame' culture across the organisation for reporting cyber risks, near misses and incidents, and promotes a ‘learning culture’. (See reference 5)
  • The executive board has committed the council to take appropriate care of personal information provided by employees and by the public. (See reference 2)

Guidance

Board Toolkit | National Cyber Security Centre

Protective Security Management Systems (PSeMS) Guidance, Checklist and Case Studies | Centre for the Protection of National Infrastructure (CPNI)


Principle 1.2. Political leadership and direction

What is it?

Councillors and cabinet in particular own the policies that define the governance, practices and priorities for cyber security. They scrutinise the delivery and management of cyber resilience planning and execution, particularly in relation to business continuity, service design, emergency planning and risk monitoring.

Why is it important?

Effective political leadership is essential to ensure cyber policy, priorities, and acceptable risks are understood and adopted in wider risk and contingency planning. It ensures that the design of digital services protects citizens and operational activities from cyber risk.

Indicators of good practice

  • The impact of cyber security on emergency planning, business continuity design, and IT resilience is scrutinised routinely by councillors.
  • The cabinet is involved in championing the priority of cyber security as part of broader corporate risk management. (See reference 2)
  • Political leadership understands that systems cannot be 'completely secure'. Cyber security is, rather, viewed as a continuous process that is regularly adapting to address newly emerging threats and vulnerabilities.
  • Councillors are engaged in the leadership and governance of the council’s cyber security strategy. (See reference 3)
  • A cabinet-level lead is appointed with overall accountability for cyber security, steering discussions at cabinet-level, and ensuring support from all councillors. (See reference 1)
  • Councillors understand their personal and corporate responsibilities in complying with cyber security legislation and regulations. They receive the support, training and advice that allows them to perform their duties effectively. (See reference 3)
  • Councillors are equipped with the necessary skills, information and good cyber security advice which will allow them to perform their duties effectively. (See reference 3)
  • Councillors are engaged in setting the council’s risk appetite and risk tolerance regarding cyber security, and monitor this in the context of wider corporate risks. (See reference 5)
  • Councillors take an active role in leading and championing the right culture, behaviours, priorities, understanding and attitudes to cyber security in the council. (See reference 2)

Guidance

A councillor’s guide to cyber security | Local Government Association

The Good Councillor's Guide to Cyber Security | National Association of Local Councils (NALC)

Board Toolkit | National Cyber Security Centre


Principle 1.3. Cyber security strategy and governance framework

What is it?

The council has endorsed an overarching cyber security strategy that links corporate risk planning and emergency planning with the council’s overall information management strategy.

The council has an appropriate and tested framework for cyber governance, covering all aspects of cyber protection, from data and information management to civic resilience and business continuity – both strategic and operational.

Why is it important?

An effective cyber security strategy and governance framework that are endorsed by councillors and senior management will ensure that cyber security is embedded as part of normal business activities. It helps to ensure clear accountabilities for cyber risk control, and that cyber security decisions are taken with appropriate consideration of how they support the council in meeting its obligations and overarching objectives (not just in IT delivery teams). It also helps to define a cohesive cyber security programme that is part of corporate and service management.

Indicators of good practice

  • The council’s commitment to effective cyber security is communicated in a top-level policy statement which is championed by senior management. (See references 1 and 2)
  • The council has a cyber security strategy which has been clearly defined and communicated, and has board-level ownership and reporting. (See reference 1)
  • The cyber security strategy is fully aligned to the overall council strategy (for example, corporate strategy, service planning, risk management, emergency planning) and its implementation is actively managed to ensure that sustainable improvements in cyber security are made that deliver real business benefits. (See reference 2)
  • The Council has a cyber security programme which promotes continual improvement, security awareness, technical readiness, and aligns with the Council’s strategy and business needs. (See reference 2)
  • A documented cyber security governance framework which coordinates and directs the council’s cyber security strategy has been developed, approved, and communicated to all relevant internal and external parties. (See reference 6)
  • The cyber security governance framework defines all relevant roles and responsibilities, from the executive board and councillors to staff and partners, including responsibility for compliance with legislation, standards, policies, regulation, and contractual commitments. (See reference 6)
  • Scrutiny forms an integral part of the council’s governance framework.
  • Councillors and senior leadership recognise that information is a vital business asset, and that cyber security is an integral requirement of corporate governance.
  • The council has published a privacy policy which acknowledges the need for information security, sets out how the council handles information and adheres to relevant legislation, and explains how members of the public can raise any concerns they have. The policy is readily accessible by staff, partners, suppliers, and the public. (See references 1 and 2)
  • A process has been established to identify and ensure compliance with applicable legislation, standards, policies, and regulatory and contractual requirements. These include, but are not limited to, the HMG Security Policy Framework (SPF), the Data Protection Act (DPA), and the Data Security and Protection Toolkit (DSPT).
  • Councillors have directed and resourced the work needed to address weakness in the organisation’s cyber security programme in a strategic way that assures the effective use of information to support the Council. (See reference 2)
  • The Council has a good understanding of the evolving cyber-threat landscape, vulnerabilities and risks which shape its broader cyber security road map for all its information, systems, and processes. (See reference 2)
  • The CISO/SIRO adopts a business-focused approach to cyber security which ensures that security supports and enables the business. (See references 7 and 5)
  • Cyber security is fully integrated as an aspect of normal business and the culture of the business is such that cyber security is seen as a business enabler. (See reference 2)
  • Direction set at board level is translated into effective organisational practices that direct and control the security of the organisation’s networks and information systems. (See reference 1)
  • The Council’s governance framework and cyber security strategy ensure the effective engagement with the delivery chain partners and suppliers in order to identify and manage supply chain risks. (See reference 2)
  • There is good communication between those that are responsible and accountable for cyber security, and those who are empowered to make decisions on their behalf. (See reference 8)
  • The status of high-level cyber security-related activity is regularly communicated to senior management and the Cabinet to inform cyber security and risk management activities. (See reference 5)

Guidance

National Cyber Strategy 2022 | Cabinet Office

Board Toolkit | National Cyber Security Centre

Risk management guidance: Introduction to security governance | National Cyber Security Centre

10 Steps to Cyber Security | National Cyber Security Centre

Cyber risk – the challenge for local government (Inform Report) Part 1: The local government context | Socitm

Cyber risk – the challenge for local government (Inform Report) Part 3: Taking advantage of external resource | Socitm

Cyber risk – the challenge for local government (Inform Report) Part 4: Where to start cyber planning | Socitm

Cyber risk – the challenge for local government (Inform Report) Part 5: Cyber risk futures | Socitm


Principle 1.4. Roles and responsibilities

What is it?

Roles and responsibilities for the security of technology, people, processes, and information should be established within the organisation, with clear and well-understood channels for both communicating and escalating risks internally and externally.

Why is it important?

Clearly defined roles, along with their corresponding definitions, duties and responsibilities, clarify the purpose of the role and how the role supports the organisation’s approach to protecting its key information and digital assets.

Ownership of cyber risk by senior managers ensures that the senior management group and their teams understand their role and responsibility with regard to cyber security, and encourages directorates and departments to work together to ensure the council’s cyber security aims are achieved.

Indicators of good practice

  • The council has appointed a senior officer who is responsible for the implementation of the council’s cyber security strategy and has personal responsibility for the council’s overall information risk policy and compliance framework. (See reference 1)
  • The role and responsibilities of the scrutiny committee with regard to challenging the council’s cyber security strategy are clearly defined and communicated.
  • There is clarity on who in the council has overall accountability for data protection and security.
  • Necessary roles and responsibilities for data protection and security of critical systems supporting the council’s essential services have been identified. Appropriately capable and knowledgeable staff are appointed to these roles and are given the time, authority, and resources to carry out their duties. (See reference 1)
  • Senior accountable individuals have received appropriate training and guidance on cyber security and risk management. (See reference 1)
  • The cabinet members and senior managers understand and accept their responsibility for the effective application of cyber security measures across the council. (See reference 2)
  • Councillors and senior managers are proactively engaged in leading and championing cyber security awareness across the organisation so that the essential behavioural changes needed to embed the council’s security policy become rooted in the culture of the organisation. (See reference 2)
  • There is a culture of awareness and education about cyber security across the organisation which ensures that staff attitudes and behaviours towards cyber security are aligned to the needs of the council. (See references 1 and 2)
  • All staff and councillors understand their personal responsibilities in how data is used, to protect the council and the public from data misuse.

Guidance

Board Toolkit | National Cyber Security Centre

Cyber risk – the challenge for local government (Inform Report) Part 2: People, teams and cyber roles | Socitm

Cyber risk – the challenge for local government (Inform Report) Part 3: Taking advantage of external resource | Socitm


Principle 1.5. Due diligence

What is it?

Cyber security due diligence is the review and audit of the governance, processes and security controls that are implemented to deliver the council’s security strategy and so to protect its critical business assets and information from cyber risks.

Why is it important?

Cyber security due diligence will allow the council to identify, quantify and remediate security weaknesses or failings in its cyber strategy and practices, especially as threat landscapes change.

Effective cyber security due diligence will ensure that cyber security programmes provide continuous improvement and meet the security strategy and direction set by the cabinet while minimising cost and delivering real business benefits.

Indicators of good practice

  • Councillors exercise due diligence with regard to the effective implementation of cyber security activities within the council. (See reference 2)
  • Senior councillors monitor the progress of the cyber security programme across the council and re-direct efforts where appropriate to deliver its cyber security strategy. (See reference 2)
  • The scrutiny committee is involved in due diligence activities by challenging and scrutinising the council’s cyber security strategy, as well as ensuring that the cyber security programme reduces risks, delivers continual improvement, and provides real business benefits.
  • The scrutiny committee challenges the council’s risk management activities to ensure that senior councillors and senior management are taking appropriate steps to minimise the council’s cyber risk exposure.
  • The chief information security officer (CISO) / senior information risk owner (SIRO) / chief information officer (CIO) has oversight of the processes that evaluate the effectiveness of the council’s governance structure and cyber security activities, to ascertain whether they meet the council’s needs, are aligned with other business areas and are flexible enough to accommodate business change without significantly increasing effort and costs. (See reference 2)
  • Security and information security are part of the council’s financial and operational risk reporting mechanisms, ensuring that the cabinet and councillors are kept informed of security and information risk.
  • Managers regularly review their department's compliance with the appropriate security policies, standards, and any other security requirements. (See reference 1)
  • There is demonstrable confidence in the effectiveness of the security of the organisation’s technology, people, and processes. (See reference 1)
  • Regular assurance activities and independent audits are undertaken to prove that good practice is being maintained and that the security measures protecting networks and information systems are effective and remain so for the systems’ lifetime. (See reference 1)
  • Security weaknesses uncovered by assurance activities are assessed, prioritised, and remedied where necessary in a timely and effective way. (See reference 4)
  • Assurance activities are regularly reviewed to ensure they are working as intended and remain the most appropriate. (See reference 4)
  • The results of audits and assurance activities are communicated to both the executive board and the cabinet.

Guidance

Board Toolkit | National Cyber Security Centre

Cyber Essentials Overview | National Cyber Security Centre

Penetration Testing | National Cyber Security Centre

IT Health Check (ITHC): supporting guidance | Cabinet Office

Data Security and Protection Toolkit | NHS Digital

Topic 2: Risk management


A robust cyber security risk management process will ensure that risks to essential services are identified, assessed, prioritised and managed in line with the council’s defined risk appetite. Effective risk management will allow decision-makers to make better, more informed decisions about cyber security.

Principle 2.1. Cyber security risk governance

What is it?

Cyber security risk governance defines the council’s approach for identifying, managing, monitoring, and communicating cyber security risks.

Why is it important?

A robust cyber security risk governance process will ensure that cyber security risks are effectively managed, communicated, and regularly considered throughout the council and led by senior management within and outside IT.

Indicators of good practice

  • Cyber risk management processes are established, managed, and agreed to by the cabinet and senior leadership. (See reference 9)
  • The council’s risk tolerance, risk appetite and risk acceptance criteria have been defined, documented, and communicated to all relevant stakeholders. (See reference 9)
  • The council’s risk tolerance, risk appetite and risk acceptance criteria are regularly reviewed to ensure they align with the council’s needs, Government guidelines, and the Government Security Policy Framework.
  • There is cabinet-level accountability for cyber risk with a named individual who has received appropriate cyber security and risk management training. (See reference 1)
  • The cabinet has visibility of key cyber security risk decisions made throughout the organisation. (See reference 4)
  • Cyber security risks are on the council’s organisational risk register. (See reference 1)
  • A council-wide risk management culture is promoted by senior management with demonstrable participation at all levels. (See reference 1)
  • Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential function, as set by senior management. (See reference 4)
  • Risk management decision-making is delegated and escalated where necessary, across the organisation, to people who have the skills, knowledge, tools, and authority they need. (See references 4 and 10)
  • Staff members are trained in cyber risk assessment and management relevant to their role. (See reference 1)
  • Risk management decisions are periodically reviewed to ensure their continued relevance and validity. (See reference 4)
  • Senior management regularly review resource allocations to ensure that they are sufficient to permit prioritised information security and cyber risk mitigation measures to be implemented. (See reference 1)
  • Knowledge sharing of risk management through peer-networks with other councils, public sector partners and government departments is actively undertaken. (See reference 1)

Guidance

Board Toolkit | National Cyber Security Centre

Risk management guidance | National Cyber Security Centre

Protective Security Risk Management | Centre for the Protection of National Infrastructure (CPNI)

Management of risk in government: framework | Cabinet Office and Civil Service

The Orange Book: Management of Risk – Principles and Concepts | HM Government

Risk management assessment framework: a tool for departments | HM Treasury

10 Steps to Cyber Security | National Cyber Security Centre

National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37 Rev. 2) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce


Principle 2.2. Cyber security risk assessment framework

What is it?

A comprehensive cyber security risk assessment framework documented in policies and procedures will allow councils to establish a systematic and consistent process of identifying, managing, monitoring, and communicating cyber security risks within the organisation and with partners and suppliers as required.

Why is it important?

A documented cyber security risk assessment framework will enable individuals who are responsible for risk assessment activities to identify key information risks, evaluate them and determine the treatment required to keep those risks within acceptable limits.

Indicators of good practice

  • The council has effective information risk management policies and assessment procedures that have been approved and communicated to all relevant stakeholders. (See reference 1)
  • The cyber security risk management processes ensure that security risks to networks and information systems relevant to essential services are identified, analysed, prioritised, and managed. (See reference 1)
  • The framework has a documented and structured risk assessment methodology that allows risk assessors to conduct systematic risk assessments which produce consistent, valid, and comparable results. (See references 1 and 5)
  • The cyber risk management framework defines the council’s risk appetite including the maximum level of risk that the organisation is prepared to accept in any given situation and reflects the council’s risk tolerance. (See references 1 and 5)
  • The framework has a documented and structured risk management process that includes risk acceptance, risk escalation, and aligns with the council’s risk appetite. (See reference 1)
  • The cyber security risk management framework ensures that significant conclusions reached in the course of the risk management process are communicated to key security decision-makers and accountable individuals. (See reference 1)
  • The effectiveness of the cyber security risk management process is reviewed periodically, and improvements made as required. (See reference 1)
  • The cyber risk management framework defines when and how often a risk assessment must be conducted as well as the frequency for reviewing risks and risk treatment plans. (See reference 5)
  • Materials and information required to support each stage of information risk assessments should be developed, approved, and made available throughout the organisation. (See reference 5)

Guidance

Board Toolkit | National Cyber Security Centre

Risk management guidance | National Cyber Security Centre

Protective Security Risk Management | Centre for the Protection of National Infrastructure (CPNI)

Management of risk in government: framework | Cabinet Office and Civil Service

The Orange Book: Management of Risk – Principles and Concepts | HM Government

Risk management assessment framework: a tool for departments | HM Treasury

10 Steps to Cyber Security | National Cyber Security Centre

National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37 Rev. 2) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

National Institute of Standards and Technology (NIST) Risk Management Publications | National Institute of Standards and Technology (NIST) U.S. Department of Commerce


Principle 2.3. Cyber security risk assessment

What is it?

The council conducts regular cyber security risk assessments using both internal and external expertise to identify, assess and understand security risks to the network and information systems supporting the operation of essential services. 

Why is it important?

Cyber risk assessments that are conducted on a regular basis or after significant changes will help the council identify and prioritise threats and vulnerabilities and their associated risks. This will help decision-makers understand the council’s overall risk exposure and allow them to make informed decisions about cyber security.

Indicators of good practice

  • Asset vulnerabilities are identified, documented, and linked to the council’s asset inventories. (See reference 9)
  • Threat intelligence and threat assessment reports are used to identify internal and external threats. (See reference 9)
  • The scope of risk assessments is clearly defined, covering business and technical elements of the target environment, before assessments are started. (See reference 5)
  • All relevant internal and external stakeholders are engaged during the risk assessment process. (See reference 5)
  • Risk assessment activities utilise up-to-date threat and vulnerability assessments that take into account changes to the threat landscape. (See reference 2)
  • Risk assessments consider internal and external factors related to the council’s operations, compliance requirements, objectives, data classification, and historical data. (See references 2 and 5)
  • The cyber security risk assessment includes a business impact assessment (BIA) to identify the potential business impact should the confidentiality, integrity or availability of information associated with the target environment be compromised. (See reference 5)
  • Risk assessments are conducted using the defined cyber security risk assessment framework and risk assessment methodology.
  • The results of risk assessments clearly document the key risks identified, the risk owners, their level of potential business impact and likelihood of the threat events materialising. (See references 1 and 5)
  • Risk assessments are conducted on a regular basis or following significant events that could potentially affect the council’s essential services. (See reference 1)
  • Results from cyber security risk assessments are reported to key stakeholders and used to inform cyber security activities. (See reference 5)

Guidance

Board Toolkit | National Cyber Security Centre

Risk management guidance | National Cyber Security Centre

Protective Security Risk Management | Centre for the Protection of National Infrastructure (CPNI)

Management of risk in government: framework | Cabinet Office and Civil Service

The Orange Book: Management of Risk – Principles and Concepts | HM Government

Risk management assessment framework: a tool for departments | HM Treasury

10 Steps to Cyber Security | National Cyber Security Centre

National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37 Rev. 2) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

National Institute of Standards and Technology (NIST) Risk Management Publications | National Institute of Standards and Technology (NIST) U.S. Department of Commerce


Principle 2.4. Cyber security risk treatment

What is it?

Identified risks are treated (mitigated, avoided, transferred, or accepted), in line with the council’s defined risk appetite and security objectives.

Why is it important?

Effective risk treatment, carried out using recognised and proven methods for cyber security risk treatment, will allow the council to prioritise its cyber security efforts and reduce its overall risk exposure.

Indicators of good practice

  • The cyber risk that the council is prepared to tolerate is defined, understood and communicated to all relevant stakeholders. (See reference 1)
  • Risk treatment options for each individual risk are identified, reviewed, prioritised and agreed; and associated risk treatment plans approved by the respective risk owner. (See reference 5)
  • The views of external stakeholders are taken into account when managing risks related to shared information. (See reference 5)
  • The risk exposure of the organisation is within the risk appetite and threshold defined in the cyber risk management framework. (See reference 2)
  • Unacceptable risks (for example, outside agreed risk appetite and risk tolerance levels) are escalated within the council and its partners so that they are owned and managed at a level appropriate to their potential impact on council services. (See reference 2)
  • The cabinet has accepted the aggregated cyber security risk that the council carries, and the way that it is managed. (See reference 2)

Guidance

Board Toolkit | National Cyber Security Centre

Risk management guidance | National Cyber Security Centre

Protective Security Risk Management | Centre for the Protection of National Infrastructure (CPNI)

Management of risk in government: framework | Cabinet Office and Civil Service

The Orange Book: Management of Risk – Principles and Concepts | HM Government

Risk management assessment framework: a tool for departments | HM Treasury

10 Steps to Cyber Security | National Cyber Security Centre

National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37 Rev. 2) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

National Institute of Standards and Technology (NIST) Risk Management Publications | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Topic 3: Asset management


Asset management encompasses the processes used to manage and maintain an organisation’s hardware, software, and information assets. Effective asset management will allow an organisation to identify and track vulnerabilities that may affect their systems, services, and information assets, ensuring that risks to their essential services can be identified and managed.

Principle 3.1. Asset inventory

What is it?

An asset inventory is used to record and manage accurate information related to the council’s hardware, software, and information assets, including critical components of external services and the dependencies between key digital assets such as systems and services.

Why is it important?

A comprehensive asset inventory will allow the council to ensure that assets are managed with cyber security in mind throughout their lifecycle, from creation through to eventual decommissioning or disposal, recognising any interdependencies that carry cyber risks.

Indicators of good practice

  • The council has a documented asset management policy and procedure which define how assets are recorded and managed. (See reference 5)
  • The council maintains asset inventories that record hardware assets, software assets, critical and sensitive information assets, supporting infrastructure and suppliers, and identify the interactions and interdependencies between these assets. (See references 1, 4, 5 and 9)
  • The asset inventories record important business and operational information, such as:
    • information asset owner (IAO)
    • asset classification
    • how and what information is stored, processed and transmitted
    • business purpose and its criticality to the delivery of essential services
    • compliance requirements
    • licensing information
    • version number and dependencies
    • key suppliers and stakeholders (See references 1, 4, 5 and 9)
  • The asset inventories are regularly reviewed in order to ensure that they are accurate and up to date. (See references 1, 4 and 5)

Guidance

Asset management | National Cyber Security Centre

IT Asset Management (NIST Special Publication 1800–5) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce


Principle 3.2. Asset security

What is it?

The implementation of appropriate and proportionate policies, procedures, and security controls to protect assets throughout their lifecycle, from creation through to eventual decommissioning or disposal.

Why is it important?

Implementing appropriate security controls to protect the organisation’s assets will reduce the organisation’s risk exposure and improve its security posture.

Indicators of good practice

  • A process is established to integrate security into the procurement or acquisition of hardware, software, and infrastructure assets from external suppliers or partners. This provides assurance that security requirements for external suppliers are identified and addressed. (See reference 5)
  • Information asset owners (IAOs) are aware of their role and responsibility for managing and protecting the assets under their control, and have received appropriate training which would allow them to perform their responsibilities. (See reference 2)
  • The council has an approved acceptable use policy that has been communicated to all relevant stakeholders.
  • Assets relevant to essential services are managed with cyber security in mind throughout their lifecycle, from creation through to eventual decommissioning or disposal. (See reference 4)
  • The council has robust configuration management and secure hardening processes that ensure that systems are hardened in line with NCSC best practices. (See references 1, 4 and 5)
  • Locations containing critical assets are protected against unauthorised access. (See reference 1)
  • Appropriate controls are in place to limit unauthorised physical access to assets located in public spaces. (See reference 1)
  • Additional security controls are implemented to protect mobile devices, removable media and assets taken offsite. (See reference 1)
  • Equipment and devices have robust controls in place to protect against external and internal environmental threats and ensure the continuity of essential services. (See reference 1)
  • All software and hardware assets are monitored, maintained, licensed and kept up to date throughout their lifecycle. (See reference 1)
  • Upon termination of employment or contracts, internal and external individuals are required to return assets that belong to the council. Once assets are returned the asset inventory list is updated. (See reference 5)
  • The council has robust processes for the secure disposal and/or sanitisation of physical and digital information assets which adhere to National Cyber Security Centre (NCSC) and Government guidelines. (See reference 1)
  • The council has robust processes for managing shadow IT which promote innovation while minimising the council’s risk exposure. (See reference 11)

Guidance

Asset management | National Cyber Security Centre

IT Asset Management (NIST Special Publication 1800–5) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Indispensable baseline security requirements for the procurement of secure ICT products and services | European Union Agency for Cybersecurity (ENISA)

Device Security Guidance – Platform Guides | National Cyber Security Centre

Topic 4: Supply chain


Supply chains can be large and complex which may lead to vulnerabilities being introduced into the environment and an increase in the council’s exposed attack surface. A series of high-profile attacks have exploited vulnerabilities in supply chain security.

Robust supply chain security practices and processes will allow the council to identify and manage information and cyber security risks throughout its relationships with external suppliers and partners across the supply chain. This includes embedding cyber security requirements into both the procurement process and formal supplier contracts, and, where required, obtaining assurance that they are met.

Principle 4.1. Supplier management framework

What is it?

The supplier security management framework guides procurement and supplier management activities and aligns with Government and National Cyber Security Centre (NCSC) best practices. It consists of policies, processes, registers and working groups that ensure consistency in selecting and working with suppliers, so that cyber risks in the supply chain are understood and mitigated.

Why is it important?

A formal supplier security management framework will ensure that information and cyber security risks are identified and managed effectively throughout all stages of the relationship with external suppliers, so that cyber risks can remain understood and monitored even in supply chains and external services.

Indicators of good practice

  • The supplier security management framework has been endorsed by senior management, regularly reviewed, and communicated to all relevant stakeholders in corresponding policies and procedures. (See reference 5)
  • The council has a supplier security policy that governs procurement and supplier management activities. (See reference 5)
  • Security is integrated into the procurement process to ensure that security requirements for external suppliers and partners are identified and included in contracts.
  • The cyber security team supports the procurement team by specifying security requirements to be included in tender requirements for new systems, services, or enhancements to existing provisions, and then reviewing the information returned by prospective suppliers and partners. (See references 1 and 5)
  • The council conducts a risk assessment prior to engaging with new suppliers and partners which takes into account the systems, services and information they will have access to, legal and regulatory requirements, and the risk of supply chain attacks. (See references 4 and 5)
  • The council has a process for defining, negotiating, and agreeing contracts with suppliers that includes security requirements, security controls to be implemented by suppliers, and the security assurance processes for these arrangements. (See references 4 and 5)
  • The council maintains a register of suppliers and partners which includes relevant information such as contract owner, description of the product or service provided, point of contact, the information they have access to, defined security requirements and service level agreements. (See reference 5)
  • The council maintains an approved trusted suppliers list. (See reference 5)
  • The council has an approved and documented supplier assurance programme that is used to assess suppliers and partners based on their risk ratings. (See reference 12)
  • The council has developed a set of approved common contract artefacts (such as risk assessment and self-assessment security questionnaire) to support the contracting process. Where required, suppliers are authorised to use them to improve security controls throughout the supply chain. (See reference 13)
  • The council has a comprehensive process for managing the secure acquisition, development, and use of cloud services, which addresses the unique characteristics of a cloud environment and aligns with the National Cyber Security Centre’s cloud security principles. (See references 1 and 5)
  • The council provides supply chain security awareness and education for relevant staff and stakeholders. (See reference 14)

Guidance

Supplier assurance questions | National Cyber Security Centre

Supply chain security collection guidance | Centre for the Protection of National Infrastructure (CPNI) and National Cyber Security Centre

Department for Work and Pensions (DWP) procurement: security policies and standards | Department for Work and Pensions (DWP)

Supplier Assurance Framework: Good Practice Guide Version 1.1 | Cabinet Office

National technological and digital procurement category strategy guidance | Local Government Association

Supply chain security guidance | National Cyber Security Centre


Principle 4.2. Supply chain management

What is it?

The use of an approved supplier management framework to manage the relationships with external suppliers and partners throughout the supply chain and its life cycle, ensuring that appropriate security controls are put in place to protect the council’s systems, services, and information.

Why is it important?

Effective supply chain management will ensure that appropriate and proportionate security controls and requirements are implemented to manage the security risks that may arise from relationships with, or dependencies on, external suppliers and partners – especially those undertaking data processing or data handling, or those given access to council systems.

Indicators of good practice

  • The council has assessed, understands and has procedures in place to manage security risks that may arise as a result of dependencies on third party suppliers and partners. (See reference 1)
  • Each use of an external supplier or partner is supported by a contract or agreement which covers all clauses relevant to the service or product being delivered including service level agreements, flow down requirements, security requirements, and security controls that have been identified during the risk assessment process. (See references 4, 5 and 12)
  • Contracts or agreements include confidentiality or non-disclosure agreements, and require suppliers and partners to meet the requirements for protecting sensitive information in line with the council’s data security and privacy policies. (See reference 5)
  • Contracts and agreements clearly set out specific requirements for the return and deletion of information and assets by a supplier or a partner on termination or transfer of that contract or agreement. (See reference 14)
  • Contracts and agreements with suppliers and partners include requirements for managing and reporting security incidents in a timely manner as well as assisting the council with incident response activities. (See references 4 and 14)
  • Where applicable, agreements with suppliers include the requirement for suppliers to effectively manage technical vulnerabilities relating to systems that they own, manage, or are responsible for. (See reference 13)
  • Where possible, contracts and agreements include the 'right to audit'. (See reference 13)
  • Where justified, contracts and agreements include assurance requirements such as Cyber Essentials Plus, penetration tests, external audit, or formal security certifications. (See references 1, 4, 13 and 15)
  • The council understands which security responsibilities remain with the council and which are the supplier or trusted partner’s responsibility. The relevant roles and responsibilities are documented in contracts or agreements and communicated to all relevant stakeholders. (See references 1 and 4)
  • Physical and digital (electronic) access to the council’s systems, services or information by suppliers and partners is governed by the least privilege and need to know principles. The access is protected using the appropriate security controls identified during the risk assessment process. (See references 1 and 4)
  • The council performs regular cyber security risk assessment on critical suppliers and partners. (See reference 5)
  • The council regularly monitors, reviews and audits suppliers and partners to ensure that key security-related requirements and service level agreements are being met. (See references 1 and 5)
  • The council has contingency arrangements in place to ensure that the essential services can continue if one or more suppliers or partners are not available. (See reference 5)
  • High risk contracts providing products or services that support essential services are included in the council’s risk register. (See reference 12)
  • The results of supplier risk assessments, security questionnaires, assurance activities, reviews, audits, and performance reports are communicated to all relevant stakeholders. (See reference 12)
  • Changes to the provision of services by suppliers and partners are risk assessed and managed in line with the council’s change management processes. (See reference 1)
  • Key suppliers are required, via contracts, to provide upward reporting of security performance and to adhere to the agreed security controls. (See reference 13)
  • Key performance indicators (KPIs) are used to measure the performance of key suppliers and their security management practices. Findings and lessons learned are acted upon to improve the security of the supply chain. (See reference 13)
  • The council actively encourages suppliers to promote good security behaviour and culture. (See reference 13)
  • The council maintains continuous and effective communication with external suppliers and partners. (See reference 13)

Guidance

Supplier assurance questions | National Cyber Security Centre

Supply chain security collection guidance | Centre for the Protection of National Infrastructure (CPNI) and National Cyber Security Centre

Department for Work and Pensions (DWP) procurement: security policies and standards | Department for Work and Pensions (DWP)

Supplier Assurance Framework: Good Practice Guide Version 1.1 | Cabinet Office

National technological and digital procurement category strategy guidance | Local Government Association

Supply chain security guidance | National Cyber Security Centre

Topic 5: Service protection policies and processes


The council defines, implements, communicates, and enforces appropriate policies and processes that direct its overall approach to securing systems and data that support the operation of essential functions and services.

Principle 5.1. Policy and process development

What is it?

The council has developed and continues to improve a set of cyber security and resilience policies and processes that manage and mitigate the risk of adverse impact on services. This includes ensuring that cyber policy and process development is linked appropriately with wider council policies in areas such as finance, human resources, emergency planning, and corporate risk.

Why is it important?

By ensuring the continuous development and improvement of cyber security policies and procedures, the council can monitor, manage and adapt to emerging threats.

Indicators of good practice

  • The council has an approved set of security policies and procedures that have been communicated to all relevant stakeholders. (See reference 5)
  • The council's policies and processes are developed to be practical, usable, and appropriate for the environment and technologies in use. (See reference 4)
  • The council reviews and updates policies and processes at suitably regular intervals to ensure they remain relevant and accurate. (See reference 4)
  • Changes to an essential service, or to the threats it faces, trigger a review of the policies and processes that support it. (See reference 4)
  • The council's systems are designed so that they remain secure even when user security policies and processes are not always followed, and processes are established to handle deviations and exceptions to the policy. (See reference 5)
  • Protections are in place to prevent unauthorised disclosure and modification of the council’s policies and processes. (See reference 9)

Guidance

How to Develop Good Security Policies and Tips on Assessment and Enforcement (Global Information Assurance Certification Paper) | Global Information Assurance Certifications (GIAC)

Developing Security Policies For Protecting Corporate Assets (White Paper) | SANS Institute

Information Security Management (ISO/IEC 27001) | International Organization for Standardization (ISO)


Principle 5.2. Policy and process implementation

What is it?

The council successfully implements its cyber security policies and processes and can demonstrate the security benefits achieved, showing an effective balance between control and flexibility, and between investment and protection.

Why is it important?

Successful implementation of agreed cyber security policies and processes ensures the council has practical measures in place to mitigate both the risk and impact of cyber-attacks.

Indicators of good practice

  • The council's cyber security policies and processes are integrated with other organisational policies and processes, for example the human resources vetting process. They are adhered to, and their correct application and security effectiveness is evaluated. (See reference 4)
  • The council's policies and processes are effectively and appropriately communicated across all levels of the organisation, resulting in good staff awareness of their responsibilities. (See reference 4)
  • Appropriate action is taken to address all breaches of policies and processes that have the potential to adversely impact essential services, including aggregated breaches. (See reference 4)
  • Individuals are able to confirm their understanding and acceptance of, and compliance with, the security policies and procedures and supporting policies when they are issued and updated. (See reference 5)
  • Individuals understand that disciplinary actions may be taken against them if they violate the council’s security policies and processes (including acceptable use policies). (See references 4 and 5)

Guidance

Building and Implementing an Information Security Policy (White Paper) | SANS Institute

Information Security Management (ISO/IEC 27001) | International Organization for Standardization (ISO)

Topic 6: Identity and access control


Implementing appropriate methods for authenticating and authorising users, devices, or systems, will reduce the likelihood of users gaining unauthorised access to sensitive information, whilst making it as simple as possible for legitimate users to access what they need.

Principle 6.1. Identity verification, authentication and authorisation

What is it?

Confidence that the identity of users is correct, the authentication methods in place are robust and that users are only granted access to the systems, services and information they require (and are authorised to use) to perform their role.

Why is it important?

It is important that the council is clear about who (or what in the case of automated services) has access to the council’s systems, services and information. This will ensure that only authorised users with a need to know can access sensitive information stored or processed by the council. This includes suppliers, partners, staff, councillors and citizens.

Indicators of good practice

  • The council has a robust joiners, leavers and movers process which ensures close collaboration between HR, IT, and information asset owners (IAOs).
  • Only authorised and individually authenticated users can physically access or logically connect to the council's networks or information systems on which the essential services depend. (See reference 4)
  • Access permissions and authorisations to the council's networks and information systems are managed by an appropriate business manager or information asset owner (IAO), incorporating the principles of least privilege, need to know, and segregation of duties. (See references 4 and 5)
  • The council has a robust password policy that is in line with National Cyber Security Centre (NCSC) and Government guidelines. (See reference 32)
  • Remote access solutions are protected using additional authentication mechanisms, such as multifactor authentication. (See reference 33)
  • Information asset owners conduct regular user access right reviews. (See references 4 and 14)
  • Users are assigned unique identifiers such as user IDs or unique usernames to provide individual accountability. Group or shared accounts are only used when absolutely necessary. (See reference 5)

Guidance

Introduction to identity and access management | National Cyber Security Centre

Digital Identity Guidelines: Authentication and Lifecycle Management (NIST Special Publication 800–63B) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Digital Identity Guidelines: Enrollment and Identity Proofing (NIST Special Publication 800–63A) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Zero trust architecture design principles | National Cyber Security Centre

Secure system administration | National Cyber Security Centre

10 Steps to Cyber Security – Identity and access management | National Cyber Security Centre

Digital Identity | Socitm and Inform

Password administration for system owners | National Cyber Security Centre


Principle 6.2. Identity and access management (IDAM)

What is it?

The assurance of good management and maintenance of identity and access control for the council's networks and information systems that support essential services.

Why is it important?

Identity and access management provides effective and consistent user administration, identification, authentication, and access control mechanisms across the council. This will restrict access to authorised users and ensure the confidentiality of essential services and data. Where breaches occur or are attempted, they are quickly identified and resolved.

Indicators of good practice

  • The council has a robust user provisioning process that is regularly reviewed and audited. (See reference 4)
  • Users’ permissions are reviewed when they change their role in order to prevent privilege creep and enforce the least privilege principle. Terminated users should have their access privileges promptly revoked to prevent unauthorised access to the council’s systems and information. (See references 4 and 5)
  • IDAM systems generate audit logs for all user and account management activity. The logs are regularly reviewed to identify malicious activity. (See references 1, 4 and 5)
  • The council regularly reviews its access control processes and updates them in response to changes to the threat landscape, business requirements or lessons learned from information security incidents. (See reference 5)
  • The council conducts regular password audits to identify weak or shared passwords. (See reference 1)
  • Physical and digital (electronic) access to the council’s systems, services or information by suppliers and partners is governed by the least privilege and need-to-know principles. The access is protected using the appropriate security controls identified during the risk assessment process. (See references 4 and 16)
  • Unnecessary user accounts (for example, guest accounts and unnecessary administrative accounts) are removed or disabled and all default accounts are removed, or their passwords are changed. (See reference 15)

Guidance

Introduction to identity and access management | National Cyber Security Centre

Digital Identity Guidelines: Authentication and Lifecycle Management (NIST Special Publication 800–63B) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Digital Identity Guidelines: Enrollment and Identity Proofing (NIST Special Publication 800–63A) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Zero trust architecture design principles | National Cyber Security Centre

Secure system administration | National Cyber Security Centre

10 Steps to Cyber Security – Identity and access management | National Cyber Security Centre

Digital Identity | Socitm and Inform

Password administration for system owners | National Cyber Security Centre


Principle 6.3. Device management

What is it?

Device management covers all devices which have access to the council's network. It ensures that only approved devices have access to the network. This includes personal computers, laptops, printers, phones, wearables, 'Internet of Things' (IoT) equipment and any 'bring your own device' (BYOD) technologies.

Why is it important?

By ensuring that only trusted devices that meet the council's security requirements have access to the network, the council can reduce the threats to the confidentiality, integrity and availability of data within the network. It will also ensure consistency in the way different types of technologies are managed in terms of their connectivity and inherent risks.

Indicators of good practice

  • Administrators use trusted, secure and hardened devices for system administration activities. Where required, administrators use dedicated devices that are not used for directly browsing the web or accessing email. (See references 1 and 4)
  • The council obtains independent and professional assurance of the security of third-party devices or networks before they are allowed to connect to the council's systems, or only allows third-party devices or networks dedicated to supporting the council's systems to connect. (See reference 4)
  • Device identity management is performed, and only approved devices are allowed to connect to the council’s network. (See reference 1)
  • Only authenticated and authorised devices are allowed to access systems used for the delivery of essential services. (See reference 1)
  • The council performs regular scans to detect unknown devices and investigates any findings. (See reference 4)

Guidance

Device Security Guidance | National Cyber Security Centre

Mobile Device Cybersecurity Checklist for Organizations (Capacity Enhancement Guide) | Cybersecurity & Infrastructure Security Agency (U.S.)

Zero trust architecture design principles | National Cyber Security Centre

Secure system administration | National Cyber Security Centre

Securing your devices | National Cyber Security Centre

End user device strategy: security framework and controls | Cabinet Office and Efficiency and Reform Group


Principle 6.4. Privileged user management

What is it?

Privileged access to systems and networks supporting essential services is closely monitored and managed.

Why is it important?

Implementing appropriate privileged user management will ensure that only authorised users are able to perform administrative actions which could impact the council’s critical systems and networks.

Indicators of good practice

  • Systems and devices supporting the council services are only administered or maintained by authorised privileged users. (See reference 1)
  • Privileged user access rights are regularly reviewed and always updated as part of the council's joiners, movers and leavers process. (See reference 4)
  • Privileged user access to systems providing essential services is carried out from dedicated separate accounts that are closely monitored and managed. (See reference 4)
  • The issuing of temporary, time-bound rights for privileged user access and external third-party support access is either in place or the council is migrating to an access control solution that implements principles such as 'just-in-time' (JIT) and 'just enough' privileged access. (See references 4 and 10)
  • All remote (non-console) privileged user access to the council's networks and information systems requires strong authentication, such as two-factor, hardware authentication, or additional real-time security monitoring. (See reference 4)
  • Administrative accounts are only used to perform approved administrative activities, and not for other day-to-day activities such as accessing email or the Internet. (See reference 1)
  • All privileged user activity is routinely reviewed, validated and recorded for offline analysis and investigation. (See reference 14)
  • Access to audit logs is limited to those with business need. Legitimate reasons for accessing logging data are governed by security policies and users are trained on this. (See reference 1)

Guidance

Secure system administration | National Cyber Security Centre

Preventing Lateral Movement | National Cyber Security Centre

Topic 7: Data security


Data stored, processed, or transmitted electronically is protected from actions such as unauthorised access, modification, or deletion that may cause an adverse impact on essential services. Such protection extends to how authorised users, devices and systems access critical data necessary for the operation of essential services.

Principle 7.1. Understanding data

What is it?

The council has a good understanding of the data important to the operation of its essential services, where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact these services and the wider public. This also applies to third parties storing or accessing data important to the operation of essential services.

Why is it important?

Through understanding the data, its classification and criticality, the council will be able to identify and assess the risk to the data and ensure that appropriate controls are put in place to mitigate that risk. A consistent approach can ensure that information asset owners are able to protect the council’s information and data.

Indicators of good practice

  • The DPO, SIRO and CISO work together to ensure that information assets are owned and appropriately protected. (See reference 5)
  • The council has approved privacy and data protection policies that are communicated to all relevant stakeholders. (See references 1 and 2)
  • The council has identified, classified, and catalogued all data important to the operation of essential services, including that which may fall under legal or compliance regulations such as GDPR or the Data Protection Act. (See references 6 and 17)
  • The council has identified and catalogued who, and what systems, have access to data important to the operation of essential services. Those individuals are aware of their obligation to handle the data securely and in line with the council’s policies. (See references 15 and 18)
  • The council takes steps to remove or minimise unnecessary copies of data, and data that has exceeded its retention period. (See reference 4)
  • The council has identified all mobile devices and media that may hold data important to the operation of essential services. (See reference 4)
  • The council understands the data flows relevant to its sensitive data. (See reference 4)
  • The council understands the context, limitations, and dependencies of its essential data. (See reference 2)
  • The council conducts business impact assessments and data protection impact assessments (DPIA) where required, for all its sensitive and essential data. (See references 5 and 17)
  • The council adheres to the Government Security Classification Policy, or has adopted an appropriate information classification, labelling and handling scheme. (See references 1 and 5)
  • The council has classified all the data important to the operation of essential functions and services to ensure that data is protected in line with its assigned level of classification. (See reference 5)
  • The council has a documented data breach policy and related processes that are integrated with the incident response plan, and compliance and communication plans. (See reference 2)
  • The council understands how information is shared across the organisation’s boundaries and arrangements are in place to work with external stakeholders to achieve shared cybersecurity objectives. (See reference 2)
  • The council understands that personal, confidential data should only be shared for lawful and appropriate purposes. (See reference 15)
  • The council understands the risks to both data and mobile devices owned and used by remote working staff, including BYOD devices, and has adequate protections in place. (See reference 5)
  • Where outsourced or third-party storage is employed, appropriate security measures are in place and enforced, with appropriate assurance procedures consistent with data retention policies. (See reference 1)

Guidance

Protecting bulk personal data | National Cyber Security Centre

Cloud security guidance | National Cyber Security Centre

Government Security Classifications | Cabinet Office

10 Steps to Cyber Security – Data security | National Cyber Security Centre

GDPR security outcomes | National Cyber Security Centre


Principle 7.2. Data in transit

What is it?

Data in transit is adequately protected against tampering and eavesdropping. This includes the transfer of data to and from third parties.

Why is it important?

The implementation of appropriate security measures to protect data in transit will ensure that sensitive data cannot be intercepted, accessed, or modified by unauthorised parties.

Indicators of good practice

  • The council has identified and protected (effectively and proportionately) all the data links that carry data important to the operation of its essential services. (See reference 4)
  • The council applies appropriate security controls to protect both the data itself and how the data travels over untrusted networks, with justified confidence in the robustness of the protection applied. (See references 4 and 6)
  • Suitable alternative transmission paths are available where there is a significant risk of impact on the operation of essential services due to resource limitation or failure. (See reference 4)
  • Data transmitted via remote access technologies is secured in line with NCSC best practices. (See reference 1)
  • Formal data exchange policies and agreements shall be in place to protect the exchange of information, both internally and between the council and external parties. (See reference 1)

Guidance

Protecting bulk personal data | National Cyber Security Centre

Cloud security guidance | National Cyber Security Centre

Encryption and data transfer | Information Commissioner's Office (ICO)

GDPR security outcomes | National Cyber Security Centre

Design Pattern: Safely Exporting Data | National Cyber Security Centre

10 Steps to Cyber Security – Data security | National Cyber Security Centre


Principle 7.3. Stored data

What is it?

Stored data is protected against unauthorised access, tampering, loss, and damage.

Why is it important?

Safeguarding important data essential to council services helps ensure that it is available for legitimate users, protected against unauthorised access or modification, and available for recovery operations in the event of a cyber-attack or a disaster.

Indicators of good practice

  • The council only stores necessary copies of data. (See reference 4)
  • The council has applied suitable physical and technical means to protect sensitive and/or essential data from unauthorised access, modification, or deletion. Where data is transferred to less secure systems, the data is provided with limited detail and/or as a read-only copy. (See reference 4)
  • Cryptographic controls utilised to protect data at rest are configured in line with NCSC guidelines and best practices. (See reference 4)
  • The council has adequate methods in place to monitor and log both authenticated and unauthenticated attempts to access stored data, with appropriate alerts configured where applicable. (See references 5 and 17)
  • The council has suitable, secured backups of essential data that would allow for a quick and prompt recovery of the council’s essential services. This may include encrypted backups held in a secure off-site environment, removable media in physically secure storage, segregated backups, or appropriate alternative forms. (See reference 4)
  • Necessary historic or archive data is secured in suitable storage. (See reference 17)

Guidance

Protecting bulk personal data | National Cyber Security Centre

Cloud security guidance | National Cyber Security Centre

Encryption and data storage | Information Commissioner's Office (ICO)

GDPR security outcomes | National Cyber Security Centre

Design Pattern: Safely Exporting Data | National Cyber Security Centre

10 Steps to Cyber Security – Data security | National Cyber Security Centre


Principle 7.4. Mobile data

What is it?

Appropriate security controls are implemented to protect sensitive data stored on mobile devices or removable media. This includes a growing range of devices that are portable and have data storage and processing capacity.

Why is it important?

The protection of data held on mobile devices or removable media ensures that potentially sensitive information cannot be accessed in the event of theft or loss of the device.

Indicators of good practice

  • The council has an approved set of policies or procedures that define which data can be stored on mobile devices or removable media, and the security controls that must be implemented to protect the data. The policies and procedures have been communicated to all relevant stakeholders. (See references 1 and 4)
  • Mobile devices or removable media that hold sensitive data are catalogued, are under the council's control and are configured according to NCSC’s best practice for the platform. (See references 1 and 4)
  • Sensitive data stored on mobile devices or removable media are protected using appropriate controls that adhere to NCSC guidelines and best practices. (See reference 4)
  • The council can remotely wipe all mobile devices holding sensitive data. (See reference 4)
  • Data imported into the council via removable media or a mobile device is scanned for malicious content by a standalone machine before any data transfer takes place. (See reference 1)

Guidance

Small Business Guide: Cyber Security Step 3 – Keeping your smartphones (and tablets) safe | National Cyber Security Centre

Mobile Device Best Practices | National Security Agency (U.S.)

Protecting bulk personal data | National Cyber Security Centre

Encryption and data storage | Information Commissioner's Office (ICO)

GDPR security outcomes | National Cyber Security Centre

Design Pattern: Safely Exporting Data | National Cyber Security Centre

10 Steps to Cyber Security – Data security | National Cyber Security Centre

Protecting Personal Data and Managing Information Risk (HMG IA Standard Number 6) | Cabinet Office and CESG, the UK National Technical Authority for Information Assurance


Principle 7.5. Media / equipment sanitisation

What is it?

Appropriate processes are put in place to sanitise media and equipment storing sensitive data prior to its disposal or reuse.

Why is it important?

The sanitisation of data from media and equipment prevents the disclosure of potentially sensitive information to unauthorised parties.

Indicators of good practice

  • The council catalogues and tracks all devices that contain sensitive data. (See reference 4)
  • All sensitive data is sanitised from all devices, equipment, or removable media before disposal or reuse using processes that adhere to NCSC and Government guidelines. (See reference 4)
  • The council ensures that cloud service providers appropriately sanitise data storage areas before reallocating to another user. (See references 1 and 6)

Guidance

Secure sanitisation of storage media | National Cyber Security Centre

Guidelines for Media Sanitization (NIST Special Publication 800–88, Revision 1) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Protecting Personal Data and Managing Information Risk (HMG IA Standard Number 6) | Cabinet Office and CESG, the UK National Technical Authority for Information Assurance

Topic 8: System security


Appropriate controls must be implemented to protect the networks, information systems and technology that are critical to the council's essential services from cyber-attacks. An organisation’s understanding of the risks to essential services allows it to implement appropriate and proportionate security measures to protect against cyber-attacks.

Principle 8.1. Secure by design

What is it?

Security is designed into applications and systems, ensuring that it is considered at the requirement, design and implementation phases.

Why is it important?

Adopting a secure by design approach will ensure that security is integral to products, systems, and networks rather than bolted on. This will ensure that the products, systems and networks are built to withstand cyber-attacks and minimise their exposed attack surface, with the ability to detect and remedy materialising threats.

Indicators of good practice

  • The council has documented policies and procedures for information systems and network designs that align with NCSC and industry best practices. (See reference 5)
  • The council conducts security planning as part of the initiation and planning phase and employs appropriate expertise to design network and information systems using NCSC and industry good practices. (See references 4, 6 and 19)
  • The networks and information systems supporting the council’s essential services are designed in line with NCSC and industry best practices using a defence in depth strategy which reduces the attack surface, and protects against common and complex attacks. (See references 1, 5 and 10)
  • The networks and information systems supporting the council’s essential services consist of simple, non-complex designs so that the data flows between components can be monitored effectively. (See reference 4)
  • The networks and information systems supporting the council’s essential services are designed to be easy to recover. (See reference 4)
  • The council's network is segregated into different zones based on their criticality and sensitivity. (See references 4 and 5)
  • The council monitors its systems and networks and has robust incident response processes to identify and take necessary actions. (See references 1 and 19)
  • The council has a documented secure software development lifecycle (SDLC) which ensures that all development activities (whether this is in house or outsourced) adhere to secure coding principles and best practices. (See reference 20)

Guidance

Secure design principles | National Cyber Security Centre

Connected Places Cyber Security Principles | National Cyber Security Centre

Protecting bulk personal data | National Cyber Security Centre

Zero trust architecture design principles | National Cyber Security Centre

Device Security Guidance – Network architectures | National Cyber Security Centre

Security architecture anti-patterns | National Cyber Security Centre

Preventing Lateral Movement | National Cyber Security Centre

Security principles for cross domain solutions | National Cyber Security Centre

10 Steps to Cyber Security – Architecture and configuration | National Cyber Security Centre

Secure development and deployment guidance | National Cyber Security Centre

Open Web Application Security Project (OWASP) Cheat Sheet Series | Open Web Application Security Project (OWASP)

Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach | Microsoft


Principle 8.2. Secure configuration

What is it?

Secure configuration processes are used to ensure that systems are configured and hardened in line with NCSC and security best practices, consistently across the council’s technology estate.

Why is it important?

Securely configuring and hardening networks and information systems reduces their risk profile and inherent vulnerabilities. This will also simplify their security management, reducing the costs of security management.

Indicators of good practice

  • The council identifies, documents and actively manages networks and information systems based on NCSC and industry security best practices. (See references 4, 5 and 18)
  • All platforms conform to the council’s defined baseline build, which is secured in line with NCSC and industry best practices. The council regularly validates the security of the environment and non-compliant systems are remediated. (See references 1, 4 and 5)
  • The secure baseline builds and configurations are regularly reviewed and updated to reflect changes to the threat landscape and latest security advice and recommendations. (See references 1, 4 and 5)
  • Controls are in place to ensure that only approved software is deployed on the council’s networks and information systems. (See reference 4)
  • Change control processes and procedures are followed for all configuration changes to council systems and networks. (See references 1 and 4)
  • If automated decision-making technologies are in use, the council ensures that their operation is well understood, and decisions can be replicated. (See reference 4)

Guidance

Mobile Device Cybersecurity Checklist for Organizations (Capacity Enhancement Guide) | Cybersecurity & Infrastructure Security Agency (U.S.)

Device Security Guidance | National Cyber Security Centre

10 Steps to Cyber Security – Architecture and configuration | National Cyber Security Centre

Zero trust architecture design principles | National Cyber Security Centre

Security architecture anti-patterns | National Cyber Security Centre

Preventing Lateral Movement | National Cyber Security Centre

Security principles for cross domain solutions | National Cyber Security Centre

Secure development and deployment guidance | National Cyber Security Centre

Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening and Containment (White Paper) | FireEye / Mandiant


Principle 8.3. Secure system management

What is it?

Secure system management processes are put in place to support and maintain the security of all technology infrastructure on which the council depends, including network and information systems that support the delivery of essential services.

Why is it important?

Secure system management ensures networks and information systems are protected against threats, intentional or otherwise, which could compromise services, systems, data or individuals.

Indicators of good practice

  • The council’s systems and devices supporting the operation of essential services are only managed by authorised privileged users from secured management devices which are hardened in line with NCSC and industry best practices. (See reference 4)
  • Management devices are secured to the same level as the networks and systems being maintained. (See reference 4)
  • The council regularly reviews and updates technical knowledge about networks and information systems, such as documentation and network diagrams, and ensures they are securely stored. (See reference 4)
  • The council implements appropriate measures to prevent, detect and remove malware or unauthorised software. (See reference 4)
  • The business requirements for systems and devices supporting the delivery of essential services are defined in documented service agreements (e.g. contracts or service level agreements) to ensure that they meet operational, safety and security requirements. (See reference 5)
  • The council ensures that staff who manage or maintain the secure configuration of the council’s systems receive specialist training relevant to their role. (See reference 2)
  • Robust configuration control and change management policies and procedures that cover all systems are in place. The council closely and effectively manages changes in the environment, and regularly reviews and validates that the network and information systems have the expected secured settings and configuration. (See references 1 and 15)
  • Where cloud services are in use, these are assessed against the NCSC Cloud Security Principles. (See reference 1)

Guidance

Device Security Guidance | National Cyber Security Centre

10 Steps to Cyber Security – Architecture and configuration | National Cyber Security Centre

Secure design principles | National Cyber Security Centre

Connected Places Cyber Security Principles | National Cyber Security Centre

Device Security Guidance – Network architectures | National Cyber Security Centre

Security architecture anti-patterns | National Cyber Security Centre

Preventing Lateral Movement | National Cyber Security Centre

Zero trust architecture design principles | National Cyber Security Centre

Security principles for cross domain solutions | National Cyber Security Centre

Secure system administration | National Cyber Security Centre

Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening and Containment (White Paper) | FireEye / Mandiant


Principle 8.4. Vulnerability management

What is it?

Effective processes are put in place to identify, evaluate, treat and report on security vulnerabilities affecting networks and information systems.

Why is it important?

A robust vulnerability management process will ensure that vulnerabilities and weaknesses are quickly identified so that newly emerging threats can be mitigated. Without a vulnerability management system, security gaps may be present in the council’s environment and supply chain which could be exploited by attackers.

Indicators of good practice

  • The council has a documented vulnerability management and patch management policy that has been approved by the executive level management. (See reference 16)
  • A comprehensive patching regime, which adheres to NCSC best practices and Cyber Essentials Plus, has been introduced and is being applied to the council’s systems. The council’s leadership and management has assurance that patches are applied in a timely manner. (See reference 14)
  • Network and information systems are secured to prevent exploitation of technical vulnerabilities. (See reference 1)
  • The council maintains a current understanding of the exposure of its essential services to publicly known vulnerabilities. (See references 4 and 17)
  • Announced vulnerabilities for all software packages, network equipment and operating systems used to support the operation of the council’s essential services are tracked, prioritised and addressed (e.g. by patching) promptly. Where there is a valid business reason not to remediate the vulnerability, this is formally documented, and risk assessed to ensure that appropriate mitigating controls are put in place. (See references 4 and 15)
  • The council conducts regular penetration tests, ITHCs, audits or security assessments by fully qualified experts to fully understand the vulnerabilities affecting the networks and information systems that support the operation of its essential services. (See references 1 and 4)
  • The council conducts regular vulnerability scans to detect misconfigured or vulnerable network components and information systems. (See references 1 and 21)
  • The council scans networks and information systems following significant system changes. (See reference 1)
  • Automated mechanisms are used to detect misconfigured or vulnerable network components and information systems. (See reference 21)
  • The council maximises the use of supported software, firmware and hardware in the networks and information systems that support its essential services. Where there is a valid business reason to use unsupported systems or software, this is formally documented, and risk assessed to ensure that appropriate mitigating controls are put in place. (See references 1 and 4)
  • The council identifies, tracks and manages third party coding frameworks and libraries used in systems and applications supporting the council’s services to ensure that they are kept up to date and do not introduce vulnerabilities into the council’s environment. (See reference 20)
  • The council implements appropriate security controls to protect its external network perimeter and services exposed on the Internet. The NCSC Active Cyber Defence (ACD) programme is implemented where appropriate. (See references 1 and 23)

Guidance

Open Web Application Security Project (OWASP) Dependency-Track (component analysis platform) | Open Web Application Security Project (OWASP)

10 Steps to Cyber Security – Vulnerability management | National Cyber Security Centre

10 Steps to Cyber Security – Architecture and configuration | National Cyber Security Centre

Secure design principles | National Cyber Security Centre

Zero trust architecture design principles | National Cyber Security Centre

Security architecture anti-patterns | National Cyber Security Centre

Preventing Lateral Movement | National Cyber Security Centre

Security principles for cross domain solutions | National Cyber Security Centre

Mitigating malware and ransomware attacks | National Cyber Security Centre

Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening and Containment (White Paper) | FireEye / Mandiant

Cyber Essentials Overview | National Cyber Security Centre

Penetration Testing | National Cyber Security Centre

IT Health Check (ITHC): supporting guidance | Cabinet Office

Topic 9: Resilient networks and systems


The council builds resilience against cyber-attack and system failure into the design, implementation, operation and management of systems that support the operation of essential functions.

Principle 9.1. Resilience preparation

What is it?

Resilience preparation ensures that appropriate measures, such as recovery plans, backups and redundancies, are put in place and tested to minimise the impact of an adverse incident and aid in the recovery of essential services.

Why is it important?

Effective preparation would allow the council to streamline its recovery process and minimise the impact to essential services in the event of a cyber-attack or an adverse incident.

Indicators of good practice

  • The council has business continuity and disaster recovery plans that have been communicated and tested for practicality, effectiveness, and completeness, and that align with both the council’s service delivery, IT and information security strategies. (See references 5 and 15)
  • The council uses different test methods (e.g. manual fail-over or table-top exercises) to assess the effectiveness of its business continuity and disaster recovery plans. Lessons learned from the tests are used to improve the plans. (See references 5 and 15)
  • A representative of the senior management team has been appointed as the business continuity owner, who is ultimately accountable for business continuity across the council. (See reference 5)
  • A review of both existing and potential new threat events, as well as of the business continuity and disaster recovery plans themselves, is carried out on a regular basis. (See reference 5)
  • Business continuity and disaster recovery plans include agreed, established, and tested alternative communication channels and protocols for use by both users and systems. (See reference 9)
  • Provisions are in place to ensure that the business continuity and disaster recovery plans do not have a single point of failure (for example, the absence of key personnel) which could hamper the recovery process.
  • Each key role involved in the recovery process has a deputy who possesses the essential operational delivery knowledge required for the recovery of essential services. (See reference 4)
  • The council uses effective and appropriate security awareness and threat intelligence sources to make immediate and potentially temporary security changes in response to new threats such as a widespread outbreak of very damaging malware or an active cyber-attack. (See reference 4)

Guidance

Cyber resilience – nothing to sneeze at | National Cyber Security Centre

Contingency Planning Guide for Federal Information Systems (NIST Special Publication 800–34 Rev. 1) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Effective steps to cyber exercise creation | National Cyber Security Centre

Cyber risk – the challenge for local government (Inform Report) Part 3: Taking advantage of external resource | Socitm


Principle 9.2. Design for resilience
 

What is it?

Network and information systems supporting the council's essential services are designed and built to be resilient to cyber security attacks or incidents. Systems are appropriately segregated, observable and robust, and resource limitations do not compromise this. Solutions from suppliers that do not comply with minimum resilience design requirements are avoided.

Why is it important?

Networks and systems that have been designed with resilience in mind strengthen the council's defences against cyber-attack and aid in the rapid recovery from a security incident.

Indicators of good practice

  • Where required, operational systems that support essential services are designed and built with redundancies sufficient to meet availability requirements. (See reference 1)
  • Where possible, operational systems that support essential services are segregated from other business systems by appropriate technical and physical means. (See references 4 and 5)
  • Internet services are not accessible from operational systems and servers. (See reference 4)
  • The council has identified, documented, and mitigated all resource limitations, e.g. bandwidth limitations and single network paths. (See references 4 and 5)
  • The council has identified, documented, and mitigated any geographical constraints or weaknesses (e.g. systems that essential services depend upon are replicated in other locations). (See reference 4)
  • The council regularly reviews and updates the resource limitation and geographical constraints assessments to ensure they remain valid and up to date. (See reference 4)

Guidance

Cyber resilience – nothing to sneeze at | National Cyber Security Centre

Contingency Planning Guide for Federal Information Systems (NIST Special Publication 800–34 Rev. 1) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Secure design principles | National Cyber Security Centre

Connected Places Cyber Security Principles | National Cyber Security Centre

Zero trust architecture design principles | National Cyber Security Centre

Security architecture anti-patterns | National Cyber Security Centre

Preventing Lateral Movement | National Cyber Security Centre

Security principles for cross domain solutions | National Cyber Security Centre


Principle 9.3. Backups
 

What is it?

Current backups of data and information needed to recover the operation of essential services are maintained, tested, accessible and secured appropriately.

Why is it important?

Secure, current backups will enable the council to recover from a security incident or a disaster and restore essential services within agreed timeframes, using a tested and consistent approach that minimises the risk of data loss and the length of any service outage.

Indicators of good practice

  • Backups of critical data and systems required to recover the council’s essential services are made, tested, documented and routinely reviewed. (See references 4 and 9)
  • Backup processes follow NCSC best practices, including the 3-2-1 rule and offline or cold backups, to protect against advanced cyber-attacks. (See reference 24)
  • Restore testing of both business-critical data and systems to a known operational baseline is in place, is consistent with organisation-defined recovery times and recovery points, and is performed at regular intervals. (See references 5 and 9)
  • Lessons learned from restore tests are used to improve the backup and recovery processes.
  • Protections are in place to ensure the confidentiality, integrity, and availability of backup information. (See reference 9)

Guidance

Offline backups in an online world | National Cyber Security Centre

Cloud backup options for mitigating the threat of ransomware | National Cyber Security Centre

Contingency Planning Guide for Federal Information Systems (NIST Special Publication 800–34 Rev. 1) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Topic 10: People management


Maintain a comprehensive, ongoing security awareness programme to encourage and implement the expected security behaviour for all individuals with access to the organisation's information and systems. The aim of the programme is to fully integrate cyber security with normal business and promote cyber security as a business enabler.

Principle 10.1. Cyber security culture
 

What is it?

Senior management develop and promote a positive cyber security culture whereby people are aware of their role in maintaining security and actively take part and contribute to improving security.

Why is it important?

A positive cyber security culture instils the importance of cyber security and the role every individual has in helping to protect the council. It ensures that cyber security is understood by councillors and staff and viewed as a business enabler rather than a hindrance. It also gives people the confidence to speak out openly and contribute to improving security, reporting breaches and near misses without fear.

Indicators of good practice

  • The council’s executive management clearly and effectively communicate the council’s cyber security strategy and objectives to all staff. The council displays positive cyber security attitudes, behaviours and expectations. (See reference 4)
  • The council's management is seen to be committed to and actively involved in cyber security. (See reference 4)
  • Senior management develop and promote a positive cyber security culture that is designed to foster positive change in people’s attitude towards cyber security.
  • Responsibilities are assigned from senior management and leadership downwards to ensure that appropriately trained staff are held accountable for their decisions and actions. The result is a culture that values information as a business asset where cyber security is viewed as a business enabler. (See reference 2)
  • Staff understand the council’s cyber security strategy and policies.
  • Staff are aware of their cyber security roles and responsibilities and how they can contribute towards the overall security of the council.
  • Senior leaders lead by example, adhere to cyber security policies and processes and do not ask for “special treatment”. (See reference 14)
  • People in the council raising potential cyber security incidents and issues are treated positively. (See reference 4)
  • Individuals at all levels in the council routinely report concerns or issues about cyber security and are recognised for their contribution to keeping the council secure. (See reference 4)
  • The council communicates openly about cyber security, with any concern being taken seriously. (See reference 4)
  • Staff participate in cyber security activities and improvements, building joint ownership and bringing knowledge of their area of expertise. (See reference 4)

Guidance

Board Toolkit – Developing a positive cyber security culture | National Cyber Security Centre

You shape security | National Cyber Security Centre

Growing positive security cultures | National Cyber Security Centre

10 Steps to Cyber Security – Engagement and training | National Cyber Security Centre


Principle 10.2. Cyber security training
 

What is it?

Council staff and councillors receive appropriate cyber security training. Various approaches are used to educate, raise awareness, and communicate with staff frequently.

Why is it important?

Effective security training and awareness will ensure that staff understand their responsibilities and how to perform their job securely, and councillors can be confident in their contribution.

Indicators of good practice

Guidance

NCSC cyber security training for staff | National Cyber Security Centre

NCSC Certified Training | National Cyber Security Centre

Professional skills & training | National Cyber Security Centre

10 Steps to Cyber Security – Engagement and training | National Cyber Security Centre

Board Toolkit – Growing cyber security expertise | National Cyber Security Centre


Principle 10.3. Remote working
 

What is it?

Appropriate policies, procedures and technical controls are implemented to manage the risk introduced by using mobile devices and remote working, including data, access methods, authentication and monitoring tools.

Why is it important?

Robust remote working controls will ensure that critical and confidential information accessed or processed by staff, councillors and third parties working in remote environments is protected against unauthorised access, tampering and loss.

Indicators of good practice

  • The council has documented policies and procedures covering remote working that have been approved and communicated to all relevant stakeholders. (See reference 5)
  • Individuals who work in remote environments are made aware of the additional risks associated with remote working (including the increased likelihood of theft of equipment, accidental unauthorised disclosure of sensitive information or being overlooked). (See references 1 and 5)
  • The council provides appropriate training for staff members working remotely. Training includes guidance to help users securely configure their home network infrastructure and physically secure council equipment that has been entrusted to them. (See references 18 and 26)
  • Council staff know what to do and who to report to if their device is lost or stolen or if any other incident happens while working remotely. The council encourages users (in a positive, blame-free manner) to report any losses as soon as possible. (See reference 26)

Guidance

Home working: preparing your organisation and staff | National Cyber Security Centre

Secure home working on personal IT | National Cyber Security Centre

CNI system design: Secure Remote Access | National Cyber Security Centre

Device Security Guidance – Bring your own device (BYOD) | National Cyber Security Centre

End user device strategy: security framework and controls | Cabinet Office and Efficiency and Reform Group

Device Security Guidance – Virtual Private Networks (VPNs) | National Cyber Security Centre

Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (NIST Special Publication 800–46 Revision 2) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Topic 11: Security monitoring


The council monitors the security status of the networks and information systems supporting the operation of essential services to detect potential security events, track the ongoing effectiveness of protective security measures, and assist with incident or forensic investigations.

Principle 11.1. Monitoring coverage
 

What is it?

Monitoring solutions provide sufficient coverage across the environment to allow timely identification of security events that might affect the operation of essential services.

Why is it important?

Effective and adequate coverage of the council's networks and systems aids in the early detection and eradication of potential threats to essential functions and services.

Sufficient breadth and depth of monitoring and observability of systems and their associated cyber risks, typically achieved through automated tooling, provides real-time and continuous protection.

Indicators of good practice

  • Monitoring is based on an understanding of the council networks, common cyber-attack methods, and specific events that could affect the delivery of essential services (for example, presence of malware, malicious emails, user policy violations). (See reference 4)
  • The council's monitoring data provides enough detail to reliably detect security incidents that could affect the operation of essential functions and services. (See reference 4)
  • The monitoring solutions allow the council to easily detect the presence or absence of indicators of compromise on essential services, such as known malicious command and control signatures. (See reference 4)
  • The council monitors user and network activity in order to detect policy violations and an agreed list of suspicious or undesirable behaviour, such as data exfiltration, and potential insider threats. (See references 1, 4 and 9)
  • The council has extensive monitoring coverage that includes host-based monitoring and network gateways. (See reference 4)
  • Coverage is reviewed regularly to ensure new and existing systems and processes are effectively monitored. (See references 4 and 5)
  • There is a sufficient understanding of normal system activity (for example, which system components should and should not be communicating with each other) which would allow the council to easily detect malicious activity. (See reference 1)
  • Monitoring solutions cover Cloud environments and systems hosted externally by third parties.

Guidance

Device Security Guidance – Logging and protective monitoring | National Cyber Security Centre

Protective Monitoring for HMG ICT Systems (GPG 13) | National Cyber Security Centre

IT Security Protective Monitoring Guide | Ministry of Justice (MoJ)

10 Steps to Cyber Security – Logging and monitoring | National Cyber Security Centre

What exactly should we be logging? | National Cyber Security Centre

Introduction to logging for security purposes | National Cyber Security Centre


Principle 11.2. Securing logs
 

What is it?

Audit logs are stored securely, retained for a sufficient period, with access restricted to authorised users. Audit logs are adequately protected against loss and modification and are readily available for audit purposes when required.

Why is it important?

Securing audit logs prevents unauthorised access to, and disclosure of, sensitive information. It also ensures that log information is available and forensically sound in the event of an investigation.

Indicators of good practice

  • The council has logging and monitoring policies that define legitimate reasons for accessing logging data. (See reference 4)
  • Access to logging data is limited to a subset of privileged users with business need. (See reference 2)
  • The integrity of logging data is protected, and any modification is detected and attributed. (See reference 4)
  • The logging solution has appropriate security controls to protect itself and the data against cyber-attacks. (See reference 4)
  • All actions involving logging data (for example, copying, deleting or modification, or even viewing) can be traced back to a unique user. (See reference 4)
  • Log data analysis and normalisation is only performed on copies of the data, keeping the master copy unaltered. (See reference 4)
  • Logging datasets are synchronised, using an accurate common time source, so separate datasets can be correlated and provide an accurate timeline of events. (See reference 4)
  • The council has documentation that identifies systems or devices on which logging should be enabled and what type of audit event should be collected. (See reference 5)
  • Logs are stored securely to support possible forensic investigations and meet record retention requirements. (See reference 5)
  • The logging system has adequate resources and capacity to ensure that there are no disruptions to the logging process as a result of resource exhaustion. (See reference 5)
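
The integrity and loss-detection properties described in the indicators above, as an added Python example that is not part of the framework: each record is chained to its predecessor with an HMAC, so editing or deleting any entry breaks verification at that point, and the latest MAC is anchored on a separate system so that a silently truncated chain is also caught. The key, record fields and anchoring arrangement are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed demonstration key. In a real deployment the key lives with the
# log collector (or an HSM), not on the hosts that emit records, so that a
# compromised host cannot re-seal the chain after altering it.
CHAIN_KEY = b"constructed-example-key-not-for-production"
GENESIS = "0" * 64  # starting link value for an empty chain


def _canonical(record):
    """Serialise a record deterministically so the MAC is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def seal_records(records, key=CHAIN_KEY):
    """Append each record to an HMAC chain: mac_i = HMAC(key, mac_{i-1} || record_i)."""
    sealed = []
    prev = GENESIS
    for rec in records:
        mac = hmac.new(key, (prev + _canonical(rec)).encode(), hashlib.sha256).hexdigest()
        sealed.append({"record": rec, "prev": prev, "mac": mac})
        prev = mac
    return sealed


def verify_chain(sealed, key=CHAIN_KEY):
    """Return (True, None) if the chain is intact, otherwise (False, index) of
    the first entry whose content or link to its predecessor no longer matches."""
    prev = GENESIS
    for i, entry in enumerate(sealed):
        expected = hmac.new(key, (prev + _canonical(entry["record"])).encode(),
                            hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev = entry["mac"]
    return True, None


def is_truncated(sealed, anchored_mac):
    """A chain that has only lost its tail still verifies, so the latest MAC must
    be anchored elsewhere (for example, sent periodically to a separate system).
    Returns True if the stored chain no longer ends at the anchored MAC."""
    last = sealed[-1]["mac"] if sealed else GENESIS
    return not hmac.compare_digest(last, anchored_mac)


if __name__ == "__main__":
    # Constructed sample audit records of actions on logging data, not real council data.
    records = [
        {"ts": "2024-03-04T09:12:00Z", "user": "alice", "action": "view", "object": "log-2024-03-03"},
        {"ts": "2024-03-04T09:15:30Z", "user": "bob", "action": "copy", "object": "log-2024-03-03"},
        {"ts": "2024-03-04T09:20:10Z", "user": "alice", "action": "view", "object": "log-2024-03-04"},
        {"ts": "2024-03-04T09:25:45Z", "user": "carol", "action": "delete", "object": "log-2024-02-01"},
    ]
    chain = seal_records(records)
    anchor = chain[-1]["mac"]                      # would be stored off-box
    print("intact:", verify_chain(chain))          # (True, None)
    chain[1]["record"]["user"] = "mallory"         # tamper with one entry
    print("after edit:", verify_chain(chain))      # (False, 1)
    print("truncated:", is_truncated(chain[:2], anchor))  # True
```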

Guidance

Device Security Guidance – Logging and protective monitoring | National Cyber Security Centre

Protective Monitoring for HMG ICT Systems (GPG 13) | National Cyber Security Centre

IT Security Protective Monitoring Guide | Ministry of Justice (MoJ)

10 Steps to Cyber Security – Logging and monitoring | National Cyber Security Centre

What exactly should we be logging? | National Cyber Security Centre

Introduction to logging for security purposes | National Cyber Security Centre


Principle 11.3. Generating alerts
 

What is it?

Evidence of potential security incidents contained in monitoring data is reliably identified and triggers alerts in a timely and usable fashion.

Why is it important?

The generation of security related alerts acts as an early warning system, allowing the council to investigate and detect suspicious activity or errors that carry cyber risks.

Indicators of good practice

  • Logging datasets can be easily queried with search tools to aid investigations. (See reference 4)
  • Logging data is enriched with other network knowledge and data when investigating certain suspicious activity or alerts. (See reference 4)
  • A wide range of signatures and indicators of compromise are used for investigations of suspicious activity and alerts. (See reference 4)
  • Alerts can be easily resolved to network assets using asset inventories and knowledge of networks and systems. (See reference 4)
  • Security alerts relating to essential services are prioritised and promptly investigated. (See reference 4)
  • Logs are reviewed in real time using automated tools that trigger alerts when certain events occur. (See reference 4)
  • Alerts are tested and fine-tuned to ensure that they are generated reliably and that it is possible to distinguish genuine security incidents from false alarms. (See reference 4)

Guidance

Device Security Guidance – Logging and protective monitoring | National Cyber Security Centre

Protective Monitoring for HMG ICT Systems (GPG 13) | National Cyber Security Centre

IT Security Protective Monitoring Guide | Ministry of Justice (MoJ)

10 Steps to Cyber Security – Logging and monitoring | National Cyber Security Centre

What exactly should we be logging? | National Cyber Security Centre

Introduction to logging for security purposes | National Cyber Security Centre


Principle 11.4. Identifying security incidents
 

What is it?

The council can quickly and easily contextualise alerts using knowledge of the environment and the threat landscape, with intelligent and capable tools, to identify security incidents.

Why is it important?

Successful identification of suspicious activity and the early detection of potential compromises could help minimise the potential impact of a cyber-attack or unintentional cyber incident.

Indicators of good practice

  • The council has selected threat intelligence feeds using risk-based and threat-informed decisions based on the business needs and sector (for example, vendor reporting and patching, strong anti-virus providers, NCSC, community-based information sharing). (See reference 4)
  • The council applies all new signatures and indicators of compromise within a reasonable (risk-based) time of receiving them. (See reference 4)
  • The council ensures that all protective technologies, such as antivirus software and intrusion detection systems, are kept up to date with the latest signatures. (See reference 4)
  • The council tracks the effectiveness of its intelligence feeds and actively shares feedback on the usefulness of the information with other councils, threat intelligence providers and the wider public sector. (See reference 4)
  • The council shares detected malware with malware protection software vendors to enable the creation of signatures that can be widely distributed. (See reference 5)
  • The council incorporates lessons learned from previous security incidents into current procedures to create a process of ongoing improvement. (See reference 9)

Guidance

Device Security Guidance – Logging and protective monitoring | National Cyber Security Centre

Protective Monitoring for HMG ICT Systems (GPG 13) | National Cyber Security Centre

IT Security Protective Monitoring Guide | Ministry of Justice (MoJ)

10 Steps to Cyber Security – Logging and monitoring | National Cyber Security Centre

What exactly should we be logging? | National Cyber Security Centre

Introduction to logging for security purposes | National Cyber Security Centre


Principle 11.5. Monitoring tools and skills
 

What is it?

Monitoring staff, including third party suppliers, have the right skills, knowledge, tools, and roles required to monitor the environment and investigate potential incidents.

Why is it important?

Ensuring that monitoring staff have the right skills and tools means that the council is well-equipped to detect and respond to potential cyber-attacks.

Indicators of good practice

  • The council has trained monitoring staff, who are responsible for the analysis, investigation and reporting of alerts covering both security and performance. (See references 4 and 7)
  • Monitoring staff have defined roles and skills that cover all parts of the monitoring and investigation process and have a clear escalation path to senior management. (See reference 4)
  • Monitoring staff follow process and procedures that address all governance reporting requirements, internal and external. (See reference 4)
  • Monitoring staff are empowered to look beyond the fixed process to investigate and understand non-standard threats, by developing their own investigative techniques and making new use of data. (See reference 4)
  • Monitoring tools make use of all logging data collected to pinpoint activity within an incident. (See reference 4)
  • Monitoring staff and tools drive and shape new log data collection based on their knowledge and expertise. (See reference 4)
  • Monitoring staff are aware of the systems used to support the delivery of the council’s essential services, and can identify and prioritise alerts or investigations that relate to them. (See reference 4)
  • Monitoring tools, skills and processes are regularly tested by utilising the council’s own security assessments (such as automated vulnerability scans, penetration tests and PSN ITHCs) to find out if the current configurations detect such activities. (See references 17 and 29)
  • Monitoring staff follow the council’s cyber security incident response policies, procedures, and plans. (See references 6, 7 and 17)

Guidance

Device Security Guidance – Logging and protective monitoring | National Cyber Security Centre

Protective Monitoring for HMG ICT Systems (GPG 13) | National Cyber Security Centre

IT Security Protective Monitoring Guide | Ministry of Justice (MoJ)

10 Steps to Cyber Security – Logging and monitoring | National Cyber Security Centre

What exactly should we be logging? | National Cyber Security Centre

Introduction to logging for security purposes | National Cyber Security Centre

NCSC Certified Training | National Cyber Security Centre

Topic 12: Proactive security event discovery


Proactive security event discovery ensures that malicious activity within the council's network and information systems with the potential to affect the operation of essential services can be detected, even when the activity evades standard signature-based security prevention and detection solutions.

Principle 12.1. System abnormalities for attack detection
 

What is it?

Abnormalities in system behaviour are easily and quickly identified, understood, and tackled. The sophistication of cyber-attacks and the growing complexity of cyber risks to systems require a commensurate response that provides practical ways of detecting malicious activity that is otherwise hard to identify.

Why is it important?

Successfully identifying system abnormalities and keeping pace with changing threats and types of risks will allow system administrators and monitoring staff to detect, analyse and understand potentially malicious activity quickly.

Indicators of good practice

  • The council has the capability to detect abnormal security events and malicious or anomalous behaviour. (See references 5 and 10)
  • User access and activity are monitored to identify abnormal activities such as out-of-hours logins or logins from a foreign country. (See reference 1)
  • Normal system behaviour, such as which systems should and should not communicate and when, is understood to such an extent that searching for system abnormalities is a potentially effective way of detecting malicious activity. (See references 4 and 10)
  • System abnormality descriptions from past attacks and threat intelligence are used to enrich monitoring solutions and the detection of malicious activity on the council’s networks. (See reference 4)
  • The system abnormality descriptions the council uses are updated to reflect changes in the council’s networks and information systems and current threat intelligence feeds. (See reference 4)
  • Network traffic is assessed for deviations from normal, such as sudden spikes in data transfer. (See reference 30)
  • The council reviews the audit records of all maintenance and diagnostic sessions to detect anomalous behaviour.
  • A process is in place to ensure the council's anomalous activity detection and cyber security monitoring does not violate agreed user privacy policies. (See reference 9)
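
The two anomaly checks named in the indicators above (out-of-hours or foreign-country logins, and sudden spikes in data transfer) run over constructed log lines, as an added Python example that is not part of the framework. The log format, working hours, expected country set and tuning values are assumptions made for the example; a council would derive them from its own baseline.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample authentication events (not real council data), one per line:
# "<utc timestamp> <event> <user> <source ip> <geo country>".
# Only the fields the checks need are retained, in keeping with the privacy indicator above.
AUTH_EVENTS = [
    "2024-03-04T09:12:00Z login alice 203.0.113.5 GB",
    "2024-03-04T22:47:00Z login bob 198.51.100.7 GB",
    "2024-03-05T10:05:00Z login carol 192.0.2.9 RO",
    "2024-03-05T10:06:00Z logout alice 203.0.113.5 GB",
    "2024-03-05T11:30:00Z login alice 203.0.113.5 GB",
]

# Constructed daily outbound transfer totals (MB) per host; the last day of fileserver01
# is an obvious spike, while webproxy02 is busy but steady.
DAILY_EGRESS_MB = {
    "fileserver01": [120, 135, 128, 140, 131, 126, 1450],
    "webproxy02": [900, 880, 910, 905, 895, 915, 920],
}

# Assumed working hours (UTC) and expected login countries for the example.
WORK_START, WORK_END = 7, 19
EXPECTED_COUNTRIES = {"GB"}


def parse_auth(line):
    """Split one constructed auth line into a dict with an aware UTC timestamp."""
    ts, event, user, ip, country = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event": event, "user": user, "ip": ip, "country": country}


def flag_logins(lines, work_start=WORK_START, work_end=WORK_END, expected=EXPECTED_COUNTRIES):
    """Return (reason, user, detail) tuples for logins outside working hours or
    from a country outside the expected set. Logouts and other events are ignored."""
    alerts = []
    for line in lines:
        e = parse_auth(line)
        if e["event"] != "login":
            continue
        if not work_start <= e["ts"].hour < work_end:
            alerts.append(("out_of_hours_login", e["user"], e["ts"].isoformat()))
        if e["country"] not in expected:
            alerts.append(("login_from_unexpected_country", e["user"], e["country"]))
    return alerts


def flag_egress_spikes(series, window=6, zscore=3.0, noise_floor=0.05):
    """Flag any day whose total exceeds mean + zscore * stddev of the preceding
    `window` days. noise_floor (a fraction of the mean) stops a perfectly flat
    baseline from alerting on trivial changes; both are assumed tuning values."""
    alerts = []
    for host, values in series.items():
        for i in range(window, len(values)):
            base = values[i - window:i]
            sd = max(pstdev(base), noise_floor * mean(base))
            threshold = mean(base) + zscore * sd
            if values[i] > threshold:
                alerts.append((host, i, values[i], round(threshold, 1)))
    return alerts


if __name__ == "__main__":
    for alert in flag_logins(AUTH_EVENTS):
        print("login alert:", alert)
    for alert in flag_egress_spikes(DAILY_EGRESS_MB):
        print("egress alert:", alert)
```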

Guidance

Protective Monitoring for HMG ICT Systems (GPG 13) | National Cyber Security Centre

IT Security Protective Monitoring Guide | Ministry of Justice (MoJ)

10 Steps to Cyber Security – Logging and monitoring | National Cyber Security Centre

Cyber Security Information Sharing Partnership (CiSP) | National Cyber Security Centre

What exactly should we be logging? | National Cyber Security Centre

Introduction to logging for security purposes | National Cyber Security Centre

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) | MITRE


Principle 12.2. Proactive attack discovery
 

What is it?

The council uses an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.

Why is it important?

Proactive attack discovery will allow the council to detect malicious activity even when threat actors use evasive techniques to bypass standard signature-based security solutions and typical network perimeter defences.

Indicators of good practice

  • The council establishes and maintains a Security Operations Centre (SOC), or an equivalent resource, which defends and monitors systems and networks on an ongoing basis. (See reference 28)
  • The proactive monitoring function provided by the SOC aligns with NCSC best practices defined in GPG 13 – Protective Monitoring for HMG ICT Systems.
  • The SOC generates and distributes performance reports that are delivered proactively and report observed activity (for example, detected threats, indicators of compromise, vulnerabilities and security incidents). (See reference 5)
  • The council routinely searches for system abnormalities indicative of malicious activity on the networks and information systems supporting the operation of its essential services, generating alerts based on the results of such searches. (See reference 4)
  • The council has justified confidence in the effectiveness of its searches for system abnormalities indicative of malicious activity. (See reference 4)
  • The council uses advanced capabilities, such as threat hunting or trend analysis, to identify indicators of compromise or malicious activity. (See references 5 and 21)
  • The council has heuristic-based malware protection software deployed, which detects malware based on unusual or abnormal behaviour. (See reference 5)
  • Controls are in place to detect unusual queries, attempted large-scale exports of data or unauthorised administrator access to data, and to raise an alert. These controls are regularly tested and an established procedure to investigate the alerts is in place. (See reference 17)
  • Inbound and outbound traffic traversing network boundaries is monitored to identify unusually large data transfers, which automatically generate security alerts that are promptly investigated. (See reference 1)

Guidance

Protective Monitoring for HMG ICT Systems (GPG 13) | National Cyber Security Centre

IT Security Protective Monitoring Guide | Ministry of Justice (MoJ)

10 Steps to Cyber Security – Logging and monitoring | National Cyber Security Centre

Cyber Security Information Sharing Partnership (CiSP) | National Cyber Security Centre

What exactly should we be logging? | National Cyber Security Centre

Introduction to logging for security purposes | National Cyber Security Centre

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) | MITRE

Topic 13: Response and recovery planning


The council maintains a comprehensive cyber security incident response and recovery framework, including policies, procedures, playbooks, and technical capabilities, that guides and streamlines the organisation’s incident response and recovery processes.

Well-defined and tested cyber security incident response and recovery processes will help organisations mitigate the impact of a cyber-attack and aid in the recovery of essential services in the event of system or service failure or compromise.

Principle 13.1. Incident response policies and procedures
 

What is it?

Response and recovery policies and procedures cover the expectations and processes concerned with detection, containment, eradication, and recovery from a cyber security incident. 

Why is it important?

Maintaining policy and procedural documentation that addresses the most likely incident scenarios, and regularly testing it, can prove pivotal in coordinating the departments involved in reacting promptly and appropriately to a cyber security incident or threat, and can ensure efficient handling of time-sensitive, often high-pressure, security incidents.

Indicators of good practice

  • A cyber security incident response plan, including relevant policy and procedures, is established and well understood by all relevant stakeholders, including the incident response team and the departments involved with the delivery of essential services. (See reference 1)
  • There is a comprehensive incident response plan in place, with clear pre-defined processes covering the complete lifecycle of an incident, actions, roles and responsibilities and clear terms of reference for decision-making and incident management. (See reference 1)
  • The supporting policy, processes and plans are risk based and cover any legal or regulatory reporting requirements. (See references 1 and 4)
  • The council has developed and approved, at the executive level, a communication strategy that includes press materials and statements that could be used in the event of a data security incident. (See reference 5)
  • The council has a set of playbooks that cover a range of common scenarios such as phishing, data exfiltration, suspicious account activity, and ransomware. (See reference 5)
  • Stages of the incident response lifecycle are defined with considerations and relevant guidance for decision making at each phase. (See references 5 and 31)
  • Staff clearly understand not only their role in incident response but the structure and roles within the incident response team. (See reference 31)
  • The contact details of key personnel are readily available to use in the event of an incident. (See reference 1)
  • All incidents are recorded and reported consistently, in line with established criteria. (See references 1 and 9)
  • Processes are defined for post-incident review, allowing feedback of positive and negative aspects of the incident handling process to improve response planning. (See reference 31)

Guidance

Incident management | National Cyber Security Centre

Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology (NIST Special Publication 800–61 Revision 2) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Cyber resilience: incident management | Scottish Government

10 Steps to Cyber Security – Incident management | National Cyber Security Centre

Board Toolkit – Planning your response to cyber incidents | National Cyber Security Centre

Association of Chief Police Officers (ACPO) Good Practice Guide for Digital Evidence | Association of Chief Police Officers (ACPO)

IT Security Forensic Readiness Guide | Ministry of Justice (MoJ)


Principle 13.2. Response and recovery capability

What is it?

Response and recovery capability represents the council's ability to act upon its incident policies and procedures, with resources dedicated to effective cyber incident response and to restoring normal operation of critical council services safely and quickly. Relevant information is easily accessible to support the cyber incident decision-making process throughout the incident response cycle, and all steps are formalised and documented throughout recovery to support 'lessons learned' and follow-up actions.

Why is it important?

Effective response and recovery capability lessens the impact of a cyber incident, reducing financial and reputational harm and allowing normal business operations to be resumed as quickly as possible with the minimum impact to the public, staff and suppliers. Through evidence-based and systematic recovery processes it can also provide the basis for future protection improvements and for any criminal or disciplinary action required.

Indicators of good practice

  • The council has a core cyber security incident response team which includes IT and cyber security staff. An extended team is also established and includes representatives from key departments such as business continuity, PR, communications, HR and legal. (See reference 31)
  • CSIR team members have been assigned and understand their roles and responsibilities. The team has been delegated authority to make decisions designed to minimise the impact of an incident or aid the recovery process, with clear escalation paths defined. (See references 4 and 31)
  • Specialist training is provided as required to the incident response team. (See references 1 and 31)
  • The executive leadership have received the required training and awareness that will guide them when making urgent or critical decisions in response to an incident. (See reference 31)
  • The council has developed an incident response forensic readiness capability that will allow the CSIR team to triage incidents, collect and analyse evidence, and contain and recover from incidents. (See reference 31)
  • Appropriate processes are put in place to improve the CSIR team’s capability based on lessons learned and changes to the threat landscape. (See reference 31)
  • The resources and tools that will likely be needed to carry out any required response activities are understood and arrangements are in place to ensure that they are available. (See references 4, 5 and 31)
  • The council understands the types of information that will likely be needed to inform response decisions, and arrangements are in place to make this information available (for example, contractual obligations, details about affected business environments, technical details, security event log data, network configuration diagrams, information classification details and threat intelligence). (See references 4 and 5)
  • In the event of an incident, the response team is provided with access to all relevant data, evidence and audit logs that will assist in the triage and analysis process. (See references 1, 4 and 31)
  • The incident response team has methods of involving internal and external stakeholders (for example, legal department, public relations, human resources, law enforcement agencies, media and industry regulators). (See reference 5)
  • Back-up mechanisms are available that can be readily activated to allow continued operation of essential services (although possibly at a reduced level) if primary networks and information systems fail or are unavailable. (See references 4 and 31)
  • Arrangements exist to augment the council’s incident response capabilities with external support if necessary (for example, specialist cyber incident responders). (See references 4 and 31)

Guidance

Incident management | National Cyber Security Centre

Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology (NIST Special Publication 800–61 Revision 2) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Cyber resilience: incident management | Scottish Government

10 Steps to Cyber Security – Incident management | National Cyber Security Centre

Board Toolkit – Planning your response to cyber incidents | National Cyber Security Centre

Association of Chief Police Officers (ACPO) Good Practice Guide for Digital Evidence | Association of Chief Police Officers (ACPO)

IT Security Forensic Readiness Guide | Ministry of Justice (MoJ)


Principle 13.3. Testing and exercising

What is it?

Regular tabletop and simulation exercises to test response plans are undertaken to identify potential gaps and ensure that plans remain up to date, accounting for changes to the environment and threat landscape.

Testing can be real but partial, such as recovery from an actual incident or IT disaster recovery testing, or it can take the form of business-led simulated exercises linked to business continuity tests.

Why is it important?

Cyber incident exercising helps councils establish their resilience to cyber-attack and practice their response in a safe environment. Practising response plans ensures staff know how to respond during an incident and can also highlight any problem areas in the council’s planned response.

Indicators of good practice

  • The council conducts regular exercises to test the incident response plan with the findings documented and used to refine incident response plans and protective security controls, in line with the lessons learned. (See references 1, 4 and 15)
  • Exercise scenarios are based on past incidents that affected the council (or other councils), and scenarios that draw on threat intelligence and risk assessment. (See references 1, 4, 15 and 25)
  • Appropriate stakeholders (for example, members of the executive leadership team and relevant operational teams) are appropriately briefed, trained and involved in the test. (See reference 15)
  • Exercises test all parts of the response cycle relating to cyber-attacks impacting essential services. (See references 1 and 4)

Guidance

Incident management | National Cyber Security Centre

Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology (NIST Special Publication 800–61 Revision 2) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Effective steps to cyber exercise creation | National Cyber Security Centre

Cyber resilience: incident management | Scottish Government

10 Steps to Cyber Security – Incident management | National Cyber Security Centre

Board Toolkit – Planning your response to cyber incidents | National Cyber Security Centre

Topic 14: Lessons learned


It is essential that organisations learn from incidents and cyber incident response test exercises to understand the root cause of the incident, how the response process can be improved to reduce the impact on essential services and where appropriate take steps to prevent recurrence.

Principle 14.1. Using incidents to drive improvements

What is it?

Learning from incidents and implementing these lessons to improve the cyber security incident response process and the resilience of essential services.

Why is it important?

Understanding how an incident happened and what could have prevented it allows the council to update and improve incident response plans to reduce the risk of similar incidents occurring again.

Indicators of good practice

  • The council has a documented incident review process which ensures that lessons learned from each incident and test exercise are identified, captured, and acted upon. (See reference 4)
  • Details of the information security incident are documented in a post-incident report, and evidence is collected, preserved and analysed to identify and remedy the root cause or systemic weaknesses. (See references 1, 4 and 5)
  • The executive leadership team takes ownership of the lessons learned process to ensure that any actions required to improve the council’s cyber resilience are undertaken. (See reference 1)
  • Root cause analysis is conducted routinely (where required, involving an information security specialist) as a key part of the lessons learned activities following an incident. The process is comprehensive, covering skills gaps, gaps in the response plan, organisational process issues, as well as weaknesses in networks and information systems. (See references 1, 4 and 5)
  • The council uses lessons learned to improve security measures, including updating and retesting response plans when necessary. (See references 4 and 5)

Guidance

Incident management | National Cyber Security Centre

Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology (NIST Special Publication 800–61 Revision 2) | National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Cyber resilience: incident management | Scottish Government

10 Steps to Cyber Security – Incident management | National Cyber Security Centre

Board Toolkit – Planning your response to cyber incidents | National Cyber Security Centre

Definition of terms


acceptable risk

The level of residual risk that has been determined to be a reasonable level of potential loss / disruption for a specific IT system.

antivirus

Software that is designed to detect, stop and remove viruses and other types of malicious software.

attack surface

The set of services and interfaces available on a system or an environment which an attacker can use to try to enter, cause an effect on, or extract data from, that system or environment.

attacker

Malicious actor who seeks to exploit computer systems with the intent to change, destroy, steal or disable their information, and then exploit the outcome.

breach

An incident in which data, computer systems or networks are accessed or affected in a non-authorised way.

bring your own device (BYOD)

An organisation's strategy or policy that allows employees to use their own personal devices for work purposes.

cloud

Where shared compute and storage resources are accessed as a service (usually online), instead of being hosted locally on physical servers. Resources can include infrastructure, platform or software services.

councillors

While councillors have distinct roles, the framework uses the following four key distinctions:

  • leader of the council or chair of the risk committee – should be actively aware of and engaged in policy and risk management
  • scrutiny committee and audit committee members – will be providing the appropriate level and timeliness of critical analysis of cyber risk
  • cabinet members and portfolio-holders – should be broadly aware of cyber, and in particular of business continuity in their specific areas of interest
  • all other councillors – should be digitally equipped to understand and to follow good cyber practice.

Cyber 360

A combination of interviews, document review and other activities in relation to the LGA Cyber 360 framework indicators of good practice.

cyber attack

Malicious attempts to damage, disrupt or gain unauthorised access to computer systems, networks or devices, via cyber means.

cyber incident

A breach of the security rules for a system or service such as:

  • attempts to gain unauthorised access to a system and / or to data
  • unauthorised use of systems for the processing or storing of data
  • changes to a system's firmware, software or hardware without the system owner's consent
  • malicious disruption and/or denial of service.

cyber security

The protection of devices, services and networks, and the information on them, from theft or damage.

cyber security risk

Cyber security risk is the probability of exposure or loss resulting from a cyber attack or data breach.

data at rest

Describes data in persistent storage such as hard disks, removable media, or backups.

defence in depth

An information / cyber security strategy integrating people, technology, and processes to establish variable defensive mechanisms across multiple layers and dimensions in order to protect valuable data and information.

DPA (Data Protection Act 2018)

Data Protection Act 2018

DSPT (data security and protection toolkit)

For example, NHS Digital's Data Security and Protection Toolkit

encryption

A mathematical function that protects information by making it unreadable by everyone except those with the key to decode it.

EUD (end user device)

Collective term to describe modern smartphones, laptops and tablets that connect to an organisation's network.

essential services

Processes and services which, if interrupted, will cause adverse effects to the public.

executive team (the ‘board’, the ‘directors’, executive leadership)

This is assumed to be a relatively small group, led by the chief executive, chief operating officer or, in unusual circumstances, the leader of the council. This framework uses the following three key distinctions:

  • the chief executive – ultimately responsible for ensuring appropriate interrogation, management, and mitigation of risks, of which cyber is a key part
  • the executive board – the small group of directors responsible for the major parts of the council operations who must receive regular risk reports, and make judgements about appropriate practices and interventions regarding cyber
  • the wider leadership team – typically directors and assistant directors covering all of the main service areas of the council. They will often be the owners of business continuity plans, as well as of line-of-business systems and data; their understanding of data handling, cyber risk, IT disaster recovery and its link to business continuity is key.

exploit

May refer to software or data that takes advantage of a vulnerability in a system to cause unintended consequences.

framework

'Framework' or 'the framework' is used to describe the collection of documents and process that make up the entirety of the LGA Cyber 360 Framework which includes, but is not limited to, the following:

  • LGA Cyber 360 Framework (this document)
  • LGA Cyber 360 application methodology 
  • CSIR (cyber security incident response) tabletop template.

governance

The policies, procedures, and processes to manage and monitor the organisation’s regulatory, legal, risk, environmental, and operational requirements.

HMG SPF

Her Majesty's Government Security Policy Framework

information security

The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

insider threat

The potential for damage to be done maliciously or inadvertently by a legitimate user with access to systems, networks, or data.

IT resilience

The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by IT resources.

Just-in-Time access

Just-in-Time (JIT) access is a fundamental security practice where the privilege granted to access applications or systems is limited to predetermined periods of time, on an as-needed basis.

malware

Malicious software – a term that includes viruses, trojans, worms or any code or content that could have an adverse impact on organisations or individuals.

mitigation

Steps that organisations and individuals can take to minimise and address risks.

multi-factor authentication (MFA)

An authentication system that requires more than one distinct authentication factor for successful authentication.

network

Two or more computers linked to share resources.

patching

Applying updates to firmware or software to improve security and/or enhance functionality.

penetration test (pentest)

An authorised test of a computer network or system designed to look for security weaknesses so that they can be fixed.

phishing

A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.

platform

The basic hardware (device) and software (operating system) on which applications can be run.

policy

Statements, rules or assertions that specify the correct or expected behaviour of an entity.

ransomware

Malicious software that makes data or systems unusable until the victim makes a payment.

risk appetite

The types and amount of risk, on a broad level, an organisation is willing to accept in its pursuit of business activities.

risk assessment

The process of identifying, estimating and prioritising risks to organisational operations (including mission, functions, image, reputation), organisational assets, individuals, other organisations, and the Government.

risk management

The process of managing risks to organisational operations (including mission, functions, image, reputation), organisational assets, individuals, other organisations, and the Government, resulting from the operation of an information system, and includes:

  • the conduct of a risk assessment
  • the implementation of a risk mitigation strategy
  • employment of techniques and procedures for the continuous monitoring of the security state of the information system.

risk mitigation / risk treatment

Prioritising, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.

risk reporting

Risk reporting is the method of communicating risks and the results of risk mitigation activities to decision makers and relevant stakeholders.

risk tolerance

The level of risk or the degree of uncertainty that is acceptable to an organisation.

security incident

A breach of the security rules for a system or service, such as:

  • attempts to gain unauthorised access to a system and/or data
  • unauthorised use of systems for the processing or storing of data
  • changes to a system's firmware, software or hardware without the system owner's consent
  • malicious disruption and/or denial of service.

sanitisation

Using electronic or physical destruction methods to securely erase or remove data from memory.

secure baseline builds

A documented set of specifications, settings and configurations for an information system build that are designed to protect against threats and vulnerabilities.

social engineering

Manipulating people into carrying out specific actions, or divulging information, useful to an attacker.

two-factor authentication (2FA)

The use of two different components to verify a user's claimed identity. Also known as multi-factor authentication (MFA).

virus

Programs which can self-replicate and are designed to infect legitimate software programs or systems. A form of malware.

vulnerability

A weakness, or flaw, in software, a system or process. An attacker may seek to exploit a vulnerability to gain unauthorised access to a system.

whaling

Highly targeted phishing attacks (masquerading as legitimate emails) that are aimed at senior executives.

References


1.  Cyber resilience: framework and self-assessment tool, Scottish Government | 15 January 2021

2.  HMG IA Maturity Model (IAMM), National Cyber Security Centre (NCSC) | 8 March 2018

3.  National Procurement Strategy for Local Government in England 2018, Local Government Association

4.  NCSC CAF guidance v3.0, National Cyber Security Centre (NCSC) | 30 September 2019

5.  Standard Of Good Practice for Information Security 2020, Information Security Forum (ISF)

6.  Cloud security guidance, National Cyber Security Centre (NCSC) | 17 November 2018

7.  Cyber Security Toolkit for Boards, National Cyber Security Centre (NCSC)

8.  Risk management guidance, National Cyber Security Centre (NCSC) | 8 August 2016

9.  Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology (NIST) | 16 April 2018

10.  Connected Places Cyber Security Principles, National Cyber Security Centre (NCSC) | 7 May 2021

11.  Asset management, National Cyber Security Centre (NCSC) | 28 May 2021

12.  Supplier Assurance Framework: Good Practice Guide v1.1, Cabinet Office | May 2018

13.  Supply chain security guidance, National Cyber Security Centre (NCSC) | 28 January 2018

14.  10 Steps to Cyber Security, National Cyber Security Centre | 11 May 2021

15.  Data Security and Protection Toolkit (DSPT), NHS Digital

16.  Spray you, spray me: defending against password spraying attacks, National Cyber Security Centre (NCSC) | 15 May 2018

17.  Protecting bulk personal data, National Cyber Security Centre | 25 September 2018

18.  CIS Critical Security Controls v8, Center for Internet Security (CIS)

19.  Secure design principles, National Cyber Security Centre (NCSC) | 21 May 2019

20.  Secure development and deployment guidance, National Cyber Security Centre (NCSC) | 22 November 2018

21.  NIST Special Publication 800–172: Enhanced Security Requirements for Protecting Controlled Unclassified Information, National Institute of Standards and Technology (NIST) | February 2021

22.  NIST Special Publication 800–172: Enhanced Security Requirements for Protecting Controlled Unclassified Information, National Institute of Standards and Technology (NIST) | February 2021

23.  Active Cyber Defence (ACD), National Cyber Security Centre (NCSC)

24.  Offline backups in an online world, National Cyber Security Centre (NCSC) | 13 August 2019

25.  NIST Special Publication 800–171 rev2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, National Institute of Standards and Technology (NIST) | February 2020

26.  Home working: preparing your organisation and staff, National Cyber Security Centre (NCSC) | 17 March 2020

27.  Whaling: how it works, and what your organisation can do about it, National Cyber Security Centre (NCSC) | 6 October 2016

28.  NIST Special Publication 800–53 rev5: Security and Privacy Controls for Information Systems and Organizations, National Institute of Standards and Technology (NIST) | September 2020

29.  ATT&CK, MITRE

30.  Protective Monitoring for HMG ICT Systems (GPG 13), National Cyber Security Centre (NCSC) | 8 August 2016

31.  Incident management, National Cyber Security Centre (NCSC) | 19 September 2019

32.  Password administration for system owners, National Cyber Security Centre (NCSC) | 19 November 2018

33.  Multi-factor authentication for online services, National Cyber Security Centre | 14 June 2018