Scottish Cyber Assessment Service Presentation for Suppliers v 1.0 October 2019



Introduction


The Scottish Cyber Assessment Service

This presentation is for current or prospective suppliers to the Scottish public sector.

It provides basic information on:

• Why improving cyber security and resilience is important for your organisation and for the Scottish public sector; and

• What you will need to do about cyber security and resilience when submitting tenders for public sector work, using a new service called the Scottish Cyber Assessment Service.


Important

• Completing a SCAS questionnaire can require time and effort, depending on (i) the risk profile of a contract and (ii) how well you understand your organisation’s cyber resilience arrangements.

• It is vital that you leave sufficient time for your organisation to complete the SCAS questionnaire ahead of any procurement deadlines.

• Your answers can be re-used for contracts with the same (or similar) risk profiles for any public authority using SCAS, thus significantly reducing the overall amount of time spent answering questions on cyber resilience.

• SCAS may also be useful as a cost-free way of assessing to what extent your organisation currently meets the requirements of cyber security certifications and authoritative National Cyber Security Centre guidance.

• It is therefore worth investing some time and effort in getting your answers to a SCAS questionnaire right the first time you complete it.


Why is Cyber Security and Resilience Important?


The Cyber Threat

You may be wondering why you need to be concerned about cyber security and resilience.

Smaller businesses and charities often ask: “Why would anyone attack me?”

But if you rely on Internet-connected digital services or products to deliver your business objectives, you are at risk.


The Cyber Threat

Many cyber attacks are untargeted – they look for vulnerabilities in devices connected to the Internet, and take advantage of them.

Cyber attackers may never have heard of your business or organisation until the day they manage to get access to your networks.

Because of this, the Scottish Government believes it’s vital that all businesses and charities in Scotland understand the cyber threat and can take action to mitigate it.


The Supply Chain Cyber Threat

Increasingly, attackers that want to target larger or more sensitive organisations (or sectors) are making use of supply chain attacks.

In simple terms, rather than targeting the better protected or “harder” targets directly, they target those organisations’ less well-protected suppliers.

Attackers can then use various methods to gain access to the more sensitive targets “higher up” the supply chain.


The Supply Chain Cyber Threat

Against this background, the Scottish public sector wants to ensure its suppliers have appropriate cyber security in place. That’s because:

• We have a duty to prevent our public services from being disrupted by cyber attacks on suppliers; and

• We want to support our suppliers to improve their cyber security, because it’s good for the sustainability and resilience of our digital economy and society.


The Scottish Cyber Assessment Service


The Scottish Cyber Assessment Service

To help improve supply chain cyber security, the Scottish public sector is being encouraged to adopt a more consistent approach. This will involve them implementing:

• A guidance note, which has been produced for all public sector organisations, setting out best practice from the National Cyber Security Centre (the UK technical authority on cyber security).

• A support tool called the Scottish Cyber Assessment Service, which all suppliers bidding for public sector contracts may be asked to use.


How does the Scottish Cyber Assessment Service work? (1)

• Public sector organisations will use the tool to complete a Cyber Risk Profile Assessment for all contracts before they issue Invitations to Tender.

• This will generate a Cyber Risk Profile for the contract, and a Supplier Assurance Questionnaire that is proportionate to the risk.

• All suppliers bidding for a contract will then be given a Risk Assessment Reference. They can use this to log onto the Tool, complete the relevant Supplier Assurance Questionnaire, and download a report to submit alongside all other tender documents.


How does the Scottish Cyber Assessment Service work? (2)

• Public sector organisations will then assess the answers provided as part of their evaluation of tenders.

• The tool helps to manage supplier burdens in two main ways:

  • The questions asked of suppliers by Scottish public sector organisations should be much more consistent – avoiding “spreadsheet fatigue”; and

  • Suppliers can reuse many/all of the answers they have supplied previously when a contract has the same risk profile as another contract they have applied for.


How does the Scottish Cyber Assessment Service work? (3)

• The core measures that suppliers will be asked to have in place for different risk levels are broadly aligned with the following wider pieces of NCSC Guidance:

  • Very Low – NCSC Small Business/Charity Guides

  • Low – additional controls under NCSC Cyber Essentials/Plus

  • Moderate – additional controls under the NCSC 10 Steps to Cyber Security

  • High – additional controls under the NCSC NIS Technical Guidance, and aligned with ISO27001.

• Special “triggers” are also present for question sets around personal data, cloud services, payment card data and product security.

• Public sector organisations may choose to supplement these measures with further requirements, depending on their risk appetites.


A note on cyber security certification and accreditation (1)

• Some of the risk profiles align broadly with specific certifications or accreditations available to suppliers. For example:

  • The low risk profile requirements include elements aligned with Cyber Essentials/Plus.

  • The moderate risk profile requirements include elements aligned with IASME Governance certification.

  • The high risk profile requirements include elements aligned with ISO27001 certification.


A note on cyber security certification and accreditation (2)

• Achieving such certification may have benefits for your organisation. It can demonstrate that you take cyber security seriously, and that you have already been independently assessed as meeting certain requirements.

• It can also reduce the number of questions you have to respond to when using SCAS (because SCAS will automatically award “credit” for your certification).

• Public sector organisations are encouraged to have regard to costs and proportionality when setting out specific requirements re: certification and accreditation. They should be willing to consider equivalent evidence of cyber security controls/maturity where available.


This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [email protected]. Crown Copyright © 2017

These are the Common Core Cyber Resilience Requirements that suppliers are expected to meet in order to manage cyber risk in Scottish public sector contracts. These requirements broadly align with NCSC Supply Chain Guidance, and are embodied in the SCAS decision-making support tool available at www.cyberassessment.gov.scot.

Public sector organisations may choose to supplement these common core requirements with additional controls or requirements depending on the circumstances of the contract and risk appetite. By ensuring they meet these common core requirements, suppliers can ensure they are well placed to manage cyber risk to an appropriate level when dealing with public sector contracts.

Figure: Common Core Cyber Resilience Requirements (diagram; labels reconstructed below)

Cyber risk profile assessment

• Public sector buyer uses Risk Profile Assessment Tool to generate risk profile.

• Supplier presented with Supplier Assurance Questionnaire aligned to risk profile.

Risk profiles and core measures

• N/A – No cyber risk identified in contract.

• VERY LOW RISK PROFILE – Public bodies encouraged to signpost suppliers to good practice, e.g. NCSC Guidance. Basic Controls aligned with NCSC Small Business Guide.

• LOW RISK PROFILE – Controls for Very Low risk profile PLUS Cyber Essentials (Basic Controls + Controls from Cyber Essentials).

• MODERATE RISK PROFILE – NCSC 10 Steps + GDPR controls. Holistic approaches to cyber resilience provide greater assurance that targeted attacks can be resisted or dealt with when they occur.

• HIGH RISK PROFILE – NIS + ISO. Advanced approaches to cyber resilience, most likely to be appropriate for organisations facing sophisticated threats with high potential impact.

• Specialist requirements (e.g. List X, etc.)

• Certification options

Triggers

• Where organisations are using cloud services or cloud-enabled products, they will be asked to confirm compliance with NCSC Cloud Security Principles.

• Where personal information is processed, organisations will be asked to confirm compliance with ICO/NCSC guidance for protecting personal data.

• Where payment card data is processed, organisations will be asked to confirm compliance with PCI DSS requirements for protecting payment card data.

Threat intelligence

• Membership of the Cyber Security Information Sharing Partnership (CiSP) will be encouraged to ensure threat intelligence awareness and sharing.

Incident reporting

• Organisations are required to report significant cyber incidents to NCSC, Police Scotland, and appropriate authorities dependent on status (e.g. NIS Competent Authorities, ICO, etc.)


What if a supplier doesn’t currently meet the requirements of a contract’s risk profile? Are they excluded from bidding?

• The Guidance Note and SCAS are designed to encourage a proportionate approach to supply chain cyber security.

• That involves recognising that improved cyber resilience is a continuous process requiring the public sector to support suppliers.

• That approach includes an ability for public sector organisations to opt (at their discretion) not to exclude suppliers that do not meet a SCAS risk profile’s minimum requirements at the time of bidding.

• In such circumstances, they can opt to accept an accompanying Cyber Implementation Plan, in which the supplier commits to achieving the minimum requirements by a specified future date (e.g. contract award).