Wednesday 15 Jan 2020 @ 14:43
Scottish Government
Cyber security: guidance for public sector suppliers
Guidance setting out best practice from the National Cyber Security Centre, the UK technical authority on cyber security.
Introduction
- The Scottish Public Sector Action Plan on Cyber Resilience (PSAP) was published in November 2017 and set out a commitment to develop a proportionate, risk-based policy in respect of supply chain cyber security for Scottish public sector organisations. This Supplier Cyber Security Guidance Note has been developed to meet that commitment.
- This guidance note forms part of the Scottish Public Sector Cyber Resilience Framework. It is intended for use by public sector organisations that are implementing the PSAP and the Framework. The Framework is expected to be embedded in a number of audit and compliance requirements that apply to different parts of the Scottish public sector including the Scottish Public Finance Manual and Certificates of Assurance processes, with the aim of improving consistency and trust across the Scottish public sector.
- In line with previous discussions and agreements between Scottish Ministers and key public sector partners, while it is ultimately for individual public sector organisations to decide on and adopt an approach to supplier cyber security that best meets their risk profile/appetite, wherever possible the adoption of a consistent approach to this issue is encouraged across the Scottish public sector. For the purposes of this guidance note, the Scottish public sector is broadly defined, and includes NDPBs, Non-Ministerial Departments, local authorities, health boards and universities and colleges.
- This guidance note has benefited from advice from key partners in the Scottish public, private and third sectors, including public sector centres of procurement expertise. The Scottish Government works closely with the National Cyber Security Centre (NCSC), the UK-wide authority on cyber security, to ensure its work on cyber resilience is informed by appropriate technical expertise. As a result, the note aligns closely with NCSC supply chain guidance. Where appropriate, it also references guidance from the Centre for the Protection of National Infrastructure (CPNI), the UK-wide authority which provides protective security advice to businesses and organisations across the UK national infrastructure.
- Cyber security arrangements for systems processing personal data form a key aspect of compliance with the new General Data Protection Regulation (GDPR), which took effect on 25th May 2018. However, the data protection obligations placed on organisations and their supply chains by GDPR go wider than technical measures to protect personal data. Public sector organisations are asked to consider carefully how this guidance note can/should be embedded in wider measures to support compliance with GDPR. The decision-making support tool described at Key Point 4 of this guidance note (the Scottish Cyber Assessment Service, or “SCAS”) has been designed to encompass GDPR requirements in respect of technical protections for personal data.
- It must be clearly understood that cyber security can also be important in contexts not involving personal data, such as arrangements involving sensitive official information, industrial control systems or the “Internet of Things” (where computing devices are embedded in everyday physical objects, which are then enabled to communicate, be controlled, etc. via the Internet).
The Importance of Supplier Cyber Security
- Most Scottish public sector organisations rely on suppliers or other partners to deliver products, systems, and services and require exchange of information to deliver those services effectively. Often these relationships form part of public sector organisations’ supply chains. Supply chains can be large and complex, involving many suppliers doing many different things.
- Effectively securing suppliers and the supply chain against cyber-attacks can be difficult because vulnerabilities can be inherent in suppliers’ systems, or introduced and exploited at any point in the supply chain. The NCSC notes that a vulnerable supply chain can cause significant damage and disruption to organisations. Examples of supply chain attacks can be found here.
- A series of high profile, very damaging attacks has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and growing. There is a clear need for Scottish public sector organisations to understand the cyber threat to supply chain security and to take appropriate, proportionate action to mitigate it.
The Key Aims of This Guidance
- The key aims of this Supplier Cyber Security Guidance Note are:
  - To support Scottish public sector organisations to put in place consistent, proportionate, risk-based policies that effectively reduce the risk of Scottish public services being damaged or disrupted by cyber threats as a result of supplier cyber security issues;
  - To minimise any necessary additional burdens on Scottish public sector organisations (as purchasers) and private and third sector organisations (as suppliers), whilst ensuring the presence of proportionate cyber security controls in the public sector supply chain. This includes a requirement to avoid discouraging SMEs, in particular, from bidding for public sector contracts. This latter aim will be supported by ensuring greater uniformity of the requirements placed on suppliers (thus minimising the number of conflicting demands they face), and by providing a decision-making support tool to aid consistent, proportionate implementation by public sector organisations; and
  - To ensure alignment where possible with key requirements in respect of supply chain cyber security that have implications for the Scottish public sector and its supply chains. These include the EU Security of Network and Information Systems (NIS) Directive as transposed into UK-wide legislation and guidance.
Channel website: https://www.gov.scot/
Original article link: https://www.gov.scot/publications/scottish-public-sector-supplier-cyber-security-guidance-note/