C-TAG and other useful guidance
From the linked pages on the left, you can read and download various guidance and policy documents. These have either been produced directly by C-TAG or through the WARPs etc.
Remote Working Guidance January 2023
Attached are a series of Incident Response Playbooks that were created on behalf of C-TAG.
June 2021 Version 0.6 – Status: DRAFT FOR COMMENT – NOT POLICY
Background
The Local Government Information Assurance regime has its roots in the GSi Code of Connection, which goes back over fifteen years. The world has moved on towards using the Internet [1] and government policy is now Internet First [2], with a move away from the PSN, which is now considered a legacy network.
Traditional ICT is also moving to a cloud first approach [3]. Cyber-related assurance is also moving to the Minimum Cyber Security Standard (MCSS) [12], owned by the Government Security Group in the Cabinet Office [3a], which will replace Local Government Information Assurance for central government departments connected to the PSN by April 2023 [11].
At some point in the future the PSN will no longer be used; Local Government Information Assurance will therefore no longer exist and the standard for cyber will be the MCSS. In the meantime there are opportunities to prepare the local sector for this eventuality, and one such opportunity is to take on responsibility, through a local body, for Local Government Information Assurance whilst the PSN is still operational, as a stepping stone towards the MCSS.
This is a component part of a bigger picture covering the whole legacy ICT issue, which is being driven by the Cabinet Office for Central Government and will in due course impact on Local Government. Today's leading-edge technology will become tomorrow's legacy. We are also now seeing both hybrid and multi-cloud technologies and approaches being introduced in organisations [10].
Issue
Compliance at present is gained through a code of connection submission, which comprises a network diagram detailing what is in scope, a penetration test, a remedial action plan and a statement of compliance (a set of assertions detailing how the Local Government Information Assurance conditions are met through the code of connection). This process is a compliance regime, not an assurance regime.
The current process is still time intensive to administer, and it is used by other government bodies, the police and the NHS as a level of assurance to provide a baseline on which they share information and interact. The current approach is a once-a-year snapshot, like the MOT on a car. Taxis and police vehicles have a different, ongoing regime: police vehicles are constantly serviced and reviewed, and police traffic cars have their speedometers calibrated and are subject to stringent checks [13].
Network and systems assurance is only one component of a wider set of requirements. There are issues around legacy ICT systems, where the platforms, applications and operating systems are becoming legacy (deprecated and going obsolete). This paper can only focus on this aspect; it is however an integral part of the whole. There needs to be consideration for applications which rely on components that are obsolete, that is, no longer supported [5] (old Java / Flash, Internet Explorer etc.).
Councils with legacy equipment are likely to be subjected to more cyber attacks. This increases their need to be even more vigilant in protecting their network boundaries, running their platforms and supporting their applications. Local Authorities are all sovereign democratic entities. Any directed government intervention is termed a "new burden" [6]; there is a mechanism to do it, but the cost would need to be picked up by central government. This is further complicated by devolution.
An alternative Local Government Information Assurance process
Background
In an ideal world all PSN connected organisations would have the whole network and infrastructure assured through ISO 27001. This is however very expensive and would not be cost effective; if however Councils have ISO 27001 covering the required scope, that would be acceptable to cover 1 & 3 below, subject to scope.
The PSN network is designed for the OFFICIAL level within the HMG protective marking scheme [9]. The threat profile and risk appetite of the PSN is OFFICIAL, using the baseline security controls that reflect commercial good practice. The same applies to the baseline encryption, where applicable, being commercial good practice.
Currently the PSN relies on an historic penetration testing regime, historically called an Information Technology Health Check (ITHC): an independent penetration test carried out annually. Over the past few years a whole industry has grown up to mechanise and automate this process, using freely available tools and techniques. The NCSC CHECK scheme, when used for this purpose, is robust and fit for purpose, but is also expensive. The monthly scanning requirements will highlight issues in a more effective way than a single annual test. We continue to advocate penetration testing for applications and infrastructure as best practice.
Greyscale approach to Threat Profiles at OFFICIAL
All of this approach, for use across either just Local Government or the Wider Public Sector (WPS), will be at the OFFICIAL protective marking level. The OFFICIAL level has a grey scale within it, from unclassified white to the more sensitive black end of the slider. The top end is often wrongly referred to as OFFICIAL-SENSITIVE as though it were a separate level; that is not the case. OFFICIAL-SENSITIVE is a handling caveat, not a separate level. There is however a need for nomenclature to describe the top end of the OFFICIAL protective marking, which is still below the threshold for SECRET, so the sliding grey scale is a useful analogy [14]. The point is that OFFICIAL-SENSITIVE can be used for need-to-know where the threat profile is towards the unclassified end of the scale (say a personnel issue or investigation etc.), not just at the high threat end. SECRET is a whole different tier.
The problem was caused in 2014, when the Asset Classification Scheme went from six to three levels, losing CONFIDENTIAL, which was used extensively by the Police and others. The move has since been to use "OFFICIAL-SENSITIVE" as a proxy for CONFIDENTIAL, below SECRET.
Suggested approach (Requirements) requiring evidence and assertions
The proposed alternative process will require a number of components which will provide an equivalent to the existing PSN code of connection.
The Post PSN Assurance Process (P2AP) would comprise of:
1) IASME Cyber Essentials Plus as a minimum, covering:
1.1 The Corporate ICT Core Network
1.2 The Social Care systems
1.3 The Corporate CRM System
1.4 The Corporate websites
1.5 Corporate email
1.6 remote network access services
1.7 Wireless network access
1.8 BYOD
1.9 Remote (Home) working
2) Adherence to and reporting on the Minimum Cyber Security Standard [8]
3) Monthly internal vulnerability scans of the core network and servers, ensuring core network components are not legacy, especially firewalls. Scanning all core network devices:
3.1 Firewalls, including configuration, patching, whitelists and rulesets.
3.2 Core routers, configurations and patching.
3.3 Ensuring servers are properly managed (if legacy) and patched.
4) Monthly external network scans of websites, services and publicly exposed endpoints, including API endpoints.
5) Monthly scanning and reporting of:
5.1 All digital certificates in use.
5.2 The DNS servers, services and configurations.
6) Deployment, reporting and active use of NCSC Active Cyber Defence (ACD):
6.1 Webcheck
6.2 Mailcheck
6.3 PDNS (or acceptable alternative if not technically possible).
6.4 NEWS (Network Early Warning Service)
6.5 Logging Made Easy (or Acceptable alternative)
6.6 Have an NCSC point of contact (POC) email box in place.
6.7 Have an active NCSC CISP account.
7) Have carried out a Cyber Incident exercise within the last twelve months.
8) Have a suitable Information Governance, training and awareness regime in place:
8.1 SIRO/ IAO / DPO appointed.
8.2 Adherence to the Local Public Services Data Handling Guidelines Version 6.
8.3 Member of Regional WARP.
9) Documented Cyber Incident Response process and plan in place.
10) Key data backup / isolation processes in place.
The proposed process
Continue to accept the PSN community documents including the code of connection.
Provide evidence of Cyber Essentials Plus.
Provide evidence of monthly internal and external scans, together with an agreed mitigation plan and evidence of improvement against that plan: the monthly scans should show that patching and other compensating controls and mitigations are in place and being implemented.
Evidenced return against the Minimum Cyber Security Standard.
Evidence of information governance regime.
Evidence of NCSC ACD take up.
Evidence of Cyber exercise.
Evidence of key data backup compensating controls.
Supporting future Strategy
This process will encourage a move towards proactive information assurance and cyber resilience. We are encouraging the take up of the NCSC ACD and supporting the minimum cyber security standard. Monthly vulnerability scanning will drive improvement and encourage a robust patching regime. Focusing on the automation of scanning and reporting will eventually get to a point of near real time reporting and posture checking.
Glossary
DWP Department of Work and Pensions
LDS CIC Local Digital Services Community Interest Company
LGD Lead Government Department
ICT Information and Communications Technology
MOU Memorandum of Understanding
New Burdens - Where central government instructs local authorities to do something and picks up the associated costs of doing it.
NHS National Health Service
References (Accessed February 2021)
The process below will address the interim requirements as an alternative to PSN code of connection compliance and pave the way to post-PSN assurance, supporting the Future Networks for Government (FN4G) Programme. The current Local Government Information Assurance regime is explained at:
3) Adherence to and reporting on NCSC legacy guidelines:
[1]
[2]
[3]
[3a]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
Local Public Services
Data Handling Guidelines
Sixth Edition
March 2021
© 2021 NLAWARP
Foreword
Since the previous edition of these guidelines was published much has happened, not least the revised Data Protection Act 2018. The Public Services Network (PSN) is now referred to as a legacy network. The UK Government has an Internet First approach, which will see the move towards a set of processes which support the Cabinet Office Minimum Cyber Security Standard. The PSN has a baseline compliance regime. The compliance does not provide any level of information assurance. The PSN was never meant to be used as an assurance regime.
The National Cyber Security Centre (NCSC) continues to provide technical and policy support to the Local Public Sector; this support is dependent on strong information governance, supported by the Senior Information Risk Owner (SIRO) and Information Asset Owners (IAOs). There has to be a local information risk management regime in place, which supports a written information risk appetite for the organisation, managed and scrutinised by a Corporate Information Governance Group.
Organisations must have a robust training regime in place for all staff, contractors and suppliers, to ensure they know how to protect personal data. Organisations need a general awareness raising campaign to support the Data Protection Act and Cyber Resilience. Training records need to be kept in case there is a data breach, to provide evidence to the ICO. Organisations must have a robust and well-rehearsed Incident Response capability in place; this needs to be fit for purpose to support the Data Protection Act, working to prevent breaches and cyber security incidents. The National Cyber Security Programme (NCSP) continues to provide valuable additional support and initiatives to enhance cyber security and capability in the UK.
Local Cyber Resilience and the protection of frontline government services is becoming a new priority area; this extends to securing local democracy through the protection of local and national elections. Local Authority security officers will strengthen their ties with Local Resilience Forums (LRFs) through the Ministry of Housing, Communities and Local Government (MHCLG) National Cyber Security Programme (NCSP) Local programme. The MHCLG NCSP-Local Programme has introduced information repositories offering good practice and advice, as well as the Pathfinder programme, which has brought a complete series of funded Cyber Security training places across local government and delivered a series of Cyber Resilience Coordination exercises in partnership with the NCSC and the Emergency Planning College.
The recognition of cyber resilience as a focus area moving forward, along with the additional requirements of the revised Data Protection Act (2018), should highlight the need for Local Public Services to plan, prepare and exercise for when things go wrong. This has always been a background requirement of the Civil Contingencies Act (2004), but as we move forward, those engaged in the work of the Local Resilience Forums (LRFs) will start to focus on and plan for cyber incidents.
The regional WARPs continue to provide a strong community of practice and a platform for shared learning, collaboration and knowledge sharing; over fifteen years after their creation they are as relevant now as they ever were in helping local public services prepare for and respond to the ever emerging threat of cyber attacks. Organised crime remains the number one external threat to organisations, and we are also seeing some escalation in state interest in the UK Public Sector, as highlighted by the incident in Salisbury. The insider threat is still the number one cause of data breaches, through staff error and negligence, which can be largely addressed through training and awareness raising. We continue to improve as a sector, but still have much work to do. These guidelines help by providing a wide range of relevant information brought together into a common narrative. We are also very pleased with the establishment and operation of C-TAG, the Cyber Technical Advisory Group, on behalf of the NCSC, facilitated by Socitm.
Mark Brett
Programme Director NLAWARP / C-TAG April 2021
Information continues to be the key business asset and is fundamental to the delivery of Public Services - are you doing enough to protect the data entrusted to your organisation? The UK Government has decided to include the obligations of data controllers and data processors identified in The Data Protection Act 2018. Messages and assistance from the ICO continue to help organisations prepare for the prevention of data breaches. It is essential for Councils to have a published, tracked and monitored implementation plan and a register that contains details of all the organisation's processing activities; it is a requirement under the DPA to have a Register Of Processing Activities (ROPA) with respect to personal data. If something untoward should happen, you will then have evidence of action in the form of your plan.
In further detail, that processing register must contain:
the name and contact details of the controller and, where applicable, the joint controller and any data protection officer;
the purposes of the processing;
a description of the categories of data subjects and of the categories of personal data;
the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
where possible, the envisaged time limits for erasure of the different categories of data;
The reliance on and use of cloud services have increased; applications such as Microsoft Office 365 are now becoming the preferred option in many organisations. This improves resilience, as it removes the reliance on on-premise email exchange servers, but it also requires the Active Directory services to be cloud based. Directory services will be another increasing growth area, which will need digital certificates to back up and protect device encryption and access control.
The threat from cyber attack has increased. "Bring Your Own Device" and remote connectivity have increased in popularity and availability, and the Government has begun to implement a new protective marking scheme. The PSN (Public Services Network) has changed its emphasis from being an eco-system to focussing on just being a network.
Protecting personal data is a legal requirement under The Data Protection Act. The Act establishes a framework of rights and duties which are designed to safeguard personal data and balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details.
The added complexity of off-shoring cloud services and the demise of international agreements such as Safe Harbour which allowed transfers to the USA (and possible issues with its replacement, Privacy Shield), has also brought new challenges, requiring management decisions to be made.
The emphasis is moving towards the Senior Information Risk Owners (SIROs) making, and being accountable for, local risk management decisions within their organisations and scope of authority. Although central government is moving away from the SIRO job title, the responsibility and function will remain. It is essential that local public services keep and maintain the SIRO function, at a senior level, to ensure local information governance and leadership. Under the DPA public authorities must appoint a Data Protection Officer (DPO).
The DPO has certain minimum tasks that are defined within the DPA and requires that they have professional knowledge and experience of data protection law (although no particular qualifications are specified). Organisations should consider whether the DPO will be the same person as the SIRO or whether this will be a separate role. We recommend it being a separate role.
There could be a conflict of interest between the SIRO and the DPO if the SIRO accepts a serious risk decision affecting personal data that a truly independent DPO would find unacceptable.
The drive to improve Local Public Services demands that the public sector delivers services in ways that bring benefits to citizens, businesses, staff and taxpayers alike; it is only through the better use and exploitation of information and data sharing that Local Public Services will be able to provide efficient services that meet this objective.
The continuing high profile losses of data by public and private sector organisations reduces the confidence in the public sector. Many of the data losses are wholly preventable, being the result of failings in both technical and organisational measures.
If Local Public Services are to deliver the efficient, personalised and often shared services that they aspire to, they will need to build public confidence and ensure that the public not only trust that their privacy is protected and their personal data is handled professionally, but that Local Public Services can provide appropriate assurance that it is. The DPA requires organisations to be able to demonstrate their compliance.
Back in November 2007 the Cabinet Secretary, Sir Gus O'Donnell, was asked to review the Government's procedures for data handling, and in June 2008 published 'Data Handling Procedures in Government'. The Cabinet Office guidance focuses on central Government bodies but recognises the crucial role of Local Public Services - thus the Local Government Association (LGA) and the Welsh Local Government Association (WLGA) agreed to lead on producing equivalent standards for local government. Since then there have been a number of changes in infrastructure and the general approach to Information Assurance. The austerity agenda (although coming to an end) has driven, and will drive, transformation and change towards shared services. The PSN compliance regime was based around commercial good practice. Moving forward, we need a regime that supports Cyber Hygiene and industry good practice. Much has changed over the past twelve years since the first edition of this guidance was published.
The compliance regime of the future needs to focus on more than just technical controls. This guidance has always promoted the importance of holistic Information Management, Assurance and Governance (IMAG ™)
The IMAG ™ approach encourages Corporate Information Governance, Corporate Risk Management and the inclusion of suppliers and supply chain protection, which is critical in a cloud first Internet driven world.
Articles 40-49 of the GDPR, as amended by Schedule 6 of the Data Protection Act 2018, cover the law with respect to off-shoring.
This new edition of the Local Public Services Guidance reflects those changes and highlights the progress made. We acknowledge that there has been progress. However, the number of monetary penalties issued by the ICO to local public service organisations clearly demonstrates that there is still some way to go. Whilst there haven't been many fines to Local Authorities under the Data Protection Act 2018. This document develops an approach to help organisations move towards an Information Governance regime that is fit for purpose for a Local Public Services environment, including the Public Services Network (PSN). The guidance is equally valid for those organisations not directly connected to the PSN.
This document recognises that Local Public Services are best placed to assess their own risk and put in place the necessary safeguards. This guidance aims to serve as a checklist, highlighting best practice and referencing useful resources, whilst acknowledging that Local Public Services will often maintain standards which are equivalent to, or exceed, those set out in this document. The PSN now has a much simplified compliance regime which, whilst it makes compliance simpler to attain, has not lowered the bar; there is an element of trust that organisations will mitigate the risks they have identified to the PSN compliance team.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
The standard that Local Public Services are setting themselves in this document is challenging but necessary to maintain public confidence.
If Local Public Services are to meet this challenge it will only be through first creating the right culture, and second by having the right policies and procedures in place to provide accountability and scrutiny. Therefore, the core of this report continues to be structured around five headings:
People
Places
Policies
Processes
Procedures
No public service organisation can ever say it will not lose information - but by ensuring the standards in your organisation are equivalent to, or exceed, the best practice identified in each of these sections, the public and Local Public Service Organisations can be assured that steps were taken to prevent and mitigate such an occurrence.
The General Data Protection Regulation is underpinned by a set of principles, and the key to complying with the DPA is to follow the principles. If you make sure you handle personal data in line with the principles you will go a long way towards ensuring you comply with the law.
Following the specific checklist of best practice there are two further sections: 'Top 10 Data Handling Tips', produced by the Society of Information Technology Management, and a Useful Resources section which covers offshoring, increasingly relevant for cloud computing.
People
All organisations should seek to develop a culture so that ALL staff (including your suppliers) properly value, protect and use information for the public good. Local Public Services should reinforce that information is a key business asset and that its proper use is not simply an IT issue.
As services are delivered remotely and, in time, using personal devices, training and awareness raising will significantly increase in its importance. For those using mobile devices, contextual awareness training is essential. The training needs to be backed up by policy and regularly audited and monitored.
There should be clear lines of accountability for all levels of staff throughout the organisation together with a programme of staff awareness raising - starting at induction but continually updated - on an annual basis, clearly setting out the expectations of staff.
Ensure all staff working remotely in the field, and from home, are appropriately trained.
This becomes increasingly important as more staff are mobile and often work from home. Some Local Public Services have explored “Bring Your Own Device to Work (BYOD)” or issuing staff with individual portable devices for data storage in the field and at home. BYOD specifically refers to consumer devices, which are not owned, managed or controlled by the organisation.
The use of Consumer type devices which are owned and managed by the organisation, is covered in the Government Digital Service End User Device Guidance, which is on the gov.uk public website. This guidance covers a wide range of popular devices. In addition, specific context awareness training is essential. The organisation’s boundary is no longer its buildings, it is now the mobile device.
Appropriate staff vetting and background checks should be carried out as part of the recruitment process, especially where staff will be accessing government networks and personal data. The Centre for the Protection of National Infrastructure (CPNI) is the government department responsible for advice relating to personnel and physical security; it is part of the Security Service (MI5).
The BPSS (Baseline Personnel Security Standard) document is available at:
Personnel security is also a vital component of any information risk management regime. Insider threat is a credible and increasing attack vector, whether accidental or deliberate, through disgruntled staff, blackmail or coercion. Organisations such as the Department of Work and Pensions (DWP) may still have specific vetting requirements to access their systems, aside from any PSN requirements. CPNI offer further advice on their website. Most data breaches are caused through staff negligence (insider threat). Training and awareness raising are the best line of defence to reduce this. Think before you click.
Ensure a Senior Manager fulfils the function of Senior Information Risk Owner (SIRO) to ensure there is accountability
The Public Services Network (PSN) compliance, assumes a SIRO is appointed and is accountable for Risk Management, within the organisation. Even with the demise of the PSN compliance regime, we wholly recommend the retention of the SIRO role moving forward.
The SIRO should be a senior manager who is appropriately trained and familiar with the information risk and the organisation’s response. They should provide written judgement of the security and use of the business assets at least annually to support the audit process and provide advice to the accounting officer on the content of their statement of internal control. SIROs must also be briefed and aware on Cyber Threats and Cyber Incident Coordination requirements. SIROs must ensure their organisation has a regular Cyber Exercising regime in place.
This sits alongside the appointment of other roles such as the Data Protection Officer, Information Asset Owners and Information Assurance/Security Manager. The Information Asset Owners should be clearly identified, and their responsibilities set in line with SIRO requirements. The Information Assurance/Security Manager should also have a reporting line to the SIRO. The Data Protection Manager needs to be independent, with a reporting line to the SIRO and Chief Executive or senior director. Whilst the SIRO could be the DPO, it is not a good idea as there could be a conflict of interest. Each organisation will have to make their own decision.
The NLAWARP can provide CPD certified SIRO advice training through the WARP network.
It is recommended that Local Authority security managers should be appropriately qualified and hold recognised industry qualifications.
The Local Public Services organisation must establish an appropriate framework of cyber security management and organisation (supported with appropriate staffing and training) with clear lines of responsibility and accountability at all levels of the organisation.
This must include a Board-level lead with authority to influence investment decisions and agree the organisation's overall approach to security. Each system should have an Information Asset Owner.
These are Business Managers who operationally own the information contained in their systems. Their role is to monitor the use of portable devices to understand what information is held, how it is used and transferred, and who has access to it and why, in order for business to be transacted within an acceptable level of risk.
It is a requirement of the DPA that the Data Protection Officer is experienced; this implies that some specialist training of the Data Protection Officer may be required.
Identify Users and their access rights
As part of the corporate risk management regime, it should be understood that some information threats can emanate from staff, suppliers and contractors. Insider threats, whether malicious or accidental, are a major source of data breaches and should not be ignored or overlooked. Fraud is a malicious insider threat and action.
Access to information needs to be controlled, audited and pro-actively managed. All of these aspects form part of an information risk management regime.
Users (in the context of 'personal data') are those staff, contractors and suppliers who access and process any information (e.g. personal data) for and on behalf of the Local Public Services. By default, no member of staff should have access to systems containing personal protected information without prior authorisation. Where access is authorised, such authorisation should be set to the minimum needed for staff to perform their authorised work functions. Information Asset Owners should regularly review all user access rights.
When staff or contractors leave, transfer or change roles, their system and security access needs to be reviewed and revoked where necessary.
Looking to the future, the Data Minimisation Principle and data protection by design functionality in the software will help ensure that staff only gain access to the personal data they need to perform their functions.
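The access review described above (minimum access for the role, regular IAO review, revocation on leaving or changing role) is easier to evidence if it is reconciled mechanically against the HR record. The script below is an added example and is not part of the C-TAG guidance or any council's tooling; the role-to-entitlement table, the account export format and all the names and dates in it are constructed for illustration.

```python
"""Access-rights review: reconcile system accounts against HR records.

Added example, not from the C-TAG guidance. It assumes an HR extract and a
per-system account export are available as simple records; every value in
the sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical mapping of job role -> minimum access each role needs per system.
# Access beyond this is a least-privilege finding for the Information Asset Owner.
ROLE_ENTITLEMENTS = {
    "housing-officer": {"housing-cms": "read-write"},
    "housing-manager": {"housing-cms": "admin"},
    "finance-clerk": {"finance-ledger": "read-write"},
}

# Access levels ordered from least to most privileged.
LEVELS = ["none", "read", "read-write", "admin"]


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    status: str                    # "active" or "left"
    left_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    level: str
    last_reviewed: date            # when the IAO last confirmed this access


def _rank(level: str) -> int:
    return LEVELS.index(level)


def review_access(hr, accounts, today, review_days=90):
    """Return findings as (user, system, action, reason) tuples.

    action is one of:
      revoke - no active HR record (leaver, or unknown account)
      reduce - access exceeds what the current role needs
      review - IAO review is overdue
    """
    hr_by_user = {r.user: r for r in hr}
    findings = []
    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        if rec is None or rec.status == "left":
            findings.append((acct.user, acct.system, "revoke", "no active HR record"))
            continue
        allowed = ROLE_ENTITLEMENTS.get(rec.role, {}).get(acct.system, "none")
        if _rank(acct.level) > _rank(allowed):
            findings.append((acct.user, acct.system, "reduce",
                             f"role {rec.role} needs {allowed}, has {acct.level}"))
        if (today - acct.last_reviewed).days > review_days:
            findings.append((acct.user, acct.system, "review", "last IAO review overdue"))
    return findings


# Constructed sample data: one leaver, one role change, one unknown account.
SAMPLE_HR = [
    HrRecord("alice", "housing-officer", "active"),
    HrRecord("bob", "housing-officer", "left", date(2023, 1, 15)),
    HrRecord("carol", "finance-clerk", "active"),   # moved from housing to finance
]
SAMPLE_ACCOUNTS = [
    Account("alice", "housing-cms", "read-write", date(2023, 2, 1)),
    Account("bob", "housing-cms", "read-write", date(2023, 2, 1)),
    Account("carol", "housing-cms", "read", date(2022, 9, 1)),        # old role, stale review
    Account("carol", "finance-ledger", "read-write", date(2023, 2, 1)),
    Account("dave", "finance-ledger", "admin", date(2023, 2, 1)),     # no HR record at all
]


def run_sample():
    return review_access(SAMPLE_HR, SAMPLE_ACCOUNTS, today=date(2023, 3, 1))


if __name__ == "__main__":
    for user, system, action, reason in run_sample():
        print(f"{action:7} {user:6} {system:15} {reason}")
```

The output is a list the IAO can sign off and file as evidence of the review; an account with no matching active HR record is treated as a revocation candidate rather than silently ignored, which is the case that leaver processes most often miss.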
Local Public Services/Councils should have, and execute, plans to lead and foster a culture that values, protects and uses information for the public good. Such a culture has to be embedded with ALL staff including ALL levels of management.
Local Public Services/Councils should also:
Ensure awareness raising and training is conducted at the appropriate level. Audit and record who has been trained. Regular updates should be scheduled for all employees. The ICO may expect to see these records, should a breach be notified.
Create and enforce Human Resource policies, starting with recruitment, training and induction, around information management, in particular making clear that failure to apply the Local Public Services procedures is a serious matter and, in some situations, can amount to gross misconduct.
Develop mechanisms through which individuals may bring concerns about information risk to the attention of senior management; and also develop processes to demonstrate that those concerns are taken seriously.
Local Public Services, and specifically the SIRO, Corporate Information Governance Group (CIGG) and Information Asset Owners, should consider how better use could be made of their information assets within the law. They should consider how public protection and public services can be enhanced through greater access to information held by others. Efficient and effective use of personal data processed by public bodies is a good catalyst for driving transformation and efficiency; however, such uses must demonstrate that they have complied with data protection law.
Sources of help and assistance
Being a member of a regional WARP will also ensure the Security Manager is able to advise, and keep the SIRO updated with current issues and best practice.
The LGA and Welsh LGA are committed to supporting better information Governance and Management, through the LGA Local Government PSN Board.
Information Assurance continues to be a priority issue for the Local Public Services CIO Council and the Local Government PSN Board. Cyber resilience is now a key priority and is regularly discussed at these governance boards. The work of the boards is disseminated through the regional WARPs.
Places
All Local Public Services should ensure the security of their information through the physical security of their buildings, premises and systems. There should be regular assessments of physical risks to information, which are then discussed by senior management. Physical security should be layered so that the most important processes are undertaken in the most secure areas.
Undertake regular risk assessments
Information risks should appear on the corporate risk register; this is a resource for highlighting information risk being cross-organisation, and not just an ICT issue.
In addition, risks can be reduced by:
Recording all visitors to buildings and, wherever feasible, ensure that they are accompanied whilst on the premises.
Including your physical security requirements in all supplier contracts.
Implementing a clear desk/clear screen policy to reduce the risk of unauthorised access, loss of, and damage to information during and outside normal working hours or when areas are unattended.
Ensuring rigorous adherence to all security policies (e.g. access control, password use, homeworking, data sharing, equipment disposal, Business Continuity Management, etc.).
Ensuring business continuity plans are in place and exercised at least annually.
Ensuring where personal data is held on paper, it is locked away when not in use or the premises are secured. Sensitive Paper files should be transported appropriately and securely.
Ensuring the secure disposal of information, whether electronic or paper based.
All personal data and confidential files should be securely destroyed: paper records by incineration, pulping or cross-cut shredding so that reconstruction is unlikely, and electronic media by overwriting, erasure or degaussing before re-use. This is in accordance with government guidelines. Where possible a CESG approved product or service should be used; the CESG Product Assurance Scheme (CPA) will help with this.
Wherever possible avoid the use of removable media.
Where personal data is being stored, Local Public Services must avoid the use of unencrypted portable media including laptops, removable discs, CDs, USB memory sticks, PDAs and smartphones. Failure to do so would almost certainly be a reportable data breach under The Data Protection Act, which is likely to result in formal enforcement action being taken. There needs to be a practical and pragmatic approach to this issue.
The widespread introduction of cloud services now negates the need for USB devices for data transfer. The use of secure cloud transfer services should be considered. All cloud solutions should be enterprise editions of the service, to facilitate proper audit controls and encryption.
Always seek assurances about where cloud data is stored. This is your local responsibility. Check G-Cloud assurances and accreditations. Where it is unavoidable, for personal data and other confidential files, encryption must be used for data in transit and at rest.
Those using smartphones and tablets must be aware of the risks involved. The information transferred to these devices should be the bare minimum necessary to achieve the business objective. All personal data stored in the cloud must be encrypted by default. This equally applies to processing, storage at rest and archiving.
A comprehensive set of policies should form the heart of any information governance regime. Policies need to be monitored and audited, to ensure they are being effectively enacted.
A minimum set of policies should cover:
Acceptable usage policy
End user awareness training
Business continuity and Cyber Resilience
DPA/GDPR breach notification, incident management and response
E-mail usage
E-Mail protection, configuration and testing
DNS Protection, configuration and testing
Use & control of portable media
Home & mobile working
Secure document printing
Manual (paper) document handling
Handling of faxes (They are still a useful fall back capability for emergency use).
Secure disposal and destruction of Information Assets
Log collection, processing, storage, management and analysis
Disclosure of information by telephone, face to face and in writing.
Information asset valuation
Risk management regime
Protective marking of key information, especially personal information
Use and control of personal devices
Network, System and Device Configuration and Management
The use and control of encryption software
Forensic readiness
Cyber Incident response, reporting and management
The use of Social Media
Network Protective Monitoring and Situational Awareness
Management control and monitoring of wireless networks
Management, control and monitoring of web services
Intrusion detection and monitoring
System Access Control
Patching systems, devices and network equipment
Configuration management and change control
Ensuring browsers are secure (inc. TLS levels in use)
The configuration, operations and backup of Cloud Services.
It is essential, as the complexity and volume of threats increase, that the six core areas of network security are addressed:
Boundary devices / Firewalls
Access Control
Patch Management
Secure Configuration
Malware Protection
Backups of core critical data, systems and configurations.
Whilst boundary protection is addressed above, it should be especially noted that most attacks arrive either through email payloads or through website attacks. Specialist attacks are aimed at applications and exploit vulnerabilities in software that poor patching leaves exposed. Patching remains the single biggest defence against attack.
All Local Public Services should ensure that all processes relating to systems operation and interfacing are properly documented with up-to-date information; such processes should be included in a risk assessment. It is essential that the SIRO and IAO understand fully where information is created, processed, stored and finally destroyed. Cloud services will highlight this problem further, where service assurance will be given through a robust assurance process. The service will be accredited once and used many times thereafter. This is explained in the PSN Security Model.
In addition, Local Public Services should ensure that:
a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
a systematic monitoring of a publicly accessible area on a large scale.
The same controls apply for all third party provided systems; suppliers and contractors must be subject to the organisation’s policies and procedures. These arrangements should be formalised in contracts. Cyber Essentials / IASME can help.
Looking forward, under GDPR, processors will also have their own legal responsibilities and can themselves be liable for enforcement action. Both Cyber Essentials and IASME have an optional GDPR top-up compliance assessment available.
Monitor and audit the effectiveness of their policies and, where appropriate, engage independent experts to test ICT systems and make recommendations.
Local Public Services should also:
Use all of the available security options for cloud services. (Encryption of storage and databases).
All data should be routinely encrypted, especially where cloud services are in use and when using portable media.
A standards-based approach to service management is recommended. The Information Technology Infrastructure Library (ITIL) contains a set of practices for IT Service Management (ITSM) that focuses on aligning IT services with the needs of the business. ITIL describes procedures, tasks and checklists that are not organisation-specific and can be used by an organisation to establish a minimum level of competency.
ITIL also allows an organisation to establish a baseline from which it can plan, implement and measure. It can be used to demonstrate compliance and to measure improvement. ISO 20000 is the certification standard for ICT service management; it works in close conjunction with the ISO 27000 series of information security standards, which are the baseline for PSN services.
Agile Development
The Cyber Essentials scheme can help your suppliers achieve a level of compliance, to bring confidence that their organisations take Information Assurance seriously.
Local Public Services should take care to ensure that their information is transmitted, stored and processed on systems which offer adequate levels of assurance, security and protection for the information in use. All personal data is subject to The Data Protection Act; the ICO can issue civil penalties for failing to adequately protect personal data.
It is essential, from the SIRO down through IAOs, that all staff are trained on protecting information. This training needs to be refreshed annually and detailed training records need to be maintained. If there is a data breach, the ICO may expect to see training records. As mentioned above, public authorities will be required to appoint a DPO under GDPR, who must have appropriate knowledge and experience of data protection.
Being able to demonstrate the adequacy of staff training will also be part of GDPR’s requirement to demonstrate compliance.
You will need to maintain records and keep evidence.
The ICO will expect to see evidence in the event of a breach or incident and if this is in place, it could help reduce the potential of a fine or size of fine under The Data Protection Act.
There are a number of major providers for PSN connectivity, which offers choice and variety in the marketplace. Whilst the NHS digital network is an untrusted network, there are ways to ensure the safe transit of information using encryption and other technologies. Organisations still need to assure themselves that any assertions made by PSN providers are valid, robust and fit for purpose. A supplier simply being on the PSN or G-Cloud is not in itself sufficient assurance at OFFICIAL.
There is work being undertaken to explore alternative compliance regimes for those organisations leaving the PSN. The direction of travel (March 2021) is the use of the Cabinet Office’s Minimum Cyber Security Standard. This will be combined with other measures and will in due course move towards continuous automated network posture scanning.
These approaches are a step towards collaboration between Local Public Services and other public sector partners to reduce risk and to lead greater efficiency. Organisations should pay particular attention to the security of the systems on which their bulk and aggregated data is stored and the mechanisms used to access and transfer that data by users and business partners. Assurances should be sought from providers about their security processes and posture.
Where it is not possible to access information on secure premises and systems, the following should apply:
Next best is secure transfer of information to a remote encrypted computer on a secure site on which it can be permanently stored
Decisions on handling/transfer of information should be approved in writing by the relevant Information Asset Owner
User rights to transfer information to removable media should be carefully considered and strictly limited. If removable media has to be used, and supported by a business case, the media must be encrypted.
Wherever possible, the bulk transfer of information should only be carried out via a secure network, using VPN and encrypted transfer methods.
Whenever possible, we strongly recommend two factor authentication be deployed for access control, whether at the system level or on access devices.
Where information needs to be shared between public sector organisations, the Public Services Network (PSN) will be used wherever possible. This will facilitate the transfer of information across the wider PSN and interlinks with other secure Government Networks including Health and Criminal Justice. Encryption should be used with VPN links. Assurance across the connection should be sought.
It is never acceptable to transfer bulk personal data via normal email services – even when encryption is used. Properly designed and configured bulk file transfer services should be used.
There are now approved G-Cloud assured services that can facilitate secure file transfer. Some of these services are also CPA approved in addition to G-Cloud. Always seek assurances about the type and level of assurance or accreditation a product or service holds.
Get written assurances about where the information is stored and processed. Ask to see the assurance certificate and residual risk statement. Although a product may be assured, that does not mean it is automatically fit for purpose for your organisation’s needs or requirements.
Your SIRO will need to agree that the application is applicable to your organisation and within your organisation’s risk appetite.
The PSN, PNN, Health and other networks require annual network security health checks (‘Penetration Testing’). These annual tests need to be carried out, reviewed and acted upon.
We strongly recommend always using a CHECK based, fully credentialed IT Health Check for PSN connected services. As we move from the PSN regime, independent testing is still critical.
This ensures the correct scoping of the test and will give you the confidence the CHECK team is testing your network and systems against the latest threats. Any organisation processing personal data (including charities), should undertake appropriate testing.
The scope of IT Health Checks must as a minimum include:
Web Services, including Websites
A sample of end user devices
Wireless networks
e-mail services
Cloud services
DNS Services
Email security
Mobile devices
Servers
VPN Servers / Proxy Servers
Network gateways
Access controls systems
Active Directory, Directory Services
Because of the prevalence of malware and cyber attacks, credentialed internal tests should also be carried out, that is, full white-box testing.
The scope of the IT Health Check and the report produced, should clearly identify all vulnerabilities and make recommendations for mitigations and remedial actions. These should reference the code of connection controls the vulnerability relates to. IT Health Check reports should be easy to read and understand, to assist the SIRO in ensuring the required remedial action plan is carried out and completed during the current year.
Detailed, relevant and consistent reporting is another reason why we strongly recommend specifying a CHECK based IT Health Check. It is possible for a CHECK company to undertake an IT Health Check outside of the CHECK scheme, which is why you need to be specific. We cannot emphasise enough the need to continue independent penetration testing and regular internal vulnerability scanning post PSN.
The checks should also cover the personnel and physical security aspects of the corporate network and its controlled devices. In addition, the Code of Connection requirements should ensure that all inter-connected third party networks are at least as secure as the main network. All networks are to be properly documented and diagrammed, with a robust change control and patching regime in place.
Since the last edition, much has changed with the sheer volume and complexity of cyber attacks. We are now recommending that e-mail and DNS services be reviewed and secured. We recommend all organisations to register for the full suite of NCSC Active Cyber Defence products, especially the PDNS service and the NEWS service.
Secure web browsers
You also need to ensure you use the latest browser technologies and configurations.
Conducting Data Protection Impact Assessments for new systems, should be one of the first considerations. This applies to new systems being implemented or old ones that are being updated. Data Protection Impact Assessments are supported by the Information Commissioner and are:
“…a process whereby a project’s potential privacy issues and risks are identified and examined from the perspectives of all stakeholders (primarily data subjects) and a search is undertaken for ways to avoid or minimise privacy concerns…”.
See: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/
For new systems containing personal data or other confidential information, Local Public Services should aim to have services accredited to Government standards, for use in a PSN environment. Whilst formal assurance for new systems in Local Government is not mandatory, there does need to be an understanding of the value and impact of information stored and processed in a system to ensure proper technical controls are applied to protect that information. Ensure appropriate and adequate technical measures to safeguard personal data. There is also a requirement to have organisational structures in place, covering Information Governance, Technical Controls and Information Sharing Agreements.
When procuring new systems, Local Public Services should also consider putting in place arrangements to log activity of users in respect of protected personal data and for asset owners to check it is being properly conducted.
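The logging arrangement just described is only useful if the asset owner can actually check it. The script below is an added example, not code from the C-TAG guidance or any product: it reads a constructed audit log of access to a system holding personal data and flags the three things an IAO would most want to see on a periodic review (access by someone outside the authorised list, a bulk export, and out-of-hours activity). The log line format, the authorised-user table, the thresholds and the working-hours window are all assumptions.

```python
"""Periodic IAO review of an audit log of access to personal data.

Added example, not part of the C-TAG guidance. The log format (ISO-8601 UTC
timestamp followed by key=value pairs), the authorised-user list, the bulk
threshold and the working-hours window are assumptions; the sample log lines
are constructed.
"""
import re
from datetime import datetime, timezone

# Hypothetical audit line: "<timestamp> key=value key=value ..."
LINE_RE = re.compile(r"^(\S+)\s+(.*)$")

# Users the Information Asset Owner has authorised on each system (assumption).
AUTHORISED = {
    "housing-cms": {"alice", "bob"},
}

BULK_THRESHOLD = 500          # records in one export that warrants IAO sign-off
WORKING_HOURS = range(7, 20)  # 07:00-19:59 UTC treated as normal working hours


def parse_line(line):
    """Parse one audit line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    except ValueError:
        # Bad timestamp or a token without '=': skip rather than crash the review.
        return None
    fields["ts"] = ts.replace(tzinfo=timezone.utc)
    return fields


def review_log(lines):
    """Return (user, system, finding) tuples for the IAO to examine."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, system = ev.get("user"), ev.get("system")
        if user not in AUTHORISED.get(system, set()):
            findings.append((user, system, "unauthorised-user"))
        if ev.get("action") == "export" and int(ev.get("record_count", 0)) >= BULK_THRESHOLD:
            findings.append((user, system, "bulk-export"))
        if ev["ts"].hour not in WORKING_HOURS:
            findings.append((user, system, "out-of-hours"))
    return findings


# Constructed sample log: normal access, a late-night view, an unauthorised
# user, a bulk export, and one malformed line that the parser must tolerate.
SAMPLE_LOG = [
    "2023-03-01T09:12:01Z user=alice system=housing-cms action=view record_id=1001",
    "2023-03-01T22:40:13Z user=bob system=housing-cms action=view record_id=1002",
    "2023-03-01T10:05:44Z user=carol system=housing-cms action=view record_id=1003",
    "2023-03-01T11:30:00Z user=alice system=housing-cms action=export record_count=2400",
    "this line is not an audit record",
]


def run_sample():
    return review_log(SAMPLE_LOG)


if __name__ == "__main__":
    for user, system, finding in run_sample():
        print(f"{finding:18} {user:6} {system}")
```

A finding is not itself a breach; it is the item the asset owner signs off or escalates, and keeping the reviewed output alongside the log is the kind of evidence the ICO may ask for after an incident.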
Ensure that your suppliers and contractors adopt equivalent standards
Local Public Service organisations should mandate equivalent standards where they can and seek to influence others where they cannot mandate in all instances when suppliers are handling information on their behalf. There are contractual obligations in The Data Protection Act that require the contracting authority to be satisfied as to the standard of security offered by suppliers who process personal data, and to assess that those standards are maintained throughout the period of the contractual relationship.
The data processor must provide sufficient guarantees in respect of the technical and organisational measures they take to protect personal data, and the data controller (in this paragraph the contracting authority) must take reasonable steps to ensure compliance with those measures. There must be a contract (in writing) which requires the data processor to act only on the instructions of the data controller.
All Local Public Services should work towards producing a Corporate Information Risk Policy which sets out how they will implement the measures in this document, as well as produce policies for risk reporting and risk recovery. They should ensure that there are mechanisms in place to test, monitor and audit the policies and procedures of the Local Public Services.
The policy should set out how to implement the measures in this document in relation to Local Public Services activities and that of delivery partners, and monitor compliance with the policy and its effectiveness.
At least once a year, the SIRO, or a nominated individual on their behalf, should complete a Corporate Information Risk Plan. This plan should be reviewed through the Corporate Information Governance Group (CIGG). Review all assessments and examine forthcoming potential changes in services, technology and threats. This should form the basis of the Corporate Information Governance work plan for the following year.
A brief note for charities and Schools
Eduwarp
Produce an Information Recovery Policy
Risk reporting mechanisms
Local Public Services should regularly review, test, monitor and audit their policies and procedures. This should include a range of measures from testing awareness and the understanding of policies among staff, to testing the implementation of specific procedures such as correct use of encryption, appropriate user rights, use of removable media and correct disposal and destruction of information. Consider the implications for cloud and mobile service.
The Information Commissioner has published a statutory Code of Practice on data sharing which is available on the ICO website; failure to adhere to this guidance will become an important factor in any breach of procedure in connection with data sharing. Chapter 14 of the Data Sharing Code of Practice covers this in detail.
Sharing personal data about people is central to effective care and service provision across the whole service sector, both public and private. Several high-profile national failures, where organisations have not shared information, have been highlighted in the news. It is generally recognised that sharing information can bring many benefits in providing integrated services and in safeguarding and promoting those services.
These threats continue to emerge, and the same mistakes continue to be repeated. Child Protection remains a critical issue. CEOP (Child Exploitation Online Protection) can provide help and guidance; CEOP is now part of the National Crime Agency (www.nca.gov.uk). In particular, this concerns those organisations that hold information about individuals and who may consider it appropriate or necessary to share that information with others.
The Data Sharing Agreement should provide a framework for staff to work with to identify what information they need to share, and should be sharing, with partner agencies and document agreed terms for that sharing.
Data Sharing Agreement
A Data Sharing Agreement should set out the purposes for sharing specific sets of information, for a specific business purpose. It is aimed at operational management and staff, to provide them with details of:
The processes for sharing information
The specific purposes served
The people it impacts upon
The relevant legislation powers
What information is to be shared and with whom
Where the information will be stored, processed and transmitted
Any operational procedures
The process for review
How and when the information will be destroyed
How a breach will be notified and managed
Adherence with other recommendations in the statutory data sharing code of practice
Any consent process involved
Where and how long the information will be kept for
How the data will be destroyed and all parties informed
If a party of the agreement is succeeded or disbanded, what will happen to any information held
The Accord is a common set of principles and standards under which partner organisations will share information. WASPI is part of the Sharing Personal Information (SPI) programme. The programme was established to enable public sector services, as well as third party and private sector providers, where appropriate, to share personal data on individuals; legally, safely and with confidence. Its aim is to ensure that the public receive services that are coherently and collaboratively delivered and effectively based on need and safeguard the individual when necessary. In Wales, organisations need to jointly develop supporting information sharing protocols using the Guidance, template and checklist provided on the WASPI website.
Cyber Resilience
http://www.stgeorgeshouse.org/wp-content/uploads/2016/04/Local-Leadership-in-Cyber-Society-Report.pdf
Cyber Incident Response
We have produced a Cyber Incident Response Primer which will help organisations to develop and write their Cyber Response Plans. The primer can be downloaded from:
There is a cyber incident response golden hour guide at:
Appendices
NLAWARP DPA/GDPR Top 10 Tips
Train your staff, raise awareness and keep records of all training carried out.
Appoint a Data Protection Officer – you can share one, but you do need one.
Oversee DPA/GDPR implementation – Corporate Governance Group – have a plan.
Ensure supplier contracts protect your personal data - are they adequate?
Know where all of your personal data resides. Produce an information asset register.
Record Data Protection Impact Assessments for all systems. Manual and electronic.
Manage all devices whether corporate or personal, that process your personal data.
Maintain records and evidence of all DPA/GDPR related contracts and activities.
Be clear about all off-shoring decisions – where is the data, and is protection adequate?
Implement and exercise incident plans. Breach management and notifications.
Top Ten Tips for Mobile Devices
Understand and evaluate the risks of the use of such devices.
Have policies in place, which require contextual awareness training.
Each person signs a personal undertaking to protect the information on the device.
When staff leave, they should sign an undertaking that Local Public Services data has been deleted from their personal devices; have a full leavers policy in place.
All device security features should be enabled, firewall, password, pin and encryption.
The device should be regularly patched / updated. Limit device features.
Ensure devices and corporate personal data are encrypted; use two-factor authentication wherever possible.
Use a shell/secure application environment on the device to protect corporate information.
Review the risks associated with the use of the device at least annually, or sooner when a significant change occurs.
Aftercare: ensure the ongoing delivery of updated information and training on device risks, including a Help Desk and incident reporting process.
NLAWARP Top tips for Home working
At the start of a remote call, check who’s there, do a roll call.
Always get permission before recording calls.
Always be on mute when not talking.
Be aware of what’s visible on camera.
Be clear whether it is a public or an internal meeting.
Ensure any chat is erased after the call.
Always check and know the security settings of the platform you’re using.
Always lock your screen when leaving your machine unattended.
Always be vigilant about clicking links in emails. Think before you click.
Report anything suspicious you notice (a slow machine, unusual pop-ups, etc.).
The ICO enforces and oversees The Data Protection Act, the Freedom of Information Act, the Environmental Information Regulations and The Privacy and Electronic Communications Regulations. They provide information and advice, and their website contains useful sources of best practice documentation and practitioner guides.
Regional Local Authority WARPs are communities of practice delivering subscription based services where members meet face to face and share up-to-date advice on information security threats, incidents and solutions. The WARPs also support training and professional development for their members and undertake an annual risk survey, for benchmarking IA maturity.
C-TAG (Cyber Technical Advisory Group)
Hosted by Socitm and reporting into the Socitm Local CIO Council, C-TAG is a UK-wide independent collaboration group. Its membership has representation from the Regional WARPs across the UK, the LGA, MHCLG, NCSC, Cabinet Office and the devolved administrations, as well as representatives from the Police and NHS. C-TAG undertakes projects for the common good across the Local Government sector and is able to accept project funding and grants to enable projects.
A framework used in Wales for service providing organisations directly concerned with the wellbeing and safety of an individual, to share personal data between them in a lawful and intelligent way. It applies to all public sector organisations, voluntary sector organisations and those private organisations contracted to deliver relevant services to the public sector who provide services involving the health, education, crime prevention and social wellbeing of people.
Digital Ethics
Ethics and Data Protection in Artificial Intelligence
In the UK, official bodies such as the Office for Artificial Intelligence, the Centre for Digital Ethics and the Information Commissioner's Office are working closely with the Digital Ethics Lab, the Alan Turing Institute, the Open Data Institute and Digital Catapult in championing digitally ethical practice across the UK public sector.
Taken together, we are seeing an emerging set of common core values or attributes, built upon the combined disciplines of bioethics and responsible AI (see Fig 1 below), that can inform wider digital and cyber ethical practice:
Figure 1
Beneficence: do good. Benefits of work should outweigh potential risks.
Non-maleficence: do no harm. Risks and harms need to be considered holistically, rather than just for the individual or organisation.
Autonomy: preserve human agency. To make choices, people need to have sufficient knowledge and understanding.
Justice: be fair. Specific issues include algorithmic bias and equitable treatment.
Explicability: operate transparently, so that how a system works and the outputs it produces can be explained.
ICDPPC Declaration on Ethics and Data Protection in Artificial Intelligence
1. Artificial intelligence and machine learning technologies should be designed, developed and used in respect of fundamental human rights and in accordance with the fairness principle, in particular by:
Considering individuals’ reasonable expectations by ensuring that the use of artificial intelligence systems remains consistent with their original purposes, and that the data are used in a way that is not incompatible with the original purpose of their collection,
taking into consideration not only the impact that the use of artificial intelligence may have on the individual, but also the collective impact on groups and on society at large,
ensuring that artificial intelligence systems are developed in a way that facilitates human development and does not obstruct or endanger it, thus recognizing the need for delineation and boundaries on certain uses,
2. Continued attention and vigilance, as well as accountability, for the potential effects and consequences of, artificial intelligence systems should be ensured, in particular by:
promoting accountability of all relevant stakeholders to individuals, supervisory authorities and other third parties as appropriate, including through the realization of audit, continuous monitoring and impact assessment of artificial intelligence systems, and periodic review of oversight mechanisms;
fostering collective and joint responsibility, involving the whole chain of actors and stakeholders, for example with the development of collaborative standards and the sharing of best practices,
investing in awareness raising, education, research and training in order to ensure a good level of information on and understanding of artificial intelligence and its potential effects in society, and
establishing demonstrable governance processes for all relevant actors, such as relying on trusted third parties or the setting up of independent ethics committees,
3. Artificial intelligence systems transparency and intelligibility should be improved, with the objective of effective implementation, in particular by:
investing in public and private scientific research on explainable artificial intelligence,
promoting transparency, intelligibility and reachability, for instance through the development of innovative ways of communication, taking into account the different levels of transparency and information required for each relevant audience,
making organizations’ practices more transparent, notably by promoting algorithmic transparency and the auditability of systems, while ensuring meaningfulness of the information provided, and
guaranteeing the right to informational self-determination, notably by ensuring that individuals are always informed appropriately when they are interacting directly with an artificial intelligence system or when they provide personal data to be processed by such systems,
providing adequate information on the purpose and effects of artificial intelligence systems in order to verify continuous alignment with expectation of individuals and to enable overall human control on such systems.
4. As part of an overall “ethics by design” approach, artificial intelligence systems should be designed and developed responsibly, by applying the principles of privacy by default and privacy by design, in particular by:
implementing technical and organizational measures and procedures – proportional to the type of system that is developed – to ensure that data subjects’ privacy and personal data are respected, both when determining the means of the processing and at the moment of data processing,
assessing and documenting the expected impacts on individuals and society at the beginning of an artificial intelligence project and for relevant developments during its entire life cycle, and
identifying specific requirements for ethical and fair use of the systems and for respecting human rights as part of the development and operations of any artificial intelligence system,
5. Empowerment of every individual should be promoted, and the exercise of individuals’ rights should be encouraged, as well as the creation of opportunities for public engagement, in particular by:
respecting data protection and privacy rights, including where applicable the right to information, the right to access, the right to object to processing and the right to erasure, and promoting those rights through education and awareness campaigns,
respecting related rights including freedom of expression and information, as well as non-discrimination,
recognizing that the right to object or appeal applies to technologies that influence personal development or opinions and guaranteeing, where applicable, individuals’ right not to be subject to a decision based solely on automated processing if it significantly affects them and, where not applicable, guaranteeing individuals’ right to challenge such decision,
using the capabilities of artificial intelligence systems to foster an equal empowerment and enhance public engagement, for example through adaptable interfaces and accessible tools
6. Unlawful biases or discriminations that may result from the use of data in artificial intelligence should be reduced and mitigated, including by:
ensuring the respect of international legal instruments on human rights and non-discrimination,
investing in research into technical ways to identify, address and mitigate biases,
taking reasonable steps to ensure the personal data and information used in automated decision making is accurate, up-to-date and as complete as possible, and
elaborating specific guidance and principles in addressing biases and discrimination, and promoting individuals’ and stakeholders’ awareness.
National Data Strategy: adopting a responsible data approach
The strategy notes that government has a responsibility to ensure that there is a clear and predictable legal framework for data use that can both spur the innovative use of data, especially for purposes in the public interest, and earn people’s trust. It also recognises the government has a further responsibility to ensure that the infrastructure on which data relies is secure, sustainable and resilient enough to support ongoing digitalisation, economic growth and changes to the way that we live and work, together with a clear commitment that the public sector must also be transparent and prepared to open itself up to scrutiny over its own use of data.
The government strategy recognises that it will only be able to build and maintain public trust by ensuring and clearly demonstrating that its approach to data is rooted in appropriate levels of transparency, robust safeguards and credible assurances. To do this the public sector is seen as needing to open themselves up to scrutiny, increase public engagement and improve the publishing of data by which progress can be measured.
Principles into practice: What can help
those with a compliance focus, such as data protection officers (DPOs), general counsel, risk managers, senior management, and the ICO's own auditors; and
technology specialists, including machine learning experts, data scientists, software developers and engineers, and cybersecurity and IT risk managers.
The guidance also clarifies how to assess the risks to rights and freedoms that AI can pose from a data protection perspective; and the appropriate measures you can implement to mitigate them. It corresponds to data protection principles, and is structured as follows:
The guidance emphasises the importance of the wider accountability principle, which makes individuals and organisations responsible for complying with data protection and for demonstrating that compliance in any AI system. In an AI context, it sees accountability as requiring you to:
be responsible for the compliance of your systems;
assess and mitigate its risks; and
document and demonstrate how your systems are compliant and justify the choices you have made.
auditing tools and procedures that we will use in audits and investigations;
this detailed guidance on AI and data protection; and
a forthcoming toolkit designed to provide further practical support to organisations auditing the compliance of their own AI systems.
The ICO guidance is also supplemented by the following online resources:
In addition, a number of expert institutions have produced guidance around the need for greater algorithmic transparency, particularly within the public sector.
This discussion shows the linkages to the Digital Ethics Framework and the Data Handling Guidelines.
Background & Context
The relationship between data ethics and data handling may not be immediately obvious. However, over the last few years a lot has changed with automation, machine learning and other aspects, and we have started to think about a new model that explains what this looks like. The work carried out by William Barker has developed the Digital Ethics model.
The principles of Digital Ethics:
· Beneficence: do good. Benefits of work should outweigh potential risks.
· Non-maleficence: do no harm. Risks and harms need to be considered holistically, rather than just for the individual or organisation.
· Autonomy: preserve human agency. To make choices, people need to have sufficient knowledge and understanding.
· Justice: be fair. Specific issues include algorithmic bias and equitable treatment.
· Explicability: operate transparently, so as to explain how systems work and their outputs.
The latest version of the Data Handling Guidelines includes a more expansive description of this work.
There are a number of conceptual and logical aspects that need to be taken into account. Traditionally in ICT we started by thinking about the strategy, which defines the overall objectives, the vision and the mission; these are normally encompassed through policy.
A set of principles or a more defined and specific policy gives us the handrails and defines both the scope and the exclusions (red lines) relating to that policy. A policy when properly defined should always use action centred language, that is verbs and actions, which can then be quantified and turned into key lines of enquiry and measured through defined metrics.
Figure 2. The new Integrated Approach © M Brett 2021
The next stage of the Data Handling Guidelines leads to the processes and procedures: the operational aspects of ICT and, finally, the tactical aspects, which are about keeping the service running and dealing with things when they go wrong. The resilience and incident response aspects pick those up.
We have considered the supporting aspects of that traditional view of strategy, policy, operations and tactics. This part of the conversation also includes information governance, which is where the Data Handling Guidelines really start. This has become more and more apparent over the last couple of years, especially with the emergence of artificial intelligence and its embedding in a number of devices through the Internet of Things.
An emergent theme is that of Physical Cyber Systems (PCS). PCS reflect operational capabilities, and digital ethics are now absolutely critical. The Digital Ethics Principles themselves support strategic decision making through the ethics embedded in algorithms and machine learning.
The in-built decision logic or machine learning frameworks have to have gone through an ethical check, as many PCSs will be deployed as “fire and forget”, maybe in service for many years, sitting in the corner, doing what they are doing without any further thought or intervention.
We have to make sure that data is accurate, relevant and timely, which has always been supported through information assurance (IA). Information assurance has always considered the confidentiality, integrity and availability of information. The ethical dimensions make sure that the information does not cause harm and actually protects the individual.
Artificial intelligence generally is encompassed in algorithms, and even the UK Data Protection Act now has specific protections for citizens, businesses and data users around the right to challenge automated decisions made on your behalf, these aspects having been enshrined in data protection law. The significance of these subtle nuances is often misunderstood by lay people.
To help articulate this, the Data Handling Guidelines are a good framework, in so far as their overarching principles have always been based around people, places, policies, processes and procedures. The Data Handling Guidelines were originally written back in 2008, in response to the loss of two data CDs containing a huge UK wide data set.
Figure 3. Data Handling Guidelines Over-arching domains © Mark Brett 2021
People
The people aspect reflects the fact that people are often the weakest link in the process, whether that's maliciously or through mistakes and errors.
Places
The places aspect looks at physical security, and of course places now also covers smart technologies, place based technology and the like.
Policy
Policy remains the heart and central aspect of the Data Handling Guidelines because, from the previous model, that is how we actually hook together the world of strategy and the vision driven things with the world of the operational and tactical things.
Processes
The processes aspect is how we engage with the exchange of information and data within systems. Systems are all woven together and interlinked. There are always data flows, and these are picked up through data schemas, information taxonomies, metadata and interfaces. Likewise, data handling and the Data Protection Act look at cloud based systems as much as they do physical on premise systems. So the process aspect of the Data Handling Guidelines picks up all of the data flows and information flows between systems and technologies.
Procedures
The procedures are the final gritty part where things get written down, actually followed and taken on the customer journey. Under the Data Protection Act we need to have data protection impact assessments, and these DPIAs themselves are the logical journey, the customer journey, through the data sets, so there should always be a data flow diagram.
As we said earlier on, if these things are being automated through the Internet of Things (IoT), which encompasses Cyber Physical Systems (CPS), then ethics has to come in right at the start. So the contention now is that data ethics is as important as information security and assurance in making sure that a system is safe, secure and fit for purpose. In order to facilitate this, a C-TAG paper we produced around information assets explains the “SCRAPE” framework.
Figure 4. SCRAPE Framework © Mark Brett 2021
Systems
The systems aspect is there to make sure that we undertake risk assessments, understand the value of the data and completely lay out how a system looks, at both the physical and logical level, in its components. These are known as high level and low level designs, and they are articulated through functional and non-functional requirements.
Cartography
This leads on to cartography, which is basically about diagramming, and making sure that the whole of the data flows, the taxonomies and the information schemas are all mapped out.
Registers
Registers consider how the information is put together, and you then have orthogonal data sources that are immutable. For instance, if you look on the gov.uk website, there is an immutable list of all of the countries that are officially recognised on the planet. That list needs to be immutable because it needs to be a final point; it needs to be a single source of the truth. So we need registers to say what the truth looks like, and that can then be applied against information integrity to make sure that data has not been altered.
Attributes
Attributes looks at information attributes and the way that information is structured, in terms of confidentiality, integrity and availability, but ethical dimensions need to be put in place across the top of those as well.
Patterns
When we talk about a pattern, that is something like an architectural diagram, or a pattern for doing something in a set way. This is going to be especially useful for the Internet of Things; likewise how not to do things, and those are called anti-patterns. So under agile, putting together user stories and architectural patterns gives you a rich picture of how to design things, time and time again, to make sure that they are safe and secure, and this will be especially useful for the Internet of Things.
Ethics
Ethics means taking the ethical principles and laying those over the top of the data and information, which then feeds into the asset discovery framework, which is based around five domains:
Figure 5. The 5 D Information Asset Management Model © Mark Brett 2009-2021
Decision
Decision is to look at whether the information asset needs to exist in the first place.
Discovery
Discovery is working out how the information asset is going to be deployed, where it fits in, and how its integrated.
Determination
Determination is to value it in terms of harm, ethics and its information risk and assurance.
Deployment
Deployment is about how the information is configured and actually put into the systems and how it will be used on a daily basis. So in other words, that is looking at data protection impact assessments: who is going to have the information, where the information is going to be listed and live, what it is going to be used for, how it is going to be used and why it exists in the first place.
Destruction
We should always start with destruction, the end game, after necessary retention, how will you ensure the data is safely and appropriately destroyed, including all backup copies. Remember it may take a year or longer after destruction for all of the backups to be cycled off and destroyed.
Finally, we consider the “Underpinning Cyber Aspects”, which have been developed as a way of mapping a journey path through all of these different things, because it is just as important to make sure that information is properly resilient, and that goes back to the tactical aspects of Cyber Resilience and Cyber Incident Response.
Figure 6. Underpinning Cyber Aspects © Mark Brett 2021
References
Some of these issues are also discussed in a recent article:
Introduction
Information Asset Registers are nothing new, the original concepts go back to the ICL 2900 series mainframes under VME/B and the ICL Data Dictionary model [5]. The Data dictionary was revolutionary as it recorded both the physical real world practices and procedures and mapped them to their logical programs and processes. This meant that Business analysts could design systems and services seamlessly in the real world, then map the data attributes into data schemas and taxonomies.
When we focus on confidentiality, we are always thinking about access control and encryption. When we talk about integrity, we are thinking about the information on the systems and services being accurate, not tampered with, and non-repudiation. And when we are thinking about availability, this is actually about availability of systems and services, which covers the areas around backups and disaster recovery. In pulling together asset registers, we are also concerned with network components and their manufacturers, and with things like operating system types, versions and patch levels within them. We further need to consider how long it is since the configuration information was updated, if indeed an information asset register exists in the organisation.
We need to understand how long it will be until these systems are due to be replaced. The main reason for wanting this is that if we find a particular vulnerability or exploit appertaining to a certain manufacturer or type of kit, knowing who has that specific equipment and what the patching level is will help quickly determine if an organisation is at risk of a systems breach or compromise if attacked with a certain exploit. If they are adequately patched, they may not be vulnerable.
Knowing the profile of equipment deployed, the relevant patching and software versions, and how they are configured will help network defenders. Also, those charged with national network defence will be able to quickly and efficiently contact those organisations and tell them about vulnerabilities and provide actionable intelligence to help them defend their networks and infrastructure.
Context
The main international standard for Information Security is ISO27001, which covers a number of domains relating to Information Security. We must however consider other aspects such as Information Risk Management, Assurance and Governance. Other ISO standards cover these areas, so even the standards are many and complex. There is a hierarchy which covers elements from the physical network, through to servers, operating systems, applications, data and access control. These elements are all interlinked, and it is proposed that you should not consider them in isolation. This paper proposes an approach and flags some of the core issues and questions.
This paper is also a foundation for further research in the area and explores a novel deployment of some social science research methods and approaches. The overall information system comprises all of the components (attributes) necessary for its operation; the hub of the system is the server which hosts the application. There will be a number of supporting components, including the file storage, the access control system and the supporting operating system.
Many systems today are run and supported on databases. Servers themselves need to be accessed. In the old days terminals were hard wired to servers. Today, we generally access a server through a network. This can be a local network (LAN) or a wide area network (WAN). Today, we tend to use the Internet as an integrated part of the Corporate infrastructure, by deploying VPNs (Virtual Private Networks). These VPNs then connect to either on-premises servers or to cloud services, such as Amazon, Microsoft or Google. There is an emergent theme of multi-cloud and hybrid cloud (both on premises and Public Cloud based). [7] When we mention Public Cloud we mean a Virtual Private Cloud (VPC). [8].
All of the network and infrastructural components need to be identified, quantified, risk assessed and assured. This is especially important in the context of Zero Trust Computing and as an aid to Operational Cyber Resilience and Response planning and coordination.
This paper proposes an approach to identify, quantify and report on the components in an organisation's infrastructure. The proposed approach covers both the hardware (whether logical, physical or conceptual) and the software systems, to provide a heterogeneous taxonomy for planning, Cyber defence, assurance and incident management.
The reason for this type of granular consideration is to ensure all components of the system are taken into account, because attackers will try to exploit any available attack vector, even though most attacks are predicated on emails, websites and direct attacks on Internet facing servers. Good documentation and asset registers will enable rapid identification of vulnerable information assets. We refer to network and infrastructure equipment as information assets as they are configurable and therefore can be assessed against Confidentiality, Integrity, Availability and Non-Repudiation.
Asset Descriptions and Registers
Information Asset Registers have been in use for some time, they are acknowledged by the Information Commissioners Office (ICO) [1]. In the context of this paper, we propose a wider and deeper use of Information Asset Registers to annotate and record the network and Infrastructure components deployed within an organisation. The concept was first explored by the author in a previous paper in 2021 [2].
Methodology
There are a number of academic research methodologies that are useful in this space, and a mixed-methods approach is being taken to undertake and understand this work. The overarching approach is to use qualitative methods within a practice based research framework [15].
The actual project around the replacement of PSN (Public Sector Network) compliance is effectively a live real world problem, requiring tools and techniques to understand, analyse and work towards solving it. An Agile approach to the process is being used; whilst not a formal research method, it does provide useful context and will foster better understanding of the constructs and issues by stakeholders, namely Local Authority compliance and security managers.
The Agile methodology is widely used and understood in central and local government in England and Wales [9]. MHCLG Digital [10] use agile as their delivery method, so any proposals we make will be of greater use if they interface with agile. The NCEF (NLAWARP Cyber Exploitation Framework), developed and presented at the Cyber Practitioners Conference in York in 2017, is one such Conceptual Framework, which acts as an aide-memoire to security architects and network defenders in an agile environment. These frameworks were developed after consulting with a number of regional WARPs (Warning, Advice and Reporting Points) from 2013-17 [51].
Figure 1 The NCEF Framework
The NCEF framework is predicated on a number of questions to help shape and refine the infrastructure design. This approach helps walk the architect or agile product designer through the landscape to build a profile and ensure all necessary steps are covered, to form a holistic approach to zero trust design from an information security / assurance perspective.
NCEF1 What does the network look like, discovery, diagrams and documentation?
NCEF2 What's happening on the network, logs and monitoring?
NCEF3 What does normal network traffic look like (SIEM)?
NCEF4 What bad stuff is out there on the network (detection)?
NCEF5 Do we have bad stuff? - Use tools for NCEF3 & Mitre Att&ck Framework
NCEF6 How do we remove our bad stuff from the network?
NCEF7 How do we keep bad stuff out of the network?
NCEF8 How do we respond to the bad stuff, through incident response (develop playbooks)?
NCEF9 How do we report bad activity (Security Incident & Event Management (SIEM))?
NCEF10 How do we prepare and practice dealing with bad stuff (Cyber Resilience Exercising)?
© NLAWARP 2017-21
Figure 2. NCEF enquiry questions
A Conceptual Framework [11] is a way of mapping and showing the relationship between a collection of variables, some fixed and some dynamic. In this case the variables are network components and information governance issues. Once you have identified your variables, they can be assembled, mapped and clustered together. This clustering starts to show relationships and helps the formation of categories; Grounded Theory [12] is used to produce data clusters. Management students will be familiar with the Business Model Canvas [13] and similar canvasses and approaches [16]. Many modern tools, such as the agile “Kanban” [17] approach and software like Trello [18] and MIRO [19], all fit beautifully with Grounded Theory and conceptual frameworks. These in turn fit with Systems Thinking [20], Wicked Problems [21], Wardley Maps [22] and weak signals [23], which in Grounded Theory are outlier variables. I have explored some of these issues in a paper on Horizon Scanning [24].
Quantification of information assets, using Grounded Theory [25], allows for the categorisation of Information Assets in the way that Grounded Theory allows for the categorisation of issues within a community. It is hoped that the introduction of these Social Science research methodologies [27] into areas traditionally serviced by Software Engineering [28] and other Computer Science methodologies [29] will prove innovative and useful to other researchers. In developing this work I have been influenced by the Deep Work approach [30] [31] and the Zettelkasten [32], which has helped to shape the structure. I believe this approach brings a whole range of Qualitative Social Science tools into play in a novel and innovative way that not only helps map the landscape, but also helps to identify some of the soft cultural issues that affect information management and governance. The Covid-19 pandemic of 2020/21 has forced many organisations to work from home and to collaborate and operate in a virtual environment.
The SCRAPE Framework
It is contended that Information Asset Registers are an essential part of Cyber Security, Information Assurance and Cyber Incident Response moving forward. There is anecdotal evidence in some Local Authorities that Information Asset Registers do not exist for this purpose. This view has been formed over the past few years, through discussions with Local Authorities during Cyber Incidents, through on-line forum discussions and during Cyber Incident Response Training.
Therefore the proposal is to offer an approach to Local Authorities, to develop an Information Asset Register approach and to implement it as part of their Cyber Incident Response Planning.
As we are advocating an approach to move from static plans to dynamic playbooks, Information Asset Registers will be a very useful planning and response tool.
Whilst thinking about this problem and a practical approach to implementation,
Systems
Cartography
Registers
Attributes
Patterns
Ethics
Systems
When we talk about systems in this context, we are referring to a discrete system, for instance Housing Benefits or Council Tax. The systems can also be a service, such as Microsoft 365. Systems and services will be made up of a number of elements, for instance servers, operating system, database, programming language, scripting, configuration files and data files. The systems of today are very different in their composition from those of twenty years ago. The most simple Information Asset Register will comprise a series of linked records which describe the functional layout and composition of the system. This could physically be a text document, spreadsheet or database.
We must think not only about the structure and layout of the Information Asset Register, but also about how it will be constituted, stored and published. These Information Asset Registers could potentially be a valuable asset for attackers and those who wish to cause harm or disruption.
Thought must therefore be given to the creation, storage, publication and use of these Information Asset Registers.
There are a number of useful descriptors and approaches that may be of use to researchers in this field and could be the subject of further research and reporting; these include:
Systems Thinking [20]
Complexity [33]
Weak Signals [23]
Nudge Theory [34]
Cynefin [35]
Wicked Problems [21]
Wardley Maps [22]
Cartography
When the term cartography is used in this context we mean mapping, that is the visual and textual documentation, illustration and recording of the Physical, Logical and Conceptual layout of the information that forms the Focus of Interest, in this case the Service or System being documented in the Information Asset Register. Some very useful work in this area is Domain Based Security, referred to as “DBSy” [14], a process extensively used in the Ministry of Defence; although now thought of as a legacy approach, it is still worth reading and understanding.
Mapping complex interlinked systems is even more important as we move to a cloud based eco system, which can comprise a hybrid multi cloud approach, that is components of physical servers on premise inter-linked with public cloud services of multiple different vendors. Mapping these interconnections and keeping the documentation up to date is ideally done automatically, through the use of metadata and automated module communication.
Many system components can be open source, and these utilise platforms and tools such as GitHub. The modern systems development process, referred to as “DevOps” in the agile world [36], also has a security approach called DevSecOps (Development, Security, Operations) [37]. These processes in turn mean that program code is developed, tested and deployed through a federated approach called CI (Continuous Integration). Much of this is automated, and the whole code to production (live running and operations) pipeline is carried out at scale and is often fully automated.
There are a number of concepts and approaches that have formed the thinking around the Cartography element of this model; these are worth further investigation:
Mind Maps
Architectural Diagrams
Symbols & Lexicons
Systems Mapping
Documentation
Domain based security.
Security Domain and mapping.
Registers
Registers are also extensible, like postcodes. Once components have been declared, other organisations with the same components would be able to copy the entries; this would speed up the whole process, enabling fast and accurate database population of asset components. This would in turn lead to a standardisation of threat profiles, compensating controls and architectural patterns. This could make a huge difference to local authorities, through standard threat profiles, the contention being that all Council Tax Systems have the same data and asset value. Once a system has been profiled, all councils would be able to use the same profile. Any variations would also be recorded, and a huge amount of effort can be saved. Defining and saving these threat profiles, and in time asset register entries, in XML or similar makes them machine readable, and this opens the possibilities for further work to look at the use of agent and API based automated approaches.
Attributes
The mapping of attributes will, it is contended, be a journey of iteration. To start with, key components will be identified to form the core of a taxonomy. For instance:
Application Servers
Web Servers
Mail Servers
Firewalls
Routers
Proxy Servers
Active Directory Servers
Network Attached Storage (NAS) devices
The detail of this approach is laid out in the NIST SP 1800-5 document [47].
Taking a firewall as an example:
CUON: 654/21/9874
Entity: Firewall
Owner: ICT Network Team / Team Leader Ext 5434 ICTNetork@dovedale.gov.uk
Location: Server Room 102b
Asset number: 21/45634
Classification Level: OFFICIAL
Manufacturer: Cyber Sure
Model: 345/t
Build level: 34.9.8.7
Last patched: 12/02/2021
IP Address or identifier: 10.3.4.56
Record Date: 210215
Record version 1.0
Notes
Figure 3 Example Information Asset Register record format
The above is a simple example but it means there is a definitive record for the asset.
The CUON breaks down as: [654] the organisation ID, [21] the year of allocation and [9874] the unique reference number for the firewall. The key point is that a CERT or other authorised entity could search for Cyber Sure model 345/t firewalls and find all of the organisations that have them recorded. A further refined search could be on build level [34.9.8.7], which could be an old build and subject to a zero-day CVE exploit.
Other areas for further consideration are:
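As an added example (not part of the paper), the Figure 3 record held as a machine-readable register: the CUON is split into its three parts, records round-trip through XML so other organisations can copy entries, and the search a CERT would run for every holder of a given make, model and build level is shown, with a further filter on the 'Last patched' date. Only the Figure 3 firewall comes from the text; the other three records, their organisation IDs and the field names are constructed.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import asdict, dataclass
from datetime import date, datetime

# CUON layout from the text: <organisation id>/<year of allocation>/<unique reference>
CUON_RE = re.compile(r"^(?P<org>\d+)/(?P<year>\d{2})/(?P<ref>\d+)$")


def parse_cuon(cuon: str) -> tuple:
    """Split a CUON such as 654/21/9874 into (organisation id, two-digit year, reference)."""
    m = CUON_RE.match(cuon.strip())
    if m is None:
        raise ValueError(f"malformed CUON: {cuon!r}")
    return int(m["org"]), int(m["year"]), int(m["ref"])


def _uk_date(text: str) -> date:
    """Figure 3 writes dates as DD/MM/YYYY."""
    return datetime.strptime(text, "%d/%m/%Y").date()


@dataclass
class AssetRecord:
    """One Figure 3 record; fields are kept as text so they round-trip through XML."""
    cuon: str
    entity: str
    owner: str
    location: str
    asset_number: str
    classification: str
    manufacturer: str
    model: str
    build_level: str
    last_patched: str   # DD/MM/YYYY
    identifier: str     # IP address or other identifier
    record_date: str    # YYMMDD, as in Figure 3
    record_version: str = "1.0"
    notes: str = ""

    def __post_init__(self) -> None:
        parse_cuon(self.cuon)  # reject a malformed CUON when the record is created


def register_to_xml(records) -> str:
    """Serialise the register as XML so entries can be copied between organisations."""
    root = ET.Element("information_asset_register")
    for rec in records:
        asset = ET.SubElement(root, "asset", cuon=rec.cuon)
        for key, value in asdict(rec).items():
            if key != "cuon":
                ET.SubElement(asset, key).text = value
    return ET.tostring(root, encoding="unicode")


def register_from_xml(text: str) -> list:
    """Inverse of register_to_xml; each CUON is re-validated by AssetRecord."""
    records = []
    for asset in ET.fromstring(text).findall("asset"):
        values = {child.tag: (child.text or "") for child in asset}
        records.append(AssetRecord(cuon=asset.get("cuon", ""), **values))
    return records


def find_by_model(records, manufacturer, model, build_level=None) -> list:
    """The CERT search from the text: all records of one make/model, optionally one build."""
    hits = [r for r in records
            if r.manufacturer.casefold() == manufacturer.casefold()
            and r.model.casefold() == model.casefold()]
    if build_level is not None:
        hits = [r for r in hits if r.build_level == build_level]
    return hits


def organisations_running(records, manufacturer, model, build_level=None) -> list:
    """Distinct organisation IDs (first CUON field) that hold a matching asset."""
    hits = find_by_model(records, manufacturer, model, build_level)
    return sorted({parse_cuon(r.cuon)[0] for r in hits})


def patched_before(records, cutoff: str) -> list:
    """Records whose 'Last patched' date is older than the DD/MM/YYYY cutoff."""
    limit = _uk_date(cutoff)
    return [r for r in records if _uk_date(r.last_patched) < limit]


# Constructed sample register: the Figure 3 firewall plus three invented entries.
FIGURE3_FIREWALL = AssetRecord(
    "654/21/9874", "Firewall",
    "ICT Network Team / Team Leader Ext 5434 ICTNetork@dovedale.gov.uk",
    "Server Room 102b", "21/45634", "OFFICIAL", "Cyber Sure", "345/t",
    "34.9.8.7", "12/02/2021", "10.3.4.56", "210215")
SAMPLE_REGISTER = [
    FIGURE3_FIREWALL,
    AssetRecord("655/21/0001", "Firewall", "ICT (constructed)", "Rack 1", "21/1",
                "OFFICIAL", "Cyber Sure", "345/t", "34.9.8.7", "03/11/2020",
                "10.9.0.1", "210301"),
    AssetRecord("656/20/0042", "Firewall", "ICT (constructed)", "Rack 2", "20/42",
                "OFFICIAL", "Cyber Sure", "345/t", "35.0.0.1", "20/04/2021",
                "10.8.0.1", "210420"),
    AssetRecord("654/21/9875", "Web Server", "Web Team (constructed)", "Room 102b",
                "21/45635", "OFFICIAL", "ExampleCo", "WS-1", "2.4", "01/04/2021",
                "10.3.4.57", "210402"),
]
```

With this register, organisations_running(SAMPLE_REGISTER, "Cyber Sure", "345/t", "34.9.8.7") returns the two organisation IDs still on the old build, which is the query the text describes.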
Cataloguing Functional and non-functional requirements.
Patterns
When we discuss patterns in this context, we propose that a pattern shows the linkages between elements of an Information Asset Register and how the individual components form a coherent system or service. The DBSy references [14] previously discussed and the Data Dictionary reference [39] are both good examples of elemental linkages. The rationale for needing these descriptors is that ultimately we need to follow the data [40]. A Data Protection Impact Assessment (DPIA) may well have a diagram showing the flow of information through a system or service.
When systems were written in house, it was possible for the programmer to understand the entire system. Today systems are far more complex and can be distributed and inter-linked. This is why documentation is so important.
There are various standards and approaches to security architecture that may be of interest for further research:
Ethics
Following on from the author's December 2020 Horizon Scanning paper [53], which referenced the work of William Barker [54] describing the implications of Digital Ethics, we need to consider these in the context of information assets and Cyber Security.
In the UK, official bodies such as the Office for Artificial Intelligence, the Centre for Digital Ethics and the Information Commissioner's Office are working closely with the Digital Ethics Lab, the Alan Turing Institute, the Open Data Institute and Digital Catapult in championing digitally ethical practice across the UK public sector.
Taken together, we are seeing an emerging set of common core values or attributes, built upon the combined disciplines of bioethics and responsible AI (see Figure 4 below), that can inform wider digital and cyber ethical practice:
Figure 4 Ethics Framework (Barker 2020)
Beneficence: do good. Benefits of work should outweigh potential risks.
Non-maleficence: do no harm. Risks and harms need to be considered holistically, rather than just for the individual or organisation.
Autonomy: preserve human agency. To make choices, people need to have sufficient knowledge and understanding.
Justice: be fair. Specific issues include algorithmic bias and equitable treatment.
Explicability: operate transparently, so that how the system works and its outputs can be explained.
A further exploration of Architectural patterns
Pulling this all together, the mapping of components, their inter-relationships, implementation, configuration and protective controls can be brought together in the form of a security architectural pattern.
The Information Asset Ecosystem
Back in 2017, some work was undertaken to consider the key questions relating to network protection and defence. These questions were designed as an aide-mémoire for Information Governance professionals to understand Information Assurance issues. This has now been developed further to help visualise what an information asset ecosystem may look like.
Figure 5 Information Asset Eco-System
Lego building Blocks
This approach is very good for explaining to senior leaders and non-technical people how components link together. It can be used for Risk Management modelling and as a planning aid for Cyber Security exercises [41].
ISACA have also published a useful article that discusses the use of Lego models for Cyber decision making and risk management [42].
Implementation Approach: The 5 D’s
This methodology was developed by the author and was tested by a group of London Boroughs in 2009 [43] through the LGA. The approach takes you through Information Asset identification and classification, which helps determine the relative value of an Information Asset.
© Mark Brett 2009-21
Figure 6 The 5 D’s of Information Asset Registers
Discovery
A trawl of Information Assets – this is the difficult bit, and the SCRAP process already discussed can help with this.
What assets exist? You need to understand what you have and how they physically or logically exist, where they are and whether they are backed up against cyber-attack.
What are their inputs and outputs? Asset and system linkages are critical to enabling incident management and recovery. Linked assets need to be viable, that is, all of their linked parts exist and are accessible.
What linkages exist? Without the linkages, you can’t restore a working system.
Determination
Who owns the asset? Every Information Asset must have an owner. The acid test is, who would miss it most if it were permanently destroyed?
Who is responsible for the asset? As above; along with the Owner is the team responsible for its maintenance, operation and use.
Who controls the asset? How is it delivered, through a system or a service?
Who can authorise the processing and disclosure?
Decision
What is the business impact level of the asset? That means, if it’s lost, how much “harm” would it cause? [REF] to Harm modelling…
What is its Data Protection status? Does the asset contain Personal Data?
Who is authorised to process the asset? Again Data Protection status.
What protective measures are required? This is about the Information Assurance of the asset.
Deployment
Where will the asset be created, stored and processed?
Will the asset be transmitted?
Will the asset be copied?
Will the asset be controlled?
Who will process it?
Where?
How?
Compliance, monitoring and audit regime?
Destruction
Who will authorise the destruction of the asset?
How will you know if all copies are destroyed?
Do you need to retain a copy for legal/compliance purposes?
How will you destroy the asset?
Linking Information Risk, Information Assurance and Incident Management
These tools and techniques are part of wider Cyber Incident Management; a detailed approach is explored in the author's incident response policy primer and guide [44]. The SCRAP approach previously discussed provides a practical framework to facilitate the scoping and identification phase and so enable Cyber Incident Planning. Likewise, the 5Ds provide a structured approach to augment Cyber Incident planning and management. Public Sector organisations can make full use of the National Cyber Security Centre (NCSC) Active Cyber Defence (ACD) tools and services [45].
Logs / Time Sources / Network Diagrams / Documentation
The SCRAPE approach above was devised to draw together the key non-functional requirements for Cyber Incident Management and Response: making artefacts unique (developing a descriptive taxonomy for asset identification, version control and management), with further applications for incident reporting. These are discussed in detail in the NIST Incident Response Guide [46]. Once you have identified the assets and catalogued them, you can then start to evaluate the assets and their inter-relationships. All of the attributes are, as discussed, causal variables. Identifying and documenting the attributes will lead to the creation of a taxonomy [47] and the NIST asset implementation guide [48], which can then be mapped against the MITRE ATT&CK Framework [49]. This will expose the vulnerabilities and attack vectors that can be exploited through the Cyber kill chain [50]; we mitigate these attack vectors through compensating controls [51].
Conclusion
Information Asset Registers aren’t new; the Data Protection Act, the Freedom of Information Act and the work of the Information Commissioner's Office have highlighted the need for them. The ITIL framework too has asset registers at its heart. Many Councils claim to have them, yet they are not understood. We believe they are highly valuable artefacts to better understand Information Risk and Assurance and to aid incident response. Automated discovery tools such as Nmap and Spiceworks [56] can help make the job a lot easier.
Future Work
The next article will explore an approach to address the changing dynamic and the need for remote coordination and response.
Future studies may well confirm an acceleration towards cloud-provisioned software and zero trust computing services. I am also concerned with the need to review and change Cyber resilience plans: Incident Response and Crisis Management may well need to be delivered remotely rather than in the traditional face-to-face manner. There is a need to understand fast-time communications, using various channels and software applications. An approach to fast-time communications for incident response and Cyber resilience in the context of UK Local Government will be discussed in that article. This will concentrate on the formation of Cyber Technical Advisory Cells (C-TACs) and an exploration of adapting the JESIP Framework [55] to Cyber.
References (All accessed April 2021)
[2] Brett, M. (2021) "An overview of current issues and practice relating to local government cyber security in England and Wales", Cyber Security: A Peer-Reviewed Journal, Vol. 4, No. 4, pp. 1–13, Henry Stewart Publications.
[3] IMAG: https://www.researchgate.net/publication/342804953_An_Overview_of_Local_Government_Cyber_Security_in_England_and_Wales_Emergent_Threats_and_Practice
[4] ITIL CMDB: https://www.axelos.com/best-practice-solutions/itil/what-is-itil
[8] Shrivastwa, A. (2018) Hybrid Cloud for Architects, Packt Publishing.
[9] Agile methodology in UK Government: https://www.gov.uk/service-manual/agile-delivery
[10] MHCLG Cyber: https://mhclgdigital.blog.gov.uk/category/cyber/
[14] DBSy: Katam, S., Zavarsky, P. and Gichohi, F. (2015) "Applicability of Domain Based Security risk modeling to SCADA systems", 2015 World Congress on Industrial Control Systems Security (WCICSS), London, UK, pp. 66–69, doi: 10.1109/WCICSS.2015.7420327.
[31] Newport, C. (2016) Deep Work: Rules for Focused Success in a Distracted World, Grand Central Publishing.
[47] NIST asset registers: http://doi.org/10.6028/NIST.SP.1800-5
The world of cyber security and information security has become a global interest. “Security Vendors of Concern (SVoC)”, are those who may be under the control or influence of hostile states or organ
This guide is to assist managers in preparing and implementing Business Continuity Plans, to aid Cyber Resilience.
© 2003-2021 Mark Brett
June 2021 Version 3
Background
The events of 11th September 2001, the London bombings of 7th July 2005 and the WannaCry malware incidents across the NHS have caused many organisations to consider an annual review process for their Business Continuity Planning.
The guide aims to mitigate the impact of unforeseen events on the business. Subsequently, the Civil Contingencies Act 2004 and the events of 7th July 2005 have also heightened the need for a robust Business Continuity Planning framework. In today's interconnected, Internet-driven world such planning is even more important. The shift to Cloud computing is making this even more difficult.
This guide was originally written in 2003 and has been updated over the years. The approach is still sound and this is continued work in progress.
Mark Brett MRes CITP CMngr FICPEM FBCS FCMI MCIIS MEPS MSyI
Honorary Visiting Fellow (Cyber Security)
Cyber Centre London Metropolitan University
© Mark Brett 2003-2021
You're welcome to make use of the contents of this document for non-commercial purposes, including Public Sector use. However, I would ask that you acknowledge the fact in your derived work.
INTRODUCTION
Every year unforeseen emergencies take their toll on business and industry -- in lost business and escalated costs. Something can be done. Business and industry can limit the impact and losses, returning quickly to normal operations if they plan ahead.
This guide provides step-by-step advice on how to create and maintain a comprehensive Business Continuity Planning Programme.
To begin, you need not have in-depth knowledge of Cyber Resilience. What you need is the authority to create a plan and a commitment from the Chief Officer to make Business Continuity Planning part of the corporate culture. If you already have a plan, use this guide as a resource to assess and update it. The guide is organised as follows:
Section 1: 4 Steps in the Planning Process -- how to form a planning team; how to conduct a vulnerability analysis; how to develop a plan; and how to implement the plan. The information can be applied to virtually any type of business or industry.
Section 2: Business Continuity Planning Considerations -- how to build such Business Continuity Planning capabilities as Health & Safety, Property Protection, Communications and Community Outreach.
Section 3: Hazard-Specific Information -- technical information about specific hazards your building or site may face.
Section 4: Information Sources -- where to turn for additional information.
Appendix A BCM plan and risk assessment toolkit
What Is an Emergency?
An emergency is any unplanned event that can cause disruption or significant injuries to employees, customers or the public; or that can shut down your business, disrupt operations, cause physical or environmental damage, or threaten the facility's financial standing or public image. Obviously, numerous events can be "emergencies," including:
1. Fire
2. Hazardous materials incident
3. Flood or flash flood
4. Terrorist incident
5. Malicious incident (public or employee)
6. Winter storm (weather)
7. Communications failure
8. Civil disturbance (transport strikes)
9. Loss of key supplier or customer
10. Explosion (gas etc.)
The term "disaster" has been left out of this document because it lends itself to a preconceived notion of a large-scale event, usually a "natural disaster." In fact, each event must be addressed within the context of the impact it has on the authority and the community. What might constitute a nuisance to the Council in general could be a "disaster" to a section or department.
What Is Cyber Resilience?
Cyber Resilience is the process of preparing for, mitigating, responding to and recovering from an emergency which involves Cyber, that is, a system or service delivered by a network or the Internet to a remote device, often through a web browser.
Business Continuity Planning is a dynamic process. Planning, though critical, is not the only component. Training, conducting exercises, testing equipment and co-ordinating activities with the community are other important functions.
Making the "Case" for Cyber Resilience
To be successful, Business Continuity Planning requires senior management support. The chief executive sets the tone by authorising planning to take place and directing senior management to get involved.
When presenting the "case" for Cyber Resilience, avoid dwelling on the negative effects of an emergency (e.g., deaths, fines, and criminal prosecution) and emphasise the positive aspects of preparedness. For example:
1. It helps the Council fulfil its moral responsibility to protect employees, the community and the environment.
2. It facilitates compliance with regulatory requirements such as Health & Safety.
3. It enhances the Council’s ability to recover from financial losses, regulatory fines, complaints from members and the public, damage to equipment and business interruption.
4. It reduces exposure to civil or criminal liability in the event of an incident.
5. It enhances the Council’s image and credibility with employees, customers, suppliers and the community.
SECTION 1
4 STEPS IN THE PLANNING PROCESS
Having established what you're planning for (the scope):
Step 1 -- Establish a Planning Team
Step 2 -- Analyse Capabilities and Hazards
Step 3 -- Develop the Plan
Step 4 -- Implement the Plan
There must be an individual or group in charge of developing the Business Continuity Plan. The following is guidance for making the appointment.
1. Form the Team.
The size of the planning team will depend on the department’s operations, requirements and resources. Usually involving a group of people is best because:
a. It encourages participation and gets more people invested in the process.
b. It increases the amount of time and energy participants are able to give.
c. It enhances the visibility and stature of the planning process.
d. It provides for a broad perspective on the issues.
Determine who can be an active member and who can serve in an advisory capacity. In most cases, one or two people will be doing the bulk of the work.
Some of the planning and co-ordination could be outsourced to Emergency Planning. At the very least, you should obtain input from all functional areas. Remember:
Senior management
Line management
Personnel and Occupational Health
Engineering and maintenance
Health & Safety
Public information officer (Press & Publicity)
Security
Community relations and groups
Councillors as appropriate
Departmental Representatives (Operational Service Delivery)
Legal Services
Finance and purchasing
Have participants appointed in writing by senior management. Their job descriptions could also reflect this assignment and extra duties.
2. Establish Authority.
Demonstrate management's commitment and promote an atmosphere of empowerment by "authorising" the planning group to take the steps necessary to develop a plan. The Chief Officer or the Business Unit Manager should lead the group. Establish a clear line of authority between group members and the group leader, though not so rigid as to prevent the free flow of ideas.
3. Issue a Mission Statement – Which quantifies the purpose and scope of the plan.
Have the Chief Executive or Service/Business Unit Manager issue a mission statement to demonstrate the authority’s commitment to Cyber Resilience. The statement should:
Define the purpose of the plan and indicate that it will involve the entire organisation. Define the authority and structure of the planning group
4. Establish a Schedule and Budget
Establish a work schedule and planning deadlines. Timelines can be modified as priorities become more clearly defined.
Develop an initial budget for such things as research, printing, seminars, consulting services and other expenses that may be necessary during the development process.
This step entails gathering information about current capabilities and about possible hazards and emergencies, and then conducting a vulnerability analysis to determine the facility's capabilities for handling emergencies.
1. WHERE DO YOU STAND RIGHT NOW? Establishing a baseline
Review Internal Plans and Policies. Documents to look for include:
a. Evacuation plan
b. Fire protection plan
c. Health & Safety procedures
d. Environmental policies
e. Security procedures
f. Insurance programs
g. Finance and purchasing procedures
h. Quality procedures
i. Personnel handbook
j. Internal SLAs and external contracts
k. Health & Safety risk assessments
l. Risk management plan
m. Capital improvement program
n. Mutual aid agreements
Business Continuity Planning Guide
2. Establish Partnerships
Meet with external agencies, community organisations and utilities. Ask about potential emergencies and about their plans and available resources for responding
Sources of information include:
Local Resilience Forum Coordinator
Emergency Planning Officer
Local Hospital
Local Community Liaison Groups
Fire Brigade
Local Police
Ambulance
Telecommunications Companies
Cellular providers
Electricity, Gas and Water Utilities
Neighbouring Authorities
Emergency Planning Society: http://www.emergplansoc.org.uk/
3. Identify Codes and Regulations
Identify applicable legislation and local regulations such as:
Occupational Health & Safety regulations
Environmental regulations
Fire procedure codes
Corporate policies
4. Identify Critical Services and Operations
You'll need this information to assess the impact of potential emergencies and to determine the need for backup systems. Areas to review include:
Council services and the facilities and equipment needed to produce them
Products and services provided by suppliers, especially sole source vendors
Lifeline services such as electrical power, water, sewer, gas, telecommunications and transportation
Operations, equipment and personnel vital to the continued functioning of the facility
5. Identify Internal Resources and Capabilities
Resources and capabilities that could be needed in an emergency include:
a. Personnel -- Fire, Police and Ambulance; Council Emergency Services response team; security; Business Continuity Planning group; Fire wardens; First Aid; Public Information Officers; Computer Emergency Response Team.
b. Equipment -- fire protection and suppression equipment, communications equipment, first aid supplies, emergency supplies, warning systems, emergency power equipment.
c. Facilities -- Establish a Crisis Management Centre, media briefing area, survivor reception centres, first-aid stations, and a communications point, internal and external. Provide an emergency website, either part of the corporate one or separate, and make sure people know its address.
d. Organisational capabilities -- training, evacuation plan, employee support system (Counselling)
e. Backup systems -- arrangements with other facilities to provide for: Identify your Business critical processes and systems.
(1) Payroll
(2) Communications
(3) Production
(4) Customer services
(5) Post room services and receiving i.e. CFM print runs
(6) Information systems support
(7) Emergency power
(8) Recovery support
6. Identify External Resources
There are many external resources that could be needed in an emergency. In some cases, formal agreements may be necessary to define the facility's relationship with the following:
Local Resilience Forum (LRF)
Fire Brigade
Hazardous materials Health & Safety Executive
Emergency medical services
Hospitals
Local Police liaison
Community service organisations
Utilities
Key Contractors & Suppliers
Suppliers of emergency equipment
Insurance companies
7. Do an Insurance Review
Meet with the Insurance Officer (Finance Dept) to review all policies and cover. (See Section 2: Recovery and Restoration.) Insurance is not a substitute for proper planning and preparedness.
8. Conduct A Vulnerability (Risk) Analysis
The next step is to assess the vulnerability of your site -- the probability and potential impact of each emergency. Use the Vulnerability (Risk) Analysis Chart in the appendix section to guide the process, which entails assigning probabilities, estimating impact and assessing resources, using a numerical system. The lower the score the better.
9. Brainstorm Potential Emergencies & Scenarios to plan for
In the first column of the chart, list all emergencies that could affect your department, including those identified by the Emergency Planning officer. Consider both:
a. Emergencies that could occur within your Site / Department
b. Emergencies that could occur in your community
Historical -- What types of emergencies have occurred in the community, at this facility and at other facilities in the area?
a. Fires
b. Severe weather
c. Hazardous material spills
d. Transportation accidents
e. Bomb threats
f. Transport strikes
g. Terrorism and industrial action
h. Utility outages
Geographic -- What can happen as a result of the facility's location?
Keep in mind:
Proximity to flood spots, electrical lines, railways, major roads etc.
Proximity to companies that produce, store, use or transport hazardous material
Proximity to major transportation routes and airports
Proximity to terrorist targets.
Technological -- What could result from a process or system failure? Possibilities include:
Fire, explosion, hazardous materials incident - storage batteries
Safety system failure
Telecommunications failure
Computer system failure
Power failure
Heating/cooling system failure
Emergency notification system failure
Human Error -- What emergencies can be caused by employee error? Are employees trained to work safely? Do they know what to do in an emergency? Human error is the single largest cause of workplace emergencies and can result from:
Poor training
Poor maintenance
Carelessness
Misconduct
Substance abuse
Fatigue
Physical -- What types of emergencies could result from the design or construction of the facility? Does the physical facility enhance safety? Consider:
a. The physical construction of the facility
b. Hazardous processes or by-products
c. Facilities for storing combustibles
d. Layout of equipment
e. Lighting
f. Evacuation routes and exits
g. Proximity of survivor reception centres
Regulatory -- What emergencies or hazards are you regulated to deal with? Analyse each potential emergency from beginning to end. Consider what could happen as a result of:
Prohibited access to the facility
Loss of electric power
Communication lines down
Ruptured gas mains
Water damage
Smoke damage
Structural damage
Air or water contamination
Explosion
Building collapse
Trapped persons
Chemical release
10. Estimate Probability
In the Probability column, rate the likelihood of each emergency's occurrence. This is a subjective consideration, but useful nonetheless. Use a simple scale of 1 to 5, with 1 as the lowest probability and 5 as the highest.
11. Assess the Potential Human Impact (HARM Modelling)
Analyse the potential human impact of each emergency -- the possibility of death or injury.
Assign a rating in the Human Impact column of the Vulnerability Analysis Chart. Use a 1 to 5 scale with 1 as the lowest impact and 5 as the highest.
12. Assess the Potential Property Impact
Consider the potential for property losses and damages. Again, assign a rating in the Property Impact column, 1 being the lowest impact and 5 the highest. Consider:
Cost to replace
Cost to set up temporary replacement
Cost to repair
13. Assess the Potential Business Impact
Consider the potential loss of market share. Assign a rating in the Business Impact column. Again, 1 is the lowest impact and 5 the highest. Assess the impact of the following. This applies to your Department and to your external (CCT) suppliers if applicable. Check your SLAs and contracts.
Business interruption
Employees unable to report to work
Customers unable to reach facility
Authority in violation of contractual agreements
Imposition of fines and penalties or legal costs
Interruption of critical supplies
Interruption of Service Delivery
14. Assess Internal and External Resources
Next assess your resources and ability to respond. Assign a score to your Internal Resources and External Resources. The lower the score the better. To help you do this, consider each potential emergency from beginning to end and each resource that would be needed to respond. For each emergency ask these questions:
Do we have the needed resources and capabilities to respond?
Will external resources be able to respond to us for this emergency as quickly as we may need them, or will they have other priority areas to serve?
If the answers are yes, move on to the next assessment. If the answers are no, identify what can be done to correct the problem. For example, you may need to:
Develop additional emergency procedures
Conduct additional training
Acquire additional equipment
Establish mutual aid agreements
Establish agreements with specialised contractors
15. Add the Columns
Total the scores for each emergency. The lower the score the better. While this is a subjective rating, the comparisons will help determine planning and resource priorities -- the subject of the pages to follow.
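Steps 9 to 15 carried through as an added example (not the guide's own toolkit): each chart row holds the six column scores, totals are summed and ranked highest first so that planning priorities fall out, and rows whose resource scores are high are flagged as the "no" answers of step 14 that need corrective action. The emergencies and their scores are constructed; the 1 to 5 range for the two resource columns and the flagging threshold of 4 are assumptions, since the guide only says that lower is better.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # the guide's 1 (lowest) to 5 (highest) scoring; lower totals are better
SCORE_FIELDS = ("probability", "human_impact", "property_impact",
                "business_impact", "internal_resources", "external_resources")
# Assumption: a resource column scored at or above this marks a step 14 "no" answer.
SHORTFALL_THRESHOLD = 4


@dataclass(frozen=True)
class ChartRow:
    """One line of the Vulnerability (Risk) Analysis Chart (steps 9 to 14)."""
    emergency: str
    probability: int          # step 10
    human_impact: int         # step 11
    property_impact: int      # step 12
    business_impact: int      # step 13
    internal_resources: int   # step 14 (1-5 assumed; the guide only says lower is better)
    external_resources: int   # step 14, same assumption

    def __post_init__(self) -> None:
        for name in SCORE_FIELDS:
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{self.emergency}: {name}={value} is outside 1-5")

    @property
    def total(self) -> int:
        """Step 15: add the columns."""
        return sum(getattr(self, name) for name in SCORE_FIELDS)


def rank(rows) -> list:
    """Highest total first (the planning priority), ties broken by name."""
    return sorted(rows, key=lambda r: (-r.total, r.emergency))


def resource_shortfalls(rows, threshold=SHORTFALL_THRESHOLD) -> list:
    """Rows where step 14 would answer 'no', so corrective action is needed."""
    return [r for r in rows
            if r.internal_resources >= threshold or r.external_resources >= threshold]


def render(rows) -> str:
    """The chart as fixed-width text, already ranked."""
    header = (f"{'Emergency':<26}{'Prob':>5}{'Hum':>5}{'Prop':>5}"
              f"{'Bus':>5}{'Int':>5}{'Ext':>5}{'Total':>7}")
    lines = [header]
    for r in rank(rows):
        cells = "".join(f"{getattr(r, n):>5}" for n in SCORE_FIELDS)
        lines.append(f"{r.emergency:<26}{cells}{r.total:>7}")
    return "\n".join(lines)


# Constructed scores for five of the emergencies listed in the guide.
SAMPLE_CHART = [
    ChartRow("Fire", 2, 4, 4, 3, 2, 2),
    ChartRow("Flood", 2, 2, 4, 3, 3, 2),
    ChartRow("Computer system failure", 4, 1, 2, 5, 2, 4),
    ChartRow("Power failure", 3, 1, 2, 4, 2, 3),
    ChartRow("Loss of key supplier", 2, 1, 1, 4, 3, 4),
]

if __name__ == "__main__":
    print(render(SAMPLE_CHART))
    print("Corrective action needed:", [r.emergency for r in resource_shortfalls(SAMPLE_CHART)])
```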
You are now ready to develop a Business Continuity Planning plan. This section describes how.
PLAN COMPONENTS
Your plan should include the following basic components.
1. Executive Summary
The executive summary:
Gives management a brief overview of the purpose of the plan
Details the Business Continuity Planning policy
Authorises the facilities and responsibilities of key personnel
Details the types of emergencies that could occur
Explains how and where response operations will be managed.
2. Business Continuity Planning Elements
This section of the plan briefly describes the facility's approach to the core elements of Cyber Resilience, which are:
Command and control
Communications
Life and Limb - protecting your staff and the public.
Property protection
Community outreach
Recovery and restoration
Administration and logistics.
These elements, which are described in detail in Section 2, are the foundation for the emergency procedures that your facility will follow to protect personnel and equipment and resume operations.
3. Emergency Response Procedures
The procedures spell out how the facility will respond to emergencies. Whenever possible, develop them as a series of checklists that can be quickly accessed by Senior Management, Department heads, response personnel and employees.
Determine what actions would be necessary to:
Assess the situation
Protect employees, customers, visitors, equipment, vital records and other assets, particularly during the first phase of the emergency
Get the business back up and running.
Specific procedures might be needed for any number of situations such as bomb threats or fire, and for such functions as:
Warning employees and customers
Communicating with personnel and community responders
Conducting an evacuation and accounting for all persons in the facility
Managing response activities
Activating and operating an emergency operations centre
Fighting fires
Shutting down operations
Protecting vital records
Restoring operations
4. Support Documents
Documents that could be needed in an emergency include:
Emergency call lists -- lists (wallet sized if possible) of all persons on and off site who would be involved in responding to an emergency, their responsibilities and their 24-hour telephone numbers.
Building and site maps that indicate:
Utility shutoffs
Water hydrants
Water main valves
Water lines
Gas main valves
Gas lines
Electrical cut-offs
Electrical substations
Storm drains
Sewer lines
Location of each building (include name of building, street name and number)
Floor plans
Alarm and communicators
Fire extinguishers
Fire suppression systems
Exits
Stairways
Designated escape routes
Restricted areas
Hazardous Materials (including cleaning supplies and chemicals)
Copies of building plans
Copies of telecommunication route plans (Telephone and fibre cables)
Location of High-value items; (Deeds, Bonds, Contracts, evidence etc.)
5. Resource lists
Lists of major resources (equipment, supplies, and services) that could be needed in an emergency; mutual aid agreements with other companies and government agencies.
Emergency escape procedures and routes
Procedures for employees who perform or shut down critical operations before an evacuation
Procedures to account for all employees, visitors and contractors after an evacuation is completed
Rescue and medical duties for assigned employees
Procedures for reporting emergencies
Names of persons or departments to be contacted for
THE DEVELOPMENT PROCESS
The following is guidance for developing the plan.
1. Identify Challenges and Prioritise Activities
Determine specific goals and milestones. Make a list of tasks to be performed, by whom and when. Determine how you will address the problem areas and resource shortfalls that were identified in the vulnerability analysis.
2. Write the Plan
Assign each member of the planning group a section to write. Determine the most appropriate format for each section.
Establish an aggressive timeline with specific goals. Provide enough time for completion of work, but not so much as to allow assignments to linger. Establish a schedule for:
First draft
Peer review (include other sections)
Second draft
Tabletop exercise (invite other sections/departments to participate)
Final draft
Printing
Distribution (publish widely, including on the intranet, and share best practice)
Amendment procedures
3. Establish a Training Schedule
Have one person or department responsible for developing a training schedule for your facility. For specific ideas about training, refer to Step 4.
4. Coordinate with Outside Agencies and Organisations
Meet periodically with other government agencies and community organisations. Inform appropriate government agencies that you are creating a Business Continuity plan. While their official approval may not be required, they will likely have valuable insights and information to offer.
Determine central government and local requirements for reporting emergencies, and incorporate them into your procedures. Appoint a loggist to keep detailed records of all executive orders, actions and operations. Number and time-stamp every entry. The log should include actions, outcomes and costs incurred, along with details of who authorised each action.
The CRASH Gates protocol: trigger points can be thought of as pre-defined Consequence, Relevance, Acceleration, Severity and Harm (CRASH) gates.
The CRASH Gate model for assessing cyber incident trigger points:
Consequence Scaling
Locally contained within the Organisation at a Sub-Departmental / Directorate Level
Locally contained within the Organisation at Departmental / Directorate Level
Locally contained within the Organisation
Affecting multiple Organisations Sub-Regionally
Affecting multiple Organisations Regionally
Affecting multiple Organisations Nationally
Relevance Scoring
We do not have this technology in our infrastructure
We have this technology, we are fully patched.
We have this technology, we are partially patched
We have this technology, we are not patched
We have this technology, we are compromised
Severity Scoring
Not affecting our infrastructure directly
Affecting some of our infrastructure
Affecting most of our infrastructure
Affecting all of our infrastructure
Our infrastructure is over run and non-functioning
HARM Levels
The organisation is unaffected
The organisation is affected, but fully operational
The organisation is affected, and is partially operational
The organisation is compromised, but essential services are still functioning
The organisation is compromised, and essential services are lost.
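A machine-readable form of the gate model, added here as an example (it is not part of the C-TAG guidance): it encodes the four scales listed above, maps an incident's descriptions to levels, and evaluates the result against a set of trigger points. The page gives no scale for Acceleration, so none is modelled, and the thresholds in `GATES`, including the point at which command and control passes to outside agencies, are assumptions for illustration; a real plan sets its own in its trigger-point table.

```python
"""CRASH gate evaluator.

Added example, not part of the C-TAG guidance. It encodes the four scales the
page lists (Consequence, Relevance, Severity, Harm; the page gives no scale
for Acceleration, so none is modelled) and evaluates an incident against a
set of trigger points. The thresholds in GATES are assumptions for
illustration only; a real plan sets its own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Scales ordered from least to most serious; the list index is the level.
SCALES = {
    "consequence": [
        "Locally contained within the Organisation at a Sub-Departmental / Directorate Level",
        "Locally contained within the Organisation at Departmental / Directorate Level",
        "Locally contained within the Organisation",
        "Affecting multiple Organisations Sub-Regionally",
        "Affecting multiple Organisations Regionally",
        "Affecting multiple Organisations Nationally",
    ],
    "relevance": [
        "We do not have this technology in our infrastructure",
        "We have this technology, we are fully patched",
        "We have this technology, we are partially patched",
        "We have this technology, we are not patched",
        "We have this technology, we are compromised",
    ],
    "severity": [
        "Not affecting our infrastructure directly",
        "Affecting some of our infrastructure",
        "Affecting most of our infrastructure",
        "Affecting all of our infrastructure",
        "Our infrastructure is over run and non-functioning",
    ],
    "harm": [
        "The organisation is unaffected",
        "The organisation is affected, but fully operational",
        "The organisation is affected, and is partially operational",
        "The organisation is compromised, essential services still functioning",
        "The organisation is compromised, essential services lost",
    ],
}


def _norm(text: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so the wording on an
    incident ticket matches the scale text loosely (case, commas, trailing dots)."""
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9 ]", " ", text.lower())).strip()


def level(scale: str, description: str) -> int:
    """Map a description to its 0-based level on the named scale."""
    wanted = _norm(description)
    for idx, entry in enumerate(SCALES[scale]):
        if _norm(entry) == wanted:
            return idx
    raise ValueError(f"unknown {scale} description: {description!r}")


@dataclass(frozen=True)
class CrashAssessment:
    consequence: int
    relevance: int
    severity: int
    harm: int

    @classmethod
    def from_descriptions(cls, **descriptions: str) -> "CrashAssessment":
        return cls(**{name: level(name, text) for name, text in descriptions.items()})


# Assumed trigger points, ordered from least to most serious escalation. The
# last one is the page's decision to hand command and control to outside agencies.
GATES = [
    ("monitor: technology present in estate",
     lambda a: a.relevance >= 1),
    ("declare internal cyber incident",
     lambda a: a.relevance >= 3 or a.severity >= 1),
    ("invoke business continuity plan",
     lambda a: a.harm >= 2 or a.severity >= 3),
    ("hand command and control to outside agencies",
     lambda a: a.consequence >= 3 and a.harm >= 3),
]


def triggered_gates(a: CrashAssessment) -> List[str]:
    """All gates whose condition the assessment meets, in escalation order."""
    return [name for name, cond in GATES if cond(a)]


def highest_gate(a: CrashAssessment) -> Optional[str]:
    hit = triggered_gates(a)
    return hit[-1] if hit else None


if __name__ == "__main__":
    # Constructed scenario: an unpatched product, most of the estate affected,
    # organisation partially operational, impact contained within the organisation.
    incident = CrashAssessment.from_descriptions(
        consequence="Locally contained within the Organisation",
        relevance="We have this technology, we are not patched",
        severity="Affecting most of our infrastructure",
        harm="The organisation is affected, and is partially operational",
    )
    print(incident, "->", triggered_gates(incident))
```

Because the gate conditions are plain predicates over the four levels, the same evaluator can be driven from a ticketing system or a SIEM enrichment step, and the `GATES` table is the only thing that changes when the authority agrees different trigger points with its partners.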
Determine protocols and trigger points for turning command and control of a response over to outside agencies.
Some details that may need to be worked out are:
Which gate or entrance will responding emergency service units use?
Where and to whom will they report?
How will they be identified? How will they know you? (tabards/ID)
How will facility personnel communicate with outside responders?
Who will be in charge of response activities?
Determine what kind of identification authorities (Police/Fire) will require to allow your key personnel into your facility during an emergency. Develop and agree special ID cards and tabards etc. Ensure everyone is thoroughly briefed.
Produce A4 laminated cards which detail the key roles and responsibilities for each job.
Produce a pocket size card, with emergency contact numbers, and the five major points of the job role, where to report to etc.
Determine the needs of disabled persons and non-English-speaking personnel. For example, a blind employee could be assigned a partner in case an evacuation is necessary.
A disabled person is anyone who has a physical or mental impairment that substantially limits one or more major life activities, such as seeing, hearing, walking, breathing, performing manual tasks, learning, caring for oneself or working.
Be mindful of language barriers, written and verbal.
Your emergency planning priorities may be influenced by government regulation. To remain in compliance you may be required to address specific Business Continuity Planning functions that might otherwise be a lower priority activity for that given year.
5. Maintain Contact with Other Departments
Communicate with other offices and departments within the authority to learn:
Their emergency notification requirements
The conditions where mutual assistance would be necessary
How offices will support each other in an emergency
Names, email addresses, telephone numbers and mobile numbers of key personnel
Incorporate this information into your procedures.
6. Conduct Training and Revise plans and procedures as necessary.
Share review information with other Departmental representatives. Use the intranet server to publish timely information.
Distribute the first draft to group members for review. Revise as needed.
For a second review, conduct a tabletop exercise with management and personnel who have a key Business Continuity Planning responsibility. In a conference room setting, describe an emergency scenario and have participants discuss their responsibilities and how they would react to the situation. Based on this discussion, identify areas of confusion and overlap, and modify the plan accordingly.
7. Seek Final Approval
Arrange a briefing for the Chief Officer and Senior Management and obtain written approval.
8. Distribute the Plan
Place the final plan in four-ring binders and number all copies and pages. Document control procedures are essential for quality and auditing.
Each individual who receives a copy should be required to sign for it and be responsible for posting subsequent changes.
Ensure the plan is published on the intranet and kept up to date. Consider also storing the plan on a secure, access-controlled Internet facility so that authorised people can reach it from anywhere, including when the corporate network itself is unavailable.
Determine which sections of the plan would be appropriate to show to other agencies (some sections may refer to Confidential Corporate or Departmental Information or include private listings of names, telephone numbers or access codes and passwords). Distribute the final plan to:
Chief Officers and Senior Managers
Key members of the authority's emergency response organisation
Chief Executives Office,
Emergency Planning Unit.
Community emergency response agencies (appropriate sections)
Key external suppliers. Ensure you figure in their emergency plans.
Have key personnel keep a copy (paper or electronic) of the plan in their homes. Inform employees about the plan and
Consolidate emergency plans for better co-ordination. Stand-alone plans, such as Computer Disaster Recovery Plans, Fire Protection plan or Health and Safety plan, should be incorporated into one comprehensive plan.
Implementation means more than simply exercising the plan during an emergency. It means acting on recommendations made during the vulnerability analysis, integrating the plan into authority operations, training employees and evaluating the plan.
INTEGRATE THE PLAN INTO DEPARTMENTAL OPERATIONS
Emergency planning must become part of the corporate culture.
Look for opportunities to build awareness; to educate and train personnel; to test procedures; to involve all levels of management, all departments and where appropriate the community in the planning process; and to make Business Continuity Planning part of what personnel do on a day-to-day basis.
Include the emergency procedures in induction training. Ensure the emergency procedures are discussed as an agenda item at a quarterly management meeting. Build the process into all project plans.
Test how Completely the Plan has been Integrated by Asking:
How well does senior management support the responsibilities outlined in the plan?
Have emergency planning concepts been fully incorporated into the Department’s accounting, personnel and financial procedures?
How can the Council’s processes for evaluating employees and defining job classifications better address Business Continuity Planning responsibilities?
Are there opportunities for distributing emergency preparedness information through corporate newsletters, employee manuals or employee mailings?
What kinds of safety posters or other visible reminders would be helpful? Do personnel know what they should do in an emergency?
CONDUCT TRAINING, DRILLS AND EXERCISES
Everyone who works at or visits the site (including contractors) requires some form of training. This could include periodic employee discussion sessions to review procedures, technical training in equipment use for emergency responders, evacuation drills and full-scale exercises. Below are basic considerations for developing a training plan.
1. Planning Considerations
Assign responsibility for developing a training plan. Consider the training and information needs for employees, contractors, visitors, managers and those with an emergency response role identified in the plan. Determine for a 12 month period:
Who will be trained?
Who will do the training?
What training activities will be used?
When and where each session will take place?
How the session will be evaluated and documented?
Use the Training, Drills and Exercises Chart in the appendix section to schedule training activities, or create one of your own.
Consider how to involve community responders in training activities. Conduct reviews after each training activity. Involve both personnel and community responders in the evaluation process.
2. Training Activities
Training can take many forms:
a. Orientation and Education Sessions (Discussion Exercises) These are regularly scheduled discussion sessions to provide information, answer questions and identify needs and concerns.
b. Tabletop Exercise -- Members of the Business Continuity Planning group meet in a conference room setting to discuss their responsibilities and how they would react to emergency scenarios. This is a cost-effective and efficient way to identify areas of overlap and confusion before conducting more demanding training activities.
c. Walk-through Exercise -- The Business Continuity Planning group and response teams actually perform their emergency response functions. This activity generally involves more people and is more thorough than a tabletop exercise.
d. Functional Exercises -- These exercises test specific functions such as medical response, emergency notifications, warning and communications procedures and equipment, though not necessarily at the same time. Personnel are asked to evaluate the systems and identify problem areas.
e. Evacuation Exercise -- Personnel walk the evacuation route to a designated area where procedures for accounting for all personnel are tested. Participants are asked to make notes as they go along of what might become a hazard during an emergency, e.g., stairways cluttered with debris, smoke in the hallways. Plans are modified accordingly.
f. Full-scale Exercise -- A real-life emergency situation is simulated as closely as possible. This exercise involves authority emergency response personnel, employees, management and community response organisations.
3. Employee Training
General training for all employees should address:
Individual roles and responsibilities
Information about threats, hazards and protective actions
Notification, warning and communications procedures
Means for locating family members in an emergency
Emergency response procedures
Evacuation, shelter and accountability procedures
Location and use of common emergency equipment
Emergency shutdown procedures
The scenarios developed during the vulnerability analysis can serve as the basis for training events.
4. Evaluate and Modify the Plan
Conduct a formal audit of the entire plan at least once a year. Among the issues to consider are:
How can you involve all levels of management in evaluating and updating the plan?
Are the problem areas and resource shortfalls identified in the vulnerability analysis being sufficiently addressed?
Does the plan reflect lessons learned from exercises and actual events?
Do members of the Business Continuity Planning group and emergency response team understand their respective responsibilities? Have new members been trained?
Does the plan reflect changes in the physical layout of the facility? Does it reflect new facility processes?
Are photographs and other records of facility assets up to date?
Is the facility attaining its training objectives?
Have the hazards in the facility changed? (H&S Risk Assessments)
Are the names, titles and telephone numbers in the plan current?
Are steps being taken to incorporate Business Continuity Planning into the business processes?
Have community agencies and organisations been briefed on the plan? Are they involved in evaluating the plan?
In addition to a yearly audit, evaluate and modify the plan at these times:
After each training exercise
After each emergency
When personnel or their responsibilities change
When the layout or design of the facility changes
When policies or procedures change
Remember to brief personnel on changes to the plan.
Audit:
Conduct a formal audit of the entire plan at least once a year
Appendix A
Business Continuity Planning Toolkit with Risk Assessment diagnostics
Organisation Name: [BUSINESS CONTINUITY PLAN COMPONENTS]
[Change all headings as required]
Directorate / Department:
Contact Name:
E-Mail:
Phone:
Date Completed:
Written by: _____________________________________ Date: ____________
Written by: _____________________________________ Date: ____________
Review Date: [ ]
I. Business Continuity Planning Outline
II. Business Continuity Plan Template
III. Business Continuity Plan Worksheets
A. Checklist
B. Business Process Template
C. Recovery Procedures Template
D. Risk Assessment Worksheets
Identify Current Mission-Critical Business Processes (See Operations Plan for starting point)
Assess Impact or Importance of Business Processes, considering:
Health and Safety
Revenue or Cash Flow (Treasury) implications
Number of Citizens, Businesses, or Employees Impacted
Central Government Reporting Requirements
Public Perception
Identify Resources and Dependencies
Evaluate Risk or Likelihood of Failure
Application Systems and Interfaces
IT Infrastructure
Third Party Products
Supply Chain
Infrastructure (Facilities, Telecom, Utilities)
Establish Priority Based upon Impact and Risk
Develop Business Continuity Plan Based upon Available Resources and Time
Make Assumptions to Focus Plan
Devise Alternatives to Complete Core Business Processes, considering:
Roles & Responsibilities
Communication Channels
Manual Work-arounds
Triggering Events
Who Invokes the Plan
Required Training & Preparation
How & Who Maintains the Plan
Needed Supplies & Equipment
Additional Staffing Needs
What Ends the Plan
Clean-Up
Review for Completeness
Exercise the Plan
Make Modifications as Needed
II. Business Continuity Plan Template
The following sections are included in a Contingency Plan Template. It is a sample template, therefore, sections may be added or deleted as appropriate.
Phase I
PROCESS: Provide the name and a brief overview of the critical business function as it currently exists.
PRIORITY: Determine the priority of this contingency plan relative to the other contingency plans, if multiple failures occur within an authority. Use this section if applicable.
RISK DESCRIPTION:
Describe in simple terms the risk concern and the impact to the authority. Include the nature and likelihood of expected disruptions or impacts. For example:- Electrical power is unavailable. If processing cannot be resumed within 3 days, Client checks will be late.
Describe briefly any significant dependencies or linkages of the business process with programmes within the authority, with other authorities, or with other parties inside or outside central or regional government or place-based partnerships.
State explicitly any assumptions which your Directorate or Business Unit is making in this contingency plan.
MITIGATING STRATEGIES:
Provide a brief conceptual description of how the contingency plan for the business process is intended to work.
For example:- Conduct additional quality assurance review of documents prior to mailing.
Set up account in advance with alternate supplier(s) and establish procedures for using the alternate supplier.
Investigate feasibility and cost of an uninterruptible power supply.
Describe the level of services to be provided during the disruption.
For example:
Provide continuation of normal operations.
Provide continuation of service in a degraded mode.
Provide complete departure from normal functions as quickly
Business Continuity Planning Guide
Phase 2
ACTIVATION TRIGGER(S): Describe the specific events or conditions that will trigger or invoke the plan.
For example:
Employees can’t access building entry via electronic access cards or tokens.
RECOVERY PROCEDURES:
Describe the expected life or duration of the contingency plan. For example: How long it might be necessary to operate under the plan. Any special timing-related constraints, e.g., back-up batteries need re-charging after 10 hours.
Provide detailed, step-by-step procedures for initiating and executing contingency operations, and for transitioning back to normal (non-contingency) operations, with the names of the persons who are to serve specific roles regarding the plan. For example:
Initiate internal and vendor list notification procedures – Responsibility: Ms. X
Get backup listings from off-site storage – Responsibility: Mr. Y
Contact alternate supplier to provide needed supplies – Responsibility:
IMPLEMENTATION:
Name BCP Coordinator and Team
Provide the name and contact information of the person who will give the order to invoke the plan.
Provide the name of the person who will give the order to return to normal operations.
Provide a brief description of significant resources needed to implement, execute, and transition out of contingency operation. Also identify the person who is responsible for acquiring these resources, as events may warrant.
For example: Staffing and scheduling of personnel. Equipment, temporary hardware and software, forms and supplies, etc. Possible temporary working facilities. Communications, both verbal and data.
Phase 3
Provide a brief description of any training or exercising of the plan that will be necessary.
For example: Perform a structured walk-through to ensure that all the processes will work as expected.
Perform an exercise or “dry-run” to ensure that all the processes work.
Perform a “mock” exercise with required staff and vendors on a non-work day.
In continuity planning, the maintenance process ensures that people and process aspects of the plan which need additional work are properly addressed and corrected.
The following types of maintenance should be conducted for every business continuity plan in your Directorate or Business Unit:
Scheduled
Unscheduled
Post-exercise
A. Checklist
B. Business Process Template
C. Recovery Procedures Template
D. Risk Assessment Worksheets
COMPONENTS OF A Cyber Resilience Plan
CHECKLIST
Checklist Components
AUTHORITY: Authority Name *
PROCESS: Business Process Name *
Business Process Overview
PRIORITY: Priority within authority
RISK DESCRIPTION:
Risk Description
Impact of Risk on Authority
Nature and likelihood of disruptions
Dependencies upon business process
Assumptions
MITIGATING STRATEGIES:
Mitigating Strategies description
Level of service to be provided
ACTIVATION TRIGGER(S): Activation Trigger(s) *
RECOVERY PROCEDURES:
Duration of contingency plan
Recovery Procedures/Work-Around *
Responsible person for each action
IMPLEMENTATION:
Person invoking plan
Person ordering return to normal operations
Resources Required *
MAINTAINING/EXERCISING PLAN:
Training Required
Exercising Required
Person responsible to obtain resources
Maintenance Required
Business Process [Title]
Process:
Priority:
Risk Description:
Mitigating Strategies:
Activation Trigger(s):
CONTINGENCY PLAN
RECOVERY PROCEDURE ACTION PLAN Recovery Procedures (Action Plan):
Duration:
Implementation: Person Responsible:
Invokes Plan:
Return to Normal Operations:
Resources Required:
(Staff, supplies, etc.)
Purpose and Directions
Purpose:
This worksheet is intended to provide a framework for answering the following questions for a particular business process:
1. Where could a potential failure occur?
2. Does it impact this business process? If so, how much?
3. What has been done or is in progress to mitigate the threat of a failure?
Based on the answers to the above questions:
4. What is the remaining risk?
By answering the last question, you should be in a better position to focus your contingency planning efforts, particularly which business processes are most in need of contingency planning and what specific failures do the contingency plans need to address and at what level of detail.
Directions:
1. Choose a particular business process.
2. Review the areas of concern to determine if any need to be added or expanded upon that are specific to the business process. Modify the spreadsheet as appropriate. Note: the Remediation or Mitigation Status values are stored in columns E-I, which are hidden.
3. For each area of concern, assign a level of dependency of High, Medium, Low, or Not Applicable (or blank).
4. Choose from the drop-down list of choices for the Remediation or Mitigation Status. This information will most likely come from the individuals within your authority who are responsible for status reports. If the choices do not properly reflect your status, type in your own status description.
5. Based on the level of dependency and the remediation or mitigation status, assess the remaining risk and assign a value of High, Medium, or Low. Alternatively, you may choose to comment on your analysis rather than assign a specific level of risk.
6. Once you have determined the highest remaining risk areas, focus your Contingency Planning initiative to address the risk areas. This would include which business processes need contingency plans, how detailed the plans should be, and
RISK ASSESSMENT WORKSHEET
Directorate/Business Unit:
Business Process:
Columns for each area of concern: Level of Dependency (H/M/L) | Mitigation Status | Risk Assessment (H/M/L)
Areas of Concern
PC/LAN
Hardware
Operating System
Third Party Software
Utilities/Macros Date-Impacted
Custom Source Code/SCL
Internal Interfaces
External Interfaces (Banks, Government Agencies, Other NC)
Shared Data
COMMUNICATIONS
Communications/Network
Hardware
Operating System
Third Party Software
Telephone Switches
Voice Mail
Voice Response Units
Customer Service Centre reliance
Mobile Phones
Pagers
Fax
FACILITIES
Power
Water/Sewer
Fire Alarm Systems
Security Systems
Building Control Systems
Parking Control Systems
DEPENDENCIES
Application Interfaces
Hardware Infrastructure
Supplier Support
ChatGPT is an example of an artificial intelligence (“AI”) program. These “Large Language Models” (LLMs) continue to develop at an ever-accelerating rate. There are several key issues to consider. The UK Government AI Strategy is a good starting point for understanding the context and background [5]. It is also very useful to understand where AI fits into the wider data science and information management disciplines [6].
Key issues to consider
· Ethics
· Bias
· Privacy
· Copyright infringement
· Extensibility
· Secondary mining of the Metadata
· Access Control
· Consistency of output
· Data Protection (GDPR) – the right to query automated decisions.
· The right to be forgotten.
· Legal implications – vicarious responsibility for ChatGPT-generated answers and advice.
A few initial thoughts
· AI is the single most exciting and terrifying technology to emerge for some time.
· Whilst AI has been around for years, there is a paradigm shift underway.
· Machine learning models bring a whole new meaning to “standing on the shoulders of giants”. LLMs will multiply, and the pervasiveness of AI will grow exponentially.
· Consider AI in terms of Moore’s Law. CPU growth has saturated; processors have become more powerful and RAM and storage cheaper. Energy cost is now the limiting factor.
· Once the LLM and AI snowball starts, the momentum will accelerate exponentially.
· We may not be ready for it.
· Think Blue/Red = Purple Teaming: consider both the opportunities and the threats.
ChatGPT is a chatbot powered by a deep-learning language model from OpenAI’s GPT-3 family (the GPT-3.5 series). Its release in November 2022 took the world by storm because of its impressive ability to write in a human-like way.[3]
The artificial intelligence (AI) powered chatbot ChatGPT is being used for a wide range of applications that require natural language processing and text-based conversation. The large-scale language model developed by OpenAI uses deep-learning techniques to generate human-like responses in text-based conversations. It can be used as a chatbot or virtual assistant, and for language translation, content creation, education, solving complex problems and even writing code.
However, there have been occasions when ChatGPT’s servers have been overloaded with users, locking them out of the bot. On 27 February 2023 ChatGPT reportedly went down for over three hours.
OpenAI said that the outage was due to “database instabilities”, and a fix started rolling out a couple of hours after the servers were taken offline.
This was the second major outage ChatGPT had seen in the last 90 days: on 21 February another outage brought the chatbot down for four and a half hours. As its popularity and user base grow, such outages may become a regular occurrence. With the increasing demand for AI writing tools like ChatGPT, people are looking for ChatGPT alternatives to help them be more creative. [1]
We will consider some of the issues and key questions. Is this a useful new technology, something to be trusted? Is it here to stay, or a passing trend?
Cyber Risks & Cyber Opportunities
There are some interesting issues around ChatGPT and inputting sensitive data. Beware: understand any data protection concerns and other privacy and copyright issues before you do. How do we assess the risks to confidentiality, integrity and availability? Use of the technology is currently novel, just as it was when WhatsApp and other cloud Software as a Service (SaaS) applications first appeared. When you ask it questions, are those questions then processed further and stored, adding to the collective consciousness? How will we know about innate bias in the questions or, more importantly, the intrinsic bias built into the answers, and who controls those? Ethics will be a real concern.
ChatGPT is a public platform used by millions of people from all over the world. This carries several security risks. For one, it gathers a lot of personal data that users, unassumingly, might provide, which in turn makes ChatGPT very attractive to attackers. While one could argue that private users interact with ChatGPT at their own risk, as a company you could become liable.
After all, you have to ensure user data privacy. If your customers’ personal data somehow becomes public through ChatGPT, you are not only in violation of privacy law; it can also damage the trust customers place in your company.
In addition, depending on what type of information you put into ChatGPT, you run the risk of making sensitive company information public. For instance, if your marketing team is playing around with the chat technology to come up with a good copy for sending out a customer e-mail about a new product that hasn’t been released yet, this information might become public before you even launch the product.
Or, ChatGPT might come up with a text that is protected by copyright laws. If your marketing team then uses this text, you could face legal charges.
Summing up, ChatGPT is a very promising and enticing technology, but it’s not quite ready for business use yet. However, there are safer alternatives!
Security Implications
Unsurprisingly, news of ChatGPT’s ability to write malicious code furrowed brows across the industry. It has also seen some experts move to debunk concerns that an AI chatbot could turn wannabe hackers into fully fledged cybercriminals.
ChatGPT and AI in Cyber Security
Here are five key areas of cyber security that ChatGPT and AI could impact, for better and worse.
1 - High-Volume Spear Phishing
Spear phishing emails are malicious emails targeted at a specific person or organisation. Threat actors often deploy this social engineering technique to gain access to an account or initiate fraudulent transactions. A large variety of online sources, from company websites to social networking platforms, arm attackers with useful information about people and companies that can help them craft more convincing spear phishing emails.
The targeted nature of these emails normally makes them hard to scale to the level of ordinary email spam. Part of the reason is the research required, but it is also that increased cyber security awareness makes people more likely to spot the obvious signs of mass phishing, such as spelling errors or clunky language. And with many attackers not being native English speakers, such mistakes appear often in the mass phishing emails they write.
However, advanced chatbots like Chat-GPT could change the game and enable high-volume, targeted, and effective spear phishing email campaigns. Research carried out separately by two different security companies in December 2022 found ChatGPT could write a plausible and well-written phishing email impersonating a web hosting company and a CEO.
Asking ChatGPT to write a phishing email now gets flagged as unethical activity, which suggests OpenAI paid attention to the concerns of security researchers. But similarly advanced AI text-based tools will likely emerge, and not all of them will flag requests or queries as unethical. Scaling these difficult-to-detect spear phishing emails might become far more feasible for hackers in the not-too-distant future.
2 - Malware-as-a-Service
ChatGPT’s programming prowess sets a worrying precedent in lowering the barriers to creating malware. It’s trivial, for example, to get ChatGPT to write VBA code that downloads a resource from a specified URL any time an unsuspecting user opens an Excel workbook containing that code. Such a request would make it very easy to weaponise a phishing email with a malicious Excel attachment without requiring in-depth skills or knowledge.
The resource downloaded onto an end user’s computer could be a keylogger or a remote access trojan that provides access to a system or network and sensitive assets. Some security researchers were even able to get the bot to write malicious PowerShell scripts that delivered post-exploitation payloads (ransomware).
While ChatGPT’s coding skills are a concern, it still requires at least some degree of cyber security knowledge to manipulate queries in a way that produces working malicious code. A perhaps more pressing issue is that generating malware from text commands alone opens up more opportunities for malware-as-a-service. Cybercriminals with real hacking skills could easily use ChatGPT to automate the creation of working malware and sell the end product as a scalable service.
3- Propagating Fake News
With its impressive writing abilities, ChatGPT comes with a lot of abuse potential in the context of spreading fake news. Eloquent yet false stories can be generated with a simple sentence prompt. Media outlets such as Sky have already experimented with letting ChatGPT write articles.
Fake news stories about personal data breaches or security vulnerabilities could be written by malicious insiders or published by hackers that infiltrate journalists’ or users' accounts at high-profile publications and organisations. While unlikely, the possibility of this Orwellian outcome of not being able to decipher fact from fiction would lead to chaos and a loss of trust. At worst, a complete undermining of consumer confidence in the digital economy could ensue.
4 - Enhanced Vulnerability Detection
Turning to a more positive perspective, ChatGPT (and AI in general) show great promise in improving vulnerability detection. Try the following experiment: copy a snippet of code from this GitHub page of vulnerable code snippets and ask ChatGPT to examine the code for security vulnerabilities. You’ll notice that the tool quickly flags whatever happens to be wrong with the code and even suggests how to fix the security weaknesses.
Turning to the broader field of AI rather than just ChatGPT, the powerful machine learning models that underscore these technologies can also enhance vulnerability detection. As a network and the number of endpoints on it grows, detecting anomalies and weaknesses becomes more challenging. AI-powered tools are far more effective at unearthing vulnerabilities because they can use enormous sets of training data to establish what’s normal while reducing the time to find what is abnormal on a network.
5 - Automating Security Team Tasks
Cyber security skills gaps continue to place an excessive burden on security teams. The UK government’s 2022 report found 51 per cent of businesses have a basic skills gap in tasks like configuring firewalls, and detecting and removing malware. This skills gap places a heavy burden on existing teams to the point where alert fatigue and burnout are common issues.
Automation has a critical role to play in easing the impact of cyber skills shortages and helping security teams defend their organisations in today’s threat landscape. ChatGPT excels at rapidly writing programs and code that could prove beneficial for automating a range of security tasks. As an example, it takes a few seconds to produce a simple Python program that will scan for open ports on a given hostname.
You’re aware by now that ChatGPT can be manipulated to write malicious code, but the flip side of this is its usefulness in analysing malicious code to help figure out what it does. From explaining how various Windows registry keys can be used by malware to describing what large chunks of malicious code are attempting to do on a system, speeding up and strengthening the tricky area of malware analysis is invaluable for many organisations.
Getting prepared
While it’s still early days in understanding the full implications of ChatGPT and AI in cyber security, the ideas here offer a snapshot of what’s possible. Getting prepared for both the good and the bad of AI requires a smart cyber security strategy that accounts for these technologies’ increasing influence.” [3].
Annex A
A few of the alternatives:
ChatSonic
India's ChatSonic can be considered one of the alternatives to ChatGPT. It was introduced in 2021, earlier than OpenAI's ChatGPT. Unlike ChatGPT, ChatSonic incorporates text-to-speech and Google Search into its operation, making it effective enough to provide the most recent responses to your inquiries. processing to provide accurate summaries of current events, trends, and conversations.
Jasper AI
The Jasper AI programme, originally known as Jarvis, is one of the best AI writing tools. It is a recent addition to the large language model-based AI chatbots. It is an AI writing assistant powered by OpenAI's GPT-3.5 model. month or $588 per year. The creation of Jasper AI enables individuals and teams to scale their content initiatives using AI.
Jasper claims that because it has read the majority of the public internet, it is fluent in over 25 languages and is knowledgeable about almost every niche. It makes the claim that it can assist users with translating the text as well as writing "blog articles, social media postings, marketing emails, and more." Jasper also promises to deliver content that is “word-by-word original” and “plagiarism-free”.
Authoring services like Headline and Shortly AI have been acquired by Jasper. These programmes aim to be fully integrated with Jasper, however, they are currently standalone solutions. In Jasper AI, the content is produced for you when you select a topic and fill out a form with the necessary information.
Bard AI
Like ChatGPT, Bard AI, Google's newest and most innovative AI-powered chatbot, is being developed on the company's LaMDA AI platform. It is an experimental conversational AI service that is expected to have a significant impact on the AI industry.
LaMDA eliminates the limitation of having data confined to a specific year and revolutionises Bard's natural language processing capabilities by enabling it to interpret and respond to human input with more precision. Google claims that Bard can generate texts and answer questions. This new conversational AI chatbot project by Google is also known to summarize texts. The company began testing the bot on February 6, 2023.
Microsoft Bing AI
Recently, Microsoft added artificial intelligence to its search engine, which is now referred to as Bing AI. The OpenAI large language model, which is far more powerful than ChatGPT and GPT-3.5, is the foundation of Bing AI, which was created with the express purpose of elevating search to a new level. It has been optimised for maximum speed, accuracy, and efficiency. To guarantee customers receive the best results, it takes advantage of the important developments and lessons learned from its forerunners.
Microsoft unveiled new AI-enhanced features for its Edge browser, called "Chat" and "Compose", in addition to the current Bing feature. Additionally, Microsoft has just released Bing and Edge mobile apps for iOS and Android users.
Bing gives users the ability to ask queries with up to 1,000 words and get AI-powered responses. Its capacity to process complex inquiries makes looking up information faster. If ChatGPT-powered Bing can't provide a direct response to your query, it will give you a selection of related results. Bing AI as of now has no upfront cost. 1000 transactions are free per month.
DialoGPT
Microsoft's DialoGPT is a large-scale pre-trained dialogue response generation model specifically built for multi-turn conversations. DialoGPT is a significant pre-trained system for producing replies that can be used in multiple dialogue exchanges. It was trained using a massive dataset of 147 million multi-turn discussions extracted from Reddit discussion threads between 2005 and 2017.
Similar to the outputs of GPT-2, the sentences that DialoGPT generates are astonishingly diverse and include information that relates to the initial prompt. According to Microsoft, DialoGPT is more conversational, animated, frequently lighthearted, and generally extremely dynamic — qualities that might be appropriate for the use you're considering. DialoGPT, however, does not offer voice search, voice response, or personalities. Since this is a brand-new launch, there is no specific information about the pricing structure available.
NeevaAI
NeevaAI combines the efficiency and most recent data of the Neeva search engine with the strength of ChatGPT and other large language models.
Two former technology executives, Vivek Raghunathan, vice president of monetization at YouTube, and Sridhar Ramaswamy, former senior vice president of ads at Google, designed the search engine.
The system developed by NeevaAI is capable of searching and sorting through hundreds of millions of web pages to produce a single, comprehensive response that includes pertinent sources. Neeva can be compared to a search engine that has been given AI enhancements, but it is not yet a fully functional chatbot that is powered by AI. Neeva AI also provides references in its outcomes.
CoPilot
If you have been writing code with ChatGPT and want to look at services that provide the same or even better results, you can check out GitHub’s Copilot. Copilot uses the GPT-3 model from OpenAI Codex for auto-completion.
This application supports various well-known coding environments, including VS Code, Neovim, and JetBrains. It also supports cloud workflows via GitHub Codespaces. It can produce syntax in up to 12 languages, including JavaScript, Go, Perl, PHP, Ruby, Swift, TypeScript, and BASH. In addition, it supports multi-language scripting, and the model is powered by trillions of lines of open-source code from the public domain, such as those found in GitHub repositories.
Character AI
Character AI is based on neural language models and has been trained from the ground up with conversations in mind. Instead of talking with a single AI chatbot, Character AI allows users to select from a variety of personas. Elon Musk, Tony Stark, Socrates, Joe Biden, and Kanye West are just a few of the many characters and people that may be found on the home page. The finest part is that the AI adjusts its conversational style according to the person you selected. Creating your own character is also quite fun, as you can design it as you go along.
The AI has a built-in image generator for avatar creation. Once done, you can start chatting right away and even share it with others. Character AI is free to use, but you do need to make an account since the chat gets locked after a few messages.
YouChat
Another conversational AI model called YouChat was introduced by the search engine You.com. It functions similarly to ChatGPT and essentially performs what other generic chatbots do.
Artificial intelligence and natural language processing are used by YouChat's AI to mimic human speech. It can create emails, write code, translate, summarise, and respond to general inquiries. It offers average responses because it is still in the development phase.
While you can just talk to it, YouChat can also write code, give advice, break down complicated concepts, summarize books, and a lot more. It claims to provide the latest information; however, it sometimes commits errors there as well. YouChat is completely free to use, so you need only visit the website and start chatting.
Elsa Speak
Elsa Speak is a language-learning programme powered by AI. It analyses the user's voice using AI and creates a set of tasks that are simple for the user to understand. Elsa Speak is thus another of the best ChatGPT alternatives to consider.
Elsa, as an English-speaking speech assistant, may aid you in translating between many languages and English. The AI system used by ELSA was developed using voice recordings of English speakers with a variety of accents. This gives ELSA an advantage over most other voice recognition algorithms by allowing it to recognise the vocal patterns of people who do not speak with a native level of ability.
Useful additional background articles and resources
https://www.digitaltrends.com/computing/how-to-use-openai-chatgpt-text-generation-chatbot/
https://www.digitaltrends.com/computing/google-launches-chatgpt-rival-bard-ai/
https://www.digitaltrends.com/computing/the-best-chatgpt-alternatives-according-to-chatgpt/
https://www.digitaltrends.com/computing/microsoft-chatgpt-bing-launch/
https://www.nytimes.com/2023/01/12/technology/microsoft-openai-chatgpt.html
https://www.digitaltrends.com/computing/microsoft-might-put-chatgpt-ai-into-outlook-word-powerpoint/
Other outcomes, novel applications:
Voice actors https://www.digitaltrends.com/computing/voice-actors-seeing-an-increasing-threat-from-ai/
https://medium.com/@colin.fraser/chatgpt-automatic-expensive-bs-at-scale-a113692b13d5
https://www.darkreading.com/endpoint/scammers-mimic-chatgpt-steal-business-credentials
References
[2] https://techcrunch.com/2023/04/17/chatgpt-everything-you-need-to-know-about-the-ai-powered-chatbot/
[5] https://www.gov.uk/government/publications/national-ai-strategy
This page explores a suggested approach to Cyber Maturity planning for Local Authorities, using a progressive journey metaphor. This is DRAFT work as of November 2021.
DRAFT for Comment – Not Policy until approved.
When we first looked at this as a pure Cyber Maturity Modelling exercise, it was perceived to be a move through the traditional maturity modelling approach. However, when we further explored the problem and what we were being asked to do, it became clear it was actually about mapping out pathways to a destination, which was an agreed level of Cyber Maturity.
This journey, then, is not necessarily linear, but more about different pathways and routes with waypoints and bridges to the same destination. For some the journey will be short, for others long. There is also the issue of budget and resource, whether you are walking, hitch-hiking, taking public transport or being chauffeur driven.
The language of a journey, pathways and routes means that in some cases an organisation may be mature and experienced and further along the pathway, while others have barely started out. The length of the journey, some of the route and maybe the transport method will be determined by the relevant profiles discussed later. Part of the journey may be common to all, provided by free public transport in the form of taking up and deploying the NCSC Active Cyber Defence programme resources that are free to consume. The last part of the journey for some may be on foot into uncharted territory, a regional Shared Cyber Operations Centre for instance.
The original thought was a Cyber Maturity Model; however, the tasking is to consider the Cyber maturity pathways, to define a journey towards having Cyber, especially its defence and resilience aspects, fully optimised in the organisation. If we take the journey analogy forwards, the quote from Alice in Wonderland seems apt.
"If you don't know where you're going, any road will take you there." This oft-cited but not-quite-accurate quote is from Lewis Carroll's classic children's tale, Alice in Wonderland. [1]
What’s required at each level?
Why are we doing this in the first place? (The Shared Cyber Doctrine) [2]
To keep the organisation's information safe, secure, accurate and available. This is the overarching strategy that supports a higher shared UK doctrine, the real “Why & How”: things like protecting our freedoms and democracy, and keeping the UK safe from Cyber Attacks so that it is a good place to live and transact business using Cyber to do so. This UK Cyber Doctrine then translates into the UK defence and UK Cyber Strategy, which underpins the entire approach for how we do things.
It is suggested to start with a baseline, a checklist approach for expediency, then the initial findings are baselined and the next steps and gaps can be identified, along with acknowledging good practice that’s already in place.
Measures are deployed through life, via the metaphor of a journey, so the language, approach and idiom must be the language of dynamic risk and movement. Language can influence communications immensely, which is the basis of NLP (Neuro Linguistic Programming) [3].
Using Weak Signals [4] to pick out the threads of improvement that already exist and can be built upon will give the initiative goal-based momentum. Nudge [5] is used to shape all training, education and awareness raising: to highlight the good things that exist, and then to highlight, clearly focus on and constantly reinforce the areas that need additional work. Nudge is all about constant, almost subliminal communication, using briefings, messaging, and incorporation into routine communications and social media. We could think of this as a broad-spectrum holistic approach, taking every opportunity. A Rich Picture [6] can help articulate the vision in a visual way. A Wardley Map [7] can help to capture the key steps and stages. Defining the needs and outcomes in terms of a Wicked Problem [8] and Soft Systems Methodology [9] can also help. The whole point is that this is really a transformational change journey, needing alternative pathways depending on need. Having these pathways clearly articulated before engagement then facilitates a predefined set of options that a practitioner can analyse and apply as appropriate.
Keeping with the journey analogy, the destination is mapped; however, it may be necessary to complete some waypoint journeys along the way, and these diversions from the main path will ensure consistency. There is a very famous saying I like from NLP, “The Map is not the Territory” [10]. Using metaphor, stories and parables enables communication of quite poignant technical issues in a simple, understandable way. 90% of communication is about knowing the audience and adapting the same messaging to a diverse audience.
“Profiles Principles, Pillars and Pathways”
One size does not fit all. UK Councils vary in size and remit. Their common traits are that they administer their locality and are sovereign democratic entities by statute. Their size, systems and services can be quite different. There are other causal variables as well: their political direction, whether they have outsourced their ICT services, etc. Therefore, we need several agreed profiles. The Cyber journey through to the destination must be achievable by all organisations regardless of type and size. Appropriateness of the wording of the expectations, to realise the required effects, is the key.
The principles detail the outcomes, the “Effects”, required. “Effects” is a particular phrase that resonates in the Resilience, Cyber and Military world: for instance, if COBR/A requires an action to take place during an emergency or crisis, they will not be prescriptive about how it is done; they will, however, articulate the “Required effect” [11], which is the required outcome.
This in turn is a parallel to the articulation of principles, which themselves state the actual problem to be solved with a hint (nudge) towards the outcome and how to achieve it. In agile, we use “User Stories”; this too would work well in this part of the journey. We use the previously referenced P3T (Personnel, Physical, Procedural & Technical) approach, which we have updated to a “P4T Model ©” to now include Profiles, which enables organisation-specific approaches according to the type and size of organisation. The Personnel aspect here would be behavioural; I refer to it as “Behaviour Shaping”, which is ultimately the effect we are trying to achieve.
P4T (C)2020/21
• Personnel
• Physical
• Profiles
• Procedures
• Technical
The Pillars are the cyber domains, sometimes referred to as the Underpinning Cyber Aspects (UCAs), which are detailed below. In articulating to an organisation what good looks like, the UCAs present several areas and aspects that are tangible and can be measured. This means they can be baselined and then reported on. This compliance approach would use a phrase well known in Local Government Audit, that of Key Lines of Enquiry (KLOEs). The pillars support the entire ecosystem model. They are the supports that hold up the building above (think of a tower block: the underground car park always has the supporting pillars holding up the structure above). The building in this case is the network, the systems, services, and data that underpin the organisation and the business. Never forget that the overarching objective of all of this is the protection, integrity, and availability of the organisation’s information.
The pathways are the route plans for each of the UCAs: the WHAT we need to achieve (the effect) and the HOW we get there. Think of them as a branch line off a main rail link, with a set of points at certain waypoints. The question at each set of points is “Does the desired effect, at the appropriate level for this part of the journey, exist? Yes or No”. If “Yes”, continue forward on the main pathway; if “No”, switch to the branch line, carry out the required actions to complete that waypoint and return to the main line to continue. This then becomes an iterative continuous improvement process.
C-TAG were using the phrase “Levelling up”, an approach recently coined in mainstream politics, back in the summer, so we will continue to talk about levelling up, as it describes the effect we want. Levelling up in this context means not having to “assume” that every Council in the UK is at a certain level of Cyber Maturity, at a certain point on the Cyber Resilience Journey; we need to be able to safely “expect” that to be the case. We have already discussed and descoped the idea of a level zero (“unknown status, not engaged and unable to contact the organisation to find out”). This means we expect all Councils to have made some progress towards Cyber Resilience, and the immediate expectation of a baseline starting point is clearly articulated.
Using the Underpinning Cyber Aspects, C-TAG and NCSC need to agree what level one looks like. This may be through the work of the LGA Cyber Programme or the combined efforts of the Department for Levelling Up, Housing and Communities (DLUHC) along with the Devolved Administrations.
Level or step one must be a unified, agreed and accepted minimum baseline across the UK. Level one will be predicated on statutory and legal requirements such as the Data Protection Act, which cannot be argued against, and therefore the “Checklist” will be a baseline that is reasonable to expect any organisation to have in place at no additional cost. The roles and responsibilities are a statement that the roles are in place, that is, that someone is carrying out the function. The NCSC Active Cyber Defence systems and services are available for all UK Local Authorities to consume at no cost, so that is reasonable to expect, etc.
The subsequent stages on the journey can be subject to agreement and debate. By the time we are discussing the destination it will require an articulation of what good looks like and a mixture of case studies exemplars, tools, and approaches to agree those principle led effects.
The last thing we want to do is create a new set of burdens for any organisation. This approach is about being a Learning Organisation [xxx], using proven methodologies such as double-loop learning [xx], which fosters a culture of continuous improvement. Once the momentum is there, especially through the peer support afforded by the WARPs and C-TAG, it becomes easier, as successes and failures are shared with peers in the safe place the WARPs and C-TAG provide. Where obvious wide gaps are identified within specific or general profiles, additional workshops, tools, templates, and good practice sharing can be facilitated. We are familiar with the 1-9-90 social collaboration model [xx] mentioned before; the WARPs especially foster this approach, where the WARP is led by a Subject Matter Expert who acts as a trusted catalyst to bring learning and advice to the group. The group then owns and adapts that learning and the suggested approaches into their own organisations. As far back as the 90’s there were the European Quality Assurance Framework (EQAF) model [12] and the McKinsey MIT 90’s model [13], both of which helped shape collaboration and learning. This was picked up by Osborne and Gaebler [14] in their work on reinventing Government, and in subsequent research undertaken by the author [15], which provided some of the original catalyst ideas that helped form the original WARP services in 2004/5. The work of Senge in his book The Fifth Discipline and its workbook [16] also helped shape a lot of these innovations, as did the approach discussed by Tom Peters around organisations and innovation in “In Search of Excellence” [17]. The LGA has always proposed peer support as a catalyst to service improvements. The introduction of profiles will help shape what success looks like and set acceptable expectations.
The main thing to get right is what we call each of these labels: something like “Initial” or “Preparing” for stage/level/waypoint one. The first label needs to reflect the start of the journey. The destination itself needs to intimate both arrival at the destination and the continuance of the journey, as one thing we know about Cyber is that it is evolving, dynamic and continuous. Attacks, subversion, and threats are going nowhere.
Cyber attacks and disruptions will be a constant moving forward and are likely to increase as the global players realise cyber offensive campaigns are highly effective and likely good value for money, with the real costs of Cyber falling on the defensive side.
Preparing / Preventing / Progressing / Protecting / Progressive
The above is a throwaway thought, not even a suggestion. We need each stage point to have a good narrative to explain that waypoint. The hard work starts on populating the steps and stages with the Underpinning Cyber Aspects (UCAs). Some of the waypoints will be hard stops. For instance, you can’t go beyond stage/level/point three until you have all NCSC ACD products and services in place, and progression beyond four requires that you have an active, trained internal Cyber Coordination Cell to support the LRF CTAC etc.
There is a lot of conflation between Risk Management, Information Security, Information Assurance, and Incident Response. This is where the profiles will come in useful, to shape the different UCAs.
These issues are well documented and well understood. We do not need another maturity model, framework or standard, but a way in which we can match stakeholder engagement and take-up of the various Cyber Programmes and initiatives. Where there are gaps, the journey approach will be able to signpost relevant materials, templates and guidance to help the organisation move forward.
The use of Profiles to provide a meaningful set of metrics, will be useful for strategic decision support in knowing which organisations have a well-developed understanding of Cyber Security according to their appropriate profile.
Having a UK wide Local Authority view will help shape investment and more importantly where gaps exist requiring interventions.
At all levels, we propose a set of profiles, reflecting needs, experience, and knowledge in the people as much as the technology. (In no particular order of precedence);
• Members (Councillors) – The Board in a private organisation
• Senior Management, Corporate Management Team
• Services Consumers [Users in old money]
• Suppliers – supply chain elements.
• Security / ICT Practitioners within the organisation
• Service Managers the SIRO & Information Asset Owners
In summary, the profiles cover service users and suppliers, practitioners and Service Managers (Information Asset Owners), Senior Management (SIRO) and the Corporate Management Team, and the Council’s Members (Councillors). We must include suppliers and Councillors, especially for the higher maturity tiers, as they must be informed and aware. The RACI approach [18] is also useful for analysing the internal communications and posture of organisations.
For each of the waypoints we propose a set of metrics and measurements that can be clearly articulated across the RACI domains (responsible, accountable, consulted, informed). We also recommend pseudo-anonymisation of organisation details and names, with an appropriate NCSC-facilitated FOI exemption for this information.
Each of the five levels can have a RAG status, as an organisation could be green at level 3, say, but amber at elements of 4 & 5; an improvement plan is therefore possible.
• Engagement / communications status
• Take up of ACD
• Member of NCSC CISP
• Member of Regional WARP
• Active in C-TAG/ Local CIO Council / Local Delivery Council
• Have a Cyber email address?
• Good Web/email Security
• Good Back UP strategy (Which has been tested!!)
• Cyber Essentials / PSN Compliance
• Following Data Handling guidelines
• Named SIRO / IAOs
• Corporate Information Governance Group meets.
• Suppliers are assessed (Cloud Principles) and aware of their responsibilities
• Regular Cyber Exercising
• Regular vulnerability Scanning
• Written and articulated Risk Appetite Statement
• Information Risks part of Corporate Risk Register.
• OWASP Framework used to protect Website.
• MITRE ATT&CK framework used for Risk Analysis / network defence.
• Contributions to National Policy etc.
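The waypoint and branch-line walk, the hard stops at waypoints three and four, and the per-level RAG status described above, as an added worked example (not C-TAG's own tooling). The grouping of the checklist items into waypoints 1-5, the RAG thresholds and the sample council's evidence are assumptions made for the illustration; the real matrix of levels and UCAs is still to be agreed.

```python
from dataclasses import dataclass

# Constructed allocation of the page's checklist items to waypoints 1-5.
# This grouping is an assumption for the example, not the agreed matrix.
WAYPOINTS = {
    1: ["engagement_status", "named_siro_iaos",
        "data_handling_guidelines", "backup_tested"],
    2: ["regional_warp", "ncsc_cisp",
        "cyber_email_address", "web_email_security"],
    3: ["cyber_essentials_or_psn", "info_governance_group_meets",
        "ctag_or_cio_council_active"],
    4: ["supplier_assessment", "vulnerability_scanning", "cyber_exercising",
        "risk_appetite_statement", "info_risks_on_corporate_register"],
    5: ["owasp_for_website", "mitre_attack_used",
        "national_policy_contributions"],
}

# Hard stops from the page: no progression beyond waypoint 3 without all
# NCSC ACD products and services in place, and none beyond waypoint 4
# without an active, trained internal Cyber Coordination Cell.
HARD_STOPS = {3: "acd_take_up", 4: "cyber_coordination_cell"}


def rag_status(level: int, evidence: set) -> str:
    """RAG status for one waypoint. Thresholds are an assumption:
    GREEN = every item evidenced, AMBER = at least half, RED otherwise."""
    items = WAYPOINTS[level]
    met = sum(1 for item in items if item in evidence)
    if met == len(items):
        return "GREEN"
    if met * 2 >= len(items):
        return "AMBER"
    return "RED"


@dataclass
class Assessment:
    rag: dict          # waypoint -> "GREEN" | "AMBER" | "RED"
    attained: int      # highest waypoint reached (0 = baseline not yet evidenced)
    branch_line: list  # actions needed before the next waypoint, hard stops first


def assess(evidence) -> Assessment:
    """Walk the main line from waypoint 1, switching to the branch line at
    the first waypoint that is not GREEN or whose hard stop is not met."""
    evidence = set(evidence)
    rag = {level: rag_status(level, evidence) for level in WAYPOINTS}

    attained = 0
    for level in sorted(WAYPOINTS):
        if rag[level] != "GREEN":
            break
        attained = level
        stop = HARD_STOPS.get(level)
        if stop is not None and stop not in evidence:
            break  # green at this waypoint, but the hard stop blocks the points

    # Branch line: the hard stop (if any) comes first, then the gaps at the
    # next waypoint; an empty list means the destination has been reached.
    branch_line = []
    stop = HARD_STOPS.get(attained)
    if stop is not None and stop not in evidence:
        branch_line.append(stop)
    next_level = attained + 1
    if next_level in WAYPOINTS:
        branch_line.extend(item for item in WAYPOINTS[next_level]
                           if item not in evidence)
    return Assessment(rag=rag, attained=attained, branch_line=branch_line)


# Constructed evidence for a hypothetical council: waypoints 1-3 complete,
# partial progress at 4, nothing at 5, and no ACD take-up yet.
SAMPLE_COUNCIL = {
    "engagement_status", "named_siro_iaos", "data_handling_guidelines",
    "backup_tested", "regional_warp", "ncsc_cisp", "cyber_email_address",
    "web_email_security", "cyber_essentials_or_psn",
    "info_governance_group_meets", "ctag_or_cio_council_active",
    "supplier_assessment", "vulnerability_scanning", "risk_appetite_statement",
}

if __name__ == "__main__":
    result = assess(SAMPLE_COUNCIL)
    print("RAG by waypoint:", result.rag)
    print("Waypoint attained:", result.attained)
    print("Branch line actions:", result.branch_line)
```

The sample council is green at waypoints 1-3 and amber at 4, but the missing ACD take-up is a hard stop, so it stays at waypoint 3 with ACD at the head of its improvement plan.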
1) The next stage is to agree the Cyber Underpinning Aspects (CUAs) and then define them with a narrative against steps/stages or waypoints 1-5 (zero having been excluded from the conversation, so zero is also one), and to define the differences in the profiles (District/Unitary/County Council, Shared Service Partnership, insourced/outsourced ICT etc.).
2) Define a set of profile-appropriate user stories or personas, so that the attainment statements are clear and measurable, either with assertions (that can be evidenced) or through monitorable artefacts (ACD take-up, email posture, web site security / digital certificates etc.). OWASP….
3) Refine the Draft spreadsheet Matrix of levels and CUAs with Narrative and then adapt the matrix for each profile.
4) Agree the labels for the level and the language to be used.
5) Undertake a pilot with the initial artefacts and journey map.
References:
[1] Alice in Wonderland: https://eric.ed.gov/?id=EJ997652
[2] Joint Doctrine: https://www.gov.uk/government/collections/joint-doctrine-publication-jdp
[3] NLP: https://www.nlpacademy.co.uk/what_is_nlp/
[4] Weak Signals: https://sloanreview.mit.edu/article/how-to-make-sense-of-weak-signals/
[5] Nudge: https://www.imperial.ac.uk/nudgeomics/about/what-is-nudge-theory/
[6] Rich Picture: http://systems.open.ac.uk/materials/T552/pages/rich/richAppendix.html
[7] Wardley Maps: https://learnwardleymapping.com
[8] Wicked Problem: https://www.stonybrook.edu/commcms/wicked-problem/about/What-is-a-wicked-problem
[9] Soft Systems Methodology: https://www.open.edu/openlearn/ocw/mod/oucontent/view.php?id=65641&section=6
[10] The Map is not the Territory: https://conceptually.org/concepts/the-map-is-not-the-territory
[11] COBR/A Effects: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/192425/CONOPs_incl_revised_chapter_24_Apr-13.pdf
[12] EQAF: https://eua.eu/component/attachments/attachments.html?task=attachment&id=1746
[13] MIT 90s Model: https://www.mckinsey.com/business-functions/people-and-organizational-performance/our-insights/the-organization-of-the-90s
[14] Reinventing Government: https://files.eric.ed.gov/fulltext/ED367424.pdf
[15] M Brett, MRes (1999): https://www.researchgate.net/publication/268517871_User_Led_Innovation_in_Local_Government_Service_Delivery_September_1999
[16] Senge (The Fifth Discipline): https://mitsloan.mit.edu/faculty/directory/peter-m-senge
[17] Tom Peters, In Search of Excellence & Agile: https://blog.crossknowledge.com/excellence-according-to-tom-peters/
[18] RACI: https://www.cio.com/article/2395825/project-management-how-to-design-a-successful-raci-project-plan.html
Background
Things go wrong in ICT systems, either accidentally (a wrong parameter or filename used) or through a deliberate act of maleficence to cause harm to the system, such as an attack, often through the Internet, which we now refer to as a Cyber Attack.
Modern computer networks and systems can be defended automatically to deal with the majority of low-level attacks; where these attacks are mitigated and resolved, they are referred to as events. Where an attack or event actually causes a physical outcome (system crash, malware infection etc.), that leads to an Incident. The overall monitoring system for dealing with systems and networks is referred to as a SIEM (Security Information and Event Management) system.
Prerequisites
Defining Incident Response
We’ve discussed events and what leads to an incident. When an incident happens, the first thing that needs to happen is actually to be aware of the attack. Some attacks can go undetected for months. This is why we ensure that systems are secure by design; this is the whole purpose of Information Assurance and Risk Management. The only objective of Incident Response is to get to the make-safe point, where the unwanted system / network behaviour is stopped in its tracks. Once at make-safe, the next and longer phase is Incident Recovery. The objective of the recovery phase itself is to get the system / network back to a stable state, that is, how the network or system was at the point the incident happened. Incident Recovery is not about improvement. Both Incident Response and Incident Recovery have clearly defined boundaries.
An incident can be thought of as a fast-time, resource-intensive project, and if thought of as such, with a start, middle and end, it becomes far easier to know when an incident is concluded. Open-ended incidents are not good practice and allow non-incident-related issues to be introduced, causing complications and additional complexity.
Where to start?
Planning
Plan and prepare: establish an information security incident management policy, form an Incident Response Team etc.
Detection and reporting: someone has to spot and report “events” that might be or turn into incidents;
Assessment and decision: someone must assess the situation to determine whether it is in fact an incident;
Responses: contain, eradicate, recover from and forensically analyze the incident, where appropriate;
Lessons learnt: make systematic improvements to the organization’s management of information risks as a consequence of incidents experienced.
The figure above shows the types of attack vectors, how the malicious code / data gets into the network / system.
The NIST approach discusses:
Preparation (Planning)
Detection and Analysis (Response)
Containment (Make safe)
Post-incident action (Recovery)
The Erez Dasa table above shows how these can map across to technologies in the cloud.
Exercising
Responding
The guide also discusses the NLAWARP / Silverthorn SIRO Risk Framework ©, with its six stages, mapping:
Identify and map out key systems / services /suppliers
Identifying how we get assurance for key systems services / suppliers
Identifying Key Information Risks (to develop Key Risk Indicators (KRIs)
Articulating Information Risk Statements (Risk / Threat/ Vulnerability/Exploit)
Source Isaca [23]
Recovering
Procuring help to recover from an incident (NE WARP Case study)
our objectives:
To have a ready-to-go incident response service to hand for whenever required
To have the option of annual readiness check in terms of required documentation etc. that would be requested by an incoming response service
options:
procure up front and have on standby
procure at the time of need
use CCS (Crown Commercial Services) dynamic purchasing system for cyber which includes NCSC CIR (Cyber Incident Response) providers
conduct a local procurement
In the event of a critical incident requiring incident response it is likely emergency procurement would be possible. However, we’d still need to find and identify potential suppliers, explain our situation and what we think we need, enquire of their availability and costs.
Preferred route – CCS DPS
CCS DPS has minimum 10-day turnaround, clearly not appropriate for Incident Response at the time of need. NE WARP is looking to discuss with suppliers to agree to reduce this.
Buyers would need to follow the DPS buying process, complete necessary documents and be happy with the 'legal basis'- this would require procurement resource at the time of need - however templates etc could be developed. This is something that needs to be factored in to the planning assumptions.
References
[21] Categorising Cyber Incidents: Uma, M. and Padmavathi Ganapathi. “A Survey on Various Cyber Attacks and their Classification.” I. J. Network Security 15 (2013): 390-396.
This paper brings together some concepts and ideas to support organisations in implementing Cyber Incident collaboration and Coordination, focussing on the need for fast time communications.
Fast Time Cyber Collaboration & Communications
This primer contains a wide range of references to be used in preparing your own plans, processes and approaches. The approach is aligned to ISO 27010:2015 [80].
This paper highlights outputs from the Welsh Government Cyber Security work programme (2017-2020) and augments them with reflections on the Fast Time Communications required to coordinate a multi-agency cyber incident within the Wider Public Sector. These approaches support ISO 27010, the standard for sharing information security advice and guidance, which is also supported by MISP [80].
A Cyber Incident, its planning, response and recovery, can be treated and operated as an unplanned project; we therefore contend that project planning methods and approaches can be applied to Cyber Incident Response, from complex large-scale enterprise project planning using PRINCE [77] through to the dynamic, iterating approach of agile [78]. Likewise, Emergency Planners gain a lot of their insight and thought processes from Military Planners, which explains why military planning and doctrine isn’t just applicable in warfare: it also works in other situations such as Cyber Incident Response [79], as seen during the logistical planning of the Covid-19 pandemic.
Cyber Incidents are fast moving, dynamic and complex. You’re often trying to resolve a situation without knowing what has actually happened and what it actually is. You find yourself responding to the symptoms, trying to stop the outbreak spreading, against a backdrop of continued operational service delivery. In short, you want help, often peer support (“Phone a friend”) through your WARP or similar. The NCSC will advise and assist, but they have to focus on their “C3” and above type incidents; this means you need to put your own measures and coordination in place.
Systems Dynamics has been used successfully as an approach and methodology for mapping complex cyber attacks and for understanding the evolving “Battle Space” of a Cyber Incident [9,10,11]. Cyber has been referred to as the fifth battle domain of armed conflict as far back as 2011 [13]; even though most cyber attacks are against businesses, we mustn’t lose sight of the fact that nation states now have offensive cyber capabilities [14].
Cyber attacks are fast moving, dynamic and remotely orchestrated. The initiating actors could be on the other side of the world and can instantly initiate a polymetric attack from multiple locations; this in itself can cause confusion and necessitates a Common Operating Picture [15]. Building a common operating picture requires all of the actors, operations, locations, techniques and processes to be quantified and documented. This approach allows Situational Awareness to be developed, quantified, prioritised and communicated [16].
The heart of the collector-funnel model is the 2x2 grid that considers slow time / fast time communications coupled with manual and automated interventions. We have called this the Temporal Actions Matrix. This paper focuses on the fast time aspects of communications, which can be thought of as dynamic and evolving. Slow time is often referred to as Business As Usual (“BAU”). Fast time operations and response are more dynamic, less predictable, and may even mean that you can’t use your normal ICT channels because they are themselves affected.
Figure 1 © Author NLAWARP Information Flow Funnel showing the embedded Temporal Actions Matrix
Figure 2. The slow time / fast time event matrix
This work was started in the London Resilience team in 2003. The main point of this whole paper is to understand the two distinct modes of operation: Business As Usual (BAU), which we refer to as slow time, and when we “Flip the Switch or Push the Big RED Button”, which takes us into fast time response mode. It is also useful to think about planned and unplanned events and how those affect the response to a Cyber Incident. This is where Systems Dynamics can also help, being able to produce causal maps to show interventions in Cyber Incident Response and to map out the causal variables and how they apply to systems, services and processes [9]. Most business entities and organisations are accustomed to dealing with ad hoc incidents. The Emergency Services (often referred to as “Blue Light Services” in the UK) are accustomed to flipping constantly from BAU to Incident Response, every time they get an emergency call. IT departments are dealing with incidents on a daily basis. For the purposes of this paper, we are talking about larger tangible incidents, their response and mitigation. Fast Time Communications in the context of this paper concern groups of individuals and organisations outside of a single entity [29]. This phenomenon is a “Trans Boundary Crisis” [29]. The response to a trans boundary crisis is often referred to as “Crisis Management” in businesses and “Major Incidents” in the Emergency Services. The Emergency Services have a standardised approach to a Major Incident; it is clearly defined [24]:
“An event or situation with a range of serious consequences which requires special arrangements to be implemented by one or more emergency responder agency”.
Cyber Incidents do not have such a clear definition. The NCSC defines a cyber incident as [25];
“A breach of a system's security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems; in line with the Computer Misuse Act (1990). In general, types of activity that are commonly recognised as being breaches of a typical security policy are:
1. Attempts to gain unauthorised access to a system and/or to data.
2. The unauthorised use of systems for the processing or storing of data.
3. Changes to a system's firmware, software or hardware without the system owner's consent.
4. Malicious disruption and/or denial of service.”
(It should be noted the Computer Misuse Act (1990) is under review as of June 2021 [26].)
This is linked to the Integrated Review [27], a review of Defence including Cyber; reviewing the Computer Misuse Act will be key to the next Cyber Strategy for the UK [28], due in Autumn 2021, which must include further defence measures. The need for Fast time communications policy and guidance for Public Sector Organisations in the UK is therefore a requirement. This will include the development of Cyber-specific guidance to support the Doctrine element of the JESIP framework [28], to enable it to be used for Incident Response in support of the Emergency Services.
You cannot control every element of a cyber attack. However, having good asset registers and diagrams, understanding your environment and being able to quantify what you can deal with goes a long way.
For instance, if you lose access to a system or service through a communications network outage, then you may be wholly reliant on an external utility provider to be able to restore the service for you. If you were notified about planned maintenance a week in advance, it would be a planned slow time event, whilst the actual outage would still likely present some unforeseen issues to be resolved. Knowing who is critical in a process and who has to be informed, goes a long way towards lowering the impact of an incident. This is where the RACI matrix comes in useful. [17]
The acronym RACI stands for
Responsible - these people undertake the work. They complete the task or objective or make the decision.
Accountable - the “owner” of the work. They sign off or approve when the task, objective or decision is complete. They make sure that responsibilities are assigned in the matrix for all related activities. One person is accountable.
Consulted - the people who need to give input before the work can be done and signed-off on. These people are active participants.
Informed - these people need to be kept “in the picture.” They need updates on progress or decision, but they do not need to be formally consulted, nor do they contribute directly to the task or decision.
The RACI approach has been used successfully to develop Incident Playbooks in a dynamic fast time environment. It is contended that the RACI Matrix can improve fast time communications during an incident and the mitigation of threats [20]. Being able to triage ahead of time WHO needs to be told WHAT, WHEN, HOW and WHY will save precious time and encourage effective Crisis Management.
One of the first actions in responding to an incident is to establish the facts, at that time, understand the damage to date, and to mitigate further damage. Ahead of an incident happening we achieve this through careful planning and communication, especially through articulating and agreeing a shared understanding and acceptance of the Information risks. [17]
Next being able to analyse, quantify and record those information risks amongst the senior managers in the organisation. Next to articulate, brief and communicate the information risks, including the business impacts and the mitigations to all stakeholders [10]. This has to be done in slow time as part of the Education and Training regime with key stakeholders ahead of any cyber incident happening. This approach will put the Board and the whole organisation in a better place. The amount of resource, training and communication carried out is proportionate to the understanding, analysis, and articulation of the risk appetite [18][19]. Likewise, the better prepared an organisation is through training and exercising, the more effective and efficient the Crisis Management Response will be [29].
Organisational structures need to be defined and understood; one way to do this is through block diagrams depicting formal and informal hierarchies and relationships. Design Science [30] and Systems Dynamics are particularly useful to enable this; these give a set of variables to decide where you are in the equation [21]. Causal variables are used widely in Systems Dynamics and Grounded Theory [22]. We explored the use of variables to describe Information Assets in the author’s previous paper [23]. These aspects of planning contribute to the efficiency and effectiveness of fast time communication.
The approach is offered in the context of Cyber incident coordination and the need for Fast time secure information sharing, collaboration and coordination. The contents of this document could be useful for other applications but they are outside of the scope and detail of this report. Cyber Incidents are not permanent situations, they can therefore be thought of as fast time projects, with a start, middle and an end.
Incident scope and severity: who is affected, and how many people need to be on the Incident call? Consider activating the Local Cyber Coordination Cell (LCCC); this is the internal team which provides coordination and initial analysis for the Cyber Incident Response team. We have adapted this in the CRASH Gate approach detailed later in the paper.
Source: Scope Patterns for Projects Modelled as Sociotechnical Systems Bryan R Moser (MIT) [8]
There are many software communications tools in use. Many of these software products are available in both desktop and portable mobile/tablet versions. Some are free and some are subscription / licence based, and many have a “free tier”. The most common ones from our research through the Cyber Technical Advisory Group (CTAG) and from work conducted by the Local Government Association (LGA) are (in no particular order):
SLACK / WhatsApp / Signal / mobile text messaging / Instant Messenger. Common video conferencing tools are also being used: Microsoft Teams, Zoom, Google Hangouts, Cisco WebEx. Other products are by Adobe [35], Amazon Web Services [36] and Zello [37], which have some limited use. From our findings, the preference is for WhatsApp [38] and Teams [39]. However, there is a lot of unease about perceived security configuration issues with WhatsApp, with Signal [40] being the app of choice for the savvier technical users.
C-TAG provides a SLACK feed through the NLAWARP and has a facilitated C-TAG node on the NCSC CISP platform. The NCSC provides a web form for reporting Cyber incidents;
Microsoft Teams has a Walkie Talkie app [41], which is very much like Zello [37], enabling a push-to-talk broadcast capability that turns the mobile phone into a Push to Talk (PTT) radio handset over Wi-Fi/4G networks (it consumes 4G data when being used). The PTT approach gives an always-on capability to listen to and monitor an audio channel. There are specific Android-type hand-held radios [42] which we believe will prove very useful to Cyber Incident Responders. These enable mesh and point-to-point communication in a way that is more flexible than the use of mobile phones, giving the capability of hand-held radios to non-technical users.
The use of mobile devices utilising the mobile phone and internet networks greatly extends the reach of these emergency communications. This means that Teams is readily available and is pervasive. As we have discussed there is a real issue that if the MS365 tenant is not available, there has to be an alternative, this would normally be regarded as “Shadow IT” [46] which is where an alternative toolset for emergency communications should be available.
We have found that the norm is, in slow time, to monitor a WhatsApp group, then move to a more appropriate secure channel of communications such as Signal. There is a distinct need to have multiple comms, which we describe as:
Instant unstructured messaging – ephemeral text in WhatsApp / Txt / Instant Messenger.
More structured text communications with email / Slack / Chat in Teams
Video / Voice Communications via Teams / Zoom
Decision recording templates in Teams using OneNote as a primary tool.
Decision logs maintained by structured reference numbers, stored locally, plus a central permanent record of all key decisions comprising date / timestamp / reference etc.
Document repositories such as NCSC CISP [51] Resilience Direct [52], other private group collaboration platforms which include KHUB[53].
The overarching finding of the desk research and ad hoc enquiries through the Cyber Technical Advisory Group (CTAG) [54] has been that there are multiple platforms and repositories in existence, managed and maintained by various groups and entities. We contend this is fine, so long as there is a standard template approach for interoperability between templates, message structures and referencing.
The author’s Cyber Golden Hour Guide [73] details the roles and responsibilities required to effectively coordinate a Cyber Incident within an organisation. This paper focuses on the next level down, below the Governance and coordination (or Crisis Management) level, into the tactical tools and techniques that can be used by Incident Coordination Teams (Cyber Coordination Cell) or a Fusion Cell.
Many organisations do not have staff trained to respond. In Wales, the Welsh Government Cyber Programme funded a series of Cyber Exercises and tactical training workshops. The lessons learned from live incidents, exercises and the tactical workshops clearly demonstrate that whilst exercising, training and awareness raising help, they do not completely solve the problem. Apart from responding to campaigns (common Cyber attacks at a given time, like WannaCry and the Microsoft Exchange attacks [71]), all other incidents are different depending on the infrastructure in place. Therefore the approach needs to be generic, supported by specific playbooks [72].
1) What is the believed nature of the incident?
2) How many locations (sites/schools etc.) do you believe are affected at this time?
3) Which of these locations are directly maintained and supported by internal ICT?
4) When was the incident first detected?
5) How was it detected?
6) What mitigations have been implemented already?
7) Do you believe the incident is contained?
8) Have you prepared press, media and PR lines?
9) What are your planned next actions?
10) Have you established a timeline and decision log?
The NCSC have defined six categories of Cyber Incident [70].
Category 1 National cyber emergency
Category 2 Highly significant incident
Category 3 Significant incident
Category 4 Substantial incident
Category 5 Moderate incident
Category 6 Localised incident
The NCSC generally will only intervene at category three or above. Organisations will need to make their own support arrangements and work with partners for lower level attacks. The approaches in this paper would be useful for localised attacks from categories 6-4. Much effort goes into planning for very serious attacks, whereas lower level attacks at category 5/4 can still be debilitating for organisations.
The work to date has highlighted the need for pre-agreed “Trigger Points”, especially for the lower NCSC categories above (6/5/4). In the context of Cyber Incident Response and the need for Fast time Communications, many incidents are known as “Rising Tide Events” [63]. This means that the impact, severity and harm of the initial incident isn’t always obvious. Understanding Cyber Incidents in terms of Harm [64][68] is a valuable way to gauge the possible final damage state of an incident. As further intelligence is received, through shared situational awareness, from differing sources, from multiple organisations or through proliferation of a threat vector (such as WannaCry in 2017) [61], the situation increases in seriousness in a way that may not be immediately apparent locally. This is where Filtered Warnings, Advice Brokering and Trusted Information Sharing [65], the key WARP (Warning, Advice & Reporting Point) [66] services, come into their own.
Trigger Points [32] can be thought of as pre-defined Consequence, Relevance, Acceleration, Severity and Harm (“CRASH”) Gates. A gate in this context is a phase or stage where an incident escalates to the next level. The key is the baseline starting position, which can be quickly and easily identified by honestly and objectively completing the CRASH index.
Ticking the Boxes on the CRASH Index Matrix gives an immediate baseline to help Situational Awareness, impending shifts in the threat profile and is especially useful in a Dynamic Rising Tide event scenario as described in the JESIP doctrine used by the Emergency Services[67].
One of the areas organisation struggle with in writing plans is the definition of trigger points and their articulation. They are discussed in medical and paramedic literature [74], however they are sparse in
Consequence Scaling (C)
(1) Locally contained within the Organisation at a Sub-Departmental / Directorate Level
(2) Locally contained within the Organisation at Departmental / Directorate Level
(3) Locally contained within the Organisation
(4) Affecting multiple Organisations Sub-Regionally
(5) Affecting multiple Organisations Regionally
(6) Affecting multiple Organisations Nationally
Resilience Scoring (R)
(1) We are fully prepared and have exercised in the last six months
(2) We are fully prepared and have exercised in the last 12 months
(3) We have some plans in place and have not exercised recently
(4) We have few plans in place, some training, no exercising
(5) We have few plans, haven’t trained or exercised in over 12 months
Applicability Scoring (A)
(1) We do not have this technology in our infrastructure
(2) We have this technology, we are fully patched
(3) We have this technology, we are partially patched
(4) We have this technology, we are not patched
(5) We have this technology, we are compromised
Severity Scoring (S)
(1) Not affecting our infrastructure directly
(2) Affecting some of our infrastructure
(3) Affecting most of our infrastructure
(4) Affecting all of our infrastructure
(5) Our infrastructure is over run and non-functioning
HARM Levels (H)
(1) The organisation is unaffected
(2) The organisation is affected, but fully operational
(3) The organisation is affected, and is partially operational
(4) The organisation is compromised, essential services still functioning
(5) The organisation is compromised, essential services lost
The “CRASH Gate” matrix model, provides a granular set of indicators that can be used like the 5x5 intelligence model [33] to instantly give a significance score to a situation.
C (1) Locally contained within the Organisation at a Sub-Departmental / Directorate Level
R (3) We have some plans in place and have not exercised recently.
A (4) We have this technology, we are not patched
S (2) Affecting some of our infrastructure
H (2) The organisation is affected, but fully operational
Looking at the example above, you would write a plan or playbook with particular actions relating to the narrative in the CRASH Gate statements. This removes ambiguity and allows delegated actions to be clearly documented and authorised. In the example above a change from C(1) to C(2), or from H(2) to H(3), would be of huge concern, whilst action to move from A(4) to A(2) would greatly reduce the risk. As a tool for Situational Awareness, sharing a CRASH Gate Status (CGS) string of CGS1,3,4,2,2 would be transmitted or shared as CGS13422. This can be prefixed with a Cyber Unique Organisation Reference Number (CUON) [34]:
Example CCGS (CUON Crash Gate Status) 654/21/9874/13422
The above is a simple example, but it means there is a definitive record of a shared CRASH Gate status for the current situation. The CUON comprises 654 (the organisation ID), 21 (the year of allocation) and 9874 (the unique reference number for this CRASH Gate report), followed by the CRASH Gate status 13422. If intercepted, the CRASH Gate status could be decoded but the organisation number could not be traced back, and the validation code of 9874 would be updated during the acknowledgement. By parsing the CRASH Gate trigger status, a search for those with A4/5 would identify the organisations requiring priority support. This system of simple numeric reporting wholly relies on the honesty, truthfulness and transparency of participating organisations to be of use for information sharing. As an internal planning tool for baselining, it would be of value.
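As an added illustration (not code from the guide or from C-TAG), the following Python parses a CGS string and a CUON-prefixed CCGS record, decodes each digit back to the CRASH Gate statement it stands for, flags which gates moved between two status reports, and picks out the A4/5 organisations needing priority support. The org/year/ref/CGS field layout, the accepted spellings of the CGS string and the sample records other than the guide's own 654/21/9874/13422 are assumptions.

```python
from dataclasses import dataclass

LETTERS = "CRASH"  # Consequence, Resilience, Applicability, Severity, Harm; level 1 = first statement
CRASH_SCALES = {
    "C": (
        "Locally contained within the Organisation at a Sub-Departmental / Directorate Level",
        "Locally contained within the Organisation at Departmental / Directorate Level",
        "Locally contained within the Organisation",
        "Affecting multiple Organisations Sub-Regionally",
        "Affecting multiple Organisations Regionally",
        "Affecting multiple Organisations Nationally",
    ),
    "R": (
        "We are fully prepared and have exercised in the last six months",
        "We are fully prepared and have exercised in the last 12 months",
        "We have some plans in place and have not exercised recently",
        "We have few plans in place, some training, no exercising",
        "We have few plans, haven't trained or exercised in over 12 months",
    ),
    "A": (
        "We do not have this technology in our infrastructure",
        "We have this technology, we are fully patched",
        "We have this technology, we are partially patched",
        "We have this technology, we are not patched",
        "We have this technology, we are compromised",
    ),
    "S": (
        "Not affecting our infrastructure directly",
        "Affecting some of our infrastructure",
        "Affecting most of our infrastructure",
        "Affecting all of our infrastructure",
        "Our infrastructure is over run and non-functioning",
    ),
    "H": (
        "The organisation is unaffected",
        "The organisation is affected, but fully operational",
        "The organisation is affected, and is partially operational",
        "The organisation is compromised, essential services still functioning",
        "The organisation is compromised, essential services lost",
    ),
}


@dataclass(frozen=True)
class CrashGateStatus:
    levels: tuple  # one level per CRASH letter, held in C, R, A, S, H order

    @classmethod
    def parse(cls, cgs: str) -> "CrashGateStatus":
        # Accepts "CGS1,3,4,2,2", the compact "CGS13422" or a bare "13422" (assumed spellings).
        digits = cgs.strip().removeprefix("CGS").replace(",", "")
        if len(digits) != 5 or not digits.isdigit():
            raise ValueError(f"CGS must carry exactly five digits: {cgs!r}")
        levels = tuple(int(d) for d in digits)
        for letter, level in zip(LETTERS, levels):
            if not 1 <= level <= len(CRASH_SCALES[letter]):
                raise ValueError(f"{letter}({level}) is outside the {letter} scale")
        return cls(levels)

    def level(self, letter: str) -> int:
        return self.levels[LETTERS.index(letter)]

    def describe(self) -> dict:
        # Map each digit back to the CRASH Gate statement it stands for.
        return {l: CRASH_SCALES[l][self.level(l) - 1] for l in LETTERS}


@dataclass(frozen=True)
class CCGS:
    """CUON-prefixed record: org id / year of allocation / unique ref / CGS (layout assumed from the example)."""
    org_id: str
    year: str
    ref: str
    status: CrashGateStatus

    @classmethod
    def parse(cls, record: str) -> "CCGS":
        parts = record.strip().split("/")
        if len(parts) != 4:
            raise ValueError(f"CCGS needs four '/'-separated fields: {record!r}")
        org_id, year, ref, cgs = parts
        return cls(org_id, year, ref, CrashGateStatus.parse(cgs))


def is_valid_cgs(cgs: str) -> bool:
    try:
        CrashGateStatus.parse(cgs)
        return True
    except ValueError:
        return False


def gate_changes(before: CrashGateStatus, after: CrashGateStatus) -> list:
    """Report each letter that moved between two statuses; a move up the scale is an escalation."""
    out = []
    for l in LETTERS:
        b, a = before.level(l), after.level(l)
        if a != b:
            out.append(f"{l}({b}) -> {l}({a}): " + ("escalation" if a > b else "risk reduced"))
    return out


def priority_support(records) -> list:
    """Org ids reporting A4/A5 (not patched or compromised): the guide's priority-support search."""
    return [r.org_id for r in map(CCGS.parse, records) if r.status.level("A") >= 4]


# Constructed sample reports: the first is the guide's own example, the others are made up.
SAMPLE_RECORDS = ["654/21/9874/13422", "712/21/0042/24523", "803/21/0101/11211"]
```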
This standard provides guidance in relation to sharing information about information risks, security controls, issues and/or incidents that span the boundaries between industry sectors and/or nations, particularly those affecting “critical infrastructure”. ISO/IEC 27010 [81] provides guidance on information security interworking and communications between industries in the same sectors, in different industry sectors and with governments, either in times of crisis and to protect critical infrastructure or for mutual recognition under normal business circumstances to meet legal, regulatory and contractual obligations. Sometimes it is necessary to share confidential information regarding information-related threats, vulnerabilities and/or incidents between or within a community of organizations, for example when private companies, governments, law enforcement and CERT-type bodies are collaborating on the investigation, assessment and resolution of serious pan-organizational and often international or pan-jurisdictional cyberattacks.
Such information is often highly sensitive and it may need, for example, to be restricted to certain individuals within the recipient organizations. Information sources may need to be protected by remaining anonymous. Such information exchanges typically happen in a highly charged and stressful atmosphere under intense time pressures - hardly the most conducive environment for establishing trusted working relationships and agreeing on suitable information security controls. The standard should help by laying out common ground-rules for security.
[2]https://www.researchgate.net/publication/342804953_An_Overview_of_Local_Government_Cyber_Security_in_England_and_Wales_Emergent_Threats_and_Practic
[9]https://www.researchgate.net/publication/267972043_System_Dynamics_Based_Insider_Threats_Modelin
[11] P. Brangetto, M. Maybaum, J. Stinissen (Eds.), 2014 6th International Conference on Cyber Conflict, © NATO CCD COE Publications, Tallinn, 2014
[20] https://www.ncsc.gov.uk/news/rusi-lecture
[23] Brett M 2021 [Information Assets paper from previous journal edition]
[71] https://www.ncsc.gov.uk/news/security-updates-released-microsoft-exchange-server
Overview of current issues relevant to the Wider Public Sector
Introduction
Horizon Scanning Definition:
Horizon scanning is a technique for detecting early signs of potentially important developments through a systematic examination of potential threats and opportunities, with emphasis on new technology and its effects on the issue at hand.
Source: https://www.oecd.org/site/schoolingfortomorrowknowledgebase/futuresthinking/overviewofmethodologies.htm
Horizon Scanning exists with a proper method that gets used within the commercial world, in the Government [1], Health [2], Military [4] and Intelligence communities.
We’ve seen a lot of this work during the COVID-19 pandemic in the Health sector, referenced in [2] above; it’s a valid and useful model for planning and understanding the world and the surrounding complexity.
There is an excellent detailed handbook on Horizon Scanning [3], which will help you if you wish to dive deeper into the subject.
You can't do horizon scanning within the constructs of a static system; it is a dynamic thing. It is a moving, fluid, event-driven paradigm, and things change. So what does this mean on a day-to-day basis? It means monitoring what's on the news, the big global and macro issues:
The War in Ukraine
The Energy Crisis / Prices
Cost of Living Concerns
Climate Change,
On-Going Cyber Threats & Scams
Tiger Economies in Asia [5], trade and Global Economies of China, Russia, the US, and Asia-Pacific Countries.
There are the issues raised in the Green Economy, new emergent issues like Doughnut Economics [6].
These are all things which have nothing to do with Cyber Security and Resilience, but everything to do with the economy and the way that criminals, hackers and hostile foreign states think. Foreign states, and even our own, are all driven by a “Doctrine” [7]. This includes the UK Cyber Doctrine [8], which drives the military objectives and, on the civic side, the work of the Cabinet Office National Cyber Security Programme [9] and the NCSC [10]. Make sure you've got a good source of rich knowledge in terms of newsfeeds, blogs, push content (podcasts / blogs / news feeds), notes and qualitative research memos [11] from conversations, things you come across, reports that get written, and just generally understanding your environment.
Horizon scanning can take account of major news events and things happening in the country and globally. Obviously, you can’t track everything, but you’ll develop a set of “Lenses”, which we refer to as Contexts. A few big issues to consider that could affect Cyber Security are:
• global warming
• pandemics,
• political elections,
• political takeovers in countries,
• insurrections,
• civil unrest,
Then there are the things that are going on within the environment of your own organisation. Horizon scanning is about looking at asset & risk management, threats, facilities, vulnerabilities and exploits. Risk analysis, risk management and risk planning are all about understanding the current threats that you're facing and your vulnerabilities. In a complex computer system there might be 50 vulnerabilities, but 49 of those vulnerabilities remain unexploited. However, more of those vulnerabilities may start to get exploited. We often refer to zero-day exploits; that means someone has taken a theoretical vulnerability and turned it into an actual exploit, and has been able to achieve the effect they were seeking in relation to that vulnerability. That's when you've got a problem, and that's when companies like Microsoft, Amazon and Google release patches against currently detected and reported vulnerabilities, hopefully before they become exploitable; but sometimes an exploit happens first and industry has to move quickly to patch that vulnerability.
This has happened recently, for instance with attacks on Citrix and VMware; it is these zero-day (unpatched) vulnerabilities that are dangerous. Sometimes known vulnerabilities are kept secret; these are known as “equities” [12], and can be used by foreign state actors for cyber attacks, surveillance and espionage.
We can change our world view[13] when new information comes to light. In fact refusing to change your worldview for political or organisational reasons in the light of new knowledge and information can lead to real world problems.
There is much to learn from Systems Theory[14] and complex systems that can inform the horizon scanning process and approach.
We're constantly retraining, rechecking and reassessing everything that's going on. We don't often know how critical a vulnerability, or a thing, is. So what we do is use a five-by-five classification approach to help inform the process. The 5x5 intelligence classification system[15] is used widely in the Police and Intelligence services.
These are sometimes known as intelligence assessments[16], or referred to as an Intelligence Estimate by our American colleagues. An output from the intelligence process becomes a product[17]; it means it's gone through the whole assessment machinery.
Part of that assessment machinery is the horizon scanning and validation of facts. So using a five-by-five matrix gives a level of confidence, and these assessments are constantly changing as well. So I hope that basic introduction to horizon scanning has been useful. We will now look at some of these areas in more detail.
Section One – Horizon Scanning Update January 2023
Exploring weak signals[18] means exploring things which already exist, but whose relevance has changed or increased. It's really about trying to put the contextual single intelligence picture[19] together. Situational Awareness[20] is everything in the Intelligence world, along with Context[21]: remove context and an assessment or product is useless, inaccurate and potentially dangerous. The objective is to discuss a few topics and to drill down on them.
Cloud computing
Cloud computing[22] is a mature market, with Microsoft, Google and Amazon Web Services leading the way. Working with the cloud requires a slightly different skill set[24]. It is important to remember that in the context of cloud computing you need to understand which type of service you have bought.
Think of a pyramid[25]. At the top of the pyramid[26], with the least amount of work for you to do, is Software as a Service (SaaS); underneath that is Platform as a Service (PaaS); and underneath that is Infrastructure as a Service (IaaS).
If you buy Software as a Service (SaaS), that means everything's done for you: all the software patching, the operating system, the platform, everything is taken care of.
When you buy Platform as a Service (PaaS), you're buying the infrastructure and the server part with the operating system, and the patching of those gets done for you. You are responsible for the software you put on top of that, for keeping all that software patched and for maintaining it.
When you buy Infrastructure as a Service (IaaS), you're literally buying flat tin. That means you've got to be responsible for putting the operating system on it, including the licensing, configuration and patching. You've got to be responsible for patching the systems, the software and everything above it. So you need to understand all of that. Also bear in mind that configuration is really important: the main thing to consider is all the configurations. If you deploy something on Amazon, you just push a button and it does it for you; it's all there. You need to really think that stuff through.
Software Defined Networks
Software Defined Networks[27] (SDN) are based around the core concept of infrastructure as code[28]. This comes up in many ways, because you've got the cloud infrastructure[23] we were just talking about, but you've also got things like VMware. You're actually running software which is emulating hardware. This is becoming far more commonplace now with appliances that used to be physical “tin”, including firewalls.
You can have a completely software defined network within your virtual private cloud. The only real exceptions used to be the PKI encryption HSMs (the Hardware Security Modules used to calculate and run encryption)[30]; even GCHQ has finally moved away from paper tape![31] Yes, paper tape for cryptography.
Cisco firewalls etc. have a Unix core in the middle of them. So you need to really think through how this is being deployed, who's checking the configurations and how it fits together. Containerisation[32] has been around for a few years, and you're going to hear an excellent presentation about it shortly. Once you get containers in place, you're no longer worrying about the operating system, the patching or anything else, because it's all frozen: it's put in a container and it's deployed. But these containers, with software development, are being continuously integrated[33].
That's what's known as continuous integration, and above the container layer is the orchestration layer[34]. The configuration files are what you need to be really aware of, especially around assurance and configuration. You mustn't forget about penetration testing of the configuration and system[35], and you mustn't forget about code reviews[36] and Business Continuity Plans[37], which are absolutely critical.
Zero Trust Networks
Zero Trust Networks[38] have been around for some considerable time; it's not anything new. A zero trust network is one where, potentially, you don't mind who's floating around in your network, because they can't access anything[39]. The biggest one that we're all used to, without necessarily realising it, is the NHS network: all of the access control to NHS services and systems is through their smart card. It's all controlled through their access and identity management.
So access and identity management is really important and is something that's emergent. What the zero trust network does, ultimately, is take a nice fat, attractive attack surface and turn it into something that's a knife edge. The zero trust network has got very little that you can attack. Whilst we won't be dwelling on it this afternoon, as and when details come out about the recent London Borough that was attacked: they are moving towards a zero trust network, and the zero trust part of the infrastructure was not affected by the attack. The legacy part of their network was affected. The zero trust stuff they're putting in is very robust. This is a good point to mention network architecture: the NCSC Network Architecture Guidance[40] is a good starting point, and we suggest that you implement Security Zones[41], which can really help to break a network up into the conceptual, logical and physical domains, as recommended by Zachman[42] and the TOGAF[43] and SABSA[44] methodologies. Zero trust has got a very thin attack surface, works on microservices[45], and it's far easier to control, but access control becomes very important when you're looking at zero trust networks[46].
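The "don't mind who's floating around in your network" point above, as an added example that is not part of the original talk: a toy policy evaluator contrasting a perimeter decision (being on the LAN is enough) with a zero trust decision that ignores network location and requires verified identity, a compliant device and an explicit entitlement. The user, resource and entitlement names are constructed for illustration.

```python
"""Added example, not from the original talk: perimeter versus zero trust
access decisions over the same constructed requests."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    smartcard_verified: bool  # strong identity, like the NHS smart card
    device_compliant: bool    # managed, patched device
    source_network: str       # "corporate_lan", "vpn" or "internet"
    resource: str
    action: str               # "read" or "write"


# Constructed entitlements: resource -> allowed (user, action) pairs.
ENTITLEMENTS = {
    "patient_records": {("dr_smith", "read"), ("dr_smith", "write"),
                        ("nurse_jones", "read")},
    "payroll": {("hr_admin", "read"), ("hr_admin", "write")},
}


def perimeter_decision(req):
    """Legacy model: being on the corporate LAN is enough to reach anything."""
    return req.source_network == "corporate_lan"


def zero_trust_decision(req):
    """Zero trust: every request must carry a verified identity, a healthy
    device and an explicit entitlement; the source network grants nothing.
    Returns (allowed, reasons_for_denial)."""
    reasons = []
    if not req.smartcard_verified:
        reasons.append("identity not verified")
    if not req.device_compliant:
        reasons.append("device not compliant")
    if (req.user, req.action) not in ENTITLEMENTS.get(req.resource, set()):
        reasons.append("no entitlement for this resource/action")
    return (not reasons, reasons)


# Constructed scenarios: an intruder already "floating around" the LAN,
# a clinician working from home, and a clinician over-reaching.
SCENARIOS = {
    "intruder_on_lan": Request("unknown", False, False, "corporate_lan",
                               "patient_records", "read"),
    "clinician_from_home": Request("dr_smith", True, True, "internet",
                                   "patient_records", "write"),
    "nurse_writes_records": Request("nurse_jones", True, True, "vpn",
                                    "patient_records", "write"),
}


def compare_models(scenarios=SCENARIOS):
    """{scenario: (perimeter_allows, zero_trust_allows, denial_reasons)}"""
    out = {}
    for name, req in scenarios.items():
        zt_ok, reasons = zero_trust_decision(req)
        out[name] = (perimeter_decision(req), zt_ok, reasons)
    return out


if __name__ == "__main__":
    for name, (perim, zt, why) in compare_models().items():
        print(f"{name:22} perimeter={perim!s:5} zero_trust={zt!s:5} {why}")
```

The intruder passes the perimeter check and fails every zero trust check, while the clinician on the open internet is admitted only because identity, device and entitlement all line up.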
Internet of Things (IOT)
The Internet of Things is the big emergent technology[47] which is going to affect everybody. We've already got an awful lot of devices on our networks which are all, in some sense, IoT. Whereas we've been used to dozens of servers, hundreds of connected end-user devices and thousands, indeed millions, of packets of information flying around the internet, IoT is going to start bringing sensors[48] and a whole range of different things into your core network, potentially. So what you need to do is think long and hard about network security architecture and about introducing multiple insecurities into your network.
Looking at cloud computing, building out software defined networks and putting zero trust security around it will get you to a point where you can deal with the Internet of Things. It's very much about internet zoning, also known as “Security Zones”; this is a security architectural approach advocated by the NCSC[40]. You also need to understand, for all the devices you're going to connect, what the provenance of the device is: where has it come from, who manufactured it, what code is in it? It is critically important that you understand these things and actually monitor what's going on. Supplier provenance[49] will become another very important factor moving forward, as will supplier assurance. The MOD have done much leading work in this area and are developing a supplier product assurance scheme, which will be of great benefit and use moving forward.
Some of the work we've been doing with C-TAG and other groups through the WARPs, looking at things like LoRaWAN[50], is also very useful.
IoT is going to be here and it's going to come in in anger. This is especially relevant for things like adult social care, where allowing people to live independently is really important as we move forward. But you do need to think about things differently with IoT.
You should ensure that you put security zones in place, and you do need to make the network harder to attack through segmentation, security domains and zones.
Artificial Intelligence (AI)
Artificial intelligence[51], machine learning and algorithms build on what I've just been talking about, because with both artificial intelligence and machine learning you're going to be doing stuff at scale. We'll start seeing things like CRM (Customer Relationship Management) systems, which have been around for 25 years, where you've integrated telephony and web services for payment processing and customer service (“press one for this, press two for that”); we're going to start seeing chatbots more and more. Some of you are using them already. You're going to see far more artificial intelligence engines behind applications. Automated workflow channels, called funnels, are already being used all over the web for marketing and sales.
There have been great advances in medical science around this, where hospital doctors and GPs have been using artificial intelligence, not instead of their own judgement but to help them with diagnosis. By understanding certain things, you can build up a massive body of knowledge, way beyond our own understanding. We can leverage that extra knowledge through the sorts of emergent technologies around the automated translation of voice and video files into text, which complements the existing text-to-speech technologies.
It's amazing what some of the software out there is capable of now, but you've got to remember that machine learning is collecting a lot of information that wasn't being collected before. It's all anonymised. For instance, Apple track finger movements on iPhone screens, so when they're designing products and software they know how to make these things better, because they know which parts of the screen you touch most often, what sort of behavioural gestures you use, how you use applications together and how you're using workflow. All of this enhances and improves the user experience (UX) through improving the user interface (UI).
If I was starting my career now, I'd be a data scientist, because data science is actually the future. I'm looking at all the stuff the NCSC are working on: Active Cyber Defence and all those sorts of products[52].
We're now starting to see a lot more around log analysis as an emergent mainstream topic. The WARPs have been discussing log files and their relevance and use in cyber security for a long time.
Information and network asset management are newly emergent themes. Their purpose is to gain situational awareness of your network, the systems you're running and the infrastructure you're supporting, to provide accurate context for network defenders. There may be a dozen new Apple Mac vulnerabilities identified; that's no use if you only run Windows. Palo Alto patches are useless to a Fortinet site.
You need to know the types of equipment you're running, the versions you have and, critically, their patch levels. By having this detailed information we are then able to tailor solutions to particular problems.
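The "Palo Alto patches are useless to a Fortinet site" point above, as an added example that is not part of the original talk: an advisory feed matched against an asset inventory by vendor, product and version, so only advisories that apply to equipment actually in use (and not already at a fixed version) reach the defenders. The inventory, advisory identifiers and version numbers are constructed sample data.

```python
"""Added example, not from the original talk: asset-aware filtering of a
vulnerability advisory feed. All inventory and advisory data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    fixed_in: str  # first version carrying the fix (single-branch simplification)


def parse_version(text):
    """'7.0.5' -> (7, 0, 5); a trailing suffix such as '7.0.5-p1' is ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a is older than b; '7.0' compares equal to '7.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def _key(vendor, product):
    return (vendor.strip().lower(), product.strip().lower())


def relevant_advisories(inventory, feed):
    """{asset name: [advisory ids]} for advisories whose vendor/product match
    the asset and whose fix version is newer than what the asset runs."""
    by_product = {}
    for adv in feed:
        by_product.setdefault(_key(adv.vendor, adv.product), []).append(adv)
    hits = {}
    for asset in inventory:
        ids = sorted(adv.advisory_id
                     for adv in by_product.get(_key(asset.vendor, asset.product), [])
                     if version_lt(asset.version, adv.fixed_in))
        if ids:
            hits[asset.name] = ids
    return hits


def irrelevant_advisories(inventory, feed):
    """Advisory ids needing no action here: wrong vendor/product, or every
    matching asset already runs a fixed version."""
    used = {i for ids in relevant_advisories(inventory, feed).values() for i in ids}
    return sorted(adv.advisory_id for adv in feed if adv.advisory_id not in used)


# Constructed inventory and feed (identifiers are placeholders, not real CVEs).
INVENTORY = [
    Asset("fw-edge-01", "Fortinet", "FortiOS", "7.0.5"),
    Asset("fw-edge-02", "Fortinet", "FortiOS", "7.0.7"),
    Asset("ws-finance-12", "Microsoft", "Windows 10", "10.0.19044"),
]
FEED = [
    Advisory("CONSTRUCTED-0001", "Palo Alto", "PAN-OS", "10.2.4"),
    Advisory("CONSTRUCTED-0002", "Fortinet", "FortiOS", "7.0.7"),
    Advisory("CONSTRUCTED-0003", "Apple", "macOS", "13.2"),
    Advisory("CONSTRUCTED-0004", "Microsoft", "Windows 10", "10.0.19045"),
]

if __name__ == "__main__":
    print("action needed:", relevant_advisories(INVENTORY, FEED))
    print("noise for this estate:", irrelevant_advisories(INVENTORY, FEED))
```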
Artificial intelligence is growing into a very, very large thing, and it's becoming far more pervasive.
Digital Ethics
Digital Ethics[53] are something you might not consider. You might not have heard of them, but they are really important. Why are ethics so important, then? Ultimately, ethics define the moral boundaries that we need to stay within, through policy and consideration of societal acceptability. We all know about human rights; well, that’s what ethics are. My philosophy has always been “At what price?” That relates to how badly you want something and the lengths you’re prepared to go to get it, and “at what cost” to friends, relationships and consequences. The law also reflects a set of societal norms, in terms of our criminal laws and the punishments we have for breaking them. There are many ethical concerns at this time around Covid-19: social distancing, lockdowns, the acceptable way to behave and of course the vaccines being developed, who gets them first, prioritisation and the order of events. These are all ethically driven decisions[54]. That sets the context for ethics; as we turn to digital ethics, they are the rules and algorithms that drive machine learning and artificial intelligence[55]. We are getting used to the idea of driverless autonomous cars and vehicles, and we hope they are programmed to do the right thing. Would we be as happy knowing a car had a peace mode and a war mode?
When cybernetics first started and robots were the stuff of science fiction, right back in the days of Norbert Wiener[29], a brilliant MIT student in the 1950s (we know that some of you might never have heard of him; he was an MIT student and went on to do some of the founding work on cybernetics), it was always the intention to design machines that must not hurt their creator[56].
So if you think about the Terminator films and the robots: not to destroy their creators. That's called non-maleficence, do no harm. Digital ethics is looking at how machine learning and artificial intelligence are actually helping shape how these things work. With Tesla cars, you don't own the software, you licence it. I'll talk about it more a bit later, but you're actually licensing the software. So when you get into a car and it's driving itself, it's being driven by algorithms. The algorithms get to make, we hope, ethical decisions all the time about what to do and what not to do. Is it a good thing, trusting our lives to hope? You really need to have an understanding of digital ethics.
Smart Cities
Smart Cities[57]. Again, it's something that's emerging and is bringing all the bits together, because if you look at the Internet of Things, that's given us far more contextual information.
If you look at machine learning, artificial intelligence and algorithms, it then culminates in smart cities. Smart cities aren't anything new, but bringing them all together is: we're getting far more integrated around our CCTV and transport networks. We've got travel cards; it's the Oyster card down in London, and there are lots of other travel cards. Now there's bike hire and scooter hire and all those fobs. Every time you get one of these hire bikes out, you “touch in” your smart token on an NFC device (such as your smart phone). You're then charged through your user account. But that token and account is tracking where you got the bike/scooter from, where you started your journey and at what time, where you checked the bike/scooter back in (your destination), the duration of your travel and, likely through geo-tracking technology in the bike/scooter, your route. This geo-temporal information is you leaving a deep, rich digital footprint everywhere you go. Your journeys are being tracked, so this is where ethics and privacy come into play, along with public wifi, smart road signs and smart motorways. It's all really joining everything up: a person, event, location and time. The law enforcement, military and intelligence agency dream.[58]
People will know where you are and what you're doing. Data protection, privacy, civil liberty and freedom, everything is going to go far beyond where we've been in the past. In the past it's all been about geo-temporal information, but in the future it's all about geospatial information as well. So the world is moving on at pace, but all of these disparate things are building up into a layered taxonomy: through cloud, through software defined networks, zero trust, the algorithms, digital ethics, and then culminating in smart cities. Not just what building you were in, but the floor, desk and device locations too.
Good security network architectural design means understanding that there are workflows following the data, which we've always been doing with data protection and data privacy impact assessments.
But you do need to understand your suppliers and your third parties, especially those processing your data, and to know that they are doing so in an ethical way.
You do need to understand your supply chain, what kit you're buying and where it comes from, and whether they have tested it. You do need to have dynamic business continuity. You need to start making staff aware of all this new technology and how it affects them. And you need to have really good detailed documentation, and really good detailed diagrams and configuration; that's really important.
Section 2 - Emergent Threats – What we’re seeing on the radar
Introduction
Emerging threats, again, are some familiar topics that are today coming to the forefront of the threats we are facing and seeing in our networks and on the Internet. Many of these you will know about; we aim to give you a better context. A quick recap on what we talk about as information assurance:[59]
Confidentiality – keeping information safe and secure, accessible only to those who are authorised.
Integrity – ensuring the information is accurate and hasn’t been altered.
Availability – the ability to ensure we can access these systems and services when we need to.
Virtualization
Virtualization issues haven't gone away. The technology has been with us for around forty years, going back to mainframes. The VMware server is a great product, but it's got to be properly configured; it can still be compromised. We need to make sure that the management layer is completely locked down and is being monitored, understanding who's got access to it and that all the different workloads are properly segmented and configured[60].
Having remote suppliers providing technical support via VPN connections into your network is fine, but do you monitor their activities and ensure their sessions are terminated and logged afterwards? This issue has been with us for the past fifty years, going back to the days of remote mainframe access via dial-up terminals and even teletypes, yet in this automated, digital, Internet, mobile device age it is still a current problem!
If they're looking after a server farm on your premises and keep using a VPN to gain access, especially working from home, do you close that session down afterwards? Where technical support has Remote Desktop access enabled, are the remote access sessions monitored and recorded?
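The "do you close that session down afterwards?" question above, as an added example that is not part of the original talk: a review pass over VPN gateway log lines that rebuilds each session and flags supplier accounts whose sessions were never terminated or ran longer than an agreed support window. The log format, account names, addresses and the four-hour limit are all constructed assumptions; real gateways log differently.

```python
"""Added example, not from the original talk: finding supplier VPN sessions
that were never closed or overran. Log lines and account names are constructed."""
from datetime import datetime, timedelta

SUPPLIER_ACCOUNTS = {"vendor_vmware_svc", "vendor_storage_svc"}  # constructed
MAX_SESSION = timedelta(hours=4)  # assumed agreed support-window limit

# Constructed sample log: "<utc timestamp> <host> key=value ...".
SAMPLE_LOG = """\
2023-01-10T09:02:11Z vpn-gw event=session_start user=vendor_vmware_svc src=203.0.113.7 sid=s1
2023-01-10T09:05:40Z vpn-gw event=session_start user=alice src=198.51.100.20 sid=s2
2023-01-10T10:30:02Z vpn-gw event=session_end user=vendor_vmware_svc sid=s1
2023-01-10T11:00:00Z vpn-gw event=session_start user=vendor_storage_svc src=203.0.113.9 sid=s3
2023-01-10T17:15:09Z vpn-gw event=session_end user=alice sid=s2
2023-01-10T18:00:00Z vpn-gw event=session_start user=vendor_vmware_svc src=203.0.113.7 sid=s4
2023-01-11T01:30:00Z vpn-gw event=session_end user=vendor_vmware_svc sid=s4
"""


def parse_line(line):
    """Split one log line into a dict of fields plus a parsed 'ts'."""
    ts, host, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["host"] = host
    return rec


def build_sessions(log_text):
    """Return {sid: {"user", "start", "end"}}; end is None if never closed."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sid = rec["sid"]
        if rec["event"] == "session_start":
            sessions[sid] = {"user": rec["user"], "start": rec["ts"], "end": None}
        elif rec["event"] == "session_end" and sid in sessions:
            sessions[sid]["end"] = rec["ts"]
    return sessions


def supplier_findings(log_text, max_session=MAX_SESSION):
    """Supplier sessions still open at the end of the log, or longer than
    max_session. Each finding: {"sid", "user", "issue", "duration"}."""
    sessions = build_sessions(log_text)
    if not sessions:
        return []
    # Review point is the last event seen in the log.
    log_end = max(t for s in sessions.values() for t in (s["start"], s["end"]) if t)
    findings = []
    for sid, s in sessions.items():
        if s["user"] not in SUPPLIER_ACCOUNTS:
            continue  # staff sessions are reviewed under a different policy
        if s["end"] is None:
            findings.append({"sid": sid, "user": s["user"], "issue": "never terminated",
                             "duration": log_end - s["start"]})
        elif s["end"] - s["start"] > max_session:
            findings.append({"sid": sid, "user": s["user"], "issue": "exceeded max session",
                             "duration": s["end"] - s["start"]})
    return sorted(findings, key=lambda f: f["sid"])


if __name__ == "__main__":
    for f in supplier_findings(SAMPLE_LOG):
        print(f"{f['sid']} {f['user']:20} {f['issue']:22} {f['duration']}")
```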
Containers as a technology have been used for a long time, but they're only just beginning to find their way into local government circles; they've certainly been in central government for the past eight years, and with all the digital transformation stuff we're doing now, as you move towards cloud and everything, they're becoming very, very pervasive. But a badly configured Docker container is a very dangerous thing: you need to do code reviews and smoke tests. Only then can you trust the container configuration for automated continuous integration and deployment.
I've been playing around with some security tools which are on GitHub and downloading other people's Docker containers. If you're going to play with stuff, make sure you trust the source code, use a sandbox machine and monitor what the containers are doing on your systems.
I was looking at some particular containers and what was going on inside them, looking at what was going on behind the scenes via a command line terminal as they were spinning up, and there were all sorts of erroneous bits of code being spun up in the background that weren't necessarily part of the thing the container was being used for. So when you start getting into these things, make sure you understand how they work, and make sure you do code reviews and smoke testing and monitoring of the traffic, and know what data is going into the containers and what's coming out of them. Continuous integration is the orchestration layer I was talking about earlier. Software like Jenkins and Chef, and lots of other new tools, are coming along.
Virtualization: you really need to understand it. Quizzing your suppliers on the assurance side might not only show that you understand your supply chain security; it might show you what's actually happening.
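The "badly configured Docker container" and code review points above, as an added example that is not part of the original talk: a review check over container service definitions in the shape of docker-compose services (held here as Python dicts), reporting settings that should be questioned before a downloaded container is trusted in a pipeline. The rule set is ours, not Docker's, and both service definitions (the one "as downloaded" and the hardened one) are constructed.

```python
"""Added example, not from the original talk: a configuration review for
container service definitions. Rules and sample services are constructed."""

DOCKER_SOCKET = "/var/run/docker.sock"
RISKY_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}
SEVERITY = {"high": 3, "medium": 2, "low": 1}


def image_is_pinned(image):
    """Pinned means an @sha256 digest or a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry and namespace
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag not in ("", "latest")


def review_service(svc):
    """Return a list of (severity, message) findings for one service."""
    findings = []
    if not image_is_pinned(svc.get("image", "")):
        findings.append(("medium", "image not pinned to a version tag or digest"))
    if svc.get("privileged"):
        findings.append(("high", "privileged: true removes container isolation"))
    if svc.get("network_mode") == "host":
        findings.append(("high", "host networking bypasses network segmentation"))
    for vol in svc.get("volumes", []):
        host_path = vol.split(":", 1)[0]
        if host_path == DOCKER_SOCKET:
            findings.append(("high", "docker socket mounted: equivalent to root on host"))
        elif host_path == "/" or host_path.startswith("/etc"):
            findings.append(("high", f"sensitive host path mounted: {host_path}"))
    caps = {c.upper() for c in svc.get("cap_add", [])}
    for cap in sorted(caps & RISKY_CAPS):
        findings.append(("high", f"dangerous capability added: {cap}"))
    if not svc.get("user"):
        findings.append(("medium", "no user set: runs as root inside the container"))
    if not svc.get("read_only"):
        findings.append(("low", "root filesystem writable; consider read_only: true"))
    return findings


def review_compose(services):
    """{service name: findings} for a compose-style services mapping."""
    return {name: review_service(svc) for name, svc in services.items()}


def worst_severity(findings):
    """3 = high, 2 = medium, 1 = low, 0 = clean."""
    return max((SEVERITY[sev] for sev, _ in findings), default=0)


# Constructed: a tool as downloaded, and the same tool hardened for use.
WEAK = {"scanner": {
    "image": "someone/sec-tool:latest",
    "privileged": True,
    "network_mode": "host",
    "volumes": [f"{DOCKER_SOCKET}:{DOCKER_SOCKET}"],
}}
HARDENED = {"scanner": {
    "image": "someone/sec-tool@sha256:" + "0" * 64,  # placeholder digest
    "user": "10001:10001",
    "read_only": True,
    "cap_drop": ["ALL"],
    "volumes": ["scan-data:/data"],  # named volume, not a host path
}}

if __name__ == "__main__":
    for label, services in (("weak", WEAK), ("hardened", HARDENED)):
        for name, findings in review_compose(services).items():
            print(f"[{label}] {name}: worst={worst_severity(findings)}")
            for sev, msg in findings:
                print(f"    {sev:6} {msg}")
```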
Phishing
Phishing might seem like yesterday's news, but it isn't. At the moment it is the single biggest attack vector, and the problem with phishing is that it's getting more and more sophisticated, starting to introduce primary, secondary and tertiary attack vectors. You may get an email; you might also get an SMS message; you might even get a voice call. An awful lot of financial fraud is happening as the criminals themselves are going online because of the Covid restrictions and the change of opportunities.
For instance, in the banking sector, now you're getting it all followed up with a phone call. You're on the telephone to somebody and they're telling you about a problem with your bank account, or that they have detected a virus remotely on your computer. It's getting very, very sophisticated.
We're actually seeing SIM takeovers, so they can make their mobile phone look like yours to the bank, spoofing your number or that of your bank. So you can't even rely on the phone number to be truthful. There is fraud utilising SIP (the Session Initiation Protocol), spoofing messages and contact centre details.
SIP is the voice over IP protocol being used in some of this stuff[61]. The other thing that's starting to emerge with phishing attacks involves collaboration tools; even Microsoft Teams[63] is now becoming an attack vector[64]. You need to bear in mind that these attackers are getting more and more sophisticated. Make sure you are talking to your staff and doing awareness raising, because awareness raising campaigns are the best line of defence.
Blended attacks are where, as I was just saying with phishing, you're starting to see attackers building stuff up. So the NCSC (National Cyber Security Centre) Active Cyber Defence (ACD) tools come in really useful. The public DNS service (PDNS)[65] is available to all public sector bodies free of charge. The only problem with using PDNS is if you're running things like Cisco Umbrella, because NCSC are aware of incompatibilities. But when I was talking about security zoning and domains earlier on, you might even want to think about splitting up some of your IP ranges for the different parts of what you're doing and using PDNS, which, when connected, immediately flags malicious activity.
You have to remember that the criminals now all start with their own pyramid of pain, because a lot of the people deploying Emotet[64] at the bottom of the pyramid, the bottom level of these attacks, are script kiddies, low value attackers and hackers. But the minute a machine beacons out after a successful takeover, phones back and says “yep, I've got into that network”, they are then selling those credentials and those IP addresses to the next level of criminals up. Finally, that's when you get into a tight spot with really serious people doing the malware attacks. And there has been a massive prevalence of malware and ransomware as an attack vector, especially since we've experienced the Covid lockdown and are working from home. The criminals are sitting at home with plenty of time on their hands, and they follow the money.
PROINT (Protected Information Intelligence)
A new province is Protected Information Intelligence. This is where criminals are trying to steal protected credential information, credit card information and your private identity information.
But apart from these identities, the other stuff you've got to be aware of now is location information, which is becoming valuable because criminals know where you are: “I know you're not at home”. That is scary, and you need to think through where this stuff's all going, and biometric data as well, for instance biometric facial recognition for mobile phone or laptop login. It's all new types of information and credentials that criminals are after.
So you need to think that now it's not just about passwords but biometrics, personal information and privacy, and you've got to remember that youngsters have a very different feel about privacy, and that sometimes convenience can override privacy; they don't necessarily have the same view about this as we do in our generation.
So you need to bear that in mind: protected information is what people are after, because that's where the money is. Wearables, body networks, smartphones, Fitbits etc. are collecting all sorts of information, and proximity networks as well. Cars now have wifi networks or their own Bluetooth. It's always on; it's a new world we're moving into, but there's really exciting stuff too.
The core of this whole talk, for this second part on emerging threats, is that everything we do which gives us an opportunity also brings challenges and attack vectors. We have augmented reality now (some will have seen the new EE mobile phone advert for the iPhone 12, which shows an augmented reality scene over the rooftops of the City of London).
It is as much about geospatial information: not just knowing where you are, but what floor you're on, what office you're in within a building, what shop you're in within a shopping centre. It's tracking these metrics. In time, as we get more into augmented reality, Facebook, Google and Apple are all working on new sets of super specs. The age of Joe 90 really is upon us.
A whole new world is going to be a very different place in the next couple of years; work and life boundaries are going to get blurred and working from home is going to be the new normal. So you need to think these issues through. Oculus has now been bought out by Facebook. You can't use the new Oculus Quest 2 devices unless you've got a Facebook account. I've started doing some research on all of this right now, and it's going to take me a while to synthesise it all. Believe me, sitting there with a virtual reality headset on and doing work, calling up all these computer screens from the physical world, moving into that new augmented reality and virtual reality is going to be a way that, if we're going to be working from home, someone's going to have the bright idea of: “oh, it won't be just about MS Teams anymore.
Should we use the new Facebook Infinite Office that Facebook's working on right now?” If you haven't seen it, go and have a look. But that's where ethics come in: new personas. Will you have a different persona for work in virtual reality to your persona at work in the real world? You start to think about it, especially with data protection and the right to be forgotten. It's a new world of pain trying to manage multiple personas, because Facebook won't let you do that. You've got to use your real personal Facebook account with your real personal identity to use the virtual reality stuff. Interesting times ahead.
References: (All accessed November 2020)
where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of (1), the documentation of suitable safeguards;
where possible, a general description of the technical and organisational security measures referred to in (1).
The DPO must be independent and can be shared by a number of organisations. The ICO has said they would expect all Local Authorities to have a DPO. For more info, see the ICO’s online DPA/THE DATA PROTECTION ACT guidance on Accountability and Governance:
The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO will take action where appropriate to ensure compliance with the Act and now has a range of including the power to fine organisations up to £500,000.00 for non-compliance. Under the DPA/THE DATA PROTECTION ACT, the maximum penalties for non-compliance are set to rise significantly, with certain types of breach being subject to heavy fines.
The DPA/THE DATA PROTECTION ACT does provide that Member States should be able to determine the extent to which these fines should apply to public authorities (or indeed whether they should apply at all). However there is at the very least the potential for significantly increased maximum penalties for public sector organisations. Trust needs to be maintained with citizens and business. Any processes implemented need to be proportionate to the information risk. Local Public Services will still face the full financial penalties for any breaches.
Now more than ever there is a need to focus on Information Governance and Risk Management. The PSN is in the process of being closed down and Councils are being urged to leave the PSN; however, some systems still require access through it. Work is just starting in 2021, through C-TAG, to explore alternative compliance approaches. MHCLG is looking at a for Local Government, which we hope will lead to an acceptable post-PSN assurance regime.
The ever-increasing sophistication of cyber attacks will continue, and organisations need to be aware of issues relating to off-shoring data into cloud services, trying to ensure cloud data is kept within the EU. New data protection regulations from the EU, with the demise of the existing Safe Harbour agreements, will further complicate the landscape; for data held in the US, there is now the . It is critical that organisations carry out a Data Protection Impact Assessment on all personal data that is to be processed and stored outside of the EEA. Information held outside of the EU, and definitely outside of the EEA, MUST demonstrate a level of adequacy to provide sufficient confidence to the Data Controller and SIRO.
The is not mandated for Local Government, but it is relevant. This guidance also details the simplified Classification Scheme and Furthermore this (Data Handling) guidance outlines the roles and responsibilities of Local government SIROs (Senior Information Risk Owners) and IAO’s (Information Asset Owners). Under DPA/THE DATA PROTECTION ACT all public bodies such as Local Authorities will require a ; however for smaller public bodies, there can be shared Data Protection Officers
Whilst not mandated on Local Authorities, the , is recommended, as is an integrated approach to risk management and Information Governance. This guidance covers the essence of those measures and their applicability in a Wider Public Sector (WPS) environment. A lot of excellent work has already been done, but there is still more to do; the pace of technological development means that Local Public Services need to be ever aware of new risks and threats. Likewise, the Cyber Essentials framework and the are wholly recommended for organisations to follow, especially their supply chain suppliers.
Finally, the DPA/THE DATA PROTECTION ACT has specific security obligations that need to be evidenced. These are identified in :
As with the `Data Handling Procedures in Government’ report, this report considers both use of data within a given organisation and the use of data when shared. It does not seek to explore issues specifically around data sharing. There are links provided later to specific ICO resources that contain the actual guidance and explanations. Likewise, there are links to
Secure data sharing is critical to the success of all electronic information sharing within Local Public Services. This sharing must be balanced and proportionate, according to the business requirement, whilst preserving privacy and transparency whenever necessary, which could include data sharing with law enforcement. Data Controllers must consider how personal data can be kept safe and how it should be handled, rather than 'whether sharing of particular data in a particular way' is desirable. All processing, storage and sharing of personal data under DPA/THE DATA PROTECTION ACT requires a to do so.
Issues around whether personal data should be shared, still continues to be covered by regulatory, statutory and business driven risk decisions. (updated for the new data protection regime) provides a framework for making good quality decisions about data sharing of personal data and includes a series of checklists designed to help organisations decide whether to share data, and what to consider when sharing it.
The material in this document reflects good practice as set out in the (Information Security Management System) series and is also aligned with Central Government Information Assurance policy, formerly produced by CESG (the Communications and Electronic Services Group, part of GCHQ). All connections to the PSN are based around the basic technical controls of ISO 27001. Remember that PSN is only a network. PSN compliance is NOT a general security assurance certification; it just says your network is compliant, nothing more.
The technical controls are augmented with both Personnel and Physical Security requirements, provided by . CPNI is the part of the UK Government which deals with Physical and Personnel security, in the same way that NCSC deals with Cyber Security. This data handling guidance builds on those controls as specialist advice for Local Public Services and the voluntary sector. We are also seeing the emergence of the agile development methodology, to support digital products, which will help make citizen facing digital services simpler and more cost effective.
For ICO Guidance on BYOD see:
See:
There is a lot of very useful guidance material on the CPNI website (). Staff vetting brings confidence to the people aspect of the information assurance process. Whilst it is no longer a mandatory requirement for PSN access to have staff vetted, organisations should understand the value of vetting and where it is appropriate.
Part of the role of Information Asset Owner, is to identify and . This is one of the areas covered in the ity.
Maintain mechanisms for reporting and managing information risk incidents; this includes reporting losses of personal data as soon as reasonably practicable. In some circumstances, breach reporting will be required under DPA/THE DATA PROTECTION ACT within a time limit. Incidents that pose a “high risk” to data subjects will also need to be reported to the data subjects directly. For more information, please see the ICO guidance on .
Ensure that the Local Public Service/Council is a member of the Regional Local Authority WARP (Warning, Advice and Reporting Point) or the Cymru WARP in Wales. It is strongly recommended that a (CIGG), chaired by the SIRO, is established. The CIGG should report back to senior management on a regular basis, at least quarterly.
All Local Public Services should publish an information charter, setting out how they handle information and how members of the public can address any concerns that they have. A sample charter is available in the Cabinet Office ‘’ report. There are also numerous examples on various central and local public service websites.
The ICO’s DPA/THE DATA PROTECTION ACT guidance on should be followed. In particular, it is stressed it is the controller’s responsibility to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation” ().
The National Archives publish various support guidance and documents to help SIROs . All SIROs are urged to register with the . The regional WARPs supported by the NLAWARP, also provide SIRO support, through the WARP members.
The CiSP is a free-to-join collaboration portal available to all Local Public Service organisations; we urge all organisations to join CiSP. The CiSP is not a substitute for a WARP. The WARP provides much needed face-to-face contact, training and briefings.
A WARP is a community-based service where members can receive and share up-to-date advice on information security threats, incidents and solutions. See
Local Public Services should undertake regular to ensure the confidentiality, resilience, integrity and availability of the information they hold. There should be clear records of the assessments conducted and these should be shared and discussed with senior management and the Corporate Information Governance Group. The quality of all stored information forms an important part of information integrity.
Ensuring . Issue all staff with ID cards; ensure that they are worn and that staff have the confidence to challenge people who are not wearing them.
Where cloud services are being used, it is essential that personal data is stored within the EU or another recognised domain, utilising the .
ICO Guide to Cloud Computing:
should be followed.
Cloud services require their own and approach. Many data breaches relate to printed records, letters and faxes etc.
MHCLG (May 2020)
See also . Note: this only applies to materials at OFFICIAL. This guidance is also only suitable for use at OFFICIAL. It should be noted that OFFICIAL also includes , which is a handling caveat and NOT a higher level of asset classification.
There are NCSC file transfer and sharing cloud services available. Many leading email providers now provide cloud drives, which make file sharing simple, secure and controllable. File sharing should be monitored and auditable. Services like Google Apps and Office 365 provide shared file storage. It is for the SIRO to determine whether the level of assurance provided gives sufficient confidence. This includes taking account of the organisation's risk appetite and Information Governance regime. Any Government information will be subject to and constraints. For NHS guidance on off-shoring, see: .
It should be noted that there is a lack of extant guidance relating to off-shoring of personal information post EU exit. Organisations should do their own due diligence and seek an adequate level of assurance from their . For NHS guidance see:
The Cloud Security Principles can help.
Local Public Services should implement a range of security policies to ensure compliance with the PSN and HSCN regimes. An example selection of policies is available on the NLAWARP website . A number of these policies are freely available for Local Public Service organisations to download, customise and implement; we do ask that you share back with the community any updates or additions you make.
, information and configurations
These 6 areas are covered in the scheme, hosted by the NCSC.
There is also the Cyber Essentials scheme, originally developed for SMEs and other businesses; we believe it provides a simple and effective framework which will help Shared Services, SME suppliers to Local Public Services and the Third Sector. Cyber Essentials is owned by the NCSC and is managed by the .
In addition to the basic Cyber Essentials, there is also a more robust IASME standard, which includes full Cyber Essentials certification and additional risk and governance issues see:
All systems containing personal data should have Data Protection Impact Assessments carried out on them. The ICO recommends this and guidance is available in the ICO’s code of practice. DPIAs (also known as Privacy Impact Assessments, or PIAs) should be an integral part of all project management and development processes, including agile. Under THE DATA PROTECTION ACT, DPIAs will be mandatory whenever the processing is likely to result in a high risk to the rights and freedoms of individuals. For example, when there is:
processing on a large scale of special categories of data referred to in (1), or of personal data relating to criminal convictions and offences referred to in ; or
See:
Work towards a policy of ; wherever possible, access to systems should be restricted to only those users that need it. Sharing the minimum information for a transaction, or the least viable functionality for a software product, will enhance security.
Limit access to raw data (containing personal data) so that it is strictly controlled and, where possible, only anonymised data is readily available. should be enabled by default, especially on cloud services. Controlling access to systems using an approved Authentication Service should be considered. Any decision not to implement encryption in transit or at rest should be recorded, together with the reasons.
We acknowledge an increase in the use and deployment of agile-developed products and services; this is fine and appropriate at OFFICIAL, and we strongly endorse the and the NCSC . Where agile is being used, it is essential that the information risks are fully understood and iterated at each release. Agile is not a reason to ignore Information Assurance. Anti-Personas and other techniques can be used at all stages of development. There is a wide range of supporting guidance in the . It is also worth reading and following the MHCLG Digital for current information relevant to Local Government. The LGA also publishes worth reading. Data Protection Impact Assessments can help with this. The DPIA can be an ongoing process that is updated as necessary (rather than having to conduct a new DPIA each time) and, as mentioned above, can be built into an organisation's normal risk assessment and change management processes.
There is now an official policy to move away from the PSN and to use the Internet. This is explained in a blog:
See
See:
Access should be via secure remote access, so that information can be viewed or amended without being permanently stored on the remote computer. The use of Microsoft Safe Links or similar is suggested, or secure messaging portal services, examples being , and .
See also Microsoft configuration guidance:
Where cloud services are being used, it is essential that personal data is stored within the UK or another recognised domain. Post leaving the EU information:
Where personal data is being processed outside the EU, in a country whose protection is not considered to be adequate, the . Where another country is considered to offer an “adequate” level of protection by the European Commission, there would be no need for model clauses (although there would also be nothing stopping organisations from using them, as long as they were appropriate for the contract in question).
See:
You should have and in place for all systems containing personal data.
All Local Public Services should engage independent experts, who are appropriately qualified members of , or (the NCSC penetration testing certification scheme), to carry out penetration testing of all ICT systems where it is deemed necessary.
Email needs to be securely deployed. Follow the . TLS should be deployed in a secure and well-configured way, and DMARC, DKIM and SPF should be in place. Likewise, your email services should now be penetration tested as part of the IT Health Check. There is , testing and deployment. See:
Older versions of TLS are now officially deprecated and have been removed from some browsers.
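The paragraph above lists SPF and DMARC as things to have in place; what actually matters is whether the published records enforce anything. The following is an added example, not C-TAG, NLAWARP or NCSC code: it evaluates a domain's SPF and DMARC TXT records against the conditions that leave a domain spoofable (no record, `+all` or soft `~all`, more than ten DNS-lookup terms, `p=none`, no aggregate reporting address). The records and domain names are constructed sample data so the check runs offline; in use you would fetch them with a DNS resolver such as dnspython's `dns.resolver`, which is assumed but not imported here.

```python
"""Evaluate published SPF and DMARC records for the weaknesses that leave a
domain spoofable. Added example; not C-TAG, NLAWARP or NCSC code."""

# Constructed sample TXT records, keyed by the DNS name they would live at.
# Real deployments would fetch these with a resolver (e.g. dnspython).
SAMPLE_TXT = {
    "council.example": [
        "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 ~all",
    ],
    "_dmarc.council.example": [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@council.example",
    ],
    # A deliberately weak publisher: '+all' lets anyone send as this domain.
    "weak.example": ["v=spf1 +all"],
}

# SPF terms that each cost one DNS lookup; RFC 7208 caps a record at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(records):
    """Evaluate the SPF record(s) among a domain's TXT records."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"present": False, "all": None, "lookups": 0,
                "findings": ["no SPF record: receivers cannot reject forged senders"]}
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: a permerror, treated as no SPF")
    all_qualifier, lookups = None, 0
    for term in spf[0].split()[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Mechanism name precedes any ':' (argument), '/' (CIDR) or '=' (modifier).
        name = term.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' passes every sender: SPF provides no protection")
    elif all_qualifier in ("~", "?"):
        findings.append(f"'{all_qualifier}all' is soft/neutral; move to '-all' once "
                        "DMARC reports confirm all legitimate senders are listed")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds the RFC 7208 limit of 10")
    return {"present": True, "all": all_qualifier, "lookups": lookups,
            "findings": findings}


def parse_dmarc(records):
    """Evaluate the DMARC record published at _dmarc.<domain>."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"present": False, "policy": None,
                "findings": ["no DMARC record: SPF/DKIM failures are not acted on"]}
    tags = {}
    for part in dmarc[0].split(";"):       # tag=value pairs separated by ';'
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to learn from")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct} applies the policy to only part of the mail flow")
    return {"present": True, "policy": policy, "findings": findings}


def assess_domain(domain, txt=SAMPLE_TXT):
    """Combine both checks; 'enforcing' is True only for '-all' plus
    quarantine/reject, i.e. a receiver can actually drop forged mail."""
    spf = parse_spf(txt.get(domain, []))
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    enforcing = spf["all"] == "-" and dmarc["policy"] in ("quarantine", "reject")
    return {"spf": spf, "dmarc": dmarc, "enforcing": enforcing}


if __name__ == "__main__":
    for name in ("council.example", "weak.example"):
        result = assess_domain(name)
        print(name, "enforcing" if result["enforcing"] else "NOT enforcing")
        for finding in result["spf"]["findings"] + result["dmarc"]["findings"]:
            print("  -", finding)
```

The usual progression is `p=none` with `rua=` reporting first, then `quarantine`, then `reject` once the reports show no legitimate sender is failing; the check flags each intermediate stage so it can be tracked in the IT Health Check.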
It is vitally important that is taken into account. The GDS network principles now recommend that IP addresses for e-services are published through authoritative DNS services.
We recommend that be securely implemented and regularly scanned and checked. DNS services should be part of the IT Health Check going forward. DNS will continue to become more valuable to attackers as we progress on the cyber journey. Organisations must also . Organisations should also consider monitoring their domain names and variations to prevent .
The use of service is recommended.
See:
Full documentation and guidance materials to complete Data Protection Impact Assessments are freely available on the ICO website.
All of these aspects need to sit within a Risk Management framework. This is why the legal requirements of The Data Protection Act, and to some extent the PSN and the , appear to cover the same ground. Only an organisation-wide strategic approach will be effective in thoroughly protecting information. NHS Digital has established an
The NCSC have published specific . There is also a by the NCSC for charities. There is also useful NCSC guidance for .
We have recently launched “Eduwarp” to help school IT support staff better understand cyber threats, see: (our thanks to Suffolk & Norfolk County Councils and the Welsh Government for their foresight in suggesting the initiative).
Local Public Services should have a policy for . This includes losses of protected personal data and ICT security incidents. This plan will need to be updated to include any cloud services that may be deployed. The cloud service provider will not generally provide business continuity services as part of their core offering; seek assurances about what resilience they provide and how. The policy should cover the Local Public Service's media and legal response, and should have clearly defined responsibilities. All staff should be made aware of this policy. will grow in importance going forward. Local Public Services are urged to hold an annual training and desktop exercise to test the effectiveness of these plans. These plans should cover Cyber Resilience, including Cloud Services. Incident Management processes should also be tested.
Serious security incidents should initially be . Organisations with a SIRO should also ensure the SIRO is informed as soon as possible. The DPO (Data Protection Officer) should also be informed if the organisation has one. Under DPA/THE DATA PROTECTION ACT, public sector controllers must have a DPO and the DPO must be informed. Significant actual or potential losses of personal data should be notified to the Information Commissioner's Office, which would not look favourably on failure to report a serious breach. The Information Commissioner's Office will undertake free on-site data protection audits or information risk reviews to varying levels of mutually agreed detail. The ICO also has a that advises on all aspects of data protection compliance, including responses to data loss incidents. There is .
See:
The is a framework used in Wales for service providing organisations directly concerned with the wellbeing and safety of an individual, to share personal data between them in a lawful and intelligent way. It applies to all public sector organisations, voluntary sector organisations and those private organisations contracted to deliver relevant services to the public sector who provide services involving the health, education, crime prevention and social wellbeing of people in Wales. It is made up of two parts; the Accord and supporting Information Sharing Protocols. WASPI is an exemplar for Information Sharing Protocols.
With the rise of cyber attacks and their increased sophistication, organisations need to prepare for cyber attacks. The “” work implemented by MHCLG under the National Cyber Security Programme can help. A good starting point is the strategy report produced as part of the programme.
The Reform report is also worth reading:
There are a lot of additional useful resources at:
The Information Commissioner’s Office Website is available at
DPA/THE DATA PROTECTION ACT breach notification:
The National Cyber Security Centre (NCSC) is the UK’s authority on cyber security. We are a part of . The NCSC brings together and replaces CESG (the information security arm of GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related responsibilities of the (CPNI).
Most recently GCHQ has published an ethics strategy paper, ,[1] which looks at the future ethical role of the technology in dealing with crimes such as child abuse and human trafficking, and threats from disinformation. Similarly, in the wake of Covid-19 the NHS AI Lab is introducing the [2] to ensure that AI products used in the NHS and care settings will not exacerbate health inequalities.
More widely, given the global significance of this issue, the (which includes the UK ICO) has initiated a declaration on ethics and data protection in artificial intelligence that outlines the following guiding principles as its core values to preserve human rights in the development of AI and data analytics:
Source
Within the UK public sector, the focus around these issues has been around establishing a strategic framework and supporting guidance to underpin ethics and data protection in artificial intelligence. The government’s commits public sector organisations to adopting a approach which means “data is handled in a way that is lawful, secure, fair, ethical, sustainable and accountable, while also supporting innovation and research”.
At an operational level, organisations are seen as having responsibilities to upskill themselves so that they can both manage and use data efficiently as a strategic resource, and ensure such use is lawful, secure, unbiased and explainable. Likewise, organisations are expected to place a greater value on ensuring that they have the right skills to collect, organise and manage data. To be effective, organisations are also encouraged to ensure that they account for biases arising from data or algorithm use, as identified in the on the issue.
The responsible data approach advocated in the strategy is built around wider research that suggests , and . The strategy notes that, whilst new technologies may help to create safe and secure environments for sharing data, including personal data, nevertheless .
At an official level the recently refreshed guides appropriate and responsible data use in government and the wider public sector. Whilst in the research and statistics community, the UK Statistics Authority has established the and developed a to help researchers and statisticians consider the ethics of their use of data.
More widely in this regard, the has published new aimed at two audiences:
addresses accountability and governance in AI, including data protection impact assessments (DPIAs);
covers fair, lawful and transparent processing, including lawful bases, assessing and improving AI system performance, and mitigating potential discrimination;
addresses data minimisation and security; and
covers compliance with individual rights, including rights related to automated decision-making
The ICO has also developed a on best practices for data protection compliance – whether you design your own AI system, or implement one from a third party. It provides a clear methodology to audit AI applications and ensure they process personal data fairly. It comprises:
See also the , which is divided into 10 categories and contains expectations and examples of how your organisation can demonstrate its accountability. The ICO sees accountability as one of the key principles in data protection law: it makes you responsible for complying with the legislation and says that you must be able to demonstrate your compliance.
and the , for general information about security under data protection law.
Also see the ICO
The Open Data Institute and helps identify and manage ethical issues – at the start of a project that uses data, and throughout. It encourages you to ask important questions about projects that use data, and reflect on the responses.
The Alan Turing Institute publication is a guide for everyone involved in the design, production, and deployment of a public sector AI project: from data scientists and data engineers to domain experts and delivery managers.
has created a , an iterative development tool to help organisations think about the potential impact of their solutions or services on people and society. It is for anyone directly or indirectly involved with the design of public sector digital and data solutions or services.
The provides an overview of different types of tools that aim at educating citizens about datafication and its social consequences. It is for anyone working directly or indirectly with data in the public sector, including data practitioners (statisticians, analysts and data scientists), policymakers, operational staff and those helping produce data-informed insight, to ensure the highest ethical standard of their projects.
a NESTA guide for public sector organisations on how to introduce AI tools so that they are embraced and used wisely by practitioners.
A Royal Statistical Society (RSS) and Institute and Faculty of Actuaries (IFoA) is intended to complement existing ethical and professional guidance and is aimed at addressing the ethical and professional challenges of working in a data science setting.
Source documents referred to in this paper are available at:
Because of the federated nature of agile, cloud-based systems, it is necessary to have authoritative lists of data items, some of which are fixed: for instance the recognised countries of the world used by the banks, and country prefixes for international telephone dialling. There are also registers on the .gov.uk website at , which are definitive;
Registers are therefore an approach worth considering in the context of Information Asset Registers. We must however be mindful of the security implications and the “Equity” (the usefulness to a hacker), so these register entries will need to be pseudo-anonymised. To facilitate pseudo-anonymisation, we propose a CUON (Cyber Unique Organisational Number), which would be randomly allocated to an organisation in a similar way to a private and public key.
This would save a lot of time and effort, for instance using an agent-based system such as HUGINN. The agent-based approach is a push/pull system: the updated contents of a database wait until polled for an update, and bespoke workflows are put together. This node-based store-and-forward approach could be incorporated into a CERT (Computer Emergency Response Team) or form part of a hierarchic network, for instance linking all of the Local Authorities in Wales through regional nodes. This was discussed in a CSIRT paper, referencing Cybershare as a model that could achieve this [38].
This type of asset register could be automated and integrated into a STIX and TAXII type infrastructure; however, as previously discussed, the issue of security and pseudo-anonymisation has to be considered.
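The two preceding paragraphs propose a randomly allocated CUON as the pseudonym under which an organisation's asset register entries are shared, and that the sharing could ride on STIX/TAXII. As an added example (not C-TAG or NLAWARP code, and not a specification of the CUON scheme), the following sketches one way that could be done: a CUON is drawn from a cryptographic random source and held only in a separately protected registry, the shared record is emitted as a STIX 2.1 bundle (an `identity` object named by the CUON and an `infrastructure` object for the asset), and a final check confirms the real organisation name does not leak into the shared text. The organisation and asset values are constructed; the STIX objects are plain dictionaries rather than the `stix2` library so the block runs offline.

```python
"""Pseudonymise an organisation's asset record with a CUON and emit it as a
STIX 2.1 bundle. Added example; not C-TAG/NLAWARP code, and the CUON format
(CUON- plus 16 hex digits) is an assumption for illustration."""
import json
import secrets
import uuid
from datetime import datetime, timezone


def allocate_cuon(org_name, registry):
    """Allocate a random CUON for org_name, or return the one already held.

    The registry (real name -> CUON) is the only place the link exists and
    must be protected separately from anything that is shared.
    """
    if org_name not in registry:
        registry[org_name] = "CUON-" + secrets.token_hex(8).upper()
    return registry[org_name]


def stix_timestamp():
    """STIX 2.1 timestamp: RFC 3339, UTC, millisecond precision, 'Z' suffix."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def build_asset_bundle(cuon, asset):
    """Wrap one asset-register entry in a STIX 2.1 bundle attributed to the CUON."""
    now = stix_timestamp()
    identity = {
        "type": "identity", "spec_version": "2.1",
        "id": f"identity--{uuid.uuid4()}",
        "created": now, "modified": now,
        "name": cuon,                       # pseudonym, never the real name
        "identity_class": "organization",
    }
    infrastructure = {
        "type": "infrastructure", "spec_version": "2.1",
        "id": f"infrastructure--{uuid.uuid4()}",
        "created": now, "modified": now,
        "created_by_ref": identity["id"],  # ties the asset to the pseudonym
        "name": asset["name"],
        "description": asset["description"],
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [identity, infrastructure]}


def leaks_identity(bundle, registry):
    """Return every real organisation name that appears in the serialised
    bundle; a non-empty list means the record is not safe to share."""
    text = json.dumps(bundle)
    return [name for name in registry if name in text]


if __name__ == "__main__":
    registry = {}                                   # constructed, kept locally
    cuon = allocate_cuon("Example District Council", registry)
    asset = {"name": "Planning portal",             # constructed sample entry
             "description": "Externally facing web application, patched monthly"}
    bundle = build_asset_bundle(cuon, asset)
    print(json.dumps(bundle, indent=2))
    print("leaks:", leaks_identity(bundle, registry))
```

The leak check is deliberately crude (a substring match on the names in the registry); it catches the common case where an asset name such as "Example District Council planning portal" would undo the pseudonymisation, but free-text descriptions still need review before anything is pushed to a TAXII collection.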
Taxonomy of Physical components for this I would consider:
Data Dictionary example:
Service Transaction Mapping is a good example of how this looks in practice. We contend this is valuable in working through Cyber Resilience Planning, as it has immediate utility for Cyber Incident Response when you are making sense of what has happened after an attack.
SABSA
Zachman
TOGAF
The NCSC have written a useful set of guidance:
One of the best ways to ensure good security practices is to observe bad ones, this is where Security “Anti-Practices” come in useful;
A good example of a pattern for the safe import and export of data can be found at:
It is even possible to use Lego bricks to develop physical representations of networks and architectures:
[1]
[5] Data Dictionary (ICL IDMS Design {1987} Page 1-6:
[6] GDS Service Design Manual:
[11] Miles, Huberman & Saldana, Qualitative Data Analysis, Sage, 2018
[12] Grounded Theory:
[13]
[15]
[16]
[17]
[18]
[19]
[20]
[21]
[22]
[23]
[24]
[25] Strauss, A., Corbin, J.M.: Basics of Qualitative Research: Grounded Theory Procedures and Techniques. Sage Publications, Inc. (1990)
[26]
[27]
[28]
[29]
[30]
[32]
[33]
[34]
[35]
[36]
[37]
[38] iStand UK Cyber (Cybershare)
[39]
[40]
[41]
[42] ISACA Lego Article:
[43] 5 D’s (2009) LGA
[44]
[45]
[46] NIST Incident Response Guide:
[48]
[49]
[50]
[51] OSA Taxonomy:
[52]
[53]
[54]
[55]
[56]
Web sites see: http://www.ukresilience.info/contingencies/cont_index.htm Business Continuity Institute see: www.thebci.org Association of Local Authority Risk Managers http://www.alarm-uk.com/ Society of Information Technology Management SOCITM:
“Just weeks after ChatGPT debuted, Israeli cybersecurity company Check Point how the web-based chatbot, when used in tandem with OpenAI’s code-writing system Codex, could create a phishing email capable of carrying a malicious payload. Use cases like this illustrate that ChatGPT has the potential to significantly alter the cyber threat landscape, adding that it represents another step forward in the dangerous evolution of increasingly sophisticated and effective cyber capabilities. Check Point also recently over the chatbot’s apparent ability to help cybercriminals write malicious code. The researchers say they witnessed at least three instances where hackers with no technical skills boasted how they had leveraged ChatGPT’s AI smarts for malicious purposes. One hacker on a dark web forum showcased code written by ChatGPT that allegedly stole files of interest, compressed them, and sent them across the web. Another user posted a Python script, which they claimed was the first script they had ever created. Check Point noted that while the code seemed benign, it could “easily be modified to encrypt someone’s machine completely without any user interaction.”
[1]
[3]
[4]
[6]
Before you can do anything, you must ensure your network has a consistent and stable network time source. This is a requirement of the PSN Code of Connection, as without it you cannot normalise data or correlate log files. The will help with some of this work. The NCSC produce other [15] that should be read and adhered to. You must have up-to-date, detailed and accurate [16] and systems documentation. There are plenty of to help you do so [17]. Without these, neither you nor an external network response company will be able to help you, and valuable time and resources will be wasted. The NCSC has a scheme and list of trusted companies that can help [18]. The Scottish Government has also published a [19]. There is also a Scottish Government that can be downloaded and customised [20]. Asset registers are critical to success and will be the subject of a future C-TAG guide.
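The point about a stable time source is easiest to see with a concrete timeline. The following is an added example, not C-TAG or NLAWARP code: it takes constructed log lines from four sources that stamp time differently (RFC 3339 with `Z`, RFC 3339 with an explicit offset, and a firewall export in local time with no zone), converts every entry to UTC, applies a measured clock error for one host, and then pulls out the events that fall within a window of a chosen pivot event. The host names, addresses and the assumed local timezone (BST) and five-minute skew are all made up for the example; the real fix is NTP from a trusted source so that no skew table is needed.

```python
"""Normalise log timestamps from several sources to UTC so they can be
correlated on one timeline. Added example; not C-TAG/NLAWARP code."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines: (source, raw line).
LOG_LINES = [
    ("proxy",    "2023-06-01T09:15:02Z GET http://example.test/update.bin client=10.0.0.5"),
    ("firewall", "06/01/2023 10:14:50 DENY 10.0.0.5 -> 198.51.100.7:443"),   # local time, no zone
    ("dc01",     "2023-06-01T09:17:30+00:00 4625 logon failure user=svc-backup from 10.0.0.5"),
    ("ws42",     "2023-06-01T09:10:00+00:00 7045 new service installed name=updater"),
]

# Assumption: the firewall logs in British Summer Time (UTC+1) without saying so.
LOCAL_TZ = {"firewall": timezone(timedelta(hours=1))}

# Assumption: clock error measured per host against the trusted time source,
# expressed as (host clock - true time). ws42 runs five minutes slow, so its
# entries must be moved forward to land where they really happened.
SKEW = {"ws42": timedelta(minutes=-5)}

ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(Z|[+-]\d{2}:\d{2})\s+(.*)$")
US_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(.*)$")


def parse_timestamp(source, line):
    """Return (aware datetime, message) for one line, refusing to guess a
    timezone for naive timestamps from a source we have no mapping for."""
    m = ISO_RE.match(line)
    if m:
        # fromisoformat() accepts '+00:00' on all supported Pythons; 'Z' only from 3.11.
        ts = datetime.fromisoformat(m.group(1) + m.group(2).replace("Z", "+00:00"))
        return ts, m.group(3)
    m = US_RE.match(line)
    if m:
        naive = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        tz = LOCAL_TZ.get(source)
        if tz is None:
            raise ValueError(f"{source}: naive timestamp but no known timezone")
        return naive.replace(tzinfo=tz), m.group(2)
    raise ValueError(f"{source}: unrecognised timestamp in {line!r}")


def normalise(entries, skew=SKEW):
    """Convert every entry to UTC, correct known clock skew, sort by time.
    Returns a list of (utc datetime, source, message)."""
    events = []
    for source, line in entries:
        ts, msg = parse_timestamp(source, line)
        utc = ts.astimezone(timezone.utc) - skew.get(source, timedelta(0))
        events.append((utc, source, msg))
    return sorted(events)


def correlate(events, pivot_source, window_seconds=300):
    """Events within +/- window_seconds of the first event from pivot_source."""
    pivot = next(e for e in events if e[1] == pivot_source)
    window = timedelta(seconds=window_seconds)
    return [e for e in events if abs(e[0] - pivot[0]) <= window]


if __name__ == "__main__":
    timeline = normalise(LOG_LINES)
    for when, source, msg in timeline:
        print(when.strftime("%H:%M:%SZ"), f"{source:9}", msg)
    print("within 60s of the proxy download:")
    for when, source, _ in correlate(timeline, "proxy", 60):
        print("  ", when.strftime("%H:%M:%SZ"), source)
```

Read in raw form the workstation entry looks like it happened five minutes before the download and the firewall entry an hour later; normalised, the deny, the service install and the download sit within twelve seconds of each other, which is the kind of sequence an incident responder needs to be able to trust without re-deriving it by hand.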
There is an ISO standard for incident response, ISO 27035 [1]; as with all standards, it details an approach, in this case a five-stage one, and it links nicely with ISO 27001:
Source:
There's also the American NIST Incident Handling Guide [2]. This dates back to 2012, but does contain a lot of useful advice and guidance. For specific cloud-related guidance, the Cloud Security Alliance has an [26].
Source:
Some very good examples of incident playbooks (think of plans or recipes, as we're in a cook book) can be found at ; the approach is very good. Whilst forensics are out of scope for this paper, there is an excellent primer and source of information from SANS to be found at . SANS also produces an incident handler's guide that can be found at
We have discussed exercising; MHCLG delivered a number of Cyber Exercises [6]. The NCSC have produced the suite, which can be freely downloaded and contains all of the materials needed to plan and run a successful cyber exercise [7]. For really in-depth guidance, the is a comprehensive and authoritative guide [8].
Responding to cyber incidents will always be different to what you've planned for. The idea of planning is more about trying to understand the decisions, the lines of communication and the team-building experience. Plans make you think about scenarios, which can be exercised. All incidents will need resources. The FT produced a useful report containing a lot of sage advice [9]. For information, have a look at the Golden Hour Guide, which is described in the ; the paper also contains a number of useful case studies and other information.
5) Defining [25] (Taking 1-4 above identifying assurance gaps).
6) Articulating a Risk Appetite (Using business language [] [23])
User stories are incredibly powerful for Risk Management, Cyber Exercising and for testing assumptions. [24] is another useful way to articulate the risks.
Source: Figure 1 above and table below; Cyber Incidents: Uma, M. and Padmavathi Ganapathi. “A Survey on Various Cyber Attacks and their Classification.” I. J. Network Security 15 (2013): 390-396.
Do not underestimate the amount of time a cyber attack will take to resolve. As we said earlier, the incident part only goes as far as “Making Safe” (Containment). The hard work starts with the recovery phase. It could take weeks, months or years to completely get back to normal. You need to plan for that and have that as a . The NCSC list some helpful context about planning assumptions in dealing with suppliers [11]. You need to undertake [12] and a Risk Assessment with a threat analysis, so that you can prioritise your planning assumptions; the UK Space Agency has produced a useful which explores these areas [13].
1 ISO 27035:
2 NIST Incident Handling Guide:
3 Incident Playbook examples:
4 Sans Forensics Planning Guide:
5 Sans Incident Handlers Guide:
6 MHCLG Pathfinder Programme:
7 NCSC Exercise in a box:
8 Mitre Exercise Planning Guide:
9 FT Guide to Cyber Incident Survival:
10 Cyber Golden Hour Guide:
11 Cyber Planning Assumptions:
12 Horizon Scanning Toolkit:
13 UK Space Agency Cyber Toolkit:
14 NCSC Logging Made Easy:
15 NCSC Incident Management guidance:
16 Network Diagrams blog:
17 Network Diagram tools:
18 NCSC Certified Incident Response Companies:
19 Scottish Government Guide:
20 Scottish Govt Cyber Playbook template:
22 Emergent Cyber Threats:
23 Risk in user stories:
24 Risk Poker:
25 Articulating Risk Statements:
26 Cloud Security Alliance Incident response:
Likewise if you’ve been a victim of Cyber Crime, you should report the incident to Action Fraud:
If you’ve had or suspect a Data Breach, likewise inform the Information Commissioners Office:
The standard provides guidance on methods, models, processes, policies, controls, protocols and other mechanisms for the sharing of information securely with trusted counterparties on the understanding that important information security principles will be respected. ISO/IEC 27010 was first published in 2012 then minor editorial changes were made to align the standard with the 2013 editions of and . The current second edition was published in 2015. It was ratified by SC 27 in 2021 for a further 5 years.
[1]
[3]
[4] Incident Planner:
[5] NCSC Incident Response Process:
[6] Noun Project Copywriting Icons:
[7] Scottish Govt Incident Framework: .
[8] Scope Ref:
[8a]
[10] Stakeholder mapping (Systems Dynamics Approach):
[12] Systems Dynamics Approach to Cyber Conflict:
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[21]
[22]
[24]
[25]
[26]
[27]
[28]
[29] Backman 2020 (Wiley)
[30] DOI:
[31] Onwubiko, Cyril and Ouazzane, Karim (2019) SOTER Cyber Playbook
[32] DOI:
[33]
[34]
[35]
[36]
[37]
[38]
[39]
[40]
[41]
[42]
[43]
[44]
[45]
[46]
[47]
[48]
[49]
[50]
[51]
[52]
[53]
[54]
[55]
[56]
[57]
[58]
[59]
[60]
[61]
[62]
[63]
[64]
[65]
[66]
[67]
[68]
[69]
[70]
[72]
[73]
[74]
[75]
[76]
[77]
[78]
[79]
[80]
[81]