The Government, in collaboration with the National Cyber Security Centre (NCSC) has released guidance on the minimum cyber security standards that all government departments, agencies and contractors must comply with to protect their information, technology and digital services.
It covers five categories: identify, protect, detect, respond, and recover. The measures covered in the document will grow with time to address new threats and vulnerabilities to ensure those who follow it remain secure and compliant.
With 43 percent of businesses surveyed by Ipsos MORI for the Cyber Security Breaches Survey 2018 identifying at least one breach or attack in 2017, it’s a useful framework for organisations to base their cyber security strategy on. Breaches in cyber security not only affect business in downtime and recovery costs, but there may also be huge reputational consequences and GDPR fines to face as a result.
“Departments shall put in place appropriate cyber security governance processes.”
In order to put effective governance processes in place, departments first need to understand the security risks associated with their sensitive information and operational services. According to the Cyber Security Breaches Survey 2018, only 27 percent of businesses have formal cyber security policies, a rather scary statistic given that 74 percent of UK businesses say cyber security is a high priority for their organisation’s senior management.
Office 365 Secure Score analyses security and gives departments an overview of how secure their Office 365 configurations are and the risks they face. Think of it as a credit score for security – it will evaluate and suggest ways to further secure your Office 365 services. Departments can then use this to develop processes and strategies to tackle these risks.
For sensitive information or resources, Azure AD Privileged Identity Management helps manage, control, and monitor privileged user access.
“Departments shall identify and catalogue sensitive information they hold.”
In the age of mobile devices and the cloud it’s important to ensure sensitive information is safe, and a key first step is identifying the data held. Azure Information Protection helps departments detect sensitive information and secure email, documents and other sensitive content no matter where it is stored or who it is shared with. The Azure Information Protection Scanner can also be used to identify what data types reside on-premises, automatically classify them, and protect them.
In addition, Office 365 has discovery features and retention policies to help identify where data is stored across services such as Exchange, SharePoint, and Teams. Retention policies can ensure that there is a valid reason for holding sensitive information.
“Departments shall identify and catalogue the key operational services they provide.”
Departments must know what technologies and services they require to remain secure, what other dependencies the services have, and the impact of loss of service.
Geo-redundant storage (GRS) is designed to ensure at least 99 percent durability of data. It replicates data to a secondary region that is geographically separate from the primary region where the data is held. In the event of a regional outage or disaster where the primary region is not recoverable, GRS ensures data is not lost.
“The need for users to access sensitive information or key operational services shall be understood and continually managed.”
Often, the first safeguard against threats and breaches is to maintain strict and reliable access control. Privileged Identity Management provides control and management of your most sensitive accounts, ensuring they have the minimum access to key operational services and that access is only granted based on need.
Azure AD can act as a single authentication platform allowing for effective identity lifecycle management to ensure access is not held for any longer than necessary. It also allows for reviews of group memberships which can be tracked for auditing and compliance to prevent privilege inflation.
“Access to sensitive information and key operational services shall only be provided to identified, authenticated and authorised users or systems.”
Departments need to ensure that only those users who are authorised have access. A key component to a modern authentication solution is multi-factor authentication which is built into Azure AD and provides a single authentication platform that departments can use to provide access to authorised individuals and systems.
Conditional Access provides another level of control based on location, user, application, and device before allowing users access. This allows efficient and secure access controls to be put in place, and is particularly important for multi-device employees and departments with BYOD policies.
“Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities.”
It’s important to come up with a procedure to track and record all assets and ensure infrastructure is protected. Microsoft Intune and SCCM can be used to track software and hardware assets. Intune can also be used to help manage mobile devices and assets, including remotely wiping data if required.
As an evergreen operating system, Windows 10 is continually kept up to date and patched. Windows Defender ATP allows departments to detect and respond to advanced cyberattacks, as well as spot devices that are missing patches, or have security controls disabled or changed, making them vulnerable.
“Highly privileged accounts should not be vulnerable to common cyberattacks.”
Privileged Identity Management and Azure AD can control the scope and access of user accounts, including enforcing multi-factor authentication on not just Microsoft services, but third-party services as well.
For social media, system, or infrastructure accounts, Azure AD supports single sign-on, obviating the need to share or store shared passwords.
“Departments shall take steps to detect common cyberattacks.”
Attackers using common cyberattacks should not be able to gain access to sensitive information without being detected. Departments should clearly define what must be protected and why.
Microsoft 365 ATP can detect advanced cyberattacks across the whole attack kill chain, ensuring that no matter how an attack starts or propagates it can be detected and responded to quickly.
“Departments shall have a defined, planned and tested response to cyber security incidents that impact sensitive information or key operational services.”
An incident response and management plan, with clearly defined actions, roles, and responsibilities must be implemented and tested regularly. Findings from the most recent Cyber Security Breaches Survey suggest that only 13 percent of businesses say they have an incident plan.
Microsoft’s cloud security evolves to protect against the latest threats and technologies. The Intelligent Security Graph, for example, powers real-time threat detection, response, and remediation for Microsoft products and services. Windows Defender Advanced Threat Protection (ATP) allows departments to ingest custom data and correlate this against activity to detect known threats, as well as automatically investigate and remediate a wide range of cyberattacks, ultimately allowing departments to scale their response capabilities.
“Departments shall have well defined and tested processes in place to ensure the continuity of key operational services in the event of failure or compromise.”
There should be contingency plans to ensure departments can deliver essential services in case of a cyberattack. These plans need to be tested and well-practised to ensure they work and would not be affected by any failure or compromise.
Azure Backup is built within the Azure platform, meaning it reduces restoration time if a failure or compromise were to occur. It also helps keep data safe from ransomware with multi-factor authentication, alerts when there is suspicious activity, and counteracts unauthorised retention or deletions. Azure Site Recovery replicates workloads to a secondary location. In the event of a failure or compromise at the primary location, it fails over to the secondary location to minimise downtime in key operational services.
Disclaimer: This document has been drafted with reference to the Minimum Cyber Security Standard (version dated June 2018) which could be updated from time to time and the most recent version can be viewed at https://www.gov.uk/government/publications/the-minimum-cyber-security-standard. This document includes extracts from the June 2018 version of the Minimum Cyber Security Standard which may have been summarized, paraphrased or shortened; there is no substitute for reading those standards in full. Nothing in this document constitutes legal advice, a legal offer or legal representations. It may not contain the most up to date information or guidance.