Cyber Security Strategy

Similar documents
CYBER INCIDENT REPORTING GUIDANCE. Industry Reporting Arrangements for Incident Response

THE STRATEGIC POLICING REQUIREMENT. July 2012

The UK s National Cyber Security Strategy

Cyber Security and Cyber Fraud

Commonwealth Cyber Declaration

Promoting Global Cybersecurity

Member of the County or municipal emergency management organization

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

Protecting information across government

NEW INNOVATIONS NEED FOR NEW LAW ENFORCEMENT CAPABILITIES

FIRE REDUCTION STRATEGY. Fire & Emergency Services Authority GOVERNMENT OF SAMOA April 2017

Cyber Security in Europe

Leading the Digital Transformation from the Centre of Government

ENISA EU Threat Landscape

Information Security Strategy

National Policy and Guiding Principles

Cyber Security Strategy. February 2017

Cybersecurity in Asia-Pacific State of play, key issues for trade and e-commerce

Financial Crime Data and Information Sharing Solution

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

Cloud First: Policy Not Aspiration. A techuk Paper April 2017

Netherlands Cyber Security Strategy. Michel van Leeuwen Head of Cyber Security Policy Ministry of Security and Justice

HPH SCC CYBERSECURITY WORKING GROUP

National Policing Community Security Policy

Guernsey Police Business Plan

Global Security Advisor

Resolution: Advancing the National Preparedness for Cyber Security

EISAS Enhanced Roadmap 2012

The University of Queensland

Data Governance for Smart City Management

Cyber Security Strategy

Colt Group S.A. (the Group ) publishes its Annual Report for the twelve months ended 31 December 2013

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

UN General Assembly Resolution 68/243 GEORGIA. General appreciation of the issues of information security

G7 Bar Associations and Councils

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

Business Continuity Policy

Regulating Cyber: the UK s plans for the NIS Directive

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Information Security Controls Policy

NIS Directive : Call for Proposals

COUNTERING IMPROVISED EXPLOSIVE DEVICES

Commonwealth Telecommunications Organisation Proposal for IGF Open Forum 2017

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

how to manage risks in those rare cases where existing mitigation mechanisms are insufficient or impractical.

Legal and Regulatory Developments for Privacy and Security

RESOLUTION 130 (REV. BUSAN, 2014)

1. To provide an update on the development of the SPA Assurance Map.

The NIS Directive and Cybersecurity in

COUNCIL OF THE EUROPEAN UNION. Brussels, 28 January 2003 (OR. en) 15723/02 TELECOM 78 JAI 307 PESC 593

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Implementation Strategy for Cybersecurity Workshop ITU 2016

ICT FUNCTIONAL LEADERSHIP: PROGRESS REPORT OCTOBER 2016 TO MARCH 2017

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Digital Health Cyber Security Centre

CYBER RESILIENCE & INCIDENT RESPONSE

Security Director - VisionFund International

ISRAEL NATIONAL CYBER SECURITY STRATEGY IN BRIEF

Privacy Impact Assessment

ANZPAA National Institute of Forensic Science BUSINESS PLAN

TO INSPIRE, CONNECT AND EMPOWER TO TURN BACK CRIME

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

Cyber Security Issues and Responses. Andrew Rogoyski Head of Cyber Security Services CGI UK

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology

EU policy on Network and Information Security & Critical Information Infrastructures Protection

Security and Privacy Governance Program Guidelines

G8 Lyon-Roma Group High Tech Crime Subgroup

Director, Major Projects and Resilience. To: Planning and Performance Committee 6 November 2014

External Supplier Control Obligations. Cyber Security

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

RESOLUTION 45 (Rev. Hyderabad, 2010)

M&A Cyber Security Due Diligence

Presentation to the ITU on the Q-CERT Incident Management Team. Ian M Dowdeswell Incident Manager, Q-CERT

SECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives

Global Alliance Against Child Sexual Abuse Online 2014 Reporting Form

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

Cyber Security Program

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Cyber Security Roadmap

CYBERSECURITY TRAINING EXERCISE KMU TRAINING CENTER NOVEMBER 7, 2017

Cyber risk management into the ISM Code

ASSEMBLY, No STATE OF NEW JERSEY. 217th LEGISLATURE INTRODUCED FEBRUARY 4, 2016

Securing Europe's Information Society

Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness

10025/16 MP/mj 1 DG D 2B

Department of Homeland Security Updates

the steps that IS Services should take to ensure that this document is aligned with the SNH s KIMS and SNH s Change Requirement;

SRM Service Guide. Smart Security. Smart Compliance. Service Guide

Global Wildlife Cybercrime Action Plan1

OVERVIEW FOR ICW EVENT

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

Number: USF System Emergency Management Responsible Office: Administrative Services

POSITION DESCRIPTION

Protecting your data. EY s approach to data privacy and information security

Transcription:

Cyber Security Strategy Committee for Home Affairs

Introduction Cyber security describes the technology, processes and safeguards that are used to protect our networks, computers, programs and data from attack, damage or unauthorised access. Guernsey is a digitised society and technology drives, or enables, every part of our life from social interaction, through healthcare to education and business. The transformation brought about by this digitalisation creates new opportunities and regrettably new threats. Our economy, the administration of government and the provision of essential services now rely on the integrity of cyberspace and on the infrastructure, systems and data that support it. Much of the hardware and software originally developed to facilitate this digital environment has prioritised efficiency, cost and the convenience of the user, but has not always had security designed in from the start. Without protection, hostile states, criminal or terrorist organisations and individuals can exploit the gap between convenience and security. To address this we have developed this Cyber Security Strategy.

The Cyber Security Strategy Background We need to make sure that Guernsey continues to be a stable, secure and attractive place to live and do business, including in the rapidly evolving world of increased digitisation, connectivity and with the rapid advances in the availability and use of technology. Our infrastructure needs to help us do this. We need to: Scope This Strategy considers the Cyber Environment in three broad areas. These are: C1 - The Strategic Level Where a cyber incident may cause serious damage to human welfare on a national level. This could affect the core functioning of Government, have a major impact on our critical national infrastructure or have a significant impact across any of our principal business sectors. A major attack of this nature is characterised by Real World Impact and would require a crossgovernment response most likely coordinated by the NCSC. C2 - The Tactical Level Where a cyber incident has a significant and severe impact on a particular sector but not a national level effect. This could include an attack affecting a specific part of government, a targeted attack on a specific business sector or a discrete part of our critical national infrastructure. The Committee for Home Affairs would coordinate a response to a significant attack of this nature; supported by the NCSC where appropriate. Make sure that existing legislation, and any legislation we introduce, is fit for purpose, and has appropriate flexibility to respond to evolving threats. Have the right expertise and capability across the public sector to best respond to threats and embrace evolving opportunities Raise and promote cyber awareness across government, businesses and individuals. C3 - The Operational Level Where a cyber incident has an impact on a discrete group of individuals or businesses. These are likely to be characterised by attacks against an individual, or group of individuals, or a single business. These incidents, the most basic level of routine cyber attacks, do not require formalized ongoing multiagency coordination.

Our Commitment Our Strategic Goals To ensure that Guernsey citizens, business and Government are as safe and secure going about their legitimate lives in cyber space as they are in the physical environment, we commit to the following: Respect the privacy and civil liberties of islanders and ensure our objectives are proportionate and appropriate. Work with partners from the UK, Europe, Jersey, across Government and Business to ensure value for money, and learn from the experience and expertise of others. Deliver a holistic approach [across Islanders, Business and Government] recognising that there is a wider reputational risk to the jurisdiction of a cyber security incident that cannot be confined to a single business, business sector or part of Government. There are eight (8) strategic goals covered in this strategy: Goal one: Legislation and Regulation We will provide proportionate Legislation and Regulation to meet the current threat. This will includes the delivery of the new Data Protection (Bailiwick of Guernsey) Law 2017 and review of other related and relevant legislation to ensure it remains fit for purpose. Goal two: Continuous Assessment We will establish a framework to continuously assess the threat to Government [including Critical national infrastructure], business and islanders. The threat continues to develop and change with remarkable speed. The threat, and therefore our response, will need to be continuously assessed across Government, Business and Islanders and will require ongoing and continuous assessment. Goal three: Partners We will build international cooperation and partnerships with specialist agencies, organisations and businesses from across the UK, the EU and Jersey. We will learn from their expertise, lever their capabilities [where appropriate]. Goal four: Information Sharing We will establish a framework and capability to confidentially share and report cyber security information across Government, Businesses and Islanders to DETER cyber attacks. Goal five: Incident Response We will develop, in partnership, the appropriate incident response capabilities at the strategic, tactical and operational levels to DEFEND from cyber attacks. Goal six: Standards and Policies We will set minimum-security standards for Government and Businesses based on international best practice. We will encourage business to adopt these and, in order to protect the wider supply chain in Government, adherence to these standards will be become part of our procurement process.

Goal seven: Law Enforcement Whilst our response will require support and action from many parts of industry (telecommunications companies and internet service providers) and Government [including but not limited to Education and Trading Standards] we will provide a focus from Law Enforcement as the lead agency for Cyber Security. Goal eight: Education We will work with other committees [primarily the Committee for Education Sport and Culture] and our own agencies [primarily Trading Standards] to provide relevant, timely and accurate education on cyber security. 2.2 The Chief Information Officer will report, on an annual basis, to the Policy and Resources Committee, on the Cyber Security issues affecting the States of Guernsey. 3. Partners 3.1 We will sign a formal Memorandum of Understanding and Cooperation between the UK National Cyber Security Centre (NCSC), Jersey and Guernsey. 3.2 We will continue to work with the States of Jersey to develop a pan-ci cyber strategy. Complete Ongoing To deliver these strategic goals each has a number of smart objectives that are specific, measureable, achievable, relevant and time-bound. These are: Aim Ensure that Guernsey citizens, business and Government are as safe and secure going about their legitimate lives in cyber space as they are in the physical environment. 3.3 We will further develop the relationship between Guernsey Law Enforcement and other agencies [such as City of London Police, the NCA, and South West Regional Organised Crime Unit] 3.4 We will establish a formal Cyber Partnership forum [that will meet on a quarterly basis] to discuss emerging threats, risk and mitigations. This will include [but is not limited to] Government, Law Enforcement, CNI, Business Groups. This forum will be Chaired by the President of the Committee for Home Affairs. Ongoing First Meeting Q1 2018 4. Information 4.1 We will agree access to the UK National Cyber Security Complete Sharing Centre (NCSC) Cyber Information Sharing Partnership (CiSP) Strategic Goal Objective Time and gain formal accreditation as a referring agent so we can approve access to the CiSP for businesses, Government 1. Legislation 1.1 We will deliver new Data Protection (Bailiwick of entities and other bodies. and Regulation Guernsey) Law 2017. 4.2 We will, working with the NCSC, establish a Guernsey Q4 2017 1.2 We will review other relevant laws and bring forward amendments as required. [preferably Channel Islands] CiSP to provide a focus for Tactical and Operational Level Threats. 1.3 We will enhance the Right to be Forgotten in the Data Protection (Bailiwick of Guernsey) Law 2018 to provide 4.3 Enhance the use of THEMIS as a secure reporting and information dissemination tool for financial cyber crime. Complete specific protection for Children. In particular we will provide the measures so that islanders can have their social media pre-18 years old digital footprint deleted. 5. Incident Response 5.1 (C1) Strategic Level Incident - We will develop the procedures and processes to access and utilize the incident response capabilities of the NCSC in response to a Strategic Q1 2018 2. Continuous 2.1 We will conduct annual assessment for Cyber security Level attack. Assessment threats reporting to the Committee for Home Affairs [and other relevant Committees as required].

5.2 (C2) Tactical Level Incident We will develop a Guernsey Q4 2018 7.2 We will develop and maintain effective links with law Q4 2018 [Preferably Channel Islands] Cyber Incident Response enforcement partners in other jurisdictions to ensure Capability to provide the appropriate resources in response that cyber criminality which traverses across traditional to a Tactical Level Attack. boundaries on both a national and international scale is 5.3 (C3) Operational Level Incident We will agree the combatted collectively. extension of the UK National Firewall over the Bailiwick 7.3 We will enhance and augment local, national and Q4 2017 of Guernsey. inter-national understanding of threat and risk through 5.4 (C3) Operational Level Incident We will further enhance [and encourage the enhancement] the capabilities of Law Enforcement, Telecommunication Companies and Local Ongoing engagement with the National Cyber Security Centres CiSP, the National Cyber Crime Unit and other such strategic partners. Internet Service Providers to response to Operational Level 8. Education 8.1 The States of Guernsey will develop a new Cyber Security Q4 2017 Attacks. awareness-training course for all public servants. 5.5 In addition to our Civil Contingencies activities (or aligned 2018 8.2 The States of Guernsey will develop specific digital First with it), we will conduct an annual Cyber Security exercise to test transformation and cyber security training for senior leaders. Course and assure our measures to meet a Cyber Security Incident. 6. Standards 6.1 We will review, and amend if required, the NCSC Cyber Q1 2018 8.3 Law Enforcement will continue to work with national and Policies Essential, Cyber Essential (Plus) and 10 Steps to Cyber partners and key stake holders to ensure that cyber enabled Security policies for use across the Bailiwick of Guernsey. This crime prevention advice is readily available throughout our is in addition to other standards for specialist organisations communities such as ISO 27001. 8.4 The Bailiwick curriculum will have specific actions to Q3 2017 6.2 We will encourage the use and accreditation by From Q2 ensure school-children can use the internet responsibly, businesses of the standards (in 6.1 above). This will include 2018 respectively and safely. a requirement for businesses tendering for work with the States of Guernsey to meet the appropriate standard. 6.3 We will direct the Chief Information Officer to review, Q4 2017 and update if required, all States of Guernsey internal cyber security policies. 6.4 The Chief Information Officer, working with the STSB Q3 2018 incorporated and non-incorporated trading assets, to assess and report on the cyber resilience of our Critical National Infrastructure. 7. Law 7.1 We will develop the High Tech Crime Unit s capability and Q4 2018 Enforcement capacity to investigate and pursue cyber criminals operating within the Bailiwick.

Funding States of Guernsey funding on cyber security has traditionally focused on internal technical security measures. In order to meet the current and future threat of cyber security this strategy deliberately moves Guernsey from a reactive to a proactive stance. In order to provide value for money to tax payers we have taken the following approach to funding the objectives outlined above: Partnerships We will look to establish partnerships to re-use extant capabilities from partners on a no-cost or cost-price basis. For example our MOU with the NCSC will provide access to a range of UK National capabilities that would not be cost-effective for Guernsey to develop on its own. This includes [but is not limited to] Strategic Level Incident Response Capabilities, UK National Firewall, and CiSP Capabilities. Prioritization We will look to prioritize work from Law Enforcement and Information Systems and Services (the States of Guernsey internal IT provider) before we ask for new funding. New Capabilities Despite partnership and prioritization not all Strategic Goals can be delivered within existing resources. As such a gap analysis has been conducted and a funding bid has been prioritised as part of Capital Portfolio within the Medium Term Financial Plan. A full Business case will need to be developed but in general we will look to be investing in: i. C2 - Tactical Level Cyber Incident Response Capability. ii. Enhancements to the Internal States of Guernsey Technical Security Measures.

Committee for Home Affairs For more information go to gov.gg/cybersecurity

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback