Cybercrime: Government Departments and Infrastructure

Cabinet Office written question – answered on 7th October 2019.

Lord Harris of Haringey, Labour

To ask Her Majesty's Government what assessment they have made of the role of privileged access management in protecting the cyber security of (1) government departments, and (2) critical national infrastructure.

Lord Harris of Haringey, Labour

To ask Her Majesty's Government how many cyber attacks against government departments have involved the misuse of privileged access credentials.

The Earl of Courtown, Captain of the Queen's Bodyguard of the Yeomen of the Guard (HM Household) (Deputy Chief Whip, House of Lords)

Government departments and Critical National Infrastructure organisations are responsible for managing their own cyber risk effectively.

The high level of importance of privileged access management in cyber security is recognised by the National Cyber Security Centre (NCSC), which is the UK’s national technical authority for cyber security.

For Government, it is documented in the minimum cyber security standard in items 5 and 7. For Critical National Infrastructure (CNI) it is documented in NCSC’s Network and Information Systems guidance in section B2, and there are specific assessment criteria laid out in section B2.c of the Cyber Assessment Framework for use by cyber security regulators.

For wider industry sectors and Small and Medium Enterprises, best practice is contained in the NCSC Board Kit and 10 Steps to Cyber Security.

The Cabinet Office does not require central Government Departments to report all cyber incidents involving the misuse of privileged access credentials and so does not hold this information centrally.

However, the minimum cyber security standard outlines the communications required by a department when there is a security incident that impacts on sensitive information or key operational services. Therefore departments will only be expected to inform the Cabinet Office of an incident involving the misuse of privileged access credentials that met these criteria.
