Written Question
Government Departments: Cybercrime
Monday 23rd March 2020

Asked by: Lord Harris of Haringey (Labour - Life peer)

Question to the Cabinet Office:

To ask Her Majesty's Government whether a risk assessment has been carried out to assess the implications of not reviewing the minimum cyber security standards for Government departments.

Answered by Lord True - Leader of the House of Lords and Lord Privy Seal

The Minimum Cyber Security Standard for Government was introduced in 2018, drawing on the expert technical advice of the National Cyber Security Centre (NCSC).

The Government Security Group is working with departments, including NCSC and Government Digital Service, to understand what changes, if any, need to be made to the Minimum Cyber Security Standard. This review is already underway and is intended to be an annual activity with updated standards published on GOV.UK accordingly. Over time, the measures will be incremented to continually ‘raise the bar’ to keep pace with a changing threat and ensure appropriate management of risk.


Written Question
Government Departments: Cybercrime
Monday 23rd March 2020

Asked by: Lord Harris of Haringey (Labour - Life peer)

Question to the Cabinet Office:

To ask Her Majesty's Government how many Government departments meet, or exceed, the current minimum cyber security standards set out for Government departments.

Answered by Lord True - Leader of the House of Lords and Lord Privy Seal

The Minimum Cyber Security Standard for Government was introduced in 2018, drawing on the expert technical advice of the National Cyber Security Centre (NCSC).

The Government Security Group is working with departments, including NCSC and Government Digital Service, to understand what changes, if any, need to be made to the Minimum Cyber Security Standard. This review is already underway and is intended to be an annual activity with updated standards published on GOV.UK accordingly. Over time, the measures will be incremented to continually ‘raise the bar’ to keep pace with a changing threat and ensure appropriate management of risk.


Written Question

Wednesday 29th January 2020

Asked by: Lord Harris of Haringey (Labour - Life peer)

Question to the Cabinet Office:

To ask Her Majesty's Government what length of time they consider reasonable for contractors providing specialist information and advisory services to prepare for service delivery following the award of a contract.

Answered by Earl Howe - Deputy Leader of the House of Lords

The length of time that a contractor has to prepare for service delivery following the award of a contract is dependent on the terms of the specific contract.


Written Question
Government Departments: Procurement
Tuesday 8th October 2019

Asked by: Lord Harris of Haringey (Labour - Life peer)

Question to the Cabinet Office:

To ask Her Majesty's Government what steps they are taking to ensure that best practice in evaluating the cyber security of supply chains is being shared across government departments.

Answered by Earl of Courtown - Captain of the Queen's Bodyguard of the Yeomen of the Guard (HM Household) (Deputy Chief Whip, House of Lords)

The government takes supply chain security seriously. The requirement to understand and manage cyber security issues arising from a department’s supply chain is detailed in Item 1 of the Minimum Cyber Security Standard.

The use of Cyber Essentials in government procurement is set out in Policy Procurement Notice 09/14. Use of Cyber Essentials demonstrates a supplier has taken necessary steps to obtain an appropriate level of cyber security.

Best practice is promoted through the advice contained in the National Cyber Security Centre and Centre for the Protection of National Infrastructure’s Supply Chain Security guidance.


Written Question
Government Departments: Cybercrime
Monday 7th October 2019

Asked by: Lord Harris of Haringey (Labour - Life peer)

Question to the Cabinet Office:

To ask Her Majesty's Government how many cyber attacks against government departments have involved the misuse of privileged access credentials.

Answered by Earl of Courtown - Captain of the Queen's Bodyguard of the Yeomen of the Guard (HM Household) (Deputy Chief Whip, House of Lords)

Government departments and Critical National Infrastructure organisations are responsible for managing their own cyber risk effectively.

The high level of importance of privileged access management in cyber security is recognised by the National Cyber Security Centre (NCSC), which is the UK’s national technical authority for cyber security.

For Government, it is documented in the minimum cyber security standard in items 5 and 7. For Critical National Infrastructure (CNI) it is documented in NCSC’s Network and Information Systems guidance in section B2, and there are specific assessment criteria laid out in section B2.c of the Cyber Assessment Framework for use by cyber security regulators.

For wider industry sectors and Small and Medium Enterprises, best practice is contained in the NCSC Board Kit and 10 Steps to Cyber Security.

The Cabinet Office does not require central Government Departments to report all cyber incidents involving the misuse of privileged access credentials and so does not hold this information centrally.

However, the minimum cyber security standard outlines the communications required by a department when there is a security incident that impacts on sensitive information or key operational services. Therefore departments will only be expected to inform the Cabinet Office of an incident involving the misuse of privileged access credentials that met these criteria.


Written Question
Government Departments and Infrastructure: Cybercrime
Monday 7th October 2019

Asked by: Lord Harris of Haringey (Labour - Life peer)

Question to the Cabinet Office:

To ask Her Majesty's Government what assessment they have made of the role of privileged access management in protecting the cyber security of (1) government departments, and (2) critical national infrastructure.

Answered by Earl of Courtown - Captain of the Queen's Bodyguard of the Yeomen of the Guard (HM Household) (Deputy Chief Whip, House of Lords)

Government departments and Critical National Infrastructure organisations are responsible for managing their own cyber risk effectively.

The high level of importance of privileged access management in cyber security is recognised by the National Cyber Security Centre (NCSC), which is the UK’s national technical authority for cyber security.

For Government, it is documented in the minimum cyber security standard in items 5 and 7. For Critical National Infrastructure (CNI) it is documented in NCSC’s Network and Information Systems guidance in section B2, and there are specific assessment criteria laid out in section B2.c of the Cyber Assessment Framework for use by cyber security regulators.

For wider industry sectors and Small and Medium Enterprises, best practice is contained in the NCSC Board Kit and 10 Steps to Cyber Security.

The Cabinet Office does not require central Government Departments to report all cyber incidents involving the misuse of privileged access credentials and so does not hold this information centrally.

However, the minimum cyber security standard outlines the communications required by a department when there is a security incident that impacts on sensitive information or key operational services. Therefore departments will only be expected to inform the Cabinet Office of an incident involving the misuse of privileged access credentials that met these criteria.


Written Question
Electronic Government: Proof of Identity
Friday 15th February 2019

Asked by: Lord Harris of Haringey (Labour - Life peer)

Question to the Cabinet Office:

To ask Her Majesty's Government why the Royal Mail has ceased to be an identity provider for GOV.UK Verify; and why Royal Mail is listed on the GOV.UK Verify website.

Answered by Lord Young of Cookham

In the Written Ministerial Statement of 9 October 2018 on the GOV.UK Verify programme, it was confirmed that contracts had been signed with a number of private sector identity providers.

Royal Mail had previously been one of the GOV.UK Verify private sector identity providers. However, Royal Mail did not sign the new contract. Users are therefore unable to create a new GOV.UK Verify account with Royal Mail.

Royal Mail remain listed as a previous identity provider while users who hold an existing account with Royal Mail remain able to sign into GOV.UK Verify with this account. If a user does not have a GOV.UK Verify account, they are not offered Royal Mail as an identity provider to verify their identity.


Written Question
Electronic Government: Proof of Identity
Friday 15th February 2019

Asked by: Lord Harris of Haringey (Labour - Life peer)

Question to the Cabinet Office:

To ask Her Majesty's Government how many people have signed up to use GOV.UK Verify; and how many use each identity provider.

Answered by Lord Young of Cookham

The number of GOV.UK Verify accounts (historic and current) is published on the GOV.UK website and is regularly updated. As of 10 February 2019, there were 3,617,585 GOV.UK Verify user accounts. Details of the number of GOV.UK Verify user accounts with each identity provider is commercially sensitive information and cannot be released.


Written Question
Telecommunications: EU Law
Thursday 20th December 2018

Asked by: Lord Harris of Haringey (Labour - Life peer)

Question to the Cabinet Office:

To ask Her Majesty's Government what steps they are taking to implement Article 110 of the European Electronic Communications Code; and which (1) department, and (2) minister is responsible for leading on its implementation.

Answered by Lord Young of Cookham

The Department for Digital, Culture, Media and Sport (DCMS) is the lead department in relation to implementing the European Electronic Communications Code as a whole. Article 110 refers to a “Public warning system”. As a number of organisations have responsibility for warning and informing the public, the Minister for Implementation has asked the Cabinet Office to coordinate a review to establish whether there is a case for a national mobile alerting scheme, in addition to the systems already in place. Further information about the implementation of the Code and ministerial responsibilities will be made available in due course.


Written Question
Emergencies: Mobile Phones
Tuesday 18th December 2018

Asked by: Lord Harris of Haringey (Labour - Life peer)

Question to the Cabinet Office:

To ask Her Majesty's Government, further to the Written Answer by Lord Young of Cookham on 4 December (HL11641), which (1) department, and (2) minister, has the lead role in taking the mobile emergency alerting systems programme forward; and what assessment they have made of how other countries who have implemented such systems have resolved any issues.

Answered by Lord Young of Cookham

Those organisations with a key role in responding to an emergency have a duty under the Civil Contingencies Act (2004) to warn and inform the public. To fulfil this duty, a variety of channels are utilised including social and broadcast media and mobile alerting such as the flood warning system. Given the cross-cutting ownership of the issue, the Minister for Implementation has asked the Cabinet Office to coordinate a review on whether there is a case for a national mobile alerting scheme, working with relevant lead departments and interested parties. This work has included a review of schemes used in other countries to inform our thinking.