Asked by: Andrew Gwynne (Independent - Gorton and Denton)
Question to the Department for Digital, Culture, Media & Sport:
To ask the Secretary of State for Culture, Media and Sport, pursuant to the Answer of 28 February 2017 to Question 64527, when the next regular review of all cyber security standards will be conducted.
Answered by Matt Hancock
The Government keeps the material relating to cyber security standards for which it is responsible - such as the Cyber Essentials scheme - under regular review and updates it as and when required.
For example, following industry and customer feedback, the requirements for the Cyber Essentials scheme were recently updated and can be found at:
https://www.ncsc.gov.uk/information/requirements-it-infrastructure-cyber-essentials-scheme
The vast majority of technical standards are owned and driven by industry, for example the ISO 27001 range of standards on cyber security. These standards are usually global in nature, and governments are part of the debate amongst many industry voices when it comes to reviewing and/or amending a given standard.
Asked by: Andrew Gwynne (Independent - Gorton and Denton)
Question to the Department for Digital, Culture, Media & Sport:
To ask the Secretary of State for Culture, Media and Sport, whether the Government plans to ring-fence a proportion of the £1.9 billion funding as part of the National Cyber Security Strategy to support small and medium-sized enterprises to adopt the latest cyber security technology, including the Cyber Essentials scheme.
Answered by Matt Hancock
The £1.9bn of transformational investment from 2016 to 2021 supports the realisation of the thirteen objectives set out in the National Cyber Security Strategy. Although funding is not specifically ring-fenced towards any of these objectives, there is investment available which will be used to support small and medium-sized enterprises.
The new National Cyber Security Centre has a dedicated Wider Economy and Society team which will provide bespoke support and advice for small and medium-sized firms. This will supplement a number of our existing programmes, including the Cyber Essentials scheme designed to protect SMEs from the vast majority of internet-borne threats, and the Cyber Aware scheme which offers simple, practical advice to small businesses and consumers.
Asked by: Andrew Gwynne (Independent - Gorton and Denton)
Question to the Department for Digital, Culture, Media & Sport:
To ask the Secretary of State for Culture, Media and Sport, if she will hold discussions with Sport England on the disposal request for the Two Trees High School site in Denton; and if she will meet the hon. Member for Denton and Reddish to discuss that request.
Answered by Tracey Crouch
My officials are in contact with Sport England regarding the Two Trees High School Site in Denton. Sport England have been in regular discussions with Tameside MBC, Andrew Gwynne MP and other key local stakeholders about the future of the site.
Sport England will continue to provide advice on this and I hope this will help to achieve an outcome that provides the local community with sustainable sports facilities that help more people to get active.
My department will continue to monitor the situation with interest and to engage as appropriate.
Asked by: Andrew Gwynne (Independent - Gorton and Denton)
Question to the Department for Digital, Culture, Media & Sport:
To ask the Secretary of State for Culture, Media and Sport, what the average response rate was of her Department to individual Freedom of Information requests in each month since July 2016.
Answered by Matt Hancock
FOI statistics are Official Statistics and are governed by the standards set out by the UK Statistics Authority (UKSA) in their Code of Practice. To publish information outside of the release timetable would be a breach of Protocol 2 of the Code of Practice for Official Statistics.
The latest Freedom of Information statistics were published in December 2016 and are available at:
https://www.gov.uk/government/statistics/freedom-of-information-statistics-july-to-september-2016--2
Asked by: Andrew Gwynne (Independent - Gorton and Denton)
Question to the Department for Digital, Culture, Media & Sport:
To ask the Secretary of State for Culture, Media and Sport, pursuant to the Answer of 27 February 2017 to Question 63984, how the Cyber Essentials scheme offers protection to organisations compliant with the scheme in the event that third party organisations that provide (a) email, (b) cloud storage and (c) other similar services to compliant organisations are themselves not compliant with that scheme.
Answered by Matt Hancock
The Cyber Essentials scheme sets out the basic technical controls which all organisations relying on the internet should have in place to prevent common online attacks. The scheme enables organisations themselves to determine which technologies are in scope of their Cyber Essentials assessment: this would not normally include any third party organisations.
The Government recognises the importance of third party risk management and will continue to consider how the Cyber Essentials standard can be improved to better account for cloud based services. In addition, the Government is working with industry to ensure businesses encourage the firms in their supply chains to adopt Cyber Essentials where necessary and appropriate.
Asked by: Andrew Gwynne (Independent - Gorton and Denton)
Question to the Department for Digital, Culture, Media & Sport:
To ask the Secretary of State for Culture, Media and Sport, what the timetable is for updates to the Cyber Essentials scheme.
Answered by Matt Hancock
As part of the regular reviews of all cyber security standards, the Government considers whether Cyber Essentials needs to be updated.
Asked by: Andrew Gwynne (Independent - Gorton and Denton)
Question to the Department for Digital, Culture, Media & Sport:
To ask the Secretary of State for Culture, Media and Sport, what security measures are in place to ensure that suppliers compliant with the Cyber Essentials scheme utilise third party services who are also compliant with that scheme.
Answered by Matt Hancock
The Cyber Essentials scheme sets out the basic technical controls which all organisations relying on the internet should have in place to prevent common online attacks. The scheme does not require organisations certified under the scheme to use third parties which are also compliant with the scheme, though this is something the Government would recommend where appropriate.
The Government itself requires its suppliers to hold a Cyber Essentials certificate where contracts involve the handling of sensitive data, such as personal and financial information, or the provision of certain ICT products and services. The recently published National Cyber Security Strategy set out a success measure that all Government suppliers will meet appropriate cyber security standards by 2021.
In addition, the Government is working with industry to ensure businesses encourage the firms in their supply chains to adopt Cyber Essentials where necessary and appropriate; for example, organisations could work with their supply chains and discuss the best way to add resilience to the end-to-end delivery of a product or service, which could include a third party adopting Cyber Essentials.
Asked by: Andrew Gwynne (Independent - Gorton and Denton)
Question to the Department for Digital, Culture, Media & Sport:
To ask the Secretary of State for Culture, Media and Sport, whether the Cyber Essentials scheme includes protections against (a) structured query language injection and (b) other code vulnerabilities.
Answered by Matt Hancock
The Cyber Essentials scheme sets out the basic technical controls which all organisations relying on the internet should have in place to prevent common online attacks. The scheme requires software running on computers and network devices to be kept up-to-date and have the latest security patches installed: this is designed to protect against known code vulnerabilities.
Although Cyber Essentials is intended to provide a good basic level of cyber security, it does not represent a full cyber risk management regime, which is something set out in the more comprehensive ‘10 Steps to Cyber Security’ guidance. As part of the regular reviews of all cyber security standards, the Government considers whether Cyber Essentials needs to be updated to reflect other risks. The value of Cyber Essentials lies in its simplicity and it is important to balance this against breadth and depth of controls.
Asked by: Andrew Gwynne (Independent - Gorton and Denton)
Question to the Department for Digital, Culture, Media & Sport:
To ask the Secretary of State for Culture, Media and Sport, what (a) financial and (b) other support is provided to small and medium-sized enterprises to support the adoption of the Cyber Essentials scheme.
Answered by Matt Hancock
The Cyber Essentials scheme sets out the basic technical controls which all organisations relying on the internet should have in place to prevent common online attacks. The scheme is designed to be low-cost and suitable for implementation by organisations of all sizes, in all sectors. The Government has offered a range of support and advice since the launch of the scheme in 2014, including:
The new National Cyber Security Centre, part of the Government’s five-year £1.9 billion National Cyber Security Strategy, will engage closely with small businesses to offer support and advice, including support for the adoption of Cyber Essentials. The Government also works closely with industry to ensure Cyber Essentials is embedded in the advice industry partners, such as trade associations, offer to their members.
Asked by: Andrew Gwynne (Independent - Gorton and Denton)
Question to the Department for Digital, Culture, Media & Sport:
To ask the Secretary of State for Culture, Media and Sport, whether the Cyber Essentials scheme includes requirements to educate staff on the risk of (a) phishing attacks through email and (b) other user induced attacks.
Answered by Matt Hancock
The Cyber Essentials scheme sets out the basic technical controls which all organisations relying on the internet should have in place to prevent common online attacks. The scheme requires up-to-date malware protection software to be installed on all internet-connected computers: this is designed to detect and disable the malicious software which an organisation might be exposed to via phishing attacks, and prevent users making connections to malicious websites on the internet.
Cyber Essentials is a technical scheme and staff awareness training is therefore out of scope; however other pieces of guidance from the Government do recommend this. For example, the ‘10 Steps to Cyber Security’, the Government’s key piece of advice for organisations on managing cyber risk, sets out the importance of user education and awareness.
The Government offers a range of free online cyber security training programmes at https://www.gov.uk/government/collections/cyber-security-training-for-business. In addition, the National Cyber Security Centre recently published a blog about phishing and user training, which explains that phishing is best tackled by implementing good technical defences and combining these with reasonable levels of user awareness, education and training: https://www.ncsc.gov.uk/blog-post/im-gonna-stop-you-little-phishie