<p><strong><em>Clarification and assumption</em></strong></p>
<p><em>We assume that this question refers to external supplier digital services and products utilised by government.</em></p>
<p>The Government enforces a number of controls to ensure that any supplier to government has adequate cyber security and demonstrates acceptable protection of government data.</p>
<p>Each department is responsible for understanding and managing the security risks that their supply chain poses. Contracts with government departments should include cyber security clauses referencing how incidents would be managed in the event of a cyber attack.</p>
<p>This year, the Government issued a new <a href="https://www.gov.uk/government/publications/the-minimum-cyber-security-standard" target="_blank">Minimum Cyber Security Standard</a>, which outlines a set of protective measures that departments should implement, and exceed wherever possible. The standard will be incremented to continually ‘raise the bar’, address new threats, and incorporate the use of new Active Cyber Defence measures from the National Cyber Security Centre (NCSC).</p>
<p>The standard enables departments and their suppliers to better understand their cyber security risks and makes clear government’s expectations of suppliers. The new cyber security standard will be applied to government's strategic suppliers to assess if they meet the required level, and government will write the standard into new contracts and enforce full compliance with it.</p>
<p>Government will also pilot the introduction of the cyber security equivalent of a ‘credit check’ on suppliers, to allow for easy risk assessments of suppliers and to accelerate expansion of the world-leading <a href="https://www.ncsc.gov.uk/active-cyber-defence" target="_blank">Active Cyber Defence</a> programme, to better protect our critical national infrastructure including services such as our hospitals and schools.</p>
<p>Departments are also supported in choosing suppliers through <a href="https://www.cyberessentials.ncsc.gov.uk/" target="_blank">Cyber Essentials</a>, the government-backed and industry-supported scheme to guide businesses in protecting themselves against cyber threats. The scheme is a key element of the UK’s National Cyber Security Strategy 2016-2021 and certification is available to all organisations, of all sizes and in all sectors.</p>
<p>Departments also use advice from the NCSC to ensure that their supply chain is secure. Examples of such advice include <a href="https://www.ncsc.gov.uk/guidance/supply-chain-security" target="_blank">twelve principles</a> for establishing effective control and oversight of the supply chain and <a href="https://www.ncsc.gov.uk/guidance/protecting-bulk-personal-data-main" target="_blank">fifteen good practice measures</a> for the protection of bulk data held by digital services.</p>
<p>At a national level, all organisations in the UK must comply with the Data Protection Act 2018 and the General Data Protection Regulation. This includes government departments and any digital service providers that are helping to deliver government services. These laws require all parties carrying out processing operations to hold personal data securely and in accordance with the rights of data subjects.</p>