| answer text |
<p>Government departments and Critical National Infrastructure organisations are responsible
for managing their own cyber risk effectively.</p><p>The high level of importance
of privileged access management in cyber security is recognised by the National Cyber
Security Centre (NCSC), which is the UK’s national technical authority for cyber security.</p><p>For
Government, it is documented in the minimum cyber security standard in items 5 and
7. For Critical National Infrastructure (CNI) it is documented in NCSC’s Network and
Information Systems guidance in section B2, and there are specific assessment criteria
laid out in section B2.c of the Cyber Assessment Framework for use by cyber security
regulators.</p><p>For wider industry sectors and Small and Medium Enterprises, best
practice is contained in the NCSC Board Kit and 10 Steps to Cyber Security.</p><p>The
Cabinet Office does not require central Government Departments to report all cyber
incidents involving the misuse of privileged access credentials and so does not hold
this information centrally.</p><p>However, The minimum cyber security standard outlines
the communications required by a department when there is a security incident that
impacts on sensitive information or key operational services. Therefore departments
will only be expected to inform the Cabinet Office of an incident involving the misuse
of privileged access credentials that met these criteria.</p><p> </p>
|
|
