Asked by: Lord Harris of Haringey (Labour - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government what consideration they have given to including (1) building maintenance engineers, (2) personnel supporting the critical lifeline utilities, and (3) non-police security staff, in the list of essential staff whose children can continue to be admitted to schools during the COVID-19 pandemic.
Answered by Lord True - Shadow Leader of the House of Lords
The position remains, as outlined on gov.uk, that everyone who can work from home should do so.
Where that is not possible, people should go into work where it is safe and they are not symptomatic, isolating or shielding. Relevant guidance including from PHE should be followed.
In terms of the provision of education for certain workers, it is already the case that in certain cases the staff listed above could be eligible as long as "their specific role is necessary for the continuation of this essential public service". This is set out on gov.uk.
The Government has placed restrictions on the operations of certain businesses as part of the strategy of enhanced social distancing. Separate guidance has been published on this and is also available on gov.uk.
Asked by: Lord Harris of Haringey (Labour - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government when they intend to review the minimum cyber security standards for Government departments.
Answered by Lord True - Shadow Leader of the House of Lords
The Minimum Cyber Security Standard for Government was introduced in 2018, drawing on the expert technical advice of the National Cyber Security Centre (NCSC).
The Government Security Group is working with departments, including NCSC and Government Digital Service, to understand what changes, if any, need to be made to the Minimum Cyber Security Standard. This review is already underway and is intended to be an annual activity with updated standards published on GOV.UK accordingly. Over time, the measures will be incremented to continually ‘raise the bar’ to keep pace with a changing threat and ensure appropriate management of risk.
Asked by: Lord Harris of Haringey (Labour - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government whether a risk assessment has been carried out to assess the implications of not reviewing the minimum cyber security standards for Government departments.
Answered by Lord True - Shadow Leader of the House of Lords
The Minimum Cyber Security Standard for Government was introduced in 2018, drawing on the expert technical advice of the National Cyber Security Centre (NCSC).
The Government Security Group is working with departments, including NCSC and Government Digital Service, to understand what changes, if any, need to be made to the Minimum Cyber Security Standard. This review is already underway and is intended to be an annual activity with updated standards published on GOV.UK accordingly. Over time, the measures will be incremented to continually ‘raise the bar’ to keep pace with a changing threat and ensure appropriate management of risk.
Asked by: Lord Harris of Haringey (Labour - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government how many Government departments meet, or exceed, the current minimum cyber security standards set out for Government departments.
Answered by Lord True - Shadow Leader of the House of Lords
The Minimum Cyber Security Standard for Government was introduced in 2018, drawing on the expert technical advice of the National Cyber Security Centre (NCSC).
The Government Security Group is working with departments, including NCSC and Government Digital Service, to understand what changes, if any, need to be made to the Minimum Cyber Security Standard. This review is already underway and is intended to be an annual activity with updated standards published on GOV.UK accordingly. Over time, the measures will be incremented to continually ‘raise the bar’ to keep pace with a changing threat and ensure appropriate management of risk.
Asked by: Lord Harris of Haringey (Labour - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government what length of time they consider reasonable for contractors providing specialist information and advisory services to prepare for service delivery following the award of a contract.
Answered by Earl Howe - Shadow Deputy Leader of the House of Lords
The length of time that a contractor has to prepare for service delivery following the award of a contract is dependent on the terms of the specific contract.
Asked by: Lord Harris of Haringey (Labour - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government what steps they are taking to ensure that best practice in evaluating the cyber security of supply chains is being shared across government departments.
Answered by Earl of Courtown - Opposition Deputy Chief Whip (Lords)
The government takes supply chain security seriously. The requirement to understand and manage cyber security issues arising from a department’s supply chain is detailed in Item 1 of the Minimum Cyber Security Standard.
The use of Cyber Essentials in government procurement is set out in Policy Procurement Notice 09/14. Use of Cyber Essentials demonstrates a supplier has taken necessary steps to obtain an appropriate level of cyber security.
Best practice is promoted through the advice contained in the National Cyber Security Centre and Centre for the Protection of National Infrastructure’s Supply Chain Security guidance.
Asked by: Lord Harris of Haringey (Labour - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government how many cyber attacks against government departments have involved the misuse of privileged access credentials.
Answered by Earl of Courtown - Opposition Deputy Chief Whip (Lords)
Government departments and Critical National Infrastructure organisations are responsible for managing their own cyber risk effectively.
The high level of importance of privileged access management in cyber security is recognised by the National Cyber Security Centre (NCSC), which is the UK’s national technical authority for cyber security.
For Government, it is documented in the minimum cyber security standard in items 5 and 7. For Critical National Infrastructure (CNI) it is documented in NCSC’s Network and Information Systems guidance in section B2, and there are specific assessment criteria laid out in section B2.c of the Cyber Assessment Framework for use by cyber security regulators.
For wider industry sectors and Small and Medium Enterprises, best practice is contained in the NCSC Board Kit and 10 Steps to Cyber Security.
The Cabinet Office does not require central Government Departments to report all cyber incidents involving the misuse of privileged access credentials and so does not hold this information centrally.
However, The minimum cyber security standard outlines the communications required by a department when there is a security incident that impacts on sensitive information or key operational services. Therefore departments will only be expected to inform the Cabinet Office of an incident involving the misuse of privileged access credentials that met these criteria.