Asked by: Lord Harris of Haringey (Labour - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government what assessment they have made of the role of privileged access management in protecting the cyber security of (1) government departments, and (2) critical national infrastructure.
Answered by Earl of Courtown - Captain of the Queen's Bodyguard of the Yeomen of the Guard (HM Household) (Deputy Chief Whip, House of Lords)
Government departments and Critical National Infrastructure organisations are responsible for managing their own cyber risk effectively.
The high level of importance of privileged access management in cyber security is recognised by the National Cyber Security Centre (NCSC), which is the UK’s national technical authority for cyber security.
For Government, it is documented in the minimum cyber security standard in items 5 and 7. For Critical National Infrastructure (CNI) it is documented in NCSC’s Network and Information Systems guidance in section B2, and there are specific assessment criteria laid out in section B2.c of the Cyber Assessment Framework for use by cyber security regulators.
For wider industry sectors and Small and Medium Enterprises, best practice is contained in the NCSC Board Kit and 10 Steps to Cyber Security.
The Cabinet Office does not require central Government Departments to report all cyber incidents involving the misuse of privileged access credentials and so does not hold this information centrally.
However, The minimum cyber security standard outlines the communications required by a department when there is a security incident that impacts on sensitive information or key operational services. Therefore departments will only be expected to inform the Cabinet Office of an incident involving the misuse of privileged access credentials that met these criteria.
Asked by: Lord Harris of Haringey (Labour - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government why the Royal Mail has ceased to be an identity provider for GOV.UK Verify; and why Royal Mail is listed on the GOV.UK Verify website.
Answered by Lord Young of Cookham
In the Written Ministerial Statement of 9 October 2018 on the GOV.UK Verify programme, it was confirmed that contracts had been signed with a number of private sector identity providers.
Royal Mail had previously been one of the GOV.UK Verify private sector identity providers. However, Royal Mail did not sign the new contract. Users are therefore unable to create a new GOV.UK Verify account with Royal Mail.
Royal Mail remain listed as a previous identity provider while users who hold an existing account with Royal Mail remain able to sign into GOV.UK Verify with this account. If a user does not have a GOV.UK Verify account, they are not offered Royal Mail as an identity provider to verify their identity.
Asked by: Lord Harris of Haringey (Labour - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government how many people have signed up to use GOV.UK Verify; and how many use each identity provider.
Answered by Lord Young of Cookham
The number of GOV.UK Verify accounts (historic and current) is published on the GOV.UK website and is regularly updated. As of 10 February 2019, there were 3,617,585 GOV.UK Verify user accounts. Details of the number of GOV.UK Verify user accounts with each identity provider is commercially sensitive information and cannot be released.