Question to the Cabinet Office:

To ask Her Majesty's Government what assessment they have made of the role of privileged access management in protecting the cyber security of (1) government departments, and (2) critical national infrastructure.

Government departments and Critical National Infrastructure organisations are responsible for managing their own cyber risk effectively.

The high level of importance of privileged access management in cyber security is recognised by the National Cyber Security Centre (NCSC), which is the UK’s national technical authority for cyber security.

For Government, it is documented in the minimum cyber security standard in items 5 and 7. For Critical National Infrastructure (CNI) it is documented in NCSC’s Network and Information Systems guidance in section B2, and there are specific assessment criteria laid out in section B2.c of the Cyber Assessment Framework for use by cyber security regulators.

For wider industry sectors and Small and Medium Enterprises, best practice is contained in the NCSC Board Kit and 10 Steps to Cyber Security.

The Cabinet Office does not require central Government Departments to report all cyber incidents involving the misuse of privileged access credentials and so does not hold this information centrally.

However, The minimum cyber security standard outlines the communications required by a department when there is a security incident that impacts on sensitive information or key operational services. Therefore departments will only be expected to inform the Cabinet Office of an incident involving the misuse of privileged access credentials that met these criteria.