Knowledge Repository

A repository of cyber security resources roughly aligned with the DLUHC Key Cyber Security Focus Areas.

The Cyber Technical Advisory Group (C-TAG) has UK-wide Government and WARP representation. The C-TAG reports into the Socitm Local CIO Council (LCIOC), supporting the LCIOC standing theme relating to Cyber Resilience, Information Assurance and Security. We also cover wider sectoral issues relating to Information Governance and ethics.

C-TAG works closely with the NCSC, LGA, Cabinet Office and MHCLG, and through its UK-wide representation C-TAG is also able to engage with the Devolved Administrations, who are full C-TAG members. The C-TAG programme is funded through a grant from the LGA, via the Cabinet Office National Cyber Security Programme (NCSP). We remain very grateful for the funding to maintain the work programme.

C-TAG are keen to highlight the work of the DLUHC with their Think Cyber, Think Resilience programme. Presentations from these events can be found here. We would also like to draw your attention to the full report on the outcomes of the Windsor Consultations held at St. George’s House in 2016. This is available to download here.

Standards & Compliance

HMG MCSS – The HMG Minimum Cyber Security Standard (MCSS), whilst aimed primarily at central government departments, presents a minimum set of measures which all government should strive to exceed. For more information, see: https://www.gov.uk/government/publications/the-minimum-cyber-security-standard/the-minimum-cyber-security-standard

NCSC Cloud Security Principles – The NCSC Cloud Security Principles provide guidance on how to configure, deploy and use cloud services securely. Details on the 14 principles can be found at: https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles

HMG Secure Email Blueprint – Following the demise of the GC Mail service, this blueprint was developed to set out the use of TLS, DMARC and SPF so that all .gov.uk domains can be used to exchange email safe in the knowledge that data is encrypted in transit, sending sources are trusted and the ability to spoof is kept to a minimum. The blueprint can be found at: https://www.gov.uk/guidance/securing-government-email

Some tools which can help you on your secure email journey:

Mail Check – a free service from NCSC which will help you assess your secure email compliance: https://www.ncsc.gov.uk/section/products-services/active-cyber-defence#section_3

zED – a free tool developed as a result of WARP member requirements to check the email domain status of their peers. Recognised by NCSC and C-TAG: https://www.1uglycrazyrobot.co.uk/engage/zed/

Sites such as https://dmarcian.com/ and https://www.hardenize.com/ will help you check domains and configure your own records.

PSN – The vast majority of public bodies consume services over the Public Services Network (PSN). Compliance is required in order to connect to and use these services, and this is achieved by undergoing an annual IT Health Check (ITHC) and submitting a Code of Connection (CoCo). Although the PSN is approaching end of life, compliance is still required until an appropriate alternative is decided upon. For more information, see: https://www.gov.uk/guidance/public-services-network-psn-compliance

NHS DSP – All organisations that have access to NHS patient data and systems must use the NHS Data Security and Protection toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. For more information, see: https://www.dsptoolkit.nhs.uk/

To search for organisations holding DSP certification, see: https://www.dsptoolkit.nhs.uk/OrganisationSearch

PCI DSS – Payment Card Industry Data Security Standard (PCI DSS) compliance is required if your organisation processes financial transactions via debit or credit card. The compliance requirements vary depending on exactly what you process and how you process it. For more information, see: https://www.pcisecuritystandards.org/

CE/CE+ – Cyber Essentials is a simple but effective, Government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks. For more information, see: https://www.ncsc.gov.uk/cyberessentials/overview and https://iasme.co.uk/cyber-essentials/

To search for organisations holding CE certification, see: https://www.ncsc.gov.uk/cyberessentials/search

ISO 27001 – The internationally recognised ISO/IEC 27001 is an excellent framework which helps organisations manage and protect their information assets so that they remain safe and secure. ISO 27001 provides the foundations upon which most information security standards are based. For more information, see: https://www.bsigroup.com/en-GB/iso-27001-information-security/

Backup

The NCSC’s 10 Steps to Cyber Security includes a step on Data Security which provides very useful guidance on backing up your data. The NCSC also provide guidance on Mitigating Malware & Ransomware Attacks, where Action 1 (Make regular backups) is particularly useful.

This Gartner review details some of the enterprise backup solutions commercially available.

MFA

NCSC Guidance – setting up 2FA for online accounts: https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa

NCSC Guidance – MFA for online services: https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services

NCSC Guidance – End User Device (EUD) Security: https://www.ncsc.gov.uk/collection/end-user-device-security

IT Health Checks

IT Health Checks are a necessary part of evidencing your security in many compliance regimes. Supporting guidance for your PSN ITHC can be found on the gov.uk website here.

NCSC

CiSP – The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to allow UK organisations to share cyber threat information in a secure and confidential environment. https://www.ncsc.gov.uk/section/keep-up-to-date/cisp

ACD – The Active Cyber Defence (ACD) programme seeks to reduce the harm from commodity cyber attacks by providing tools and services, free at the point of use, that protect against a range of cyber security threats. https://www.ncsc.gov.uk/section/products-services/active-cyber-defence

NEWS – The NCSC Early Warning Service (NEWS) is a free service which informs organisations of threats against their networks. It does this by processing a number of UK-focused threat intelligence feeds from trusted public, commercial and closed sources, including several privileged feeds not available elsewhere. https://www.earlywarning.service.ncsc.gov.uk/

CyBOK – The Cyber Security Body of Knowledge (CyBOK) is a unique resource, providing for the first time an underpinning body of knowledge encompassing the breadth and depth of cyber security, and showing that cyber security spans a wide range of disciplines. https://www.ncsc.gov.uk/section/education-skills/cybok

Operating Systems

The Cyber Security Body of Knowledge (CyBOK) has published a paper which introduces the principles, primitives and practices for ensuring security at the operating system and hypervisor levels. This document is available to download here.

The NCSC have also published guidance on Keeping devices and software up to date which forms part of their Device Security guidance. See also the Vulnerability Management section of their 10 Steps to Cyber Security guidance.

Active Directory

There is some useful information in NCSC’s blog post, Securing Office 365 with better configuration. Microsoft also gives good guidance in the following:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

https://cloudblogs.microsoft.com/industry-blog/en-gb/government/2021/04/14/updated-office-365-security-and-compliance-guidance-for-the-uk-public-sector/

Logging

NCSC Guidance – an introduction to logging: https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes

NCSC Guidance – Secure system administration: https://www.ncsc.gov.uk/collection/secure-system-administration

NCSC also provide a free, open-source logging solution called Logging Made Easy (LME). The details can be found in their blog post at https://www.ncsc.gov.uk/blog-post/logging-made-easy and the source files are in their GitHub repository at https://github.com/ukncsc/lme.

Awareness & Training

WARPReady – As part of the C-TAG core work programme, a series of presentations and workshops have been made available to public sector cyber security professionals. These are run online from time to time, but downloads are also available.

Staff Training – There are a number of different training solutions commercially available, such as those from Bob’s Business and MetaCompliance. Simulated phishing campaigns are now very popular as organisations strive to make their staff more aware of the scams which can lead to ransomware attacks. Many industry suppliers offer free solutions, such as Trend Micro with their PhishInsight tool. However, any phishing campaign should always be handled very delicately, as this blog post from NCSC explains.

The NCSC’s e-learning package Top Tips for Staff is now available for free and can be completed online or built into your own training platform. As part of the Police’s Cyber Griffin programme, free tabletop exercises are available. These are aimed at senior leaders and help them explore the decisions that need to be made in order to protect their organisations from cyber threats. The LGA have also developed seven free training sessions targeted at councillors, one of which covers cyber security.
