Cybersecurity Policy

My Department adopts a defence in depth approach to cyber security. This approach uses multiple layers and disparate systems to deliver security which is not dependent on any single component. My department has several policies, plans and procedures in place to deal with significant cyber security and business continuity issues. Given the heightened level of risk, my Department’s technical staff has adopted a posture of increased vigilance and oversight of systems along with adopting enhanced resilience and recovery measures in the event of a significant issue.

For operational and security reasons, we are advised by the NCSC not to disclose details of systems and processes which could in any way compromise cyber security measures in place in public bodies. In particular, it is not considered appropriate to disclose information which might assist criminals to identify potential vulnerabilities in departmental cybersecurity arrangements.

Therefore, it is not considered appropriate to disclose particular arrangements in place in relation to attack vectors, and my Department does not comment on operational security matters.

More broadly, and in line with best practice, my department has a Business Continuity Plan in place. This plan provides structures to mitigate the impact of serious disruptions on the Department and its ability to provide services to the public and wider community. Examples of the kinds of scenarios for which contingency planning is undertaken include responses to a significant cyber incident or a physical or environmental issue affecting a Departmental building. The Business Continuity Plan identifies roles and responsibilities at a senior level throughout the department, as well as response protocols. This plan is updated regularly and is presented to Management Board on an annual basis for their approval.