In June 2020 the Local Digital Cyber team completed a discovery into cyber security at local authorities. We found that:
- There are many cyber standards, but no clear baseline.
- An effective cyber baseline must encompass culture, leadership and 'cyber first' processes.
- Leadership support is vital to embed standards and best practices across the organisation.
- Leaders need to understand cyber risk to inform their decisions.
- Legacy technology is a critical blocker to achieving cyber health.
- There is an opportunity for councils to collaborate in order to achieve greater security.
Read the key findings and outcomes from the discovery.
Identifying a Cyber Health Framework
A clear Cyber Health Framework was identified as one of the main areas of opportunity to progress into an alpha project, supporting council staff to navigate numerous and sometimes overlapping standards.
What we want to achieve
We are developing a framework and self-assessment tool that will support local authorities to achieve a recommended level of cyber health. The framework will support local authorities to apply cyber security standards and guidance, and the tool will allow local authorities to assess where they are against a baseline.
The framework should reflect the wider view of cyber security addressing non-technical and technical practices, such as:
- People: knowledge and behaviours
- Processes: procurement, executive governance
- Technology: standards, architecture, management
If we are successful, local authorities should be able to:
- know and understand the minimum level of cyber security to reach
- determine their own organisation's level of cyber security
- devise a path to build greater resilience
During the alpha phase, we will be testing our riskiest assumptions, which are:
- We assume a single framework & baseline will save Local Authority cyber responsible staff time by giving them a one point of reference for cyber health standards and guidance
- We assume that we can deliver a framework that can be useful for a wide variety of councils
- We assume councils will be able to understand and use this framework independently without support
- We assume we can lower the barrier of entry that will increase councils application of cyber health standards and guidance across the whole organisation
Working openly and collaboratively
In order to better understand how we can help, we want to involve a wide range of local authorities in the process of creating a tool and associated framework that is achievable, actionable, and useful.
We're also aware that we're not the only team working on a project of this nature. The Scottish Government has developed a cyber resilience framework and self assessment tool and the NHS has developed a Data Standards Protection Toolkit. We'll be learning from and building on top of the great work they've already done and sharing our progress along the way.
Take part and help us build a useful framework
We are interested in speaking to those responsible for maintaining cyber resilience and the challenges this poses within their roles and local authorities.
We're also looking for senior decision makers, who are responsible for shaping the culture of their organisation. We'd also like to speak with Service Managers and Chief Information Officers.
If you would like to take part in an interview for the MHCLG Cyber Health Framework project, please complete this short form.
If you're working on a related project and are interested in collaborating with us, please email cyberhealth@localdigital.gov.uk.
Follow our progress
- We will be sharing regular updates on the MHCLG Digital blog and Twitter (@LDgovUK).
- You can read our sprint notes on the LDCU Medium page.
- You can also subscribe to our Cyber newsletter for progress updates and upcoming show and tells, as well as news relevant to those working in and around local government cyber security.