Guidance

DCPP requirements: 'High' cyber risk profile

Updated 24 July 2020

The High Cyber Risk Profile applies to contracts where it has been assessed the cyber risks to the contract may be subjected to Advanced Persistent Threats (APT). Attackers at this level will typically be organised, highly sophisticated, well-resourced and persistent. APT attacks may be sustained over long periods and the attack may lay dormant for months or years after an initial approach.

High cyber risk profile requirements

Security Governance

L.01 Define and implement an information security policy, related processes and procedures.
L.02 Define and assign information security relevant roles and responsibilities.
L.03 Define and implement a policy which addresses information security risks within supplier relationships.
M.01 Define and implement a policy which provides for regular, formal information security related reporting.
M.02 Define and implement a repeatable risk assessment process.

Security culture and awareness

L.04 Define and implement a policy which ensures all functions have sufficient and appropriately qualified resources to manage the establishment, implementation and maintenance of information security.
L.05 Define employee (including contractor) responsibilities for information security.
L.06 Define and implement a policy to provide employees and contractors with information security training.
M.03 Define and implement a policy to detail specific employee and contractor responsibilities for information security before granting access to sensitive assets.

Information asset security

L.07 Define and implement a policy for ensuring sensitive information is clearly identified.
L.08 Define and implement a policy to control access to information and information processing facilities.
M.04 Define and implement a policy for storing, accessing, and handling sensitive information securely.
M.05 Define and implement a policy for data loss prevention.
M.06 Define, implement and test a policy for regular off-line back-up of data off-site.
M.07 Ensure the organisation has identified asset owners and asset owners control access to their assets.

Info-cyber systems security

L.09 Maintain annually renewed Cyber Essentials Scheme Plus Certification.
L.10 Define and implement a policy to control the exchanging of information via removable media.
L.11 Record and maintain the scope and configuration of the information technology estate.
L.12 Define and implement a policy to manage the access rights of user accounts.
L.13 Define and implement a policy to maintain the confidentiality of passwords.
M.08 Undertake administration access over secure protocols, using multi-factor authentication.
M.09 Define and implement a policy to assess vulnerabilities identified for which there are no countermeasures (e.g. a patch) available, undertake risk assessment and management.
M.10 Define and implement a policy to monitor network behaviour and review computer security event logs for indications of potential incidents.
M.11 Define and implement a policy to monitor user account usage and to manage changes of access rights.
M.12 Define and implement a policy to control remote access to networks and systems.
M.13 Define and implement a policy to control the use of authorised software.
M.14 Define and implement a policy to control the flow of information through network borders.
H.01 Maintain patching metrics and assess patching performance against policy.
H.02 Ensure wireless connections are authenticated.
H.03 Deploy network monitoring techniques which complement traditional signature-based detection.
H.04 Place application firewalls in front of critical servers to verify and validate the traffic going to the server.
H.05 Deploy network-based Intrusion Detection System (IDS) sensors on ingress and egress points within the network and update regularly with vendor signatures.
H.06 Define and implement a policy to control installations of and changes to software on any systems on the network.
H.07 Control the flow of traffic through network boundaries and police content by looking for attacks and evidence of compromised machines.
H.08 Design networks incorporating security countermeasures, such as segmentation or zoning.
H.09 Ensure Data Loss Prevention at egress points to inspect the contents of information and take appropriate action to prevent its inadvertent or malicious release.

Personnel security

L.14 Define and implement a policy for verifying an individual’s credentials prior to employment.
L.15 Define and implement a process for employees and contractors to report violations of information security policies and procedures without fear of recrimination.
L.16 Define and implement a disciplinary process to take action against employees who violate information security policies or procedures.
M.15 Define and implement a policy for applying security vetting checks to employees.
M.16 Undertake personnel risk assessments for all employees and contractors and ensure those with specific responsibilities for information security have sufficient appropriate qualifications and appropriate levels of appropriate experience.
M.17 Define and implement a policy to secure organisational assets when individuals cease to be employed by your organisation.

Security Incident Management

L.17 Define and implement an incident management policy, which must include detection, resolution and recovery.
H.10 Proactively verify security controls are providing the intended level of security.
H.11 Define and implement a policy to ensure the continued availability of critical asset(s)/information during a crisis

Online guidance

Cyber essentials scheme
Sans Information Security Policy templates
Staff awareness and training
Staff education and awareness
Training available for staff
Data security
Removable media controls
Managing user privileges
Password policy: updating your approach
Incident management
Protecting bulk personal data
Backing up your data
Backing up your data blog post
Setting up 2 factor authentication
Vulnerability management
Monitoring networks
Security monitoring
Home and mobile working
System security