Guidance

DCPP requirements: 'Moderate' cyber risk profile

Updated 24 July 2020

The Moderate Cyber Risk Profile applies to contracts where the cyber risks to the contract have been assessed as more advanced than those of the Low profile: attacks may be tailored and targeted, with the objective of gaining access to a specific asset or assets, or of causing a denial of service.

Moderate cyber risk profile requirements

Security governance

L.01 Define and implement an information security policy, related processes and procedures.
L.02 Define and assign information security relevant roles and responsibilities.
L.03 Define and implement a policy which addresses information security risks within supplier relationships.
M.01 Define and implement a policy which provides for regular, formal information security related reporting.
M.02 Define and implement a repeatable risk assessment process.

Security culture and awareness

L.04 Define and implement a policy which ensures all functions have sufficient and appropriately qualified resources to manage the establishment, implementation and maintenance of information security.
L.05 Define employee (including contractor) responsibilities for information security.
L.06 Define and implement a policy to provide employees and contractors with information security training.
M.03 Define and implement a policy to detail specific employee and contractor responsibilities for information security before granting access to sensitive assets.

Information asset security

L.07 Define and implement a policy for ensuring sensitive information is clearly identified.
L.08 Define and implement a policy to control access to information and information processing facilities.
M.04 Define and implement a policy for storing, accessing, and handling sensitive information securely.
M.05 Define and implement a policy for data loss prevention.
M.06 Define, implement and test a policy for regular offline, off-site backup of data.
M.07 Ensure the organisation has identified asset owners, and that asset owners control access to their assets.

Info-cyber systems security

L.09 Maintain annually renewed Cyber Essentials Plus certification.
L.10 Define and implement a policy to control the exchanging of information via removable media.
L.11 Record and maintain the scope and configuration of the information technology estate.
L.12 Define and implement a policy to manage the access rights of user accounts.
L.13 Define and implement a policy to maintain the confidentiality of passwords.
M.08 Undertake administrative access over secure protocols, using multi-factor authentication.
M.09 Define and implement a policy to assess identified vulnerabilities for which no countermeasure (e.g. a patch) is available, and to undertake risk assessment and management of them.
M.10 Define and implement a policy to monitor network behaviour and review computer security event logs for indications of potential incidents.
M.11 Define and implement a policy to monitor user account usage and to manage changes of access rights.
M.12 Define and implement a policy to control remote access to networks and systems.
M.13 Define and implement a policy to control the use of authorised software.
M.14 Define and implement a policy to control the flow of information through network borders.

Personnel security

L.14 Define and implement a policy for verifying an individual’s credentials prior to employment.
L.15 Define and implement a process for employees and contractors to report violations of information security policies and procedures without fear of recrimination.
L.16 Define and implement a disciplinary process to take action against employees who violate information security policies or procedures.
M.13 Define and implement a policy for applying security vetting checks to employees.
M.15 Undertake personnel risk assessments for all employees and contractors, and ensure those with specific responsibilities for information security have sufficient and appropriate qualifications and experience.
M.16 Define and implement a policy to secure organisational assets when individuals cease to be employed by your organisation.

Security incident management

L.17 Define and implement an incident management policy, which must include detection, resolution and recovery.

Online guidance

Cyber Essentials scheme
SANS Information Security Policy templates
Staff awareness and training
Staff education and awareness
Training available for staff
Data security
Removable media controls
Managing user privileges
Password policy: updating your approach
Incident management
Protecting bulk personal data
Backing up your data
Backing up your data blog post
Setting up 2 factor authentication
Vulnerability management
Monitoring networks
Security monitoring
Home and mobile working
System security