National Highways' information security

These are the functions National Highways uses to manage cyber security risks and events.



Identify

Understanding and managing cyber security risk to National Highways systems, data, assets and overall capabilities. 

Requirement

The Supplier must follow National Highways information risk governance processes.

Specification

To govern risk appropriately, the Supplier ensures that:

  • named individuals are clearly responsible and accountable for the security of sensitive information and key operational services
  • they (the Supplier) have appropriately documented processes to direct the project or service approach to information security, for both build and run
  • they (the Supplier) identify, assess and manage risks to sensitive information and key operational services
  • they (the Supplier) understand and manage security-related issues arising from dependencies on external suppliers and their supply chains - this includes ensuring that suppliers of third-party services hold valid Cyber Essentials certificates
  • they (the Supplier) give appropriate information security and risk management training to all users with access to sensitive information or operational services
  • they (the Supplier) promote a culture of awareness

Requirement

The Supplier is required to identify and catalogue sensitive information that they hold or access.

Specification

The Supplier must document:

  • what sensitive information is held and accessed and why
  • where the information is held and which computer systems or services access it
  • an understanding of the impact of loss, compromise or disclosure of the sensitive information

Requirement

The Supplier must identify and catalogue key operational services provided or supported.

Specification

The Supplier must document:

  • the key operational services that are provided or supported
  • an understanding of the technologies and services the operational services rely on to remain available and secure
  • an understanding of the other dependencies that the operational services have (power, cooling, data, people and so on)
  • an understanding of the impact of loss of availability, or compromise on the service

Requirement

The Supplier must actively manage access to sensitive information and key operational services.

Specification

To achieve an appropriate level of access management, the Supplier must make sure that:

  • users only hold the minimum access to sensitive information or key operational services necessary for their role
  • access is removed when individuals leave their role or the organisation
  • periodic reviews take place to ensure appropriate access is maintained

 


Detect

The activities needed to identify the occurrence of an information security event in a timely manner.

Requirement

The Supplier must be able to detect common cyber-attacks.

Specification

The Supplier must make sure that:

  • the Supplier captures system events and combines them with threat intelligence sources to detect known threats
  • prioritised custom use cases are in place to detect events which might indicate situations National Highways wishes to avoid
  • monitoring solutions expand and evolve with business and technology changes, as well as changes in threat
  • attackers attempting to use common cyber-attack techniques cannot gain undetected access to National Highways data or any control of National Highways technology services 
  • digital services that are attractive to cyber criminals for the purposes of fraud have transactional monitoring

Respond

The activities the Supplier must perform once an information security incident has been detected, to contain its negative impact.

Requirement

The Supplier must have a defined, planned and tested response process to information security incidents that impact sensitive information or key operational services.

Specification

The Supplier must have an incident response and management plan with clearly defined actions, roles and responsibilities.

The Supplier must test their incident response and management plan at regular intervals, so all people involved understand their roles and responsibilities as part.

The Supplier must have communication plans for security incidents.

When the Supplier discovers an incident, they must assess and apply mitigating measures as soon as possible. The Supplier must get expert advice where necessary (for example, National Highways' Cyber Incident Response (CIR) partner or the National Cyber Security Centre (NCSC)).

The Supplier must report any incident involving a personal data breach to the National Highways Data Protection Officer as soon as it is identified.

The Supplier must assess post-incident lessons and remediations and record them in future iterations of the incident management plan.

 


Recover

Activities needed to maintain organisational resilience and restore any services that have been impaired as a consequence of an information security incident.

Requirement

The Supplier must have defined and tested processes to ensure the continuity of key operational IT services in the event of failure or compromise.

Specification

The Supplier must identify and test contingency mechanisms to deliver essential services in the event of any failure, forced shutdown, or compromise of any system or service. This may include the preservation of out-of-band or manual processes for essential services or critical national infrastructure.

The Supplier must have a tried and tested 'restoring the service to normal' operation and process.

The Supplier must set up post-incident recovery activities to protect the system in future and make sure the same issue cannot arise in the same way again. These activities must identify and remediate systemic vulnerabilities.
