National Highways' information security
These are the functions National Highways uses to manage cyber security risks and events.
Understanding and managing cyber security risk to National Highways systems, data, assets and overall capabilities.
The Supplier must follow National Highways information risk governance processes.
To govern risk appropriately, the Supplier ensures that:
- named individuals are clearly responsible and accountable for the security of sensitive information and key operational services
- the Supplier has appropriately documented processes to direct the project or service approach to information security, for both build and run
- the Supplier identifies, assesses and manages risks to sensitive information and key operational services
- the Supplier understands and manages security-related issues arising from dependencies on external suppliers and their supply chains, including ensuring that suppliers of third-party services hold valid Cyber Essentials certificates
- the Supplier gives appropriate information security and risk management training to all users with access to sensitive information or operational services
- the Supplier promotes a culture of awareness
The Supplier is required to identify and catalogue sensitive information that they hold or access.
The Supplier must document:
- what sensitive information is held and accessed and why
- where the information is held and which computer systems or services access it
- an understanding of the impact of loss, compromise or disclosure of the sensitive information
The Supplier must identify and catalogue key operational services provided or supported.
The Supplier must document:
- the key operational services that are provided or supported
- an understanding of the technologies and services the operational services rely on to remain available and secure
- an understanding of the other dependencies that the operational services have (power, cooling, data, people and so on)
- an understanding of the impact of loss of availability, or compromise on the service
The Supplier must actively manage access to sensitive information and key operational services.
To achieve an appropriate level of access management, the Supplier must make sure that:
- users only hold the minimum access to sensitive information or key operational services necessary for their role
- access is removed when individuals leave their role or the organisation
- periodic reviews take place to ensure appropriate access is maintained
This function outlines the safeguards needed to ensure proper functioning and effective delivery of critical infrastructure services.
It helps National Highways limit and contain the impact of an information security event.
The Supplier must only give access to sensitive information and key operational services to identified, authenticated and authorised users or systems.
The Supplier must make sure users and systems are always identified and authenticated before they are granted access to information or services.
Depending on the sensitivity of the information or criticality of the service, the device being used for access may also need to be authenticated and authorised.
The Supplier must make sure systems which handle sensitive information or key operational services are protected from exploitation of known vulnerabilities.
For National Highways systems:
The Supplier must record and track all software and hardware assets and their configuration.
The Supplier must carry out secure configuration and patching to prevent National Highways' infrastructure being vulnerable to common attacks. Where this isn't possible, the Supplier must set up other mitigations (including logical separation).
The Supplier must regularly test for the presence of known vulnerabilities and common configuration errors. The Supplier must remediate any issues.
Only strongly authenticated and authorised administrators must make changes to National Highways' authoritative DNS.
The Supplier must understand and document National Highways' IP ranges.
Where applicable, the Supplier must maintain clear documentation recording the security-related responsibilities remaining with National Highways and those which sit with the Supplier.
For National Highways endpoints:
The Supplier must account for all end-user devices and removable media.
The Supplier must manage devices that have access to sensitive information, or key operational services, so that they can apply technical policies and exert controls over software that interacts with sensitive information.
The Supplier must regularly patch all operating systems and software packages that are in use and make sure they are still supported by the vendor.
The Supplier must ensure that, where physical protection cannot be assured, data at rest is encrypted.
The Supplier must make sure that they are able to remotely wipe, and revoke access from, an end-user device.
For National Highways email:
The Supplier must support a minimum of Transport Layer Security version 1.2 (TLS v1.2) for sending and receiving email securely.
The Supplier must ensure that Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records are in place to make email spoofing difficult.
The Supplier must make sure that spam and malware filtering is present, and DMARC is enforced on inbound email.
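As an added example (not part of National Highways' document or tooling), the following Python checks whether a domain's SPF, DMARC and DKIM records meet the email requirement above: SPF present with a hard fail, DMARC at an enforcing policy, and a DKIM key published. The domain names, selector and record contents are constructed for illustration and are read from an in-memory dict rather than live DNS.

```python
"""Check a domain's email authentication records against the DMARC/DKIM/SPF
requirement. Added example; records below are constructed, not real DNS data."""

# Constructed sample TXT records keyed by DNS name (assumption: one TXT per name).
SAMPLE_TXT = {
    "example.org": "v=spf1 include:_spf.example.net -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org",
    "sel1._domainkey.example.org": "v=DKIM1; k=rsa; p=MIIBIjANBg...PLACEHOLDER",
    "weak.example": "v=spf1 include:_spf.example.net ?all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
}


def parse_tags(record):
    """Parse the 'tag=value; tag=value' list used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_domain(domain, txt=SAMPLE_TXT, dkim_selector="sel1"):
    """Return {'domain': ..., 'issues': [...]}; an empty issues list means the
    domain has SPF (-all), an enforced DMARC policy and a published DKIM key."""
    issues = []

    # SPF: must exist and must hard-fail senders not listed in the record.
    spf = txt.get(domain, "")
    if not spf.lower().startswith("v=spf1"):
        issues.append("SPF record missing")
    elif not spf.rstrip().endswith("-all"):
        issues.append("SPF does not hard-fail unlisted senders (-all)")

    # DMARC: 'p=none' only monitors; spoofing is blocked at quarantine/reject.
    dmarc = parse_tags(txt.get("_dmarc." + domain, ""))
    policy = dmarc.get("p")
    if dmarc.get("v") != "DMARC1":
        issues.append("DMARC record missing")
    elif policy not in ("quarantine", "reject"):
        issues.append("DMARC policy is %r, not enforced" % policy)

    # DKIM: the selector's record must publish a public key in its p= tag.
    dkim = parse_tags(txt.get("%s._domainkey.%s" % (dkim_selector, domain), ""))
    if not dkim.get("p"):
        issues.append("DKIM public key missing for selector %s" % dkim_selector)

    return {"domain": domain, "issues": issues}
```

To run against a live domain, replace the dict lookups with a DNS TXT query for the same three names; the checks themselves are unchanged.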
For National Highways digital services:
The Supplier must ensure that web applications are not susceptible to common security vulnerabilities, such as those in the Open Web Application Security Project (OWASP) Top 10.
The Supplier must routinely test that the underlying infrastructure is secure. This includes verifying that the hosting environment is maintained securely and that the Supplier takes responsibility for securely configuring the infrastructure and platform.
The Supplier must protect data in transit using a minimum of TLS v1.2.
The Supplier must routinely conduct web app scanning to test for known vulnerabilities and common configuration errors.
The Supplier must make sure that all external URLs are shared with the Security Team and monitored by the NCSC WebCheck Service.
The Supplier must make sure that highly privileged accounts have additional protections and are not vulnerable to common attack techniques.
Users with wide-ranging or extensive system privilege must not use their highly privileged accounts for high-risk functions, particularly reading email and web browsing.
The Supplier must use multi-factor authentication where technically possible, such as where administrative consoles provide access to manage cloud-based infrastructure, platforms or services.
The Supplier must use multi-factor authentication for access to official social media accounts.
The Supplier must change passwords for highly privileged system accounts, social media accounts and infrastructure components from their default values. Passwords must not be easy to guess. Passwords which would on their own grant extensive system access must have high complexity.
The activities needed to identify the occurrence of an information security event in a timely manner.
The Supplier must be able to detect common cyber-attacks.
The Supplier must make sure that:
- the Supplier captures system events and combines them with threat intelligence sources to detect known threats
- prioritised custom use cases are in place to detect events which might indicate situations National Highways wishes to avoid
- monitoring solutions expand and evolve with business and technology changes, as well as changes in threat
- attackers attempting to use common cyber-attack techniques cannot gain undetected access to National Highways data or any control of National Highways technology services
- digital services that are attractive to cyber criminals for the purposes of fraud have transactional monitoring
The activities the Supplier must perform once an information security incident has been detected, to contain its negative impact.
The Supplier must have a defined, planned and tested response process to information security incidents that impact sensitive information or key operational services.
The Supplier must have an incident response and management plan with clearly defined actions, roles and responsibilities.
The Supplier must test their incident response and management plan at regular intervals, so that everyone involved understands their roles and responsibilities within it.
The Supplier must have communication plans for security incidents.
When the Supplier discovers an incident, they must assess and apply mitigating measures as soon as possible. The Supplier must get expert advice where necessary (for example from National Highways' Cyber Incident Response (CIR) partner or the National Cyber Security Centre (NCSC)).
The Supplier must report any incident involving a personal data breach to National Highways' Data Protection Officer as soon as it is identified.
The Supplier must assess post-incident lessons and remediations and record them in future iterations of the incident management plan.
Activities needed to maintain organisational resilience and restore any services that have been impaired as a consequence of an information security incident.
The Supplier must have defined and tested processes to ensure the continuity of key operational IT services in the event of failure or compromise.
The Supplier must identify and test contingency mechanisms to deliver essential services in the event of any failure, forced shutdown, or compromise of any system or service. This may include the preservation of out-of-band or manual processes for essential services or critical national infrastructure.
The Supplier must have a tried and tested process for restoring the service to normal operation.
The Supplier must set up post-incident recovery activities to protect the system in future and make sure the same issue cannot arise in the same way again. These activities must identify and remediate systemic vulnerabilities.