Vulnerability Co-ordination Pilot

Serviceteam IT Security News

If you’ve been following our blog recently, you’ll be aware of several new measures that the NCSC has launched to help improve the security maturity of organisations, and we’re pleased to be announcing the launch of another: the NCSC Vulnerability Co-ordination pilot.

Since the NCSC opened in October 2016, many of our customers have been asking what role we have to play in handling vulnerabilities disclosed within government systems. Behind the scenes we’ve been working on a pilot that we’re launching today.

Having a recognised process around the handling of vulnerability disclosures is definitely an important part of any organisation’s security maturity. Added to that, many might not realise that there is actually an ISO standard to support what ‘good’ looks like for vulnerability disclosure. This standard is freely available: ISO/IEC 29147: Vulnerability Disclosure.

Where does NCSC fit in?

In this respect, UK Government is no different to any other organisation and should adopt a mature approach to vulnerability disclosures, wherever they come from. We’ve handled disclosed vulnerabilities in the past via GovCert and CERT-UK, but the disclosure process has never been quite as smooth as we would have wanted.  We’re now taking the opportunity to redesign our approach. As part of our Active Cyber Defence work we will be trying out a new way for you to report vulnerabilities to us, so that we can efficiently receive, triage and work to remediate the vulnerabilities that are disclosed to us.

As a pilot, we are going to learn by doing, so want to scope the work so that we’re not initially overloaded. As such, over the next few months we will be working with an invited group of UK-based security practitioners to help us to identify and resolve vulnerabilities across three publicly facing systems used in UK Public Sector. To help us get this right we are working with LutaSecurity for advice and will look to use a recognised platform for vulnerability co-ordination.

One of the key parts of this, for me, is that we can recognise the positive impact of receiving vulnerability reports from the external security community. However, we know this is not a silver bullet and it should definitely not be a substitute for sustained efforts like penetration testing, internal security reviews and patching. All of these other activities will continue to be fully used to help keep our systems secure.

The disclosure pilot will be running for the next few months, and at the end of it we will be presenting back some of the results – and importantly, some of the lessons we learnt along the way.

We’re hoping that this will be the start of a journey to ensure that we have an effective, mature approach, across all of the public sector, to handle the disclosure of security vulnerabilities in our systems and services.

Rob. T

Source: National Cyber Security Centre

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!

/by
You might also like
Serviceteam IT Security News Introduction to security governance
Serviceteam IT Security News Emergency Oracle Patch Closes Bug Rated 10 in Severity
Serviceteam IT Security News Free Certs Come With a Cost
Serviceteam IT Security News What is GDPR and why does the UK want to reshape its data laws?
Serviceteam IT Security News You asked…we delivered! The Small Business Guide now has an actions list
Serviceteam IT Security News Cloud Security Principle 7: Secure development