MCSS: Decrypting Minimum Cyber Security Standards Best Practices and Guidelines

Home » Blogs » MCSS: Decrypting Minimum Cyber Security Standards Best Practices and Guidelines

2008 legislation that requires all UK public sector services to report cyber security breaches in real-time revealed some shocking statistics, including 3,557 data breaches in healthcare alone.¹

In June 2018, the UK government and the National Cyber Security Centre (NCSC) attempted to offset these risks across public sector organisations by implementing a new set of Minimum Cyber Security Standards (MCSS).

These standards consider 10 essential requirements and, as their name suggests, constitute a minimum set of measures that should be exceeded when possible. This is reinforced by the fact that after the implementation of the standards in 2019, 33% of UK public sector organisations still reported breaches.²

In this article, we’re going to look at what the MCSS includes in some detail. Then, we will look to explain how organisations can ensure that their processes supercharge those considerations for comprehensive cyber security solutions that withstand threats in the modern threat landscape. Let’s get started.

Suggested reading: To learn more about cyber security within the public sector, check out our blog — Fundamentals of of Public Sector Cyber Security

What are the requirements?

MCSS covers 10 cyber security requirements segmented into five sections of compliance, each of which we’re going to look at individually.

1. Identify

Threat identification should be at the root of any effective cyber security strategy, and is broken down into four subsections in the MCSS:

Departments shall put in place appropriate cyber security governance processes: Management policies should draw clear lines of responsibility to named individuals with regards to the protection of secure information. Risk assessments should also be carried out against existing threats to internal security structures, while the security processes of supply chain partners should always be screened, either through requirements of assurance against HMG Cyber Security Standards or through the supply of a valid Cyber Essentials certificate.³

Departments shall identify and catalogue sensitive information they hold: Records should be made with regards to any sensitive data held within an organisation’s repositories, specifically focusing on:

- - What sensitive data is being processed?

- - Why is that information relevant?

- - Where is sensitive data stored?

- - Which computer systems are being used to process it?

- - What is the potential impact of the loss of that data?

Departments shall identify and catalogue the key operational services they provide: Similar records should also be made regarding the services offered by government departments, outlining:

- - Key operational services;

- - Technologies and services that those operations rely on for availability and security;

- - Other operational dependencies (e.g. power, cooling, data, people); and

- - The impact that a loss of availability could cause.

The need for users to access sensitive information or key operational services shall be understood and continually managed: Access to sensitive data should always be granted to system users in accordance with their roles, but security controls should be revisited periodically to ensure the management and removal of these permissions in the case of role changes or departure.

2. Protect

Putting in place adequate protections is an essential part of a proactive security approach. MCSS breaks these down into three crucial stages as follows:

Access to sensitive information and key operational services shall only be provided to identified, authenticated and authorised users or systems: Authentication (ID, passcode, etc.) should be required before any user or system (in the case of highly sensitive operations) is granted access to sensitive information.

Systems that handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities: Full software audits, tracking, validation, encryption, and patching among other protections (such as Domain-based Message Authentication and Reporting Conformance (DMRAC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF)) should be implemented across all systems, spanning four main areas of technology:

- - Enterprise technology

- - End-user devices

- - Email systems

- - Digital services

Highly privileged accounts should not be vulnerable to common cyber-attacks: As well as being subject to complex passwords that change from default values and operate alongside multi-factor authentication where possible, highly privileged accounts for administrators and other high-access individuals should be segregated, and never used across ‘high-risk functions,’ such as web browsing or email access.

3. Detect

Detection ensures that risks are identified before damage is done or a breach occurs. According to MCSS, detection revolves around one primary standard, which is:

Departments shall take steps to detect common cyber-attacks: Departments must define what needs protecting and why, and should capture events that can be combined with common threat intelligence sources to detect known threats. Attackers attempting to use common cyber-attacks should be unable to gain access to technology services without detection, and digital services that are attractive to cyber criminals should implement transactional monitoring techniques at all times.

4. Respond

Adequate and immediate responses should then be implemented, predominantly through one MCSS stipulation:

Departments shall have a defined, planned and tested response to cyber security incidents that impact sensitive information or key operational services: Incident response and management plans should be implemented with clearly defined actions, roles, and responsibilities, including communication protocols in the event of a breach. Plans should also comply with the legal obligation to report all breaches involving personal data to the Information Commissioner’s Office, and should be tested regularly to ensure efficiency.⁴

5. Recover

Fast and efficient recovery from breaches is fundamental to ongoing protection and, according to MCSS, should involve one primary focus:

Departments shall have well defined and tested processes to ensure the continuity of key operational services in the event of failure or compromise: Contingency mechanisms should be identified and tested to ensure the continuation of key operational services in the event of compromised systems. Business continuity plans should be well-practised, inform the immediate future technical protection of the system or service in question, and ensure that systematic vulnerabilities are identified and remediated.

Where should you go above and beyond?

MCSS provides an undeniably crucial baseline for public sector cyber security. However, as threats evolve, organisations need to consider ways to provide security best practices that offer more than these minimum requirements. A robust security strategy that’s even harder for cyber criminals to overcome should look to:

Protecting sensitive information: Work from home arrangements that weren’t particularly relevant during MCSS implementations are now raising security questions for as many as 86% of business executives.⁵ This has highlighted the need for specified work from home security policies and VPN protections that drastically increase protection.

Guarding against all types of cyber-attacks: MCSS stipulates the need to protect against common risks, but cyber crime increases of 31% across the pandemic alone have revolved mainly around new and evolving threats.⁶ This includes increasingly difficult to manage ransomware (as seen in the NHS WannaCry attack), and intelligent, socially engineered phishing scams.⁷ A heightened focus on training and responsive security plans should meet these risks head-on, as well as keeping existing MCSS policies ticking over to avoid long-standing risks.

Penetration testing: Penetration testing outside of compliance expectations enables organisations to identify levels of technical risk that aren’t necessarily considered within MCSS. This makes it possible to account for arising threats during the configuration of security goals, creating a protective barrier with the potential to provide far more comprehensive security resistance.
Understanding risk appetites (and tolerance): To meet their objectives, many public sector organisations will need to accept some level of risk that isn’t considered in MCSS. By taking the time to understand risk appetites and tolerance through comprehensive risk assessments, it’s far easier to align risk with strategic objectives and determine when action should be taken.

Further reading: For more on cyber security best practices, take a look at our blog — Cyber Security Best Practices in 2021: How to Do More With Less

Establish partnerships for the best outcomes

While MCSS guidelines raise the bar in terms of minimum security requirements, in the context of an evolving risk landscape, extensive security processes are essential for public sector organisations in order to avoid the damage that breaches can bring. Achieving this in-house is not only time consuming and costly, but also means the risk of falling behind compliance standards is very real.

Ongoing security protections that adhere to and enhance MCSS rely on adaptable and expansive solutions. Security partnerships like those offered by our team here at Six Degrees are here to make this a reality.

Using our understanding of the threats facing public sector organisations, we’ve developed affordable, easy-to-implement managed security solutions that understand the importance of cyber security as a journey, rather than a destination.

By working with you at every stage, we’ll help enforce policies that not only work alongside MCSS, but also account for new threats outside the scope of these minimum requirements, even in a risk landscape that’s evolving at every turn.

Company No.:	03036806
VAT No.:	135526617
Tel:	0800 012 8060
Tel:	+44(0)20 7858 4000
Email:	info@6dg.co.uk

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_cfuvid	session	Cloudflare allows the Cloudflare WAF to distinguish individual users who share the same IP address.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-26222241-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
ln_or	1 day	LinkedIn registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
lo-uid	2 years	Lucky Orange to provide marketing tracking unique id
lo-visits	2 years	Lucky Orange to provide marketing tracking across pages
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.

MCSS: Decrypting Minimum Cyber Security Standards Best Practices and Guidelines