Skórzewiak - stock.adobe.com

Crest and IASME to deliver upcoming NCSC Cyber Exercise programme

Crest and IASME have been tasked with assuring that security services providers signing up to a soon-to-launch NCSC Cyber Incident Exercising scheme are up to the job

Security trade association Crest and skills specialist IASME have teamed up with the National Cyber Security Centre (NCSC) to deliver the UK security authority’s new Cyber Incident Exercising (CIE) scheme across the country.

Recognising that the benefits of exercise extend beyond physical health, the NCSC’s programme is designed to help end-user organisations find security providers that can effectively advise and support them to practice their incident response plan. Organisations that regularly test against incident response plans are generally able to get up and running more quickly when a cyber attack happens.

The role played by Crest and IASME will be to manage the assessment, onboarding, monitoring (and offboarding) of managed security services providers (MSSPs) assured under the scheme on the NCSC’s behalf. Participating MSSPs will need to be assessed against the CIE technical standard, which has just been updated by the NCSC.

“We are really looking forward to working with companies of all sizes and in all areas of the UK to deliver this important scheme. We feel strongly about ensuring that the scheme is accessible for smaller cyber security companies to become assured providers and we encourage you to contact us to discuss becoming a provider if this is something that interests you,” said IASME CEO Emma Philpott.

Crest president Rowland Johnson added: “We are delighted to be helping deliver this important new scheme for the NCSC by assessing and onboarding assured service providers. With rising cyber attacks on enterprises of all types, effective cyber incident response is one of the most important parts of building cyber resilience. This will give all organisations who want to test their incident response, access to assured service providers who can support them.”

The NCSC has not yet launched the CIE programme, but is set to do so later before the end of 2023, once a number of MSSPs have been checked out.

The CIE scheme will assures against two types of exercises that end-users may wish to practice. The first is table-top, discussion-based sessions where stakeholders set out their roles, responsibilities, activities and key decision points against a pre-agreed incident scenario.

The second, live play, provides a more in-depth session where stakeholders execute their tasks to respond to events in a real-world scenario tailored to the organisation and taking place in as close to real-time as possible, presenting a realistic incident simulation. This more advanced exercise is better suited for more cyber-mature organisations that want to validate their planning.

Exercises in scope will be incidents that have a significant impact on a single client organisation, but does not cover attacks that might span multiple organisations, or those defined as Category 1 or Category 2 attacks by the NCSC under its 2018 categorising framework,

As a reminder,  a Category 1 incident is defined as a national cyber emergency causing sustained disruption to the UK’s public services or affecting national security, and leading to “severe” economic and social impacts or deaths.

A Category 2 incident is defined as one having a serious impact on central government, essential public services, a large proportion of the population, or the economy.

Both these scenarios would see the NCSC coordinate a national, cross-government response, with the involvement of the Cabinet Office’s Civil Contingencies Committee (COBR or COBRA) a given in a Category 1 scenario.

Read more about incident response planning

  • In this real-world cyber-war game case study, an exercise on ransomware preparedness helped a company discover shortcomings in its incident response plan.
  • Organisations are spending less than 10% of their annual security budgets on trying to solve one of the costliest problems in cyber: insider risk.
  • Global financial services organisations took part in an annual NATO event which simulated cyber attacks on critical infrastructure.

Read more on Data breach incident management and recovery