In order to propose controls that would implement the requirements of the GDPR in UK-governed business, EnterpriseGRC Solutions has embarked on mapping the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU), to both the NIST 800-53 r4 control enhancements and the HM Government (Her Majesty's) National Cyber Security Strategy 2016-2021. Please download the National Cyber Security document here: National Cyber Security Strategy 2016-2021 - Gov.uk

 

Since we found the steps to extract content from the GDPR and NCSC publications to be so difficult, we've determined it is in the best interest of the cyber community to share the well-formed content here. Please enjoy the formatted section "IMPLEMENTATION", which begins at page 28. This implementation guide serves as the backbone to any well-considered and comprehensive (UK-based or otherwise) cyber security program.

To better understand the following implementation guidance, please consider using the NCSC Glossary.

NCSC 5.0 Overview


The DEFEND elements of this strategy aim to ensure that UK networks, data, and systems in the public, commercial and private spheres are resilient to and protected from cyber attack. It will never be possible to stop every cyber attack, just as it is not possible to stop every crime. However, together with citizens, education providers, academia, businesses and other governments, the UK can build layers of defense that will significantly reduce our exposure to cyber incidents, protect our most precious assets, and allow us all to operate successfully and prosperously in cyberspace. Acting to promote cooperation between states and good cyber security practice is also in the interest of our collective security.

The Government will implement measures to ensure that citizens, businesses, public and private sector organizations and institutions have access to the right information to defend themselves. The National Cyber Security Centre provides a unified source of advice in government for threat intelligence and information assurance, ensuring that we can offer tailored guidance for cyber defense and respond quickly and effectively to major incidents in cyberspace. The Government will work with industry and international partners to define what good cyber security looks like for public and private sectors, for our most important systems and services, and for the economy as a whole. We will build security by default into all new government and critical systems. Law enforcement agencies will collaborate closely with industry and the National Cyber Security Centre to provide dynamic criminal threat intelligence with which industry can better defend itself and to promote protective security advice and standards.

NCSC 5.1 Active Cyber Defense


Active Cyber Defense (ACD) is the principle of implementing security measures to strengthen a network or system to make it more robust against attack. In a commercial context, Active Cyber Defense normally refers to cyber security analysts developing an understanding of the threats to their networks and then devising and implementing measures to proactively combat, or defend, against those threats. In the context of this strategy, the Government has chosen to apply the same principle on a larger scale: the Government will use its unique expertise, capabilities, and influence to bring about a step-change in national cyber security to respond to cyber threats. The 'network' we are attempting to defend is the entire UK cyberspace. The activities proposed represent a defensive action plan, drawing on the expertise of NCSC as the National Technical Authority to respond to cyber threats to the UK at a macro level.

In undertaking ACD, the Government aims to:

  • make the UK a much harder target for state-sponsored actors and cybercriminals by increasing the resilience of UK networks;
  • defeat the vast majority of high-volume/low-sophistication malware activity on UK networks by blocking malware communications between hackers and their victims;
  • evolve and increase the scope and scale of Government's capabilities to disrupt serious state-sponsored and cyber criminal threats;
  • secure our internet and telecommunications traffic from hijacking by malicious actors;
  • harden the UK's critical infrastructure and citizen-facing services against cyber threats; and
  • disrupt the business model of attackers of every type, to demotivate them and to reduce the harm that their attacks can cause.

In pursuit of these aims, the Government will:

  • work with industry, especially Communications Service Providers (CSPs), to make it significantly harder to attack UK internet services and users, and greatly reduce the prospect of attacks having a sustained impact on the UK. This will include tackling phishing, blocking malicious domains and IP addresses, and other steps to disrupt malware attacks. It will also include measures to secure the UK's telecommunications and internet routing infrastructure;
  • increase the scale and development of GCHQ, Ministry of Defense and NCA capabilities to disrupt the most serious cyber threats to the UK, including campaigns by sophisticated cyber criminals and hostile foreign actors; and
  • better protect government systems and networks, help industry build greater security into the CNI supply chain, make the software ecosystem in the UK more secure, and provide automated protections for government online services to the citizen.

Where possible, these initiatives will be delivered with or through partnerships with industry. For many, industry will be designing and leading implementation, with the Government's critical contribution being expert support, advice, and thought-leadership.

The Government will also undertake specific actions to implement these measures, which will include:

  • working with CSPs to block malware attacks. We will do this by restricting access to specific domains or web sites that are known sources of malware. This is known as Domain Name System (DNS) blocking/filtering;
  • preventing phishing activity that relies on domain 'spoofing' (where an email appears to be from a specific sender, such as a bank or government department but is actually fraudulent) by deploying an email verification system on government networks as standard and encouraging industry to do likewise;
  • promoting security best practice through multi-stakeholder internet governance organizations such as the Internet Corporation for Assigned Names and Numbers (ICANN) (which coordinates the domain name system), the Internet Engineering Task Force (IETF) and the European Regional Internet Registry (RIPE) and engagement with stakeholders in the UN Internet Governance Forum (IGF);
  • working with law enforcement channels in order to protect UK citizens from being targeted in cyber attacks from unprotected infrastructure overseas;
  • working towards the implementation of controls to secure the routing of internet traffic for government departments to ensure that it cannot be illegitimately re-routed by malicious actors; and
  • investing in programs in the Ministry of Defense, the NCA and GCHQ that will enhance the capabilities of these organizations to respond to, and disrupt, serious state-sponsored and criminal cyber activity targeting UK networks.

We will develop these technical interventions as threats evolve to ensure that UK citizens and businesses are protected by default from the majority of large-scale commodity cyber attacks.

The Government will measure its success in establishing effective ACD by assessing progress towards the following outcomes:

  • the UK is harder to 'phish', because we have large-scale defenses against the use of malicious domains, more active anti-phishing protection at scale and it is much harder to use other forms of communication, such as 'vishing' and SMS spoofing, to conduct social engineering attacks;
  • a far larger proportion of malware communications and technical artifacts associated with cyber attacks and exploitation are being blocked;
  • the UK's internet and telecommunications traffic is significantly less vulnerable to rerouting by malicious actors;
  • GCHQ, the Armed Forces' and NCA capabilities to respond to serious state-sponsored and criminal threats have significantly increased.

NCSC 5.2 Building a more secure Internet


Changing technology provides us with the opportunity to significantly reduce the ability of our adversaries to conduct cyber crime in the UK by ensuring that future online products and services coming into use are 'secure by default'. That means ensuring that the security controls built into the software and hardware we use are activated as a default setting by the manufacturer so that the user experiences the maximum security offered to them unless they actively choose to turn it off. The challenge is to effect transformative change in a way that supports the end user and offers a commercially viable, but secure, product or service - all within the context of maintaining the free and open nature of the Internet.

The Government is well-placed to take a lead role in exploring those new technologies that will better protect our own systems, help industry build greater security into the supply chain, secure the software ecosystem and provide automated protections to citizens accessing government services online. The Government must test and implement new technologies that provide automated protection for government online products and services. Where possible, similar technologies should be offered to the private sector and the citizen.

The majority of online products and services coming into use become 'secure by default' by 2021. Consumers will be empowered to choose products and services that have built-in security as a default setting. Individuals can switch off these settings if they choose to do so but those consumers who wish to engage in cyberspace in the most secure way will be automatically protected.

We will pursue the following actions:

  • the Government will lead by example by running secure services on the Internet that do not rely on the Internet itself being secure;
  • the Government will explore options for collaboration with industry to develop cutting-edge ways to make hardware and software more 'secure by default'; and
  • we will adopt challenging new cyber security technologies in government, encouraging Devolved Administrations to do likewise, in order to reduce perceived risks of adoption. This will provide proof of concept and demonstrate the security benefits of new technologies and approaches. It will also put security at the heart of new product development, eliminate opportunities for criminal exploitation and thereby protect the end user.

To do this we will:

  • continue to encourage hardware and software providers to sell products with security settings activated as a default, requiring the user to actively disable these settings to make them insecure. Some vendors are already doing this, but some are not yet taking these necessary steps;
  • continue to develop an Internet Protocol (IP) reputation service to protect government digital services (this would allow online services to get information about an IP address connecting to them, helping the service make more informed risk management decisions in real time);
  • seek to install products on government networks that will provide assurance that software is running correctly, and not being maliciously interfered with;
  • look to expand beyond the GOV.UK domain into other digital services measures that notify users who are running out-of-date browsers; and
  • invest in technologies like Trusted Platform Modules (TPM) and emerging industry standards such as Fast Identity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user's possession to authenticate. The Government will test innovative authentication mechanisms to demonstrate what they can offer, both in terms of security and overall user experience.

The Government will also explore how to encourage the market by providing security ratings for new products so that consumers have clear information on which products and services offer them the greatest security. The Government will also explore how to link these product ratings to new and existing regulators, and ways to warn consumers when they are about to take an action online that might compromise their security.

The Government will measure its success in building a secure Internet by assessing progress towards the following outcomes:

  • the majority of commodity products and services available in the UK in 2021 are making the UK more secure because they have their default security settings enabled by default or have security integrated into their design; and
  • all government services provided at national, local and Devolved Administration level are trusted by the UK public because they have been implemented as securely as possible, and fraud levels are within acceptable risk parameters.

NCSC 5.3 Protecting government


The UK Government, Devolved Administrations, and the wider public sector hold large quantities of sensitive data. They deliver essential services to the public and operate networks that are critical to national security and resilience. The Government's systems underpin the functioning of our society. The modernization of public sector services will continue to be the cornerstone of the UK's Digital Strategy - the Government's digital ambition is for the UK to be the world's leading digital nation. To retain the trust of citizens in online public sector services and systems, data held by the government must be protected and all branches of government must implement appropriate levels of cyber security in the face of continuous attempts by hostile actors to gain access to government and public sector networks and data.

We want to achieve the following outcomes:

  • citizens use government online services with confidence: they trust that their sensitive information is safe and, in turn, understand their responsibility to submit their sensitive information online in a secure manner;
  • the Government will set and adhere to the most appropriate cyber security standards, to ensure that all branches of government understand and meet their obligations to secure their networks, data, and services; and
  • the Government's critical assets, including those at the highest classification, are protected from cyber attacks.

The UK Government will continue to move more of its services online so that the UK can become truly 'digital by default'. The Government Digital Service (GDS), the Crown Commercial Service (CCS) and the NCSC will ensure that all new digital services built or procured by the government are also 'secure by default'.

The Government's networks are highly complex and in many cases still incorporate legacy systems, as well as some commercially available software which is no longer supported by the vendor. We will ensure that there are no unmanaged risks from legacy systems and unsupported software.

We will improve government and wider public sector resilience to cyber attack. This means ensuring an accurate and up to date knowledge of all systems, data, and those who have access to them. The likelihood and impact of a cyber incident will be minimized by implementing best practice as set out by the NCSC. The Government will also ensure that it is able to respond effectively to cyber incidents through a program of incident exercises and regular testing of government networks. We will invite Devolved Administrations and local authorities to participate in these exercises, as appropriate. Through automated scanning, we will ensure that we have a better knowledge of government's online security status.

Cyber security is not just about technology. Almost all successful cyber attacks have a contributing human factor. We will, therefore, continue to invest in our people, to ensure that everyone who works in government has a sound awareness of cyber risk. We will develop specific cyber expertise in areas where the risks are heightened and ensure that we have the right processes in place to manage these risks effectively.

The NCSC will develop world leading cyber security guidance which will keep pace with the threat and development of new technologies. We will take steps to make sure government organizations have easy access to threat information to inform their understanding of their own cyber risks and take appropriate action.

We will continue to improve our highest classification networks to safeguard the Government's most sensitive communications.

Health and care systems pose unique challenges in the context of cyber security. The sector employs around 1.6 million people in over 40,000 organizations, each with vastly differing information security resources and capability. The National Data Guardian for Health and Care has set new data security standards for the health and social care systems in England, alongside a new data consent/opt-out model for patients. The Government will work with health and social care organizations to implement these standards.

Cyber security is vital to our defense. Our Armed Forces depend on information and communications systems, both in the UK and on operations around the world. The infrastructure and personnel of the Ministry of Defense (MoD) are prominent targets. Defense systems are regularly targeted by criminals, foreign intelligence services and other malicious actors seeking to exploit personnel, disrupt business and operations, and corrupt and steal information. We will enhance cyber threat awareness, detection, and reaction functions, through the development of a Cyber Security Operations Centre (CSOC) that uses state-of-the-art defensive cyber capabilities to protect the MoD's cyberspace and deal with threats. The CSOC will work closely with the NCSC to confront the MoD's cyber security challenges and contribute to wider national cyber security.

The Government will measure its success in protecting government networks, systems and data by assessing progress towards the following outcomes:

  • the Government has an in-depth understanding of the level of cyber security risk across the whole of government and the wider public sector;
  • individual government departments and other bodies protect themselves in proportion to their level of risk and to an agreed government minimum standard;
  • government departments and the wider public sector are resilient and can respond effectively to cyber incidents, maintaining functions and recovering quickly;
  • new technologies and digital services deployed by the government will be cyber secure by default;
  • we are aware of, and actively mitigating, all known internet-facing vulnerabilities in government systems and services; and
  • all suppliers to the Government meet appropriate cyber security standards.

NCSC 5.4 Protecting our critical national infrastructure and other priority sectors


The cyber security of certain UK organizations is of particular importance because a successful cyber attack on them would have the severest impact on the country's national security. This impact could have a bearing on the lives of UK citizens, the stability and strength of the UK economy, or the UK's international standing and reputation. This premium group of companies and organizations within the public and private sector includes the critical national infrastructure (CNI), which provides essential services to the nation. Ensuring the CNI is secure and resilient against cyber attack will be a priority for the Government. This premium group also includes other companies and organizations, beyond the CNI, that require a greater level of support. They include:

  • the jewels in our economic crown - the UK's most successful companies and also those that hold our future economic strength in the value of their research and intellectual property;
  • data holders - not just organizations that hold large amounts of personal data, but also those that hold data on vulnerable citizens here and abroad, such as charities;
  • high-threat targets - such as media organizations, where an attack could harm the UK's reputation, damage public confidence in the Government, or endanger freedom of expression;
  • the touchstones of our digital economy - digital service providers that enable e-commerce and our digital economy, and who depend on consumer trust in their services; and
  • those organizations that, through market forces and authority, can exert influence on the whole economy to improve their cyber security, such as insurers, investors, regulators and professional advisors.

More needs to be done to protect these vital parts of our economy and support the organizations that heavily influence others. Our CNI - in both the private and public sector - continues to be a target for attack. Across these and many other priority sectors cyber risk is still not properly understood or managed, even as the threat continues to diversify and increase.

The UK Government, working with the Devolved Administrations and other responsible authorities where appropriate, will ensure that the UK's most important organizations and companies, including the CNI, are sufficiently secure and resilient in the face of cyber attack. Neither the Government nor other public bodies will take on the responsibility to manage this risk for the private sector, which rightly sits with boards, owners, and operators. But the Government will provide support and assurance proportionate both to the threat these companies and organizations face and to the consequences of their being attacked.

Organizations and company boards are responsible for ensuring their networks are secure. They must identify critical systems and regularly assess their vulnerability against an evolving technological landscape and threat. They must invest in technology and their staff to reduce vulnerabilities in current and future systems, and in their supply chain, to maintain a level of cyber security proportionate to the risk. They must also have tested capabilities in place to respond if an attack happens. For the CNI, they must do this with government bodies and regulators so we can be confident that cyber risk is being properly managed and - if it is not - intervene in the interests of national security.

The Government will, therefore, understand the level of cyber security across our CNI and have measures in place to intervene where necessary to drive improvements that are in the national interest.

The Government will:

  • share threat information with industry that only the Government can obtain so they know what they must protect themselves against;
  • produce advice and guidance on how to manage cyber risk and, working collaboratively with industry and academia, define what good cyber security looks like;
  • stimulate the introduction of the high-end security needed to protect the CNI, such as training facilities, testing labs, security standards and consultancy services; and
  • conduct exercises with CNI companies to assist them in managing their cyber risks and vulnerabilities.

The NCSC will provide these services for the UK's most important companies and organizations, including the CNI. It will do so in partnership with departments and regulators, who will assure whether the cyber risk is being managed in their sectors to the level demanded by the national interest.

The Government will also make sure that the right regulatory framework for cyber security is in place, one that:

  • ensures industry acts to protect itself from the threat;
  • is outcome focused and sufficiently flexible so that it will not fall behind the threat, or lead to compliance rather than sound risk management;
  • is agile enough to foster growth and innovation, rather than lead it;
  • is harmonized with regimes in other jurisdictions so that UK companies do not suffer from a fragmented and burdensome approach; and
  • delivers, when combined with effective support from the Government, a competitive advantage for the UK.

Many of our industry sectors are already regulated for cyber security. Nonetheless, we must ensure the right steps are taken across the whole economy, including the CNI, to manage cyber security risks.

The Government will measure its success in protecting our CNI and other priority sectors by assessing progress towards the following outcomes:

  • we understand the level of cyber security across the CNI, and have measures in place to intervene, where necessary, to drive improvements in the national interest; and
  • our most important companies and organizations understand the level of threat and implement proportionate cyber security practices.

NCSC 5.5 Changing public and business behaviors


A successful UK digital economy relies upon the confidence of businesses and the public in online services. The UK Government has worked with industry and other parts of the public sector to increase awareness and understanding of the threat. The Government has also provided the public and business with access to some of the tools that they need to protect themselves. While there are many organizations that are doing an excellent job - in places, world-leading - of protecting themselves, and in providing services to others online, the majority of businesses and individuals are still not properly managing cyber risk.

Our objective is to ensure that individuals and organizations, regardless of size or sector, are taking appropriate steps to protect themselves, and their customers, from the harm caused by cyber attacks.

The Government will provide the advice that the economy needs to protect itself. We will improve how this advice is delivered to maximize its effect. For the public, the Government will harness 'trusted voices' to increase the reach, credibility, and relevance of our message. We will provide advice that is easy to act upon and relevant to individuals, at the point they are accessing services and exposing themselves to risk. We will involve the Devolved Administrations and other authorities as appropriate.

For businesses, we will work through organizations such as insurers, regulators, and investors which can exert influence over companies to ensure they manage cyber risk. In doing so, we will highlight the clear business benefits and the pricing of cyber risk by market influencers. We will seek to understand better why many organizations still fail to protect themselves adequately and then work in partnership with organizations such as professional standards bodies, to move beyond raising awareness to persuade companies to take action. We will also make sure we have the right regulatory framework in place to manage those cyber risks the market fails to address. As part of this, we will seek to use levers, such as the GDPR, to drive up standards of cyber security and protect citizens.

Individuals and organizations in the UK will have access to the information, education, and tools they need to protect themselves. To ensure we deliver a step-change in public behavior, we will maintain a coherent and consistent set of messages on cyber security guidance from both the Government and our partners. The NCSC will provide technical advice to underpin this guidance. It will reflect business and public priorities and practices, and be clear, easily accessible and consistent while keeping pace with the threat. Law enforcement will work closely with industry and the NCSC to share the latest criminal threat intelligence, to support industry to defend itself against threats, and to mitigate the impact of attacks on UK victims.

The Government will measure its success in protecting our CNI and other priority sectors by assessing progress towards the following outcomes:

  • the UK economy's level of cyber security is as high as, or higher than, comparatively advanced economies;
  • the number, severity, and impact of successful cyber attacks against businesses in the UK has reduced because cyber hygiene standards have improved; and
  • there is an improving cyber security culture across the UK because organizations and the public understand their cyber risk levels and understand the cyber hygiene steps they need to take to manage those risks.

NCSC 5.6 Managing incidents and understanding the threat


The number and severity of cyber incidents affecting organizations across the public and private sector are likely to increase. We, therefore, need to define how both the private sector and the public engage with the Government during a cyber incident. We will ensure that the UK Government's level of support for each sector - taking into account its cyber maturity - is clearly defined and understood. The Government's collection and dissemination of information about the threat must be delivered in a manner and at a speed suitable for all types of organization. The private sector, government, and the public can currently access multiple sources of information, guidance, and assistance on cyber security. This must be simplified.

We must ensure that the Government offering, both in response to incidents, and in the provision of guidance, does not exist in isolation, but in partnership with the private sector. Our incident management processes should reflect a holistic approach to incidents, whereby we learn from partners and share mitigation techniques. We will also continue to use our relationships with other Computer Emergency Response Teams (CERTs) and our allies as an integrated part of our incident management function.

Current incident management remains somewhat fragmented across government departments and this strategy will create a unified approach. The NCSC will deliver a streamlined and effective government-led incident response function. In the event of a serious cyber incident, we will ensure that the Armed Forces are able to provide assistance, whether in a conventional form addressing the physical impact of an incident or in the form of specialist support from regular or reserve cyber personnel. While we will provide all the support our resources will allow, the Government continues to stress the importance of industry, society and the public acting to safeguard their basic cyber security.

Our objectives are as follows:

  • the Government will provide a single, joined-up approach to incident management, based on an improved understanding and awareness of the threat and actions being taken against us. The NCSC will be a key enabler, as will partnership with the private sector, law enforcement, and other government departments, authorities and agencies;
  • the NCSC defines clear processes for reporting incidents, tailored to the profile of the victim; and
  • we will prevent the most common cyber incidents, and we will have effective information-sharing structures in place to inform 'pre-incident' planning.

It is the responsibility of organization and company management, in both the public and private sector, to ensure their networks are secure and to exercise incident response plans. In the event of a significant incident, the Government incident management process will reflect the three distinct elements of a cyber incident: the precursor causes, the incident itself and the post-incident response.

To deliver incident management that is effective for both government and the private sector, we will work closely to review and define the scope of the Government response to ensure it reinforces cooperation. We will build on our national cyber exercise plan, using our improved understanding and awareness of the threat, to improve our offer of support to public and private sector partners.

We will create a trusted and credible government identity for incident advice, assistance, and assurance. This will increase cyber security awareness across the UK digital community and will enable us to better identify trends, take proactive measures and, ultimately, prevent incidents.

In moving towards automated information sharing (i.e. cyber security systems automatically alerting each other to incidents or attacks), we will deliver a more effective service. This will allow organizations to act swiftly on relevant threat information.

The Government will measure its success in managing incidents by assessing progress towards the following outcomes:

  • a higher proportion of incidents are reported to the authorities, leading to a better understanding of the size and scale of the threat;
  • cyber incidents are managed more effectively, efficiently and comprehensively, as a result of the creation of the NCSC as a centralized incident reporting and response mechanism; and
  • we will address the root causes of attacks at a national level, reducing the occurrence of repeated exploitation across multiple victims and sectors.

NCSC 6.0 Overview

Overview

The National Security Strategy states that defense and protection start with deterrence. This is as true in cyberspace as any other sphere. To realize our vision of a nation that is secure and resilient to cyber threats, and prosperous and confident in the digital world, we have to dissuade and deter those who would harm us and our interests. To achieve this we all need to continue to raise levels of cyber security so that attacking us in cyberspace - whether to steal from us or harm us - is neither cheap nor easy. Our adversaries must know that they cannot act with impunity: that we can and will identify them, and that we can act against them, using the most appropriate response from amongst all the tools at our disposal. We will continue to build global alliances and promote the application of international law in cyberspace. We will also more actively disrupt the activity of all those who threaten us in cyberspace and the infrastructure on which they rely. Delivering this ambition requires world-class sovereign capabilities.

Cyberspace is only one sphere in which we must defend our interests and sovereignty. Just as our actions in the physical sphere are relevant to our cyber security and deterrence, so our actions and posture in cyberspace must contribute to our wider national security.

The principles of deterrence are as applicable in cyberspace as they are in the physical sphere. The UK makes clear that the full spectrum of our capabilities will be used to deter adversaries and to deny them opportunities to attack us. However, we recognize that cyber security and resilience are in themselves a means of deterring attacks that rely on the exploitation of vulnerabilities.

We will pursue a comprehensive national approach to cyber security and deterrence that will make the UK a harder target, reducing the benefits and raising the costs to an adversary - be they political, diplomatic, economic or strategic. We must ensure our capability and intent to respond are understood by potential adversaries in order to influence their decision-making. We shall have the tools and capabilities we need: to deny our adversaries easy opportunities to compromise our networks and systems; to understand their intent and capabilities; to defeat commodity malware threats at scale; to respond and protect the nation in cyberspace.

We need to raise the cost, raise the risk, and reduce the reward of cyber criminals' activity. While we must harden the UK against cyber attacks and reduce vulnerabilities, we must also focus relentlessly on pursuing criminals who continue to target the UK.

Law enforcement agencies will focus their efforts on pursuing the criminals who persist in attacking UK citizens and businesses. We will work with domestic and international partners to target criminals wherever they are located and to dismantle their infrastructure and facilitation networks. Law enforcement agencies will also continue to help raise awareness and standards of cyber security, in collaboration with the NCSC.

This strategy complements the 2013 Serious and Organized Crime Strategy, which set out the UK Government's strategic response to cybercrime, alongside other types of serious and organized crime. The National Cyber Crime Unit (NCCU) that sits within the National Crime Agency (NCA) was established to lead and coordinate the national response to cyber crime. Action Fraud provides a national reporting center for fraud and cyber crime. A network of cyber crime units within Regional Organized Crime Units (ROCUs) provide access to specialist cyber capabilities at a regional level, supporting the NCCU and local forces.

We will reduce the impact of cyber crime on the UK and its interests by deterring cyber criminals from targeting the UK and relentlessly pursuing those who persist in attacking us.

To reduce the impact of cyber crime, we will:

  • enhance the UK's law enforcement capabilities and skills at a national, regional and local level to identify, pursue, prosecute and deter cyber criminals within the UK and overseas;
  • build a better understanding of the cybercrime business model, so we know where to target interventions in order to have the most disruptive effect on criminal activity. We will use this knowledge to:
    • make the UK a high-cost, high-risk environment in which to operate by targeting the UK nexus of criminality, and by working with industry to reduce the ability of criminals to exploit UK infrastructure; and
    • tackle cyber crime upstream, adding friction to the criminal business model by dismantling their infrastructure and financial networks, and wherever possible, bringing offenders to justice.
  • build international partnerships to end the perceived impunity of cybercriminals acting against the UK, by bringing criminals in overseas jurisdictions to justice;
  • deter individuals from being attracted to, or becoming involved in, cyber crime by building on our early intervention measures;
  • enhance collaborations with industry to provide them with proactive intelligence on the threat, and to provide us with the upstream intelligence that they possess, in order to assist with our upstream disruption efforts;
  • develop a new 24/7 reporting and triage capability in Action Fraud, linked to the NCSC, the NCA's National Cyber Crime Unit and the wider law enforcement community, to improve support to victims of cyber crime, to provide a faster response to reported crimes and enhanced protective security advice. A new reporting system will be established to share information in real time across law enforcement on cyber crime and threats;
  • work with the NCSC and the private sector to reduce vulnerabilities in UK infrastructure that could be exploited at scale by cyber criminals; and
  • work with the finance sector to make the UK a more hostile environment for those seeking to monetize stolen credentials, including by disrupting their networks.

The Government will measure its success in reducing cyber crime by assessing progress towards the following outcomes:

  • we have a greater disruptive effect on cyber criminals attacking the UK, with higher numbers of arrests and convictions, and larger numbers of criminal networks dismantled as a result of law enforcement intervention;
  • there is improved law enforcement capability, including greater capacity and skills of dedicated specialists and mainstream officers and enhanced law enforcement capability amongst overseas partners;
  • there is improved effectiveness and increased scale of early intervention measures, which dissuade and reform offenders; and
  • there are fewer low-level cyber offenses as a result of cybercriminal services being harder to access and less effective.

NCSC 6.1 Cyber's role in deterrence

Cyber's role in deterrence

We need to bring to bear the full range of government capabilities to counter the threat posed by hostile foreign actors that increasingly threaten our political, economic and military security. Working with international partners will be key to our success, and greater emphasis will be placed on engaging them and working with them to counter the threat. Much of this action will not be in the public domain. Our investment in sovereign capabilities and partnerships with industry and the private sector will continue to underpin our ability to detect, observe and identify this constantly evolving activity against us.

We will have strategies, policies, and priorities in place for each adversary, to ensure a proactive, well-calibrated and effective approach is taken to counter the threat and in order to drive down the number and severity of cyber incidents in the future.

To reduce the cyber threat from hostile foreign actors, we will:

  • reinforce the application of international law in cyberspace in addition to promoting the agreement of voluntary, non-binding norms of responsible state behavior and the development and implementation of confidence-building measures;
  • work with international partners, particularly through the collective defense, cooperative security, and enhanced deterrence that our membership of NATO affords;
  • identify both the unique and generic aspects of our adversaries' cyber activity;
  • generate and explore all available options for deterring and countering this threat, drawing on the full range of government capabilities. We will take full account of other related factors, including country-specific strategies, international cyber priorities, and cyber crime and prosperity objectives;
  • use existing networks and relationships with our key international partners to share information about current and nascent threats, adding value to existing thought and expertise; and
  • attribute specific cyber identities publicly when we judge it in the national interest to do so.

The Government will measure its success in countering the actions of hostile foreign actors by assessing progress towards the following outcomes:

  • the stronger information-sharing networks that we have established with our international partners, and wider multilateral agreements in support of lawful and responsible behavior by states, are substantially contributing to our ability to understand and respond to the threat, resulting in a better defended UK; and
  • our defense and deterrence measures, alongside our country-specific strategies, are making the UK a harder target for hostile foreign actors to act against.

NCSC 6.2 Reducing cyber crime

Reducing cyber crime

The technical capability of terrorists currently remains limited but they continue to aspire to conduct damaging computer network operations against the UK, with publicity and disruption as the primary objective of their cyber activity. The Government will identify and disrupt terrorists using and intending to use cyber for this purpose. In doing so, we will minimize their impact and prevent an uplift in terrorist cyber capability that would further threaten UK networks and national security.

To mitigate the threat of terrorist use of cyber, through the identification and disruption of terrorist cyber actors who currently hold, and aspire to build, a capability that could threaten UK national security.

To ensure the threat posed by cyber-terrorism remains low, we will:

  • detect cyber terrorism threats, identifying actors who are seeking to conduct damaging network operations against the UK and our allies;
  • investigate and disrupt these cyber terrorism actors to prevent them from using cyber capability against the UK and its allies; and
  • work closely with international partners to enable us to better tackle the threat from cyber terrorism.

The Government will measure its success in preventing terrorism by assessing progress towards the following outcomes:

  • a full understanding of risk posed by cyber terrorism, through identification and investigation of cyber terrorism threats to the UK; and
  • close monitoring, and disruption of terrorist cyber capability at the earliest opportunity, with the aim of preventing an increase in such terrorist capability in the long term.

NCSC 6.3 Countering hostile foreign actors

Countering hostile foreign actors

We need to bring to bear the full range of government capabilities to counter the threat posed by hostile foreign actors that increasingly threaten our political, economic and military security. Working with international partners will be key to our success, and greater emphasis will be placed on engaging them and working with them to counter the threat. Much of this action will not be in the public domain. Our investment in sovereign capabilities and partnerships with industry and the private sector will continue to underpin our ability to detect, observe and identify this constantly evolving activity against us.

We will have strategies, policies, and priorities in place for each adversary, to ensure a proactive, well-calibrated and effective approach is taken to counter the threat and in order to drive down the number and severity of cyber incidents in the future.

To reduce the cyber threat from hostile foreign actors, we will:

  • reinforce the application of international law in cyberspace in addition to promoting the agreement of voluntary, non-binding norms of responsible state behavior and the development and implementation of confidence-building measures;
  • work with international partners, particularly through the collective defense, cooperative security, and enhanced deterrence that our membership of NATO affords;
  • identify both the unique and generic aspects of our adversaries' cyber activity;
  • generate and explore all available options for deterring and countering this threat, drawing on the full range of government capabilities. We will take full account of other related factors, including country-specific strategies, international cyber priorities, and cyber crime and prosperity objectives;
  • use existing networks and relationships with our key international partners to share information about current and nascent threats, adding value to existing thought and expertise; and
  • attribute specific cyber identities publicly when we judge it in the national interest to do so.

The Government will measure its success in countering the actions of hostile foreign actors by assessing progress towards the following outcomes:

  • the stronger information-sharing networks that we have established with our international partners, and wider multilateral agreements in support of lawful and responsible behavior by states, are substantially contributing to our ability to understand and respond to the threat, resulting in a better defended UK; and
  • our defense and deterrence measures, alongside our country-specific strategies, are making the UK a harder target for hostile foreign actors to act against.

NCSC 6.4 Preventing terrorism

Preventing terrorism

The technical capability of terrorists currently remains limited but they continue to aspire to conduct damaging computer network operations against the UK, with publicity and disruption as the primary objective of their cyber activity. The Government will identify and disrupt terrorists using and intending to use cyber for this purpose. In doing so, we will minimize their impact and prevent an uplift in terrorist cyber capability that would further threaten UK networks and national security.

To mitigate the threat of terrorist use of cyber, through the identification and disruption of terrorist cyber actors who currently hold, and aspire to build, a capability that could threaten UK national security.

To ensure the threat posed by cyber-terrorism remains low, we will:

  • detect cyber terrorism threats, identifying actors who are seeking to conduct damaging network operations against the UK and our allies;
  • investigate and disrupt these cyber terrorism actors to prevent them from using cyber capability against the UK and its allies; and
  • work closely with international partners to enable us to better tackle the threat from cyber terrorism.

The Government will measure its success in preventing terrorism by assessing progress towards the following outcomes:

  • a full understanding of risk posed by cyber terrorism, through identification and investigation of cyber terrorism threats to the UK; and
  • close monitoring, and disruption of terrorist cyber capability at the earliest opportunity, with the aim of preventing an increase in such terrorist capability in the long term.

NCSC 6.5 Enhancing sovereign capabilities - offensive cyber

Enhancing sovereign capabilities - offensive cyber

Offensive cyber capabilities involve deliberate intrusions into opponents' systems or networks, with the intention of causing damage, disruption or destruction. Offensive cyber forms part of the full spectrum of capabilities we will develop to deter adversaries and to deny them opportunities to attack us, in both cyberspace and the physical sphere. Through our National Offensive Cyber Program (NOCP), we have a dedicated capability to act in cyberspace and we will commit the resources to develop and improve this capability.

We will ensure that we have at our disposal appropriate offensive cyber capabilities that can be deployed at a time and place of our choosing, for both deterrence and operational purposes, in accordance with national and international law.

To do this, we will:

  • invest in our NOCP - the partnership between the Ministry of Defense and GCHQ that is harnessing the skills and talents of both organizations to deliver the tools, techniques, and tradecraft required;
  • develop our ability to use offensive cyber tools; and
  • develop the ability of our Armed Forces to deploy offensive cyber capabilities as an integrated part of operations, thereby enhancing the overall impact we can achieve through military action.

The Government will measure our success in establishing offensive cyber capabilities by assessing progress towards the following outcomes:

  • the UK is a world leader in offensive cyber capability; and
  • the UK has established a pipeline of skills and expertise to develop and deploy our sovereign offensive cyber capabilities.

NCSC 6.6 Enhancing sovereign capabilities - cryptography

Enhancing sovereign capabilities - cryptography

Cryptographic capability is fundamental to protecting our most sensitive information and to choosing how we deploy our Armed Forces and national security capabilities. To maintain this capability, we will require private sector skills and technologies that are assured by GCHQ. This is likely to require work to be done in the UK, by British Nationals with the requisite security clearance, working for companies who are prepared to be completely open with GCHQ in discussing the design and implementation details. The MOD and GCHQ are working to establish a sound understanding of the long-term cost implications of maintaining such sovereign cryptographic capabilities, based on prevailing market conditions and in cooperation with those companies currently able to provide such solutions.

We have the confidence that the UK will always have political control over those cryptographic capabilities vital to our national security and, therefore, the means to protect UK secrets.

We will select the means that allow us to share information effectively with our allies, and ensure that trusted information and information systems are available, when and where required. Working closely with other government departments and agencies, GCHQ and MOD will together define sovereign requirements, and how best to meet those requirements when suppliers must be domestic. This will be delivered through a new joint framework for determining requirements for operational advantage and freedom of action.

The Government will measure its success in maintaining our cryptographic capabilities by assessing progress towards the following outcome:

  • our sovereign cryptographic capabilities are effective in keeping our secrets and sensitive information safe from unauthorized disclosure.

NCSC 7.1 Strengthening cybersecurity skills

Strengthening cybersecurity skills

The UK needs to tackle the systemic issues at the heart of the cyber skills shortage: the lack of young people entering the profession; the shortage of current cyber security specialists; insufficient exposure to cyber and information security concepts in computing courses; a shortage of suitably qualified teachers; and the absence of established career and training pathways into the profession.

This calls for swift intervention by the Government to help address the current shortage and develop a coherent long-term strategy that can build on these interventions to close the skills gap. However, it must be recognized that to have any profound impact, this effort must be collaborative, with input from a range of participants and influencers across the Devolved Administrations, public sector, education providers, academic bodies and industry.

The Government's ambition is to ensure the sustained supply of the best possible home-grown cyber security talent, whilst funding specific interventions in the short term to help meet known skills gaps. We will also define and develop the cyber security skills needed across the population and workforce to operate safely and securely online.

This requires action over the next twenty years, not just the next five. We will define the long-term, coordinated set of actions needed by government, industry, education providers, and academia to establish a sustained supply of competent cybersecurity professionals, who meet the requisite standards and certification to practice confidently and securely.

We will close the skills gap in Defense. We will attract cyber specialists to the government who are not only effectively trained but also ready to maintain our national security. This includes an understanding of the impact of cyberspace on military operations.

We will develop and implement a self-standing skills strategy that builds on existing work to integrate cyber security into the education system. This will continue to improve the state of computer science teaching overall and embed cyber security into the curriculum. Everyone studying computer science, technology or digital skills will learn the fundamentals of cyber security and will be able to bring those skills into the workforce. As part of this effort, we will address the gender imbalance in cyber-focused professions, and reach people from more diverse backgrounds, to make sure we are drawing from the widest available talent pool. We will work closely with the Devolved Administrations to encourage a consistent approach across the UK.

We will set out more clearly the respective roles of government and industry, including how these might evolve over time. The UK Government and Devolved Administrations have a key role in creating the right environment for cyber security skills to be developed and to update the education system to reflect the changing needs of industry and government. But employers also have a significant responsibility to clearly articulate their needs, as well as train and develop employees and young people entering the profession. Industry has an important role in building diverse and attractive career and training pathways in partnership with academia, professional bodies and trade associations.

In recognition of the collective challenge we face in closing the skills gap, we will establish a skills advisory group formed by the government, employers, professional bodies, skills bodies, education providers and academia, which will strengthen the coherence between these key sectors. This group will support the development of a long-term strategy which will take account of developments in the broad field of digital skills, ensuring that cyber security considerations are aligned and incorporated throughout. This group will work with similar bodies across the UK.

Alongside this work, the Government will invest in a range of initiatives to bring about immediate improvements and inform the development of the long-term skills strategy. These include:

  • establishing a schools program to create a step change in specialist cyber security education and training for talented 14-18-year-olds (involving classroom-based activities, after-school sessions with expert mentors, challenging projects and summer schools);
  • creating higher and degree-level apprenticeships within the energy, finance and transport sectors to address skills gaps in essential areas;
  • establishing a fund to retrain candidates already in the workforce who show a high potential for the cyber security profession;
  • identifying and supporting quality cyber graduate and post-graduate education, and identifying and filling any specialist skills gaps - acknowledging the key role that universities play in skills development;
  • supporting the accreditation of teacher professional development in cyber security. This work will help teachers, and others supporting learning, to understand cyber security education and provide a method of externally accrediting such individuals;
  • developing the cyber security profession, including through achieving Royal Chartered status by 2020, reinforcing the recognized body of cyber security excellence within the industry and providing a focal point which can advise, shape and inform national policy;
  • developing a Defense Cyber Academy as a center of excellence for cyber training and exercise across the Ministry of Defense and wider Government, addressing specialist skills and wider education;
  • developing opportunities for collaboration in training and education between government, the Armed Forces, industry, and academia, together with facilities to maintain and exercise skills;
  • working with industry to expand the CyberFirst program to identify and nurture the diverse young talent pool to defend our national security; and
  • embedding cyber security and digital skills as an integral part of relevant courses within the education system, from primary to postgraduate levels, setting standards, improving quality and providing a firm foundation for onwards progression into the field.

As education is a devolved matter, some of these initiatives will apply mainly in England. We will, however, work with the Devolved Administrations to encourage a consistent approach across the UK education systems.

The Government will measure our success in strengthening cyber security skills by assessing progress towards the following outcomes:

  • there are effective and clear entry routes into the cyber-security profession, which are attractive to a diverse range of people;
  • by 2021 cyber security is taught effectively as an integral part of relevant courses from primary to post-graduate level;
  • cyber security is widely acknowledged as an established profession with clear career pathways, and has achieved Royal Chartered Status;
  • appropriate cyber security knowledge is an integral part of the continual professional development for relevant non-cyber security professionals, across the economy; and
  • the Government and the Armed Forces have access to cyber specialists able to maintain the security and resilience of the UK.

NCSC 7.2 Stimulating growth in the cyber security sector

Stimulating growth in the cyber security sector

A burgeoning and innovative cyber security sector is a necessity for our modern, digital economy. UK cyber security firms provide world-leading technologies, training, and advice to industry and governments. But whilst the UK is a leading player, it faces fierce competition to stay ahead. There are also barriers that the Government needs to address. UK companies and academics develop cutting-edge technology, but some require support to develop the commercial and entrepreneurial skills required to thrive. There are funding gaps that prevent SMEs from growing and expanding into new markets and territories. The most groundbreaking products and services, that offer the potential to keep us ahead of the threat, struggle to find customers who are willing to act as early adopters. Overcoming these challenges requires government, industry, and academia to work effectively together.

The Government will support the creation of a growing, innovative and thriving cyber security sector in the UK in order to create an ecosystem where:

  • security companies prosper, and get the investment they need to grow;
  • the best minds from government, academia and the private sector collaborate closely to spur innovation; and
  • customers of the Government and industry are sufficiently confident and prepared to adopt cutting-edge services.

To create this ecosystem, we will:

  • commercialize innovation in academia, providing training and mentoring to academics;
  • establish two innovation centers, to drive the development of cutting-edge cyber products and dynamic new cyber security companies, which will sit at the heart of a program of initiatives to give start-ups the support they need to get their first customers and attract further investment;
  • allocate a proportion of the £165m Defense and Cyber Innovation Fund to support innovative procurement in defense and security;
  • provide testing facilities for companies to develop their products, together with a fast-track form of assessment for the next generation of cyber security products and services as they emerge, enabling customers to be confident in their use;
  • draw on the collective expertise of the industry-government Cyber Growth Partnership to help shape and focus further growth and innovation interventions;
  • help companies of all sizes scale-up and access international markets; and
  • promote agreed international standards that support access to the UK market.

We will also use the weight of government procurement to spur innovation. The Government faces some of the hardest challenges in cyber security, and some of the biggest threats. We can, and must, pursue the most effective solutions to these problems. That means making it easier for smaller companies to do business with the government. It also means the Government must be less risk averse in testing and using new products. This is a win-win solution: the Government will get the best services, and innovative technology will get an early adopter, making it easier to attract investment and a larger customer base. We will encourage all parts of government, including the Devolved Administrations, to take a similar approach.

The Government will measure its success in stimulating growth in the cyber security sector by assessing progress towards the following outcomes:

  • greater than average global growth in the size of the UK cyber sector year on year;
  • a significant increase in investment in early stage companies; and
  • adoption of more innovative and effective cyber security technologies in government.

NCSC 7.3 Promoting cybersecurity science and technology

Promoting cybersecurity science and technology

The UK's thriving science and technology sector and its cutting-edge research underpin our world-leading cyber security capabilities. To maintain and enhance the UK's reputation as a global leader in cutting-edge research, we need our academic research establishments to continue to attract the best and the brightest minds in the field of cyber security. This will require us to foster centers of excellence that attract the ablest and most dynamic scientists and researchers and deepen the active partnership between academia, the Government, and industry. This will involve a match-making role for the Government, where we incentivize such collaborations. Success would see us establish a self-sustaining ecosystem that allows ideas - and people - to circulate between the three sectors in a mutually beneficial way.

By 2021, the UK will have strengthened its position as a world leader in cyber science and technology. Flexible partnerships between universities and industry will translate research into commercially successful products and services. The UK will maintain its reputation for innovative excellence, including in those areas of exceptional national strength, such as the financial sector.

To achieve this, the Government will encourage collaboration, innovative and flexible funding models for research, and the commercialization of research. The Government will ensure that the human and behavioral aspects of cyber are given sufficient attention and that systems beyond the technical, such as business processes and organizational structures, are included within cyber science and technology.

This will underpin the creation of products, systems, and services that are 'secure by default', with appropriate security considered from the outset and where security becomes a conscious 'opt-out' for users.

We will publish a detailed Cyber Science and Technology Strategy after a thorough consultation with partners and stakeholders. This will include identifying areas of science and technology that the Government, industry, and academia consider to be important and identifying gaps in the UK's current capacity to address them.

The Government will continue to provide funding and support for the Academic Centers of Excellence, Research Institutes, and Centers for Doctoral Training. In addition, we will create a new Research Institute in a strategically important subject area. We will also fund further research in those areas where the upcoming Cyber Science and Technology Strategy identifies capability gaps. Important areas that will be given consideration include big data analytics; autonomous systems; trustworthy industrial control systems; cyber-physical systems and the Internet of Things; smart cities; automated system verification; and the science of cyber security.

We will continue to sponsor UK national Ph.D. students at the Academic Centers of Excellence to increase the number of UK nationals with cyber expertise.

The Government will work with bodies, including Innovate UK and the Research Councils, to encourage collaboration between industry, the Government, and academia. To support this collaboration we will review best practice concerning security classifications and identify security-cleared experts, including academics. This will ensure that work from the unclassified space to beyond secret can be as collaborative as possible.

The Government will fund a 'grand challenge' to identify and provide innovative solutions to some of the most pressing problems in cyber security. CyberInvest, a new industry and Government partnership to support cutting-edge cyber security research and protect the UK in cyberspace, will be part of our approach to building the academic-government-industry partnership.

The Government will measure its success in promoting cybersecurity science and technology by assessing progress towards the following outcomes:

  • significantly increased numbers of UK companies successfully commercializing academic cyber research and fewer agreed and identified gaps in the UK's cyber security research capability with effective action to close them; and
  • the UK is regarded as a global leader in cyber security research and innovation.

NCSC 7.4 Effective horizon scanning

The Government must ensure that policy-making takes account of the changing cyber, geopolitical and technology landscape. To do this, we need to make effective use of broad horizon scanning and assessment work. We need to invest in proofing ourselves against future threats and anticipate market changes that might affect our cyber resilience in five to ten years' time. We need horizon scanning programs that generate recommendations to inform current and future government policy and program planning.

The Government will ensure that our horizon scanning programs include a rigorous assessment of cyber risk and that this is integrated into cyber security and other technology policy development areas, along with all-source assessment and other available evidence. We will join up horizon scanning between national security and other policy areas to ensure a holistic assessment of emerging challenges and opportunities.

We will:

  • identify gaps in current work, and coordinate work across disciplinary boundaries to develop a holistic approach to horizon scanning for cyber security;
  • promote better integration of technical aspects of cyber security with behavioral science;
  • support rigorous monitoring of the cybercriminal marketplace to spot new tools and services that might enable technology transfer to hostile states, terrorists or criminals;
  • analyze emergent internet-connected process control technologies;
  • anticipate vulnerabilities around digital currencies; and
  • monitor market trends in telecommunications technologies to develop early defenses against anticipated future attacks.

We recognize that horizon scanning goes beyond the technical, to include political, economic, legislative, social and environmental dimensions. Cybersecurity is just one aspect of the issues that effective horizon scanning can help to address. Therefore, we will ensure that where we conduct horizon scanning of these other policy areas, we will take into account any cyber security implications.

We will also ensure that cyber policy-making follows an evidence-based approach, taking into account assessments from all available sources. This will include, for example:

  • specific technical evidence, for example on the Internet of Things, or the future role of advanced materials; and
  • international strategic and societal trends and their impact on cyber.

We will ensure that cyber security is considered within the remit of the cross-Government Emerging Technology and Innovation Analysis Cell (ETIAC), which will be established to identify technology threats and opportunities relevant to national security, and that cyber is considered by existing horizon-scanning structures, including the Government Futures Group (GFG) and the Cabinet Secretary's Advisory Group on horizon scanning (CSAG).

The Government will measure our success in establishing an effective horizon scanning capability by assessing progress towards the following outcomes:

  • cross-government horizon scanning and all-source assessment are integrated into cyber policy making; and
  • the impact of cyber security is factored into all cross-government horizon scanning.

Where do we go from here? EnterpriseGRC is ready to help you map your existing audit program to align with GDPR and NCSC, or with any major recognized Security and Risk Management framework. We are ISC2 Certified mappers and offer Unified Compliance Framework, Common Controls Hub capabilities as well as customized and tailored models used in your company's proprietary systems.