The government has published guidance on best practice cybersecurity requirements as part of an ICT procurement process.
Minister of State at the Department of the Environment, Climate and Communications Ossian Smyth published Guidelines on Cyber Security Specifications (ICT Procurement for Public Service Bodies) in line with the National Cyber Security Strategy 2019-24.
The guidelines have been prepared by Grant Thornton Ireland under contract with the National Cyber Security Centre (NCSC).
The document aims to provide organisations with an improved understanding of the cyber security risks and challenges to be addressed when specifying their requirements for ICT goods and services, thereby helping to raise the level of awareness in this area.
It is the first cybersecurity guidance issued to Irish Public Service Bodies (PSB) in relation to specific best practice cyber security requirements as part of an ICT procurement process.
The NCSC, Grant Thornton and relevant stakeholders worked collaboratively in the compilation of the document, which is being distributed for use throughout the public service, and it will also be available to SMEs to use where similar cybersecurity procurement concerns would apply.
“This marks a new departure in providing specific cyber security guidance to help assist Public Sector Bodies to embed cyber resilience into their ICT procurement planning and delivers on measures previously set out in the current National Cyber Security Strategy,” said Minister Smyth.
“These guidelines build on existing National Cyber Security Centre guidance, to further promote cyber security best practices as an integral consideration for Public Sector Bodies, helping to improve the resilience and security of public sector IT systems to better protect the services and the data that our people rely upon.”
“These guidelines are dynamic in nature and will be subject to amendment and review in line with best practice and technical advances within the ICT ecosystem,” he added.
A range of cybersecurity domains are addressed, including organisational practices, supply chain security (including risks such as data leaks, supply chain breaches, and malware attacks), and evaluation considerations.
The document also provides attestation information that may be required from suppliers when procuring ICT goods and services throughout the ‘plan, source and manage’ phase of the procurement process.
The guidelines also aim to reinforce the Cyber Security Baseline Standards and current and future EU legislative proposals, including the Network and Information Security (NIS) Directive, the NIS Directive revision (NIS2), and the EU Cyber Security Act Regulation.
The publication also considers ongoing EU legislative proposals including the Cyber Resilience Act, which expands cybersecurity rules to increase security on hardware and software products.