
MoJ highlights ‘secure by design’ for cyber security

13/12/23

Mark Say, Managing Editor


The Ministry of Justice (MoJ) is aiming to make every critical justice service resilient to cyber attack, with ‘secure by design’ embedded into everything it does.

It has highlighted these as the strategic vision and aim of its new Cyber Security Strategy for 2023-28, along with eight pillars of its work to make them achievable.

The document says the MoJ technology landscape is complex and fragmented, with over 1,000 IT services, of which fewer than 100 are judged to be modern digital services. In addition, the legacy services have many different support models and commercial arrangements and rely on different underlying technologies, and the ministry holds over 100 million files and over 350Tb of unstructured data.

This creates the need for some difficult priority decisions about operating existing systems, building required features and undertaking security improvements.

The ministry also has to deal with issues specific to its estate, such as maintaining security along with the In-Cell Technology programme for prisons.

“We know that excellent cyber security will take time to achieve and requires a concerted effort within this environment,” the document says.

Developing the profession

The first of the eight pillars is to establish and develop the cyber security profession inside the ministry, in line with the Government Security Group’s definitions, with professional development and training programmes for adjacent roles such as technical architects and DevOps staff.

It will also look at the potential to help people in prison or on probation to develop cyber skills.

The second pillar involves creating a positive security culture, through the further development of its ‘security champions’ network, joined up training and awareness campaigns appropriate to all roles, and continuing its work on open security policies and guidance.

Thirdly, it is aiming to ensure ‘secure by design’ services, with security architectures that minimise the trust needed for individual components, ensuring the approach is followed by digital teams, and adopting existing common security patterns with automated guardrails. It will also take part in the ‘defend as one’ approach by continuing to share material with other departments.

The fourth pillar is to continue to harden the MoJ’s enterprise estate by improving identity and access management, with most staff able to access critical systems through a single identity enabled by passwordless management. The ministry will also review its enterprise security capabilities and access management practices, and introduce technical solutions for staff to manage their own security.

This will be accompanied by migrating the small number of above OFFICIAL systems to the cross-government Rosa platform.

Testing, processes, policies

Pillar five is to run effective security operations, with measures including refreshing the approach to regular security testing of systems, and the processes and policies around incidents. Efforts will also be made to validate that all critical systems are frequently backed up offline and disaster recovery plans are comprehensively tested.

Six is to have confidence in security measures by improving supplier and partner assurance, updating policies and procedures to support continuous assurance, and building on the ministry’s GovAssure pilots.

Seventh is effective management of cyber security risks, with specifics including the identification of a senior responsible owner for every IT system, ensuring that they – along with agency chief executives and functional leads – have clear security accountabilities. There will also be refreshed processes and guidance on risks, and automation of insights into security performance.

The eighth pillar is securing the justice community, through developing a roadmap and setting up a small cyber and justice policy team to collaborate with other departments.

Changing landscape

“It is important that we remember the landscape does not remain static,” the document adds. “Cyber threats will come and go, the department will adapt to new challenges and opportunities, the technology we use will evolve, the suppliers and partners we work with will change, as will our people.

“The level of cyber security risk we are willing to tolerate will also change, both within agencies and arm’s length bodies, and at an enterprise level. It is therefore essential that we monitor our cyber resilience, and improvement progress, effectively.”
