This website was created by the OECD Observatory of Public Sector Innovation (OPSI), part of the OECD Public Governance Directorate (GOV).

How to validate authenticity

Validation that this is an official OECD website can be found on the Innovative Government page of the corporate OECD website.

Achieving Cyber Security Resilience of Public Sector IT Systems and Services

Recognising the need for a high level of Cyber Security across the public sector, the National Cyber Security Strategy (NCSS) called for the creation of a Common Cyber Security Baseline Standard across all Public Sector Bodies and for the establishment of the “CORE Network” to share best practice for cyber security across Government. This project embodies the Irish Civil Service Renewal 2030 Strategy by delivering evidence-informed policy and services, harnessing digital technology and innovation.

Innovation Summary

Innovation Overview

Recognising that the Irish public sector faces a high level of cyber threat, this NCSC project set about designing and implementing a Baseline Cyber Security Standard across the entire Public Service. The project also involved the creation of the Government Cyber Security Coordination and Response (CORE) Network, a group of senior cybersecurity and ICT professionals throughout the public service who collaborate and share information on cyber security issues and respond to serious cyber incidents as one State. The project aimed to create a single, comprehensive and robust cyber security standard across the entire public service. It aimed to increase the level of cyber security in the public sector, as well as developing a level of mutual trust between Public Service Bodies by outlining the baseline measures all should achieve. In addition, through the creation of the CORE Network, the project aimed to pool the cyber security resources and expertise of the Government to a single point, providing synergies and strengthening the individual capabilities of each member.

The key innovative factor of the project was the extensive collaboration that occurred in delivering it. Rather than the NCSC creating this Standard itself in a vacuum, it took a whole-of-government approach. It brought together 13 Government Departments and agencies in order to ensure that the framework met their needs and was compatible with the realities of working at the “coalface” of defending public ICT systems. Having the Department of Social Protection chair the group created a sense of ownership for the project as a “Whole of Government” and collaborative effort, which allowed the immense digital-first expertise of that department to come to bear on the project.

The breadth of Departments and Agencies and the depth of expert knowledge in the steering group ensured the work was informed by appropriate technical expertise for the establishment and delivery of the Irish Cyber Security Baseline Standard and was fit for purpose in Ireland's Public Administration. As the project began work in the early stages of Covid, there was a requirement to quickly adapt work practices to develop the standard using virtual collaboration rather than the original plan of regular in-person meetings.

The project made best use of widely accepted international standards but also brought to bear the tremendous expertise of the steering group to produce very detailed and practical guidance and create a comprehensive cyber security standard. The group dynamic enabled an innovative approach: looking beyond established practices and focusing simply on practical solutions to real Cyber Security problems experienced by Public Sector Bodies. The group adopted a trusting and blameless culture, similar to practices in the aviation and healthcare industries, where real incidents and faults are reviewed and every identified risk is seen as an opportunity to strengthen the system, removing a cyber security blame culture and positively reinforcing cyber security best practices.

The Steering Group took a methodical, disciplined approach through the different phases of the creative group process that led to a 360-degree perspective encompassing the five core functions identified in the Baseline Standard (Identify, Protect, Detect, Respond, and Recover). This also ensured that the practical aspects of implementing the Baseline Standards were achievable by Public Sector Bodies. In addition, one of the central creative aspects of the project was the holistic nature of the Cyber Security Baseline Standards. Instead of aligning with one single international standard, the group picked the best ideas from various known international standards to create an efficient, effective, forward-looking model which can be updated over time in subsequent iterations.

Innovation Description

What Makes Your Project Innovative?

The key innovative factor of the project was the extensive collaboration that occurred in delivering this project. Rather than the NCSC creating this document itself in a vacuum, it took a whole-of-government approach that brought together 13 Government Departments and agencies in order to ensure that the framework met their needs and was compatible with the realities of working at the “coalface” of defending public ICT systems.

The breadth of Departments and Agencies and the depth of expert knowledge in the steering group ensured the work was informed by appropriate technical expertise for the establishment and delivery of the Irish Cyber Security Baseline Standard and was fit for purpose in Ireland's Public Administration.

What is the current status of your innovation?

The Cyber Security Standards have been published and Public Service Bodies are using this framework to address effectively the multiple public sector ICT challenges and to improve the resilience and security of public sector IT systems. A simple measure in the National Cyber Security Strategy has been developed into an entire cyber security framework and a network of motivated cyber security professionals within the public sector. There have been numerous examples of the Cyber Security Baseline Standards being adopted by both Public Sector Bodies and private organisations. The project also involved the creation of the Government Cyber Security Coordination and Response (CORE) Network, a group of senior cybersecurity and ICT professionals throughout the public service who collaborate and share information on cyber security issues.

Innovation Development

Collaborations & Partnerships

The "Whole of Government" approach brought together 13 Government Departments and Agencies in order to ensure that the framework met their needs and was compatible with the realities of working at the “coalface” of defending public ICT systems. By having the Department of Social Protection chair the group and not the National Cyber Security Centre, it created a sense of ownership for the project as being a “Whole of Government” and collaborative effort of all involved.

Users, Stakeholders & Beneficiaries

There are over 800 Public Service Bodies in Ireland using this framework to address effectively the multiple public sector ICT challenges and to improve the resilience and security of public sector IT systems. In addition, the Government CORE Network established through the project shares information, best practice and cyber threat intelligence, and prepares for, and will coordinate during, a major cyber security incident affecting Government networks.

Innovation Reflections

Results, Outcomes & Impacts

The publication of the Cyber Security Baseline Standards gives over 800 Public Sector Bodies a process, a procedure, a common language and a risk-based approach to Cyber Security. The main goal of improving resilience and security of Public Sector IT systems has been achieved, and feedback given both publicly and privately to the NCSC and the Government has been overwhelmingly positive. There have been numerous examples of the Cyber Security Baseline Standards being adopted by both Public Sector Bodies and private organisations to develop their ability to defend against malicious activity and cyber threats. There was also praise from the private sector, with many multinational companies publicly praising the Irish approach to Cyber Security. Among the further lasting benefits of the Cyber Security Baseline Standards is that they drove the creation of other projects such as Civil Service-wide Cyber Security assessment metrics, training for Civil Servants and Public Sector procurement advice.

Challenges and Failures

Key challenges included taking a strategic view on the Cyber Security Baseline Standards and overcoming any technical obstacles and issues by prioritising problem areas and anticipating issues before they arose. The work of the group was directed and facilitated by using workshops to discuss and deal with any outstanding technical issues, and the group used an iterative process to build upon its collective strengths to develop practical solutions to problems. There is no single solution when it comes to Cyber Security. For instance, "zero day" attacks exploiting previously unknown vulnerabilities are especially problematic. However, using the Baseline Standard to assess and improve the management of risks will put Public Service Bodies in a much better position to identify, protect, respond to, and recover from a Cyber Security attack, minimising damage. Support and buy-in from senior managers and senior stakeholders were essential to the success of this project.

Another challenge for the group was to agree on an approach which could be applied by all public sector bodies; the work of the group had to be achievable and have lasting benefits. The work had to be achievable in the first instance by all Public Sector Bodies and as such was seen as the start of an iterative process, with the Baseline Standards to be revised and issued every 2 years. This would reflect the growing level of Cyber Maturity in the sector and adapt to technological innovation and changes within the ICT systems.

Conditions for Success

This project embodies the Irish Civil Service Renewal 2030 Strategy by delivering evidence-informed policy and services, harnessing digital technology and innovation and building the Civil Service workforce, workplace and organisation of the future. Conditions for success included the support of Senior Management across all the 13 Government Departments and key Agencies. There was a general legislative mandate in place which provided the momentum at the start of the project but the key to success was down to the collective vision and drive of all the participants to produce a Cyber Security Standard that would be useful to all Irish Public Sector Bodies and that would stand the test of time.

Replication

This project roadmap can be easily replicated. The key lesson from the project was that a structured pragmatic approach which engages and involves key stakeholders from the start of the project ensures future buy-in from other stakeholders. In addition, one of the central creative aspects of the project was the holistic nature of the Cyber Security Baseline Standards. Instead of aligning with one single international standard, the group picked the best ideas from various known international standards to create an efficient, effective forward-looking model adapted to Ireland and which can be updated over time in subsequent iterations. The group adopted a trusting and blameless culture, similar to practices in the aviation and healthcare industries, where real incidents and faults are reviewed and every identified risk is seen as an opportunity to strengthen the system. This approach prevents cyber security blame culture and positively reinforces cyber security best practices.

Lessons Learned

Following the success of the Baseline Standards, this work has been replicated by establishing a key operational group called The Government Cyber Security Coordination and Response (CORE) Network. All the Government Departments are represented on the CORE Network with additional representation from key agencies and Local Government. In addition, we have been able to use the Baseline Standards and the CORE Network as a solid foundation and a pivot point for many other related projects such as:

  • Public Service Cyber Security self-assessment forms
  • Future alignment of Public Administration with European Legislation
  • ICT Procurement advice
  • Government Instructor Led Cyber Security Training

Anything Else?

The success of the project has been gauged by the high level of reference, interest and enquiries received by the NCSC regarding the Baseline Standards. Many Public Sector bodies have shown their appreciation for the composition and work of the Steering Group and the “Whole of Government” consensus-driven model. The Cyber Security Baseline Standards are now used as a “go to” reference point for Cyber Security Governance within the Public Sector. In addition, the Baseline Standards provide a Cyber Incident Response Plan (CIRP) which was designed to be straightforward to apply and to enable all public sector bodies to develop their own CIRP.

Status:

  • Implementation - making the innovation happen
  • Evaluation - understanding whether the innovative initiative has delivered what was needed
  • Diffusing Lessons - using what was learnt to inform other projects and understanding how the innovation can be applied in other ways

Innovation provided by:

Date Published:

27 November 2023
