UK government still seeking information on data storage and processing infrastructure, security and resilience | Morgan Lewis – Technology and Procurement
The UK Department for Digital, Culture, Media and Sport (DCMS) recently extended the deadline for responding to a guidance document issued on May 26, 2022, calling for advice on infrastructure, security and the resilience of UK data storage and processing (the Call for views). The call for views solicits input from data center operators, cloud platform vendors, managed service providers, data center customers, security and equipment vendors, and cybersecurity experts to better understand risks associated with data storage and processing services.
In particular, DCMS hopes to engage stakeholders who store or process data for multiple organizations, seeking information on what steps they are already taking to address concerns about the security and resilience of data center infrastructure and data centers. cloud platforms. Based on the evidence received through the Invitation to Comment, DCMS will decide whether additional government support or other measures are needed to minimize the risks currently facing data storage and processing infrastructure in the Kingdom. -United.
The Request for Comments is presented in the form of a questionnaire and is divided into three sections.
Part 1: Risks to UK data storage and processing infrastructure
The notice seeks to identify existing and future risks to data storage and processing infrastructure in the UK. Examples of risks identified by the DCMS include Sensitive Access Risks, Concentration Risks, and Status Threats. By highlighting its understanding of the main risks affecting the sector, DCMS recognizes that market participants will have a better understanding of the day-to-day impact of these risks and is seeking feedback on whether to reprioritize its approach to risk.
Part 2: Data Center Security and Resilience
The second part is limited to data centers and business interactions with data center providers on the basis that data center security and resilience is a largely unregulated sector in the UK (e.g. data centers are not directly affected by the Networks and Information Systems Regulations 2018), and therefore specific questions are needed with respect to this area.
The invitation to comment asks participants to provide examples of regulations in place in other countries that could inform any future regulations introduced in the UK. The RFP lists several government initiatives in other industries or countries that DCMS may consider in relation to data center risk management:
- Service continuity requirements
- Security and resilience requirements
- Information Sharing and Incident Cooperation Requirements
- Accountability at board or safety committee level
- Security Penetration Testing by Government or Third Party Competent Authorities
- Increased powers of government to collect information
Part 3: Mapping Risk Impacts
To understand the business impact of the risks identified in Part 1, DCMS is specifically seeking input from the stakeholders they have identified as the most critical: data center operators, cloud platform vendors, and service providers. managed. The intent is to use the answers provided to model who is impacted by compromised data centers and how impacted they are.
The call for advice is part of the whole UK Government National Data Strategy and National cyber strategyworking to ensure a stronger risk management framework to improve protection against cybersecurity disruptions, ensure the continuity of service of data storage and processing infrastructure and protect the UK economy.
The UK government’s recent focus on risks in the context of data and cybersecurity stems from two important considerations: (1) data is strategically important, both domestically and globally; and (2) the UK is highly dependent on the storage and processing of data, including for the proper delivery of essential services and the functioning of the UK economy. It is expected that, consistent with existing strategies, DCMS will continue to focus on data security and resilience over the next few years.
The call for views now ends on August 7, 2022, and DCMS will subsequently publish a summary of the evidence gathered.