Success Stories

4. Risk Management & Accreditation Case Study — National Security

 Risk Management

Accreditation Requirements

We were asked to create a risk management and accreditation documents for a large national security IT infrastructure. The system enables the sharing of large volumes of timely data and risk assessments between several Government agencies.

Work Undertaken

We conducted detailed threat and risk assessments. Thereafter, we developed a risk treatment plan to mitigate the risks identified and mapped this to the system’s countermeasures. Our work convinced reluctant agencies to avail data for exchange.

Value Added

The documents unified the procedures, processes, instructions and plans for maintaining security. The new system enables several government agencies to exchange vast amounts of sensitive, personal and national security data that improves service delivery.

3. Evidential National Security PKI Case Study

PKI Requirements

We were headhunted to rescue a national security PKI implementation. The PKI serves to protect classified data in transit to ensure that it is not tampered with; maintains its privacy and is received from or sent to a known and validated source. PKI also ensures that the data is transferred in a way that supports electronic non-repudiation to preserve its evidential weight and ensure admissibility before Courts of law.

Work Undertaken

Starting from the contract, we compared the PKI solution with the business and PKI technical requirements. In particular, we noted a weak trust model, policy gaps and unclear roles.

Value Added

Our PKI consultancy work mitigated urgent business risks such as duty of care, legal challenges, repudiation, data loss and espionage.  We added value in the following areas:

  • Designed a new and coherent PKI Trust Model;
  • We designed the PKI Policy framework and authored the Certificate Policy (CP); Certification Practices Statement (CPS); Key Generation Ceremony; Subscriber and Rely Party Agreements; and
  • We designed and/or led teams creating PKI High Level Design (HLD) and Low Level Designs (LLD) for HSM Appliances and Smartcard management devices.

2. ISO/IEC 27001 Certification Case Study

Requirements

A critical national infrastructure firm processing over GB£360 billion peak value of monthly automated payments asked us to assist with its ISO/IEC 27001 Certification process.

Work Undertaken

With ISO/IEC 27001 controls as drivers, we undertook a detailed review of the Governance, Delivery and Assurance aspects of the company’s Information Security Management System (ISMS). First, we assessed whether the model defined mandatory security requirements to ensure the consistent governance of security. We then assessed whether the delivery teams had the resources and knowledge to defend the business against technically complex or new cyber threats. Under assurance, we evaluated the adequacy of the tracking and reporting on the effectiveness of security processes. For example, we visited the company’s data centres to assess the adequacy of physical controls against crime, natural disasters and national security threats including terrorist attacks.

Value Added

The assessment outlined areas of weakness and strength and provided a remediation roadmap and action plan that helped the company gain certification as it enabled timely changes to the security organisation; asset handling and personnel controls. In particular, we designed a new Target Operating Model that helped clarify IT security responsibilities and enabled coordination between delivery and assurance teams.

1. Response to nation-wide cyber attack Case Study

Georgia’s Cybersecurity Requirements;

At the request of Georgia’s Ministry of Economic Development, the International Telecommunication Union (ITU) asked us to lead an Expert Group to assess cybersecurity readiness, draft a cybersecurity strategy and action plan. The request came after Distributed Denial-of-Service (DDoS) attacks and the defacement of government and commercial websites in the Georgia-Russia war of 2008.

Work Undertaken

Under our leadership, the Expert Group conducted a thorough review of strategies and plans for securing critical information infrastructure (CII). The Experts spoke to Government Ministries including Foreign Affairs, Economic Development, Justice and Education. The team also spoke to Parliamentary security officials and operators of CII in the sectors such as banking, telecommunications and transport.

Value Added

The Expert Group recommended action on cybercrime legislation; strategic accountability for cybersecurity clarity; naming of a cybersecurity focal point; creation of a national incident response team; greater public-private partnership; ICT skills development and public awareness. Apart from the final report we authored, we wrote a cybersecurity strategy.

Scroll to top