DIAA 2014 Report
Accreditation Requirements
We were asked to create the risk management and accreditation documents for a large national security IT infrastructure. The system enables several Government agencies to share large volumes of timely data and risk assessments.
Work Undertaken
We conducted detailed threat and risk assessments. We then developed a risk treatment plan to mitigate the risks identified and mapped it to the system’s countermeasures. Our work convinced reluctant agencies to make their data available for exchange.
Value Added
The documents unified the procedures, processes, instructions and plans for maintaining security. The new system enables several government agencies to exchange vast amounts of sensitive, personal and national security data, which improves service delivery.
PKI Requirements
We were headhunted to rescue a national security PKI implementation. The PKI protects classified data in transit: it ensures that the data is not tampered with, maintains its confidentiality, and confirms that it is received from or sent to a known and validated source. The PKI also ensures that the data is transferred in a way that supports electronic non-repudiation, preserving its evidential weight and ensuring admissibility before Courts of law.
Work Undertaken
Starting from the contract, we compared the delivered PKI solution against the business and PKI technical requirements. In particular, we identified a weak trust model, policy gaps and unclear roles.
Value Added
Our PKI consultancy work mitigated urgent business risks such as duty of care, legal challenges, repudiation, data loss and espionage. We added value in the following areas:
Requirements
A critical national infrastructure firm processing over GB£360 billion peak value of monthly automated payments asked us to assist with its ISO/IEC 27001 Certification process.
Work Undertaken
With ISO/IEC 27001 controls as drivers, we undertook a detailed review of the Governance, Delivery and Assurance aspects of the company’s Information Security Management System (ISMS). First, we assessed whether the model defined mandatory security requirements that would ensure consistent governance of security. We then assessed whether the delivery teams had the resources and knowledge to defend the business against technically complex or novel cyber threats. Under assurance, we evaluated the adequacy of the tracking and reporting on the effectiveness of security processes. For example, we visited the company’s data centres to assess the adequacy of physical controls against crime, natural disasters and national security threats, including terrorist attacks.
Value Added
The assessment outlined areas of weakness and strength and provided a remediation roadmap and action plan that helped the company gain certification by enabling timely changes to the security organisation, asset handling and personnel controls. In particular, we designed a new Target Operating Model that clarified IT security responsibilities and enabled coordination between the delivery and assurance teams.