Risk Management, IT Accreditation

Technical Risk Management, IT Accreditation & Certification

Governments regulate services in the traditional national infrastructure sectors, such as energy, food, water and transport, to ensure the safe and reliable delivery of services to citizens, consumers and businesses, and to maintain their own functions. National infrastructure sectors are increasingly reliant on complex critical information infrastructure (CII). Governments and regulators therefore now require that ICT systems handling “classified” Government or business-critical data formally identify and mitigate technical risks. Furthermore, such systems must undergo an independent assessment to confirm that the residual risks are acceptable to the business. We can assist as follows:

Risk Management Governance Process

We can help national IT authorities design an Information Assurance governance system. Whilst needs vary across countries, such systems cover Government or designated private sector IT systems that handle, store and process sensitive data on citizens, businesses and national security. We form governance structures with a hierarchy of security roles, including Senior Information Risk Owners (SIRO), Accreditors, Departmental Security Officers and Security Controllers. We also ensure that all officers receive adequate training.

Risk Management & Accreditation Document Sets

A Risk Management and Accreditation Document Set (RMADS) is a tool for managing risks to complex public sector IT systems. We can help you design RMADSs that bring together the procedures, processes, instructions and plans required to maintain the security of critical information infrastructure (CII). An RMADS gives the relevant stakeholders confidence that systems protect the sensitive data they handle, process and store. Whilst our clients have different security needs, our RMADSs typically cover the following areas:

Area 1 — Accreditation Requirements

Security involves trade-offs. Security measures have costs in money, but also in performance and ease of use. We can therefore help you ensure that the compliance requirements defined for your IT systems are commensurate with the risks the systems face. We help identify the national or global policies and security standards that inform the compliance requirements, which must also comply with relevant national legislation. We also produce an accreditation statement that names the environments the RMADS covers.

Area 2 — Business Details

We start from the broad business goals that the system must support. We work with you to identify the security-relevant aspects of the system and outline the security requirements to be met. We also identify the capabilities that the system delivers to different user groups, e.g. citizens and businesses. If your system has interconnections and interfaces with other IT systems, we identify the shared business services and the security requirements to be met across the environments. In this way we identify the elements of the accreditation scope.

Area 3 — Risk Management Documents

We help with risk management strategy design. Where available, we record your organisation’s risk appetite and risk tolerance. We align the risk appetite with the business impact of a breach of the security around elements, business domains or Focus of Interest (FoI). We can help undertake a detailed threat assessment. We focus on typical threat sources such as foreign intelligence services, hacktivists, hackers, organised crime and any local threats. For each threat actor, we can help assess their capability to mount attacks as well as their motivation, as measured by factors such as ideology, coercion and disaffection. We then create a risk treatment plan to mitigate the identified risks and map them to countermeasures.

Area 4 — Development, Acceptance and In-Use

Lastly, we help you draw up a plan for managing risk to the system throughout its life. We identify the security roles and responsibilities in the development, testing, acceptance, maintenance, incident management and decommissioning phases. We further define Security Operating Procedures (SyOPs) for each role.