1. Information Security Risk Management
IT operation outsourcing

2.  30+ years of experience of doing this
 Applies to many aspects of public service
 Works and delivers cost savings, effectiveness, new
capabilities and special skills
 Long duration makes contract difficult to get right
 Hard to remain an ‘expert customer’
 More difficult in high security environments
 Cloud is requiring new controls for new risks

3. Why it matters so much

4. Why it matters so much
It is a matter of belief in the
national ability to deliver a safe
and trusted environment for
business, citizens and visitors

5.  London riots
 National Security - Falklands
 Stable currency

8.  Confidentiality
 Integrity
 Availability
 Recently privacy has been added
 Includes all information assets not just electronic
 Controls and mitigations include physical and
personnel measures
 Use national classifications drawn from a ‘Harm
Matrix’ IL0 – no impact, IL6 NASW, mass loss of
life, NAFG
 Recently modified to include aggregation
 Use the $1 rule !

9.  250 year risk Heathrow jet fuel largest peace time explosion
in Europe £100m damage
 Takes out PNC dark site
 Building site fire 24 hours later at main site

10.  Many departments not seen as high risk in
the past now under attack
 HMRC data loss 25m child records CEO
resigns, board goes in 12 months
 Departments becoming more connected –
back doors
 High grade assets MUST be connected to the
internet – air gaps are a thing of the past
 Outsourcing to cloud architectures a new set
of issues – ideas but stable solutions not
there yet

11.  Senior Information Risk Owner – SIRO
 Departmental Security Officer – DSO
 Accreditor
 Information Asset Owner – IAO
 In the conversation between experts and IAOs
establishing risk appetite is the biggest
problem
 The only answer is engagement and
knowledge

12.  Threat actors
 Capability and motivation
 Assets and vulnerabilities
 Baseline controls
 Mitigations and countermeasures
 Residual risk
 Asset owner and risk appetite
 The customer and the outsource partner
Why is it so different ?

13.  Large scale data losses often by outsource
partner PA prisoner records
 Public awareness of cyber leads to more
questions about incidents
 Aggregation of data increases impact of incidents
 Cross linking of systems increases problems
 Increasing capability (laptops) allows vast data
sets to be moved around – and lost
 Evidence of increasing levels and sophistication
of attacks – not just human error and accidents
All of this has decreased ministers appetite for
risk

14.  Carried out annually for all assets and
systems
 Provides evidence for ministers that risks are
well managed
 Gives an opportunity to review residual risks
 Ensures consistency
 Allows a unit, or organisation to consolidate
residual risks and look at overall picture

15.  Roles and limitations set by Security Aspects
Letter – SAL
 Sets out how cyber, physical and personnel
controls will be delivered
 Works well for baseline less well for risk
based controls
 Must have ‘audit without warning rights’
 Must be in the contract
 If partner breaches SAL what do you actually
do?

16.  Mandatory notification process in contract
 Step in rights to access and manage incident
 Damage control process has to run alongside
commercial contract
 Review process perverted by commercial
situation – whose fault is it?
 Additional controls tend to lead to
contractual variations and extra costs
 After an incident it is difficult to avoid a
dispute

17. main lines of development
 Cyber crime - reduce and deter
 National resilience and defence
 Address the skills and knowledge gap
 Create an environment to drive an open and
vibrant economy