2. 30+ years of experience of doing this
Applies to many aspects of public service
Works and delivers cost savings, effectiveness, new capabilities and special skills
Long duration makes contract difficult to get right
Hard to remain an ‘expert customer’
More difficult in high security environments
Cloud is requiring new controls for new risks
4. Why it matters so much
It is a matter of belief in the national ability to deliver a safe and trusted environment for business, citizens and visitors
5. London riots
National Security - Falklands
Stable currency
8. Confidentiality
Integrity
Availability
Recently privacy has been added
Includes all information assets not just electronic
Controls and mitigations include physical and personnel measures
Use national classifications drawn from a ‘Harm Matrix’: IL0 – no impact, IL6 – NASW, mass loss of life, NAFG
Recently modified to include aggregation
Use the $1 rule!
9. 250-year risk: Heathrow jet fuel, largest peacetime explosion in Europe, £100m damage
Takes out PNC dark site
Building site fire 24 hours later at main site
10. Many departments not seen as high risk in the past now under attack
HMRC data loss: 25m child records; CEO resigns, board goes in 12 months
Departments becoming more connected – back doors
High grade assets MUST be connected to the internet – air gaps are a thing of the past
Outsourcing to cloud architectures: a new set of issues – ideas, but stable solutions not there yet
11. Senior Information Risk Owner – SIRO
Departmental Security Officer – DSO
Accreditor
Information Asset Owner – IAO
In the conversation between experts and IAOs, establishing risk appetite is the biggest problem
The only answer is engagement and knowledge
12. Threat actors
Capability and motivation
Assets and vulnerabilities
Baseline controls
Mitigations and countermeasures
Residual risk
Asset owner and risk appetite
The customer and the outsource partner
Why is it so different?
13. Large scale data losses often by outsource partner: PA prisoner records
Public awareness of cyber leads to more questions about incidents
Aggregation of data increases impact of incidents
Cross linking of systems increases problems
Increasing capability (laptops) allows vast data sets to be moved around – and lost
Evidence of increasing levels and sophistication of attacks – not just human error and accidents
All of this has decreased ministers’ appetite for risk
14. Carried out annually for all assets and systems
Provides evidence for ministers that risks are well managed
Gives an opportunity to review residual risks
Ensures consistency
Allows a unit or organisation to consolidate residual risks and look at the overall picture
15. Roles and limitations set by Security Aspects Letter – SAL
Sets out how cyber, physical and personnel controls will be delivered
Works well for baseline, less well for risk based controls
Must have ‘audit without warning rights’
Must be in the contract
If partner breaches SAL, what do you actually do?
16. Mandatory notification process in contract
Step in rights to access and manage incident
Damage control process has to run alongside commercial contract
Review process perverted by commercial situation – whose fault is it?
Additional controls tend to lead to contractual variations and extra costs
After an incident it is difficult to avoid a dispute
17. Main lines of development
Cyber crime – reduce and deter
National resilience and defence
Address the skills and knowledge gap
Create an environment to drive an open and vibrant economy