Duncan hine input1_irm_and_outsourcing

Uploaded on


  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Information Security Risk Management IT operation outsourcing
  • 2.  30+ years of experience of doing this Applies to many aspects of public service Works and delivers cost savings, effectiveness, new capabilities and special skills Long duration makes contract difficult to get right Hard to remain an ‘expert customer’ More difficult in high security environments Cloud is requiring new controls for new risks
  • 3. Why it matters so much
  • 4. Why it matters so much It is a matter of belief in thenational ability to deliver a safe and trusted environment for business, citizens and visitors
  • 5.  London riots National Security - Falklands Stable currency
  • 6.  Confidentiality Integrity Availability Recently privacy has been added Includes all information assets not just electronic Controls and mitigations include physical and personnel measures Use national classifications drawn from a ‘Harm Matrix’ IL0 – no impact, IL6 NASW, mass loss of life, NAFG Recently modified to include aggregation Use the $1 rule !
  • 7.  250 year risk Heathrow jet fuel largest peace time explosion in Europe £100m damage Takes out PNC dark site Building site fire 24 hours later at main site
  • 8.  Many departments not seen as high risk in the past now under attack HMRC data loss 25m child records CEO resigns, board goes in 12 months Departments becoming more connected – back doors High grade assets MUST be connected to the internet – air gaps are a thing of the past Outsourcing to cloud architectures a new set of issues – ideas but stable solutions not there yet
  • 9.  Senior Information Risk Owner – SIRO Departmental Security Officer – DSO Accreditor Information Asset Owner – IAO In the conversation between experts and IAOs establishing risk appetite is the biggest problem The only answer is engagement and knowledge
  • 10.  Threat actors Capability and motivation Assets and vulnerabilities Baseline controls Mitigations and countermeasures Residual risk Asset owner and risk appetite The customer and the outsource partnerWhy is it so different ?
  • 11.  Large scale data losses often by outsource partner PA prisoner records Public awareness of cyber leads to more questions about incidents Aggregation of data increases impact of incidents Cross linking of systems increases problems Increasing capability (laptops) allows vast data sets to be moved around – and lost Evidence of increasing levels and sophistication of attacks – not just human error and accidents All of this has decreased ministers appetite for risk
  • 12.  Carried out annually for all assets and systems Provides evidence for ministers that risks are well managed Gives an opportunity to review residual risks Ensures consistency Allows a unit, or organisation to consolidate residual risks and look at overall picture
  • 13.  Roles and limitations set by Security Aspects Letter – SAL Sets out how cyber, physical and personnel controls will be delivered Works well for baseline less well for risk based controls Must have ‘audit without warning rights’ Must be in the contract If partner breaches SAL what do you actually do?
  • 14.  Mandatory notification process in contract Step in rights to access and manage incident Damage control process has to run alongside commercial contract Review process perverted by commercial situation – whose fault is it? Additional controls tend to lead to contractual variations and extra costs After an incident it is difficult to avoid a dispute
  • 15. main lines of development Cyber crime - reduce and deter National resilience and defence Address the skills and knowledge gap Create an environment to drive an open and vibrant economy