Duncan hine input1_irm_and_outsourcing Presentation Transcript

  • 1. Information Security Risk Management: IT operation outsourcing
  • 2.
    - 30+ years of experience of doing this
    - Applies to many aspects of public service
    - Works and delivers cost savings, effectiveness, new capabilities and special skills
    - Long duration makes the contract difficult to get right
    - Hard to remain an ‘expert customer’
    - More difficult in high security environments
    - Cloud is requiring new controls for new risks
  • 3. Why it matters so much
  • 4. Why it matters so much
    - It is a matter of belief in the national ability to deliver a safe and trusted environment for business, citizens and visitors
  • 5.
    - London riots
    - National Security - Falklands
    - Stable currency
  • 6.
    - Confidentiality, Integrity, Availability
    - Recently privacy has been added
    - Includes all information assets, not just electronic
    - Controls and mitigations include physical and personnel measures
    - Use national classifications drawn from a ‘Harm Matrix’: IL0 – no impact, IL6 NASW, mass loss of life, NAFG
    - Recently modified to include aggregation
    - Use the $1 rule!
  • 7.
    - 250 year risk
    - Heathrow jet fuel: largest peacetime explosion in Europe, £100m damage
    - Takes out PNC dark site
    - Building site fire 24 hours later at main site
  • 8.
    - Many departments not seen as high risk in the past are now under attack
    - HMRC data loss: 25m child records; CEO resigns, board goes in 12 months
    - Departments becoming more connected – back doors
    - High grade assets MUST be connected to the internet – air gaps are a thing of the past
    - Outsourcing to cloud architectures brings a new set of issues – ideas, but stable solutions not there yet
  • 9.
    - Senior Information Risk Owner – SIRO
    - Departmental Security Officer – DSO
    - Accreditor
    - Information Asset Owner – IAO
    - In the conversation between experts and IAOs, establishing risk appetite is the biggest problem
    - The only answer is engagement and knowledge
  • 10. Why is it so different?
    - Threat actors
    - Capability and motivation
    - Assets and vulnerabilities
    - Baseline controls
    - Mitigations and countermeasures
    - Residual risk
    - Asset owner and risk appetite
    - The customer and the outsource partner
  • 11.
    - Large scale data losses, often by the outsource partner: PA prisoner records
    - Public awareness of cyber leads to more questions about incidents
    - Aggregation of data increases the impact of incidents
    - Cross linking of systems increases problems
    - Increasing capability (laptops) allows vast data sets to be moved around – and lost
    - Evidence of increasing levels and sophistication of attacks – not just human error and accidents
    - All of this has decreased ministers’ appetite for risk
  • 12.
    - Carried out annually for all assets and systems
    - Provides evidence for ministers that risks are well managed
    - Gives an opportunity to review residual risks
    - Ensures consistency
    - Allows a unit or organisation to consolidate residual risks and look at the overall picture
  • 13.
    - Roles and limitations set by the Security Aspects Letter – SAL
    - Sets out how cyber, physical and personnel controls will be delivered
    - Works well for baseline controls, less well for risk based controls
    - Must have ‘audit without warning’ rights
    - Must be in the contract
    - If the partner breaches the SAL, what do you actually do?
  • 14.
    - Mandatory notification process in the contract
    - Step-in rights to access and manage the incident
    - Damage control process has to run alongside the commercial contract
    - Review process perverted by the commercial situation – whose fault is it?
    - Additional controls tend to lead to contractual variations and extra costs
    - After an incident it is difficult to avoid a dispute
  • 15. Main lines of development
    - Cyber crime - reduce and deter
    - National resilience and defence
    - Address the skills and knowledge gap
    - Create an environment to drive an open and vibrant economy