Information Security Risk Management IT operation outsourcing
- 30+ years of experience of doing this
- Applies to many aspects of public service
- Works and delivers cost savings, effectiveness, new capabilities and special skills
- Long duration makes the contract difficult to get right
- Hard to remain an 'expert customer'
- More difficult in high security environments
- Cloud is requiring new controls for new risks
Why it matters so much
- It is a matter of belief in the national ability to deliver a safe and trusted environment for business, citizens and visitors
- London riots
- National security: Falklands
- Stable currency
- Confidentiality, integrity, availability; recently privacy has been added
- Includes all information assets, not just electronic
- Controls and mitigations include physical and personnel measures
- Use national classifications drawn from a 'Harm Matrix': IL0, no impact; IL6, NASW, mass loss of life, NAFG
- Recently modified to include aggregation
- Use the $1 rule!
- 250-year risk: Heathrow jet fuel, largest peacetime explosion in Europe, £100m damage
- Takes out PNC dark site
- Building site fire 24 hours later at main site
- Many departments not seen as high risk in the past are now under attack
- HMRC data loss: 25m child records; CEO resigns, board goes in 12 months
- Departments becoming more connected: back doors
- High grade assets MUST be connected to the internet; air gaps are a thing of the past
- Outsourcing to cloud architectures brings a new set of issues: ideas, but stable solutions not there yet
- Senior Information Risk Owner (SIRO)
- Departmental Security Officer (DSO)
- Accreditor
- Information Asset Owner (IAO)
- In the conversation between experts and IAOs, establishing risk appetite is the biggest problem
- The only answer is engagement and knowledge
- Threat actors
- Capability and motivation
- Assets and vulnerabilities
- Baseline controls
- Mitigations and countermeasures
- Residual risk
- Asset owner and risk appetite
- The customer and the outsource partner

Why is it so different?
- Large scale data losses, often by the outsource partner: PA prisoner records
- Public awareness of cyber leads to more questions about incidents
- Aggregation of data increases the impact of incidents
- Cross linking of systems increases problems
- Increasing capability (laptops) allows vast data sets to be moved around, and lost
- Evidence of increasing levels and sophistication of attacks, not just human error and accidents
- All of this has decreased ministers' appetite for risk
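The risk chain on the slides (threat capability and motivation, asset vulnerability, baseline controls, mitigations, residual risk measured against the asset owner's appetite) and the point that aggregating data sets raises the impact level can be made concrete as a small risk register. The code below is an added example, not material from the presentation; the 1 to 5 scales, the scoring rule, the aggregation rule and the sample threats, assets and appetite are all constructed assumptions and are not the official Harm Matrix or any departmental scheme.

```python
from dataclasses import dataclass
from itertools import product

IL_MIN, IL_MAX = 0, 6          # impact levels IL0..IL6 as named on the slides


@dataclass(frozen=True)
class Threat:
    name: str
    capability: int            # 1 (low) .. 5 (high); scale is an assumption
    motivation: int            # 1 .. 5


@dataclass(frozen=True)
class Asset:
    name: str
    impact_level: int          # IL of this asset held on its own
    vulnerability: int         # 1 .. 5 exposure before any controls
    baseline_controls: int = 0 # effect of mandatory baseline controls
    mitigations: int = 0       # extra risk-based countermeasures


def clamp(value, lo, hi):
    return max(lo, min(hi, value))


def residual_likelihood(threat, asset):
    """Assumed rule: a threat only bites if it is both capable and motivated
    (take the lesser of the two), vulnerability adds, each control step
    subtracts; the result is kept on a 1..5 scale."""
    inherent = min(threat.capability, threat.motivation) + asset.vulnerability
    return clamp(inherent - asset.baseline_controls - asset.mitigations, 1, 5)


def residual_risk(threat, asset):
    """Residual risk score = residual likelihood x impact level (0..30)."""
    return residual_likelihood(threat, asset) * asset.impact_level


def aggregated_impact_level(assets, high_il=3, step_count=3):
    """Assumed aggregation rule: a combined holding takes the highest IL of
    its parts, raised by one level (capped at IL6) when `step_count` or more
    parts are at `high_il` or above."""
    if not assets:
        return IL_MIN
    top = max(a.impact_level for a in assets)
    if sum(1 for a in assets if a.impact_level >= high_il) >= step_count:
        top = min(IL_MAX, top + 1)
    return top


def risk_register(threats, assets):
    """One row per threat/asset pair, highest residual risk first."""
    rows = [(t.name, a.name, residual_risk(t, a)) for t, a in product(threats, assets)]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def above_appetite(register, appetite):
    """Rows the asset owner must explicitly accept or further mitigate."""
    return [row for row in register if row[2] > appetite]


# Constructed sample data (not from the presentation)
THREATS = [Threat("hacktivist", capability=2, motivation=4),
           Threat("organised crime", capability=4, motivation=5)]
ASSETS = [Asset("case records", impact_level=3, vulnerability=4, baseline_controls=1),
          Asset("payment file", impact_level=4, vulnerability=3, baseline_controls=1, mitigations=1),
          Asset("staff directory", impact_level=2, vulnerability=2, baseline_controls=1)]
RISK_APPETITE = 12   # constructed: the IAO's maximum tolerable residual score

if __name__ == "__main__":
    register = risk_register(THREATS, ASSETS)
    for threat, asset, score in register:
        flag = "EXCEEDS APPETITE" if score > RISK_APPETITE else ""
        print(f"{threat:16} {asset:16} residual={score:2} {flag}")
    print("aggregated IL of the whole holding:", aggregated_impact_level(ASSETS))
```

Running it lists the register with the pairs above the owner's appetite flagged, which is the conversation between the experts and the IAO the slides describe; adding a further IL3 asset to the holding pushes the aggregated level up a step, showing why a partner holding many moderate data sets together is a higher-impact position than any one of them alone.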
- Carried out annually for all assets and systems
- Provides evidence for ministers that risks are well managed
- Gives an opportunity to review residual risks
- Ensures consistency
- Allows a unit or organisation to consolidate residual risks and look at the overall picture
- Roles and limitations set by Security Aspects Letter (SAL)
- Sets out how cyber, physical and personnel controls will be delivered
- Works well for baseline, less well for risk-based controls
- Must have 'audit without warning' rights
- Must be in the contract
- If the partner breaches the SAL, what do you actually do?
- Mandatory notification process in contract
- Step-in rights to access and manage the incident
- Damage control process has to run alongside the commercial contract
- Review process perverted by the commercial situation: whose fault is it?
- Additional controls tend to lead to contractual variations and extra costs
- After an incident it is difficult to avoid a dispute
Main lines of development
- Cyber crime: reduce and deter
- National resilience and defence
- Address the skills and knowledge gap
- Create an environment to drive an open and vibrant economy