Duncan Hine: input1_irm_and_outsourcing



  1. Information Security Risk Management: IT operation outsourcing
  2. 
     • 30+ years of experience of doing this
     • Applies to many aspects of public service
     • Works and delivers cost savings, effectiveness, new capabilities and special skills
     • Long duration makes the contract difficult to get right
     • Hard to remain an ‘expert customer’
     • More difficult in high security environments
     • Cloud is requiring new controls for new risks
  3. Why it matters so much
  4. Why it matters so much
     • It is a matter of belief in the national ability to deliver a safe and trusted environment for business, citizens and visitors
  5. 
     • London riots
     • National Security – Falklands
     • Stable currency
  6. 
     • Confidentiality
     • Integrity
     • Availability
     • Recently privacy has been added
     • Includes all information assets, not just electronic
     • Controls and mitigations include physical and personnel measures
     • Use national classifications drawn from a ‘Harm Matrix’
     • IL0 – no impact; IL6 – NASW, mass loss of life, NAFG
     • Recently modified to include aggregation
     • Use the $1 rule!
  7. 
     • 250 year risk
     • Heathrow jet fuel: largest peacetime explosion in Europe, £100m damage
     • Takes out PNC dark site
     • Building site fire 24 hours later at main site
  8. 
     • Many departments not seen as high risk in the past are now under attack
     • HMRC data loss: 25m child records; CEO resigns, board goes in 12 months
     • Departments becoming more connected – back doors
     • High grade assets MUST be connected to the internet – air gaps are a thing of the past
     • Outsourcing to cloud architectures: a new set of issues – ideas, but stable solutions not there yet
  9. 
     • Senior Information Risk Owner – SIRO
     • Departmental Security Officer – DSO
     • Accreditor
     • Information Asset Owner – IAO
     • In the conversation between experts and IAOs, establishing risk appetite is the biggest problem
     • The only answer is engagement and knowledge
  10. Why is it so different?
     • Threat actors
     • Capability and motivation
     • Assets and vulnerabilities
     • Baseline controls
     • Mitigations and countermeasures
     • Residual risk
     • Asset owner and risk appetite
     • The customer and the outsource partner
  11. 
     • Large scale data losses, often by the outsource partner (PA prisoner records)
     • Public awareness of cyber leads to more questions about incidents
     • Aggregation of data increases the impact of incidents
     • Cross linking of systems increases problems
     • Increasing capability (laptops) allows vast data sets to be moved around – and lost
     • Evidence of increasing levels and sophistication of attacks – not just human error and accidents
     • All of this has decreased ministers’ appetite for risk
  12. 
     • Carried out annually for all assets and systems
     • Provides evidence for ministers that risks are well managed
     • Gives an opportunity to review residual risks
     • Ensures consistency
     • Allows a unit or organisation to consolidate residual risks and look at the overall picture
  13. 
     • Roles and limitations set by Security Aspects Letter – SAL
     • Sets out how cyber, physical and personnel controls will be delivered
     • Works well for baseline controls, less well for risk based controls
     • Must have ‘audit without warning’ rights
     • Must be in the contract
     • If the partner breaches the SAL, what do you actually do?
  14. 
     • Mandatory notification process in the contract
     • Step-in rights to access and manage the incident
     • Damage control process has to run alongside the commercial contract
     • Review process perverted by the commercial situation – whose fault is it?
     • Additional controls tend to lead to contractual variations and extra costs
     • After an incident it is difficult to avoid a dispute
  15. Main lines of development
     • Cyber crime – reduce and deter
     • National resilience and defence
     • Address the skills and knowledge gap
     • Create an environment to drive an open and vibrant economy