A cyber security governance framework and digital risk management process for OFFICIAL environments in UK Government. A pragmatic and proportional information risk management process which can be used at speed, and is compatible with Agile projects. This is released under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
1. Cyber Security Governance and Digital Risk Management for OFFICIAL Environments
TONY RICHARDS
SECURITY FRAMEWORK FOR DIGITAL RISK MANAGEMENT
2. WHO WE ARE WWW.SECURESTORM.COM
THE EXPERT SECURITY ADVISORS
CREATIVE COMMONS
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.
3. INTRODUCTION
Securestorm, in partnership with the Youth Justice Board (YJB), has developed a robust security governance framework and information risk management approach for OFFICIAL digital services and systems. This provides a practical and proportional process with re-usable common security profiles and architectural patterns to:
• increase efficiency
• reduce overheads
• effectively manage Information Risk
This move comes after the Cabinet Office announcement of the retirement of mandatory accreditation from the Security Policy Framework (SPF) and CESG’s move to supporting business-led Information Risk Management.
4. INTRODUCTION
Securestorm’s Security Framework for Digital Risk Management [1] approach [2] enables organisations to utilise the latest security thought leadership from across UK government and industry, in a synchronised and logical flow that can be deployed rapidly and with agility.
Note:
[1] This is available from Securestorm under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
[2] The following is not a stand-alone process or methodology, but a framework for organisations, incorporating a range of security and risk management principles from CESG and the Cabinet Office.
5. SECURITY GOVERNANCE FRAMEWORK
Secure by Design
• Security Design Principles
• User Security Needs
• Agile Security Stories
• Cloud and micro-service Architectural Patterns
• Secured base images
• Protecting Bulk Personal Data Principles
• Security Operations
Info Risk Management
• Information Risk Management Principles
• Digital Information Risk Management
• IT and Digital Security Policy
• GSCS Core Security Controls
• Relevant Security Profiles
Risk Managed Life-cycle
• Risk Status and Management Dashboard
• Audit Program
• Risk Management Checkpoints & road-maps
• Assure Third Parties
• SIRO/AO Risk Report
• Digital Risk Management Record Schema
6. SECURE BY DESIGN
COMMON SOLUTIONS FOR COMMON PROBLEMS
Integrate CESG’s Security Design Principles for Digital Services in all new service designs.
https://www.cesg.gov.uk/guidance/security-design-principles-digital-services-0
User Security Needs – Predefined library of Security Outcomes, security controls for OFFICIAL, security stories, any legal and regulatory requirements specific to the organisation, and any other relevant security controls as required by the business.
https://www.gov.uk/government/publications/government-security-classifications
Develop and share reusable Architectural Patterns where relevant for services or system components.
7. INFORMATION RISK MANAGEMENT
COMMON SOLUTIONS FOR COMMON PROBLEMS
Understand CESG’s guidance on managing Information Risk.
https://www.cesg.gov.uk/guidance/10-steps-information-risk-management-regime
Incorporate the “Apply Common Solutions to solve Common Problems” approach to Information Risk Management.
https://www.gov.uk/guidance/managing-information-risk
Identify and apply Security Policies, Government Security Classification Core Controls and relevant Security Profiles.
Use the Security Framework for Digital Risk Management approach to pragmatically categorise data and assess the impact of a breach.
8. RISK MANAGED LIFE-CYCLE
CONTINUOUS THROUGH-LIFE PROCESS
Produce a Risk Status and Management Dashboard, for weekly, monthly or real-time reporting.
Develop and maintain an Audit and Assurance program, to ensure that Service Providers’ and system Suppliers’ security assurances are actively audited, validated and managed.
Plan and schedule Risk Management Checkpoints to ensure that Risk Treatment Plans and security validations are reviewed and assured in a forecastable and pragmatic way.
Use a SIRO/AO Risk Report to document business risk decisions and provide supporting risk and assurance detail with a proportional Digital Risk Management Record Schema.
9. GOVERNANCE STRUCTURE
‘Effective leadership’ is a critical component of good security and accountability. The Permanent Secretary (or equivalent) will own the organization's approach to security and ensure that these issues receive the attention and investment required.
The Security Policy Framework (SPF) states: ‘Government organizations will have an appropriate security governance structure to support the Permanent Secretary, that is properly resourced with individuals who have been appropriately trained; Board-level oversight of security compliance and auditing processes; and arrangements to determine and satisfy themselves that Delivery Partners, service providers and third party suppliers apply proper security controls’.
https://www.gov.uk/government/publications/security-policy-framework/hmg-security-policy-framework
10. GOVERNANCE STRUCTURE
The security management structure of an organisation, whatever its size, needs to be strong. Splitting operational security from information risk enables greater flexibility, ensuring that incident investigations and day-to-day operations don’t impact compliance and on-going risk management activities, and vice versa.
Binding the two strands together, overseeing the bigger picture and ensuring an important liaison with the business, the CISO is responsible for the entire security function while providing leadership, knowledge and experience.
These roles are not necessarily full time; rather, they should be continuously adjusted to be dynamic to the organisation’s needs.
11. GOVERNANCE STRUCTURE
The organisational example depicts an extended governance structure.
12. INTRODUCING INFORMATION RISK
Prior to April 2014, a security process called accreditation was mandated by the HMG Security Policy Framework (SPF) for all Government departments processing classified information.
The process of accreditation provided for the assessment of a system against its security requirements, and approval was required from an accreditor as a prerequisite for operation.
This was removed as a mandatory requirement from the April 2014 version of the SPF.
https://www.gov.uk/guidance/managing-information-risk
13. INTRODUCING INFORMATION RISK
An organisational responsibility: Risk management decisions should be objective and informed by an understanding of risk. They should not be made in isolation but on a basis of understanding how individual decisions affect the wider business, and what it is trying to achieve.
Tech to deliver business attracts risk: Organisations should decide for themselves what risk management decisions need to be made to support the delivery and operation of a system or service.
Decisions: right people, time & support: Decision makers need to be empowered by the organisation and have the right business, technology and security knowledge and skills to enable informed and objective decisions.
https://www.gov.uk/guidance/managing-information-risk
14. INFORMATION RISK MANAGEMENT
BUSINESS CONTEXT
Organisations should always be aware of the risks they are taking to achieve their aims. To ensure meaningful outcomes, organisations need to provide a context in which risk management and risk assessment is conducted.
RISK MANAGEMENT APPROACH
Before taking any action, the organisation must understand and communicate what risk management approach the business is going to take to provide confidence that the technology and information used is proportionally secured.
KEY COMPONENTS OF RISK
Risk assessments have inputs and outputs. Regardless of the risk assessment method used, any inputs and outputs should be understandable and meaningful in the context of the business and what it is trying to achieve.
15. INFORMATION RISK MANAGEMENT
COMMUNICATE RISK CONSISTENTLY
Irrespective of the approach taken to assessing risks, the outcome should be captured in a way that can be used to inform business decision making. Consistency is achieved by ensuring that the inputs to and outputs from assessments are meaningful in the context of what the business is trying to achieve.
UNDERSTAND WHAT RISKS EXIST
To understand what risks exist, the risk assessment should be applied in the context of what the organisation is trying to achieve. The output of any risk assessment should be recorded for traceability purposes. Traceability is important so that risk management decisions and investment choices can be traced to an identified risk.
MAKE INFORMED RISK MANAGEMENT DECISIONS
Throughout the lifecycle of a system or service, the organisation will need to make objective decisions about what needs to be done to manage identified risks. These decisions should be informed and supported by information, subject matter expertise and evidence. After risk management action has taken place, some risks will remain. These are often referred to as residual risks.
16. BUSINESS CONTEXT
Taking risks is a necessary part of doing business in order to create opportunities and help deliver business objectives. Organisations should always be aware of the risks they are taking to achieve their aims.
To ensure meaningful outcomes, organisations need to provide a context in which risk management and risk assessment is conducted. This context can be set by answering the following questions:
Goal: What is the organisation trying to achieve?
Ethos: What does it really care about?
Attitude: What is its risk appetite?
17. RISK MANAGEMENT APPROACH
Apply common solutions to solve common problems
In this approach, the organisation applies the security provided by common security solutions to solve common technology problems. It only carries out tailored risk assessments (or specifies additional security controls) for those business objectives that are not entirely covered by the common solution.
This is particularly useful in OFFICIAL environments, where an increasing range of common solutions are being assured across government.
https://www.gov.uk/guidance/managing-information-risk
19. THE OFFICIAL ENVIRONMENT
Identify which elements of the environment require assurance as part of the service or solution.
20. END USER DEVICES
ASSURANCE OPTIONS
• Configured in line with CESG EUD Security and Configuration Guidance
https://www.gov.uk/government/collections/end-user-devices-security-guidance
• Assured for OFFICIAL by another government organisation
• Legacy Accreditation as part of a Legacy service or system at OFFICIAL or previously “Restricted”
21. NETWORK
ASSURANCE OPTIONS
• Data protected in transit in line with CESG Transport Layer Security (TLS) for external-facing services guidance
https://www.gov.uk/guidance/transport-layer-security-tls-for-external-facing-services
• Public Services Network (PSN) accredited by the PSNA for OFFICIAL
https://www.gov.uk/government/groups/public-services-network
• A VPN or other encrypted network legacy accredited for OFFICIAL (or previously “Restricted”)
22. SERVICE
ASSURANCE OPTIONS
• Cloud services purchased via the Digital Marketplace, which meet the security requirements of the business in line with CESG Cloud Security Principles.
https://www.gov.uk/government/collections/cloud-security-guidance
• Services legacy accredited for OFFICIAL by another government organisation, including CESG Pan Government Accreditors.
• Services can be assessed against the security requirements of the business and any deficiencies risk managed in line with the business risk appetite.
23. CLOUD SERVICES
CLOUD STRUCTURES
Cloud services purchased via the Digital Marketplace can be procured in a variety of structures:
• Software as a Service (SaaS)
• An application built on top of Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Platform as a Service (PaaS) built on Infrastructure as a Service (IaaS)
• Infrastructure as a Service (IaaS)
Figure: layered stack of Application, Software as a Service, Platform as a Service and Infrastructure as a Service.
24. CLOUD SERVICES
DEVELOPED APPLICATIONS
Where an application is to be developed or implemented on IaaS or PaaS, then the Digital Risk Management approach is still applicable. The Combined Security Profile will help identify the relevant User Security Needs and Outcomes, which in turn drive out proportional controls, which map into Security Stories for Agile development.
https://www.gov.uk/service-manual
Figure: Combined Security Profile → User Security Needs → Applicable Security Controls → Security Stories.
25. DATA TYPES
Non-Sensitive Information
This information will typically be public knowledge or intended for public consumption; for example, marketing material, open consultations, information to be published under transparency/open data or even routine communications with members of the public or third parties where there is no confidentiality requirement. There may be a requirement to protect the integrity and availability of this information.
Transactional
This includes one-off (potentially) sensitive exchanges with external partners (citizens, industry, third sector etc), and online transactional services where the loss of a small number of instances is tolerable, but systematic or large scale compromise is unacceptable. Loss of confidentiality, integrity or availability of this data will result in disruption to HMG service delivery and may have a commercial or financial impact. Organisations may also need to comply with external compliance obligations such as the Payment Card Industry Data Security Standard (PCI DSS).
Routine Public Sector Business
Information of varying sensitivity that supports the routine business, operations and services of the Public Sector. There is a requirement to protect the confidentiality, integrity and availability of this information.
26. DATA TYPES
Legally Defined
Information which is subject to legal and / or regulatory requirements. For example, personal information that relates to an identifiable individual as defined by the Data Protection Act (DPA). Legal or regulatory requirements must be met and additional controls may be required in line with HMG risk appetite tolerances. There is a clear requirement to protect the confidentiality, availability and integrity of such information.
OFFICIAL-SENSITIVE
The loss, compromise or misuse of information marked with the OFFICIAL-SENSITIVE caveat has been assessed as being likely to have damaging consequences for an individual, an organisation or HMG more generally. Risk owners will typically require additional assurance that the need-to-know is strictly enforced, and there is a clear requirement to protect the confidentiality, integrity and availability of this information. However, note that this example is intended to illustrate where heightened technical protections may be appropriate; in most cases it will be more proportionate to risk manage access to limited amounts of OFFICIAL-SENSITIVE information on corporate systems using more stringent procedural controls instead.
27. SECURITY REQUIREMENTS
• External Legal requirements could include: the Data Protection Act
• External Regulatory requirements could include: PCI DSS or HMG Off-shoring Policy for Official
28. BUSINESS RED-LINES
Business Red-lines are controls or restrictions that are not mandated by external requirements. The Business must decide if there are any business appetite red-lines that would constrain the service or solution, or where the Business has assessed that additional specific security controls are required.
An example of a red-line might be: “No Off-Shoring of Sensitive Information”, or “Data-in-transit Must be encrypted”.
29. BUSINESS IMPACTS
The business impacts are a range of impacts that could affect the Business if a threat was realised for Confidentiality, Integrity or Availability. Each impact could be due to a number of reasons, including Financial, Personnel, Physical, Logical, etc.
30. BUSINESS IMPACTS
No Impact – No identified impact on the business, its operations, staff, management, or finances.
Business Red-line Impact – An impact that affects the Business appetite in regards to a specific risk, control, or technology.
Reputation Impact – An impact that affects the Business through a degradation of its perceived reputation.
Business Disruption – An impact that affects the daily operations of the Business, incl. administration, staff and technology.
Regulatory Impact – An impact that would lead to a breach of external regulatory requirements, resulting in fines, sanctions or agreements.
Legal Impact – An impact that would lead to a breach of applicable law and the risk of legal prosecution.
31. ASSESS THE IMPACT
The Business must assess what the worst case impact of a breach of C, I and A would be for the Data Types involved. Text in italics shows examples.
32. SECURITY PROFILES
Security Profiles are based on the 14 Cloud Security Principles from CESG’s published guidance on Cloud Security, and the 51 G-Cloud Security Assertions.
https://www.gov.uk/government/collections/cloud-security-guidance
https://digitalmarketplace.blog.gov.uk/2014/11/04/the-g-cloud-6-security-questions
A range of reusable security profiles have been developed for different external requirements, such as the PSN Service Security Standard, DPA compliance, PCI DSS compliance, NHS IG Toolkit alignment, etc.
https://www.gov.uk/guidance/apply-for-a-public-services-network-psn-service-provision-compliance-certificate
The Impact Assessment will provide guidance as to which Security Profiles are relevant. New Security Profiles can be developed at any time to meet the Business Security Needs, including organisation-specific security controls.
33. APPLY SECURITY PROFILES
Any relevant external security requirements (DPA, PSN, NHS, PCI DSS, etc), the business security needs (OFFICIAL), and any business red-lines (UK only, etc) will define which security profiles are applicable.
The various applicable security profiles are then combined into one Consolidated Security Profile.
Figure: Security Profiles (OFFICIAL, DPA, PSN, OS, Red-line) combined into a Consolidated profile.
34. COMPARE SECURITY PROFILES
The Consolidated Security Profile can be used for a range of activities:
• As part of the selection criteria for the procurement of services from the Digital Marketplace
• As a Supplier security assessment benchmark
• To develop Security Requirements and Controls
• To develop User Security Needs and User Security Stories
• To audit Suppliers’ security maturity
Figure: Security Profile Comparison, Consolidated Security Profile against Supplier / Service Provider.
35. RISK MANAGE THE DELTA
Identify any areas where the solution does not meet the consolidated security profile or user security needs.
Identify any external requirements or business red-lines that the solution or service does not meet.
Any deficiency to the security requirements, “the Delta”, must be recorded and risk managed.
The outcome is to reduce, where possible, the impact on the business or the likelihood of the impact occurring.
36. RISK DEFINITIONS
Threat
Threat describes the source of a risk being realised. Where appropriate to their organisation’s context, the business should apply the threat profile for OFFICIAL, supplemented if necessary with local or specific threat intelligence where it is available.
https://gov.uk/government/publications/government-security-classifications
Likelihood
Likelihood, also known as “probability”, estimates how likely it is for a threat to occur. It can be captured by examining historical records of compromises to estimate how history will be repeated.
https://www.gov.uk/guidance/managing-information-risk
Impact
Impact describes the consequences of a risk being realised. To allow risk evaluation and prioritisation, impact should specify the negative effect that a risk’s realisation would entail. This should include expected losses (e.g. financial and reputation losses) as well as business objectives which would not be achievable as a result of the impact.
37. LIKELIHOOD OF OCCURRENCE
RARE: The threat may occur in exceptional circumstances
UNLIKELY: The threat could occur some time in the target period
POSSIBLE: The threat may occur within the target period
LIKELY: The threat is likely to occur within the target period
EXPECTED: The threat is expected to occur within the target period
38. RISK INDEX
Risk Index = Impact of risk × Likelihood of occurrence
(Described in a 5x6 matrix: Low = 1-4, Medium = 5-12, High = 15-20, Critical = 24-30)
Other Risk Assessment methodologies can be used.
39. RISK TREATMENT
AVOID: Identified risks can be avoided if alternative technical or business decisions are made on the service design.
MITIGATE: Identified risks can be mitigated if a treatment or control will reduce the impact or likelihood.
TRANSFER: Identified risks are transferred to more appropriate business areas, or responsibility is escalated.
ACCEPT: Identified risks are accepted in the event that business needs override the impact of the risk, or the risk is within the business risk appetite.
40. DOCUMENTATION
• Document the risk management approach, environment elements, and relevant data types
• Document the output of the assessment of impacts that could be realised, relevant to the data type
• Document the relevant security profiles and business red-lines, and define the consolidated security profile
• Document the external requirements, business red-lines and business security needs
The documented output can be in a range of formats, not necessarily a document.
41. DOCUMENTATION
• Document the risk management assessment outcomes, from whichever methodology is used
• Document any “Delta” to the security requirements, business red-lines and consolidated security profile
• Document any controls or mitigations that can reduce the impact or likelihood of the risks occurring
• Produce a high-level Risk Report for the SIRO / AO
42. DOCUMENTATION - SCHEMA
As a standardised mechanism for recording, sharing and exchanging information risk management data, Securestorm developed a data schema. The Digital Services Risk Management Record [1] provides the relevant risk and assurance information on a system or service, in a concise and proportional way.
The schema can be saved in a variety of formats, including CSV, JSON or Txt, enabling both human and machine readability.
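As an added worked example (not part of the deck and not Securestorm’s schema), the Risk Index from slide 38 and the JSON record format from slide 42 carried through in Python: each “Delta” item gets a worst-case impact across C, I and A, a 5x6 Risk Index and its band, and a treatment, then the whole record is serialised. The 1-5 and 1-6 numbering of the likelihood and impact scales, the record field names and the sample Delta items are assumptions made for illustration.

```python
"""Added example: the deck's Risk Index (Impact x Likelihood, 5x6 matrix, bands
Low 1-4 / Medium 5-12 / High 15-20 / Critical 24-30) written into a JSON risk
record. Scale numbering, field names and sample Delta items are assumptions."""
import json

# Five likelihood levels from the "Likelihood of occurrence" slide, scored 1-5.
LIKELIHOOD = {"RARE": 1, "UNLIKELY": 2, "POSSIBLE": 3, "LIKELY": 4, "EXPECTED": 5}

# Six business impact categories from the "Business impacts" slide, scored 1-6
# in the order the deck lists them (assumed: the deck prints no numbers).
IMPACT = {"No Impact": 1, "Business Red-line Impact": 2, "Reputation Impact": 3,
          "Business Disruption": 4, "Regulatory Impact": 5, "Legal Impact": 6}

# Bands exactly as stated on the Risk Index slide. The gaps (13, 14, 21-23)
# are harmless: no product of 1..5 and 1..6 lands on them.
BANDS = [(1, 4, "Low"), (5, 12, "Medium"), (15, 20, "High"), (24, 30, "Critical")]

def risk_index(likelihood: str, impact: str) -> int:
    """Risk Index = Impact of risk x Likelihood of occurrence."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]

def risk_band(index: int) -> str:
    """Map a Risk Index onto the deck's Low/Medium/High/Critical bands."""
    for low, high, name in BANDS:
        if low <= index <= high:
            return name
    raise ValueError(f"index {index} is outside the 5x6 matrix")

def worst_case(impact_by_cia: dict) -> str:
    """Worst-case impact across C, I and A, as the 'Assess the impact' slide asks."""
    return max(impact_by_cia.values(), key=IMPACT.__getitem__)

def assess(delta_item: dict) -> dict:
    """Turn one Delta item (a requirement the service does not meet) into a
    risk record entry. Field names are illustrative, not Securestorm's schema."""
    impact = worst_case(delta_item["impact_by_cia"])
    index = risk_index(delta_item["likelihood"], impact)
    return {
        "requirement": delta_item["requirement"],
        "data_type": delta_item["data_type"],
        "worst_case_impact": impact,
        "likelihood": delta_item["likelihood"],
        "risk_index": index,
        "risk_band": risk_band(index),
        "treatment": delta_item["treatment"],
    }

# Constructed sample Delta for a hypothetical service (not from the deck).
SAMPLE_DELTA = [
    {
        "requirement": "Data-in-transit must be encrypted (business red-line)",
        "data_type": "Legally Defined",
        "impact_by_cia": {"C": "Legal Impact", "I": "Reputation Impact", "A": "No Impact"},
        "likelihood": "POSSIBLE",
        "treatment": "MITIGATE: enforce TLS per the external-facing services guidance",
    },
    {
        "requirement": "Supplier assurance evidence not refreshed since last audit",
        "data_type": "Routine Public Sector Business",
        "impact_by_cia": {"C": "No Impact", "I": "No Impact", "A": "Business Disruption"},
        "likelihood": "UNLIKELY",
        "treatment": "ACCEPT: within appetite, re-audit at the next Risk Management Checkpoint",
    },
]

def risk_report(delta: list) -> str:
    """Serialise the record as JSON, one of the formats the schema slide names."""
    return json.dumps([assess(d) for d in delta], indent=2)

if __name__ == "__main__":
    print(risk_report(SAMPLE_DELTA))
```

The first sample item scores 6 × 3 = 18 (High) and the second 4 × 2 = 8 (Medium), which is the kind of delta a SIRO/AO Risk Report would carry alongside the chosen treatment.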