Presentation is loading. Please wait.

Presentation is loading. Please wait.

CESG. © Crown Copyright. All rights reserved. Information Assurance within HMG and Secure Information Sharing across the Wider Public Sector Kevin Hayes,

Published byJasmine Atkinson Modified over 8 years ago

Similar presentations

Presentation on theme: "CESG. © Crown Copyright. All rights reserved. Information Assurance within HMG and Secure Information Sharing across the Wider Public Sector Kevin Hayes,"— Presentation transcript:

1 CESG

2 © Crown Copyright. All rights reserved. Information Assurance within HMG and Secure Information Sharing across the Wider Public Sector Kevin Hayes, Head of IA Consultancy Services CESG

3 © Crown Copyright. All rights reserved. Objectives:  I’m going to cover:  What is Information Assurance (IA)?  The wider context - the National IA Strategy  The HMG approach to security and IA and how this affects the wider public sector  Information risk management and accreditation

4 © Crown Copyright. All rights reserved. Definition of Information Assurance (IA)  “Confidence that risks to information & communications systems are being properly managed.”  “The confidence that information systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users.” (Information and Information System will be referred to as an ICT System from now on).

5 © Crown Copyright. All rights reserved. National IA Strategy (NIAS)  Holistic approach for the whole of the UK  To optimise ICT for Public & Private Sectors by 2011  3 Enabler Objectives:  Governance and Risk Management.  Assurance and Standards.  Capabilities (Partnerships).  Aligned with Transformational Government (TG) – CIO/CTO Councils lead  To get it right we need to change Culture and Perception across the whole of government

6 © Crown Copyright. All rights reserved. Security Policy Framework Mandated Protective Security Policy –For HMG Departments and their Agencies –Includes IA Policy 4 Tiers Not Protectively Marked –Tiers 1-3 –Available to public

7 © Crown Copyright. All rights reserved. Overarching Security Statement Protective Security, including physical, personnel and information security are key enablers in making government work better. Security Risks must be managed effectively, collectively and proportionately, to achieve a secure and confident working environment.

8 © Crown Copyright. All rights reserved. Core Security Principles Governance Collective Responsibility Information Sharing Trusted staff and contractors Resilience

9 © Crown Copyright. All rights reserved. Governance Ultimate responsibility for HMG security policy lies with the Prime Minister and the Cabinet Office Ministerial Committee – Oversight Board – Delivery Group – Departments Departments and Agencies, via their Permanent Secretaries and Chief Executives, must manage their security risks within the parameters set out in the SPF

10 © Crown Copyright. All rights reserved. Collective Responsibility All HMG employees have a collective responsibility to ensure that government assets (information, property and staff) are protected in a proportionate manner from terrorist attack, and other illegal or malicious activity

11 © Crown Copyright. All rights reserved. Information Sharing Departments and Agencies must be able to share information (including personal data) confidently knowing it is reliable, accessible and protected to agreed standards

12 © Crown Copyright. All rights reserved. Trusted Staff and Contractors Departments and Agencies must employ staff (and contractors) in whom they can have confidence and whose identities are assured

13 © Crown Copyright. All rights reserved. Resilience HMG business needs to be resilient in the face of major disruptive events, with plans in place to minimise damage and rapidly recover capabilities

14 © Crown Copyright. All rights reserved. Security Policies Seven Security Policy Documents –Governance Risk Management and Compliance –Protective Marking and Asset Control –Personnel Security –Information Security and Assurance –Physical Security –Counter-Terrorism –Business Continuity

15 © Crown Copyright. All rights reserved. Security Policies Seventy (70) mandatory requirements –High Level –Business neutral –Supported by detailed Tier 4 Security Policies and Good Practice Guidance

16 © Crown Copyright. All rights reserved. Detailed Policy and Guidance Support all seven Security Policies Mixture of detailed Policy and Guidance Policy will state must Guidance may state must, but only when it refers up to a Mandatory Requirement

17 © Crown Copyright. All rights reserved. Focus on Mandatory Requirements MANDATORY REQUIREMENT 5: Departments and Agencies must adopt a risk management approach (including a detailed risk register) to cover all areas of protective security across their organisation.

18 © Crown Copyright. All rights reserved. Focus on Mandatory Requirements MANDATORY REQUIREMENT 2: Departments must ensure that their Agencies and main delivery partners are compliant with this framework, and must consider the extent to which those providing other goods and / or services to them, or carrying out functions on their behalf, are required to comply.

19 © Crown Copyright. All rights reserved. Focus on Mandatory Requirements MANDATORY REQUIREMENT 11: Departments and Agencies must apply the Protective Marking System and the necessary controls and technical measures as outlined in this framework. MANDATORY REQUIREMENT 33: Departments and Agencies must, in conjunction with the Protective Marking System, use Business Impact Levels (ILs) to assess and identify the impacts to the business through the loss of Confidentiality, Integrity and/or Availability of data and ICT systems should risks be realised. Aggregation of data must also be considered as a factor in determining ILs.

20 © Crown Copyright. All rights reserved. Focus on Mandatory Requirements MANDATORY REQUIREMENT 32: Departments and Agencies must conduct an annual technical risk assessment (using HMG IA Standard No.1) for all HMG ICT Projects and Programmes, and when there is a significant change in a risk component (Threat, Vulnerability, Impact etc.) to existing HMG ICT Systems in operation. The assessment and the risk management decisions made must be recorded in the Risk Management and Accreditation Documentation Set (RMADS), using HMG IA Standard No.2 – Risk Management and Accreditation of Information Systems.

21 © Crown Copyright. All rights reserved. Focus on Mandatory Requirements MANDATORY REQUIREMENT 36: ICT systems that process protectively marked Government data must be accredited using HMG IA Standard No. 2 – Risk Management and Accreditation of Information Systems, and the accreditation status must be reviewed at least annually to judge whether material changes have occurred which could alter the original accreditation decision.

22 © Crown Copyright. All rights reserved. Focus on Mandatory Requirements MANDATORY REQUIREMENT 14: Departments and Agencies must follow the minimum standards and procedures for handling and protecting citizen or personal data, as outlined in HMG IA Standard No.6 – Protecting Personal Data and Managing Information Risk.

23 © Crown Copyright. All rights reserved. Security and Information Assurance in Government - how does HMG value assets? Business Impact Levels Describe the impact of loss of confidentiality, integrity or availability Read across to traditional HMG Protective Markings But can be used to describe losses of accumulated or associated data Applicable across wider government and beyond

24 © Crown Copyright. All rights reserved. Business Impact Level/Protective Marking BIL0Minimal impact BIL1 (PROTECT)Minor impact (single citizen) BIL2 (PROTECT)Moderate/short-term BIL3 (RESTRICTED)Significant/prolonged BIL4 (CONFIDENTIAL)Serious/substantial BIL5 (SECRET)Major/widespread/threat to life BIL6 (TOP SECRET)Catastrophic/lead directly to loss of life

25 © Crown Copyright. All rights reserved. What is Accreditation? Process of understanding risks to an ICT system and addressing those risks. CESG IS2 describes the process (how to produce an RMADS) and linkage to OGC Gateway process IS1 Part 1 describes how to do technical risk analysis, identify and prioritise risks IS1 Part 2 deals with risk treatment

26 © Crown Copyright. All rights reserved. Risk treatment CESG Policy and Good Practice Guides provide policy and advice on technical risk treatment: –IS5 – Secure Sanitisation –IS6 – Personal Data and Information Risk –GPG6 – Off-shoring: Managing the Security Risk –GPG7 – Protection against Malicious Software –GPG8 – Protecting External Communications to the Internet –GPG10 – Remote Working –GPG12 – Virtualisation Products and Techniques –GPG13 – Protective Monitoring

27 © Crown Copyright. All rights reserved. CESG IS6: Protecting Personal Data and Managing Information Risk Builds on DHR June 2008, for full details see: www.cabinet-office.gov.uk/csia (Also Poynter, Burton, Walport/Thomas and Omand)

28 © Crown Copyright. All rights reserved. Minimum Scope of Protected Personal Data Any information that links one or more identifiable living person with information about them whose release would put them at significant risk of harm or distress (e.g. name/address and Nation Insurance number or bank account number) Any source of information about 1000 or more identifiable individuals, other than information sourced from the public domain (e.g. 1000 names and DoB in a spreadsheet or on a disk)

29 © Crown Copyright. All rights reserved. Core minimum measures to protect information Keep protected data within secure premises and systems Minimise the use of removable media (such as laptops, computer discs and memory sticks) for personal data Information relating to 100,000 or more identifiable individuals will require independent penetration testing Access rights must be minimised Record use of electronically held personal information Greater use of formal accreditation for ICT systems

30 © Crown Copyright. All rights reserved. Accountability Formalisation of roles and responsibilities: –Accounting Officer (LA CEO) –Senior Information Risk Owner (SIRO/LA 151 Officer) –Information Asset Owner (IAO) –Senior Responsible Owner (SRO) Departments are required to: Assess information risks quarterly Put in place responses to manage those risks; Specify an annual process of assessment

31 © Crown Copyright. All rights reserved. Compliance - external scrutiny of performance: Specific inclusion in the Statement of External Control CESG Good Practice Guide 15 (Auditing Compliance) CESG IA Maturity Model assesses IA at an organisational level National Audit Office scrutiny Spot checks by the Information Commissioner; and Targeted intervention where necessary

32 © Crown Copyright. All rights reserved. Questions? Contact: Kevin Hayes CESG E-mail: kevin.hayes@cesg.gsi.gov.ukkevin.hayes@cesg.gsi.gov.uk

Download ppt "CESG. © Crown Copyright. All rights reserved. Information Assurance within HMG and Secure Information Sharing across the Wider Public Sector Kevin Hayes,"

Similar presentations

Developing an Evaluation Strategy – experience in DFID Nick York Director – Country, Corporate and Global Evaluations, World Bank IEG Former Chief Professional.

Developing an Evaluation Strategy – experience in DFID Nick York Director – Country, Corporate and Global Evaluations, World Bank IEG Former Chief Professional.
Debt Management Strategy: Governance and Transparency

Debt Management Strategy: Governance and Transparency
Auditing, Assurance and Governance in Local Government

Auditing, Assurance and Governance in Local Government
Www.ethics.qld.gov.au SES Ethics Workshop. www.ethics.qld.gov.au Compliance or Culture How to institutionalise ethics in public administration.

SES Ethics Workshop. Compliance or Culture How to institutionalise ethics in public administration.
1 Auditing in the Public Interest Records Management in the Victorian Public Sector Audit objective Audit had two objectives : The first objective was.

1 Auditing in the Public Interest Records Management in the Victorian Public Sector Audit objective Audit had two objectives : The first objective was.
Control and Accounting Information Systems

Control and Accounting Information Systems
Development of internal control: methodology and responsibility

Development of internal control: methodology and responsibility
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
DERBYSHIRE COUNTY COUNCIL RISK MANAGEMENT AWARENESS TOOLKIT FOR ELECTED MEMBERS Martin Brassington and Tom Smith 2006.

DERBYSHIRE COUNTY COUNCIL RISK MANAGEMENT AWARENESS TOOLKIT FOR ELECTED MEMBERS Martin Brassington and Tom Smith 2006.
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
Risk Management a Case Study DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS.

Risk Management a Case Study DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS.
2011 Governance, Risk, and Compliance Conference August 29 – 31, 2011 / Orlando, FL, USA The Top Four Essential Objectives to Auditing ERM Stephen E. McBride,

2011 Governance, Risk, and Compliance Conference August 29 – 31, 2011 / Orlando, FL, USA The Top Four Essential Objectives to Auditing ERM Stephen E. McBride,
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
Standard 1: Governance for safety and quality in heath service organisations Advice Centre Network Meeting Margaret Banks Senior Program Director February.

Standard 1: Governance for safety and quality in heath service organisations Advice Centre Network Meeting Margaret Banks Senior Program Director February.
Security Controls – What Works

Security Controls – What Works
Contractor Assurance Discussion Forrestal Building Washington, D.C. December 14, 2011.

Contractor Assurance Discussion Forrestal Building Washington, D.C. December 14, 2011.
Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES.

Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES.
Presentation on Integrating Management Systems www.imsrisksolutions.co.uk.

Presentation on Integrating Management Systems
How can projects be controlled?

How can projects be controlled?
The Crown and Suppliers: A New Way of Working People & Security15:35 – 16:20 Channels & Citizen Engagement Social Media ICT Capability Risk Management.

The Crown and Suppliers: A New Way of Working People & Security15:35 – 16:20 Channels & Citizen Engagement Social Media ICT Capability Risk Management.

Similar presentations

Ads by Google