
‘Risk-based’ Approach to Managing Infrastructure: a ‘Commercial Perspective’. Malcolm Page, BT UK. AFCEA Lisbon 2005. © BT PLC 2005.


Slide 2: Objectives of the presentation
To review the drivers and challenges
Dealing with collaboration
Risk reviews & modelling
Compliance
Testing
Summary
Questions

Slide 3: Defence Drivers & Trends
Modernisation of armed forces
Reduction in defence budgets
Rapid deployment of armed forces on overseas missions
Global role - nation’s eyes only
Interoperability of Command & Control
Prime contracting (PFI) - partners take a share of responsibility / risk
The increased threat from cyberspace
Foreign intelligence services and identity theft management
Homeland / national ICT defence
Increase in overseas peacekeeping commitments with other foreign powers
Increased infrastructure attack from cyber terrorism

Slide 4: Additional Drivers
Increased pressure for information governance
Regulatory compliance
Need to demonstrate stakeholder value
Public monies being put to good use
Accurate information available for C3I decision making
C3I: Command, Control, Communication, Information

Slide 5: Challenges
Maintaining the confidentiality, integrity and availability of defence infrastructure
Protection of defence infrastructure against attack from foreign powers (covert / overt)
Information assurance (defence accreditation of information and systems, such as NATO Classified)
Modernisation of armed services on reduced budgets
Recruiting and retaining the right personnel
Increased use of ‘ICT networks’ to deliver Command & Control

Slide 6: Commercial Risk-Based Management: Defence in Depth
Balanced assessment of risk probability v risk impact v cost of mitigation etc., dynamically translated into strategies, rules, practices, processes and procedures, and regularly reviewed.
The people. Includes: recruiting, selection, clearances, access rights and other controls (both on joining and on leaving the organisation), alternate resource pools, monitoring, auditing, communication, awareness, training etc.
The physical infrastructure. Includes: sites and their locations, adjacent “threats” (natural and man-made), utility service provision and back-ups, alternate sites, physical hardware assets (down to granular levels, e.g. signed-off holdings of desktop assets), access controls, guarding, alerting, monitoring, testing, auditing etc.
The information infrastructure. Includes: data, voice and IP network information transfer systems, and associated information storage and back-up facilities etc. Information retention policies also apply.

Slide 7: Security In Depth
People, not just technology: policy, communication and awareness
Firewalls (interconnect policies): define allowed traffic in and out of the security domain
Intrusion detection systems and penetration tests: monitoring and alerting
Security configuration compliance
Servers: server sensors, patching and configuration checks
Desktop: anti-virus software, patching and configuration
Web filters: where are your people going, what are they doing?
Logging and auditing

Slide 8: Key Collaboration Partners
[Diagram. Nodes: Field Command; Air Force; Navy; Army; Mobile Personnel; Civilian Defence Units & Local Govt offices; Central & Intergovernmental Organisations, e.g. NATO / EU. Link labels: transfer of real-time critical data & information securely via multi-channel methods; collaboration and sharing of data; policy / direction setting & legislation; intelligence; civil defence contingency plans, directives, command control & coordination of action.]

Slide 9: Risks
[Same partner diagram as slide 8 (Field Command; Air Force; Navy; Army; Mobile Personnel; Civilian Defence Units & Local Govt offices; Central & Intergovernmental Organisations, e.g. NATO / EU), annotated with the following risks.]
More sophisticated attacks on information infrastructure
Interoperability of systems - vulnerabilities
Unauthorised access to sensitive data, e.g. intelligence
Downtime / denial of service, e.g. during deployment
Downtime & reliability
Nation’s eyes only
Real-time response to threat
Resilience - maintaining comms in the battle-space
Breach of classification levels of data
Secure comms from remote locations
Cost

Slide 10: How effective is this risk management?

Slide 11: Critical Infrastructure Risk Model
[Diagram; labels recovered from the slide, grouping inferred from the label names: Protagonist Model (Capability, Opportunity, Motivation); Business Model (Criticality, Continuity, Dependency); Vulnerability Model (Protection, Detection, Reaction); Attack Likelihood Assessment; Impact Analysis; Risk Analysis Framework; priorities; Solutions (Technology, Integration, Process, People); Risk Managed Solutions.]
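The "risk probability v risk impact v cost of mitigation" balance of slide 6 and the likelihood / impact / priorities flow of this slide, carried through as a worked example. This is an added example, not BT's model or any code from the presentation: the 1-5 scoring scales, the product-of-factors likelihood formula, the multiplicative treatment of overlapping controls, the greedy budget selection and the sample register are all assumptions made for the illustration.

```python
"""Risk-managed prioritisation: score each threat as likelihood x impact, then
pick mitigations by risk reduction per unit cost within a fixed budget.
Scales, formulas and sample data are assumptions of this example, not BT's."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Threat:
    name: str
    capability: int    # protagonist factor, 1 (low) to 5 (high)
    opportunity: int   # protagonist factor, 1 to 5
    motivation: int    # protagonist factor, 1 to 5
    criticality: int   # business impact of the affected service, 1 to 5

    def likelihood(self) -> float:
        """Attack likelihood on a 0-1 scale: product of the protagonist
        factors normalised by the maximum 5*5*5 (assumed formula)."""
        return (self.capability * self.opportunity * self.motivation) / 125.0

    def risk(self) -> float:
        """Inherent risk = likelihood x impact, on a 0-5 scale."""
        return self.likelihood() * self.criticality


@dataclass
class Mitigation:
    name: str
    cost: float                 # budget units (assumed)
    reduces: Dict[str, float]   # threat name -> fraction of its risk removed


def residual_risks(threats: List[Threat], selected: List[Mitigation]) -> Dict[str, float]:
    """Residual risk per threat once the selected mitigations are applied.
    Controls are assumed independent, so their residual factors multiply."""
    out = {}
    for t in threats:
        factor = 1.0
        for m in selected:
            factor *= 1.0 - m.reduces.get(t.name, 0.0)
        out[t.name] = t.risk() * factor
    return out


def total_risk(threats: List[Threat], selected: List[Mitigation]) -> float:
    return sum(residual_risks(threats, selected).values())


def prioritise(threats: List[Threat], mitigations: List[Mitigation],
               budget: float) -> Tuple[List[Mitigation], float]:
    """Greedy selection: repeatedly take the affordable mitigation with the
    highest risk reduction per unit cost, re-scoring after every pick so a
    control overlapping an already-chosen one is not over-credited.
    Returns the chosen mitigations (in pick order) and the residual risk."""
    selected: List[Mitigation] = []
    candidates = list(mitigations)
    remaining = budget
    while True:
        current = total_risk(threats, selected)
        best, best_ratio = None, 0.0
        for m in candidates:
            if m.cost > remaining:
                continue
            reduction = current - total_risk(threats, selected + [m])
            ratio = reduction / m.cost
            if ratio > best_ratio:
                best, best_ratio = m, ratio
        if best is None:
            return selected, current
        selected.append(best)
        candidates.remove(best)
        remaining -= best.cost


def sample_register() -> Tuple[List[Threat], List[Mitigation]]:
    """Constructed sample data for a defence-style estate (not real figures)."""
    threats = [
        Threat("Remote access compromise", capability=4, opportunity=5, motivation=5, criticality=5),
        Threat("Insider data leak", capability=3, opportunity=4, motivation=3, criticality=5),
        Threat("DoS during deployment", capability=2, opportunity=5, motivation=4, criticality=4),
    ]
    mitigations = [
        Mitigation("Harden remote access", 30.0, {"Remote access compromise": 0.6}),
        Mitigation("Insider monitoring and access reviews", 20.0,
                   {"Insider data leak": 0.5, "Remote access compromise": 0.1}),
        Mitigation("Resilient comms / DDoS protection", 40.0, {"DoS during deployment": 0.7}),
        Mitigation("Awareness training", 5.0,
                   {"Insider data leak": 0.2, "Remote access compromise": 0.1}),
    ]
    return threats, mitigations


if __name__ == "__main__":
    threats, mitigations = sample_register()
    chosen, residual = prioritise(threats, mitigations, budget=60.0)
    print(f"inherent risk {total_risk(threats, []):.3f}, residual {residual:.3f}")
    for m in chosen:
        print(f"  pick: {m.name} (cost {m.cost:g})")
```

With a budget of 60 the greedy pass takes the cheap awareness control first, then remote-access hardening, then insider monitoring, and cannot afford the DDoS protection; the unmitigated DoS threat is exactly the kind of residual the slide's "regularly reviewed" loop should surface at the next cycle. Greedy ratio selection is not guaranteed optimal for a knapsack-shaped problem, and single-point 1-5 scores hide estimation uncertainty; a practitioner would re-run the model with low and high scores for each factor before committing spend.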

Slide 12: Overall Security Process
[Process diagram; labels recovered from the slide: Business Requirements; Business Continuity Strategy; Business Continuity Plans; Business Continuity Plan Test; Security Risk Analysis and Management; Security Policy; Community Security Policy; Identification of Security Countermeasures; Non-Technical Security Operating Procedures; Technical Security Architecture; Technical Security Components and Tools (Technical Solution); Firewall Policies; Security Incident Handling and Reporting; Security Awareness; Regular Security Audit / Compliance Checking; Security Assurance Testing / Evaluation Reports; Accreditation; Accredited Service Implemented in a Secure Environment; Live System Environment; Monitoring System in Operational Use; Feedback into Risk Analysis etc.; Security Management; Information Security Summary.]

Slide 13: Compliance
Security audit / compliance checks: business security health check
Gap analysis (e.g. against ISO 27001, (UK) MPS / JSP 440)
Security evaluation services
IT security testing services
Compliance against regulatory requirements such as data protection

Slide 14: IT security testing services
[Diagram of three service levels; labels: Level 1, Level 2, Level 3; Automated Vulnerability Scan; Network Mapping; Penetration Testing; Technical Security Check.]
The Technical Security Check (Level 2) includes:
1. Technical security policy review
2. Vulnerability assessment options
3. Firewall rulebase analysis
4. Physical computer room check
5. Social engineering
6. Web application testing
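A worked example of the "firewall rulebase analysis" item above, which is also the check behind slide 7's "define allowed traffic in and out of the security domain". This is an added example, not BT's tooling or anything from the presentation: the five-field rule syntax and the sample rulebase are constructed for illustration, and the shadowing check only detects a rule fully covered by a single earlier rule.

```python
"""Firewall rulebase analysis: flag any/any permits, rules shadowed by an
earlier rule, and a missing explicit final deny. The rule syntax, sample
rulebase and single-rule shadowing check are assumptions of this example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)

# Constructed sample rulebase (not taken from any real device).
# Format: action proto src dst dst-port ; "#" starts a comment.
SAMPLE_RULEBASE = """
permit tcp 10.1.0.0/16 any 443           # 1: HQ users to HTTPS anywhere
permit tcp any any any                   # 2: "temporary" catch-all
deny   tcp 10.1.5.0/24 any 443           # 3: meant to block one subnet
permit tcp 10.3.0.0/16 10.9.0.10 22      # 4: admin SSH to a jump host
permit udp 10.2.0.0/16 10.9.0.0/24 53    # 5: DNS to resolvers
deny   ip  any any any                   # 6: explicit default deny
"""


@dataclass(frozen=True)
class Rule:
    pos: int                       # 1-based position in the rulebase
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Tuple[int, int]         # inclusive destination port range

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        if self.proto != "ip" and self.proto != other.proto:
            return False
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1])

    def is_any_any_permit(self) -> bool:
        return (self.action == "permit" and self.src == ANY_NET
                and self.dst == ANY_NET and self.ports == ANY_PORTS)


def _net(token: str) -> ipaddress.IPv4Network:
    return ANY_NET if token == "any" else ipaddress.ip_network(token, strict=False)


def _ports(token: str) -> Tuple[int, int]:
    if token == "any":
        return ANY_PORTS
    lo, _, hi = token.partition("-")
    return (int(lo), int(hi or lo))


def parse_rulebase(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, ports = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        rules.append(Rule(len(rules) + 1, action, proto, _net(src), _net(dst), _ports(ports)))
    return rules


def find_any_any_permits(rules: List[Rule]) -> List[int]:
    return [r.pos for r in rules if r.is_any_any_permit()]


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """(shadowed rule, first earlier rule that fully covers it, kind).
    "conflict" when the actions differ (the later rule's intent is silently
    lost), "redundant" when they match. A rule covered only by the union of
    several earlier rules is not detected."""
    findings = []
    for j, rule in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.covers(rule):
                kind = "redundant" if earlier.action == rule.action else "conflict"
                findings.append((rule.pos, earlier.pos, kind))
                break
    return findings


def has_final_deny(rules: List[Rule]) -> bool:
    if not rules:
        return False
    last = rules[-1]
    return (last.action == "deny" and last.proto == "ip" and last.src == ANY_NET
            and last.dst == ANY_NET and last.ports == ANY_PORTS)


def analyse(text: str) -> Dict[str, object]:
    rules = parse_rulebase(text)
    return {"any_any_permits": find_any_any_permits(rules),
            "shadowed": find_shadowed(rules),
            "final_deny": has_final_deny(rules)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_RULEBASE).items():
        print(f"{key}: {value}")
```

On the sample, rule 2 is the any/any permit, rule 3 is a deny shadowed by the permit in rule 1 (a conflict: the subnet it was meant to block still gets through), and rule 4 is merely redundant behind the catch-all. The conflict finding is the one that changes policy; the redundant one is cleanup. To use this on a real estate, export the vendor rulebase and convert it to the five-field form, and treat the single-rule shadowing limit as a known gap rather than a clean bill of health.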

Slide 15: Proactive Monitoring, Management & Testing
Network management: effective network design; ensure efficient operation; ensure high availability; firewalls in place; provide connectivity.
Security management: effective security design; manage vulnerability; monitor internal / external; integrate and interpret; build IRP.
Best practice is a blend of network & security operations.

Slide 16: Can commercial security deliver for NATO?
Accountable
Retain experienced staff
Government-cleared personnel
Setting standards
Availability 365 x 24 x 7
Information sharing: ‘FIRST’, trade partners, government agencies etc.

Slide 17: Potential benefits
Reduced technological and operational risks
Reduced costs
Expertise - know-how
Linked into ‘in-country’ Critical National Information Infrastructure
Global capability
Regular audits & reviews
Invariably Commercial Off-The-Shelf (COTS) solutions

Slide 18: Questions?
Malcolm Page, Business Continuity, Security & Governance Practice, +44 7711 073329, malcolm.page@bt.com

