CESG
© Crown Copyright. All rights reserved. Information Assurance within HMG and Secure Information Sharing across the Wider Public Sector Kevin Hayes, Head of IA Consultancy Services CESG
© Crown Copyright. All rights reserved. Objectives: I’m going to cover: What is Information Assurance (IA)? The wider context - the National IA Strategy The HMG approach to security and IA and how this affects the wider public sector Information risk management and accreditation
© Crown Copyright. All rights reserved. Definition of Information Assurance (IA) “Confidence that risks to information & communications systems are being properly managed.” “The confidence that information systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users.” (Information and Information System will be referred to as an ICT System from now on).
© Crown Copyright. All rights reserved. National IA Strategy (NIAS) Holistic approach for the whole of the UK To optimise ICT for Public & Private Sectors by 2011 3 Enabler Objectives: Governance and Risk Management. Assurance and Standards. Capabilities (Partnerships). Aligned with Transformational Government (TG) – CIO/CTO Councils lead To get it right we need to change Culture and Perception across the whole of government
© Crown Copyright. All rights reserved. Security Policy Framework Mandated Protective Security Policy –For HMG Departments and their Agencies –Includes IA Policy 4 Tiers Not Protectively Marked –Tiers 1-3 –Available to public
© Crown Copyright. All rights reserved. Overarching Security Statement Protective Security, including physical, personnel and information security are key enablers in making government work better. Security Risks must be managed effectively, collectively and proportionately, to achieve a secure and confident working environment.
© Crown Copyright. All rights reserved. Core Security Principles Governance Collective Responsibility Information Sharing Trusted staff and contractors Resilience
© Crown Copyright. All rights reserved. Governance Ultimate responsibility for HMG security policy lies with the Prime Minister and the Cabinet Office Ministerial Committee – Oversight Board – Delivery Group – Departments Departments and Agencies, via their Permanent Secretaries and Chief Executives, must manage their security risks within the parameters set out in the SPF
© Crown Copyright. All rights reserved. Collective Responsibility All HMG employees have a collective responsibility to ensure that government assets (information, property and staff) are protected in a proportionate manner from terrorist attack, and other illegal or malicious activity
© Crown Copyright. All rights reserved. Information Sharing Departments and Agencies must be able to share information (including personal data) confidently knowing it is reliable, accessible and protected to agreed standards
© Crown Copyright. All rights reserved. Trusted Staff and Contractors Departments and Agencies must employ staff (and contractors) in whom they can have confidence and whose identities are assured
© Crown Copyright. All rights reserved. Resilience HMG business needs to be resilient in the face of major disruptive events, with plans in place to minimise damage and rapidly recover capabilities
© Crown Copyright. All rights reserved. Security Policies Seven Security Policy Documents –Governance Risk Management and Compliance –Protective Marking and Asset Control –Personnel Security –Information Security and Assurance –Physical Security –Counter-Terrorism –Business Continuity
© Crown Copyright. All rights reserved. Security Policies Seventy (70) mandatory requirements –High Level –Business neutral –Supported by detailed Tier 4 Security Policies and Good Practice Guidance
© Crown Copyright. All rights reserved. Detailed Policy and Guidance Support all seven Security Policies Mixture of detailed Policy and Guidance Policy will state must Guidance may state must, but only when it refers up to a Mandatory Requirement
© Crown Copyright. All rights reserved. Focus on Mandatory Requirements MANDATORY REQUIREMENT 5: Departments and Agencies must adopt a risk management approach (including a detailed risk register) to cover all areas of protective security across their organisation.
© Crown Copyright. All rights reserved. Focus on Mandatory Requirements MANDATORY REQUIREMENT 2: Departments must ensure that their Agencies and main delivery partners are compliant with this framework, and must consider the extent to which those providing other goods and / or services to them, or carrying out functions on their behalf, are required to comply.
© Crown Copyright. All rights reserved. Focus on Mandatory Requirements MANDATORY REQUIREMENT 11: Departments and Agencies must apply the Protective Marking System and the necessary controls and technical measures as outlined in this framework. MANDATORY REQUIREMENT 33: Departments and Agencies must, in conjunction with the Protective Marking System, use Business Impact Levels (ILs) to assess and identify the impacts to the business through the loss of Confidentiality, Integrity and/or Availability of data and ICT systems should risks be realised. Aggregation of data must also be considered as a factor in determining ILs.
© Crown Copyright. All rights reserved. Focus on Mandatory Requirements MANDATORY REQUIREMENT 32: Departments and Agencies must conduct an annual technical risk assessment (using HMG IA Standard No.1) for all HMG ICT Projects and Programmes, and when there is a significant change in a risk component (Threat, Vulnerability, Impact etc.) to existing HMG ICT Systems in operation. The assessment and the risk management decisions made must be recorded in the Risk Management and Accreditation Documentation Set (RMADS), using HMG IA Standard No.2 – Risk Management and Accreditation of Information Systems.
© Crown Copyright. All rights reserved. Focus on Mandatory Requirements MANDATORY REQUIREMENT 36: ICT systems that process protectively marked Government data must be accredited using HMG IA Standard No. 2 – Risk Management and Accreditation of Information Systems, and the accreditation status must be reviewed at least annually to judge whether material changes have occurred which could alter the original accreditation decision.
© Crown Copyright. All rights reserved. Focus on Mandatory Requirements MANDATORY REQUIREMENT 14: Departments and Agencies must follow the minimum standards and procedures for handling and protecting citizen or personal data, as outlined in HMG IA Standard No.6 – Protecting Personal Data and Managing Information Risk.
© Crown Copyright. All rights reserved. Security and Information Assurance in Government - how does HMG value assets? Business Impact Levels Describe the impact of loss of confidentiality, integrity or availability Read across to traditional HMG Protective Markings But can be used to describe losses of accumulated or associated data Applicable across wider government and beyond
© Crown Copyright. All rights reserved. Business Impact Level/Protective Marking BIL0Minimal impact BIL1 (PROTECT)Minor impact (single citizen) BIL2 (PROTECT)Moderate/short-term BIL3 (RESTRICTED)Significant/prolonged BIL4 (CONFIDENTIAL)Serious/substantial BIL5 (SECRET)Major/widespread/threat to life BIL6 (TOP SECRET)Catastrophic/lead directly to loss of life
© Crown Copyright. All rights reserved. What is Accreditation? Process of understanding risks to an ICT system and addressing those risks. CESG IS2 describes the process (how to produce an RMADS) and linkage to OGC Gateway process IS1 Part 1 describes how to do technical risk analysis, identify and prioritise risks IS1 Part 2 deals with risk treatment
© Crown Copyright. All rights reserved. Risk treatment CESG Policy and Good Practice Guides provide policy and advice on technical risk treatment: –IS5 – Secure Sanitisation –IS6 – Personal Data and Information Risk –GPG6 – Off-shoring: Managing the Security Risk –GPG7 – Protection against Malicious Software –GPG8 – Protecting External Communications to the Internet –GPG10 – Remote Working –GPG12 – Virtualisation Products and Techniques –GPG13 – Protective Monitoring
© Crown Copyright. All rights reserved. CESG IS6: Protecting Personal Data and Managing Information Risk Builds on DHR June 2008, for full details see: (Also Poynter, Burton, Walport/Thomas and Omand)
© Crown Copyright. All rights reserved. Minimum Scope of Protected Personal Data Any information that links one or more identifiable living person with information about them whose release would put them at significant risk of harm or distress (e.g. name/address and Nation Insurance number or bank account number) Any source of information about 1000 or more identifiable individuals, other than information sourced from the public domain (e.g names and DoB in a spreadsheet or on a disk)
© Crown Copyright. All rights reserved. Core minimum measures to protect information Keep protected data within secure premises and systems Minimise the use of removable media (such as laptops, computer discs and memory sticks) for personal data Information relating to 100,000 or more identifiable individuals will require independent penetration testing Access rights must be minimised Record use of electronically held personal information Greater use of formal accreditation for ICT systems
© Crown Copyright. All rights reserved. Accountability Formalisation of roles and responsibilities: –Accounting Officer (LA CEO) –Senior Information Risk Owner (SIRO/LA 151 Officer) –Information Asset Owner (IAO) –Senior Responsible Owner (SRO) Departments are required to: Assess information risks quarterly Put in place responses to manage those risks; Specify an annual process of assessment
© Crown Copyright. All rights reserved. Compliance - external scrutiny of performance: Specific inclusion in the Statement of External Control CESG Good Practice Guide 15 (Auditing Compliance) CESG IA Maturity Model assesses IA at an organisational level National Audit Office scrutiny Spot checks by the Information Commissioner; and Targeted intervention where necessary
© Crown Copyright. All rights reserved. Questions? Contact: Kevin Hayes CESG