Supporting Supplier Security Compliance Ian Lawden

Context
Over 20 million customers (all figures accurate at February 2010 unless otherwise stated):
- 5.9 million working-age benefit claimants
- 479 thousand people claiming Employment and Support Allowance (ESA)
- 2.61 million working-age claimants of ESA and incapacity benefits
- 692 thousand lone parents claiming Income Support (IS)
- 4.75 million people claiming Housing Benefit, with 5.78 million claiming Council Tax Benefit
- 12.7 million people of state pension age claiming a DWP benefit
- 12.5 million claimants of State Pension (SP)
- 3.68 million people had started on a New Deal programme (up to May 2010)

Policy and Commissioning Function: organisation (May 2009)
Ministers prioritise customer need/outcome for the client groups. The Policy and Commissioning Function commissions delivery from:
- Local Authorities
- Private and voluntary sector providers
- Jobcentre Plus
- The Pension, Disability and Carers Service
- Pension Protection Fund
- Personal Accounts Delivery Authority
- Health & Safety Executive
- Child Maintenance and Enforcement Commission
Delivery is supported by the corporate functions: IT, Finance, Change Programme, Communications, Commercial, Legal and Human Resources. The cycle closes when the customer need/outcome is met.

Organisation Vision: recognition of the need for IA
To deliver the IT service for citizens that will make a positive difference to their lives. The mission is achieved by:
- constantly looking for ways in which our IT systems and services can improve our service to our customers, while recognising also the absolute need to safeguard and keep secure the data which we hold on them;
- listening to, understanding and responding to the IT needs of our people and our customers;
- strengthening working relationships with the businesses and our suppliers to improve performance and deliver added value across all our IT systems and services;
- innovating across organisational boundaries to provide a fast, efficient and seamless service, helping to deliver both the Department's Business Strategy and the Government's Transformational Government Strategy;
- exploiting new technology to deliver solutions which are both sustainable and accessible to all;
- growing the capability of our people by underpinning all our activity with professional competence, enhanced through training, research and reference to best practice; and
- participating and acting with integrity in a manner that demonstrates the Department's values and upholds its reputation.

Corporate Framework supported by Best Practice
ITIL Service Management processes:
- Service Support: Incident Management, Problem Management, Change Management, Release Management, Configuration Management
- Service Delivery: Service Level Management, Financial Management, Capacity Management, IT Continuity Management, Availability Management

ITIL & Security
ITIL (v2) based:
"The ITIL process Security Management describes the structured fitting of information security in the management organization. ITIL Security Management is based on the code of practice for information security management now known as ISO/IEC 27002. A basic goal of Security Management is to ensure adequate information security. The primary goal of information security, in turn, is to protect information assets against risks, and thus to maintain their value to the organization. This is commonly expressed in terms of ensuring their confidentiality, integrity and availability, along with related properties or goals such as authenticity, accountability, non-repudiation and reliability."
"[There is] mounting pressure for many organizations to structure their Information Security Management Systems in accordance with ISO/IEC 27001; this requires revision of the ITIL v2 Security Management volume, and indeed a v3 release is in the works." [now in place]
Courtesy of Wikipedia

Service Support: contention or synergy with Security Management?
- Incident Management: get the user up and running quickly
- Problem Management: root cause analysis (RCA) and correct
- Change Management: standard methods and procedures
- Release Management: holistic view and forward plan
- Configuration Management: strong asset control
Security Management objectives set against these:
- Preserve evidence for forensic investigation (contention? Incident Management's drive to restore service quickly can destroy the evidence)
- Threat identification and emergency response (synergy)
- Focus on vulnerability reduction/removal (synergy with problem, change, release and configuration management)

Service Delivery: contention or synergy with Security Management?
- Service Level Management: agree, monitor, report
- Financial Management: supports business objectives
- Capacity Management: demand management for business objectives
- IT Continuity Management: recovery within agreed timescales
- Availability Management: customer satisfaction equates to 'up time'
Security Management objectives set against these:
- 'Security' is not seen as a business objective (contention? it then competes for service levels, capacity and funding)
- Preserve evidence for forensic investigation
- System availability for maintenance (patching) (contention with Availability Management's 'up time'; synergy with IT Continuity Management)

UK Families put on Fraud Alert
Accountability and outsourcing: the 'owner' of the data is still expected to respond to and resolve problems.
"Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing." The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people. Chancellor Alistair Darling said there was no evidence the data had gone to criminals, but urged people to monitor bank accounts "for unusual activity". The Conservatives described the incident as a "catastrophic" failure.

Media and Public Interest: still a newsworthy subject
Subjects of press and public enquiries include:
- Details of all data security breaches
- Whether personal information is on contractor disks
- Details of the contractor who mislaid disks, etc.
- Details of breaches of citizens' personal details
- USB flash drives etc. lost in the previous 12 months
- Various lost laptops, PDAs, mobiles, blocked internet sites, staff disciplined, USBs and iPods
- Number of laptops and memory sticks lost or stolen in the last 5 years
- Various questions relating to IT security training
- Lost or broken devices, deletion processes and other issues
- Information relating to the theft and loss of DWP laptops and mobiles over the last two years

Organising your security relationships and structure

High Level Roles
- Business: consumers of security services
- Client ('retained'): policy and operations; retains ownership of Service Integration and Management (SIaM)
- Integrator: outsourced SIaM, providing security professionalism
- Performing suppliers: service tower providers, each with its own tower security capability; may be supported by security experts, e.g. Vistorm
Service towers: Network, SIaM, Desktop, Application Development, Application Support & Maintenance, Hosting, Other services

Certification: the need for professionalism across the operating model
"Speaking a common and professional language." Certifications held across the operating model include:
- HMG IT Security (phase 1 and phase 2), CLAS, ITPC
- ISO 27001, ISO 9001, ITIL, Management of Risk
- CISM, CISA, CISSP
- Certified Ethical Hacker, Certified Penetration Testing Specialist, SCNS (Tactical Perimeter Defence), IT Forensics
- MCSA, MCSA Messaging, MCSE, MCSE Security, MCTS, Sun Certified Systems Administrator
- Checkpoint Certified Security Administrator, CA Certified Security Administrator, WiFi Networks Certified Professional, NICE (Network Intelligence Certified Engineer)

Security Capability Value Chain
Vision to Strategy to Project to Requirements, with feedback and influence flowing back along the chain.
Strategic: IT Security Architecture
- Enterprise architecture, security strategy, innovation, horizon scanning, cross-government
Design & Build: IT Security Design
- Security Design Authority, pattern/product selection, business lead for security incidents, architectural compliance, advice/guidance, AD design, knowledge management
Operate & Support: IT Security Operations Management
- Supplier assurance, compliance assurance, risk management, security incident management, audit programme, security reporting, accreditation aftercare

Roles and Responsibilities: Outsourced Supplier Management Capability
Provides:
- Coordination of security activities across the supplier community
- Risk management services
- A security incident logging, investigation and management service
- Security assurance and accreditation management
- Security audit and compliance reviews
- Security policy and awareness services
- Threat and vulnerability response services
- Security service management and reporting

Roles and Responsibilities: Retained Capability ('managing the manager')
Internal IT Security Operations Management role:
- Provide assurance that service tower providers and the SIaM are compliant with security policies
- Monitor supplier performance in relation to their security obligations
- Manage the necessary cross-supplier and business processes (security waivers and exceptions)
- Provide IT security guidance to internal operational staff and IT support staff
- Produce and approve security bulletins and notices
- Progress business IT security issues
- Act as centre of excellence, with the SIaM, on all operational IT security matters

Functions
- Supplier Assurance
- Compliance Assurance
- Risk Management & Audit
- Security Incident Management
- Security Reporting
- Accreditation Aftercare
I've a horrible feeling I'm under surveillance. I've been looking at Google Street View and the same van has been outside my house for days now.

Performance Management Dashboard (figure)
A Supplier Performance Index is shown per service tower (Networks, Desktop, Data Centre, Maintenance, Development); each tower's Performance Review rolls up the suppliers that deliver it.

Complete Information Security: establishing and identifying compliance controls
The Service Integrator and Manager perspective
There must be an overarching information security framework. The lack of such a framework, aligned with strategic business objectives, leads to a disjoint in delivery priorities and the possibility of over-developed or inappropriate security controls.
For Government Departments, in addition to ensuring compliance with HMG security requirements, adoption of such a framework:
- improves engagement with both IT and non-IT supplier organisations, who generally state compliance or certification against ISO 27001 and who therefore understand its requirements;
- simplifies future development and implementation of delivery solutions and services through effective, pragmatic security risk management;
- enables the updating of security policy and guidance in response to changing threats and business needs;
- makes communication with those responsible for implementing security controls more efficient.

Complete Information Security: policing compliance controls
The Service Integrator and Manager perspective: automated versus manual control
Automated / technology
Pros:
- Consistency of analysis
- Speed of applying rules and measures
- Reduces error rate
- Enhanced data mining, analysis and correlation capability
- 24/7/365 high-availability operation
- Can enforce compliance
Cons:
- Cost of baselining rules and measures
- Critical dependence on hardware/software
- Interoperability of products
- Can introduce vulnerabilities
- Training
- Vendor enthusiasm to act as a VAR (value-added reseller) rather than a true security solution provider
Manual / process
Pros:
- Understanding of problems and coping with variance and idiosyncrasies
- Can provide cost savings
- Capable of analysing the situation to manage business reputation
- Thinking outside the box
- Understanding the implications of decisions
Cons:
- Dependencies on specific resource
- Costly for 24/7/365 manual operations
- Compliance not enforced
- Manual information management
- Potential for increased error

Risk Management & Audit
- Regularly and formally review risk management processes and procedures, ensuring a holistic approach across the organisation.
- Implement, or aim for, a consistent approach across all suppliers.
- Ensure that risk management is seen as the basis for all decisions by referring to it in meetings, forums and workshops.
- Tie audits into the risk management process.
- Ensure that risks are articulated in simple but specific language and not at too high a level, that the risk is real, and that the mitigation is proportionate and effective!
Why did the chicken cross the road? It was trying to get a signal on its iPhone 4.

Incident Management & Reporting
Awareness is key, including consistency across staff and suppliers ... Share messages,

IT Security Reporting: showing value by reporting reduced vulnerability
Outcome reported to the top of the office, and the impact it represents:
- IT Security Awareness: greater IT security awareness
- Supplier Performance: increased supplier performance (or reduced non-compliance)
- Systems Defence: hardened, bolstered and tested systems defence
- Risk Management Capability: proportionate, holistic and effective risk management capability that matches the challenge
Activity delivering these: an overarching Security Service Improvement Programme.

Accreditation Aftercare
- Monitor accreditation activity and accreditation aftercare, ensuring systems are used within the accreditation scope and that changes are notified where appropriate (Problem Management?).
- In particular, gain assurance that the accreditations for infrastructure services are up to date and that all necessary activities are under control (Service Level Management).
- Identify DWP information systems (Configuration Management?) and ensure accreditation procedures are adhered to (supported by Audit).
Is it just me, or would you kill for the kind of download speed that girl from the piracy ads is getting?
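The dashboard slide above shows a Supplier Performance Index per tower, and the aftercare points ask whether accreditations are current and whether live systems have drifted outside the accredited scope. The following is an added example, not code from the slides or from DWP, of how a retained security function could turn supplier evidence into such an index and surface the aftercare conditions. The suppliers, configuration items, patch SLA days, deduction weights and dates are all constructed assumptions.

```python
"""Supplier performance index and accreditation aftercare checks (added example).

Evidence model: per supplier, the accreditation expiry date, the configuration
items (CIs) inside accreditation scope, the CIs actually live (from the CMDB),
and the patches released to it. Thresholds and weights are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed patching SLA: days allowed from vendor release to deployment, by severity.
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 60}
# Assumed window before expiry in which renewal must already be under way.
ACCREDITATION_WARNING_DAYS = 90


@dataclass
class Patch:
    severity: str
    released: date
    deployed: Optional[date]  # None = still outstanding


@dataclass
class Supplier:
    name: str
    tower: str
    accreditation_expiry: date
    accredited_cis: set[str]   # CIs within the accreditation scope
    live_cis: set[str]         # CIs actually in service (CMDB view)
    patches: list[Patch] = field(default_factory=list)


def patch_breaches(s: Supplier, today: date) -> list[Patch]:
    """Patches deployed later than the SLA allows, or still outstanding past it."""
    late = []
    for p in s.patches:
        elapsed = ((p.deployed or today) - p.released).days
        if elapsed > PATCH_SLA_DAYS[p.severity]:
            late.append(p)
    return late


def unaccredited_cis(s: Supplier) -> set[str]:
    """Live systems the accreditation does not cover: a change made without notification."""
    return s.live_cis - s.accredited_cis


def accreditation_status(s: Supplier, today: date) -> str:
    days_left = (s.accreditation_expiry - today).days
    if days_left < 0:
        return "expired"
    if days_left <= ACCREDITATION_WARNING_DAYS:
        return "renew"
    return "current"


def performance_index(s: Supplier, today: date) -> int:
    """0..100. Deductions are illustrative weights, not a standard."""
    score = 100
    if s.patches:
        # Up to 40 points lost in proportion to patches breaching SLA.
        score -= round(40 * len(patch_breaches(s, today)) / len(s.patches))
    # 10 points per live CI outside accredited scope, capped at 30.
    score -= min(30, 10 * len(unaccredited_cis(s)))
    score -= {"current": 0, "renew": 10, "expired": 30}[accreditation_status(s, today)]
    return max(0, score)


def dashboard(suppliers: list[Supplier], today: date) -> dict[str, dict]:
    """One row per supplier, as a tower performance review would roll it up."""
    return {
        s.name: {
            "tower": s.tower,
            "index": performance_index(s, today),
            "accreditation": accreditation_status(s, today),
            "out_of_scope": sorted(unaccredited_cis(s)),
            "patch_breaches": len(patch_breaches(s, today)),
        }
        for s in suppliers
    }


# Constructed evidence for three hypothetical suppliers, as of a constructed date.
TODAY = date(2010, 6, 1)
SUPPLIERS = [
    Supplier("NetCo", "Networks", date(2011, 3, 1), {"fw-01", "fw-02"}, {"fw-01", "fw-02"},
             [Patch("critical", date(2010, 5, 1), date(2010, 5, 10)),
              Patch("high", date(2010, 4, 1), date(2010, 4, 20))]),
    Supplier("HostCo", "Data Centre", date(2010, 7, 15), {"db-01"}, {"db-01", "db-02"},
             [Patch("critical", date(2010, 5, 1), None),  # 31 days outstanding: breach
              Patch("medium", date(2010, 3, 1), date(2010, 4, 15))]),
    Supplier("DeskCo", "Desktop", date(2010, 5, 1), {"sccm-01"}, {"sccm-01"}),
]

if __name__ == "__main__":
    for name, row in dashboard(SUPPLIERS, TODAY).items():
        print(f"{name:7} {row['tower']:12} index={row['index']:3} "
              f"accreditation={row['accreditation']:8} out_of_scope={row['out_of_scope']} "
              f"patch_breaches={row['patch_breaches']}")
```

The point of separating the three checks from the score is that the index is for the top of the office, while the individual findings (a CI outside scope, an outstanding critical patch, an accreditation in its renewal window) are what the aftercare function actually raises with the supplier and the accreditor.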

Persistent Internal Challenges and Opportunities
- Need to identify and maintain relationships with business IT security stakeholders (single points of contact).
- Diverse business scenarios within large organisations (one size may not fit all): multiple locations, differing operating models, inconsistency in IT security expertise, unclear accountabilities.
- Internal Identity and Access Management: local installer rights and privileged users detract from the 'defence in depth' strategy. End User Computing definition! Demands for local or flexible storage of data; use of unapproved tools and techniques and inappropriate developments; lack of expertise in using standard tools; introduction of unauthorised software; introduction of unauthorised devices; use of 'ready to go' Internet services.
- User awareness: phishing attacks, spam, social engineering; drive to provide access to social networking.
My mate Sid was a victim of ID theft. He's just called 'S' now.

Persistent Supply Chain Challenges and Opportunities
- Privileged users in the supplier community: local and off-shore.
- Remote access provisioning and de-provisioning (Identity and Access Management).
- Flexibility and agility versus control and stability.
- Economic climate: continuity of supply.
- Evidencing independence.
- Commercials and integrating compliance.
- Supplier collaboration (or lack of it).
- Patching and maintenance against availability and risk.
- Enforcing standard change control.
- "It's all about the contract!"
Just found an absolute bargain on eBay: some bloke in Nigeria is selling army dog tags inscribed with your name, national insurance number, bank account and sort code details, free of charge. Get in there quick!
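The first two points above (privileged supplier users, local and off-shore, and remote-access provisioning and de-provisioning) are where a retained function can check the supplier's word against the live estate. This is an added example, not the presenter's or DWP's code: it reconciles a roster supplied by the supplier against an export of remote-access group membership and reports leavers still active, privilege without approval, dormant privileged accounts, accounts nobody owns, and privileged accounts held off-shore. The two CSV extracts, their column and group names, the 90-day dormancy threshold and the home location are constructed assumptions.

```python
"""Reconciling supplier privileged/remote access against the supplier roster (added example)."""
from __future__ import annotations
import csv
import io
from datetime import date

# Constructed roster the supplier's contract manager provides: who should have access.
ROSTER_CSV = """\
user,supplier,location,contract_end,privileged_approved
alice,NetCo,UK,2011-03-31,yes
bob,NetCo,UK,2010-04-30,yes
carol,HostCo,India,2011-12-31,no
dave,HostCo,India,2011-12-31,yes
"""

# Constructed export of remote-access group membership: who actually has access.
ACCOUNTS_CSV = """\
user,group,last_login
alice,ra-admins,2010-05-28
bob,ra-admins,2010-05-20
carol,ra-admins,2010-05-27
erin,ra-users,2010-05-29
dave,ra-admins,2010-01-05
"""

PRIVILEGED_GROUPS = {"ra-admins"}  # assumed name of the privileged remote-access group
DORMANT_DAYS = 90                  # assumed: privileged accounts unused this long are flagged
HOME_LOCATION = "UK"               # assumed: anything else counts as off-shore
TODAY = date(2010, 6, 1)           # constructed as-of date for the reconciliation


def load(csv_text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(roster_csv: str, accounts_csv: str, today: date) -> list[tuple[str, str]]:
    """Return (user, finding) pairs in the order accounts appear in the export."""
    roster = {r["user"]: r for r in load(roster_csv)}
    findings = []
    for acct in load(accounts_csv):
        user = acct["user"]
        privileged = acct["group"] in PRIVILEGED_GROUPS
        entry = roster.get(user)
        if entry is None:
            # Access that no supplier owns: treat as unauthorised until proven otherwise.
            findings.append((user, "no roster entry"))
            continue
        if date.fromisoformat(entry["contract_end"]) < today:
            findings.append((user, "leaver still active"))  # de-provisioning failed
        if privileged and entry["privileged_approved"] != "yes":
            findings.append((user, "privileged without approval"))
        if privileged and (today - date.fromisoformat(acct["last_login"])).days > DORMANT_DAYS:
            findings.append((user, "dormant privileged account"))
    return findings


def offshore_privileged(roster_csv: str, accounts_csv: str) -> dict[str, list[str]]:
    """Privileged accounts held outside the home location, grouped by supplier."""
    roster = {r["user"]: r for r in load(roster_csv)}
    out: dict[str, list[str]] = {}
    for acct in load(accounts_csv):
        entry = roster.get(acct["user"])
        if entry and acct["group"] in PRIVILEGED_GROUPS and entry["location"] != HOME_LOCATION:
            out.setdefault(entry["supplier"], []).append(acct["user"])
    return out


if __name__ == "__main__":
    for user, finding in reconcile(ROSTER_CSV, ACCOUNTS_CSV, TODAY):
        print(f"{user:6} {finding}")
    print("off-shore privileged:", offshore_privileged(ROSTER_CSV, ACCOUNTS_CSV))
```

Each finding maps to a contractual obligation the slide lists (de-provisioning, approval of privilege, disclosure of off-shore working), which is what makes the report usable in a supplier performance review rather than only in a security meeting.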

Successes and Advantages
- Access to thought leadership, innovation and industry research.
- Ability to resource fluctuations in demand (e.g. accreditation and related activities).
- Ability to identify cross-supplier trends and issues (IAM, for example).
- Application of industry standards and techniques (patch management).
- Ability to manage large amounts of security compliance information from across suppliers' operational processes and technology, and to drive cost-effective continuous improvement (e.g. roadmap, incident management processes).
- Independent, integrated view of operational security risk.
- Fixed-price service measured via SLAs, which has driven down security resourcing costs.

Key Messages
- Recognise that suppliers exist to make a profit and therefore ensure that you (and your supplier) understand what your priorities are and who is accountable. Does your desire to protect your business align with the supplier's business plan?
- Continually stress, and demonstrate by actions and deeds, that where you have outsourced the management of suppliers the 'integrator' is your agent acting on your behalf; they must be afforded the same access and cooperation as you yourself.
- Collaborate with your supplier in establishing and refining process definitions with clear 'hand-off' points.
- Understand the end-to-end supply chain to flush out any 'unexpected' and potentially unpalatable elements (such as off-shore activity).
- Ensure communications are consistent across all suppliers; this is another opportunity to emphasise your support for your supplier.
- Ensure that security clauses in IT contracts mandate your suppliers to cooperate with your integrator.
- Where possible, ensure consistent methodologies for risk management, patching, etc.
- Ensure availability and up-time promises to the organisation are consistent with the need for essential (including unanticipated) system maintenance.
- Bake in compliance activity as well as technical security measures when developing systems.
- Don't panic or set hares running: things are not always as bad as they first appear, but you can soon make them that bad (or worse) through inappropriate responses!
I got a second e-mail this morning from a Nigerian bank offering me £10m if I give him my bank details. What luck! I'm going to be back in credit after the first one wiped me out!