HMG Risk Management - Systems Accreditation (a view from 40,000 ft in 50 minutes!) Ian D. McKinnon BSc MSc M.Inst.ISP (ITPC) MBCS (CITP) CISSP CLAS SMWS.

Presentation transcript:

HMG Risk Management - Systems Accreditation (a view from 40,000 ft in 50 minutes!) Ian D. McKinnon BSc MSc M.Inst.ISP (ITPC) MBCS (CITP) CISSP CLAS SMWS

7/9/13 HMG Accreditation RHUL – Distance Learning Summer School 2 of 14

Systems Accreditation
Systems Accreditation is the process by which risks to HMG systems are formally expressed, and mitigations are developed, implemented and assessed, to ensure that the resultant residual risk is acceptable to the business. The primary output of the accreditation process is an RMADS (Risk Management and Accreditation Document Set).

Asset Classification
HMG Protective Marking Scheme:
– Unclassified / NPM
– PROTECT
– RESTRICTED
– CONFIDENTIAL
– SECRET
– TOP SECRET

Bob Quick – epic fail! See:

It’s amazing what you can capture from across the street with a professional lens and a 15 megapixel camera!

GPMS Review
HMG Protective Marking Scheme:
– OFFICIAL
– SECRET
– TOP SECRET

Business Impact Levels
BILs are used to assign a value to assets, systems or services in terms of Confidentiality, Integrity and Availability (CIA). They are broadly aligned to the Protective Marking scheme:
– 0 = NPM
– 3 = RESTRICTED
– 5 = SECRET
– 6 = TOP SECRET
A BIL is written as a C,I,A triple, for example:
– ICT System: BIL3,3,4 or BIL5,5,3
– Network: BIL2,2,4 or BIL3,3,4

Example BIL Table
Copied from IAS1 v3.6 part 1 Appendix A – Business Impact Level Tables

Impact on life and safety:
– BIL0: None
– BIL3: Risk to an individual’s personal safety or liberty
– BIL5: Threaten life directly, leading to limited loss of life
– BIL6: Lead directly to widespread loss of life

Impact on political stability:
– BIL0: None
– BIL3: Minor loss of confidence in UK Government
– BIL5: Threaten directly the internal political stability of the UK or friendly countries
– BIL6: Collapse of internal political stability of the UK or friendly countries

Personnel Clearance
HMG Vetting Scheme:
– BPSS (Baseline Personnel Security Standard): Basic check to confirm identity. Unsupervised access to assets up to CONFIDENTIAL and occasional supervised access to SECRET.
– SC (Security Check): Detailed background check to confirm identity. Unsupervised access to assets up to SECRET and occasional supervised access to TOP SECRET.
– DV (Developed Vetting): Exhaustive background checks including interview of applicant and referees. Unsupervised access to TOP SECRET assets.
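The Business Impact Levels slide and the Personnel Clearance slide together define a simple access rule: a system's confidentiality BIL maps to a protective marking, and each vetting level permits unsupervised or occasional supervised access up to a given marking. The following is an added example (not from the slide deck or from CESG) that encodes those two tables and evaluates a clearance against a system expressed in the slides' BILc,i,a notation. The BIL0/3/5/6 mappings are the slide's; BIL1 and BIL2 = PROTECT and BIL4 = CONFIDENTIAL are assumptions filling the gaps in the "broadly aligned" list, and the sample systems are constructed.

```python
from dataclasses import dataclass

# Protective markings in ascending order, as listed on the Asset Classification slide.
MARKINGS = ["NPM", "PROTECT", "RESTRICTED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

# BIL -> marking. BIL0/3/5/6 come from the slide; BIL1, BIL2 (PROTECT) and
# BIL4 (CONFIDENTIAL) are assumptions that fill the gaps in the slide's list.
BIL_TO_MARKING = {
    0: "NPM", 1: "PROTECT", 2: "PROTECT", 3: "RESTRICTED",
    4: "CONFIDENTIAL", 5: "SECRET", 6: "TOP SECRET",
}

# Vetting level -> (highest marking for unsupervised access,
#                   highest marking for occasional supervised access),
# transcribed from the Personnel Clearance slide.
CLEARANCE_ACCESS = {
    "BPSS": ("CONFIDENTIAL", "SECRET"),
    "SC": ("SECRET", "TOP SECRET"),
    "DV": ("TOP SECRET", "TOP SECRET"),
}


@dataclass(frozen=True)
class SystemBIL:
    """A system's impact levels for Confidentiality, Integrity and Availability."""
    confidentiality: int
    integrity: int
    availability: int

    @classmethod
    def parse(cls, text: str) -> "SystemBIL":
        # Accepts the slide's notation, e.g. "BIL3,3,4" or "3,3,4".
        body = text.strip().upper()
        if body.startswith("BIL"):
            body = body[3:]
        parts = [int(p) for p in body.split(",")]
        if len(parts) != 3 or any(p not in BIL_TO_MARKING for p in parts):
            raise ValueError(f"invalid BIL triple: {text!r}")
        return cls(*parts)

    def marking(self) -> str:
        # The protective marking of the data on a system follows its confidentiality
        # BIL; the integrity and availability levels drive other controls.
        return BIL_TO_MARKING[self.confidentiality]


def rank(marking: str) -> int:
    """Position of a marking in the ascending scheme (higher = more sensitive)."""
    return MARKINGS.index(marking)


def access_decision(clearance: str, system: SystemBIL) -> str:
    """Return 'unsupervised', 'supervised' or 'denied' for a clearance against a system."""
    if clearance not in CLEARANCE_ACCESS:
        raise ValueError(f"unknown clearance level: {clearance!r}")
    unsupervised_limit, supervised_limit = CLEARANCE_ACCESS[clearance]
    marking = system.marking()
    if rank(marking) <= rank(unsupervised_limit):
        return "unsupervised"
    if rank(marking) <= rank(supervised_limit):
        return "supervised"
    return "denied"


if __name__ == "__main__":
    # Constructed sample systems using the triples quoted on the slide.
    for label in ("BIL3,3,4", "BIL5,5,3", "BIL6,5,3"):
        system = SystemBIL.parse(label)
        print(label, "->", system.marking(),
              {c: access_decision(c, system) for c in CLEARANCE_ACCESS})
```

The decision is deliberately driven only by the confidentiality level: the slide ties the marking scheme to the C value, while integrity and availability impacts are handled through the IAS1 risk treatment rather than clearance.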

HMG Accreditation Methodology
The following standards must be used to accredit HMG systems & services:
– HMG IA Standard No. 2 – Risk Management & Accreditation of ICT Systems and Services
– HMG IA Standard No. 1 – Technical Risk Assessment, Part 1: Risk Assessment
– HMG IA Standard No. 1 – Technical Risk Assessment, Part 2: Risk Treatment

Key Accreditation Stakeholders
– Accreditor: Responsible for impartial review and acceptance of the RMADS
– PGA (Pan Government Accreditor): Accreditor for systems or services which are shared across government (e.g. GSi)
– ITSO (IT Security Officer): Individual charged with oversight of IT security within the government department
– SIRO (Senior Information Risk Owner): Board member responsible for the Information Risk
– IAO (Information Asset Owner): Individual who fully understands what information is held and how it is used
– CLAS (CESG Listed Advisor): Responsible for accreditation and policy advice
– CESG: The National Technical Authority for IA advice and guidance

IAS2 Stages
– Stage 0 – Early planning and feasibility
– Stage 1 – Accreditation strategy
– Stage 2 – IA requirements
– Stage 3 – Options assessment and selection
– Stage 4 – Accreditation in development and acceptance
– Stage 5 – Risk management in-service & accreditation maintenance
– Stage 6 – Secure decommissioning and disposal

Policy & Guidance
– SPF (Security Policy Framework – Cabinet Office)
– Orange Book (HMRC Risk Appetite)
– IAS4 – Telecommunications
– IAS5 – Secure Sanitisation
– GPGs (Good Practice Guides)
– Architectural Patterns
– SEAP Catalogue (Security Equipment Assessment Panel)
– CPNI Guidance (Physical, personnel and counter-terrorism)

Questions?