© BT PLC 2005 ‘Risk-based’ Approach to Managing Infrastructure a ‘Commercial Prospective’ Malcolm Page BT UK AFCEA Lisbon 2005.

Presentation transcript:

Objectives of the presentation
To review the drivers and challenges
Dealing with collaboration
Risk reviews & modelling
Compliance
Testing
Summary
Questions

Defence Drivers & Trends
Modernisation of armed forces
Reduction in defence budgets
Rapid deployment of armed forces on overseas missions
Global role - Nation’s eyes only
Interoperability of Command & Control
Prime contracting (PFI) - partners take share of responsibility / risk
The increased threat from cyber space
Foreign intelligence services and identity theft management
Homeland / National ICT Defence
Increase in overseas peace keeping commitments with other foreign powers
Increased infrastructure attack from cyber terrorism

Additional Drivers
Increased pressure for Information Governance
Regulatory Compliance
Need to demonstrate stakeholder value
Public monies being put to good use
Accurate information available for C3I decision making
CC3I – Command Control Communication Information!

Challenges
Maintaining the confidentiality, integrity and availability of defence infrastructure
Protection of defence infrastructure against attack from foreign powers (covert / overt)
Information Assurance (defence accreditation of information and systems such as NATO Classified)
Modernisation of armed services on reduced budgets
Recruiting and retaining the right personnel
Increased use of ‘ICT Networks’ to deliver Command & Control

Commercial Risk-Based Management: Defence in Depth
Balanced assessment of risk probability v risk impact v cost of mitigation etc., dynamically translated into strategies, rules, practices, processes and procedures etc. Regularly reviewed.
The People. Includes: recruiting, selection, clearances, access rights and other controls (both on joining and on leaving the organisation), alternate resource pools, monitoring, auditing, communication, awareness, training etc.
The physical infrastructure. Includes: sites and their locations, adjacent “threats” (natural and man-made), utility service provision and back-ups, alternate sites, physical hardware assets (down to granular levels, e.g. signed-off holdings of desk-top assets), access controls, guarding, alerting, monitoring, testing, auditing etc.
The information infrastructure. Includes: data, voice and IP network information transfer systems, and associated information storage and back-up facilities etc. Information retention policies also apply.

Security In Depth
People, not just technology: policy, communication and awareness
Firewalls (interconnect policies): define allowed traffic in and out of the security domain
Intrusion detection systems and penetration tests: monitoring and alert
Security configuration compliance
Servers: server sensors, patching and configuration check
Desktop: anti-virus software, patching and configuration
Web filters: where are your people going, what are they doing?
Logging and auditing

Key Collaboration Partners (diagram)
Partners: Field Command; Air force; Navy; Army; Mobile Personnel; Civilian Defence Units & Local Govt offices; Central & Intergovernmental Organisations e.g. NATO / EU
Flows between them: transfer of real time critical data & information securely via multi-channel methods; collaboration and sharing of data; policy / direction setting & legislation; intelligence; civil defence contingency plans, directives, command control & coordination of action

Risks (diagram, across the same partners: Field Command; Air force; Navy; Army; Mobile Personnel; Civilian Defence Units & Local Govt offices; Central & Intergovernmental Organisations e.g. NATO / EU)
More sophisticated attacks on information infrastructure
Interoperability of systems - vulnerabilities
Unauthorised access to sensitive data e.g. intelligence
Downtime / Denial of Service e.g. during deployment
Downtime & reliability
Nation’s eyes only
Real time response to threat
Resilience - maintaining of comm’s in battle-space
Breach of classification levels of data
Secure comm’s from remote locations
Cost

How Effective is this Risk Management!

Critical Infrastructure Risk Model (diagram)
Protagonist Model (Capability, Opportunity, Motivation) → Attack Likelihood Assessment
Business Model (Criticality, Continuity, Dependency) → Impact Analysis
Vulnerability Model (Technology, Integration, Process, People)
All three feed the Risk Analysis Framework → priorities → Solutions (Protection, Detection, Reaction) → Risk Managed Solutions
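As an added example (not code from the BT deck), the Python below turns the slide's factor groups into a small risk-managed-solutions calculator; the grouping of factors into protagonist, business and solution boxes is read from the diagram, and the 0..1 scores, costs, multiplicative scoring rule and sample data are assumptions for illustration. It also applies the earlier Defence in Depth slide's balance of risk probability against impact and cost of mitigation by selecting countermeasures only while their risk reduction exceeds their cost.

```python
from dataclasses import dataclass

def attack_likelihood(capability: float, opportunity: float, motivation: float) -> float:
    """Protagonist model: each factor scored 0..1 (assumed scale); an attack needs all three."""
    return capability * opportunity * motivation

def business_impact(criticality: float, continuity: float, dependency: float, worst_loss: float) -> float:
    """Business model: factors 0..1 scale the worst-case loss (money units, constructed)."""
    return (criticality + continuity + dependency) / 3 * worst_loss

@dataclass(frozen=True)
class Countermeasure:
    """Protection lowers likelihood; detection and reaction lower impact (fractions 0..1)."""
    name: str
    cost: float
    protection: float = 0.0
    detection: float = 0.0
    reaction: float = 0.0

def residual_risk(likelihood: float, impact: float, controls=()) -> float:
    """Expected loss (likelihood x impact) once the given countermeasures are applied."""
    for c in controls:
        likelihood *= 1 - c.protection
        impact *= (1 - c.detection) * (1 - c.reaction)
    return likelihood * impact

def select_countermeasures(likelihood, impact, candidates, budget):
    """Greedy: add the affordable control with the best risk reduction per unit cost,
    but only while that reduction exceeds the control's cost (mitigation must pay for itself)."""
    chosen, pool = [], list(candidates)
    while True:
        base, spent = residual_risk(likelihood, impact, chosen), sum(c.cost for c in chosen)
        gains = [(base - residual_risk(likelihood, impact, chosen + [c]), c)
                 for c in pool if spent + c.cost <= budget]
        worthwhile = [(gain / c.cost, c) for gain, c in gains if gain > c.cost]
        if not worthwhile:
            return chosen, base  # nothing left that fits the budget and pays for itself
        best = max(worthwhile, key=lambda t: t[0])[1]
        chosen.append(best)
        pool.remove(best)
# Constructed sample, not figures from the BT deck: a state-level threat against C2 messaging.
FIS_LIKELIHOOD = attack_likelihood(capability=0.9, opportunity=0.5, motivation=0.8)
C2_IMPACT = business_impact(criticality=1.0, continuity=0.8, dependency=0.6, worst_loss=1_000_000)
CONTROLS = [
    Countermeasure("firewall interconnect policy", cost=20_000, protection=0.5),
    Countermeasure("IDS and monitoring", cost=50_000, detection=0.4),
    Countermeasure("security awareness training", cost=10_000, protection=0.2),
    Countermeasure("additional site guarding", cost=150_000, protection=0.1),
]
```

With the sample data the firewall policy and awareness training are chosen and the IDS is left out: its 46,080 reduction of the remaining 115,200 expected loss no longer covers its 50,000 cost, which is exactly the probability v impact v cost trade-off the deck describes.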

Overall Security Process (diagram)
Business Requirements → Business Continuity Strategy → Business Continuity Plans → Business Continuity Plan Test
Security Risk Analysis and Management → Security Policy → Identification of Security Countermeasures
Non-technical: Security Operating Procedures; Security Incident Handling and Reporting; Security Awareness; Security Management; Community Security Policy
Technical: Security Architecture; Security Components and Tools (Technical Solution); Firewall Policies
Assurance: Security Audit / Compliance Checking; Security Assurance Testing / Evaluation Reports; Accreditation → Accredited Service Implemented in a Secure Environment (Live System Environment)
In operation: Regular Security Audit / Compliance Checking; Monitoring System in Operational Use; Feedback into Risk Analysis etc.
Information Security Summary

Compliance
Security audit / compliance checks
Business security health check
Gap analysis (e.g. against ISO27001, (UK) MPS/JSP440)
Security evaluation services
IT security testing services
Compliance against regulatory requirements such as Data Protection

IT security testing services
Level 1: Automated Vulnerability Scan; Network Mapping
Level 2: Technical Security Check, includes: 1. Technical security policy review; 2. Vulnerability Assessment Options; 3. Firewall Rulebase Analysis; 4. Physical Computer Room Check; 5. Social Engineering; 6. Web Application Testing
Level 3: Penetration Testing

Proactive Monitoring & Management & Testing
Network Management: effective network design; ensure efficient operation; ensure high availability; firewalls in place; provide connectivity
Security Management: effective security design; manage vulnerability; monitor - internal/external; integrate and interpret; build IRP
Best Practice is a blend of network & security operations

Can commercial security deliver for NATO?
Accountable
Retain experienced staff
Government cleared personnel
Setting standards
Availability 365 x 24 x 7
Information sharing: ‘FIRST’, trade partners, government agencies etc.

Potential benefits
Reduced technological and operational risks
Reduced costs
Expertise – know-how
Linked into ‘in-country’ Critical National Information Infrastructure
Global capability
Regular audits & reviews
Invariably Commercial Off The Shelf (COTS) solutions

Questions? Malcolm Page, Business Continuity, Security & Governance Practice