Risk Management in the UK Public Sector

HMG Risk Management Systems Accreditation
(a view from 40,000 ft in 50 minutes!)
Ian D. McKinnon
BSc MSc M.Inst.ISP (ITPC) MBCS (CITP) CISSP CLAS SMWS
Systems Accreditation
• Systems Accreditation is the process
by which risks to HMG systems are
formally expressed, mitigations are
developed, implemented and
assessed to ensure that the resultant
residual risk is acceptable to the
business.
• The primary output of the accreditation
process is an RMADS
7/9/13
HMG Accreditation
RHUL – Distance Learning Summer School
2 of 14
Asset Classification
• HMG Protective Marking Scheme:
– Unclassified / NPM
– PROTECT
– RESTRICTED
– CONFIDENTIAL
– SECRET
– TOP SECRET
Bob Quick – epic fail!
See: http://news.bbc.co.uk/1/hi/7991307.stm
It’s amazing what you capture from across the street
with a professional lens and a 15 megapixel camera!
GPMS Review
• HMG Protective Marking Scheme:
– OFFICIAL
– SECRET
– TOP SECRET
Business Impact Levels
• BIL used to assign a value to assets, systems or services in terms of CIA
• Broadly aligned to PM scheme
– 0 = NPM
– 3 = RESTRICTED
– 5 = SECRET
– 6 = TOP SECRET
• ICT System e.g. BIL3,3,4 or BIL5,5,3
• Network e.g. BIL2,2,4 or BIL3,3,4
HMG Accreditation
RHUL – Distance Learning Summer School
7 of 14
Example BIL Table
• Copied from IAS1 v3.6 part 1 Appendix A –
Business Impact Level Tables
Impact on life and safety:
– BIL0: None
– BIL3: Risk to an individual’s personal safety or liberty
– BIL5: Threaten life directly leading to limited loss of life
– BIL6: Lead directly to widespread loss of life
Impact on political stability:
– BIL0: None
– BIL3: Minor loss of confidence in UK Government
– BIL5: Threaten directly the internal political stability of the UK or friendly countries
– BIL6: Collapse of internal political stability of the UK or friendly countries
Personnel Clearance
• HMG Vetting Scheme:
– BPSS (Baseline personnel security standard)
• Basic check to confirm identity. Unsupervised
access to assets up to CONFIDENTIAL and
occasional supervised access to SECRET.
– SC (Security check)
• Detailed background check to confirm identity.
Unsupervised access to assets up to SECRET and
occasional supervised access to TOP SECRET.
– DV (Developed vetting)
• Exhaustive background checks including interview
of applicant and referees. Unsupervised access to
TOP SECRET assets.
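The Business Impact Levels and Personnel Clearance slides together describe an access rule: a system’s C, I, A impact levels map onto a protective marking, and each vetting level permits unsupervised access up to one marking and only occasional supervised access to the next. The following Python is an added worked example, not code from the slides or from HMG; it composes those two slides into a single decision. It assumes the legacy markings used on the BIL and clearance slides (not the later OFFICIAL/SECRET/TOP SECRET scheme), takes the system’s marking as that of the highest of its three impact levels, and rounds the BIL values the slide does not map (1, 2 and 4) up to the next mapped level so that the check fails safe; the function names (`parse_bil`, `system_marking`, `access_decision`, `check_system_access`) are made up for the example.

```python
"""Added example: compose the BIL-to-marking mapping and the HMG vetting
rules from the slides into one access decision. Assumptions are marked."""
from enum import IntEnum
import re


class Marking(IntEnum):
    """Legacy HMG protective markings, ordered low to high."""
    NPM = 0
    PROTECT = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3
    SECRET = 4
    TOP_SECRET = 5


# BIL -> marking pairs as given on the slide. BIL 1, 2 and 4 are not shown
# there; marking_for_bil rounds those UP to the next mapped level (an
# assumption made for this example so it fails safe, not HMG policy).
BIL_TO_MARKING = {
    0: Marking.NPM,
    3: Marking.RESTRICTED,
    5: Marking.SECRET,
    6: Marking.TOP_SECRET,
}

# Vetting levels from the slide: (highest marking for unsupervised access,
# highest marking for occasional supervised access).
CLEARANCE_LIMITS = {
    "BPSS": (Marking.CONFIDENTIAL, Marking.SECRET),
    "SC": (Marking.SECRET, Marking.TOP_SECRET),
    "DV": (Marking.TOP_SECRET, Marking.TOP_SECRET),
}

_BIL_RE = re.compile(r"^BIL(\d),(\d),(\d)$")


def parse_bil(label: str) -> tuple:
    """Parse a 'BILc,i,a' label (e.g. 'BIL3,3,4') into a (C, I, A) triple 0-6."""
    m = _BIL_RE.match(label.strip().upper())
    if not m:
        raise ValueError(f"not a BIL triple: {label!r}")
    triple = tuple(int(x) for x in m.groups())
    if any(not 0 <= v <= 6 for v in triple):
        raise ValueError(f"BIL values must be 0-6: {label!r}")
    return triple


def marking_for_bil(bil: int) -> Marking:
    """Map one impact level to a marking, rounding unmapped levels up."""
    for level in sorted(BIL_TO_MARKING):
        if bil <= level:
            return BIL_TO_MARKING[level]
    raise ValueError(f"BIL out of range: {bil}")


def system_marking(label: str) -> Marking:
    """Marking for a whole system, taken here (assumption) as the marking
    of the highest of its C, I and A impact levels."""
    return marking_for_bil(max(parse_bil(label)))


def access_decision(clearance: str, marking: Marking) -> str:
    """'unsupervised', 'supervised' or 'denied' for a holder of the given
    clearance against an asset at the given marking."""
    if clearance not in CLEARANCE_LIMITS:
        raise ValueError(f"unknown clearance: {clearance!r}")
    unsupervised_limit, supervised_limit = CLEARANCE_LIMITS[clearance]
    if marking <= unsupervised_limit:
        return "unsupervised"
    if marking <= supervised_limit:
        return "supervised"
    return "denied"


def check_system_access(clearance: str, bil_label: str) -> str:
    """End to end: may this person use a system rated e.g. BIL3,3,4, and how?"""
    return access_decision(clearance, system_marking(bil_label))


if __name__ == "__main__":
    # Constructed sample cases using the BIL triples quoted on the slide.
    for who, system in [("BPSS", "BIL3,3,4"), ("SC", "BIL5,5,3"),
                        ("BPSS", "BIL6,6,6"), ("DV", "BIL6,6,6")]:
        print(who, system, system_marking(system).name,
              check_system_access(who, system))
```

Note that the availability level is what drives the result for BIL3,3,4: because the example rounds BIL4 up to SECRET, a BPSS holder gets only supervised access, which is the conservative outcome when the exact mapping for an unmapped level is unknown.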
HMG Accreditation Methodology
• The following standards must be used to
accredit HMG systems & services:
– HMG IA Standard No. 2 – Risk Management
& Accreditation of ICT Systems and Services
– HMG IA Standard No. 1 – Technical Risk
Assessment Part 1 : Risk Assessment
– HMG IA Standard No. 1 – Technical Risk
Assessment Part 2 : Risk Treatment
Key Accreditation Stakeholders
• Accreditor
– Responsible for impartial review and acceptance of the RMADS
• PGA – Pan Government Accreditor
– Accreditor for systems or services which are shared across government (e.g. GSi)
• ITSO – IT Security Officer
– Individual charged with oversight of IT security within the government department
• SIRO – Senior Information Risk Owner
– Board member responsible for the Information Risk
• IAO – Information Asset Owner
– Individual who fully understands what information is held and how it is used
• CLAS – CESG Listed Advisor
– Responsible for accreditation and policy advice
• CESG
– The National Technical Authority for IA advice and guidance
IAS2 Stages
• Stage 0 – Early planning and feasibility
• Stage 1 – Accreditation strategy
• Stage 2 – IA requirements
• Stage 3 – Options assessment and selection
• Stage 4 – Accreditation in development and acceptance
• Stage 5 – Risk management in-service & accreditation maintenance
• Stage 6 – Secure decommissioning and disposal
Policy & Guidance
• SPF (Security Policy Framework – Cabinet Office)
• Orange Book (HMRC Risk Appetite)
• IAS4 – Telecommunications
• IAS5 – Secure Sanitisation
• GPGs (Good Practice Guides)
• Architectural Patterns
• SEAP Catalogue (Security Equipment Assessment Panel)
• CPNI Guidance (Physical, personnel and counter-terrorism)
Questions?