The Client
An organisation operating in the UK defence sector engaged Gemserv to provide lead cyber security capability.
The Challenge
Public sector organisations have increasingly become targets for cyber criminals. Given the highly sensitive nature of information held and generated within the defence sector, and the risk that a breach would pose to national security, it is particularly vital that infrastructure and processes are secure. The client wanted to ensure the protection of over three million personal data records and to put a robust risk management regime in place.
Our Approach
As an integral aspect of our bid response we attended multiple requirement definition workshops regarding the security of the new capability and the risk-based approach we would follow. The approach we took included:
- Creation of a Security Management Plan (SyMP), a security and accreditation strategy aligned with the client’s business objectives. The SyMP details the risk assessment and management methodology that the project would adopt, the roles and responsibilities of the risk assessors, the frequency of the risk assessments and the security governance hierarchy that would act on the risk assessment output as part of a wider risk management framework.
- Setting up a weekly Security Working Group (SWG) to effectively support and oversee the risk assessments and the progress of the strategy. Results of risk assessments are fed into this forum and risk treatments tracked.
- Carrying out regular risk assessments in accordance with UK Information Assurance Standards and documenting them in the Risk Management and Accreditation Document Set (RMADS). The risk assessment process involves undertaking a Business Impact Assessment to identify critical assets; through liaison with the Accreditor and the Senior Information Risk Officer, the risk appetite is defined and understood.
- Incorporating formal threat assessments into the risk assessments in order to identify the applicable threat actors and sources. These define the sources with a desire to breach the security of the system and those individuals in a position to perform an attack.
- Using the results of the threat assessments to identify the impact and likelihood of threat actors breaching the security of the system. The risk assessment outputs feed into the Risk Treatment Plan, which defines security controls to reduce, reject, assign or accept the risks, ensuring the residual risk is within the previously defined risk appetite.
The Outcome
The high profile of the programme ensures that the ongoing governance provision incorporates regular feedback on the delivery of our obligations and on the effectiveness of risk management.
Aligned with our recent adoption of the RESILIA Cyber Resilience best practice, we formally incorporated a continual improvement process to ensure that our delivery of robust security and risk assessment capability is meeting objectives, and our risk treatment recommendations remain aligned with risk appetite.
The project is mandated to undergo formal independent Accreditation, which provides assurance that the security and risk management regime fully complies with the UK and International Cyber Security Policy, and that risk assessments are at the heart of the security capability.
We ensure that defence standards, legislation and guidance are adhered to and have introduced the RESILIA Cyber Resilience methodology to the programme, turning cyber security into effective cyber resilience.