Defence Sector Case Study

The Client

An organisation operating in the UK defence sector engaged Gemserv to provide lead cyber security capability.

The Challenge

Public sector organisations have increasingly become targets for cyber criminals. Given the highly sensitive nature of the information held and generated within the defence sector, and the risk that a breach would pose to national security, it is particularly vital that infrastructure and processes are secure. The client wanted to protect over three million personal data records and to put a robust risk management regime in place.

Our Approach

As an integral aspect of our bid response, we attended multiple requirement definition workshops covering the security of the new capability and the risk-based approach we would follow. Our approach included:

  • Creating a Security Management Plan (SyMP), a security and accreditation strategy aligned with the client’s business objectives. The SyMP details the risk assessment and management methodology the project adopts, the roles and responsibilities of the risk assessors, the frequency of risk assessments, and the security governance hierarchy that acts on the risk assessment output as part of a wider risk management framework.
  • Setting up a weekly Security Working Group (SWG) to support and oversee the risk assessments and track progress against the strategy. Results of risk assessments are fed into this forum and risk treatments are tracked to completion.
  • Carrying out regular risk assessments in accordance with UK Information Assurance Standards and documenting them in the Risk Management and Accreditation Document Set (RMADS). The risk assessment process begins with a Business Impact Assessment to identify critical assets; through liaison with the Accreditor and the Senior Information Risk Owner (SIRO), the risk appetite is defined and understood.
  • Incorporating formal threat assessments into the risk assessments in order to identify the applicable threat actors and threat sources: the parties with the intent to breach the security of the system, and the individuals in a position to carry out an attack.
  • Using the results of the threat assessments to estimate the impact and likelihood of threat actors breaching the security of the system. The risk assessment outputs feed into the Risk Treatment Plan, which defines security controls to reduce, reject, assign or accept each risk, ensuring the residual risk remains within the previously defined risk appetite.

The Outcome

Because the programme is high profile, the ongoing governance arrangements include regular feedback on our delivery against our obligations and on the effectiveness of the risk management regime.

In line with our recent adoption of the RESILIA Cyber Resilience best practice, we formally incorporated a continual improvement process to ensure that our delivery of security and risk assessment capability meets its objectives, and that our risk treatment recommendations remain aligned with the agreed risk appetite.

The project is mandated to undergo formal independent accreditation, which provides assurance that the security and risk management regime complies with applicable UK and international cyber security policy, and that risk assessment sits at the heart of the security capability.

We ensure that defence standards, legislation and guidance are adhered to and have introduced the RESILIA Cyber Resilience methodology to the programme, turning cyber security into effective cyber resilience.
