
Securing the Realm

~ UK Government Cyber Security

Author Archives: Andy

CloudStore Opens for Business

19 Sunday Feb 2012

Posted by Andy in PSN, GCN & G-Cloud

Tags: CloudStore

After an announcement by Francis Maude this morning, the Government's new CloudStore has opened for business.

What is the CloudStore?

Government has been working to make the purchasing of public sector ICT as simple and transparent as possible. The result is a new web site, which we are calling the CloudStore.

The CloudStore is a new way for Government to buy IT products and services. At the moment this site is a pilot and we’re asking for your feedback so we can add to and improve it.

The CloudStore is an online catalogue of over 1,700 information and communications services available to the UK public sector, and contains details of each of the suppliers and their services. You can use the CloudStore to select the services that best suit your needs.

All the services listed on the CloudStore are part of the G-Cloud framework so are immediately available for the public sector to procure and use.

This is the first of its kind in the UK for public sector ICT procurement, and we are committed to ensuring that this method of buying ICT goods and services is efficient and fit for purpose.

[description from the CloudStore website]

Check out the CloudStore at http://www.govstore.net/

G-Cloud accreditation webinar (recording)

14 Tuesday Feb 2012

Posted by Andy in PSN, GCN & G-Cloud

Tags: #AccreditCamp, Accreditation, G-Cloud

The G-Cloud accreditation process webinar “#AccreditCamp” was held on 13th February to explain more about the accreditation process, including what documentation is required, the timeframes involved and common issues.

If you missed the webinar, the recording is now available here: http://www.slideshare.net/G-Cloud/accredcamp-slides-audio

Information Assurance Practitioners’ Event 2012

12 Sunday Feb 2012

Posted by Andy in HMG IA (General)

Tags: Event

Date: 29th February & 1st March 2012
Time: 9:30am – 5:30pm (day 1) & 9:00am – 3:15pm (day 2)
Location: York Racecourse

Website: http://www.softbox.co.uk/events/iapevent2012

Building on the success of the last event, this is the perfect opportunity to hear from and network with Government and industry experts, discuss your Information Assurance concerns and strategies, and find out about the latest solutions.

Full details of the event are included below, including how to register for your free place.

Setting the Agenda
The IA Practitioners’ Event is a key event in CESG’s calendar for Information Assurance experts working at a practical level, and it promises to be exceptional, with an informative and comprehensive agenda themed around Information Assurance.

Dr Ian Levy, Technical Director at CESG, will chair the two-day programme, which includes main plenary sessions plus a series of workshops in which delegates and vendors can take a full and active part.

During the event there will be dedicated sessions for the Police Information Assurance Forum (PIAF) and the IT Security Officers’ Forum (ITSOF). These give those involved an opportunity to discuss their specific issues and concerns within their own groups, while still being able to join the main event, where expertise from industry and from delegates across the entire public sector will be brought to bear on innovative ways of meeting the security standards and policies required in today’s environment.

Extended breaks for tea/coffee and lunch each day will also give you the opportunity to visit the exhibition stands, talk to the exhibitors about their latest product and service offerings, and network with your peers.

At the end of day one everyone is invited to join the Networking Evening and Dinner, where you will have ample time to chat with your peers in a relaxed atmosphere whilst enjoying a traditional four-course meal and being entertained by guest speaker Dr Kevin Jones, who will give a hilarious insight into the world of medical practice.

G-Cloud Accreditation (#AccreditCamp)

11 Saturday Feb 2012

Posted by Andy in HMG IA (General), PSN, GCN & G-Cloud

Tags: #AccreditCamp, G-Cloud

#AccreditCamp will be a live webinar at 11.00 on 13th February outlining the G-Cloud accreditation process for suppliers: what HMG are looking at, how they assess it, and what to expect as part of the process.

First Set of PSN Roadmaps Published

06 Monday Feb 2012

Posted by Andy in PSN, GCN & G-Cloud

High-level roadmaps indicating the progress of central and non-central Government departments/organisations on to the PSN service have been released by the PSN programme.

This publication represents a starting point but nevertheless reflects the extent of commitment now evident across the entire Public Sector. It’s important that we start to communicate the development of all sides of the PSN marketplace, beginning with our own organisations, so that both public sector and industry can start to see the big picture more clearly.

comment from Craig Eblett (PSN Programme Director)

Links to the reports:
PSN Central Government Transition Plan, as at 31 January 2012
PSN Non-Central Government Transition Plan, as at 31 January 2012

UK Top for Cyber Preparedness

05 Sunday Feb 2012

Posted by Andy in HMG IA (General)

According to a recent report commissioned by McAfee, which surveyed 250 leading authorities and 80 cyber security experts in the public and private sectors, the UK was awarded 4 stars and ranked top for cyber preparedness, alongside the USA and Germany.

Recognition was given for the UK’s new cyber security strategy and the formation of the Office of Cyber Security and Information Assurance (OSCIA); however, the report did note that the UK has too high a reliance on the private sector.

The report provides the following top ten recommendations to improve cyber preparedness:

1. Build trust between industry and government stakeholders by setting up bodies to share information and best practices, like the Common Assurance Maturity Model (CAMM) and the Cloud Security Alliance (CSA).

2. Increase public awareness of how individuals can protect their own internet data, and promote cyber-security education and training.

3. New problems and opportunities created by smart phones and cloud computing must be examined. Cloud computing needs an appropriate architecture to achieve optimum security levels.

4. Prioritise information protection, knowing that no one size fits all. The three key goals that need to be achieved are confidentiality, integration and availability in different doses according to the situation.

5. Consider establishing cyber-confidence building measures as an alternative to a global treaty, or at least as a stopgap measure, knowing that many countries view a treaty as unverifiable, unenforceable and impractical.

6. Improve communication between the various communities, from policy-makers to technological experts to business leaders both at national and international levels.

7. Enhance attribution capabilities by investing in new technologies, and establishing rules and standards.

8. Follow the Dutch model of a third party cyber-exchange for improved private-public partnership on internet security.

9. Despite the many practical hurdles in the way of transparency, both for private companies and for governments, find ways of establishing assurance – or trust – through the use of security mechanisms and processes.

10. Move the ball forward and encourage integration of cyber into existing processes and structures. Make sure cyber considerations and investment are present at every level.

Read the full report here

New Course: IA Protective Monitoring and Incident Management

01 Wednesday Feb 2012

Posted by Andy in Education & Certification

Tags: HMG IA Training

I’ve just noticed a new course added to the National School of Government IA page:-

IA Protective Monitoring and Incident Management http://www.nationalschool.gov.uk/programmes/programme.asp?id=22914&tab=1

What you will learn:

This course will give you an in-depth understanding of the principles, policy and issues affecting protective monitoring, forensic readiness and incident management.
At the end of the course you will be able to:

  • describe the purpose of audit
  • describe government protective monitoring policy
  • explain how to manage an IA incident
  • produce a Forensic Readiness plan
  • describe sanitisation and the issues around re-use of media
  • describe ways of monitoring compliance, including the IA Maturity Model.

What the programme covers:

  • Overview of audit
  • IA protective monitoring policy
  • System monitoring
  • Incident management
  • Backup and data storage
  • Forensic readiness
  • Sanitisation
  • Business continuity and disaster recovery
  • Compliance and the IA Maturity Model
  • Service management.

Government bodies responsible for cyber security

31 Tuesday Jan 2012

Posted by Andy in HMG Policy

Tags: Government Body, Cyber Security

Below is a list of the defined roles and remits of the Government bodies responsible for Cyber Security.

Policy co-ordination [Office of Cyber Security and Information Assurance (OSCIA)]
Based in the Cabinet Office and set up at the same time as CSOC (see below) to provide coherence and strategic leadership across the Government’s cyber security policy interests. This includes horizon scanning to consider the impact of an evolving cyber landscape on the UK’s cyber security, and working with partners across government to identify and implement the appropriate policy responses.

Strategic Analysis [Cyber Security Operations Centre (CSOC)]
Established in September 2009 as part of GCHQ with staff from a range of government and other stakeholders.

Provides a hub for strategic analysis of developments in cyberspace and for improving the co-ordination of the UK’s response to cyber incidents.

CSOC’s work aims to draw together a range of sources to enable a better understanding of the risks and opportunities of cyberspace, ensure information is coherently distributed to government, industry, international partners and the public and help inform strategic decision making.

Response & Analysis [GovCertUK | CERTs | CSIRTUK]
GovCertUK provides response and analysis to the public sector.
CERTs (MOD Computer Emergency Response Teams) provide response to the MOD.
CSIRTUK (Combined Security Incident Response Team) provides response and analysis to critical infrastructure providers.

Advice & Guidance [CPNI | CESG]
Provide advice and guidance on electronic attack/cyber attack to the critical national infrastructure and to government departments.

Information taken from SN/SC/5832 June 2011

Free Crypto course with Stanford University

27 Friday Jan 2012

Posted by Andy in ComSec, Education & Certification

Tags: comsec, Crypto, training

For those, like myself, involved in crypto, Stanford University is offering a free online course in cryptography. It covers the internal workings of crypto (not for those who don’t like the more advanced mathematics).

The course information:

Cryptography is an indispensable tool for protecting information in computer systems. This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption, digital signatures, and authentication protocols. Towards the end of the course we will cover more advanced topics such as zero-knowledge, distributed protocols such as secure auctions, and a number of privacy mechanisms. Throughout the course students will be exposed to many exciting open problems in the field.

The course will include written homeworks and programming labs. The course is self-contained, however it will be helpful to have a basic understanding of discrete probability theory.

The course starts in February, so sign up now at http://www.crypto-class.org/

In addition, Stanford has an online Computer Security course also starting in February that you might be interested in – visit http://www.security-class.org/ today.

HMG IA Training

25 Wednesday Jan 2012

Posted by Andy in Education & Certification

Tags: HMG IA Course

A quick post to mention some training courses that are available for those working in the HMG IA field.

[ National School of Government ]

Introduction to Information Assurance – Finding your way around IA in Government – £925 (2 days)

Topics covered:-

  • IA governance within an organisation
  • Threats, risks and impacts
  • Overview of key legislation and regulation
  • Government IA strategy
  • Government IA policy and standards
  • Assurance
  • Maintaining confidence

Information Assurance Standards IS2 and IS1 (Topic Programme 1) Process and practice – £1775 (4 days)

Topics covered:-

  • IS2 – risk management and accreditation
  • Content and development of the RMADS
  • Privacy Impact Assessments and IS6
  • The accreditation process
  • Information risk and assets
  • IS1 Part 1 – risk assessment
  • IS1 Part 2 – risk treatment

Risk Management and Accreditation Specialist Programme – IA Professionalism Stage 3 for accreditors – £630 (1 day)

Topics covered:-

  • Accreditation and the Accreditor
  • Accreditation skills and competencies
  • Accreditation plan and process
  • Tools of the trade
  • Support and advice

IA Protective Monitoring and Incident Management (Topic Programme 3)

Topics covered:-

  • Overview of audit
  • IA protective monitoring policy
  • System monitoring
  • Incident management
  • Backup and data storage
  • Forensic readiness
  • Sanitisation
  • Business continuity and disaster recovery
  • Compliance and the IA Maturity Model
  • Service management.

[ Amethyst Risk Management ]

RMADS Introduction – Risk Management and Accreditation Document Sets – (1 day)

Topics covered:-

  • Background and Context of HMG Infosec
  • Governance and Risk Management Concepts
  • The Accreditation Process
  • Risk Management and Accreditation Documents

IA1 Practitioners Course – HMG Information Assurance Standard No.1 (IAS1) Technical Risk Assessment – (2 days)

Topics covered:-

  • The purpose, structure and context of the standard
  • Changes from previous issues of IAS1
  • The new Standard framework
  • Model-based risk analysis method
  • IAS1 risk assessment methodology
  • Security Case development
  • Detailed workshops based on a real-world case study