Securing the Realm

CloudStore Opens for Business

Andy — Sun, 19 Feb 2012 14:51:04 +0000

After announcement by Francis Maude this morning the Governments new CloudStore has opened for business.

What is the CloudStore?

Government has been working to make the purchasing of public sector ICT as simple and transparent as possible. The result is a new web site, which we are calling the CloudStore.

The CloudStore is a new way for Government to buy IT products and services. At the moment this site is a pilot and we’re asking for your feedback so we can add to and improve it.

The CloudStore is an online catalogue of over 1,700 information and communications services available to the UK public sector, and contains details of each of the suppliers and their services. You can use the CloudStore to select the services that best suit your needs.

All the services listed on the CloudStore are part of the G-Cloud framework so are immediately available for the public sector to procure and use.

This is the first of its kind in the UK for public sector ICT procurement, and we are committed to ensuring that this method of buying ICT goods and services is efficient and fit for purpose.

[description from the CloudStore website]

Check out the CloudStore at http://www.govstore.net/

G-Cloud accreditation webinar (recording)

Andy — Tue, 14 Feb 2012 11:53:07 +0000

The G-Cloud accreditation process webinar “#Accreditcamp” was held on Feb 13th to explain more about the process of accreditation including what documentation is required, timeframes and issues.

If you missed the webinar, the recording is now available here: http://www.slideshare.net/G-Cloud/accredcamp-slides-audio

Information Assurance Practitioners’ Event 2012

Andy — Sun, 12 Feb 2012 10:45:09 +0000

Date: 29th February & 1st March 2012
Time: 9:30am – 5:30pm (day 1) & 9:00am – 3:15pm (day 2)
Location: York Racecourse

Website: http://www.softbox.co.uk/events/iapevent2012

Building on the success of the last event, this is the perfect opportunity for you to hear from and network with Government and industry experts to discuss your Information Assurance concerns and strategies and find out about the latest solutions.

Full details of the event are included for your perusal, including how to register for your free place at the event.

Setting the Agenda
The IA Practitioners’ Event is a key event in CESG’s calendar for Information Assurance experts at a practical level and it promises to be exceptional with an informative and comprehensive agenda themed around Information Assurance.

Dr Ian Levy, Technical Director at CESG, will be chairing the two day programme which includes main plenary sessions plus a series of workshops for delegates and vendors to take a full and active part in.

During the event there will be dedicated sessions for the Police Information Assurance Forum (PIAF) and the IT Security Officers’ Forum (ITSOF). This will provide an opportunity for those involved to discuss their specific issues and concerns in their own groups yet still be able to join in the main event where a wealth of expertise from industry and delegates across the entire public sector will be discussing innovative ways of meeting the security standards and policies required in today’s environment.

Extended breaks for tea/coffee and lunch each day will also allow you the opportunity to visit the exhibition stands, talk to the exhibitors about their latest product and service offerings and network with your peers.

At the end of day one everyone is invited to join in the Networking Evening and Dinner where you will get ample time to chat with your peers in a relaxed atmosphere whilst enjoying a traditional four course meal and being entertained by our guest speaker ‘Dr Kevin Jones’ who will give you a hilarious insight into the world of medical practice.

G-Cloud Accreditation (#AccreditCamp)

Andy — Sat, 11 Feb 2012 19:24:31 +0000

#AccreditCamp will be a live webinar at 11.00 on the 13th February to outline the G-Cloud accreditation process for suppliers to understand what HMG are looking at, how they do it and what to expect as part of the process.

First Set of PSN Roadmaps Published

Andy — Mon, 06 Feb 2012 13:37:06 +0000

High level roadmaps indicating the progress of central and non-central Governement departments/organisations on to the PSN service have been relased by the PSN programme.

This publication represents a starting point but nevertheless reflects the extent of commitment now evident across the entire Public Sector. It’s important that we start to communicate the development of all sides of the PSN marketplace, beginning with our own organisations, so that both public sector and industry can start to see the big picture more clearly.

comment from Craig Eblett (PSN Programme Director)

Links to the reports:
PSN Central Government Transition Plan, as at 31 January 2012
PSN Non-Central Government Transition Plan, as at 31 January 2012

UK Top for Cyber Preparedness

Andy — Sun, 05 Feb 2012 10:37:04 +0000

According to a recent report comissioned by McAfee, to survey 250 leading authorities and 80 cyber security experts in the public and private sectors, the UK was awarded 4 stars and ranked top for Cyber preparedness, alongside the USA and Germany.

Recognition was given for the UK’s new cyber security strategy and the formation of the Office of Cyber Security and Information Assurance (OSCIA), however it did note that the UK has too high a reliance on the private sector.

The report provides the following top ten recommendations to improve cyber prepardness:

1. Build trust between industry and government stakeholders by setting up bodies to share information and best practices, like the Common Assurance Maturity Model (CAMM) and the Cloud Security Alliance (CSA).

2. Increase public awareness of how individuals can protect their own internet data, and promote cyber-security education and training.

3. New problems and opportunities created by smart phones and cloud computing must be examined. Cloud computing needs an appropriate architecture to achieve optimum security levels.

4. Prioritise information protection, knowing that no one size fits all. The three key goals that need to be achieved are confidentiality, integration and availability in different doses according to the situation.

5. Consider establishing cyber-confidence building measures as an alternative to a global treaty, or at least as a stopgap measure, knowing that many countries view a treaty as unverifiable, unenforceable and impractical.

6. Improve communication between the various communities, from policy-makers to technological experts to business leaders both at national and international levels.

7. Enhance attribution capabilities by investing in new technologies, and establishing rules and standards.

8. Follow the Dutch model of a third party cyber-exchange for improved private-public partnership on internet security.

9. Despite the many practical hurdles in the way of transparency, both for private companies and for governments, find ways of establishing assurance – or trust – through the use of security mechanisms and processes.

10. Move the ball forward and encourage integration of cyber into existing processes and structures. Make sure cyber considerations and investment are present at every level.

Read the full report here

New Course: IA Protective Monitoring and Incident Management

Andy — Wed, 01 Feb 2012 19:26:18 +0000

I’ve just noticed a new course added to the National School of Government IA page:-

IA Protective Monitoring and Incident Management http://www.nationalschool.gov.uk/programmes/programme.asp?id=22914&tab=1

What you will learn:

This course will give you an in-depth understanding of the principles policy and issues affecting protective monitoring, forensic readiness and incident management.
At the end of the course you will be able to:

describe the purpose of audit
describe government protective monitoring policy
explain how to manage an IA incident
produce a Forensic Readiness plan
describe sanitisation and the issues around re-use of media
describe ways of monitoring compliance, including the IA Maturity Model.

What the programme covers:

Overview of audit
IA protective monitoring policy
System monitoring
Incident management
Backup and data storage
Forensic readiness
Sanitisation
Business continuity and disaster recovery
Compliance and the IA Maturity Model
Service management.

Government bodies responsible for cyber security

Andy — Tue, 31 Jan 2012 09:00:12 +0000

Below is a list of the defined roles and remit of the Government bodies responsible for Cyber Security.

Policy co-ordination [Office of Cyber Security and Information Assurace (OSCIA)]
Based in the Cabinet Office and set up at the same time as CSOC (see below) to provide coherence and strategic leadership across the Government’s cyber security policy interests. This includes horizon scanning to consider impact of an evolving cyber landscape for the UK’s cyber security and working with partners across government to identify and implement the appropriate policy responses.

Strategic Analysis [Cyber Security Operations Centre (CSOC)]
Established in September 2009 as part of GCHQ with staff from a range of government and other stakeholders.

Provides a hub for strategic analysis of developments in cyberspace and improving the co-ordination of the UK’s response to cyber incidents.

CSOC’s work aims to draw together a range of sources to enable a better understanding of the risks and opportunities of cyberspace, ensure information is coherently distributed to government, industry, international partners and the public and help inform strategic decision making.

Response & Analysis [GovCert UK | CERTs | CSIRTUK]
GovCertUK provide response and analysis to the public sector.
CERTs (MOD Computer Emergency Response Teams) provide response to MOD.
CSIRTUK (Combined Security Incident Response Team) provide response and analysis to critical infrastructure providers.

Advice & Guidance [CPNI | CESG]
Provide advice and guidance on electronic attack/cyber attack to the critical national infrastructure and to government departments.

Information taken from SN/SC/5832 June 2011

Free Crypto course with Stanford University

Andy — Fri, 27 Jan 2012 08:31:31 +0000

For those, like myself, involved in crypto, Stanford University are offering a free online course in cryptography. It covers the internal workings of crypto (not for those who don’t like the more advance mathematics).

The course information:

Cryptography is an indispensable tool for protecting information in computer systems. This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption, digital signatures, and authentication protocols. Towards the end of the course we will cover more advanced topics such as zero-knowledge, distributed protocols such as secure auctions, and a number of privacy mechanisms. Throughout the course students will be exposed to many exciting open problems in the field.

The course will include written homeworks and programming labs. The course is self-contained, however it will be helpful to have a basic understanding of discrete probability theory.

The course starts in Feb so sign up now at http://www.crypto-class.org/

In addition, Sanford have an online Computer Security course also starting in Feb you might be interested in – visit http://www.security-class.org/ today.