Securing the Realm

First Set of PSN Roadmaps Published

Andy — Mon, 06 Feb 2012 13:37:06 +0000

High level roadmaps indicating the progress of central and non-central Governement departments/organisations on to the PSN service have been relased by the PSN programme.

This publication represents a starting point but nevertheless reflects the extent of commitment now evident across the entire Public Sector. It’s important that we start to communicate the development of all sides of the PSN marketplace, beginning with our own organisations, so that both public sector and industry can start to see the big picture more clearly.

comment from Craig Eblett (PSN Programme Director)

Links to the reports:
PSN Central Government Transition Plan, as at 31 January 2012
PSN Non-Central Government Transition Plan, as at 31 January 2012

UK Top for Cyber Preparedness

Andy — Sun, 05 Feb 2012 10:37:04 +0000

According to a recent report comissioned by McAfee, to survey 250 leading authorities and 80 cyber security experts in the public and private sectors, the UK was awarded 4 stars and ranked top for Cyber preparedness, alongside the USA and Germany.

Recognition was given for the UK’s new cyber security strategy and the formation of the Office of Cyber Security and Information Assurance (OSCIA), however it did note that the UK has too high a reliance on the private sector.

The report provides the following top ten recommendations to improve cyber prepardness:

1. Build trust between industry and government stakeholders by setting up bodies to share information and best practices, like the Common Assurance Maturity Model (CAMM) and the Cloud Security Alliance (CSA).

2. Increase public awareness of how individuals can protect their own internet data, and promote cyber-security education and training.

3. New problems and opportunities created by smart phones and cloud computing must be examined. Cloud computing needs an appropriate architecture to achieve optimum security levels.

4. Prioritise information protection, knowing that no one size fits all. The three key goals that need to be achieved are confidentiality, integration and availability in different doses according to the situation.

5. Consider establishing cyber-confidence building measures as an alternative to a global treaty, or at least as a stopgap measure, knowing that many countries view a treaty as unverifiable, unenforceable and impractical.

6. Improve communication between the various communities, from policy-makers to technological experts to business leaders both at national and international levels.

7. Enhance attribution capabilities by investing in new technologies, and establishing rules and standards.

8. Follow the Dutch model of a third party cyber-exchange for improved private-public partnership on internet security.

9. Despite the many practical hurdles in the way of transparency, both for private companies and for governments, find ways of establishing assurance – or trust – through the use of security mechanisms and processes.

10. Move the ball forward and encourage integration of cyber into existing processes and structures. Make sure cyber considerations and investment are present at every level.

Read the full report here

New Course: IA Protective Monitoring and Incident Management

Andy — Wed, 01 Feb 2012 19:26:18 +0000

I’ve just noticed a new course added to the National School of Government IA page:-

IA Protective Monitoring and Incident Management http://www.nationalschool.gov.uk/programmes/programme.asp?id=22914&tab=1

What you will learn:

This course will give you an in-depth understanding of the principles policy and issues affecting protective monitoring, forensic readiness and incident management.
At the end of the course you will be able to:

describe the purpose of audit
describe government protective monitoring policy
explain how to manage an IA incident
produce a Forensic Readiness plan
describe sanitisation and the issues around re-use of media
describe ways of monitoring compliance, including the IA Maturity Model.

What the programme covers:

Overview of audit
IA protective monitoring policy
System monitoring
Incident management
Backup and data storage
Forensic readiness
Sanitisation
Business continuity and disaster recovery
Compliance and the IA Maturity Model
Service management.

Government bodies responsible for cyber security

Andy — Tue, 31 Jan 2012 09:00:12 +0000

Below is a list of the defined roles and remit of the Government bodies responsible for Cyber Security.

Policy co-ordination [Office of Cyber Security and Information Assurace (OSCIA)]
Based in the Cabinet Office and set up at the same time as CSOC (see below) to provide coherence and strategic leadership across the Government’s cyber security policy interests. This includes horizon scanning to consider impact of an evolving cyber landscape for the UK’s cyber security and working with partners across government to identify and implement the appropriate policy responses.

Strategic Analysis [Cyber Security Operations Centre (CSOC)]
Established in September 2009 as part of GCHQ with staff from a range of government and other stakeholders.

Provides a hub for strategic analysis of developments in cyberspace and improving the co-ordination of the UK’s response to cyber incidents.

CSOC’s work aims to draw together a range of sources to enable a better understanding of the risks and opportunities of cyberspace, ensure information is coherently distributed to government, industry, international partners and the public and help inform strategic decision making.

Response & Analysis [GovCert UK | CERTs | CSIRTUK]
GovCertUK provide response and analysis to the public sector.
CERTs (MOD Computer Emergency Response Teams) provide response to MOD.
CSIRTUK (Combined Security Incident Response Team) provide response and analysis to critical infrastructure providers.

Advice & Guidance [CPNI | CESG]
Provide advice and guidance on electronic attack/cyber attack to the critical national infrastructure and to government departments.

Information taken from SN/SC/5832 June 2011

Free Crypto course with Stanford University

Andy — Fri, 27 Jan 2012 08:31:31 +0000

For those, like myself, involved in crypto, Stanford University are offering a free online course in cryptography. It covers the internal workings of crypto (not for those who don’t like the more advance mathematics).

The course information:

Cryptography is an indispensable tool for protecting information in computer systems. This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption, digital signatures, and authentication protocols. Towards the end of the course we will cover more advanced topics such as zero-knowledge, distributed protocols such as secure auctions, and a number of privacy mechanisms. Throughout the course students will be exposed to many exciting open problems in the field.

The course will include written homeworks and programming labs. The course is self-contained, however it will be helpful to have a basic understanding of discrete probability theory.

The course starts in Feb so sign up now at http://www.crypto-class.org/

In addition, Sanford have an online Computer Security course also starting in Feb you might be interested in – visit http://www.security-class.org/ today.

HMG IA Training

Andy — Wed, 25 Jan 2012 08:19:10 +0000

Quick post to mention some training courses that are available for those working in the HMG IA field.

[ National School of Government ]

Introduction to Information Assurance – Finding your way around IA in Government - £925 (2 days)

Topics covered:-

IA governance within an organisation
Threats, risks and impacts
Overview of key legislation and regulation
Government IA strategy
Government IA policy and standards
Assurance
Maintaining confidence

Information Assurance Standards IS2 and IS1 (Topic Programme 1) Process and practice – £1775 (4 days)

Topics covered:-

IS2 – risk management and accreditation
Content and development of the RMADS
Privacy Impact Assessments and IS6
The accreditation process
Information risk and assets
IS1 Part 1 – risk assessment
IS1 Part 2 – risk treatment

Risk Management and Accreditation Specialist Programme – IA Professionalism Stage 3 for accreditors - £630 (1 day)

Topics covered:-

Accreditation and the Accreditor Accreditation skills and competencies
Accreditation plan and process
Tools of the trade
Support and advice

IA Protective Monitoring and Incident Management (Topic Programme 3)

Topics covered:-

Overview of audit
IA protective monitoring policy
System monitoring
Incident management
Backup and data storage
Forensic readiness
Sanitisation
Business continuity and disaster recovery
Compliance and the IA Maturity Model
Service management.

[ Amethyst Risk Management ]

RMADS Introduction – Risk Management and Accreditation Document Sets - (1 day)

Topics covered:-

Background and Context of HMG Infosec
Governance and Risk Management Concepts
The Accreditation Process
Risk Management and Accreditation Documents

IA1 Practitioners Course – HMG Information Assurance Standard No.1 (IAS1) Technical Risk Assessment – (2 day)

Topics covered:-

The purpose, structure and context of the standard
Changes from previous issues of IAS1
The new Standard framework
Model-based risk analysis method
IAS1 risk assessment methodology
Security Case development
Detailed workshops based on a real-world case study

Business Impact Levels (BIL)

Andy — Sun, 22 Jan 2012 15:03:42 +0000

A successful exploitation by a threat actor or threat source will result in a compromise of one or more of the following elements of an information asset:

Confidentiality
Integrity
Availability

This compromise will have an impact on the business. Within the SPF and IAS1 they identify business impact from IL0 (lowest) to IL6 (highest).

IAS1 states that a business impact is by definition the impact that a compromise has on the operations or efficiency of an organisation, it’s customers or citizens.

Unlike a protective marking (i.e. RESTRICTED, SECRET etc.) which is concerned with the level of control, handling and management of the information asset, the impact level (IL) determines the value of an information asset if compromised and how it can impact the following:

Financial loss to an organisation;
Operational effectiveness of a system/service if compromised;
Reputational damage to an organisation;
Stress caused to an individual/citizen;
International relationships with friendly or allied nations/governments.

There is a one to one relationship between the protective marking and the impact level (but not the other way around) as can be seen below.

Non Protectively Marked (NPM) / Unclassified = IL0/IL1
PROTECT = IL2
RESTRICTED = IL3
CONFIDENTIAL = IL4
SECRET = IL5
TOP SECRET= IL6

IL2, IL3, IL4 are also correlated with CIA values as follows:

IL2 corresponds to 2-2-4
IL3 corresponds to 3-3-4
IL4 corresponds to 4-4-4

What is the PSN?

Andy — Sun, 22 Jan 2012 11:37:34 +0000

The PSN, or Public Service Network, is the Government cloud (G-Cloud) computing layer sitting on top of the GCN (Government Conveyance Network (the network layer)) where it will host a number of service applications alongside enterprise services such as DNS, PKI, VoIP, eMail etc.

The plan with the PSN is that approved suppliers to the Government can offer services through a market place providing great oppertunities for industry and large savings for the public sector.

The PSN offers a consolidated network of services for the modern Government in a unique flat network architecture with different security impact levels all operating off the same infrastructure. The PSN network will be IL2 accredited but will be able to store and process data up to a protective marking of RESTRICTED (IL3) via CESG approved encryption.

Kent and Hampshire are the first to trial the PSN service with further contracts for connectivity in early 2012.

It is expected that public sector organisations/departments will migrate to the PSN as existing contracts with service providers expire. The Government is keen to migrate all departments/agencies over to the PSN as soon as they can. This shift to the PSN could mean a shift in business for current service providers to HMG.

Links:
http://www.cabinetoffice.gov.uk/resource-library/public-services-network

Mapping SPF v6 MR to SPF v7 MR

Andy — Wed, 18 Jan 2012 08:52:46 +0000

A quick reference post for the mappings of the latest SPF (Security Policy Framework) 7 to SPF 6 (these are also available in the SPF 7 appendix):

SPF Version 7 – Oct 2011 MR Structure	SPF Version 6 – Apr 2011 MR Structure
MR 1 SECURITY ORGANISATION	3 – Board Level Responsibilities 4 – DSO Responsibilities 9 – DSU Training 35 – IA Roles and Responsibilities
MR 2 RISK MANAGEMENT APPROACHES	5 – Risk Management Approaches 32 – Managing Information Risk
MR 3 CULTURE, EDUCATION AND AWARENESS	1 – Education and Awareness for Staff 9 – Protective Security Culture 21 – Personal Responsibilities for Safeguarding Assets
MR 4 MANAGING AND RECOVERING FROM INCIDENTS	9 – Reporting of Security Incidents 21 – Security Breach System 49 – Disaster Recovery Planning 70 – Business Continuity
MR 5 ASSURANCE AND REPORTING	6 – Self Assessment and Systems of Assurance 7 – Annual Security Returns 8 – Audit and Review 34 – Statement of Internal Control 69 – CT Assurance Statements
MR 6 INFORMATION SECURITY POLICY	31 – Information Security Policy 10 – International Security Agreements 11 – Government Protective Marking System (GPMS) 12 – Legal Requirements 15 – FOI
MR 7 GOVERNMENT PROTECTIVE MARKING SYSTEM	10 – International Security Agreements 11 – Government Protective Marking System (GPMS) 16 – Need to know principle 18 – Material originating outside the HMG 19 – Universal controls 20- Special handling
MR 8 RISK ASSESSMENT AND ACCREDITATION OF ICT SYSTEMS	32 – Managing Information Risk 33 – Business impact levels 14 – HMG IA no 6 – Protecting personal data 36 – Accreditation and audit 37 – Compliance checks – RMADS
MR 9 TECHNICAL CONTROLS	39- Codes of connection and technical controls 40- Cryptography 41- Eavesdropping and Electro-Magnetic Countermeasures 42- Remote working/mobile media 45- Secure Disposal
MR 10 PROCEDURAL MEASURES	38 – Authentication controls 46 – Personnel security 48 – Education, training and awareness 42 – Mobile working
MR 11 DELIVERY PARTNERS AND SUPPLIERS	2 – SPF Compliance among Delivery Partners and Suppliers 31 – Information Security Policy DPs & 3PS 43 – Procurement
MR 12 MANAGING AND REPORTING SECURITY INCIDENTS	9 – Reporting Incidents 21 – Security Breach System 44 – Reporting ICT Incidents
MR 13 RECRUITMENT CHECKS AND NATIONAL SECURITY VETTING	23 – BPSS compliance 24 – National Security Vetting compliance 26 – Clearance Decisions
MR 14 ONGOING PERSONNEL SECURITY MANAGEMENT	22 – Applying Personal Security Controls 25 – National Security Vetting Issues 27 – National Security Vetting Aftercare
MR 15 APPEALS	28 – National Security Vetting Appeals MR 29 – Notifying GSS of Legal Challenges
MR 16 SECURITY RISK ASSESSMENT	50- Defence in Depth 51- Storage of Sensitive Assets 55- Building Security 62- Operational Requirements
MR 17 INTERNAL CONTROLS	47 – Physical Security of ICT Assets 52- Secure Containers 53- Secure Rooms 54- Officer Areas
MR 18 BUILDING AND PERIMETER SECURITY	56- Physical Access Control 57- Physical Access Control 58 – Access Control Policies 59- Incoming Mail 60- Manned Guarding 61- Perimeter Security
MR 19 PREPARING FOR CRITICAL INCIDENTS	64- Categorisation of the Government Estate 65- Government Estate Response Level System
MR 20 RESPONDING TO CRITICAL INCIDENTS	67- CT Protective Security Policy and Plans 68- Testing CT Arrangements

What is the GCN?

Andy — Wed, 18 Jan 2012 08:25:46 +0000

The GCN, or Government Conveyance Network is the replacement for the aging siloed GSi (Government Secure Intranet) network that interconnects multiple UK Government networks. The idea behind the GCN is to provide a flat network space across multiple service providers to provide a more harmonised network that can provide the services needed in both today and tomorrow’s Government market. The services will form the PSN (Public Services Network) in a cloud based solution where the underlying hardware architecture is abstracted away from the application layer.

The official definition is:

The GCN will provide the core backbone infrastructure of the PSN – and it will be a mesh of existing telecoms industry networks. It will be built to Industry standards. Suppliers who meet the standards will be able to supply GCN services.

The network layout will look like:

For more information on the GCN, check out the GCN Service Description document.