Information Assurance: Highlighted Services

The nil plus ultra network has a deep level of technical ability derived from many years providing professional consultancy services to the MoD, HMG and Industry, delivered by HMG Security Cleared personnel.

Services most in demand at the moment include high-level and detailed technical designs of secure networks and services, providing assurance that delivery will protect client data with regard to confidentiality, integrity and availability. We describe some typical solutions below:

Accreditation Scoping Appraisals

This provides an assessment of proposed enhancements and new client requirements: will it be delivered in a secure manner? Will it deliver what the client wants? Business information exchange requirements, Infrastructure and Architecture Constraints, and the Outline Security Management plan are all assessed. Is it being delivered in line with recognised Acquisition Operational Frameworks and the appropriate Lines of Development? What is the perceived high-level security risk to the delivery of services?

Security Impact Statement

This provides the client with a detailed output explaining the impacts on the networks and services to be provided, and the impact on extant security enforcing functions on client networks and systems. It states the business context of the proposal, assigns Roles and Responsibilities, Assets, locations, hardware and software requirements, defines the proposed topology of the service, and identifies interfaces and interconnections and, where necessary, Codes of Connection requirements. Finally, it identifies Threats and Vulnerabilities, and risk mitigation activities to address any residual risks through High Level Risk Treatment Plans.

Technical Risk Assessment

This is the ability to undertake detailed Technical Risk Assessments against the organisation's perceived Threats. This involves sitting down with key stakeholders (Senior Management and departmental heads) to identify what previous incidents have impacted the business, and what potential incidents need to be planned for. Furthermore, this takes into account organisational Threat Actors and Threat Sources (people that can influence a Threat Actor), considering the actor's Raw and Enhanced capabilities and Motivation.

Accreditation Document Set

The Risk Management Accreditation Document Set enables an organisation's Senior Information Risk Owner and Information Asset Owner to fully understand the detailed Risk that they are carrying, and to make informed decisions regarding residual risk and the most appropriate means to treat such risks, such as Transfer the Risk, Mitigate the Risk, Reduce the Risk or Avoid the Risk. This is a living document that must be updated as and when system and network changes are implemented. No major changes should be carried out without a full Security Impact Statement being completed to assess the impact on the Accredited system.

Information Technology Health Check (ITHC)

The ITHC provides the client with a technical snapshot of the network or system. It provides an assessment of network topology, ports and services running, and a detailed assessment of the Operating System against recognised vulnerabilities. The output of the ITHC is a detailed report (usually protectively marked) providing evidence of vulnerabilities and a scaled risk table with proposed methods to fix any issues. The ITHC should be run after any major network or system enhancements to ensure that new vulnerabilities have not been introduced to a previously accredited network or system.