‘Risk-based’ Approach to Managing Infrastructure: a ‘Commercial Perspective’
Malcolm Page, BT UK
AFCEA Lisbon 2005
Objectives of the presentation
• To review the drivers and challenges
• Dealing with collaboration
• Risk reviews & modelling
• Compliance
• Testing
• Summary
• Questions
Defence Drivers & Trends
• Modernisation of armed forces
• Reduction in defence budgets
• Rapid deployment of armed forces on overseas missions
• Global role - Nation’s eyes only
• Interoperability of Command & Control
• Prime contracting (PFI) - partners take share of responsibility / risk
• The increased threat from cyber space
• Foreign intelligence services and identity theft management
• Homeland / National ICT Defence
• Increase in overseas peace keeping commitments with other foreign powers
• Increased infrastructure attack from Cyber terrorism
Additional Drivers
• Increased pressure for Information Governance
• Regulatory Compliance
• Need to demonstrate stakeholder value
• Public monies being put to good use
• Accurate information available for C3I decision making
• CC3I – Command Control Communication Information!
Challenges
• Maintaining the confidentiality, integrity and availability of defence infrastructure
• Protection of defence infrastructure against attack from foreign powers (covert / overt)
• Information Assurance (defence accreditation of information and systems such as NATO Classified)
• Modernisation of armed services on reduced budgets
• Recruiting and retaining the right personnel
• Increased use of ‘ICT Networks’ to deliver Command & Control
Commercial Risk-Based Management: Defence in Depth
• Balanced assessment of risk probability v risk impact v cost of mitigation etc.
• Dynamically translated into strategies, rules, practices, processes and procedures etc. Regularly reviewed.
• The People
  Includes: recruiting, selection, clearances, access rights and other controls (both on joining and on leaving the organisation), alternate resource pools, monitoring, auditing, communication, awareness, training etc.
• The physical infrastructure
  Includes: sites and their locations, adjacent “threats” (natural and man-made), utility service provision and back-ups, alternate sites, physical hardware assets (down to granular levels, e.g. signed-off holdings of desk-top assets), access controls, guarding, alerting, monitoring, testing, auditing etc.
• The information infrastructure
  Includes: data, voice and IP network information transfer systems, and associated information storage and back-up facilities etc. Information retention policies also apply.
Key Collaboration Partners (diagram)
Partner groups shown:
• Central & Intergovernmental Organisations, e.g. NATO / EU
• Civilian Defence Units & Local Govt offices
• Field Command / Mobile Personnel (army, navy, air force)
Links between them:
• Policy / direction setting & legislation
• Intelligence
• Civil defence contingency plans, directives, command control & coordination of action
• Collaboration and sharing of data
• Transfer of real time critical data & information securely via multi-channel methods
Risks (diagram, overlaid on the collaboration partners above)
• More sophisticated attacks on information infrastructure
• Interoperability of systems - vulnerabilities
• Unauthorised access to sensitive data, e.g. intelligence
• Downtime / Denial of Service, e.g. during deployment
• Downtime & reliability
• Nation’s eyes only
• Real time response to threat
• Resilience - maintaining of comm’s in battle-space
• Breach of classification levels of data
• Secure comm’s from remote locations
• Cost
Risk Analysis Framework (diagram; boxes shown)
• Business Vulnerability Model
• Impact Analysis
• Protagonist Model: Capability, Opportunity, Motivation
• Attack Likelihood
• Critical Infrastructure Risk Model: Technology, Integration, Process, People; Criticality, Continuity, Dependency
• Solutions Assessment
• Risk Managed Solutions (priorities)
• Protection, Detection, Reaction
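The ‘risk probability v risk impact v cost of mitigation’ balance from the Defence in Depth slide and the Protagonist Model (Capability, Opportunity, Motivation) and Protection / Detection / Reaction layers from the framework diagram, as an added worked example that is not part of the original presentation and not BT’s own method: a small risk register that derives attack likelihood from the three protagonist scores, computes expected annual loss, ranks each candidate mitigation by the loss it averts against its cost, and reports which framework layers have no control at all. The 1-5 scales, the likelihood formula, and every risk, figure and control name are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added example, not from the presentation. Scales and formulae are assumptions.


@dataclass(frozen=True)
class Protagonist:
    """Threat-agent profile on the slide's Capability / Opportunity / Motivation axes, each scored 1-5."""
    capability: int
    opportunity: int
    motivation: int


@dataclass(frozen=True)
class Mitigation:
    name: str
    layer: str                          # 'protection', 'detection' or 'reaction' (framework layers)
    annual_cost: float
    likelihood_reduction: float = 0.0   # fraction of attack likelihood the control removes
    impact_reduction: float = 0.0       # fraction of the loss removed if the attack still succeeds


@dataclass
class Risk:
    name: str
    impact: float                       # single-loss expectancy, in currency units
    protagonist: Protagonist
    mitigations: List[Mitigation] = field(default_factory=list)


def attack_likelihood(p: Protagonist) -> float:
    """Assumed model: product of the three 1-5 scores, scaled so (5, 5, 5) -> 1.0 attack per year."""
    for score in (p.capability, p.opportunity, p.motivation):
        if not 1 <= score <= 5:
            raise ValueError("protagonist scores must be in the range 1-5")
    return (p.capability * p.opportunity * p.motivation) / 125


def expected_loss(risk: Risk) -> float:
    """Annual loss expectancy before any mitigation: likelihood x impact."""
    return attack_likelihood(risk.protagonist) * risk.impact


def evaluate(risk: Risk, m: Mitigation) -> Dict[str, object]:
    """Loss averted by one mitigation applied on its own, and its return on security investment (ROSI)."""
    before = expected_loss(risk)
    after = before * (1 - m.likelihood_reduction) * (1 - m.impact_reduction)
    averted = before - after
    rosi = (averted - m.annual_cost) / m.annual_cost
    return {"risk": risk.name, "mitigation": m.name, "layer": m.layer,
            "averted": round(averted, 2), "cost": m.annual_cost,
            "rosi": round(rosi, 3), "worthwhile": averted > m.annual_cost}


def prioritise(risks: List[Risk]) -> List[Dict[str, object]]:
    """Rank every (risk, mitigation) pair by ROSI, best first; negative ROSI means it costs more than it saves."""
    rows = [evaluate(r, m) for r in risks for m in r.mitigations]
    return sorted(rows, key=lambda row: row["rosi"], reverse=True)


def layer_gaps(risk: Risk) -> set:
    """Layers of the Protection / Detection / Reaction framework with no proposed control for this risk."""
    return {"protection", "detection", "reaction"} - {m.layer for m in risk.mitigations}


# Constructed sample register (illustrative figures only, not real data)
SAMPLE_RISKS = [
    Risk("Unauthorised access to intelligence data store", impact=2_000_000,
         protagonist=Protagonist(capability=5, opportunity=3, motivation=5),
         mitigations=[
             Mitigation("Privileged access management and clearance review", "protection", 150_000,
                        likelihood_reduction=0.5),
             Mitigation("Privileged-session monitoring and audit", "detection", 40_000,
                        impact_reduction=0.3),
             Mitigation("Relocate data centre to hardened site", "protection", 900_000,
                        likelihood_reduction=0.4),
         ]),
    Risk("Denial of service on field-command link during deployment", impact=500_000,
         protagonist=Protagonist(capability=3, opportunity=5, motivation=4),
         mitigations=[
             Mitigation("Alternate multi-channel communications path", "reaction", 60_000,
                        impact_reduction=0.75),
         ]),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_RISKS):
        flag = "" if row["worthwhile"] else "  <- costs more than it averts"
        print(f'{row["rosi"]:>7.2f}  {row["risk"]}: {row["mitigation"]}{flag}')
    for r in SAMPLE_RISKS:
        print(f"{r.name}: no control at layer(s) {sorted(layer_gaps(r))}")
```

Each mitigation is scored on its own, so the ranking tells a reviewer where the first pound is best spent, not the combined residual risk of the whole package; the layer-gap check is the complementary view, since a risk with only protective controls and no detection or reaction has a gap that no ROSI figure exposes.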
Overall Security Process (diagram; stages shown)
• Business Requirements; Security Risk Analysis and Management; Information Security Summary; Identification of Security Countermeasures; Security Policy
• Technical Security Architecture (Technical / Non-Technical); Community Security Policy; Security Operating Procedures; Firewall Policies; Security Components and Tools - Technical Solution
• Accredited Service Implemented in a Secure Environment; Security Incident Handling and Reporting; Security Awareness; Security Audit / Compliance Checking; Security Assurance Testing / Evaluation Reports; Accreditation
• Live System Environment: System in Operational Use; Security Management Monitoring; Regular Security Audit / Compliance Checking
• Business Continuity Strategy; Business Continuity Plans; Business Continuity Plan Test; feedback into Risk Analysis etc.
Compliance
• Security audit / compliance checks
• Business security health check
• Gap analysis (e.g. against ISO27001, (UK) MPS/JSP440)
• Security evaluation services
• IT security testing services
• Compliance against regulatory requirements such as Data Protection
IT security testing services
• Level 1: Automated Vulnerability Scan; Network Mapping; Technical Security Check
• Level 2 includes:
  1. Technical security policy review
  2. Vulnerability Assessment Options
  3. Firewall Rulebase Analysis
  4. Physical Computer Room Check
  5. Social Engineering
  6. Web Application Testing
• Level 3: Penetration Testing
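‘Firewall Rulebase Analysis’ from the Level 2 list, as an added example that is not part of the original presentation and not a BT tool: a small analyser over a constructed, vendor-neutral rulebase (one rule per line: action, source, destination, service; first match wins) that finds rules shadowed by an earlier rule with the opposite action, redundant rules already covered by an earlier rule with the same action, a catch-all permit, and permits of management services from any source. The rule format, the sample rules and the management-service list are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not from the presentation. The rule format is an assumed simplification.


@dataclass(frozen=True)
class Rule:
    number: int
    action: str    # 'permit' or 'deny'
    src: str       # IPv4 CIDR or 'any'
    dst: str       # IPv4 CIDR or 'any'
    service: str   # 'proto/port', e.g. 'tcp/443', or 'any'


# Assumed list of administrative services that should not be reachable from 'any'
MANAGEMENT_SERVICES = {"tcp/22", "tcp/23", "tcp/3389", "udp/161"}


def _network(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (_network(inner.src).subnet_of(_network(outer.src))
            and _network(inner.dst).subnet_of(_network(outer.dst))
            and outer.service in ("any", inner.service))


def parse_rulebase(text: str) -> List[Rule]:
    """Parse 'action src dst service' lines; '#' comments and blank lines are ignored. Order is match order."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, service = line.split()
        if action.lower() not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        rules.append(Rule(len(rules) + 1, action.lower(), src, dst, service.lower()))
    return rules


def analyse(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Return (rule number, finding, detail) for each issue, in rulebase order."""
    findings: List[Tuple[int, str, str]] = []
    for i, rule in enumerate(rules):
        if rule.action == "permit":
            if rule.src == "any" and rule.dst == "any" and rule.service == "any":
                findings.append((rule.number, "over-permissive", "permit any -> any any matches all traffic"))
            elif rule.src == "any" and rule.service in MANAGEMENT_SERVICES:
                findings.append((rule.number, "exposed-management", f"{rule.service} permitted from any source"))
        # The first earlier rule that fully covers this one decides its fate: the later rule can never match.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.number, kind, f"fully covered by rule {earlier.number} ({earlier.action})"))
                break
    return findings


# Constructed sample rulebase, top-down first-match semantics
SAMPLE_RULEBASE = """
permit 10.0.0.0/8        192.168.10.0/24   tcp/443
deny   any               192.168.10.5/32   tcp/22    # management host: block SSH from everywhere
permit any               192.168.10.5/32   tcp/22    # never matches: shadowed by the deny above
permit 10.0.1.0/24       192.168.10.0/24   tcp/443   # already allowed by rule 1
permit any               any               any       # catch-all permit
"""

if __name__ == "__main__":
    for number, kind, detail in analyse(parse_rulebase(SAMPLE_RULEBASE)):
        print(f"rule {number}: {kind} - {detail}")
```

Rule 3 draws two findings on purpose: the exposed-management check reads the rule as written, while the shadowing check shows that the exposure is latent today and becomes live the moment someone removes or reorders the deny above it. Redundant and shadowed rules are reported separately because the remedy differs: a redundant rule can be deleted, whereas a shadowed rule signals that either the earlier rule or the later one does not express the intended policy.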
Proactive Monitoring & Management & Testing
• Network Management
  • Effective network design
  • Ensure efficient operation
  • Ensure High Availability
  • Firewalls in place
  • Provide connectivity
• Security Management
  • Effective security design
  • Manage vulnerability
  • Monitor - internal / external
  • Integrate and Interpret
  • Build IRP
Best Practice is a blend of network & security operations
Can commercial security deliver for NATO?
• Accountable
• Retain experienced staff
• Government cleared personnel
• Setting Standards
• Availability 365 x 24 x 7
• Information sharing: ‘FIRST’, trade partners, government agencies etc.
Potential benefits
• Reduced technological and operational risks
• Reduced costs
• Expertise – know-how
• Linked into ‘in-country’ Critical National Information Infrastructure
• Global capability
• Regular audits & reviews
• Invariably Commercial Off-The-Shelf (COTS) solutions
Questions?
Malcolm Page
Business Continuity, Security & Governance Practice
+44 7711 073329
malcolm.page@bt.com