
HMG Risk Management -Systems Accreditation (a view from 40,000 ft in 50 minutes!)

HMG Risk Management -Systems Accreditation (a view from 40,000 ft in 50 minutes!). Ian D. McKinnon BSc MSc M.Inst.ISP (ITPC) MBCS (CITP) CISSP CLAS SMWS. Systems Accreditation.





Presentation Transcript


  1. HMG Risk Management - Systems Accreditation (a view from 40,000 ft in 50 minutes!)
  Ian D. McKinnon BSc MSc M.Inst.ISP (ITPC) MBCS (CITP) CISSP CLAS SMWS

  2. Systems Accreditation
  • Systems Accreditation is the process by which risks to HMG systems are formally expressed, and mitigations are developed, implemented and assessed, to ensure that the resultant residual risk is acceptable to the business.
  • The primary output of the accreditation process is an RMADS (Risk Management and Accreditation Document Set).
  HMG Accreditation RHUL – Distance Learning Summer School

  3. Asset Classification
  • HMG Protective Marking Scheme:
  • Unclassified / NPM (Not Protectively Marked)
  • PROTECT
  • RESTRICTED
  • CONFIDENTIAL
  • SECRET
  • TOP SECRET

  4. Bob Quick – epic fail! The then Assistant Commissioner was photographed in April 2009 entering Downing Street with a SECRET-marked briefing document clearly legible under his arm. See: http://news.bbc.co.uk/1/hi/7991307.stm

  5. It's amazing what you can capture from across the street with a professional lens and a 15 megapixel camera!

  6. GPMS Review (the Government Security Classifications scheme that replaced the GPMS in April 2014)
  • HMG Protective Marking Scheme:
  • OFFICIAL
  • SECRET
  • TOP SECRET

  7. Business Impact Levels
  • BILs are used to assign a value to assets, systems or services in terms of Confidentiality, Integrity and Availability (CIA); a system is given one level per property, written in C, I, A order.
  • Broadly aligned to the Protective Marking scheme:
  • 0 = NPM
  • 3 = RESTRICTED
  • 4 = CONFIDENTIAL
  • 5 = SECRET
  • 6 = TOP SECRET
  • ICT System e.g. BIL3,3,4 or BIL5,5,3
  • Network e.g. BIL2,2,4 or BIL3,3,4

  8. Example BIL Table
  • Copied from IAS1 v3.6 part 1 Appendix A – Business Impact Level Tables

  9. Personnel Clearance
  • HMG Vetting Scheme:
  • BPSS (Baseline Personnel Security Standard)
  • Basic check to confirm identity. Unsupervised access to assets up to CONFIDENTIAL and occasional supervised access to SECRET.
  • SC (Security Check)
  • Detailed background check to confirm identity. Unsupervised access to assets up to SECRET and occasional supervised access to TOP SECRET.
  • DV (Developed Vetting)
  • Exhaustive background checks including interviews of the applicant and referees. Unsupervised access to TOP SECRET assets.
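The following is an added worked example, not from the presentation, tying slides 7 and 9 together: it parses the BIL notation used on slide 7, aggregates per-asset impact levels into a system BIL, and derives the protective marking and the minimum vetting level needed for unsupervised access from the tables on slides 7 and 9. The aggregation rule (a system takes the highest level of any asset it handles, separately for C, I and A) and the IL1/IL2 = PROTECT mapping are assumptions about IS1 practice, not stated on the slides; the asset list is constructed sample data.

```python
"""Aggregate per-asset Business Impact Levels (BILs) into a system BIL.

Added example, not part of the presentation. Assumption: a system's BIL
for each of C, I and A is the highest level of any asset it handles.
"""
import re
from typing import Iterable, NamedTuple, Union


class BIL(NamedTuple):
    """Impact level per property, in the C, I, A order used on slide 7."""
    c: int
    i: int
    a: int

    def __str__(self) -> str:
        return f"BIL{self.c},{self.i},{self.a}"


# Impact level -> protective marking (slide 7; IL1/IL2 -> PROTECT assumed from IS1).
MARKING = {
    0: "NPM", 1: "PROTECT", 2: "PROTECT", 3: "RESTRICTED",
    4: "CONFIDENTIAL", 5: "SECRET", 6: "TOP SECRET",
}

# "BIL3,3,4" style notation; each level must be 0..6.
_BIL_RE = re.compile(r"^BIL\s*([0-6])\s*,\s*([0-6])\s*,\s*([0-6])$")


def parse_bil(text: str) -> BIL:
    """Parse 'BILc,i,a' notation; reject anything outside the 0..6 range."""
    m = _BIL_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a BIL triple: {text!r}")
    return BIL(*(int(g) for g in m.groups()))


def min_clearance(conf_il: int) -> str:
    """Minimum vetting for *unsupervised* access, by confidentiality level.

    Slide 9: BPSS covers up to CONFIDENTIAL (IL4), SC up to SECRET (IL5),
    DV for TOP SECRET (IL6). Occasional supervised access is not modelled.
    """
    if conf_il <= 4:
        return "BPSS"
    if conf_il == 5:
        return "SC"
    return "DV"


def system_bil(assets: Iterable[Union[str, BIL]]) -> BIL:
    """Highest level per property across all assets (assumed IS1 rule)."""
    bils = [parse_bil(b) if isinstance(b, str) else b for b in assets]
    if not bils:
        raise ValueError("a system must handle at least one asset")
    return BIL(max(b.c for b in bils), max(b.i for b in bils), max(b.a for b in bils))


def summarise(assets: Iterable[Union[str, BIL]]) -> dict:
    """System BIL, the marking implied by its confidentiality level, and the
    minimum clearance for staff with unsupervised access."""
    s = system_bil(assets)
    return {"bil": str(s), "marking": MARKING[s.c], "clearance": min_clearance(s.c)}


# Constructed sample: three information assets handled by one ICT system.
SAMPLE_ASSETS = ["BIL3,3,4", "BIL2,4,2", "BIL3,3,3"]

if __name__ == "__main__":
    print(summarise(SAMPLE_ASSETS))
```

Note that the availability and integrity levels are carried through but never drive the marking or clearance; under the scheme on these slides only confidentiality maps to a protective marking, which is why a BIL2,2,4 network can still be NPM/PROTECT territory while demanding a high availability design.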

  10. HMG Accreditation Methodology
  • The following standards must be used to accredit HMG systems & services:
  • HMG IA Standard No. 2 – Risk Management & Accreditation of ICT Systems and Services
  • HMG IA Standard No. 1 – Technical Risk Assessment Part 1: Risk Assessment
  • HMG IA Standard No. 1 – Technical Risk Assessment Part 2: Risk Treatment

  11. Key Accreditation Stakeholders
  • Accreditor
  • Responsible for impartial review and acceptance of the RMADS
  • PGA – Pan Government Accreditor
  • Accreditor for systems or services which are shared across government (e.g. the GSi, Government Secure intranet)
  • ITSO – IT Security Officer
  • Individual charged with oversight of IT security within the government department
  • SIRO – Senior Information Risk Owner
  • Board member responsible for information risk
  • IAO – Information Asset Owner
  • Individual who fully understands what information is held and how it is used
  • CLAS – CESG Listed Adviser Scheme consultant
  • Provides accreditation and IA policy advice to the department (the Accreditor, not the CLAS consultant, makes the accreditation decision)
  • CESG
  • The National Technical Authority for IA advice and guidance

  12. IAS2 Stages
  • Stage 0 – Early planning and feasibility
  • Stage 1 – Accreditation strategy
  • Stage 2 – IA requirements
  • Stage 3 – Options assessment and selection
  • Stage 4 – Accreditation in development and acceptance
  • Stage 5 – Risk management in-service & accreditation maintenance
  • Stage 6 – Secure decommissioning and disposal

  13. Policy & Guidance
  • SPF (Security Policy Framework – Cabinet Office)
  • Orange Book (HM Treasury – Management of Risk: Principles and Concepts, including risk appetite)
  • IAS4 – Telecommunications
  • IAS5 – Secure Sanitisation
  • GPGs (Good Practice Guides)
  • Architectural Patterns
  • SEAP Catalogue (Security Equipment Assessment Panel)
  • CPNI Guidance (Physical, personnel and counter-terrorism)

  14. Questions?
