Typical Work
Due to the sensitive nature of CLAS work, BladeSec IA Services Ltd. cannot usually disclose details of the work undertaken, however, we have specific experience in the following areas:-
- Implementing the standard government approach to information assurance by applying the Cabinet Office's Security Policy Framework (and historically, the Manual of Protective Security);
- The accreditation of information systems. This has included legacy, standalone, complex and widely networked systems in criminal justice, devolved government and agencies;
- Performing risk assessments using HMG IS 1 version 2, HMG IA Standard 1 version 3 and HMG IA Standard 1/2 version 4. Performing upgrades between the various versions;
- The development of risk balanced cases and security cases in accordance with HMG IS1 Part 2 or HMG IS1/2. Defining and implementing suitable countermeasures to mitigate risk to an appropriate level;
- Development of cost effective or cost limited Risk Management and Accreditation Documentation Sets (RMADS) in accordance with HMG IA Standard 2 version 3 or HMG IA Standard 1/2 version 4;
- Development of Security Operating Procedures (SyOPs). Over the years, some of the more interesting ones have included:-
- Security Incident Management;
- Background and Identity Checks;
- Mobile and Home Working;
- Line Managers' Responsibilities;
- Forensics Readiness; &
- Asset Classification and Handling.
- Technical Design Authority including network design using assured barriers. This has included:-
- Remote access solutions in compliance with GPG10 (including the use of bootable media);
- Protecting government networks from the Internet in accordance with GPG8;
- Authentication in accordance with HMG IS7;
- Mobile e-mail solutions (BlackBerry devices, and wider "approved" solutions including the new Cabinet Office End User Device Strategy); &
- Protective monitoring policies aligned to GPG13.
- Interpretation of Codes of Connection for organisations linking to a trusted community:-
- The Public Services Network (PSN);
- Criminal Justice networks such as the CJX and the PSN-Police; &
- Legacy GSi connections including xGSI, GSX and GCSX as well as the migration to GCF.
- Technical assurance requirements such as IT Health Checks that cover:-
- Scoping using different techniques such as sampling, intelligence led and full;
- Interpretation of results to provide a context and defence-in-depth; &
- Systems under development to ensure acceptable “end-to-end” testing.
- Advising commercial organisations on the supply of goods and services to HMG.
- Contractual negotiations between HMG and the commercial organisations.
- Corporate management of risk and the evaluation of an appropriate level of risk appetite.
- Safeguarding the Critical National Infrastructure of the UK including Sensitive Nuclear Information (SNI) for "List N".
- Complying and certifying with ISO/IEC 27001. This includes the application of the Baseline Control Set (as defined in HMG IS1/2) at various levels.
- Handling of legacy Government Protective Marking Scheme (GPMS) information and developing proportionate handling instructions.
- Assisting in the transition and migration to the new Government Security Classification Policy including specific handling instructions for staff to prevent the unauthorised disclosure of information;
- Background and identity checks of staff as well as the detection of fraudulent documentation.
- The development and generation of security, education, awareness and training (SEAT):-
- HMG IS1, RMADS and Accreditation (Owen was the original author of the widely acclaimed Sapphire course.);
- Computer forensics; &
- General information assurance awareness education including induction, SyOP and refresher training.
|
|
