Domestic Travel Advice

• Implementing the standard government approach to information assurance by applying the Cabinet Office's Security Policy Framework (and historically, the Manual of Protective Security);
• The accreditation of information systems. This has included legacy, standalone, complex and widely networked systems in criminal justice, devolved government and agencies. Recent experience has seen us utilise G-Cloud and public cloud to delivery government and criminal justice services;
• Performing risk assessments using HMG IS 1 version 2, HMG IA Standard 1 version 3 and HMG IA Standard 1/2 version 4. Performing upgrades between the various versions. Translating risk assessments into English for presentation to C-level executives;
• The development of risk balanced cases and security cases in accordance with HMG IS1 Part 2 or HMG IS1/2. Defining and implementing suitable countermeasures to mitigate risk to an appropriate level;
• Development of cost effective or cost limited Risk Management and Accreditation Documentation Sets (RMADS) in accordance with HMG IA Standard 2 version 3 or HMG IA Standard 1/2 version 4;
• Development of Security Operating Procedures (SyOPs). Over the years, some of the more interesting ones have included:-
  • Security Incident Management;
  • Background and Identity Checks;
  • Mobile and Home Working;
  • Line Managers' Responsibilities;
  • Forensics Readiness; &
  • Asset Classification and Handling.
• Technical Design Authority including network design using assured barriers. This has included:-
• Remote access solutions in compliance with GPG10 (including the use of bootable media);
• Protecting government networks from the Internet in accordance with GPG8;
• Authentication in accordance with HMG IS7;
• Mobile e-mail solutions (historically, just BlackBerry devices, but more recently the End User Device Strategy); &
• Protective monitoring policies aligned to GPG13.
• Interpretation of Codes of Connection for organisations linking to a trusted community:-
• The Public Services Network (PSN);
• Criminal Justice networks such as the CJX and the PSN for Policing at all levels; &
• Legacy GSi connections including xGSI, GSX and GCSX as well as the migration to GCF.
• Technical assurance requirements such as IT Health Checks that cover:-
• Scoping using different techniques such as sampling, intelligence led and full;
• Interpretation of results to provide a context and defence-in-depth;
• Systems under development to ensure acceptable "end-to-end" testing; &
• Technical evaluations of cloud architectures using traditional IT Health Checks and other mechanisms to ensure appropriate pre-live and in-life assurance.
• Advising commercial organisations on the supply of goods and services to HMG.
• Contractual negotiations between HMG and the commercial organisations.
• Corporate management of risk and the evaluation of an appropriate level of risk appetite.
• Safeguarding the Critical National Infrastructure of the UK including Sensitive Nuclear Information (SNI) for "List N".
• Complying and certifying with ISO/IEC 27001. This includes the application of the Baseline Control Set (as defined in HMG IS1/2) at various levels.
• Handling of legacy Government Protective Marking Scheme (GPMS) information and developing proportionate handling instructions.
• Assisting in the transition and migration to the new Government Security Classification Policy including specific handling instructions for staff to prevent the unauthorised disclosure of information;
• Background and identity checks of staff as well as the detection of fraudulent documentation.
• The development and generation of security, education, awareness and training (SEAT):-
• HMG IS1, RMADS and Accreditation (Owen was the original author of the widely acclaimed Sapphire course.);
• Computer forensics; &
• General information assurance awareness education including induction, SyOP and refresher training.