Specific Work Highlights
Acting Accreditor at Disclosure Scotland.
Owen has been the Acting Accreditor at Disclosure Scotland continuously since April, 2008. He has held this role longer than all other Disclosure management and ICT staff.
Owen's duties cover:-
- The formal accreditation of a legacy system, "Workflow" that had government security retro-fitted to it;
- The formal accreditation of Workflow's replacement, "PVG". Owen was involved in influencing the design and product selection as well as monitoring its implementation against very compressed delivery timescales and all the time maintaining assurance to a suitable level;
- Developing the accreditation and formal risk management approach for the new "Protecting and Safeguarding Scotland" (PaSS) platform used to replace PVG. The platform was cutting edge, being deployed into public cloud infrastructure in such a way to keep all stake-holders, including The Home Office and The Police Service of Scotland happy. The resulting work won an award
- The safe and secure destruction of PVG;
- Oversight of many aspects of operational security including physical security requirements, training and development, incident management and supplier certification and management; &
- Development of and getting senior management buy-in for a security strategy to accommodate an agile method of working.
Security consultant of last resort.
Owen was approached in 2018 by a former colleague who had been promoted into a new job, with specific information security responsibilities. Whilst this individual was finding their feet, they had to contend with a very substantial, negative public enquiry into the activities of the organisation.
Owen took on board the role of delivering an appropriate security strategy and direction for the leadership team. He further engaged staff from all areas of the organisation, to re-invigorate the resulting poor security culture and revitalise it.
Owen also dealt with many technical aspects including:-
- Early adoption of the public cloud;
- Adoption of new security architectures and enforcing tools such as Protected DNS;
- Reigning in out-of-control DevOps;
- Responsibilities for supporting counter-terrorist and emergency planning programmes;
- Developed and implemented the first stages of a new IA governance structure; &
- Implemented a forensically sound security incident management process.
Cost limited, formal Accreditation
Owen was involved in the first, formal accreditation of an information system within central government using a cost reduced process dubbed, "Mini and Micro RMADS" by the department.
Owen felt that the process was inherently broken when he initially commenced the work. Following intensive discussions with the Accreditation Authority, the flaws were eventually ironed out. The approach remains in use to this day and has gained much acclaim from other government departments looking for a more cost effective approach to accreditation whilst remaining compliant with the Security Policy Framework.
Scottish Government due diligence
Late in 2012, one of the biggest security firms in the world won a Scottish Government contract for the management of low risk offenders. In order to gauge the suitability of the proposal, the Scottish Government obtained the services of Owen, through an established framework, to undertake due diligence on the technical architecture, data protection and wider security requirements of the proposed solution.
Accreditation Working Group De-escalation
Owen was engaged by a local authority following a damning CESG Audit. A recommendation had been made by the Accreditation Working Group (AWG) to the PSN Authority that the local authority's connection to the GSI should not be re-authorised until the IA risk was reduced.
Following Owen's involvement and guidance, in April, 2012, the local authority was advised by the AWG that their connection was "no longer in escalation".
The design and implementation of cross-departmental remote access for a Restricted network.
In addition to ensuring that the network had suitable assurance, one of the key requirements of this deployment was a solution that used both the GSI and the Internet to provide remote access from other government agencies. The Restricted network was also made available securely, from an unaccredited local area network too.
The final implementation is being held up as an example of cost effective security by the Scottish Government.
Remote access using bootable media.
Owen was able to cut through the smoke and mirrors to be one of the first to develop a workable solution for remote access using bootable media. His initial network design was presented to CESG on 1ST February, 2010 which then went on to form the basis for the CESG document "Architectural Pattern for Remote Access Walled Garden".
Owen has since reused some of his work to provide a solution for certain government departments wishing to have the flexibility to deploy tablets and phones running proprietary operating systems.
Network Planning for a Scottish Local Authority.
Most local authority's computer networks are not designed and instead they evolved to meet the vastly different requirements placed on the authority. This can result in a network that is far removed from current technology, is a pain to support and most certainly is not aligned to CESG and Cabinet Office requirements.
Owen was engaged by a Scottish Local Authority with a view to developing a migration plan over 1, 3 and 5 years to allow them the flexibility to use iDevices from a Cloud based network whilst remaining compliant with relevant HMG standards.
Network Design for Devolved Government Agency.
Following the merger of two Scottish Government agencies (The General Registers Office for Scotland and National Archives of Scotland), Owen was engaged to provide a high level network design that met a number of very stringent criteria.
ITPC and the CESG IA Professionalism Project
Owen has been an Examiner for the ITPC Competencies since 2008 and continues to undertake this role since it transferred to the Institute of Information Security Professionals. He has recently been confirmed as an Assessor for the CESG Certification for IA Specialists as part of the IISP, CREST and Royal Holloway, University of London consortium. Indeed, now that the ink is dry, he is able to reveal that when the Institute was providing sample CVs of their assessors to CESG, Owen's was one of them.
Owen's first job when he joined Sapphire was to upgrade their BS7799-2 certification to ISO27001. He undertook this successfully and delivered one of the UK's first certifications - within 34 days of UKAS approving the certification.
Owen developed an industrial strength web server from initial product specification to commercially sustainable product. He was involved in tuning the network parameters as well as the configuration of the web server. Owen chose a little known high-performance web server from Zeus Technologies and over the years assisted in the progress of the software in such aspects such as sandboxing. The performance of Owen's web server so revolutionised web hosting in general that it gave rise to the web server performance benchmark charts.
As the only system administrator surrounded by Cisco engineers, Owen had to undertake a good deal of Sendmail configuration. This included some of the earliest anti-spam measures and the first implementation of "mail address" rewriting now used universally throughout the Internet industry.