Security Framework for Digital Risk Management

Cyber Security Governance and Digital Risk Management for OFFICIAL Environments TONY RICHARDS SECURITY FRAMEWORK FOR DIGITAL RISK MANAGEMENT

Upload: securestorm

Post on 20-Feb-2017

Category:

Government & Nonprofit


TRANSCRIPT

Page 1: Security Framework for Digital Risk Management

Cyber Security Governance and Digital Risk Management for OFFICIAL Environments

TONY RICHARDS

SECURITY FRAMEWORK FOR DIGITAL RISK MANAGEMENT

Page 2: Security Framework for Digital Risk Management

WHO WE ARE WWW.SECURESTORM.COM

THE EXPERT SECURITY ADVISORS

CREATIVE COMMONS

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.

Page 3: Security Framework for Digital Risk Management

INTRODUCTION

Securestorm in partnership with the Youth Justice Board (YJB), have developed a robust security governance framework and information risk management approach for OFFICIAL digital services and systems. This provides a practical and proportional process with re-usable common security profiles and architectural patterns to:

• increase efficiency
• reduce overheads
• effectively manage Information Risk

This move comes after the Cabinet Office announcement of the retirement of mandatory accreditation from the Security Policy Framework (SPF) and CESG’s move to supporting a business led Information Risk Management.

Page 4: Security Framework for Digital Risk Management

INTRODUCTION

Securestorm’s Security Framework for Digital Risk Management [1] approach [2] enables organisations to utilise the latest security thought leadership from across UK government and industry, in a synchronised and logical flow that can be deployed rapidly and with agility.

Note:

[1] This is available from Securestorm under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

[2] The following is not a stand alone process or methodology, but a framework for organisations, incorporating a range of security and risk management principles from CESG and the Cabinet Office.

Page 5: Security Framework for Digital Risk Management

SECURITY GOVERNANCE FRAMEWORK

Secure by Design

• Security Design Principles

• User Security Needs

• Agile Security Stories

• Cloud and micro-service Architectural Patterns

• Secured base images

• Protecting Bulk Personal Data Principles

• Security Operations

Info Risk Management

• Information Risk Management Principles

• Digital Information Risk Management

• IT and Digital Security Policy

• GSCS Core Security Controls

• Relevant Security Profiles

Risk Managed Life-cycle

• Risk Status and Management Dashboard

• Audit Program

• Risk Management Checkpoints & road-maps

• Assure Third Parties

• SIRO/AO Risk Report

• Digital Risk Management Record Schema

Page 6: Security Framework for Digital Risk Management

SECURE BY DESIGN

Integrate CESG’s Security Design Principles for Digital Services in all new service designs https://www.cesg.gov.uk/guidance/security-design-principles-digital-services-0

User Security Needs – Predefined library of Security Outcomes, security controls for OFFICIAL, security stories, any legal and regulatory requirements specific to organisation and any other relevant security controls as required by the business https://www.gov.uk/government/publications/government-security-classifications

Develop and share reusable Architectural Patterns where relevant for services or system components

COMMON SOLUTIONS FOR COMMON PROBLEMS

Page 7: Security Framework for Digital Risk Management

INFORMATION RISK MANAGEMENT

Understand CESG’s guidance on managing Information Risk https://www.cesg.gov.uk/guidance/10-steps-information-risk-management-regime

Incorporate the “Apply Common Solutions to solve Common Problems” approach to Information Risk Management https://www.gov.uk/guidance/managing-information-risk

Identify and apply Security Policies, Government Security Classification Core Controls and relevant Security Profiles

COMMON SOLUTIONS FOR COMMON PROBLEMS

Use the Security Framework for Digital Risk Management approach to pragmatically categorise data and assess the impact of a breach

Page 8: Security Framework for Digital Risk Management

RISK MANAGED LIFE-CYCLE

Produce a Risk Status and Management Dashboard, for weekly, monthly or real time reporting

Develop and maintain an Audit and Assurance program, to ensure that Service Providers’ and system Suppliers’ security assurances are actively audited, validated and managed

Use a SIRO/AO Risk Report to document business risk decisions and provide supporting risk and assurance detail with a proportional Digital Risk Management Record Schema

CONTINUOUS THROUGH-LIFE PROCESS

Plan and schedule Risk Management Checkpoints to ensure that Risk Treatment Plans and security validations are reviewed and assured in a forecastable and pragmatic way

Page 9: Security Framework for Digital Risk Management

GOVERNANCE STRUCTURE

‘Effective leadership’ is a critical component of good security and accountability. The Permanent Secretary (or equivalent) will own the organization's approach to security and ensure that these issues receive the attention and investment required.

The Security Policy Framework (SPF) states: ‘Government organizations will have, an appropriate security governance structure to support the Permanent Secretary, that is properly resourced with individuals who have been appropriately trained; Board-level oversight of security compliance and auditing processes; and, arrangements to determine and satisfy themselves that Delivery Partners, service providers and third party suppliers, apply proper security controls’

https://www.gov.uk/government/publications/security-policy-framework/hmg-security-policy-framework

Page 10: Security Framework for Digital Risk Management

GOVERNANCE STRUCTURE

The security management structure of an organisation, whatever its size, needs to be strong. Splitting operational security from information risk enables greater flexibility, ensuring that incident investigations and day-to-day operations don’t impact compliance and on-going risk management activities, and vice versa.

Binding the two strands together, overseeing the bigger picture and ensuring an important liaison with the business, the CISO is responsible for the entire security function while providing leadership, knowledge and experience.

These roles are not necessarily full time; rather, they should be continuously adjusted to be dynamic to the organisation’s needs.

Page 11: Security Framework for Digital Risk Management

GOVERNANCE STRUCTURE

The organisational example depicts an extended governance structure

Page 12: Security Framework for Digital Risk Management

INTRODUCING INFORMATION RISK

Prior to April 2014, a security process called accreditation was mandated by the HMG Security Policy Framework (SPF), for all Government departments processing classified information.

The process of accreditation provided for the assessment of a system against its security requirements, and approval was required from an accreditor as a prerequisite for operation.

This was removed as a mandatory requirement from the April 2014 version of the SPF.

https://www.gov.uk/guidance/managing-information-risk

Page 13: Security Framework for Digital Risk Management

INTRODUCING INFORMATION RISK

An organizational responsibility: Risk management decisions should be objective and informed by an understanding of risk. They should not be made in isolation but on a basis of understanding how individual decisions affect the wider business, and what it is trying to achieve.

Tech to deliver business attracts risk: Organisations should decide for themselves what risk management decisions need to be made to support the delivery and operation of a system or service.

Decisions: right people, time & support: They need to be empowered by the organisation and have the right business, technology, security knowledge and skills to enable informed and objective decisions.

https://www.gov.uk/guidance/managing-information-risk

Page 14: Security Framework for Digital Risk Management

INFORMATION RISK MANAGEMENT

RISK MANAGEMENT APPROACH

Before taking any action, the organisation must understand and communicate what risk management approach the business is going to take to provide confidence that the technology and information used is proportionally secured.

BUSINESS CONTEXT

Organisations should always be aware of the risks they are taking to achieve their aims. To ensure meaningful outcomes, organisations need to provide a context in which risk management and risk assessment is conducted.

KEY COMPONENTS of RISK

Risk assessments have inputs and outputs. Regardless of the risk assessment method used, any inputs and outputs should be understandable and meaningful in the context of the business and what it is trying to achieve.

Page 15: Security Framework for Digital Risk Management

INFORMATION RISK MANAGEMENT

COMMUNICATE RISK CONSISTENTLY

Irrespective of the approach taken to assessing risks, the outcome should be captured in a way that can be used to inform business decision making. Consistency is achieved by ensuring that the inputs to and outputs from assessments are meaningful in the context of what the business is trying to achieve.

UNDERSTAND WHAT RISKS EXIST

To understand what risks exist, the risk assessment should be applied in the context of what the organisation is trying to achieve. The output of any risk assessment should be recorded for traceability purposes. Traceability is important so that risk management decisions and investment choices can be traced to an identified risk.

MAKE INFORMED RISK MANAGEMENT DECISIONS

Throughout the lifecycle of a system or service, the organisation will need to make objective decisions about what needs to be done to manage identified risks. These decisions should be informed and supported by information, subject matter expertise and evidence. After risk management action has taken place, some risks will remain. These are often referred to as residual risks.

Page 16: Security Framework for Digital Risk Management

BUSINESS CONTEXT

Taking risks is a necessary part of doing business in order to create opportunities and help deliver business objectives. Organisations should always be aware of the risks they are taking to achieve their aims.

To ensure meaningful outcomes, organisations need to provide a context in which risk management and risk assessment is conducted. This context can be set by answering the following questions:

Goal: What is the organisation trying to achieve?

Ethos: What does it really care about?

Attitude: What is its risk appetite?

Page 17: Security Framework for Digital Risk Management

RISK MANAGEMENT APPROACH

Apply common solutions to solve common problems

In this approach, the organisation applies the security provided by common security solutions to solve common technology problems. It only carries out tailored risk assessments (or specifies additional security controls) for those business objectives that are not entirely covered by the common solution.

This is particularly useful in OFFICIAL environments, where an increasing range of common solutions are being assured across government.

https://www.gov.uk/guidance/managing-information-risk

Page 18: Security Framework for Digital Risk Management

RISK MANAGEMENT APPROACH

Page 19: Security Framework for Digital Risk Management

THE OFFICIAL ENVIRONMENT

Identify which elements of the environment require assurance as part of the service or solution.

Page 20: Security Framework for Digital Risk Management

END USER DEVICES

Configured in line with CESG EUD Security and Configuration Guidance https://www.gov.uk/government/collections/end-user-devices-security-guidance

Assured for OFFICIAL by another government organisation

Legacy Accreditation as part of a Legacy service or system at OFFICIAL or previously “Restricted”

ASSURANCE OPTIONS

Page 21: Security Framework for Digital Risk Management

NETWORK

Data protected in transit in line with CESG Transport Layer Security (TLS) for external-facing services guidance https://www.gov.uk/guidance/transport-layer-security-tls-for-external-facing-services

Public Services Network (PSN) accredited by the PSNA for OFFICIAL https://www.gov.uk/government/groups/public-services-network

A VPN or other encrypted network legacy accredited for OFFICIAL (or previously “Restricted”)

ASSURANCE OPTIONS

Page 22: Security Framework for Digital Risk Management

SERVICE

Cloud services purchased via the Digital Marketplace, which meet the security requirements of the business in line with CESG Cloud Security Principles. https://www.gov.uk/government/collections/cloud-security-guidance

Services legacy accredited for OFFICIAL by another government organisation including CESG Pan Government Accreditors.

ASSURANCE OPTIONS

Services can be assessed against the security requirements of the business and any deficiencies risk managed in line with the business risk appetite.

Page 23: Security Framework for Digital Risk Management

CLOUD SERVICES

Cloud services purchased via the Digital Marketplace can be procured in a variety of structures:

• Software as a Service (SaaS)
• An application built on top of Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Platform as a Service (PaaS) built on Infrastructure as a Service (IaaS)
• Infrastructure as a Service (IaaS)

CLOUD STRUCTURES

[Diagram labels: Software as a Service; Platform as a Service; Infrastructure as a Service; Application]

Page 24: Security Framework for Digital Risk Management

CLOUD SERVICES

DEVELOPED APPLICATIONS

Where an application is to be developed or implemented on IaaS or PaaS, then the Digital Risk Management approach is still applicable. The Combined Security Profile will help identify the relevant User Security Needs and Outcomes, which in turn drive out proportional controls, which map into Security Stories for Agile development.

https://www.gov.uk/service-manual

[Diagram labels: Combined Security Profile; User Security Needs; Applicable Security Controls; Security Stories]

Page 25: Security Framework for Digital Risk Management

DATA TYPES

Non-Sensitive Information

This information will typically be public knowledge or intended for public consumption; for example, marketing material, open consultations, information to be published under transparency/open data or even routine communications with members of the public or third parties where there is no confidentiality requirement. There may be a requirement to protect the integrity and availability of this information.

Transactional

This includes one-off (potentially) sensitive exchanges with external partners (citizens, industry, third sector etc), and online transactional services where the loss of a small number of instances is tolerable, but systematic or large scale compromise is unacceptable. Loss of confidentiality, integrity or availability of this data will result in disruption to HMG service delivery and may have a commercial or financial impact. Organisations may also need to comply with external compliance obligations such as the Payment Card Industry Data Security Standard (PCI DSS).

Routine Public Sector Business

Information of varying sensitivity that supports the routine business, operations and services of the Public Sector. There is a requirement to protect the confidentiality, integrity and availability of this information.

Page 26: Security Framework for Digital Risk Management

DATA TYPES

Legally Defined

Information which is subject to legal and / or regulatory requirements. For example, personal information that relates to an identifiable individual as defined by the Data Protection Act (DPA). Legal or regulatory requirements must be met and additional controls may be required in line with HMG risk appetite tolerances. There is a clear requirement to protect the confidentiality, availability and integrity of such information.

OFFICIAL - SENSITIVE

The loss, compromise or misuse of information marked with the OFFICIAL-SENSITIVE caveat has been assessed as being likely to have damaging consequences for an individual, an organisation or HMG more generally. Risk owners will typically require additional assurance that the need-to-know is strictly enforced, and there is a clear requirement to protect the confidentiality, integrity and availability of this information. However, note that this example is intended to illustrate where heightened technical protections may be appropriate; in most cases it will be more proportionate to risk manage access to limited amounts of OFFICIAL-SENSITIVE information on corporate systems using more stringent procedural controls instead.

Page 27: Security Framework for Digital Risk Management

SECURITY REQUIREMENTS

• External Legal requirements could include: the Data Protection Act
• External Regulatory requirements could include: PCI DSS or HMG Off-shoring Policy for Official

Page 28: Security Framework for Digital Risk Management

BUSINESS RED-LINES

The Business must decide if there are any business appetite red-lines that would constrain the service or solution, or where the Business has assessed that additional specific security controls are required.

Business Red-lines are controls or restrictions that are not mandated by external requirements.

An example of a red-line might be: “No Off-Shoring of Sensitive Information”, or “Data-in-transit Must be encrypted”.

Page 29: Security Framework for Digital Risk Management

BUSINESS IMPACTS

The business impacts are a range of impacts that could affect the Business if a threat was realised for Confidentiality, Integrity or Availability.

Each impact could be due to a number of reasons, including Financial, Personnel, Physical, Logical, etc

Page 30: Security Framework for Digital Risk Management

BUSINESS IMPACTS

No Impact – No identified impact on the business, its operations, staff, management, or finances.

Business Red-line Impact – An impact that affects the Business appetite in regards to a specific risk, control, or technology

Reputation Impact – An impact that affects the Business through a degradation of its perceived reputation

Business Disruption – An impact that affects the daily operations of the Business, incl. administration, staff and technology

Regulatory Impact – An impact that would lead to a breach of external regulatory requirements, resulting in fines, sanctions or agreements

Legal Impact – An impact that would lead to a breach of applicable law and the risk of legal prosecution

Page 31: Security Framework for Digital Risk Management

ASSESS THE IMPACT

The Business must assess what the worst case impact of a breach of C, I and A would be for the Data Types involved. Text in Italics are examples.

Page 32: Security Framework for Digital Risk Management

SECURITY PROFILES

Security Profiles are based on the 14 Cloud Security Principles from CESG’s published guidance on Cloud Security, and the 51 G-Cloud Security Assertions.

https://www.gov.uk/government/collections/cloud-security-guidance
https://digitalmarketplace.blog.gov.uk/2014/11/04/the-g-cloud-6-security-questions

A range of reusable security profiles have been developed for different external requirements, such as the PSN Service Security Standard, DPA compliance, PCI DSS compliance, NHS IG Toolkit alignment, etc…

https://www.gov.uk/guidance/apply-for-a-public-services-network-psn-service-provision-compliance-certificate

The Impact Assessment will provide guidance as to which Security Profiles are relevant. New Security Profiles can be developed at any time to meet the Business Security Needs, including: organisation specific security controls.

Page 33: Security Framework for Digital Risk Management

APPLY SECURITY PROFILES

Any relevant external security requirements (DPA, PSN, NHS, PCI DSS, etc), the business security needs (OFFICIAL), and any business red-lines (UK only, etc) will define which security profiles are applicable.

The various applicable security profiles are then combined into one Consolidated Security Profile.

[Diagram labels: Security Profiles; Consolidated; OFFICIAL; DPA; PSN; OS; Red-line]

Page 34: Security Framework for Digital Risk Management

COMPARE SECURITY PROFILES

The Consolidated Security Profile can be used for a range of activities:

• As part of the selection criteria for the procurement of services from the Digital Marketplace
• As a Supplier security assessment benchmark
• To develop Security Requirements and Controls
• To develop User Security Needs and User Security Stories
• To Audit Suppliers’ security maturity

[Diagram labels: Security Profile Comparison; Consolidated Security Profile; Supplier / Service Provider]

Page 35: Security Framework for Digital Risk Management

RISK MANAGE THE DELTA

Identify any external requirements or business red-lines that the solution or service does not meet.

Any deficiency to the security requirements, “the Delta”, must be recorded and risk managed.

The outcome is to reduce, where possible, the impact on the business or the likelihood of the impact occurring

Identify any areas where the solution does not meet the consolidated security profile or user security needs.

Page 36: Security Framework for Digital Risk Management

RISK DEFINITIONS

Threat

Threat describes the source of a risk being realised. Where appropriate to their organisation’s context, the business should apply the threat profile for OFFICIAL, supplemented if necessary with local or specific threat intelligence where it is available.
https://gov.uk/government/publications/government-security-classifications

Likelihood

Likelihood, also known as “probability”, estimates how likely it is for a threat to occur. It can be captured by examining historical records of compromises to estimate how history will be repeated.
https://www.gov.uk/guidance/managing-information-risk

Impact

Impact describes the consequences of a risk being realised. To allow risk evaluation and prioritisation, impact should specify the negative effect that a risk’s realisation would entail. This should include expected losses (e.g. financial and reputation losses) as well as business objectives which would not be achievable as a result of the impact.

Page 37: Security Framework for Digital Risk Management

LIKELIHOOD OF OCCURRENCE

RARE: The threat may occur in exceptional circumstances

UNLIKELY: The threat could occur some time in the target period

POSSIBLE: The threat may occur within the target period

LIKELY: The threat is likely to occur within the target period

EXPECTED: The threat is expected to occur within the target period

Page 38: Security Framework for Digital Risk Management

RISK INDEX

Risk Index = Impact of risk X Likelihood of occurrence

(Described in a 5x6 matrix: Low = 1-4, Medium = 5-12, High = 15-20, Critical = 24-30)

Other Risk Assessment methodologies can be used.
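
The profile consolidation, delta and Risk Index steps from the preceding slides, combined in one added Python example (not part of the original slides or of Securestorm's tooling). The control names, profile contents and supplier assertions are constructed, and scoring likelihood 1-5 and impact 1-6 in slide order is an assumption about how the 5x6 matrix is indexed.

```python
"""Consolidate security profiles, find the supplier delta, score it by Risk Index."""
from dataclasses import dataclass

# Likelihood and impact names come from the slides; the numeric scores
# (1-5 and 1-6, in slide order) are an assumption about the 5x6 matrix.
LIKELIHOOD = {"RARE": 1, "UNLIKELY": 2, "POSSIBLE": 3, "LIKELY": 4, "EXPECTED": 5}
IMPACT = {"NO_IMPACT": 1, "BUSINESS_RED_LINE": 2, "REPUTATION": 3,
          "BUSINESS_DISRUPTION": 4, "REGULATORY": 5, "LEGAL": 6}
# Bands as stated on the Risk Index slide.
BANDS = [("Low", 1, 4), ("Medium", 5, 12), ("High", 15, 20), ("Critical", 24, 30)]


def risk_index(impact: str, likelihood: str) -> int:
    """Risk Index = Impact of risk x Likelihood of occurrence."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def band(index: int) -> str:
    for name, low, high in BANDS:
        if low <= index <= high:
            return name
    # 13-14 and 21-23 sit between bands; no impact x likelihood product lands there.
    raise ValueError(f"{index} falls in no Risk Index band")


def consolidate(profiles: dict[str, set[str]]) -> dict[str, set[str]]:
    """Merge the applicable profiles, keeping which profiles require each control."""
    merged: dict[str, set[str]] = {}
    for profile_name, controls in profiles.items():
        for control in controls:
            merged.setdefault(control, set()).add(profile_name)
    return merged


@dataclass(frozen=True)
class DeltaRisk:
    control: str
    required_by: tuple[str, ...]
    impact: str
    likelihood: str
    index: int
    band: str


def risk_manage_delta(consolidated, supplier_controls, assessment):
    """Record every required control the supplier lacks, scored, highest risk first."""
    register = []
    for control, sources in consolidated.items():
        if control in supplier_controls:
            continue
        if control not in assessment:
            # A deficiency without an assessment must not silently leave the record.
            raise KeyError(f"delta item {control!r} has not been assessed")
        impact, likelihood = assessment[control]
        idx = risk_index(impact, likelihood)
        register.append(DeltaRisk(control, tuple(sorted(sources)),
                                  impact, likelihood, idx, band(idx)))
    return sorted(register, key=lambda r: (-r.index, r.control))


# Constructed sample data: control names and profile contents are illustrative only.
PROFILES = {
    "OFFICIAL": {"data-in-transit-encrypted", "audit-logging", "personnel-screening"},
    "DPA": {"data-in-transit-encrypted", "data-at-rest-encrypted", "breach-notification"},
    "RED-LINE": {"uk-only-hosting"},
}
SUPPLIER_ASSERTED = {"data-in-transit-encrypted", "audit-logging", "data-at-rest-encrypted"}
ASSESSMENT = {  # worst-case impact and likelihood agreed by the business per delta item
    "uk-only-hosting": ("BUSINESS_RED_LINE", "EXPECTED"),
    "breach-notification": ("LEGAL", "POSSIBLE"),
    "personnel-screening": ("BUSINESS_DISRUPTION", "UNLIKELY"),
}


def build_register():
    return risk_manage_delta(consolidate(PROFILES), SUPPLIER_ASSERTED, ASSESSMENT)


if __name__ == "__main__":
    for risk in build_register():
        print(f"{risk.band:8} {risk.index:2}  {risk.control}  "
              f"(required by {', '.join(risk.required_by)})")
```
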

Page 39: Security Framework for Digital Risk Management

RISK TREATMENT

AVOID

Identified risks can be avoided if alternative technical or business decisions are made on the service design.

TRANSFER

Identified risks are transferred to more appropriate business areas or responsibility is escalated.

ACCEPT

Identified risks are accepted in the event that business needs override the impact of the risk or the risk is within the business risk appetite.

MITIGATE

Identified risks can be mitigated if a treatment or control will reduce the impact or likelihood.

Page 40: Security Framework for Digital Risk Management

DOCUMENTATION

Document the risk management approach, environment elements, and relevant data types

Document the output of the assessment of impacts that could be realised, relevant to the data type

Document the relevant security profiles and business red-lines, and define the consolidated security profile

Document the external requirements, business red-lines and business security needs

The documented output can be in a range of formats, not necessarily a document

Page 41: Security Framework for Digital Risk Management

DOCUMENTATION

Document any “Delta” to the security requirements, business red-lines and consolidated security profile

Document any controls or mitigations that can reduce the impact or likelihood of the risks occurring

Produce a high-level Risk Report for the SIRO / AO

Document the risk management assessment outcomes, from whichever methodology is used.

Page 42: Security Framework for Digital Risk Management

DOCUMENTATION - SCHEMA

As a standardised mechanism for recording, sharing and exchanging information risk management data, Securestorm developed a data schema.

The Digital Services Risk Management Record provides the relevant risk and assurance information on a system or service, in a concise and proportional way.

The schema can be saved in a variety of formats, including: CSV, JSON or Txt, enabling both human and machine readability.

Page 43: Security Framework for Digital Risk Management

ANY QUESTIONS?

www.securestorm.com @Securestorm +44(0)8455196138