Duncan hine input1_irm_and_outsourcing

  • 1. Information Security Risk Management: IT operation outsourcing

  • 2.
    • 30+ years of experience of doing this
    • Applies to many aspects of public service
    • Works and delivers cost savings, effectiveness, new capabilities and special skills
    • Long duration makes the contract difficult to get right
    • Hard to remain an expert customer
    • More difficult in high security environments
    • Cloud is requiring new controls for new risks

  • 3. Why it matters so much

  • 4. Why it matters so much
    • It is a matter of belief in the national ability to deliver a safe and trusted environment for business, citizens and visitors

  • 5.
    • London riots
    • National Security - Falklands
    • Stable currency

  • 6.
    • Confidentiality, Integrity, Availability
    • Recently privacy has been added
    • Includes all information assets, not just electronic
    • Controls and mitigations include physical and personnel measures
    • Use national classifications drawn from a Harm Matrix: IL0 no impact, IL6 NASW, mass loss of life, NAFG
    • Recently modified to include aggregation
    • Use the $1 rule!

  • 7. 250 year risk
    • Heathrow jet fuel: largest peace time explosion in Europe, 100m damage
    • Takes out PNC dark site
    • Building site fire 24 hours later at main site

  • 8.
    • Many departments not seen as high risk in the past are now under attack
    • HMRC data loss: 25m child records; CEO resigns, board goes in 12 months
    • Departments becoming more connected: back doors
    • High grade assets MUST be connected to the internet; air gaps are a thing of the past
    • Outsourcing to cloud architectures: a new set of issues; ideas, but stable solutions not there yet

  • 9.
    • Senior Information Risk Owner (SIRO)
    • Departmental Security Officer (DSO)
    • Accreditor
    • Information Asset Owner (IAO)
    • In the conversation between experts and IAOs, establishing risk appetite is the biggest problem
    • The only answer is engagement and knowledge

  • 10.
    • Threat actors
    • Capability and motivation
    • Assets and vulnerabilities
    • Baseline controls
    • Mitigations and countermeasures
    • Residual risk
    • Asset owner and risk appetite
    • The customer and the outsource partner: why is it so different?

  • 11.
    • Large scale data losses, often by the outsource partner: PA prisoner records
    • Public awareness of cyber leads to more questions about incidents
    • Aggregation of data increases the impact of incidents
    • Cross linking of systems increases problems
    • Increasing capability (laptops) allows vast data sets to be moved around and lost
    • Evidence of increasing levels and sophistication of attacks, not just human error and accidents
    • All of this has decreased ministers' appetite for risk

  • 12.
    • Carried out annually for all assets and systems
    • Provides evidence for ministers that risks are well managed
    • Gives an opportunity to review residual risks
    • Ensures consistency
    • Allows a unit, or organisation, to consolidate residual risks and look at the overall picture

  • 13.
    • Roles and limitations set by Security Aspects Letter (SAL)
    • Sets out how cyber, physical and personnel controls will be delivered
    • Works well for baseline controls, less well for risk based controls
    • Must have audit without warning rights
    • Must be in the contract
    • If the partner breaches the SAL, what do you actually do?

  • 14.
    • Mandatory notification process in contract
    • Step in rights to access and manage the incident
    • Damage control process has to run alongside the commercial contract
    • Review process perverted by the commercial situation: whose fault is it?
    • Additional controls tend to lead to contractual variations and extra costs
    • After an incident it is difficult to avoid a dispute

  • 15. Main lines of development
    • Cyber crime - reduce and deter
    • National resilience and defence
    • Address the skills and knowledge gap
    • Create an environment to drive an open and vibrant economy