Friday, March 2, 2012

Secure Government Networks - 5 Points For Success in Gaining Compliance and Connection

"The world is changing around us at an incredible pace due to remarkable technological change. This process can either overwhelm us, or make our lives better and our country stronger. What we can't do is pretend it is not happening." Prime Minister Tony Blair on commissioning the Transformational Government strategy.
To survive in this era of accelerating technological change, and to implement the edicts of the Transformational Government strategy, every public sector organisation will have to undergo fundamental technology-enabled change. This article provides a five-point check list for senior managers responsible for developing and delivering a successful Transformational Government change programme.
Ensuring that an organisation can satisfy the information security requirements needed to become a component part of joined-up government requires consideration that will inform budget and strategy, reshape organisational processes and procedures, and redefine culture and working practices.
As a guide to those responsible for their organisation's information assurance and for implementing the Transformational Government agenda, this article provides a five-point check list as a basis for ICT-enabled organisational change.
Point 1 - Be fully appraised of current Government policy and strategy
Current UK Government policy and strategy is leading public service organisations through a significant period of change to achieve efficiency gains through streamlined citizen-centric, ICT-enabled, secure shared services.
Understanding current UK Government policy and strategy will assist you in:
  • Understanding measures you should take to deliver ICT-enabled business change
  • Identifying expected business benefits
  • Identifying costs
  • Identifying scope of change
  • Identifying risks.
A list of the key sources of UK Government policy and strategy can be found in the thought leadership section of the VEGA website.
Point 2 - Ensure board level buy-in and understanding
A board level information assurance champion should be appointed to act as Senior Information Risk Owner (SIRO) for your organisation. This recommendation meets mandatory requirement 3 from the HMG Security Policy Framework (SPF) V1.0.
Your SIRO should agree terms of reference which clearly define their role and responsibilities with regard to the information assurance of your organisation. Additionally, your SIRO should meet regularly with your organisation's security staff to discuss security policy and a risk-managed approach to information assurance. This ensures that information assurance and governance is a recognised board level responsibility which includes the protection and utilisation of all of your organisation's assets (information, personnel and physical).
Point 3 - Manage your stakeholders
Obtaining stakeholder buy-in to your organisation's information assurance strategy is critical to its success. Good stakeholder management creates awareness, provides the framework for supporting delivery and assists you in securing budget where resource is scarce and competition is fierce.
A communications plan should therefore be developed to identify:
  • Desired buy-in outcomes
  • Audience of stakeholders (internal and external)
  • How best to engage stakeholders
  • How messages are to be communicated
  • Ownership of responsibility for maintaining communications
  • Frequency of communications.
Stakeholders should subsequently be plotted on a stakeholder map prioritised by power and interest. This will assist you in grouping them. Your communications strategy can then focus on key stakeholders whilst ensuring other stakeholders are engaged to the level required.
Failure to gain buy-in from key stakeholders has sealed the fate of many information assurance projects.
Point 4 - Involve the experts
When pursuing an information assurance strategy, you should seek advice from recognised Government and industry experts. These organisations have faced the same challenges as you and have valuable information and knowledge to share. This will save you time and money, whilst ensuring that the information assurance solutions you plan to implement are fit for purpose and proven across Government.
The organisations you may wish to contact include:
  • Office of Government Commerce Buying Solutions (OGCBS)
  • Communications-Electronics Security Group (CESG)
  • Government Computer Emergency Response Team (GOVCERT)
  • Central Sponsor for Information Assurance (CSIA)
  • Centre for the Protection of National Infrastructure (CPNI)
  • Warning, Advice and Reporting Point (WARP)
  • Information Commissioner's Office (ICO)
  • Public sector organisations similar to your own
  • Consultancies with expertise in enabling Transformational Government change programmes
Point 5 - Achieving and evidencing compliance
Recent data losses across Government have placed an increased focus on information assurance. Public sector organisations must comply with centrally released security policy (e.g. HMG SPF) which defines mandatory minimum security measures.
To connect to a secure network, your organisation must comply with mandatory security controls. Depending on the security impact level of the secure network, your organisation will either have to complete a Code of Connection (CoCo) or produce a Risk Management and Accreditation Document Set (RMADS).
To answer the requirements of a CoCo, treat each control like an exam question (answer the question with relevant evidence) and sell your strengths, for example where you already comply with standards such as ISO/IEC 27001:2005 or PCI DSS.
The completion of a RMADS is much more involved. Unless your organisation has significant experience, you should involve a CESG Listed Advisor from the CESG Listed Advisor Scheme (CLAS).
Connection to a secure network will only be permitted once the relevant governing security authority is content that your organisation meets the information assurance requirements of the network you wish to connect to. This ensures that the risk your organisation poses to other organisations on the network is managed.
Once your organisation's connection is authorised, you should expect regular audits which ensure that the level of information assurance your organisation has achieved is maintained and improved.
These five points will hopefully act as an aide-mémoire when your organisation starts to consider its connection to a secure government network. The most important thing to understand is that information security is not just about technology; it is the catalyst for organisational change that encompasses people, training, policy and procedures.
VEGA is a member of the CESG Listed Advisor Scheme (CLAS), as well as a registered CHECK service provider. VEGA has an established track record of working across Government providing strategic advice and technological expertise to help secure public sector information through the implementation and use of secure Government networks.

IS Systems Security Degrees - Accreditation and Curriculum Info

Obtaining an IS systems security degree may lead to a worthwhile career in state, federal, and local government departments, finance and banking, insurance, software publishing, or computer systems design. Aspiring IS experts may earn a degree at any number of schools ranging from business colleges to technical schools to traditional colleges and universities. These degrees are also offered at most levels including associate, bachelor's, master's, and first professional. A number of community colleges, career schools, and technical schools also offer certificate programs in IS systems security.
An associate degree or certificate in IS systems security will prepare students for entry into a bachelor's degree program or for entry-level or support positions in the field. For most IS systems security positions, employers prefer a bachelor's degree or higher from an accredited technical school, college, or university.
To get started on your career, you should enroll in an accredited IS systems security program, or a computer science or business program with a technology focus. You may choose the traditional format (on campus), the blended format (online and on campus), or you may choose to complete your IS systems security degree entirely online. If you currently work full-time or your schedule won't allow for commuting and attending classes at set times, the online IS systems security degree is probably the best option.
Before enrolling in any IS systems security degree program, whether traditional, blended, or online, you should check to make sure the program is accredited by an agency recognized by the U.S. Department of Education. The top accrediting bodies for technical, business and traditional schools include:
-Association to Advance Collegiate Schools of Business (AACSB)
-Association of Collegiate Business Schools and Programs (ACBSP)
-Council for Higher Education Accreditation (CHEA)
-Distance Education and Training Council (DETC)
-The National Association of Schools of Art and Design (NASAD)
-Middle States Association of Colleges and Schools (regional)
-New England Association of Schools and Colleges (regional)
-North Central Association of Colleges and Schools (regional)
-Northwest Commission on Colleges and Universities (regional)
-Southern Association of Colleges and Schools (regional)
-Western Association of Schools and Colleges (regional)
In addition to verifying accreditation, spend some time reviewing the curriculum and admissions requirements. An IS security degree program's curriculum should mirror the curriculum of top accredited traditional programs. If you are considering an online IS systems security program, keep in mind that the traditional IS curriculum is still the standard in the academic world. Course listings should be similar to the following:
-Introduction to Programming
-Introduction to Networking
-Information, Technology, and Society
-Introduction to Web Page Development
-Introduction to Database
-Network Installation and Maintenance
-Network Maintenance Laboratory
-Technical and Professional Communication
-Introduction to UNIX/Linux
-Programming II
-Network Administration
-International Field Experience Elective
-Fundamentals of Information Security
-System Analysis
-Fundamentals of Cryptography
-Elementary Statistics with Computer Applications
-Ethical Hacking and Penetration Testing
-Information Security Policy
-Legal Issues in Information Security Management
-Science, Technology, and Society
-IAS Information Assurance and Security Elective
-IAS Information Assurance and Security Elective
-Organizational Management and Behavior
-Capstone: Secure Systems Administrator
-Capstone: Secure System Auditing
-Risk Analyst Capstone
-Information Security Forensics and Incident Response
-Advanced Topics in Information Assurance and Security

Jack S. Lee Information Assurance - The Availability Attribute

Information Assurance applies measures to protect data, the computer systems the data resides on, and the transmission methods used to move it. Availability is ensured by providing reliable and timely access to information services and information, for authorized users only. Integrity is ensured by maintaining the consistency of the operating system's data and data structures, hardware, software and stored material, and by ensuring accuracy, completeness and dependability; integrity also guards against unauthorized deletion of information. Information assurance also provides authentication by establishing the genuineness of a communication or document and its originator, and by verifying an individual's authorization to receive specific data from the system. Confidentiality is preserved by exposing information only to trusted organizations or systems. Non-repudiation is included as well: proof of delivery is provided to the sender, and proof of the sender's identity to the receiver, so that neither party can later dispute having processed the data. Information assurance also covers additional elements, including the restoration of information systems by combining protection, detection and reaction capabilities.
Information Assurance provides availability by delivering timely and reliable access to information and information services for authorized users. Users need reliable access to all hardware, software, services and information. Availability is often assessed only in terms of what is available to mission-critical processes, but it must also be evaluated for the system as a whole.
Design principles that promote availability can be built into the system. Components and subsystems must be able to be restarted gracefully at will. Subsystems and components should be independent of each other and adhere to an open architecture. Less critical missions or functions should be decoupled from more critical ones, and riskier functions from less risky ones. Networks, processes and information storage can also be optimized for mission availability. The architecture can be securely implemented for increased availability so that platforms, software and infrastructure are delivered as services, as in cloud computing. Cloud computing can support additional availability through efficient use of resources and by making individual failures invisible to the user. The redundancy of such services makes the architecture more tolerant of failures and outages.
Timeliness, which is related to Quality of Service (QoS), matters because late can be just as bad as never. Resource allocation can be adjusted to meet timeliness requirements. There are often trade-offs between QoS attributes and information assurance requirements.
Measurement and metrics should help describe the sources of availability problems and must also account for process errors. If administrators and end users are not following the correct process, end-to-end availability can suffer even when the hardware, software and services are available. Processes must therefore be included in the measurement of availability, since they can account for a significant part of system downtime. Many metrics can be used for availability, including:
• How long and how often each subsystem was down
• How many authorized users there are and their access level
• Percentage of time the system is down or information is not reachable
• Percentage of time the system is down or information is not obtainable due to security errors
• Percentage of CPU used for security measures
• Mean Time Between Failures (MTBF)
• Mean Time to Repair (MTTR)
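Most of the metrics listed above can be computed from an outage log. The following Python script is an added example and is not code from the article or from Jack S. Lee; the outage records, subsystem names and the one-week observation period are constructed for illustration, and the "security" cause tag is an assumption standing in for the article's "security errors". It computes how long and how often each subsystem was down, the percentage of time the system was down (overall and due to security incidents), system-wide MTBF and MTTR, and the steady-state availability MTBF / (MTBF + MTTR).

```python
"""Availability metrics over a constructed outage log (added example).

Assumptions (not from the article): outages are logged per subsystem as
(subsystem, start, end, cause) records, outages do not overlap, and the
cause tag "security" marks downtime caused by security errors.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample outage log: (subsystem, start, end, cause).
OUTAGES = [
    ("web-portal",   datetime(2012, 3, 1, 9, 0),  datetime(2012, 3, 1, 9, 30),  "hardware"),
    ("web-portal",   datetime(2012, 3, 3, 14, 0), datetime(2012, 3, 3, 16, 0),  "security"),
    ("database",     datetime(2012, 3, 2, 1, 0),  datetime(2012, 3, 2, 1, 45),  "process"),
    ("database",     datetime(2012, 3, 5, 22, 0), datetime(2012, 3, 6, 0, 0),   "security"),
    ("auth-service", datetime(2012, 3, 4, 10, 0), datetime(2012, 3, 4, 10, 15), "software"),
]
# Constructed observation window: seven days (168 hours).
PERIOD_START = datetime(2012, 3, 1)
PERIOD_END = datetime(2012, 3, 8)


def hours(start, end):
    """Length of an interval in hours."""
    return (end - start).total_seconds() / 3600


def downtime_by_subsystem(outages):
    """How long and how often each subsystem was down: {name: (count, hours)}."""
    stats = defaultdict(lambda: [0, 0.0])
    for name, start, end, _cause in outages:
        stats[name][0] += 1
        stats[name][1] += hours(start, end)
    return {name: (count, down) for name, (count, down) in stats.items()}


def percent_down(outages, period_start, period_end, cause=None):
    """Percentage of the observation period the system was down.

    With cause=None every outage counts; with cause="security" only
    security-caused outages count (the article's 'down due to security errors').
    """
    period_hours = hours(period_start, period_end)
    down = sum(hours(s, e) for _n, s, e, c in outages if cause is None or c == cause)
    return 100.0 * down / period_hours


def mtbf_mttr(outages, period_start, period_end):
    """System-wide Mean Time Between Failures and Mean Time To Repair (hours).

    Every logged outage is one failure; MTBF is total uptime divided by the
    number of failures, MTTR is total downtime divided by the number of failures.
    """
    n = len(outages)
    if n == 0:
        return float("inf"), 0.0
    period_hours = hours(period_start, period_end)
    total_down = sum(hours(s, e) for _n, s, e, _c in outages)
    return (period_hours - total_down) / n, total_down / n


def availability(mtbf, mttr):
    """Steady-state availability A = MTBF / (MTBF + MTTR), as a fraction."""
    return mtbf / (mtbf + mttr)


if __name__ == "__main__":
    for name, (count, down) in sorted(downtime_by_subsystem(OUTAGES).items()):
        print(f"{name:13s} down {count} time(s), {down:.2f} h total")
    print(f"system down: {percent_down(OUTAGES, PERIOD_START, PERIOD_END):.2f}% of period")
    print(f"down due to security: "
          f"{percent_down(OUTAGES, PERIOD_START, PERIOD_END, cause='security'):.2f}%")
    mtbf, mttr = mtbf_mttr(OUTAGES, PERIOD_START, PERIOD_END)
    print(f"MTBF {mtbf:.1f} h, MTTR {mttr:.2f} h, availability {availability(mtbf, mttr):.4%}")
```

With the constructed log, availability from MTBF/(MTBF+MTTR) equals total uptime divided by the period length (162.5 h of 168 h), which is the check to apply when the two are calculated from different sources: if they disagree, the outage log and the failure count are not describing the same events. The process-caused outage is included deliberately, since the article's point is that process errors belong in the availability measurement alongside hardware and software faults.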