HMG Procurement Security Awareness

"Many vendors are selling into government, but stumble over a number of key issues including protective marking rules and what those mean for system, data handling, costs and lead time for personnel clearances; Information assurance, accreditation processes and List X; S-CAT-Catalyst and procurement standards."

Introduction

Understanding the general background to Assurance in the HMG environment

There is a difference in approach between:

Fundamental first step is to get a clear statement of Business Requirement.

You must start with a clear Statement of Business Requirement (SOBR) without which:

I believe in the key principle that IA (Information Assurance, including Accreditation is a key part of Business Risk management. Legal involvement with IA/Accreditor Security should start at the whiteboard level.

Supplier Briefings must include the need for Information Assurance and Security Accreditation.

Security Aspect Letters (SAL)

The key concept of the SAL is that it lays out very early in engagement what the security/IA environment will be so that suppliers do not later transgress requirement and wriggle out, or claim a fix at cost plus rates.

Use of National Security Veto to dispense with competition

It is possible to dispense with some competition by use of the National Security veto. This is not generally advisable there are sometimes reasons.

With systems that are considered as CNI there will be underlying National Security Issues for NISCC/CESG:

Work closely with your Accreditor

What is Accreditation?
What is an Accreditor?

The Accreditor and the internal IA/Security teams must work with the contractors team (immediate question who is Prime Contractor?)

This virtual team must work from first principles to ensure that the people, process and technology specified, contracted, constructed, commissioned, delivered and operated meets the Business Requirement and underpins the Business without undue Risk.

Work with IA/Security & Accreditor to ensure that Contract Schedules fully support the required levels of:

Any requirement for contract or documentation to ISO 27001/ISO 17799

Role of CLAS and development of RMADS in conjunction with Accreditor

Information Assurance should hold no terrors.

Link to Legal.

Concept of ‘No Surprises’ during and at end of Accreditation is good for all, avoids cost and delay.

The Concept of UK Critical National Infrastructure (CNI)

Ask whether NISCC /CPNI consider proposed system and its associated connections and their systems as Critical National Infrastructure.

(Should not be a problem as any well defined and protected system subject to Accreditation should have no problems with the requirements of CNI ie are they safe to underpin the business?)

Pre Employment Checks for suppliers and sub contractors

How the HMG Vetting and Clearances process works

Staff Security Checking and Vetting

List X requirements

The right to audit and undertake inspections to ensure Confidentiality and Integrity.

The ‘Protective Marking’ debate:

What is the Threat?

Assume that there will be a Threat of some kind to the government process and system that is being competed

Threat of failure for any number of reasons


Threat of loss or damage to HMG from the perspective of:

Continued adherence to Security Policy

Who is going to input the Security Policy?
How this affects handling the proposed system

Additional risks to information on the proposed system?

Most of these risks undermine effective information management and lead to compliance violations - whether accidental or deliberate.

Codes of Connection liability issues as well as the Information Assurance ones

How relying parties are satisfied that other organisations are trustworthy to an agreed set of policies, procedures and mechanisms? This requires consistency across the audit & accreditation community.

Call Centres/Help Desks

How to deal with the delicate matter of Fraud

Service level breakdowns

What levels of Resilience are required or proposed?

 

Back to main Insights page