© BT PLC 2005 ‘Risk-based’ Approach to Managing Infrastructure a ‘Commercial Prospective’ Malcolm Page BT UK AFCEA Lisbon 2005

Post on 15-Jan-2016

Page 1

© BT PLC 2005

‘Risk-based’ Approach to Managing Infrastructure

a ‘Commercial Prospective’

Malcolm Page, BT UK, AFCEA Lisbon 2005

Page 2

Objectives of the presentation

To review the drivers and challenges

Dealing with collaboration

Risk reviews & modelling

Compliance

Testing

Summary

Questions

Page 3

Defence Drivers & Trends

Modernisation of armed forces

Reduction in defence budgets

Rapid deployment of armed forces on overseas missions

Global role - Nation’s eyes only

Interoperability of Command & Control

Prime contracting (PFI) - partners take share of responsibility / risk

The increased threat from cyber space

Foreign intelligence services and identity theft management

Homeland / National ICT Defence

Increase in overseas peace keeping commitments with other foreign powers

Increased infrastructure attack from Cyber terrorism

Page 4

Additional Drivers

Increased pressure for Information Governance

Regulatory Compliance

Need to demonstrate Stake holder value

Public monies being put to good use

Accurate information available for C3I decision making

CC3I – Command Control Communication Information!

Page 5

Challenges

Maintaining the confidentiality, integrity and availability of defence infrastructure

Protection of defence infrastructure against attack from foreign powers (covert / overt)

Information Assurance (defence accreditation of information and systems such as NATO Classified)

Modernisation of armed services on reduced budgets

Recruiting and retaining the right personnel

Increased use of ‘ICT Networks’ to deliver Command & Control

Page 6

Commercial Risk–Based Management: Defence in Depth

Balanced assessment of risk probability v risk impact v cost of mitigation etc:

Dynamically translated into strategies, rules, practices, processes and procedures etc. Regularly reviewed.

The People

Includes: Recruiting, selection, clearances, access rights and other controls (both on joining and on leaving the organisation), alternate resource pools, monitoring, auditing, communication, awareness, training etc.

The physical infrastructure

Includes: Sites and their locations, adjacent “threats” (natural and man-made), utility service provision and back-ups, alternate sites, physical hardware assets (down to granular levels – e.g. – signed off holdings of desk-top assets), access controls, guarding, alerting, monitoring, testing, auditing etc.

The information infrastructure

Includes: Data, voice and IP network information transfer systems, and associated information storage and back-up facilities etc. Information retention policies also apply.

Page 7

Key Collaboration Partners

Field Command

Air Force

Civilian Defence Units & Local Govt offices

Central & Intergovernmental Organisations, e.g. NATO / EU

Transfer of real time critical data & information securely via multi-channel methods

Collaboration and sharing of data

Policy / direction setting & legislation

Intelligence

Civil defence contingency plans, directives, command control & coordination of action

Mobile Personnel

Navy / Army

Page 8

Risks

Field Command

Air Force

Civilian Defence Units & Local Govt offices

Central & Intergovernmental Organisations, e.g. NATO / EU

Mobile Personnel

Navy / Army

• More sophisticated attacks on information infrastructure
• Interoperability of systems - vulnerabilities
• Unauthorised access to sensitive data, e.g. intelligence
• Downtime / Denial of Service, e.g. during deployment

• Downtime & reliability
• Nation’s eyes only
• Real time response to threat
• Resilience - maintaining comm’s in the battle-space
• Breach of classification levels of data
• Secure comm’s from remote locations
• Cost

Page 9

How Effective is this Risk Management!

Page 10

Critical Infrastructure Risk Model

Protagonist Model (Capability, Opportunity, Motivation) feeds the Attack Likelihood Assessment

Business Model (Criticality, Continuity, Dependency) feeds the Impact Analysis and priorities

Vulnerability Model (Protection, Detection, Reaction)

Risk Analysis Framework combines the three assessments and selects Solutions (Technology, Integration, Process, People), giving Risk Managed Solutions
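The slide shows the three models as boxes and arrows only. The example below, written for this transcript and not BT's own model, turns the diagram into a small scoring framework: the protagonist model gives an attack likelihood, the business model an impact, the vulnerability model an exposure factor, and candidate solutions are ranked by risk reduction per unit of mitigation cost, which is the "risk probability v risk impact v cost of mitigation" balance described on page 6. The 0 to 1 scales, the averaging formulae, and the sample protagonist, asset and solutions are all constructed assumptions.

```python
"""Three-model critical infrastructure risk scoring (constructed example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Protagonist:
    """Threat agent factors from the protagonist model, each scored 0..1 (assumed scale)."""
    capability: float
    opportunity: float
    motivation: float


@dataclass(frozen=True)
class Controls:
    """Vulnerability-model factors: how well the asset is protected, monitored and responded to, 0..1."""
    protection: float
    detection: float
    reaction: float


@dataclass(frozen=True)
class Asset:
    """Business-model factors for one piece of infrastructure, 0..1 each."""
    name: str
    criticality: float
    continuity: float
    dependency: float
    controls: Controls


@dataclass(frozen=True)
class Solution:
    """A candidate countermeasure: which control factor it raises, by how much, and its cost (constructed units)."""
    name: str
    kind: str        # technology, integration, process or people
    improves: str    # 'protection', 'detection' or 'reaction'
    gain: float
    cost: float


def attack_likelihood(p: Protagonist) -> float:
    # Simple mean of the protagonist factors (assumed formula).
    return (p.capability + p.opportunity + p.motivation) / 3


def impact(a: Asset) -> float:
    # Simple mean of the business-model factors (assumed formula).
    return (a.criticality + a.continuity + a.dependency) / 3


def vulnerability(c: Controls) -> float:
    # Stronger protection, detection and reaction leave less residual exposure.
    return 1.0 - (c.protection + c.detection + c.reaction) / 3


def risk_score(p: Protagonist, a: Asset) -> float:
    """Risk on a 0..100 scale: likelihood x vulnerability x impact."""
    return round(100 * attack_likelihood(p) * vulnerability(a.controls) * impact(a), 1)


def apply_solution(sol: Solution, asset: Asset) -> Asset:
    """Return the asset as it would look with the solution in place (capped at 1.0)."""
    current = getattr(asset.controls, sol.improves)
    improved = replace(asset.controls, **{sol.improves: min(1.0, current + sol.gain)})
    return replace(asset, controls=improved)


def prioritise(p: Protagonist, asset: Asset, solutions: list) -> list:
    """Rank solutions by risk reduction per unit cost: (name, reduction, reduction_per_cost)."""
    baseline = risk_score(p, asset)
    rows = []
    for sol in solutions:
        reduction = round(baseline - risk_score(p, apply_solution(sol, asset)), 1)
        rows.append((sol.name, reduction, round(reduction / sol.cost, 3)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample input: a capable, motivated state-level protagonist against a C2 network.
PROTAGONIST = Protagonist(capability=0.9, opportunity=0.6, motivation=0.9)
C2_NETWORK = Asset("Command & Control IP network", criticality=1.0, continuity=0.8, dependency=0.9,
                   controls=Controls(protection=0.7, detection=0.4, reaction=0.4))
SOLUTIONS = [
    Solution("24x7 security monitoring", "people", "detection", gain=0.4, cost=40),
    Solution("Incident response plan", "process", "reaction", gain=0.3, cost=15),
    Solution("Additional firewall tier", "technology", "protection", gain=0.2, cost=30),
]

if __name__ == "__main__":
    print(f"baseline risk for {C2_NETWORK.name}: {risk_score(PROTAGONIST, C2_NETWORK)}")
    for name, reduction, per_cost in prioritise(PROTAGONIST, C2_NETWORK, SOLUTIONS):
        print(f"{name:28s} reduces risk by {reduction:5.1f}  ({per_cost} per cost unit)")
```

With these constructed numbers the cheap incident response plan ranks first even though the monitoring investment removes more risk in absolute terms, which is the kind of trade-off the "balanced assessment" on page 6 asks for; the point of the exercise is that the ranking is only as good as the factor scores, so they need the regular review the slide calls for.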

Page 11

Overall Security Process

Business Requirements

Business Continuity Strategy

Business Continuity Plans

Security Risk Analysis and Management

Security Policy

Non-Technical: Security Operating Procedures

Technical: Technical Security Architecture

Security Components and Tools - Technical Solution

Security Incident Handling and Reporting

Security Awareness

Security Audit / Compliance Checking

Security Assurance

Testing / Evaluation Reports

Business Continuity Plan Test

Security Management

Community Security Policy

Identification of Security Countermeasures

Regular Security Audit / Compliance Checking

Monitoring

System in Operational Use

Feedback into Risk Analysis etc.

Information Security Summary

Accredited Service

Implemented in a Secure Environment

Live System Environment

Firewall Policies

Accreditation

Page 12

Compliance

Security audit/compliance checks

business security health check

Gap analysis (e.g. against ISO27001, (UK) MPS/JSP440)

Security evaluation services

IT security testing services

Compliance against regulatory requirements such as Data Protection

Page 13

IT security testing services

Level 1: Automated Vulnerability Scan

Network Mapping

Level 2: Technical Security Check

Includes:
1. Technical security policy review
2. Vulnerability Assessment

Options:
3. Firewall Rulebase Analysis
4. Physical Computer Room Check
5. Social Engineering
6. Web Application Testing

Level 3: Penetration Testing


Page 14

Proactive Monitoring & Management & Testing

Network Management

• Effective network design

• Ensure efficient operation

• Ensure High Availability

• Firewalls in place

• Provide connectivity


Security Management

• Effective security design

• Manage vulnerability

• Monitor - internal/external

• Integrate and Interpret

• Build IRP


Best Practice is a blend of network & security operations

Page 15

Can commercial security deliver for NATO?

Accountable

Retain experienced staff

Government cleared personnel

Setting Standards

Availability 365 x 24 x 7

Information sharing ‘FIRST’, trade partners, government agencies etc.

Page 16

Potential benefits

Reduced technological and operational risks

Reduced costs

Expertise – Know-how

Linked into ‘in-country’ Critical National Information Infrastructure

Global capability

Regular audits & reviews

Invariably Commercial Off The Shelf (COTS) solutions

Page 17

Questions?

Malcolm Page

Business Continuity, Security & Governance Practice

+44 7711 073329

[email protected]