Posted on 15-Jan-2016
© BT PLC 2005
‘Risk-based’ Approach to Managing Infrastructure
a ‘Commercial Perspective’
Malcolm Page, BT UK, AFCEA Lisbon 2005
Objectives of the presentation
To review the drivers and challenges
Dealing with collaboration
Risk reviews & modelling
Compliance
Testing
Summary
Questions
Defence Drivers & Trends
Modernisation of armed forces
Reduction in defence budgets
Rapid deployment of armed forces on overseas missions
Global role - Nation’s eyes only
Interoperability of Command & Control
Prime contracting (PFI) - partners take share of responsibility / risk
The increased threat from cyber space
Foreign intelligence services and identity theft management
Homeland / National ICT Defence
Increase in overseas peace keeping commitments with other foreign powers
Increased infrastructure attack from Cyber terrorism
Additional Drivers
Increased pressure for Information Governance
Regulatory Compliance
Need to demonstrate stakeholder value
Public monies being put to good use
Accurate information available for C3I decision making
C3I – Command, Control, Communications and Information
Challenges
Maintaining the confidentiality, integrity and availability of defence infrastructure
Protection of defence infrastructure against attack from foreign powers (covert / overt)
Information Assurance (defence accreditation of information and systems such as NATO Classified)
Modernisation of armed services on reduced budgets
Recruiting and retaining the right personnel
Increased use of ‘ICT Networks’ to deliver Command & Control
Commercial Risk–Based Management: Defence in Depth
Balanced assessment of risk probability versus risk impact versus cost of mitigation, etc.
Dynamically translated into strategies, rules, practices, processes and procedures, etc., and regularly reviewed.
The People
Includes: Recruiting, selection, clearances, access rights and other controls (both on joining and on leaving the organisation), alternate resource pools, monitoring, auditing, communication, awareness, training etc.
The physical infrastructure
Includes: Sites and their locations, adjacent “threats” (natural and man-made), utility service provision and back-ups, alternate sites, physical hardware assets (down to granular levels – e.g. – signed off holdings of desk-top assets), access controls, guarding, alerting, monitoring, testing, auditing etc.
The information infrastructure
Includes: Data, voice and IP network information transfer systems, and associated information storage and back-up facilities etc. Information retention policies also apply.
Key Collaboration Partners

Partners (diagram): Field Command; Army; Navy; Air Force; Mobile Personnel; Civilian Defence Units & Local Govt offices; Central & Intergovernmental Organisations, e.g. NATO / EU

Information flows between them:
Transfer of real-time critical data & information securely via multi-channel methods
Collaboration and sharing of data
Policy / direction setting & legislation
Intelligence
Civil defence contingency plans, directives, command control & coordination of action
Risks

(Same partner diagram as the previous slide: Field Command; Army; Navy; Air Force; Mobile Personnel; Civilian Defence Units & Local Govt offices; Central & Intergovernmental Organisations, e.g. NATO / EU)

• More sophisticated attacks on information infrastructure
• Interoperability of systems - vulnerabilities
• Unauthorised access to sensitive data, e.g. intelligence
• Downtime / Denial of Service, e.g. during deployment
• Downtime & reliability
• Nation’s eyes only
• Real-time response to threat
• Resilience - maintaining comm’s in the battle-space
• Breach of classification levels of data
• Secure comm’s from remote locations
• Cost
How Effective is this Risk Management?
Critical Infrastructure Risk Model

Risk Analysis Framework (diagram):

Protagonist Model - Capability, Opportunity, Motivation
Vulnerability Model - Protection, Detection, Reaction
  Protagonist and vulnerability models feed the Attack Likelihood Assessment
Business Model - Criticality, Continuity, Dependency
  Feeds the Impact Analysis
Attack likelihood and impact together set the priorities
Priorities drive Risk Managed Solutions across Technology, Integration, Process and People
Overall Security Process

Information Security Summary (diagram):

Business Requirements
  Business Continuity Strategy -> Business Continuity Plans -> Business Continuity Plan Test
  Security Risk Analysis and Management -> Security Policy / Community Security Policy -> Identification of Security Countermeasures

Security Management
  Non-Technical: Security Operating Procedures; Security Incident Handling and Reporting; Security Awareness
  Technical: Technical Security Architecture; Security Components and Tools - Technical Solution; Firewall Policies

Security Assurance
  Testing / Evaluation Reports; Security Audit / Compliance Checking; Accreditation
  Accredited Service, implemented in a Secure Environment -> Live System Environment -> System in Operational Use

Operation
  Regular Security Audit / Compliance Checking; Monitoring; Feedback into Risk Analysis etc.
Compliance
Security audit/compliance checks
business security health check
Gap analysis (e.g. against ISO27001, (UK) MPS/JSP440)
Security evaluation services
IT security testing services
Compliance against regulatory requirements such as Data Protection
IT security testing services

Level 1 - Automated Vulnerability Scan; Network Mapping
Level 2 - Technical Security Check
  Includes: 1. Technical security policy review  2. Vulnerability Assessment
  Options: 3. Firewall Rulebase Analysis  4. Physical Computer Room Check  5. Social Engineering  6. Web Application Testing
Level 3 - Penetration Testing
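The "Firewall Rulebase Analysis" option above names a service without showing what such a check actually looks for. As an added illustration (not BT's tooling and not part of the original slides), the following Python implements three of the standard rulebase checks: rules that are shadowed by an earlier rule and can never fire, catch-all any/any accept rules, and cleartext management services exposed to any source. The rule format, the Rule fields and the sample rulebase are all constructed for this example.

```python
"""Rulebase analysis checks of the kind offered as 'Firewall Rulebase Analysis'
above. Added illustration, not BT's tooling; the rule format and the sample
rulebase are constructed for this example."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "accept" or "drop"
    src: str      # CIDR, or "any"
    dst: str      # CIDR, or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # "any", a single port, or "lo-hi"


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _ports(spec: str) -> tuple[int, int]:
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`,
    i.e. `inner` can never fire if `outer` sits above it in the rulebase."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    o_lo, o_hi = _ports(outer.port)
    i_lo, i_hi = _ports(inner.port)
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and o_lo <= i_lo and i_hi <= o_hi)


# Cleartext management services that should not be reachable from "any" source.
RISKY_SERVICES = {("tcp", 23): "telnet", ("tcp", 21): "ftp", ("udp", 161): "snmp"}


def analyse(rules: list[Rule]) -> list[tuple[str, str, str]]:
    """Return (rule, finding, detail) triples for shadowed, catch-all and
    over-exposed rules. Rules are evaluated first-match, top to bottom."""
    findings = []
    for i, rule in enumerate(rules):
        shadow = next((r for r in rules[:i] if covers(r, rule)), None)
        if shadow is not None:
            kind = "shadowed-conflict" if shadow.action != rule.action else "shadowed-redundant"
            findings.append((rule.name, kind, f"never matches; fully covered by {shadow.name}"))
            continue
        if rule.action != "accept":
            continue
        if (rule.src, rule.dst, rule.proto, rule.port) == ("any", "any", "any", "any"):
            findings.append((rule.name, "any-any-accept", "permits all traffic"))
            continue
        if rule.src == "any":
            lo, hi = _ports(rule.port)
            for (proto, port), svc in RISKY_SERVICES.items():
                if rule.proto in ("any", proto) and lo <= port <= hi:
                    findings.append((rule.name, "exposed-service",
                                     f"{svc} ({proto}/{port}) reachable from any source"))
    return findings


# Constructed sample rulebase (not from a real deployment).
RULEBASE = [
    Rule("r1", "accept", "10.0.0.0/8",  "192.168.1.10/32", "tcp", "443"),
    Rule("r2", "drop",   "10.1.0.0/16", "192.168.1.10/32", "tcp", "443"),      # shadowed by r1
    Rule("r3", "accept", "any",         "192.168.1.20/32", "tcp", "23"),       # telnet from anywhere
    Rule("r4", "accept", "10.0.0.0/8",  "192.168.1.10/32", "tcp", "400-500"),  # wider than r1: not shadowed
    Rule("r5", "accept", "any",         "any",             "any", "any"),      # catch-all accept
    Rule("r6", "drop",   "any",         "any",             "any", "any"),      # intended default deny, never reached
]

if __name__ == "__main__":
    for name, kind, detail in analyse(RULEBASE):
        print(f"{name}: {kind}: {detail}")
```

On the sample rulebase this reports r2 and r6 as shadowed with conflicting actions (the default deny in r6 is unreachable because r5 accepts everything first), r5 as an any/any accept, and r3 as exposing telnet to any source; r4 is not flagged because its port range is wider than r1's, so it still matches traffic r1 does not. Real products add their own syntax, object groups and zones, but the shadowing test is the same subset comparison on source, destination, protocol and port.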
Proactive Monitoring & Management & Testing

Network Management
• Effective network design
• Ensure efficient operation
• Ensure High Availability
• Firewalls in place
• Provide connectivity

Security Management
• Effective security design
• Manage vulnerability
• Monitor - internal/external
• Integrate and Interpret
• Build IRP

Best Practice is a blend of network & security operations
Can commercial security deliver for NATO?
Accountable
Retain experienced staff
Government cleared personnel
Setting Standards
Availability 365 x 24 x 7
Information sharing ‘FIRST’, trade partners, government agencies etc.
Potential benefits
Reduced technological and operational risks
Reduced costs
Expertise – Know-how
Linked into ‘in-country’ Critical National Information Infrastructure
Global capability
Regular audits & reviews
Invariably Commercial Off-The-Shelf (COTS) solutions
Questions?
Malcolm Page
Business Continuity, Security & Governance Practice
+44 7711 073329