April 2010 Issue No: 1.2 Good Practice Guide Managing Accreditation Governance, Structure & Culture


Page 1: Good Practice Guide Managing Accreditation Governance ... · Good Practice Guide Managing Accreditation – Governance, Structure & Culture . ... Chapter 8 - Managing ... accountability

April 2010 Issue No: 1.2

Good Practice Guide

Managing Accreditation – Governance, Structure & Culture


Good Practice Guide No. 19

Managing Accreditation – Governance, Structure & Culture

Issue No: 1.2

April 2010

The copyright of this document is reserved and vested in the Crown.


Intended Readership

This Good Practice Guide is primarily intended for the benefit of Government Senior Information Risk Owners (SIROs) and those managing accreditation. The essential reading for SIROs is restricted to Chapter 1, which lists the key actions required of them to ensure that accreditation is managed. It should also be of interest to Accreditors, Senior Responsible Owners (SROs) with responsibility for information systems, project and system managers, Information Asset Owners (IAOs) and members of Audit Committees with responsibility for oversight of Information Assurance.

Executive Summary

Accreditation of information systems is a business function and should not be delegated in its entirety to an Accreditor. To integrate accreditation into the wider business requires the pro-active involvement of the SIRO and management. A well managed accreditation function operates within an organisational framework that includes:

An agreed statement of risk appetite

A service level agreement for what the team of Accreditors can & cannot do for the SIRO

A training regime for Accreditors

A path for escalating difficult accreditation decisions

A reporting process to enable oversight of accreditation

A robust strategy for the maintenance of accreditation

A framework for driving improvement.

The accreditation service will be more effective if the organisation implements:

Security policies tailored to local needs

An Information Security Management System

An enterprise architecture which incorporates security

An investment programme to reduce information risk

SIROs may use the Accreditation Service Maturity Model in this guide to help drive improvement in their organisation.

Aims and Purpose

This Good Practice Guide aims to explain how to manage the accreditation process so that the interests of SIROs and IAOs are balanced with other business objectives over the long term. Its purpose is to help improve the management of information risk to enable the delivery of better government services, through the increased use of Information Communications & Technology, whilst still protecting information to a standard that could reasonably be expected by its owners. Whilst this Guide is aimed primarily at Government Departments, executive agencies and non-departmental government bodies, it should provide useful guidance to organisations across the wider UK public sector and also to commercial organisations providing services to, or managing services on behalf of, government.

Changes from Previous Version

This version reflects:

The publication by the Government IT Profession of the Accreditor Role Definitions. This is factored into Chapter 7 – Training and Tasking Accreditors.

The existence of ISO/IEC 17021:2006 – Conformity assessment – Requirements for bodies providing audit and certification of management systems. This is recommended as a source of useful guidance in Chapter 12 – Driving Improvement in the Accreditation Service.


Contents:

Chapter 1 - Using this Good Practice Guide ................................................. 5

Chapter 2 - Setting the Scene .......... 7

Chapter 3 - Describing the Information Risk Appetite .............. 10

Statement of Information Risk Appetite ......................................... 11

Communicating Accreditation Decisions ....................................... 12

Chapter 4 - Developing an Accreditation Service Level Agreement ....................................... 14

Chapter 5 - Attributes of Effective Accreditors ...................................... 18

Range of skills for an effective accreditor ....................................... 18

Chapter 6 - Resourcing the Accreditation Function................... 22

Roles within the Accreditation Function ......................................... 22

Compliance Monitoring and Re-accreditation .................................. 25

Estimating the Resources Required for Accreditation ............................. 26

Chapter 7 - Training and Tasking Accreditors ...................................... 28

Chapter 8 - Managing Client Relationships .................................. 32

Collaboration ................................. 32

Co-operative .................................. 32

Competitive .................................... 32

Conflict. .......................................... 33

Chapter 9 - Escalating Accreditation Decisions ........................................ 36

Patterns of Accreditation Decisions ...................................................... 36

Accreditation Decision Escalation . 37

Criteria for Escalation ................... 37

Timing of Escalation ..................... 38

Conducting Accreditation Panel Meetings ....................................... 39

Granting Interim Accreditation ...... 39

Chapter 10 - Reporting .................. 42

Chapter 11 - Facilitating Accreditation .................................. 44

Security Policy .............................. 44

Information Security Management System .......................................... 44

Enterprise Architecture ................. 44

Information Risk Investment Programme ................................... 45

Chapter 12 - Driving Improvement in the Accreditation Service .............. 46

References ..................................... 52

Glossary ......................................... 54

Customer Feedback ...................... 56


Chapter 1 - Using this Good Practice Guide

Key Principles

Accreditation is a key service to the SIRO in carrying out his/her mandatory responsibility and accountability under the SPF for managing information risk.

SIROs can drive improvement in the accreditation service through the use of an Accreditation Service Maturity Model contained in this document.

1. This CESG Good Practice Guide aims to help Senior Information Risk Owners (SIROs) drive improvement in their organisation’s accreditation service. The guide introduces and explains key concepts required to manage accreditation on the scale of major government organisations1. These concepts are used to develop a 5 level Accreditation Service Maturity Model in which greater maturity gives a more effective and efficient accreditation service and consequently better control of information risk.

2. Ideally SIROs will familiarise themselves with all the material in this guide but the guidance for SIROs can be condensed to the following steps:

a. Assign responsibility for managing accreditation in the organisation.

b. Task the Accreditation Manager with assessing the level of Accreditation Service maturity as defined in Chapter 12. If the organisation has already been assessed using the HMG IA Maturity Model, ref [a], this should be straightforward.

c. Set objectives for improving the level of Accreditation Service maturity. The corporate outcomes for each level of maturity are designed to make improvement attractive to the main board of directors and not just to SIROs.

d. Support the Accreditation Manager in the development of an Accreditation Service Level Agreement (SLA), which in turn helps the SIRO discharge his responsibility for producing a Statement of Risk Appetite. Guidance is given in Chapters 3 and 4 on what these documents should contain.

e. Use the Statement of Risk Appetite, Accreditation SLA and maturity objectives to make the business case for resourcing the accreditation service.

3. SIROs should also note that their accreditation service will be more effective if their organisation implements:

1 For SIROs new to this subject, terminology relating to accreditation is defined in the glossary.


a. Security policies tailored to local needs.

b. An Information Security Management System in accordance with ISO27001, ref [b].

c. An enterprise architecture which incorporates security.

d. An investment programme to reduce information risk.


Chapter 2 - Setting the Scene

Key Principles

Accreditation is a business process and should not be delegated in its entirety to an Accreditor.

Unless the accreditation process is properly integrated into business management, information risks cannot be managed effectively.

4. Accreditation is the formal assessment of an information system against its Information Assurance (IA) requirements, resulting in the acceptance of residual risks in the context of the business requirement, ref [c]. It might appear to be an unpalatable overhead in the short term, but without it security compromises to business objectives are inevitable in the long term. At its best, accreditation informs the risk owner1 of the risks to their data, explains why the risks exist and what can be done to mitigate them. An effective accreditation service communicates the risk owners’ preferences to those who need to act upon them, monitors progress against the security objectives set and reports any deficiencies back to the risk owner. Furthermore, the accreditation service is available whenever the risk owner needs it, whether or not they are aware of the need for it. Overall the risk owner should feel informed and empowered by the accreditation service.

5. Delivering an accreditation service that is pragmatic, appropriate and cost-effective in meeting the business need, as opposed to one that mechanistically addresses risk management issues and as a result is dogmatic, inappropriate and costly, is not easy. To reach the standard needed by SIROs in an era of Transformational Government, ref [d], requires consistent management attention over a period of years and progress can be quickly lost when management attention is diverted.

6. This guide explains how to develop an accreditation service fit for today’s typical government Department. Details of how the basic accreditation function is carried out are explained in HMG IA Standard No 2 (Risk Management and Accreditation of Information Systems – ref [c]), supported by HMG IA Standard No 1 (Technical Risk Assessment – ref [e]). These standards provide sound advice for Accreditors but little guidance for those who manage them. For those not familiar with these standards, a glossary of key accreditation terms is at the end of this guide. HMG has extensive experience of managing accreditation and this guide aims to share some of the lessons learnt from across government.

1 ‘Risk owner’ in this context means the SIRO, IAO or their representative.


7. As accreditation is a business process, and not simply a security process, it needs to be carefully integrated into the business.2 Accreditors need to be IA professionals, with a thorough understanding of the business and the ability to communicate effectively with their management and their peers in project and programme delivery. Problems that can arise when SIROs and IAOs are not fully versed in IA and consequently do not properly integrate accreditation into the rest of the business include:

a. Accreditors find out about a new information system too late to influence its security design in a cost-effective manner.

b. In the absence of guidance and understanding by management, Accreditors feel obliged to make all the accreditation decisions with little or no reference to the business.

c. Accreditors attempt to make the right accreditation decisions but without properly understanding the business context that should be defined by the business.

d. Conflicts emerge between Accreditors and project management teams as Accreditors attempt to impose security requirements late in the design lifecycle.

e. The business imperatives to deliver the new system outweigh the Accreditor’s concerns and the system goes operational with security weaknesses which have the potential to inflict serious damage on the business.

f. The project management team is disbanded and the expertise and resources to rectify security weaknesses are dispersed across the organisation.

g. The Accreditor is frustrated and resolves to argue their next case more strongly but merely reinforces perceptions that Accreditors tend to get in the way rather than deliver real business benefits.

h. Service providers exploit the differences of opinion between Accreditor, project management, SRO and IAO and pay less attention to security.

i. Accreditation is not maintained and IA is not managed effectively through the operational life of the system, resulting in an ever-increasing risk of adverse impact on the business.

8. The long term consequence of ineffective management of accreditation can be that the organisation’s information systems are not risk managed in a pragmatic, appropriate and cost effective manner. In a previous era, when information systems were largely independent, it was easier to contain business impacts from security incidents within the organisation. In an era when Transformational Government and Shared Services, ref [f], require complex interconnections between information systems, threats from electronic attack and malicious software are increasing, and the public and press are concerned about information security, the business impact from security incidents can be much larger.

2 The ‘business’ in this context means the organisation as represented by the Accreditor’s key stakeholders: SIRO line management, IAOs, client project managers, business managers etc.

9. Additionally, ineffective management of accreditation fosters a culture where information assurance and particularly the management and protection of sensitive information are not recognised as important.

10. Key activities for managers to undertake in order to avoid this scenario and build an accreditation service that protects and enables business objectives are:

a. In conjunction with the SIRO and IAOs, develop a statement on information risk appetite to guide Accreditors on what is and is not tolerable to information risk owners.

b. Establish a Service Level Agreement (SLA) for the accreditation service provided to the SIRO based on the resources assigned and available.

c. Conduct a gap analysis between the level of service provided under the SLA and that needed by the business, and where necessary establish a business case for an increase in resourcing.

d. Ensure accreditation is factored into the programme and project management processes, and into operational management processes.

e. Encourage Accreditors and project management teams to collaborate rather than compete over the priority between security and other business objectives.

f. Provide a management chain for escalation of difficult accreditation decisions from the Accreditor to the SIRO and ensure that Accreditors use it.

g. Ensure that Accreditors are trained in influencing skills and not just Information Assurance skills.

h. Use the residual risks accepted by IAOs in the accreditation process to support the business case for corporate investment to reduce information risk. Accreditation is necessary, but not sufficient, to control information risk at the enterprise level.

i. Use feedback from accreditation, especially accreditation maintenance, to inform the corporate risk management process.


Chapter 3 - Describing the Information Risk Appetite

Key Principles

A statement of the organisation’s Information Risk Appetite, endorsed by the SIRO, is a key tool for guiding all concerned with accreditation what level of risk is acceptable.

Major accreditation decisions provide further guidance to accreditors on the level of information risk acceptable to SIROs.

11. For Accreditation Managers who participate in accreditation decision making on a daily basis, the majority of accreditation decisions are currently straightforward. They are straightforward either because the manager has seen that type of risk accepted many times before or because they know the risk is readily avoided and has not been accepted in the past. However, in the era of Transformational Government, Shared Services and Web 2.0, such decisions will increasingly set precedents and require innovative risk management solutions. The challenge for the Accreditation Manager is therefore twofold: to share that body of knowledge, so that it is clearer to others with less visibility of accreditation decisions which risks are acceptable to the organisation and which are not; and to develop innovative risk management solutions that are shared with a number of other accreditors and approved by more than one SIRO.

12. It is simplistic to assume that there will be a strong correlation between the level of residual risk and whether it is wise for the organisation to accept it. In a crisis some high risks may be well worth taking and some routine low risks might be readily reduced to a negligible risk.

13. Accreditation Managers have 2 major tools at their disposal for communicating which information risks are likely to be acceptable to the organisation:

a. The Statement of Information Risk Appetite.

b. Precedent setting accreditation decisions.

14. There is a legal analogy here which may be helpful. Laws are made by Parliament but they are interpreted in the courts and over time a body of case law is established. It is the case law which provides the practical details of what is and isn’t acceptable to society. Similarly the Statement of Risk Appetite provides the high level statement of what the organisation will accept but it is the precedent setting accreditation decisions which provide the interpretation of that statement and hence the detailed guidance required of accreditors, project managers and system managers.


Statement of Information Risk Appetite

15. Ref [c] states that risk appetite should be expressed as the “boundaries that have been authorised by the management board that provide clear guidance on the levels of risk that can be taken, whether considering threat (security) or opportunity (business benefit)”. The Statement of Information Risk Appetite provides guidance to Accreditors and project management teams on the corporate limits to trading security with other business objectives. If the organisation has no Statement of Risk Appetite, accreditation management should encourage and help the management board to produce one. The statement should be developed in consultation with the SIRO, Information Asset Owners and those who will use it to ensure that it answers their questions.

16. It is possible that the corporate risk appetite will vary across the organisation and vary in time in response to external events. The IAOs and other stakeholders may wish to provide additional guidance to accreditors to take into account local circumstances. Ref [c] describes risk tolerance as “allowing for variations in the amount of risk an organisation is prepared to accept for a particular business activity.”

17. HM Treasury provides guidance on management of risk and describing risk appetites in general at references [g] & [h]. Factors to consider when developing a Statement of Information Risk Appetite include the following:

a. What is the political and business context in which information risk decisions are made?

b. What are the general expectations of Ministers, the public and of partners whose data is held by the organisation?

i. What legislation or regulation is most relevant to the organisation?

ii. What would be the consequences of acquiring a poor reputation for managing information risk?

iii. Is the overall level of information risk rising or declining? Does the organisation expect or want the trend to change?

iv. Does the organisation have a good track record of managing information risk?

v. Can it afford a security incident which although not greatly damaging in its own right, might be seen by key external bodies as confirmation of a pattern of poor management?


c. Are there categories of incidents that would be seen as disastrous, forcing the resignation of a SIRO or Permanent Secretary? Categories of incidents to consider are:

i. Widespread access to sensitive data through electronic attack.

ii. Major loss of business services due to malicious software.

iii. Major compromise of security through frequent misuse of legitimate access (the insider threat).

iv. Frequent compromises of personal data due to theft, user carelessness or poor training.

v. Loss of business services due to inadequate Business Continuity and Disaster Recovery planning in the event of a natural disaster.

d. What information risk incidents, which although serious, would the organisation and its board members survive, provided due diligence could be demonstrated?

e. Of the major information risks faced by the organisation, what is the risk appetite (ref [f] classifies risk appetites as averse, minimalist, cautious, open, hungry)? For each information risk, how does the residual risk compare with the risk appetite?

f. What are the key IA controls that the organisation depends upon to protect its information and to demonstrate due diligence; eg vetting, physical access controls, network boundary controls, malware defences, accreditation and compliance monitoring?

g. Given the above information, what IA controls should never be circumvented?

h. What business objectives could justify waivers to other IA controls; eg improved business services, increased agility, cost savings?

18. HM Treasury provides example formats for communicating risk appetites at ref [h].

Communicating Accreditation Decisions

19. If accreditors and other stakeholders are to understand how the organisation interprets the Statement of Information Risk Appetite, it is helpful that they have sight of key accreditation decisions. Accreditation Management should consider which decisions are worth circulating and to whom.


20. Some accreditation decisions set precedents for risk acceptance, considering past practices as risk avoidance and recognising that changing business circumstances justify some risk taking. Such decisions are worth circulating to those it will affect but the rationale for the new approach should be explained to avoid giving the impression that the importance of managing information risk has been reduced in some way.

21. Other accreditation decisions reinforce policy and good practice by the refusal to accept a low level of security and accepting instead increased cost, a delay to a new service or a lower level of functionality. Such decisions are also well worth sharing as they communicate management’s intentions and expectations more powerfully than a simple policy statement produced at no cost to the organisation.


Chapter 4 - Developing an Accreditation Service Level Agreement

Key Principles

An Accreditation Service Level Agreement (SLA) should be agreed between the manager responsible for accreditation, the Senior Information Risk Owner and a representative of the SRO community.

The Accreditation SLA should state the outputs expected of the accreditation team as well as the resources allocated to it.

22. The HMG Security Policy Framework, ref [j], mandates the accreditation of all ICT systems that process protectively marked data and that their accreditation be reviewed annually.1 For a large, diverse organisation under pressure to meet competing business objectives it is far from trivial for management to ensure accreditation of all systems and even harder to demonstrate that there are no unaccredited systems. However, the requirement to do so is mandatory and the Board will be held accountable for non-compliance.

23. A key tool for management is an Accreditation SLA. Accreditors are agents for the SIRO and IAOs but they also work closely with project management teams delivering new information systems and with systems and network managers. The SLA should therefore be agreed with all these communities of interest.

24. If the accreditation function has been ineffectively managed, it is likely to be under-resourced. The Accreditors will be swamped with work and are largely reacting to the most urgent or vociferous demands upon their time. In the absence of pro-active management, Accreditors tend to get spread thinly across multiple information systems. A few projects will get adequate attention, most will get less. Some areas, such as re-accreditation of legacy systems, may get no attention at all. In these circumstances it is difficult for anybody to assess the scale of information risk that the business is carrying.

25. Developing an Accreditation SLA brings some clarity to the situation provided stakeholders face up to reality and agree a service level that can be delivered with the resources available. Even a well resourced accreditation team will be unable to assess every risk that IAOs might reasonably want assessed. Questions that the Accreditation SLA should address are:

1 Organisations may additionally need to accredit systems carrying non-protectively marked information, either because it is sensitive or due to the business impact of loss of integrity or availability.


a. Will every new information system be accredited or are there some categories of Information Systems which will not be accredited?2

b. How frequently will Information Systems be re-accredited? Are there some that will not be re-accredited?

c. How will Accreditors handle minor changes to Information Systems? Are there types of changes that are ‘pre-authorised’ and can take place without reference to an Accreditor? Are there types of change that cannot be implemented without an Accreditor’s explicit consent?

d. What accreditation process will be followed for those systems in scope? HMG IA Standards No 1 and No 2 provide policy and general guidance but most Departments will develop their own templates for accreditation documents which Accreditors will be expected to use.

e. How will Accreditors know what needs accrediting and when?

f. What commitments will SROs and their delivery teams make to give accreditors early warning of the development of new information systems?

g. Should there be a triage process which assesses new requests for accreditation and decides how to handle them according to some preset criteria (eg potential level of information risk, priority, importance)?

h. What reports will Accreditors provide to enable oversight of their activities and decisions?

i. Will the accreditation process be tailored to particular categories of change; eg a new network connection or deployment of a new application?

26. Developing the SLA should make it clearer to management what can reasonably be expected from the accreditation team. The Accreditors themselves will probably be most aware of the risks that are not being assessed and should be encouraged to share that information. There may be IT changes regularly occurring in some parts of the organisation of which Accreditors are unaware, even if they are subject to some form of local change control procedure. This form of uncontrolled change is often the most dangerous from an IA perspective. The lack of security oversight permits the introduction of new vulnerabilities without the organisation even being aware that it has a blind spot. Foreign intelligence services, cybercriminals and hackers exploit such vulnerabilities. It is worth consulting widely during the Accreditation SLA development to try to uncover these weaknesses.

27. Once the Accreditation SLA has been agreed, it has several valuable uses:

2 Maturity level 1 of the HMG Maturity Model (ref [a]) requires that all new systems are subject to accreditation. Maturity level 3 requires that all business critical systems are accredited.


a. It sets clear expectations for what the accreditation team will do and what other stakeholders will do for accreditors; eg tell the accreditation team when development of a new information system is being initiated.

b. Management can monitor whether the SLA is being complied with: eg were all the new systems brought into operational use in the last reporting period accredited?

c. The limitations of the agreed Accreditation SLA can provide the basis of a business case to improve the service and there is a high likelihood that this will be supported by the Information Risk Owners who are impacted by the level of service provided. If, for example, the lack of trained and experienced Accreditors means that not all systems can be re-accredited on an annual basis, the benefits of recruiting additional Accreditors can be clearly stated.

28. Organisations may find that there is a substantial gap between the Accreditation Service that they are able to deliver and the service that they would like to be able to deliver. In this case an Accreditation Strategy may be helpful covering the following points:

a. A description of the current accreditation service.

b. A description of the desired accreditation service.

c. The plan to move from the current state to the future desired state.

d. How to manage the consequences of not being able to resource the wanted service.


Chapter 5 - Attributes of Effective Accreditors

Key Principles

Accreditors need a range of skills, knowledge and competence of which the Information Security skill set most associated with Accreditors is only a part.

29. Development of the Accreditation SLA should clarify the outputs expected of the team of Accreditors. In this chapter we consider what attributes are required of the individuals in the team if they are to collectively meet expectations. In the next chapter we consider options for resourcing the team.

Range of skills for an effective accreditor

Information Security and Assurance skills

30. A prime function of the Accreditor is to assess information risks. A basic understanding of IA is necessary (but not sufficient) to assess information risks and this in turn requires an understanding of IT. The Institute of Information Security Professionals, ref [k], defines a set of skills which underpin the profession. Accreditors cannot be experts in every aspect of Infosec but they do need sufficient awareness of the topic to know when and where to seek additional expertise.

31. HMG mandates standards for assessing technical risk and risk management at references [c] & [e]. Accreditors should have a good understanding of these Standards, as well as the entire CESG IA Policy Portfolio.

Local Business Knowledge:

32. Risk levels are determined by threats, vulnerabilities, business impacts and the probability of these occurring. To assess risk levels the Accreditor needs knowledge of the system subject to accreditation and the business of which it is a part. The more knowledge the Accreditor has of the local business the less likely it is that material facts are overlooked.

Understanding the Business Appetite for Information Risk

33. Once the Accreditor understands the level of information risk they must judge whether the risks are acceptable to the business. The risk appetites for confidentiality, integrity and availability typically vary according to business needs. In reaching their judgements on the acceptability of information risk, Accreditors will need to consider:

a. The level of business benefits that could be achieved or lost if the risk is accepted.


b. Whether similar risks have been taken in the past and hence whether a precedent has been set in this area.

c. Whether there are affordable alternatives which could reduce the risks and retain the expected business benefits.

d. The length of time the business will be exposed to the information risk.

e. Whether the accreditation decision might set a precedent for future information systems.

Judgement

34. Accreditors need to be able to exercise good judgement; establishing and taking into account material facts, identifying options, reasoning carefully and testing their conclusions with stakeholders and impartial parties such as other accreditors.

Impartiality

35. Accreditors must be impartial in reaching their judgements on whether the level of information risk is acceptable. There will often be pressure to meet the interests of some stakeholders at the expense of other, less vocal stakeholders with legitimate conflicting interests. The key question the Accreditor should have in their mind when making their judgement is ‘which option is in the best long term interests of the organisation they are serving?’ Often pressure will be on the Accreditor to choose the option which is best in the short term and the challenge is to find an option which does enough to satisfy the short term business objectives whilst still maximising the long term prospects.

Influencing skills

36. Effective Accreditors have to persuade stakeholders that their judgements are sound. It may be possible for Accreditors to impose their judgements in the short term but this costs goodwill which is valuable in the long term. Accreditors who are skilled at influencing:

a. Are easy to work with but are well respected. Project management teams willingly consult them early in the project lifecycle to ensure security is properly factored into their plans.

b. Aim to collaborate with their clients looking for solutions that best meet business objectives rather than simply mandating security requirements upon the project.

c. Try to keep the accreditation process off the project critical path to delivery.


d. Explain to project teams why some options are riskier than others. They explain the risks tactfully in language readily understood and accepted by their customers and they explain it to the right people in the right order, in a timely manner.

e. Are skilled at negotiating and asserting their views. They have sufficient gravitas not to be unduly swayed by short term or parochial views or to be deterred from expressing their own viewpoint.

f. Use the most appropriate form of communication whether it is a formal meeting, e-mail, informal discussion, telephone conversation etc.


Chapter 6 - Resourcing the Accreditation Function

Key Principles

The accreditation function may be split into 4 roles.

The four roles may be funded from a combination of capital and current expenditure.

37. Once the organisation understands the outputs expected of the accreditation team as defined in the Accreditation SLA and the attributes needed of Accreditors, it has to address resourcing the team. People with the skills to be effective Accreditors will often be readily deployable to other roles. For all but the smallest organisations, the resourcing problem can be eased by recognising four roles within the accreditation function and noting that different roles may be resourced in different ways. Most organisations distinguish between capital and current expenditure and may choose to fund different parts of the accreditation function in different ways. The table below illustrates the different roles and is explained in the rest of this chapter.

Role | Strengths | Resourced by
Accreditation management | Prioritising business objectives. Influencing stakeholders. | Running costs
Accreditor | Understanding business objectives. Assessing information risks. Applying IA Standard No 2. | Running costs fund a resource pool
Accreditor’s CLAS consultant | Applying IA Standards Nos 1 & 2. | Running costs fund a resource pool
Project CLAS consultant | Understanding project requirements. Understanding Infosec. Authoring Part 1 of the RMADS. | Programme funds a resource pool from capital expenditure

Table 1: Different roles

Roles within the Accreditation Function

38. Managers can take some steps to reduce the range of attributes required of individual Accreditors by involving a combination of people in the accreditation function who between them have the necessary attributes.


Accreditation Manager

39. The Accreditation Manager has a key role to integrate accreditation into business as usual. Accreditors will normally depend upon the manager of the accreditation team to influence other stakeholders at management level. The Accreditation Manager needs to be strong on local business knowledge, understanding the risk appetite and influencing skills. Typically they will be a long term employee who is familiar with the culture and has a wide network of contacts in the organisation. They will need to judge how to deploy the resources available to best meet business objectives. In order to allocate resources effectively and to judge which accreditation decisions require escalation, it is highly desirable that the Accreditation Manager has the skills and experience to be an effective Accreditor.

Accreditor

40. The Accreditor needs to be strong in understanding risk assessment and risk management as described in HMG IA Standards Nos 1 & 2. They need some local business knowledge and influencing skills, but not to the same extent as the Accreditation Manager. New projects need an Accreditor to be quickly assigned to them and, to facilitate this, Accreditors are typically deployed from a corporate resource pool. Given the need for local business knowledge, Accreditors will not normally be contractors without prior experience of the organisation. Accreditation is not normally considered asset creating and therefore is not normally considered as capital expenditure.

Accreditor’s Consultant

41. For an organisation in which staff suitable to act as accreditors are particularly scarce, it can be effective to recruit consultants such as those from CESG’s Listed Advisor Scheme (CLAS, see ref [l]). Through CLAS, CESG has accredited a pool of high quality IA consultants on which HMG and the wider public sector can draw for a range of IA related services. Accreditors can support more projects and systems if they are supported by CLAS¹ consultants operating as Accreditor’s consultants who are tasked with:

a. Representing the Accreditor in discussions with the analyst during the production of a Security Case (HMG IA Standard No. 1) and a Risk Management and Accreditation Document Set (RMADS) (HMG IA Standard No. 2).

¹ CESG recognises that there are capable IA consultants who are not CLAS members. If Departments choose to use consultants who have not attended the CLAS training courses, they need to ensure they are familiar with relevant HMG IA standards and policy.


b. Representing the Accreditor on Accreditation panels and Security Working Groups; whilst the consultant might be empowered to take decisions on behalf of the Accreditor at such meetings, these must always be reported back formally to the Accreditor.

c. Assessing IA incidents and ITHC reports and the action plans to resolve any issues, and making recommendations to the Accreditor on the acceptability of the proposals.

42. One Accreditor can be usefully supported by two or three Accreditor’s consultants; more than this can result in the Accreditor becoming too distant from the business requirements of the systems. The team of consultants becomes a major added resource of IA expertise to the team of Accreditors, improving the capacity and quality of the accreditation function. In this role consultants would normally be funded through current expenditure and assigned to a pool for deployment as required.

43. The appointment of an Accreditor’s consultant must not be interpreted by project and system management as an excuse to avoid employing individuals with IA expertise to assist with system design and development, to produce security documentation and to act as system security managers. It is not appropriate for individuals to act both as Accreditor’s consultants and to develop security architecture and designs or produce documentation which they then assess from an accreditation perspective.

Project Consultant

44. It is the responsibility of a project delivering a system subject to accreditation to demonstrate that it is fit to protect the information it will store, transmit or process. Projects can buy in consultants to assist them with this.

45. In a project or system management role, consultants can be tasked with:

a. Identifying IA issues early in the project lifecycle.

b. Security architecture and design.

c. Co-ordinating the activities to find solutions to the IA issues.

d. Producing the Security Case (IS1).

e. Producing the system RMADS (IS2).

f. Liaising with the Accreditor to ensure accreditation is granted in line with the project schedule.

46. In project-based roles the IA consultants’ work for new systems is asset creating and under government accounting policies is categorised as capital expenditure. The costs should therefore be borne by the project or programme developing the asset.

47. In practice, if projects are left to recruit their own consultants, they will frequently arrive too late to help design security into the information system from the outset. It takes time for projects to decide what skills they need, make the business case for funding and recruit appropriate people. If key design decisions are being made before the consultant arrives, their greatest opportunities for adding value are missed.

48. One solution to this is for a pool of consultants (or suitably skilled internal staff) to be funded and recruited centrally. Once the pool is established, consultants may be quickly assigned to a project at its outset. A pool makes more efficient use of consultants than each project recruiting its own, as consultants can often support more than one project. A pool also provides an array of IA skills that can be deployed where they are most needed. The pool manager can allocate the most suitable available consultant to each new project. If required, customer projects can be charged for IA consultancy services received so that the costs are borne by the activity that consumes them.

49. It is recommended that the selection of consultants to put into the pool is done by staff with IA expertise, typically from the accreditation service. Attributes required of consultants will vary according to organisation needs and the suitability of individual consultants to specific tasks will vary accordingly. The following two stage selection process is recommended:

a. A paper sift based on CVs looking for evidence of experience with the HMG government accreditation process.

b. An interview to validate the evidence claimed in the CV, to establish evidence of sufficient IA skills and to assess whether the individual would fit into the organisation culture.

Compliance Monitoring and Re-accreditation

50. Compliance monitoring and re-accreditation is not asset creating and cannot therefore be funded as capital expenditure. Most of the work can readily be undertaken by consultants, e.g. operating in a security management role, the exception being actual re-accreditation decisions. If skilled employee Accreditors are scarce, a cost-effective way of reducing information risk can be to task consultants or Security Managers with monitoring compliance against IA policies (eg are patches up to date and anti-virus systems operating correctly) and ensuring that accreditation maintenance criteria are met (e.g. an annual ITHC, configuration management processes which address security). The worst exceptions can then be brought to the attention of the scarce Accreditors.

Estimating the Resources Required for Accreditation

51. Accreditation Managers often need to estimate how much it will cost to accredit a system. Clearly this can vary enormously but guidance on how to estimate this is as follows.

52. Assuming that the accreditor is involved near the start of the project to develop the information system, granting interim accreditation will invariably take until sensitive data is held in the system, which is usually close to the point at which the system is used operationally. For a major system development this could be over a period of years, during which the accreditor will typically participate in many project meetings and review a variety of documents. This is seldom a full time role on a sustained basis, but it can be full time at critical periods; eg when reviewing tenders or during test phases.

53. The key factors to take into account when estimating resource requirements are therefore:

a. How long will it take to bring the system into operational use?

b. What activities will the Accreditor need to participate in during development of the system and once it is brought into operational use?

c. What proportion of the accreditor’s time is likely to be spent on the system in question?

d. Will some form of penetration testing be required?


Chapter 7 - Training and Tasking Accreditors

Key Principles

Accreditors should be trained and tasked according to their level of competence and experience.

54. If accreditors are managed well, their effectiveness increases rapidly at first and continues to increase throughout their time in the role, however long they remain in it. As their experience increases, the types of work they can undertake broadens. This chapter aims to help managers develop their Accreditors and to gain the most from them as individuals and as a team.

55. As part of the Government Information Assurance Competency Framework, the Government IT profession identifies 5 levels of responsibility within the accreditation specialism. The recommended skills and competency levels of the middle 3 levels are defined in terms of the IISP skills and competencies in Accreditor Role Definitions (reference [m]).

56. The purpose of defining the role of the accreditor in this manner is to:

a. Enable reliable assessments of an individual’s competence against the role definitions.

b. Drive professionalism of accreditation as envisaged by the IA Competency Framework.

c. Enable greater mobility of accreditors between public sector organisations and open up more career development opportunities.

57. The 5 responsibility levels are:

a. Trainee Accreditor. The Trainee Accreditor only makes accreditation decisions under close supervision while undergoing basic training and becoming familiar with all the stages of the accreditation process. They will typically have less than 1 year’s experience in the role.

b. Accreditor. The Accreditor can be trusted to make routine accreditation decisions with little supervision.

c. Senior Accreditor. The Senior Accreditor can be trusted to lead the accreditation of complex, high risk or precedent setting systems and to judge when to escalate accreditation decisions. Senior Accreditors may also supervise Accreditors, assist in policy development and improvement in accreditation processes.


d. Lead Accreditor. Lead Accreditors have wide experience and are responsible for ensuring that the accreditation process in their organisation meets the standards detailed in HMG IA Standards Nos 1 & 2.

e. Head of Accreditation Specialism. The Head of Accreditation Specialism is responsible for driving improvement in the quality and effectiveness of accreditation across a large organisation or group of organisations. An overall Head of Accreditation Specialism is appointed by the Accreditors’ Forum to lead for HMG as a whole. Within organisations this role will normally be filled only where there is a particularly strong focus on accreditation and a large team of accreditors.

58. The table below summarises how management can train and task Accreditors in each of these categories.

Category of Accreditor: Trainee
Appropriate training: Undertakes Accreditor course or modules from National School of Government. Study HMG IA Standards Nos 1 & 2. Select training to acquire basic InfoSec knowledge. Understand organisation’s risk appetite and application of accreditation principles. Assigned a mentor or supervisor to give frequent guidance and feedback.
Appropriate tasking: May initially undertake tasks that support accreditation rather than accreditation itself; eg draft RMADS or IS1 risk analysis. Act as accreditor for routine or low risk systems with appropriate supervision. Re-accredit systems for which there is reasonable documentation in place. Ideally will receive tasks that give some sight of the complete accreditation process from project initiation to system de-accreditation.

Category of Accreditor: Accreditor
Appropriate training: May be assigned areas to develop specialist knowledge on behalf of the team; eg aspects of InfoSec policy or best practice, parts of the business, reduction of a risk of particular concern. Influencing skills training; eg negotiation, presentation, assertiveness, listening.
Appropriate tasking: The Accreditor’s portfolio of accreditation tasks is larger than that during the Familiarisation stage. Can be deployed to accredit most information systems with a low level of supervision.

Category of Accreditor: Senior Accreditor
Appropriate training: Will continue to undertake training in subjects related to Information Assurance to broaden and deepen knowledge base and to improve effectiveness.
Appropriate tasking: Can be used to mentor, coach or supervise less experienced accreditors. Is competent to accredit the highest risk or most complex systems. Can contribute to development of the organisation’s accreditation process. Acts as the organisation’s subject matter expert in some aspects of IA.

Category of Accreditor: Lead Accreditor
Appropriate training: Should be familiar with ISO 27000 series, ISO 17021:2006 (reference [n]) and the HMG IA Maturity Model.
Appropriate tasking: Responsible for delivery to the service level agreed with the SIRO and for compliance with IS1 & IS2 across the organisation. May also act as ITSO. Will normally be line manager for accreditors.

Category of Accreditor: Head of Accreditation Specialism
Appropriate training: Should be familiar with Managing Information Risk (reference [o]).
Appropriate tasking: Participate in appointing Lead and Senior Accreditors; establish accreditor skill & competency standards; influence senior management to embed accreditation into business practices.


Chapter 8 - Managing Client Relationships

Key Principles

Aim for collaborative relationships and avoid conflicts between Accreditors and client projects.

59. Once the SLA has been agreed and the accreditation function resourced, another key management activity is managing the relationship between Accreditors and their clients. These may well be much broader than just a project team, potentially including the accreditation authorities of other Departments. This will also improve the sharing of best practice across Government. The way that Accreditors work with their client project management teams can be characterised as collaboration, co-operation, competition or conflict.

Collaboration

60. Collaboration is the much preferred mode where Accreditors and the project management team look for options that meet all requirements. It takes time for multi-disciplinary teams with differing personal objectives to develop a collaborative relationship. People need to meet on a regular basis, feel free to exchange ideas in a constructive atmosphere, identify options and have the time to keep exploring options until a solution is found that is supported by all stakeholders. However, it should be recognised that even in a collaborative environment, occasionally a mutually successful solution might not be possible. In such cases, both parties should be able to put their case without acrimony to Management in the form of the IAO or SIRO and subsequently work co-operatively to deliver the agreed resolution.

Co-operative

61. If there is not time to develop a collaborative relationship, a co-operative relationship is next best. The Accreditor has the opportunity to state IA objectives and the project does its best to deliver them within the constraints of its objectives. Co-operative relationships emerge when there is goodwill between both parties but insufficient time to work collaboratively.

Competitive

62. In a competitive environment, there is some tension between the Accreditor and project management teams with neither party fully revealing their hand. Both sides (and now there are clearly two sides) stress the importance of their objectives and reluctantly trade requirements with neither side really trusting the motives of the other.

Conflict

63. When Accreditors are only engaged late in the project lifecycle, shortly before initial operational use, conflict mode tends to result. The project management team have probably overlooked or been unaware of IA concerns. They are probably struggling to deliver within a project budget and schedule. They really do not want to address new requirements which do not deliver specified benefits. The Accreditor’s duty is to protect the interests of the SIRO and Information Asset Owner and in these circumstances there is frequently a direct conflict of interests with no easy solution. The outcome often includes a terse exchange of letters further up the management chain. If management had been engaged earlier, the situation might have been avoided.

64. It is the role of accreditation management to avoid the conflict mode and maximise the prospects for collaboration. Actions that Accreditation Managers can take to achieve this are:

a. Ensure that project and programme managers are familiar with accreditation through briefings or training.

b. Allocate Accreditors and IA consultants promptly to projects.

c. Encourage Accreditors to collaborate rather than compete with project management teams. It is tempting for Accreditors to seek the most secure solution when they, like the project management team, should look for the solution that will best support business objectives in the long term. The most secure solution will often impose undesirable costs or business constraints. An insecure solution risks compromising business objectives in the long term.

d. Provide training to Accreditors on the skills required to influence project management teams. These skills can include listening, presenting, negotiating and asserting. Training based around scenarios familiar to Accreditors (eg persuading a project management team to address security issues) can be effective, particularly if trainees have the opportunity to see video recordings of themselves playing the Accreditor role.

e. Meet regularly with the people who manage project managers to review how well the relationship between Accreditors and project managers is working.

f. Agree at the beginning the risk appetite/tolerance to be applied and escalation requirements.

65. In order to monitor the Accreditor’s performance in respect of collaboration and the avoidance of conflict mode, it will be essential for the Accreditor’s performance manager to consult with SROs, project managers, system security managers and IA consultants (including CESG Advisers) with whom the Accreditor deals. This can be done through a routine process in which the Accreditor’s clients are asked to complete a feedback form.


Chapter 9 - Escalating Accreditation Decisions

Key Principles

There should be a clear path for escalating contentious accreditation decisions to an appropriate management level.

Accreditors should be given guidance on when to escalate accreditation decisions.

Patterns of Accreditation Decisions

66. An organisation that has followed the guidance so far will find that the majority of accreditation decisions can be made by Accreditors with little need for further guidance from management. However, some accreditation decisions will inevitably be contentious for a variety of reasons, and it is crucial to the Department’s IA posture that these decisions are well managed by escalating them to an appropriate management level.

67. The pattern of accreditation decisions in an organisation has some similarities with financial decisions. For every major procurement decision that requires authorisation from the Finance Director, there are many more low level payments that are authorised at a junior level. In between there is a spectrum of financial decisions that are made at every level of management.

68. Similarly, for every accreditation decision that warrants escalation to the SIRO, there will be a significant number of low level Requests for Change submitted to the organisation’s IT Services function, the vast majority of which have no security implications. In between there will be a range of other accreditation decisions from implementation of large but not precedent setting information systems, to major upgrades to existing systems, to minor bug fixing and feature enhancements.

69. Just as financial risk management systems aim to make financial decisions at the lowest appropriate level, the same approach is required in information risk management; otherwise managers become swamped and make inappropriate decisions. To extend the financial analogy, before big financial decisions are formally placed in front of the Finance Director, there will normally have been some prior informal consultation and briefing to check that the proposal is likely to be authorised and that the proposal answers the Finance Director’s concerns. Similarly the accreditation function is far more effective if major formal decisions are preceded by informal discussion within the accreditation decision making chain and with other stakeholders. To ensure that the accreditation process isn’t clogged up with trivial decisions it may be worth ‘pre-authorising’ certain types of low risk, common types of change so that these take place without involving accreditors.

Accreditation Decision Escalation

70. If accreditation decisions are to be escalated appropriately, a clear management chain through which decisions can be escalated should be established. This should be complemented by guidance on which decisions should be escalated and to what level. Features to look for in an effective accreditation decision making chain are:

a. The SIRO, on behalf of the Accounting Officer, is at the top of the chain; otherwise the SIRO does not have control of the risks being accepted by the organisation.

b. The decision making chain follows the line management chain so that decision making can be appropriately recognised in staff performance appraisals.

c. At each step in the escalation process, staff with a wider view of the organisation’s business are involved. For example, an Accreditor who is uncomfortable accepting (on behalf of the SIRO) the risks implicit in a project plan might escalate the decision to a small panel chaired by the Accreditation Manager and including the project manager and the Information Asset Owner or their representative.

d. Within each Accreditation Panel, the seniority of the SIRO’s representative should match the seniority of the Information Asset Owners’ representative and the seniority of the programme’s Senior Responsible Officer’s representative.

e. The decisions made at each level are recorded.

71. In some organisations accreditation decisions are escalated to a programme Senior Responsible Officer (SRO). This could introduce an unhealthy tension for the SRO: a programme SRO is primarily judged on their delivery record, notably on delivery to time and budget, as these are often easiest to measure. When under pressure to meet customer expectations an SRO may be tempted to trade out the long term but hard to measure benefits of security in favour of the easily measurable, but short term, concern of delivering to time and budget. This tension needs to be carefully managed through discussion between the SIRO, the SRO and the accreditor.

Criteria for Escalation

72. For the accreditation function to work efficiently, the large majority of accreditation decisions need to be made by the Accreditor assigned to the project or other change process. Management should establish, through the corporate accreditation standards, criteria for escalating the minority of accreditation decisions which need to be made above the Accreditor’s level. A suggested list is as follows.

a. The risks are outside the organisation’s normal risk appetite and past pattern of accreditation decision making.

b. The business benefits at stake aren’t sufficient to justify the risks incurred.

c. The risks could be cost effectively reduced and the resources are available to do this but they are not being applied.

d. Controls normally applied to information systems are not being applied without a strong enough justification.

e. The general attitude of the project to IA is poor.

f. The Accreditor is uncomfortable accepting the risks they are being asked to accept on behalf of the SIRO. This may be due to the Accreditor’s inexperience rather than a material problem.

73. Some Accreditors are reluctant to escalate decisions, feeling that it reduces their influence or control and that good Accreditors should be willing to make difficult decisions. They should be reminded that accreditation is a business process, not an individual’s decision, and that it is in the organisation’s long term interests that consensus is reached.

74. It can sometimes be tempting for an Accreditor to veto a project proposal on the grounds that he or she says so, or that HMG/CESG guidance says so. Even if a veto is the correct business decision, the Accreditor needs to explain why it is the correct decision in terms of threats, vulnerabilities, business impacts, probabilities and consequent levels of information risk. Where the Accreditor cannot reach agreement with a project management team, it is wise not to take a personal stand on the issue. An accreditation panel may take a different view from the Accreditor given their broader view of the business and undermine the Accreditor’s reputation if the Accreditor has taken a firm personal position on the issue.

Timing of Escalation

75. The earlier that accreditation decisions are escalated, the more time there will be to reach the optimal balance between security and other business objectives. There is no need to wait for a crisis before escalating. It might become apparent very early in the project or programme lifecycle that security issues which are new to the organisation will have to be addressed. In these cases it is best for an accreditation panel at the appropriate level to meet early and set some boundaries for the project management team and Accreditor to work within. The final accreditation decision can then be referred to, or ratified by, the same panel. This gives consistency in the direction given to the project management team.

Conducting Accreditation Panel Meetings

76. When accreditation decisions are escalated to an Accreditation Panel it is often because the decisions required will set new precedents and existing IA policies provide insufficient guidance. The panel members will represent different business interests, often with conflicting objectives. To reach a consensus it is important that the panel members come to a common understanding of the business requirements, the security issues, the options available and their likely consequences. The following agenda is recommended for accreditation panel meetings:

a. Introductions covering each member’s role and clarifying who is accountable for any decisions made.

b. Explanation by the project management team or project Senior User or Senior Responsible Officer of the business objectives of the project.

c. Description by the project management team of their proposed solution.

d. Description by the Accreditor of the key information risks.

e. Opportunity for every other panel member to add further relevant information.

f. Discussion to identify options and their implications.

g. Summary by the chairman.

h. Group decision on which option to choose.

77. At panel meetings where all the relevant information has been shared, stakeholders have had time to discuss the options and all feel that their views have been heard, it is unusual not to reach a consensus on the best option. The decision made and the rationale for it should be recorded and distributed to stakeholders so all are clear on what risks have been accepted and why. This should help to identify and record changes or clarification to local policies and assist in future decision making.

Granting Interim Accreditation

78. The Accreditor or Accreditation Panel may opt for interim accreditation subject to some further work to improve security by a given date. In granting interim accreditation, the Accreditor or panel needs to be sure that there is a credible, resourced plan to do that work. Some project management teams are quickly disbanded as an initial operational capability is achieved and are soon in no position to honour the commitments made. In this scenario the commitment to meet the accreditation conditions should be made by those who have control over the required resources and will remain responsible for the Information System when it enters service. If no credible plan for meeting the accreditation conditions is forthcoming that option should either be discarded or the decision escalated further.


Chapter 10 - Reporting

Key Principles

Regular reporting by Accreditors to management and Information Risk Owners enables oversight of the accreditation function and the SIRO and AO to fulfil their statutory reporting commitments to the centre (such as the Statement of Internal Control).

Management should report whether the Accreditation SLA has been met to enable continuous improvement of the accreditation function.

79. On behalf of risk owners, management has to balance the need for Accreditors to make timely decisions with the need to maintain oversight of the decisions being made and the level of risk being accepted. Regular reporting by Accreditors can be a useful mechanism to achieve this balance.

80. Information that managers might require their Accreditors to report includes:

a. Accreditation decisions made in the last reporting period.

b. Any anticipated forthcoming contentious accreditation decisions.

c. Incidents that have occurred or been investigated.

d. A list of information systems on which the Accreditor has had some involvement in the last reporting period.

e. Any other information that the Accreditor feels that management should be aware of.

81. The frequency of reporting needs to balance:

a. The frequency with which management will review reports.

b. The frequency of accreditation decisions.

c. The degree of control that management requires.

d. The overhead placed on Accreditors to produce reports.

82. Accreditors’ reports can give management a better understanding of the work their Accreditors are involved in, the type of decisions that are being made, the nature of the relationship between Accreditors and their client projects and the level of risk that is being accepted. They also give management the openings to ask Accreditors about aspects of their work that management would otherwise be unaware of. Accreditors’ reports are also useful when assessing Accreditors’ performance.


83. By collating the reports of each Accreditor, management should be able to produce a summary report for the SIRO and other stakeholders stating whether the Accreditation SLA has been complied with over the reporting period. Where the Accreditation SLA has not been fully met, management should report any remedial actions to be taken.

84. In some organisations Accreditation Managers are also responsible for Incident Management. If so, it may be helpful to combine Accreditation and Incident Reporting as accreditation services should be influenced by the level and type of incidents.


Chapter 11 - Facilitating Accreditation

Key Principles

Accreditation Managers should encourage corporate governance initiatives that facilitate accreditation.

85. So far this guidance has focussed on opportunities for improving the accreditation process which are under the greatest control of those managing accreditation. This chapter outlines factors outside the direct control of most Accreditation Managers but which can make accreditation a more straightforward process for accreditors, project teams, system managers and data owners. It is recommended that staff managing accreditation encourage corporate initiatives that facilitate accreditation.

Security Policy

86. The Security Policy Framework requires that departmental security policy is widely available internally (Mandatory Requirement 6). Additionally Level 1 of the HMG IA Maturity Model requires that “Board commitment to effective IA is promulgated in a top-level policy statement.” Locally developed security policy, tailored to local needs, can be a powerful aid for accreditors, making it clear to system managers and project managers what local management expects from them. It is therefore in the interest of Accreditation Managers to participate in the development of security policy.

Information Security Management System

87. ISO 27001 (reference [b]) describes requirements for an Information Security Management System (ISMS), including how to establish, implement, operate, maintain and improve an ISMS. Organisations that follow this standard provide an excellent governance framework for accreditors to work within. Achieving certification to ISO 27001 can be a major organisational undertaking but is one that should be supported by Accreditation Management.

Enterprise Architecture

88. As Information Systems become more heavily interconnected, the need for an Enterprise Architecture that addresses security concerns increases. If there are no enterprise controls on the IT protocols used, interfaces between networks, access controls, malware defences, operating system configurations etc, it becomes very difficult to provide Information Assurance at the enterprise level. When there is a well defined Enterprise Architecture which takes security into account, the security requirements of new systems are clearer and usually easier to implement. Accreditation of systems that comply with the Enterprise Architecture is usually straightforward and those that don’t comply become obvious candidates for escalation.

Information Risk Investment Programme

89. Almost every organisation has some form of capital investment programme. Typically investment to reduce information risk, if it exists at all, is scattered among a variety of projects or other initiatives. However Information Assurance, the wanted outcome from investing to reduce information risk, requires an holistic view of the enterprise. Investment to reduce information risk is far more effective when included among the top level budgets. Directors can then decide the level of appropriate investment and ensure it is targeted to give the greatest risk reduction.

90. At Level 2 of the HMG IA Maturity Model ref [a], a fundamental requirement is for “the SIRO to have personally made the business case to the board of directors for a targeted programme of work to improve understanding and control of information risk, and gained approval for the programme. Within most Departments progress to Level 2 will require extensive work to be undertaken.”

91. Accreditation Management has a key role to play in making the business case for investing to reduce information risk because they typically have greatest awareness of the residual risks accepted across the organisation. When Accreditation Management has influence on the content of the programme to reduce information risk it presents a welcome new option when making accreditation decisions. Residual risks can be accepted in the short term on condition that investment reduces the risk in the medium term.


Chapter 12 - Driving Improvement in the Accreditation Service

Key Principles

Maturity models are a powerful tool for driving long term improvement.

Sustained improvement in the maturity of the Accreditation Service requires the active support of the SIRO.

92. For management tasked with improving the quality of the accreditation service, it can be helpful to have some form of road map to chart progress, to show some intermediate goals but to also remind people of the end goals. The Accreditation Service Maturity Model (AS-MM) at the end of this chapter may help in this respect. The maturity definitions are intended to be consistent with the HMG IA Maturity Model, ref [a]. The AS-MM can be used by management to assess the current level of the accreditation service and to set objectives for improvement.

93. The AS-MM has been constructed by describing the outcomes to an organisation from an ever improving quality of service. These outcomes appear in the right hand column of the AS-MM. The headings for the other columns are taken from the IT services maturity model in ITIL v3 (reference [p]). The objectives required under each ITIL heading are then elaborated in the maturity model to achieve the outcome defined for each maturity level. Of course, there can be no guarantee that achieving the objectives under each ITIL heading ensures achievement of the corresponding outcome. However the outcomes are unlikely to be achieved if the corresponding objectives have not been achieved.

94. The maturity model should therefore be used as a guide rather than as a set of instructions. It is presented to provoke ideas for improvement rather than as a prescriptive order in which things must be done. It can be tailored to the needs of the organisation as it only becomes a useful tool when key stakeholders accept that it is a valid mechanism for assessing the current status and setting objectives for improvement. Once that shared acceptance has been reached, maturity models can become powerful tools for driving progress.

95. To improve the maturity of the accreditation process across a medium to large government Department is a major undertaking. To reach maturity level 2 (Accreditation protects the business from the introduction of, or changes to, information systems that would result in risks unacceptable to the business) requires solid support through the Accreditors’ line management chain up to board level. An organisation that has followed the advice in this guide is well placed to reach level 2. However to maintain the degree of management involvement required across the organisation to reach level 2, or to move beyond it, requires active involvement from the SIRO. Without that level of organisational commitment, attention is likely to be diverted by more urgent business objectives and the Department’s level of information assurance is likely to slide backwards.

96. SIROs and managers of accreditors should also be aware of ISO/IEC 17021:2006, Conformity assessment – Requirements for bodies providing audit and certification of management systems (reference [n]). Most of the requirements in this standard are relevant to accreditation and it provides a useful reference model of the standards expected of commercial or government bodies performing similar functions.


Maturity definitions for an Accreditation Service – See Chapter 12

The table has seven columns: Lvl, Vision & Steering, Process, People, Technology, Culture and Corporate Outcome. Each maturity level is set out below as one row, with the entry for each column given in turn.

Level 1 - Initial

Vision & Steering: A comprehensive information risk policy is in place. The organisation’s information risk appetite is clearly articulated. The senior management engagement to ensure policy is implemented may not be present.

Process: All new IS are subject to an effective accreditation process, where appropriate. The criteria for when accreditation is appropriate may not be defined.

People: The role of Accreditor is corporately recognised but may not be adequately resourced.

Technology: Tools to assess InfoSec vulnerabilities are available but may not be used on a systematic basis.

Culture: Accreditation is often seen as something desirable but not enforced by management.

Corporate Outcome: The most severe risks to information are avoided but minor new vulnerabilities are readily introduced undetected.

Level 2 - Established

Vision & Steering: A realistic Accreditation SLA is in place. A risk based programme of work is initiated to rectify any Accreditation shortfall where this is required to support the business need.

Process: The corporate accreditation process meets national standards as defined in HMG IS1 & IS2. The accreditation process is institutionalised for those systems deemed in scope in accordance with Security Policy Framework Mandatory Requirements 32, 33 & 36. A process is in place to escalate information risks through the organisation’s management structure for effective decision making, within the organisation, its delivery partners, and with external stakeholders. Security requirements are factored into information system requirements. Compliance with the Accreditation SLA is informally monitored.

People: There is a recruitment programme in place to resource the needs of the Accreditation SLA. There is a training programme in place to meet the needs of Accreditors. Accreditors are categorised according to their level of competence and are trained and tasked accordingly. Individual performance is managed through corporate HR processes.

Technology: Some tools are routinely used in the accreditation process to assess vulnerabilities. Accreditation data is stored in a structured & accessible form to enable effective administration of the accreditation process.

Culture: Staff expect information systems to gain accreditation before holding sensitive data. Accreditors are seen as helping rather than hindering by their customer projects and risk owners. Project staff typically co-operate with Accreditors.

Corporate Outcome: Accreditation protects the business from the introduction of, or changes to, information systems that would result in risks unacceptable to the business. Management responsible for accreditation can demonstrate due diligence in the event of security incidents.

Level 3 – Business Enabling

Vision & Steering: Business objectives are reflected in the Statement of Risk Appetite and Accreditation SLA and are used to direct accreditation management. There is a defined list of business critical systems. The underlying causes of information risk trends are investigated and options for improvement are presented to the business.

Process: The accreditation process is tailored according to the level of risk, potential business impact, the speed of decision making and to reuse previous risk analysis. Personnel, physical and InfoSec accreditation processes are integrated such that weaknesses in one area can be compensated for elsewhere. All business critical information systems are in scope for accreditation. Reports are routinely produced to enable compliance with the Accreditation SLA to be monitored and to give stakeholders visibility of the accreditation process.

People: Accreditors engage with projects throughout their lifecycle to minimise impact upon cost & schedule. Accreditors’ level of responsibility is based upon formal assessment of their competence. Accreditors have individual areas of specialist knowledge to maximise their collective expertise.

Technology: A set of vulnerability testing tools is consistently used. New tools are frequently considered for improving the accreditation process. The needs of Accreditors are factored into the choice of tools to manage the Enterprise IT.

Culture: Systems introduced or used with sensitive data but without accreditation are treated as a security incident. DSOs, SROs, ITSOs and IAOs encourage their teams to collaborate with Accreditors. The accreditation service seeks regular feedback from stakeholders on their satisfaction with the service provided.

Corporate Outcome: The accreditation process is driven by short & long term business objectives. Accreditation enables new business opportunities to be taken at acceptable risk. The delivery of new systems is rarely delayed by the accreditation process. Risks are systematically mitigated where it is cost effective to do so.

Level 4 – Quantitatively Managed

Vision & Steering: The Statement of Risk Appetite and Accreditation SLA are updated at least annually to take into account accreditation reports, incidents, expert opinion and changes in business objectives. The Accreditation SLA requires the reporting of metrics to assess the effectiveness and efficiency of the service.

Process: The Accreditation service is metricated to enable its effectiveness & efficiency to be monitored. Failures to meet the Accreditation SLA are recorded and summarised in reports to the SIRO. Lessons learnt from incidents and IT Health Checks are used to improve the accreditation service.

People: Accreditors closely follow the SLA and Accreditation process, reporting exceptions where appropriate. Expert IA knowledge is available and applied where justified by the potential business impact of failures in security. Accreditors are proactive in identifying new threats or vulnerabilities and assessing the consequent risks.

Technology: Technology is used to provide metrics valued by risk owners or their agents. The organisation is an early adopter of appropriate, market leading tools to identify and monitor information risks.

Culture: The organisation makes careers or posts in IA attractive to appropriate numbers of staff. Accreditors are valued by peers and management at about the same level as staff in mainstream areas. Feedback from stakeholders on the accreditation service is structured to measure satisfaction with the service.

Corporate Outcome: The organisation has a high level of assurance that it correctly understands and can control the level of risk to information on all systems. Accreditation metrics provide a comprehensive understanding of the effectiveness and efficiency of the service.

Level 5 - Optimising

Vision & Steering: Quantitative targets are set for improving the accreditation process to support wider business objectives. Senior management provide guidance and support to achieve the required improvements.

Process: Weaknesses in the accreditation service are analysed to find their root causes and to enable measurable improvement.

People: Training & development programmes are in place to drive improvement in skill levels defined for Accreditors. Skills and knowledge are tested to monitor improvement.

Technology: Technology is used as a source of tools to improve the accreditation service.

Culture: Attitudes towards Accreditors, accreditation and IA are monitored and the findings influence training programmes.

Corporate Outcome: The effectiveness and efficiency of the accreditation service is measurably improving.

Table 3: Maturity definitions


References

[a] HMG IA Maturity Model, http://www.cesg.gov.uk/products_services/iacs/iamm/index.shtml

[b] ISO 27001:2005 Information Security Management Systems - Requirements

[c] HMG IA Standard No. 2, Risk Management and Accreditation of Information Systems, Issue 3.2, Forthcoming (Not Protectively Marked). Available from the CESG IA Policy Portfolio.

[d] Transformational Government, http://www.cabinetoffice.gov.uk/cio/transformational_government.aspx

[e] HMG IA Standard No. 1, Technical Risk Assessment, Part 1, Issue 3.5, October 2009 (Not Protectively Marked). Available from the CESG IA Policy Portfolio.

[f] Cabinet Office Shared Services, http://www.cabinetoffice.gov.uk/cio/shared_services.aspx

[g] HM Treasury – The Orange Book. The Management of Risk – Principles & Concepts, October 2004, http://www.hm-treasury.gov.uk/d/FE66035B-BCDC-D4B3-11057A7707D2521F.pdf

[h] HM Treasury – Thinking about risk. Managing your risk appetite: A practitioner’s guide, November 2006, http://www.hm-treasury.gov.uk/d/tar_practitioners_guide.pdf

[i] HM Treasury – Thinking about risk. Setting & Communicating your risk appetite: A practitioner’s guide, November 2006, http://www.hm-treasury.gov.uk/d/tar_riskappetite.pdf

[j] HMG Security Policy Framework, http://www.cabinetoffice.gov.uk/spf.aspx

[k] Institute of Information Security Professionals, https://www.instisp.org/SSLPage.aspx?pid=201

[l] CESG Listed Adviser Scheme, www.cesg.gov.uk/clas/index.cfm?

[m] Accreditor Role Definitions v1.0, Government IT Profession, https://it.civilservice.gov.uk/secure/index.aspx


[n] ISO/IEC 17021:2006, Conformity assessment – Requirements for bodies providing audit and certification of management systems

[o] Managing Information Risk, KIMB/2008/02, www.nationalarchives.gov.uk/documents/information-risl.pdf

[p] Office of Government Commerce, IT Infrastructure Library v3, http://www.ogc.gov.uk/guidance_itil.asp


Glossary

Accreditation Accreditation is the formal assessment of an information system against its IA requirements, resulting in the acceptance of residual risks in the context of the business requirement. It is a prerequisite to approval to operate.

Accreditor Person appointed to act as an impartial assessor of the risks that an information system may be exposed to in the course of meeting the business requirement, and to formally accredit that system on behalf of the SRO and/or SIRO.

Departmental Security Officer

Person appointed by the management board with day-to-day responsibilities for all aspects of Protective Security (including physical, personnel and information security).

Information Asset Owner

Person appointed by the SIRO with day-to-day responsibility for assessing and mitigating risks to a set of information. Usually a senior business manager within the organisation.

Information Assurance (IA)

The confidence that information systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users.

Infosec Information security.

Interim accreditation

Accreditation granted for a time-bounded period, subject to a commitment that certain conditions will be satisfied by the end of that period.

Risk The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause some business impact to the organisation.

Risk Management & Accreditation Document Set (RMADS)

The documentation, often a portfolio, which specifies the risk management measures, accreditation policy and status of an information system.


Senior Information Risk Owner (SIRO)

The member of the Management Board accountable for information risk management.

Senior Responsible Owner

Person responsible for delivery and realising the benefits of a project or programme of work. Responsibilities include managing the information risks consequent from their project/programme to ensure that they meet the objectives agreed with the SIRO and Board level business owners.

Transformational Government

Strategy to ensure that Government starts to make full use of the technological advances that are becoming increasingly common in people's lives – whether at home or on the move. See ref [d].


This information is exempt from disclosure under the Freedom of Information Act 2000 (FOIA) and may be exempt under other

UK information legislation. Refer any FOIA queries to GCHQ on 01242 221491 x30306 or email [email protected]

Customer Feedback

CESG Information Assurance Guidance and Standards welcomes feedback and encourages readers to inform CESG of their experiences, good or bad, with this document. We would especially like to know about any inconsistencies and ambiguities. Please use this page to send your comments to: Customer Support, CESG, A2j Hubble Road, Cheltenham GL51 0EX (for the attention of IA Policy Development Team). Fax: (01242) 709193 (for UNCLASSIFIED FAXES ONLY). Email: [email protected]. For additional hard copies of this document and general queries please contact CESG enquiries at the address above.

PLEASE PRINT

Your Name: Department/Company Name and Address: Phone number: Email address: Comments:


CESG’s Good Practice Guides are issued by the UK’s National Technical Authority for Information Assurance with the aim of informing intended recipients of the general security issues they should consider in their approach to information and communications technologies. They are not a replacement for tailored technical or legal advice on specific systems or issues. GCHQ/CESG and its advisers accept no liability whatsoever for any expense, liability, loss, claim or proceedings arising from reliance placed upon this Guidance.


IA CESG B2h Hubble Road Cheltenham Gloucestershire GL51 0EX Tel: +44 (0)1242 709141 Fax: +44 (0)1242 709193 Email: [email protected] © Crown Copyright 2010.