Senior management buy-in is key to protecting government information from threats, according to Harj Singh.
As mobile, cloud and digital transformation dominate the future of computing in the public sector, security and accountability are at risk of falling through the cracks. Risk management, in both the public and private sectors, is all too often seen a stand-alone project. Once ticked off the ‘to do’ list it is shelved for the next year or two.
The typical public sector approach to risk management is document heavy, focused on process, and uses a linear, one shot approach which is conducted in isolation as a ‘siloed’ activity under the guise of ‘accreditation’. In my mind that is wrong.
All too often, risk management within a typical government department follows a common path, where an information system, service or device is identified as requiring ‘accreditation’ to ensure that it is fit for purpose and to demonstrate that it has been tested against its security requirements.
The common definition of this sort of accreditation is that a technical risk assessment is required following CESG’s Information Assurance Standard No.1 (IS1) and a Risk Management & Accreditation Document Set (RMADS) in accordance with IS2 is needed, which includes various details about the information system and the output from the IS1 risk assessment.
Typically, any risks are shown to be mitigated by application of the Baseline Control Set (BCS) which is essentially Annex A from ISO27001 – a list of good practice security controls.
The RMADS is usually developed by a private sector security consultant with occasional input from the department’s security team. The department would have someone assigned as an accreditor who would act as the impartial assessor of the risks and would provide sign off of the RMADS.
The RMADS would then be taken to the Senior Information Risk Owner (SIRO) for final sign off meaning that the residual risks documented in the RMADS had been accepted.
Once signed off, the system or service is deemed to be accredited and the RMADS is shelved until the next review, typically in 12 months’ time.
So what’s wrong with that you might ask? Well for a start, the RMADS is often written in technical language and the output from the IS1 risk assessment is so jargon-heavy that no one really understands what it means. Unfortunately risk assessment can often be a ‘handle turning’ exercise that does not really identify the real business of risks at all.
Risk mitigation is simply mapping security control from the BCS to the risk without giving any thought to how it actually mitigates the risks throughout the lifecycle of the information system. Unfortunately the only thing this approach achieves is a nice revenue stream for the private sector consultant and a ticked box for the department.
Data assets are valued using Business Impact Levels (BILS) which relate to the Government Protective Marking Scheme (GMPS), but this is more of a labelling scheme than a system for identifying business impacts. A binary yes/no decision on whether the risks in the system have been adequately managed is not enough as new risks could emerge soon after the Accreditation decision is made which will not be identified and acted upon.
The quality of the RMADS is often measured by its weight, rather than it’s content. The fact that it is supposed to be a business document is often forgotten. Its use is limited to an annual dusting off and review, rather than it being used to continuously manage risks in the system throughout its lifecycle.
The result can be disproportionate costs, poor security and inability to realise true value from IT. In addition, the user experience is either ignored or is seen as being secondary to security. However many government information systems are still ‘accredited’ by the above process.
The Solution. April 2014, The Cabinet Office published a new approach to classifying information, the Government Security Classifications (GSC). The Cabinet Office concluded that the existing GPMS (Government Protective Marking System) was not working effectively, it was misunderstood, misused and burdensome, providing a false level of assurance.
The new scheme is not statutory, but operates within the framework of domestic law including the Official Secrets Act (1911 & 1989), The Freedom of Information Act (2000) and the Data Protection Act (1998). The policy states that ‘Government Departments and Agencies should apply this policy and ensure that consistent controls are implemented throughout their public sector delivery partners (i.e. NDPBs and Arms Length Bodies) and wider supply chain’.
The new scheme introduced three levels of classification; OFFICIAL, SECRET and TOP SECRET based on the threat being defended from. The majority of information that is created or processed by the public sector falls within the OFFICIAL classification based on the threat being from attackers with bounded capabilities and resources (e.g. hacktivists, competent individual hackers, single issue pressure groups, investigative journalists and criminals (individuals and groups).
The big change which many organisations find difficult to understand was that there is no requirement to mark information at OFFICIAL. The other big change is the business now had to think about who they want to protect the data from, rather than follow a prescriptive list of controls for a protective marking, which did not consider the threat and led to disproportionate and costly controls being implemented.
The new scheme works where the old GPMS failed. However it is not as easy replacing GPMS with GSC. A risk management framework must first be developed within the business to use the GSC scheme effectively. The framework must include identification of the information assets held and assignment of Information Asset Owners who are responsible for the information and the associated risks.
CESG is no longer supporting IS1 &2 accreditation and has published new guidance on GOV.UK for risk management, which essentially says that a business has to decide what is appropriate for its needs. This ‘new’ approach to risk management in combination with the Government Classification Scheme aims to achieve a more proportionate response to the real business risks faced. Its aim is to create an ‘excellent user experience where security is good enough’. This requires the business to ask the following questions: What am I trying to do? What do I care about and how much? Who do I want to protect my data from?
The responses to the above provide the business needs which allow the security expectations to be developed. However for the responses to be valuable and a true reflection of the business needs, the questions ought to be answered by keys members of the wider business (information asset owners, project leads and senior management and ‘risk owners) in addition to IT and security.
The security expectations will then help to shape the security controls needed which for OFFICIAL would be based on commercial good practice. Personally I would add that instead of a six scale BIL system, why not articulate the real business impact in plain English so the business can understand and appreciate the impact to the business?
There is currently a misconception that a risk assessment is required for every system, however this is not always the case. If the system/solution/service is based on standard functions then an appropriate approach to selection of controls would be to use guidance already provided by HMG for sites like GOV.UK.
If the system uses non-standard or novel functions then a risk assessment may be necessary to identify risks however this must be conducted based on what is important to the business (e.g. threats, vulnerabilities, Confidentiality, costs, customer perception, usability etc.).
In conclusion. The GSC scheme will allow for information to be protected from the real threats provided it is implemented correctly and training is provided to all staff on how it is to be used.
The new approach to risk management will allow the business to identify the real risks relating to what the business really cares about and help in the selection of proportionate security controls that are cost effective.
However, there are some critical success factors for achieving what I have set out above. Senior management buy-in is key. A governance structure must be created which focuses on how the culture of the organisation can be changed to think securely by default. Good security practices must become part of business as usual.
Creating a security culture is about changing behaviours, it’s not about technology.
Harj Singh is an independent CLAS and public sector security consultant for Carrenza.