HMG Procurement Security Awareness
"Many vendors are selling into government, but stumble over a number of key issues including protective marking rules and what those mean for system, data handling, costs and lead time for personnel clearances; Information assurance, accreditation processes and List X; S-CAT-Catalyst and procurement standards."
Introduction
Understanding the general background to Assurance in the HMG environment
There is a difference in approach between:
- Central Government
- MOD contracts
- Local Government
The fundamental first step is to get a clear statement of the Business Requirement.
You must start with a clear Statement of Business Requirement (SOBR), without which:
- You cannot identify the primary business objectives
- You cannot identify the risks to the information availability required to meet the business objectives
- You cannot define the risk mitigation policies, procedures & mechanisms, including the scope of IA and Accreditation. Defining appropriate and implementable policies is essential to success.
- You cannot contract for the required levels of Sustainability, etc.
- You cannot let a cost-effective contract
I believe in the key principle that IA (Information Assurance, including Accreditation) is a key part of Business Risk management. Legal involvement with IA/Accreditor Security should start at the whiteboard level.
Supplier Briefings must include the need for Information Assurance and Security Accreditation.
- There are differences between Departmental & Pan Government Accreditors
- Depending on the type and nature of the competitive exercise, discussion of the IA implications for forming and constructing consortiums
- Consortium members: who they are, what they are
- CNI
- Employees and likely clearance/vetting requirements
- National issues
Security Aspect Letters (SAL)
The key concept of the SAL is that it lays out, very early in the engagement, what the security/IA environment will be, so that suppliers cannot later transgress the requirement and wriggle out, or claim a fix at cost-plus rates.
- Most problems centre on HMG issuing good SALs.
- If there isn't one:
- don't celebrate
- ask for one
- be the client's friend: "It's in all our interests for the avoidance of doubt." It is actually true.
Use of National Security Veto to dispense with competition
It is possible to dispense with some competition by use of the National Security veto. This is not generally advisable, but there are sometimes reasons to do so.
- There are some other measures that can be deployed (e.g. considered or staged deployment of a variation of the National Security Waiver).
With systems that are considered as CNI there will be underlying National Security Issues for NISCC/CESG:
- Russia/China/Israel/France etc.
- Backdoors
- Escrow
- Maintainability and updates
Work closely with your Accreditor
What is Accreditation?
What is an Accreditor?
The Accreditor and the internal IA/Security teams must work with the contractor's team (immediate question: who is the Prime Contractor?).
This virtual team must work from first principles to ensure that the people, process and technology specified, contracted, constructed, commissioned, delivered and operated meet the Business Requirement and underpin the Business without undue Risk.
Work with IA/Security & Accreditor to ensure that Contract Schedules fully support the required levels of:
- Confidentiality
- Integrity
- Availability
- Risk Impact levels for loss or compromise of data etc.
- Security Schedule(s)
Any requirement for contract or documentation to ISO 27001/ISO 17799
Role of CLAS and development of RMADS in conjunction with Accreditor
Information Assurance should hold no terrors.
Link to Legal.
The concept of 'No Surprises' during and at the end of Accreditation is good for all; it avoids cost and delay.
The Concept of UK Critical National Infrastructure (CNI)
Ask whether NISCC/CPNI consider the proposed system, its associated connections and their systems to be Critical National Infrastructure.
- Is the proposed system CNI now?
- Will it be designated CNI later?
(This should not be a problem, as any well-defined and protected system subject to Accreditation should have no difficulty with the requirements of CNI, i.e. is it safe to underpin the business?)
- Understand the relationship and role of NISCC/CPNI (the Centre for the Protection of National Infrastructure, which NISCC will become in early 2007)
- Legal/Security requirement under CNI and contract for supplier to be:
- Registered office in UK (UK Liability)
- Execs in UK liable to UK legislation
- Offshoring debate: not for CNI, for a number of obvious reasons, not least of which is that the NISCC/CPNI remit stops at the UK border.
Pre-employment checks for suppliers and sub-contractors
How the HMG Vetting and Clearances process works
- What it is
- What it is not
Staff Security Checking and Vetting
- Pre-employment checking
- Government security checks
- Aftercare of staff and 'changes of circumstance' reporting
List X requirements
- What is 'List X'?
- What it is used for: handling material Protectively Marked CONFIDENTIAL and above
- How to join
The right to audit and undertake inspections to ensure Confidentiality and Integrity.
The 'Protective Marking' debate:
- The requirement itself may be Protectively Marked
- The detailed requirement or outline designs often are
- The Contract may be
- And if the above are, the detailed system plans and designs will be, and increasingly so, because of the level of detail they contain and the consequence of loss or compromise of the information therein.
- Can suppliers deal with these? The cost and complications may be corporate-wide.
- During and post contract.
- This may require systemic mechanisms for ensuring users are properly authenticated and can only access sensitive information within an accredited authorisation regime.
What is the Threat?
Assume that there will be a Threat of some kind to the government process and system that is being competed.
Threat of failure for any number of reasons
- Poor requirement
- Poor design
- Poor implementation
Threat of loss or damage to HMG from the perspective of:
- Integrity
- Availability
- Confidentiality
- Reputation
- Systems (people and process as well as technology) WILL at some stage be a target for Serious & Organised Crime.
Continued adherence to Security Policy
Who is going to input the Security Policy?
How this affects handling the proposed system
- Vetting levels for system staff, system administrators, etc?
- Vetting levels for user community?
- ADS and codes of connection.
- Wider Identity Management issues
- Insider
- Privacy
- Information Commissioner
- ACPO and other professional bodies (where appropriate)
- Interest Groups
- Codes of Connection to other systems and authorised use
- Disclosure policy within and 'without' the system
- Law enforcement & 'special cases & connections'
Additional risks to information on the proposed system?
Most of these risks undermine effective information management and lead to compliance violations, whether accidental or deliberate.
- Lack of marking & handling scheme
- Lack of an agreed taxonomy - the lexicon for the business
- Lack of an accurate means of cataloguing information in accordance with the taxonomy
- Lack of a means of tagging data consistently
- Lack of rules for the handling of tagged data.
- Lack of tools to ensure data is released or changed in accordance with the rules.
- Lack of tools & reports to monitor and manage the access to sensitive data.
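The gaps listed above (marking scheme, consistent tagging, handling rules, release tooling and access monitoring) can be made concrete in one small model. This is an added illustration, not part of the original briefing: it assumes the pre-2014 GPMS marking ladder (only CONFIDENTIAL is named on the page), the BPSS/SC/DV vetting levels, and a constructed clearance-to-marking ceiling; the document, user and channel names are invented.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Assumed marking scheme (pre-2014 GPMS), lowest to highest; the page names only CONFIDENTIAL.
MARKINGS = ["UNCLASSIFIED", "PROTECT", "RESTRICTED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
# Constructed handling rule: the highest marking each vetting level may routinely access.
CLEARANCE_CEILING = {"BPSS": "RESTRICTED", "SC": "SECRET", "DV": "TOP SECRET"}


@dataclass(frozen=True)
class Document:
    doc_id: str
    marking: str                    # tag applied consistently from the agreed taxonomy
    descriptors: FrozenSet[str]     # need-to-know compartments, e.g. {"CONTRACT"}


@dataclass(frozen=True)
class User:
    name: str
    clearance: str                  # BPSS, SC or DV (assumed vetting levels)
    need_to_know: FrozenSet[str]


# Audit trail: (decision, user, doc_id, marking) so access to sensitive data can be reported on.
AUDIT: List[Tuple[str, str, str, str]] = []


def rank(marking: str) -> int:
    return MARKINGS.index(marking)


def may_access(user: User, doc: Document) -> bool:
    """Handling rule: clearance ceiling must cover the marking AND every descriptor must be held."""
    within_ceiling = rank(doc.marking) <= rank(CLEARANCE_CEILING[user.clearance])
    allowed = within_ceiling and doc.descriptors <= user.need_to_know
    AUDIT.append(("ALLOW" if allowed else "DENY", user.name, doc.doc_id, doc.marking))
    return allowed


def may_release(doc: Document, channel_marking: str) -> bool:
    """Release rule: a document may only leave via a connection accredited to at least its marking."""
    return rank(doc.marking) <= rank(channel_marking)


def sensitive_access_report(min_marking: str = "CONFIDENTIAL") -> List[Tuple[str, str, str, str]]:
    """Monitoring report: every decision (allowed or denied) touching data at or above min_marking."""
    return [entry for entry in AUDIT if rank(entry[3]) >= rank(min_marking)]
```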
Codes of Connection: liability issues as well as the Information Assurance ones
How are relying parties satisfied that other organisations are trustworthy to an agreed set of policies, procedures and mechanisms? This requires consistency across the audit & accreditation community.
Call Centres/Help Desks
- Offshore temptations
- Staff vetting and pre-employment checks
- Staff will be a target for corruption
How to deal with the delicate matter of Fraud
- What happens when things go wrong, as they will?
- Resolution mechanisms built into the contract that continue the levels of Integrity and Confidentiality required
- Policies implemented in systems to prevent anonymous access, identity fraud, illegal access by authenticated users to sensitive data and to prevent sensitive data leaking out.
Service level breakdowns
- They will happen
- Service credits do not always help, nor are they always appropriate
- Risks of breakdown can be mitigated at several levels.
What levels of Resilience are required or proposed?
- By SOR?
- Supplier?
- Contracted?
- People, process, technology
- System
- Communications
- On the Primary site
- Backup site
- Business Continuity
- Disaster Recovery
- Data recovery etc
