Achieving Government Security Accreditation and ISO27001 and BS7799 and ISO17799 certification. Assurance of information.
  ECA - consultants for ISO27001 and ISO17799 certification  

Managing Business Risk.

How can you do business, if you make yourself unavailable?

Assurance of information

In an age of mobile and online computing, the fortress mentality is a thing of the past. Access is all-important – but so is managing the invisible virtual perimeter. It brings major business benefits, but also risks. We balance those two key issues.

SIAM helps Information Assurance become a business enabler.

Any business activity involves risk – which is why security is a fundamental part of overall Business Assurance. SIAM sums it up:

  • Security
  • Integrity
  • Availability
  • Management Mechanisms

    • When assessing security risks, ensure that your external-facing systems are not a target.
    • Keep up to date with the latest security patches and software upgrades.
    • Remember that regular updating is a legal requirement.

The Data Protection Act, Freedom of Information Act and similar legislation affect all businesses.

  • All staff must be aware of the Information Policy set.
  • All information and information systems must be properly regulated and protected.
  • In electronic commerce, you must be absolutely sure about the identity of the person or company with whom you’re exchanging information.

CESG Listed Advisor Scheme (CLAS). Ultimate assurance for vital organisations

Under this scheme, the UK Government technical authority has created a pool of consultants qualified to give Information Assurance to government departments and organisations providing services vital to the United Kingdom.
A number of our associate consultants are members of the CLAS scheme.
A list of all CLAS consultants can be found by visiting www.cesg.gov.uk.

Achieving Government Security Accreditation.

Accreditation is fundamental to the assurance and delivery of any ‘trusted’ system or service that underpins Government business.
It is a Continuous Process, throughout and beyond the life of the delivery project.
It is government policy that if a system contains positively marked information, or is part of the Critical National Infrastructure (CNI) it should be subject to Accreditation. The principles of this accreditation are now closely aligned with those of ISO27001 and ISO17799.
ECA has an unbroken track record of achieving accreditation first time every time.

CESG defines Accreditation in Government as follows…

“Any business activity involves risk, to the organisation, to other business activities, to clients, customers and partners. Some of these risks are security related, in that they involve threats to the confidentiality, security, integrity and availability of its information and business processes, or to the ability of the organisation to monitor its own activities and comply with the law. Accreditation is the process whereby these risks are assessed, and cost-effective countermeasures are determined and put in place. It includes the point at which the residual risks are formally accepted on behalf of the organisation.”

…which puts the whole thing in a nutshell.

  • Accreditation of your system should start when the IT project is first discussed. It is an integral service, not a ‘bolt on’.
  • It must be a rolling Quality Assurance and validation process, in which business risks are constantly assessed and countermeasures put in place.
  • It is vital that the overall design specification and its implementation avoid single points of failure, throughout the end-to-end delivery of the overall operation.
  • The accredited system is inspected annually – and if substantial changes are made, it must be re-inspected.


The Accreditation Document Set (ADS)
This describes the processes required for accreditation and is normally written by a CLAS qualified consultant.
ADS Part 1 describes the business requirement, with the process and system that underpin and deliver that requirement. Acting as the system synopsis, it describes component parts, networks, user communities, data, links and boundaries.
ADS Part 2 contains the risk assessments, Risk Management Statement and the necessary protective measures.
ADS Part 3 shows the security operating procedures essential for the system users and managers to maintain availability, integrity and confidentiality.
ADS Part 4 is the final Inspection, Assessment, IT Health Check and Penetration test results and – when granted – the Accreditation Certification.

ISO27001 and ISO17799
These set out the standards for an Information Security Management System (ISMS).
They identify, manage and minimise the range of threats to which all commercial information is regularly subjected.
ECA staff are qualified to work as ISO27001 and ISO17799 implementers and lead auditors. This complements our expertise in government security accreditation.

ISO27001 and ISO17799 identify 10 key areas and controls.

  • Security Policy - to provide Management Direction and support for information security.
  • Organisation of Assets and Resources - to help you manage information security.
  • Asset classification and control – to help you identify and protect your assets.
  • Personnel security – to reduce the risks of human error, theft, fraud or misuse of facilities.
  • Physical and environmental security – to prevent unauthorised access, damage, and interference with business premises and information.
  • Communications and operations management - to ensure the correct and secure operation of information processing facilities.
  • Access control – to control access to information.
  • Systems development and maintenance – to ensure that security is built into information systems.
  • Business continuity management – to counteract interruptions to business activities and protect critical processes from the effects of major failures or disasters.
  • Compliance – to avoid breaches of criminal and civil law, statutory, regulatory, or contractual obligations, and any security requirement.

An organisation using ISO27001 and ISO17799 as the basis for its ISMS and registered by BSI proves to stakeholders that it meets the required standard. ECA can help any organisation achieve ISO27001 and ISO17799 certification.

Operational Threat and Risk Assessment.
After many years' experience working with government and commercial organisations, ECA has evolved a methodology for analysing, identifying and addressing threats, risks and weaknesses. We group the assets at risk as:

  • Tangible Assets – your People, Property and Information.
  • Intangible Assets – your Reputation and Intellectual Property.

Throughout this process, we work closely with your key staff, showing them how to assess these threats and how to prevent or mitigate them.
To be effective, risks and counter-measures must be regularly reviewed and updated, paying particular attention to:

  • The Risk Assessment.
  • The Impact Assessment.
  • The Vulnerability Assessment.

However, there is no such thing as a totally risk-free strategy and the cost of seeking one may outweigh its advantages.

The Management of Corporate Resilience, Security and Risk.

  • The keynote of this check is absolute confidentiality and discretion for the client: the fewer people who know of its existence, the better.
  • We approach your company’s entire operation holistically, beginning with the logical and physical perimeter and working steadily inwards. The emphasis of our external checks is on surreptitious infiltration.
  • Once we have checked from the outside, we would work inwards examining the interaction between people, your processes and any technology that you use to support your daily operations.
  • Our experience has shown the value of examining your corporate services as an ‘end-to-end system delivery’. This includes checking the IT and communications systems for flaws and vulnerabilities to ensure that your corporate services are not liable to failure by accident, inadvertent action or outside intervention.

The whole operation is fully discussed with the client before it begins, and all parameters are agreed, so that you know exactly what we do and how we go about it.

A final confidential report will be delivered with our findings and recommendations and we can fully debrief a selected audience with a presentation of the facts.

To discuss the ways in which we could enhance the Resilience and Security of your organisation,
simply ring +44 (0) 118 976 7544

Electronic Commerce associates, Information assurance through ISO27001 and ISO17799