In order to provide clear objectives, requirements and direction, an overarching Cyber Security Strategy is required. This strategy is informed by both internal and external factors, including, but not limited to, and in no particular order of priority:
- National Information Assurance Strategy;
- Information Assurance Maturity Model;
- Security Policy Framework;
- ISO 27000;
- Government Internal Audit Manual standards;
- CESG Information Assurance Standards and Good Practice Guides;
- National Cyber Security Strategy;
- National Audit Office findings and publicity relating thereto;
- Public Accounts Committee hearings and publicity relating thereto;
- Data Handling Review;
- Public opinion;
- Your customers’ requirements;
- Your ICT Strategy & Architecture.
The strategy should be defined in terms of realising business and security outcomes, i.e. the results of embedding policies, principles and working practices into the fabric of our customer's organisation.
I recommend a workshop-based approach to the delivery and communication of the required strategy. By assigning a dedicated team to work with our customers, we are confident that we can deliver robust, fit-for-purpose strategies which meet all of our customer's (and its stakeholders') requirements within fixed and agreed timescales.
The management approach will conform to the best practice principles of the OGC’s Managing Successful Programmes and PRINCE2 methodologies. Where appropriate, influences will also be drawn from the OGC’s Management of Risk methodology and the ITIL Service Management Framework.
Activities involved include:
- business risk analysis of the current cyber security posture ("as-is posture") and of all technical documentation relating to the IS, ICT and Security Architectures;
- understanding of external influences and requirements;
- formulation of strategic outcomes and objectives ("to-be posture");
- drafting of the Strategy;
- prioritising of implied activities and deliverables, based on an assessment of the business and technical risk to the achievement of our customer's business objectives.
I operate on the core assumption that our customers not only wish to have a strategy document but also wish to see it successfully implemented. For this to happen, several components need to be produced which either feed into, or flow out from, the strategy itself.
The resulting strategy will satisfy the following criteria:
- Is the strategy fit for purpose; does it represent good/best practice?
- Does the strategy include the methodology by which you can implement a coherent information assurance and cyber security regime? How aligned is it to the guidance provided in ISO/IEC 27001:2005 which details the requirements for an effective Information Security Management System (ISMS)?
- Does the strategy take a through-life approach, from concept to disposal of information and equipment?
- Does the strategy include all aspects of the business requirement?
- Does the strategy take due account of the need to engage early with the business as it examines new ICT solutions, so that IA requirements are factored in from the start?
- Are specific IA risk issues such as those concerning Flexible Working and the use of removable media included?
- Has the full range of vulnerabilities and threats to information been captured within the Strategy (both those current and those considered likely to be relevant to the business in the future), and has the Department engaged with the expert community in drawing up the list?
- Is there sufficient linkage of the Strategy with other relevant policies?