Risk management of the enterprise IT for CERT-UK
This case study was withdrawn on
This content has been moved to the CESG website: https://www.cesg.gov.uk/risk-management-collection
A case study of how decisions with a security impact were taken when building the enterprise IT service for CERT-UK.
Overview of the service
CERT-UK was formed in March 2014. IT infrastructure for around 50 users was required, with initial functionality comprising basic office productivity tools, plus ticketing and document management systems.
Approach to risk management
CERT-UK aim to ensure their systems are built and maintained to be secure enough. They have a preference for the system to implement controls sufficient so that users don’t have to be relied upon to do the right thing. As a body concerned with IT security, CERT-UK recognised the potential reputational damage that might result from any incidents and the fact that they could be targeted.
CERT-UK’s starting position for design choices was to make use of existing CESG guidance and look to tailor it to their needs if it did not fit. Business continuity was a key consideration, and there were strict time constraints for delivery, as the IT had to be up and running before the launch of CERT-UK.
How did it meet the Principles of Effective Risk Management?
This case study was one of a number of case studies that informed the creation of the Principles of Effective Risk Management. This section describes how this project embodied the principles, and where there were areas for improvement.
Accept there will always be uncertainty
There were a number of occasions where difficult decisions with significant security and usability implications needed to be made. The SIRO gained confidence in these difficult decisions by getting an independent view of the work from both the accreditor and a senior manager, valuing them as an impartial sounding board. Penetration testing was also an important part of gaining confidence and was carried out by two independent companies.
Make everyone part of your delivery team
The delivery team included an external security advisor (in this case an accreditor) along with the project manager, technical leads, user representatives and the IT manager. They shared the common goal of delivering a usable and secure system on time.
Ensure the business understands the risks it is taking
The multidisciplinary delivery team had a good awareness of security issues in addition to technical and project management skills. The small size of the organisation helped with communication and the team were able to express risks clearly to the SIRO in terms of implications to the business.
Trust competent people to make decisions
Options were proposed by the working level team and decisions were made quickly. Often the technical team felt comfortable making decisions without wider consultation. The senior managers and the SIRO were kept informed of developments and were presented with a summary of key risks and decisions so that they could influence these where appropriate.
Trust was built up with suppliers over time, by observing their competence and asking for evidence of how they implemented security on their corporate networks.
Security is part of every technology decision
Potential solutions were compared side-by-side for resilience to particular security scenarios, along with other import factors such as usability and value for money. This has led to security being considered up front as options are generated and decisions are made.
User experience should be fantastic - security should be good enough
There were a number of examples where CERT-UK were happy to trade off user experience for increased security. For example, where PGP is used to encrypt emails relating to potential or actual compromises of organisations.
Demonstrate why you made the decisions - and no more
Given the tight timescales the team was keen not to produce any documentation that would not prove useful. Many decisions were taken verbally, and a summary of key risks and decisions was recorded and presented to the SIRO.
While a lightweight risk assessment was produced, this had less influence on the project overall than workshops with input from appropriate security experts.
Understand that decisions affect each other
The choice of email encryption technology and email scanning solution had a direct impact on one another. A key decision about where to decrypt inbound emails and consequently whether scanning would take place on the desktop or on the server also had a significant security and usability implications.