Cyber security and information assurance
Maintaining the confidentiality, integrity and availability of services and information as well as protecting services against threats.
Cyber security and information assurance covers appropriate steps that must be taken to guarantee security when building and managing a service.
Some relevant roles: technical architects, developers, chief technology officers, chief digital officers, senior information risk owners (SIRO) and departmental security officers (DSO).
Confidentiality, integrity and availability
- applying the 3 main concepts of information security (confidentiality, integrity and availability) to assessing and managing information risk
- when designing or adopting security controls making sure they address one or more of these concepts
- advising on the risks associated with data management and on how to develop strategies to reduce those risks
- setting out information risks in business terms
Government Security Classification Scheme
- implementing the security controls necessary in government IT systems with consideration of the new Government Security Classification scheme
- understanding that at the ‘OFFICIAL’ classification tier the very best security technology from the commercial market will provide suitable defence with no need for bespoke or government-only controls
- understanding that further security should be considered for information at classifications higher than the ‘OFFICIAL’ tier
Ensuring security policies meet standards and legislation
- creating security policies for an organisation or business unit (eg an organisation’s overall approach to security or single issues such as the management of data centres, internet connectivity or remote access)
- making sure those security policies are in line with the 3 main concepts of information security (confidentiality, integrity and availability) as well as appropriate legislation, government standards and governance requirements
Following security guidelines
Choosing appropriate security controls
- employing different kinds of controls to maintain security (physical, technical and people/culture controls)
- advising on the use of those controls in the development of systems and services
- understanding that, as we move more towards commodity technologies and cloud computing, knowledge of these controls will need to change
Basing policies on desired security outcomes
- setting out security policies by stating a desired security outcome that security controls can achieve in a proportionate manner
- understanding that security outcomes should be traceable to an identified risk and controls clearly traceable to a security outcome
Avoiding excessive security by meeting user needs
- putting user needs in context, so that security controls avoid over-prescriptive use of technology that leads to a degraded user experience
- understanding that over-prescriptive technologies cause users to suffer degraded productivity or to circumvent security controls, compromising the service
- ensuring that security is factored in at the design stage and not bolted on at the end of production
Implementing controls against common internet threats
This involves:
- being familiar with ‘The 20 Critical Security Controls for Cyber Defence’ from the Centre for the Protection of National Infrastructure (CPNI)
- being able to implement the basic controls that are needed to reduce risk from common internet-based threats, as outlined in the Cyber Essentials scheme
- being aware of when an assessment against the Cyber Essentials or Cyber Essentials+ schemes is necessary
- understanding the design and architecture of security technology, infrastructure and network build
- using attack prevention tools and techniques as they relate to application defences and operating system defences
Carrying out effective risk assessments against threats and vulnerabilities, while keeping in mind the risk appetite of the department and the costs of addressing potential issues.
- analysing the probable interest in government information from threat sources
- establishing the capabilities and methods of those threat sources
- advising on proportionate ways to reduce these threats in a traceable manner
- understanding that over-engineering security controls can lead to poor user experience, or provide illusions of security without actually reducing the risks
- tracking emerging threats and risks
- knowing what to monitor in the threat landscape, such as state-sponsored attacks and ‘back door’ attacks via 3rd-party vendors
Intrusion detection and prevention
- designing, testing and implementing intrusion detection and prevention
- being able to run penetration tests to ensure data leak prevention
- understanding that the nature of government services means they can be targets for a wide range of different threats – from financially motivated criminals and online activists up to nation states
- understanding the basic principles of asymmetric and symmetric encryption
- being able to implement disk and file level encryption solutions
- understanding the application of cryptography to promote security in systems such as Wireless
Operational management of cyber security incidents
This involves understanding:
- the role of an information security operations centre (ISOC) including the reporting mechanisms in place and who to report incidents to
- the roles of CERT-UK and GovCertUK in cyber security
- follow-up actions that may be needed after reporting an incident, including possible legal action
Audits and verifying user behaviour
- conducting security testing and audits
- establishing systems to verify user behaviour to ensure policy compliance
- understanding that the Civil Service Reform Plan and new classification scheme place emphasis on greater user responsibility and reducing restrictive technical controls
Cloud security and Cloud First
Considering and implementing security in a cloud environment
- assessing the security risks of implementing cloud technologies, in line with the government’s Cloud Security Principles and ‘Cloud First’ policy
- understanding the security impacts of using these services (vital, as public sector organisations must now consider and fully evaluate potential cloud solutions before they consider any other option)
Ensuring suppliers meet cloud security requirements
- reviewing/auditing third-party suppliers’ adoption of the Cloud Security Principles and other Information Assurance requisites
- ensuring that the supplier follows the requirements throughout the service or system’s delivery
Open standards and open source
- advising on the use of open standards and open source technologies in government
- understanding that government is committed to a level playing field for open technologies
- understanding and deploying security best practice when using these technologies
Security of open and big data
- explaining the benefits and risks associated with big and open data, particularly those relating to data confidentiality and subject privacy
- understanding the organisational and regulatory compliance obligations related to this
Information Risk Management for Government (IS1/2) is the training advised for those in government carrying out risk assessment. CESG has a list of providers licensed to give IS1/IS2 training.
CESG has approved Certification Bodies to assess Information Assurance (IA) professionals on their capability to perform IA roles across the public sector.
CCP offers Master’s degrees in cyber security certified by the Government Communications Headquarters. These offer a deeper understanding of cyber security concepts, principles, technologies and practices.
The Government Security Profession is an organisation within the Civil Service committed to the professional development of security professionals working in government.
The Open University website offers an Introduction to cyber security online course. It gives an overview of cyber security, different types of malware (eg viruses and trojans), network security, cryptography, identity theft, risk management etc.
Widely acknowledged as Her Majesty’s Government’s standard for cyber security professionals, the CESG Certified Professionals (CCP) scheme offers courses covering roles such as:
- IA auditor
- IA architect
- IT security officer
- security and risk advisor
- communications security
- penetration tester
The Institute of Information Security Professionals publishes a skills framework describing the range of competencies expected of information security and information assurance professionals in the effective performance of their roles.
Read the Cabinet Office policy paper The National Cyber Security Strategy 2013: forward plans and achievements to find out about the government’s plans on how the UK can improve its cyber security by focusing on increasing knowledge, resilience and stability.