The case for a considered approach to Information Assurance on MOD projects
“Just get a contractor in to write an RMADS when we’ve finished testing the system.”
How many times have we heard those fateful words? And how many times have we put our heads in our hands and almost cried?
“What’s the problem?” you may ask. Well, in this article, we’ll explain.
We’ll make a balanced case for why your approach to Information Assurance (IA – making sure your information stays secure) would benefit from a more holistic approach.
What is an RMADS?
Systems, services or devices designed to handle classified information need to be ‘accredited’ so they adequately mitigate the risks of compromise to the confidentiality, integrity and availability of the data.
The most recognised approach is to follow a suitable risk assessment methodology (formerly mandated as CESG’sInformation Assurance Standard No.1 (IS1)) and capture the outcomes in an RMADS (Risk Management and Accreditation Document Set).
The RMADS sets out the system, the identified risks, and the security controls applied. An appointed accreditor reviews and, if all is well, signs off the RMADS, before the Senior Information Risk Owner (SIRO) gives final sign-off.
So, what’s wrong with that?
Sounds fine and, for a simple system, it may be fine. But here’s a list of things that make an RMADS in isolation a potentially dangerous weapon:
- It is often done at the end of the project as a ‘wrap-up’ exercise, undertaken in the dismissive tenor of the opening sentence.
- It focuses on compliance for the sake of compliance – a compulsory “tick-box” exercise.
- It is a stand-alone, one-off exercise often shelved and forgotten once finished.
- It is heavy on process and documentation.
- It is often written in technical, jargon-ridden language.
- It is resource heavy and so perceived as expensive.
- It is often outsourced meaning there is minimal interaction between the author and the system owner.
- And, contrary to popular belief, an RMADS is not a mandatory deliverable – any format of document that adequately identified risks and controls is appropriate.
Which all adds up to something that may cost a lot and be of limited business value. Ironically, it may even result in a system with poor security. To draw a parallel, ISO 9001 certification only means you have a set of processes in place and you follow them – not that they are efficient and effective processes or that you are a better business for it.
And, to cap it all, by leaving it to the end, you are simply documenting what’s been done, rather than proactively identifying and mitigating the information risks.
Don’t get us wrong, we are not saying that an RMADS is a bad thing, but just producing an RMADS as part of the completion process leaves much to be desired. It needs to be part of a balanced and rounded approach.
What else can be done?
Well, the opposite of the list above. In accordance with JSP440, and in line with Ascentor’s philosophy, IA and accreditation should follow the Pragmatic, Appropriate and Cost Effective (PACE) principle.
To achieve PACE, the Security Assurance Coordinator (SAC) function, responsible for IA on projects, must be an integral part of the delivery team and must get involved early.
Projects will range from complex to straightforward. Equipment Programme (EP) projects are typically complex, as are some UOR (Urgent Operational Requirement) to Core projects. These complex projects demand a structured approach to IA delivery. Activities and products need to be defined based on where the project is within the Concept, Assessment, Demonstration, Manufacture, In-Service and Disposal (CADMID) cycle.
This ensures IA is appropriately applied at the correct stage, mitigating project risks of failing to achieve Initial and Main Gate approval and system accreditation. It also reduces financial exposure to the consequences of re-engineering technical security solutions.
By following robust IA processes, the IA requirement can be optimised before an Invitation to Tender (ITT) is issued to potential suppliers, thus ensuring IA is considered in the proposal and appropriately costed and built into the design.
At the other end of the scale, UOR projects and projects, where commercial-off-the-shelf (COTS) equipment is being procured without modification, do not require such a structured approach to IA. In these cases, the MOD is buying a product with the technical security already included, so there is little, if any, opportunity to add it in.
The focus here relies on developing PACE processes and procedures that may modify the end users’ tactics, training and procedures. Hence, a simpler, less expensive approach is more appropriate – perhaps in these cases, just an RMADS is enough.
Projects may fall firmly into either the complex or straightforward category, or may be a hybrid somewhere in between. A flexible approach to achieving PACE that caters for all different types and sizes of project is based on the concept of a triage process, as shown in the diagram below.
Using this process, the SAC assesses each project for its IA characteristics with full stakeholder involvement (including the project team, the accreditor and the information asset owner).Together they reach consensus on which approach offers a PACE solution and identify what benefits can be derived. Whatever approach is decided, the risks and how they are mitigated need to be understood and the residual risks exposed.
An RMADS may well be the chosen medium but that will depend on the complexity of the system, the IA approach taken and the preference defined by the Accreditor. The decision is reached through an informed and considered process; it is not simply a forgone conclusion.
How Ascentor can help
For 12 years, Ascentor has provided IA and accreditation services to HMG departments including implementing triage processes and supporting MOD EP, UOR, and UOR to Core projects. Many IA consultancies can offer certified staff who understand compliance, but few can rival our drive for IA to bring true benefit and ensure it does not become a burdensome, resource hungry activity, blindly following process and policy.
Earlier in this article, we referred to the idea of an SAC function. We used the term “function” deliberately as the traditional SAC role can be substituted with an SAC team or service. We have successfully implemented this in MOD delivery teams to bring:
- Skilled and qualified consultants working full time in IA and accreditation, which lowers the risk of appointing short tenure or temporary MOD SAC cover.
- Flexibility and experience to handle different types and sizes of project.
- Resilience and agility to scale up and down as demand for SAC services changes.
- Value for money by applying the PACE principle in each situation.
For more information please read Tipsfor Security Assurance Coordinators on MoD projects.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter .
Should you wish to gain further advice on your IA and accreditation or just generally improving your cyber security maturity, please contact Dave James, MD at Ascentor.
Email: [email protected]
Office: 01452 881712