Information Assurance

Overview of Services

Below is a list of the services that Lakestyle can offer clients in the field of infomation assurance, which encompasses all aspects of IT, Physical, and processes around the protection of information.

For more on the Information Assurance services offered by Lakestyle, click one of the links below:

Accreditation Life-cycle Management
CLAS Consultancy
Cloud Computing and Cloud Security
Cyber Security and APT
Customer Friend / Trusted Advisor Role
Establishing List-X Status / Facilities
Feasibility studies
GCSX / GSI compliance
ISO27001 compliance / Security Audits
IT Health Check Management and Review
Physical Security and Resilience
Project Closedown and Decommissioning
Risk Assessment
RMADS Production
Secure Software Architectures
Security Architecture Design
Security Operating Procedures (SyOps)
Strategy Guidance

Introduction

Before we talk about our services, we need discuss what is Information Assurance and what is the driver for the demand for services.

Wikipedia defines the following – “Information assurance (IA) is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes”

Therefore the information could for example be data in a computer system, or perhaps paper documents stored in secure cabinets, and operating procedures controlling the handling of the information – how to transfer it, who is authorised or cleared to undertake the handling of the documents, or access to the IT system.

With more and more information being stored on IT systems, the opportunities to lose the information keeps increasing, and there is seldom a week goes by without a story in the national press of data either being lost or attempts to steal it. Some of the stories in the links below illustrate what is happening, and what will continue unless everyone takes a holistic approach to information assurance –

As the saying goes, “this is just the tip of the iceberg”, and only gives a flavor of the types of threats to data. Good practice can stop a lot of the accidental breaches caused by loss of memory sticks – instead of buying the cheapest, use ones that have integral hardware encryption by default. Similarly for laptops, no company should have sensitive data on laptops – this does not mean putting full disk encryption on some of them – it means all of them, where a laptop with seemingly no sensitive data, may be caching the email Global Address List (GAL) enabling external parties to target other people.

In more recent times the concept of individuals being targeted is not uncommon. If the adversaries know there is the possibility of stealing financial data, state secrets, or company intellectual property then they may take the effort to target individuals. Emails and attachments received will look highly credible, with the aim of gaining access to everything the user can access.

China has been widely blamed with the rise of Advanced Persistent Threat (APT) where Western companies and governments are targeted for state and commercial secrets. With software these days being so complex (unnecessarily so) we see Windows 7 with over 50 million lines of code. Although security patches are regularly issued, they will seldom be applied on the day. Similarly adversaries may research into exploitation of such complex operating systems to discover new zero day exploits for use in targeted attacks. Companies may spend money on bringing in penetration test teams to secure on-line systems, however such teams will only test for known vulnerabilities. A Penetration test may only take place over a few days, but an adversary may have months to find vulnerabilities once the system is online.

Information Assurance has grown into a highly complex subject, and to guard against APT all avenues should be protected. A company may have online systems with DMZs, firewalls etc., however if the adversary targets a trusted internal employee to click on a link in an email which causes a download of code which contains a zero day exploit then the users PC, and all that the user can access may be compromised.

So unfortunately to protect against the threats it costs money, and Lakestyle can offer services to advise clients with respect to the protective controls to be put in place. However, can you afford not to? – If you are a company that produces unique products that have a high degree of intellectual investment, how would your company fare if the detailed design documents and diagrams were hacked by a foreign party, your designs were copied and the products produced at a much lower cost abroad, effectively destroying your export market, and perhaps your domestic market.

Accreditation Life-cycle Management

Handling all issues from system design, RMADS production, penetration test planning and management, and liaison with the Government Accreditors.

This is a familiar role for Lakestyle – we have observed a tendency for customers where they ask for the cost of the RMADS as though it a peripheral document, that is written at the end of the project. This is wrong – security has a lifecycle. It should not start at the end of the infrastructure implementation, but at the start of the project when bidding for the work. If you design in the security controls when you bid for the project the cost will be correct. If competitors do not undertake this then they will ultimately have to do it, else the system will have difficulties in getting accredited, and their profit margin will suffer in ultimately being forced to do the job correctly.

The word lifecycle implies a beginning and end. We have established the start point should ideally be in the bid process, but the endpoint is not when the RMADS has been written. This event is just the start of the operational phase, and until the system is decommissioned, security should always be considered for any changes either to the implementation of the system, or if the risk profile of the surrounding environment changes. Such changes could be where software products become end of life and are no longer supported and patched by the vendor.

So whether you are bidding for work, or are at ta later stage of the security lifecycle we can help.

CLAS Consultancy

CLAS is the CESG Listed Adviser Scheme. CESG is the Information Assurance arm of GCHQ, and fulfills the role of being the UK Government’s technical authority for Information Assurance.
The CLAS scheme links the technical expertise and resources of the private sector, to provide services to UK Government. CESG operates a list of approved & trained CLAS consultants, who are fully briefed on the latest CESG policies for securing IT Systems.

The remit of CLAS Consultants, extends not just to systems holding UK Government data, but also to advising on best practice for information assurance to the private sector in the Critical National Infrastructure, where the same techniques can be used to assess the impact on Confidentiality, Integrity, and Availability. CLAS Consultants take a holistic approach to security. It is not just a matter of whether an appropriate firewall is being used for the IT System, but should also consider the physical aspects of the infrastructure, vetting measures that are in place, and ensuring that persons using, or in the vicinity of the system pose a controllable risk.

Lakestyle is able to take this holistic approach, and manage the interface between the Government Accreditors & Client such that the Accreditation process is managed efficiently.

Many companies, particularly the smaller List-X have the requirement for advice on HMG issues i.e. setting up an accredited LAN, however they cannot justify employing a CLAS Consultant full-time. Lakestyle can help by only offering support when required.

Cloud Computing and Cloud Security

A popular topic in the IT community, the placing of applications and data in the cloud, hosted by a 3rd party provider to provide a “private cloud”. Alternatively the use of a cloud hosted public services to use an application shared by others.

Much has been written by persons stating that cloud computing is insecure and should not be used – all data should be kept in-house behind the company firewalls. This is not only untrue, but it is not cost effective. Cloud Computing can provide resource on demand scaling up and down on demand, with the client only paying for what they use.

Lakestyle fully understands cloud architectures, the security challenges, and the products and approaches to secure cloud based infrastructures such that the data remains secure, and that the service is resilient to attack maximizing availability.

Cyber security and APT

Cyber security is a term that can be regarded as 80% good practice for information assurance, and the remaining 20% being the cyber initiatives underway to counter the Advanced Persistent Threat (APT) facing HMG and companies from foreign parties attempting to steal state & commercial secrets / Intellectual Property.

APT is a very real threat, and companies should monitor their IT systems for data not only coming in, but also exiting the company. Data Leak Protection countermeasures should be in place to ensure that data is not exported intentionally via USB stick, but also monitor for data being ex-filtrated out of the companies firewall to a 3rd party from installed network based Trojan(s) under the control of the 3rd party.

Lakestyle is very familiar with the subject of APT, and the approaches to undertake.

Customer Friend / Trusted Advisor Role

Acting on behalf of the customer, perhaps reviewing bid documentation and assisting the client in down-selecting suppliers / products.

IT architectures and the security issues surrounding these, whether they relate to the software architecture, the hardware, the threats that may exist and the range of controls that may be required to counter the threat actors and sources, is a complex matter. Unless you are highly versed in the domain, you should consider engaging the services of Lakestyle to guide you through the maze of issues. The earlier this starts, the less risk you are being exposed to.

Lakestyle does not claim to be a large IT Security Consultancy, and therefore we do not come with many of the issues that arise when engaging a larger consultancy.

Establishing List-X Status / Facilities

For companies that may have won, or intend to win HMG work, the need to establish a List-X facility may appear daunting. Lakestyle can offer ongoing advice & support in this process to ease the setting up of facilities i.e. lock, alarm systems, together with advice on how the IT systems should be deployed, and writing of RMADS for new networks. All this needs the agreement of the Government accreditation authorities and Lakestyle can handle this on behalf of the client.

Feasibility studies

The client may not have the time or experience to find the answers to difficult problems. An example could be where an Identity Management system is required. Which one is suitable against the client’s requirements? and what will it cost to deploy on their global infrastructure? Or perhaps a desktop consolidation exercise providing user access to multiple domains of sensitive information, or remote access architecture issues. Whatever the problem Lakestyle is able to undertake feasibility studies, and present these findings to the customer, recommending the down-selected candidate architectures and way forward.

GCSX / GSI compliance

Lakestyle has significant experience in the reviewing of GCSX Code of Compliance submissions, and determining whether the applicable controls are in place. Whether it is the review of new architecture submissions or existing infrastructure and controls Lakestyle can offer advice on the steps necessary to achieve compliance. This is equally applicable to GSI and other HMG connectivity where Lakestyle is able to provide the same services.

ISO27001 Compliance / Security Audits

ISO27001 is an international standard relating to Information Assurance. Note the term “Information Assurance” relates to all aspects of information protection, whether this is IT security, or physical and procedural controls.

Lakestyle is able to review existing or proposed systems against ISO27001 and related standard ISO27002 for controls to be implemented, and advise on the establishment of internal Information Security Management System (ISMS), for clients to control and review their information risks.

IT Health Check Management and Review

Lakestyle does not undertake IT Health Checks (penetration testing), and leaves this to accredited CHECK / CREST / Tiger certified companies, who undertake the tests and produce reports for the customer. However, the client may not know how to scope the testing activities, and may not have the technical skills to review the results received from the IT Health Check.

Lakestyle can manage IT Health Checks on behalf of, and alongside clients
– Selecting the IT Health Check company,
– Determine the required scope of testing,
– Produce the testing scope document to be used by the IT Health Check company, for quoting against
– Manage the clients IT service providers to ensure the tests can take place
– Being on-hand to react during the testing activities
– Review the report produced by the IT Health Check company,
– And make recommendations to the client concerning remedial actions.

Physical Security and Resilience

Lakestyle has considerable experience in physical security audits of client environments and datacenters, and is able to make recommendations to clients concerning the building infrastructure to maximize security.

Additionally guidance can be provided with respect to the information systems and data within the organization, with advice on physical protection of server facilities, and protective controls required to guard against major disaster, such as local and off-site backup, or resilient systems for failover to secondary disaster recovery site.

Project Closedown and Decommissioning

Whether it is a full IT system that is no longer required, or a faulty hard disk that has been replaced, or a recordable CD with sensitive data, steps must be taken to ensure the correct process is followed to ensure that any sensitive or protectively marked information is destroyed or declassified.

Depending on the nature of the data that is to be destroyed there are a number of defined approaches, do ensure no residual data is present – whether this is overwriting of disks with approved software, degaussing, or destruction. Putting a CD through a shredder is relatively straightforward, whereas declassifying a SAN (Storage Area Network) with hundreds of hard disks is more involved.

It is not only the recording media that should be considered then disposing of items, but information held in flash memory is also an issue. For example many types of IT equipment are programmable such as routers, firewalls, and Portable Electronic Devices (PEDs) such as Blackberries or iPhones. Appropriate steps must be taken to remove sensitive information before disposing / transferring to other parties.

Lakestyle is able to advise clients with respect to data / system decommissioning and disposal, and arranging for all protectively marked assets or information with sensitive information to be collated, declassified and/or destroyed in the appropriate manner.

Risk Assessment

Calculating the risk level of the system using techniques from the existing HMG InfoSec standards and other documents within the HMG Security Policy Framework (SPF).

Lakestyle is familiar with processes used on Government systems and is able to use this process for new systems within the government arena, or is able to customize the process for the non-government arena. Although systems for Government may contain Protectively Marked information, which needs to be protected, there are other industries where data is of equal sensitivity, such as members of the Critical National Infrastructure, where compromise of systems may have far reaching consequences.
Lakestyle is able to advise the customer with respect to the process to be undertaken, and follow through with the schedule of activities identified. The output of this process in the Government arena will be a RMADS (Risk Management and Accreditation Document Set). For Government systems this can represent a significant amount of work, however for clients that require a tailored process for non-Government systems, then the extent of the work and consequent consultancy costs can be tailored to suit the customer budget.

RMADS Production

A Risk Management and Accreditation Document Set is legally mandated for any systems holding HMG Protectively Marked data, Lakestyle is able to write the RMADS on behalf of the customer. We are well versed in the latest government standards, and have produced RMADS for systems at all levels of protective marking.

Secure Software Architectures

Lakestyle is able to work with customers, to analyze how bespoke or COTS (Commercial off the Shelf) software architecture has been, or is proposed to be implemented. Although COTS solutions may seem appealing from a cost viewpoint, if they are implemented without consideration to IT security and protective monitoring, this can lead to difficulties in accrediting the solution.

Companies use a wide range of applications, and although it is desirable that these are fully patched and security hardened sometimes it may not be possible to expose these systems to a high degree of threat, such as internet connectivity for remote access. However, by careful selection of the technologies such as VPNs (Virtual Private Networks) or using thin client technology such as Citrix, or Windows Remote Desktop it is possible to implement secure deployment architectures for virtually any software application.

Security Architecture Design

The complete solution, with specification of the software products to be hosted, including down selection of candidate solutions (application architecture (J2EE/.NET), middle-ware, databases, SAN infrastructure), design of hardware infrastructure (servers, switches, LAN/WAN connectivity, etc.), and the security infrastructure including the requirements for zoning, lock-down, and protective monitoring & system management infrastructure.

Lakestyle are experienced in the conceptual design and implementation of large scale globally deployed architectures. Taking customer requirements at the bid stage Lakestyle is able to tailor the solution for maximum compliance. This may be single server solutions, or VPN remote access solutions, through to full-scale enterprise solutions with a disaster recovery instance. Clearly the permutations are extensive but because we understand the technology, we can adapt this to any situation.

Security Operating Procedures (SyOps)

For an organization to manage the security risks policies will need to be in place, these are the SyOps (Security Operating Procedures). Where critical information is involved these SyOps may need to be rather detailed to ensure the correct level of protective measures are being applied. It is not good enough to leave things to chance, when something happens people need to know what to do. There may be many documents that may form the SyOps, typical examples may be

– Acceptable Use Policy (AUP), which documents acceptable use of IT equipment
– Incident Response Procedure, outlining key persons and responsibilities in the event of a security incident, and the steps to be taken.

– Forensic Readiness Plan, which will outline the process for isolating an incident and the information to be gathered to protect the chain of evidence.
There are many more that could be applicable, but every system is different and a judgment is required with respect to what is appropriate and proportionate for the system in place.

Lakestyle is able to work with customers to produce and review the SyOps, and ensuring where applicable that the controls align with the Cabinet Office Security Policy Framework

Strategy Guidance

Business face challenges, perhaps reducing costs whilst ensuring that the security risk profile is unaltered. Lakestyle is well versed in the whole sphere of architecture skills, and is able to guide the client via feasibility studies, with respect to architecture options to solve the business problem.
Lakestyle is able to elicit requirements from stakeholders, and present the strategy of how these requirements can be implemented over the project life cycle. This will help the client gain an early understanding of the project costs.