05 Jul 2017

Building Information Assurance into the heart of your projects

A full lifecycle IA approach for suppliers and buyers 

Information Assurance (IA) is now a well-established countermeasure to the growing cyber threat that all organisations and citizens face. The UK Government’s new Cyber Security Strategy 2016-21 is testament to the importance we should all afford the issue.

This importance is particularly applicable to the defence sector. For some time, the Government has insisted that all its suppliers conform to the new Cyber Essentials Scheme (CES). This went up a gear in April 2017 with the Ministry of Defence’s (MOD) launch of the Cyber Security Model (CSM). To be compliant, the MOD supply chain will now need to have Cyber Essentials or Cyber Essentials Plus and information security governance policies in place. 

While schemes and standards like CES and ISO27001 are a good start, in practice IA isn’t always integral to our working practices and systems. Often we pay lip service to it or add it as an afterthought. In major defence projects, especially ones that involve sensitive information, this is just not acceptable. IA must be built in all the way through.

IA Inside from Ascentor is designed to help buyers and suppliers do exactly that – making IA holistic, integrated and effective throughout the project lifecycle.

Caption: IA Inside: designed to integrate Information Assurance into the four main lifecycle phases of every project


“In over a decade of working with public sector buyers and suppliers, we have rarely seen a joined-up approach to IA. At best it’s fragmented, at worst it’s missing altogether. Bolting IA on at the end just isn’t viable so we’ve come up with the IA Inside concept to help all the actors on the IA stage.” Dave James, Managing Director of Ascentor

Here’s how it works:

IA Inside for Buyers

Specification Phase

Identifying information risks and protecting your information should not simply be a question of conformance to policy; it is good business practice. The earlier you analyse your requirements the better, so you can embed them in the specification and lay the foundation for a robust approach to securing your information.

Procurement Phase

Once the specification contains IA requirements, it’s important to give them focus and weight during the procurement phase. The Invitation to Tender (ITT) could highlight IA by setting scored questions seeking both the supplier’s IA approach to the project and the supplier’s corporate IA credentials.

Buyer Benefits

Building IA into the heart of your projects will save you money and reduce risk. Remember the principles of Total Quality Management and structured software engineering? Defects found early in the process are easier and quicker to fix, and therefore cheaper to fix, than those found later. It makes perfect sense, so why not do the same for IA?

MOD Benefits

IA Inside would help the MOD assess and specify its information risks, and ensure they are handled in accordance with JSP440 and to the satisfaction of the accreditor.

 

IA Inside for Suppliers

Tender Phase

As IA increases in importance and starts to feature explicitly in ITTs, suppliers treating IA seriously will be in a stronger position. When IA is implicit, hidden or missing altogether, suppliers can often treat it as something to ignore or trade off in favour of lower cost, taking a “we’ll worry about it later if we win” attitude. With IA Inside, this won’t work any longer.

Delivery Phase

By the time delivery commences on an IA Inside project, the IA elements will be built into the approach. Suppliers will need to deliver on their promise rather than go back to the drawing board when IA is mentioned.

Supplier Benefits

IA superiority is starting to count. Having robust IA from both a business and project perspective should enable you to build competitive advantage. You may also save money as you will enter the delivery phase with IA well-defined and budgeted, so there will be no risk of you having to add functionality from your contingency fund.

 

This article was submitted by Dave James, MD of Ascentor. Ascentor provides support and guidance to public sector organisations and departments that have very high value and sensitive information assets. www.ascentor.co.uk

The post Building Information Assurance into the heart of your projects appeared first on Defence Online.