Due to the sensitive nature of the work undertaken, BladeSec IA Services Ltd. cannot usually disclose any details, however, we have specific experience in the following areas:-
- Implementing the standard government approach to information assurance by applying the Cabinet Office's Security Policy Framework (and historically, the Manual of Protective Security);
- The accreditation of information systems. This has included legacy, standalone, complex and widely networked systems in criminal justice, devolved government and agencies. Recent experience has seen us utilise G-Cloud and public cloud to delivery government and criminal justice services;
- Performing risk assessments using HMG IS 1 version 2, HMG IA Standard 1 version 3 and HMG IA Standard 1/2 version 4. Performing upgrades between the various versions. Translating risk assessments into English for presentation to C-level executives;
- The development of risk balanced cases and security cases in accordance with HMG IS1 Part 2 or HMG IS1/2. Defining and implementing suitable countermeasures to mitigate risk to an appropriate level;
- Development of cost effective or cost limited Risk Management and Accreditation Documentation Sets (RMADS) in accordance with HMG IA Standard 2 version 3 or HMG IA Standard 1/2 version 4;
- Development of Security Operating Procedures (SyOPs). Over the years, some of the more interesting ones have included:-
- Security Incident Management;
- Background and Identity Checks;
- Mobile and Home Working;
- Line Managers' Responsibilities;
- Forensics Readiness; &
- Asset Classification and Handling.
- Technical Design Authority including network design using assured barriers. This has included:-
- Remote access solutions in compliance with GPG10 (including the use of bootable media);
- Protecting government networks from the Internet in accordance with GPG8;
- Authentication in accordance with HMG IS7;
- Mobile e-mail solutions (historically, just BlackBerry devices, but more recently the End User Device Strategy); &
- Protective monitoring policies aligned to GPG13.
- Interpretation of Codes of Connection for organisations linking to a trusted community:-
- The Public Services Network (PSN);
- Criminal Justice networks such as the CJX and the PSN for Policing at all levels; &
- Legacy GSi connections including xGSI, GSX and GCSX as well as the migration to GCF.
- Technical assurance requirements such as IT Health Checks that cover:-
- Scoping using different techniques such as sampling, intelligence led and full;
- Interpretation of results to provide a context and defence-in-depth;
- Systems under development to ensure acceptable "end-to-end" testing; &
- Technical evaluations of cloud architectures using traditional IT Health Checks and other mechanisms to ensure appropriate pre-live and in-life assurance.
- Advising commercial organisations on the supply of goods and services to HMG.
- Contractual negotiations between HMG and the commercial organisations.
- Corporate management of risk and the evaluation of an appropriate level of risk appetite.
- Safeguarding the Critical National Infrastructure of the UK including Sensitive Nuclear Information (SNI) for "List N".
- Complying and certifying with ISO/IEC 27001. This includes the application of the Baseline Control Set (as defined in HMG IS1/2) at various levels.
- Handling of legacy Government Protective Marking Scheme (GPMS) information and developing proportionate handling instructions.
- Assisting in the transition and migration to the new Government Security Classification Policy including specific handling instructions for staff to prevent the unauthorised disclosure of information;
- Background and identity checks of staff as well as the detection of fraudulent documentation.
- The development and generation of security, education, awareness and training (SEAT):-
- HMG IS1, RMADS and Accreditation (Owen was the original author of the widely acclaimed Sapphire course.);
- Computer forensics; &
- General information assurance awareness education including induction, SyOP and refresher training.