C3IA Solutions Ltd is an ICT and Information Security company based in Poole. A large part of their work is with Government and Defence. Most of the cyber team are NCSC-certified professionals working in risk assessment and risk management, and in applying Government and MoD security guidance and policies to projects and programmes that are building new capability.
Noel Hannan from C3IA Solutions discussed cyber security and working with HMG during this month’s SWCSC Network Meeting.
Working with HMG – Challenges and Opportunities
- Many challenges and opportunities for small companies
- Minimum standards: Cyber Essentials and Cyber Essentials Plus – neither should be onerous for a small company to achieve, as both describe very basic practice. Cyber Essentials is a self-assessment questionnaire; Cyber Essentials Plus adds an independent external assessment of the organisation's IT infrastructure.
- Trusted organisations can be very successful within HMG, but be prepared to invest both time and money
- Upgrading physical security to the following levels: List X (required to hold SECRET and above on your own premises) and List N (required for OFFICIAL-SENSITIVE: SENSITIVE NUCLEAR INFORMATION, O-S: SNI)
- Employee vetting: National Security Vetting – BPSS (Baseline Personnel Security Standard), CTC (Counter Terrorist Check) and DV (Developed Vetting)
Understanding the Government Security Classifications (which replaced the Government Protective Marking Scheme)
- Introduced in 2014
- Three formal Tiers
- OFFICIAL, SECRET, TOP SECRET
- OFFICIAL-SENSITIVE is a handling caveat on OFFICIAL and was never meant to be a formal Tier; however, over time it has become a de facto Tier and now carries the majority of routine HMG data
- To work with HMG you MUST be able to routinely communicate at OFFICIAL-SENSITIVE
Creation, Transmission and Processing of Data at OFFICIAL-SENSITIVE
- Need access to MODNet and to the Assured Land Intranet (ALI)
- DCPP (Defence Cyber Protection Partnership) cyber risk levels are required; these are a step up from the Cyber Essentials standard
- Secure Communities Working – Sopra Steria laptops, which can be rented
- Check that you have the correct route for an OFFICIAL-SENSITIVE document before creating or sending it
- Work to build standards for User Access Devices – appropriate data-at-rest encryption, appropriate data-in-transit encryption, and hardening to NCSC standards
- Accreditation required for all systems processing HMG information
- CyDR – Cyber Defence and Resilience
- DART – Defence Assurance and Risk Tool