I certify that the material contained in this dissertation is my own work and does not contain
unreferenced or unacknowledged material. I also warrant that the above statement applies
to the implementation of the project and all associated documentation. Regarding the
electronically submitted version of this submitted work, I consent to this being stored
electronically and copied for assessment purposes, including the Department’s use of
plagiarism detection systems in order to check the integrity of assessed work. I agree to my
dissertation being placed in the public domain, with my name explicitly included as the author
of the work.
Date:
Signed:
SCC.420: MSc Dissertation
Necessary and proportionate Cyber-Risk Management for Policing
Jason Corbishley 31961006
TABLE OF CONTENTS
Abstract ................................................................................................................................................... 4
1.0 Introduction ...................................................................................................................................... 4
1.1 Legislation considerations............................................................................................................. 5
1.2 National police Chief’s Council strategic vision ............................................................................ 5
1.3 National Police Delivery ................................................................................................................ 6
1.4 Cultural perspectives in national policing ..................................................................................... 7
1.5 National government supporting each other ............................................................................... 8
2.0 Background to Information Security in Policing ............................................................................... 9
2.1 National government strategy ...................................................................................................... 9
2.2 Legislation implications ............................................................................................................... 10
2.3 Cultural considerations ............................................................................................................... 11
2.4 National police governance overview......................................................................................... 12
3.0 Development of Cyber-Security in Policing .................................................................................... 14
3.1 Cyber-Risk Management Methodology Design & Development ................................................ 15
3.1.1 Principles .............................................................................................................................. 15
3.1.2 Security by Design ................................................................................................................ 16
3.1.3 National Police Cyber-Security Model ................................................................................. 17
3.1.4 Legislation and Policy Landscape ......................................................................................... 21
3.1.5 Confidentiality, Integrity, Availability (CIA) .......................................................................... 23
3.1.6 People Process Technology .................................................................................................. 24
3.1.7 Cyber-Risk Management Methodology ............................................................................... 25
4.0 Implementation of Cyber-Risk Management in Policing ................................................................ 39
The cyber-risk management baseline is essential for national policing to identify police force readiness via a common model of the maturity states across national policing. This required a 2 phase approach: ......... 39
4.1 Police Baseline Cyber Maturity ................................................................................................... 39
4.1.1 Force pre engagement questionnaire.................................................................................. 39
4.2 Cyber-Risk Management Methodology Elements & Security Model ......................................... 42
4.2.1 Phase 1: Risk Management and Accreditation Strategy ...................................................... 43
4.2.2 Phase 2: Business Impact Assessments ............................................................................... 43
4.2.3 Phase 3: Threat Assessments ............................................................................................... 43
4.2.4 Phase 4: Inherent Risk Assessment...................................................................................... 44
4.2.5 Phase 5: Scenarios................................................................................................................ 46
4.2.6 Phase 6: Security Model Control Development ................................................................... 48
4.2.7 Integration into the Architecture ......................................................................................... 48
4.3 Cyber-Risk Management Security Model Local Force assessment ............................................. 48
4.3.1 Force Engagement Plan ....................................................................................................... 48
5.0 Evaluation of Cyber-Risk management Methodology & Model ..................................................... 51
5.1 Policing Cyber Maturity baseline ................................................................................................ 51
5.2 Policing Cultural perception of Cyber-Risk ................................................................................. 51
5.3 Policing Cyber-Risk Management Methodology......................................................................... 52
5.4 Cyber-Risk Management Security Model for Policing ................................................................ 53
5.5 Cyber-Risk Management as Business as Usual ........................................................................... 53
6.0 Conclusions ..................................................................................................................................... 54
APPENDIX 1 Pilot 12 force questions .................................................................................................... 58
APPENDIX 2 Developed 43 force questionnaire ................................................................................... 68
APPENDIX 3 Ethics Form ....................................................................................................................... 74
Bibliography .......................................................................................................................................... 80
ABSTRACT
The purpose of this project is to provide UK policing with a workable methodology and model for the
management of cyber-risk. The project will explore the cultural challenges facing decision making in
relation to cyber-security and how a centralised cyber-risk assessment can provide a security model
for the implementation of SaaS. The paper will also provide a cyber-security approach to architectural
design, ensuring that cyber-risk management is not an afterthought that can impact policing financially
or expose policing to unmanaged cyber-threats. The project will consider the influences facing
policing and its approach to cyber-risk management. The project will use information gathered as part
of a readiness assessment to form a baseline of maturity, with the outputs of the project delivering an
end to end process including delivery. The proposed methodology will provide policing with a
structured approach to cyber-risk management and its implementation through a common security
model to be adopted by all police forces.
The cyber-risk management methodology is a structured approach derived from ISO 27001 and ISO 27005,
and its implementation is explained within the project. A security model for the support of
architectural design is also explained, as is its implementation. The implementation is described;
however, the phased approach proposed still makes reference to a cyber-maturity assessment tool
which is still under development.
1.0 INTRODUCTION
Information risk management and the growing integration of cyber related business processes in
policing have highlighted the need to consider how cyber-risk management is conducted at both
national and local levels of policing. This paper will consider the readiness state of national policing in
relation to cyber-risk management, as well as assessing the problem of no formal methodology being
available to use. The intended goal is to provide cyber-security operatives, as well as technical design
and implementation resources, with a cyber-risk management methodology to efficiently and
effectively manage cyber-risk, with an additional structured security model as part of the process to
support architectural technical design and implementation.
Risk management is not new, and therefore we must consider how cyber is demanding change from
the existing approach to traditional risk management principles and techniques. This is supported by
early research into assessing the risk of cloud computing environments (Albakri, 2014). The design
phase of this dissertation will consider the core management principles and suitable frameworks
which will offer policing an end to end cyber-risk management methodology and cyber-security model.
My objective is to propose a methodology to policing which will allow cyber-security risk management
to support architectural technical design in mitigating areas of identified cyber threats, and a security
model to support architectural technical design.
Technical innovation is developing at pace, with public sector and private companies aligning their
strategies to ensure that services and goods supplied integrate with the technical change being
provisioned. Future technical innovation and development investment is focused on cloud
infrastructure, with a decline in on premise infrastructure innovation as we move towards 2020.
Therefore it is imperative that national policing has a mechanism to manage all assets and identify which
assets need to remain under tight risk management control on premise. However, this is likely
to become a minority of systems managed by specialist product suppliers, with ‘cloud first’ becoming
the norm (Gartner, 2016).
1.1 LEGISLATION CONSIDERATIONS
Both public sector and private business are facing a growing threat from fines in relation to
information security, with many organisations considering insurance against cyber-security breaches.
Therefore it is critical for policing to be in a position to identify any breach in information security or
wider cyber-security, to protect policing from cashable risks such as fines but also from non-cashable
penalties such as reputational impact (Ogut, 2011). This reinforces the perception that risk should be
mitigated in full, with budget pressures providing a foundation of fear in relation to cyber which in turn
fuels a perception that legislation ensures cyber-risk is not taken.
It would not be practical to attempt a comprehensive end to end cyber-risk management
exercise for national policing, as this would quickly go well beyond the scope of this work.
However, we can select a programme which is intending to utilise commercial Software as a Service
(SaaS) and consider how a cyber-risk management methodology and a security model can be
implemented as an enabler for wider organisational change.
- An Identity Access Management (IAM) platform - to enable user access to local, regional and
national information, networks and applications, including cloud services, in an efficient and
effective manner.
The three deliverables are shown with their integrating elements in figure 1 below:
Figure 1.2.1 SaaS National Enabling Programme
It is important to note the operational productivity benefits and the vision, which is taken from the
Police Vision 2025, and that the National Enabling Programme is not a technical delivery programme
in its own right. It is therefore essential that cyber-risk management and the development of a security
model give policing the assurance that information, data and technical infrastructure are adequately
risk managed (National Police Chiefs Council, 2016).
To underpin the delivery of the technical design and the wider specifications there needs to be a risk
assessment of the products being proposed, as well as acceptance that locally within each force
there is a varying level of cyber and technical maturity. In order to achieve this, the approach proposed
is structured to deliver a comprehensive risk managed output that will inform the technical design. In
order to achieve this a baseline is needed, as is a new way of working for cyber-risk management in
policing, as shown in figure 1.3.1 below:
therefore is it realistically achievable to gain a comprehensive assessment of the risks that are
presented from the Internet? The discussion within this dissertation will start to address how a cyber-
risk management methodology can allow policing to develop a cyber-risk model allowing the
consumption of commercial SaaS with increased confidence and assurance.
Changes to legislation and government policy also impact how risk and accreditation are perceived and
understood. The General Data Protection Regulation (GDPR) became effective in May 2018, with
amendments being made to the UK Data Protection Act to provide the updates required to meet the
legislative change for GDPR (Information Commisioners Office, 2017). Whilst the introduction of GDPR
will bring added complexity to cyber-risk management, the legislation has a
larger implication for policing. Policing is built on the intelligence it gathers on individuals, and
therefore data classification becomes more complex as separate layers of control are needed in
order to ensure identified risk is managed effectively. The analysis and baseline for the monitoring of
process and procedure will allow technical design to identify the requirements from cyber-risk
management, and the findings within this paper will allow a more structured approach to design and
the architecture of systems.
Influencing any change in an organisation is challenging. However, this paper will propose a change to
how cyber-risk is managed nationally across policing. This will be challenging, and resistance to change
in the community will make the task somewhat more difficult without a full
understanding of what is currently in place and its limitations. This raises the question of decision
making and the power associated with managing the output of risk. Is the challenge related to how
we manage risk or the outputs that allow change to progress? It is critical that existing developers of
process and policy do not become entrenched in their thinking. The National Health Service recently
found itself at the mercy of a cyber-attack resulting in life threatening consequences, which is said
to have been caused by out of date equipment which was not being maintained. This position was
born not from a lack of will to update systems and applications but from funding and decision making within
NHS management (Leydon, 2017). This issue will be addressed throughout the paper, in particular
how cyber-risk management can develop a process, with changes to the culture of risk management,
to assist policing in delivering a cyber-risk management function for policing.
The National Police Information Risk Management Team (NPIRMT) does not believe that guidance
produced by the Government Digital Service or the National Cyber Security Centre (NCSC) is relevant to
Policing. In addition, the National Police Information Risk Management Team does not accept
that guidance produced outside of Policing is specific enough, choosing instead to implement policy
and additional guidance specifically for Policing. This presents additional complexity for Policing and
increases the confusion for technical design, policy and procedure development, as well as limiting
operational solution design.
National policing therefore does not have a framework for the management of cyber-risk or a security
model to support architectural design. My proposed process will allow policing to define the risk
management, accreditation and security process that will bring clarity to the actions needed to allow
policing to deliver strategic operational changes supported by an enabling cyber-risk management
process. The production of technical architecture design will be developed with a security perspective
from the start identifying mitigation to cyber-risk.
The objective is to ensure cyber-risk management is used as an enabler of transformation and not
used as a reason not to progress or make change within the provision of technical infrastructure for
policing. This will be explained throughout the discussion within this dissertation to ensure that
‘Defense in Depth’ is achieved from cyber-risk management and the delivery of technical design. This
paper will propose a cyber-management approach for national policing that can also be used for the
provision of local systems within a police force.
However, the proposed methodology cannot be evaluated in isolation, and there is a need to consider
the capability readiness of forces and their current cyber-maturity before any implementation.
Therefore the implementation of change will also be briefly covered, where a cyber-assessment will
be undertaken in relation to policing’s capability to take on a structured cyber-risk management process
and a security by design approach. It is, however, essential that more than technical design is considered,
and a more holistic approach including people, technology and process will contribute to the structure
of the proposed approach to ‘Cyber-Risk Management for Policing’.
This paper will therefore propose a cyber-risk management methodology supported by the
implementation of a cyber-risk security model for national policing. Within the development and
implementation the influencing factors that are shaping change will be considered. The conclusion
will identify the successes of the implementation as well as the remaining challenges faced in the ever
changing threat landscape that cyber is producing.
preventing the use of Internet for services other than standard browsing, and defining a direction of
self-hosted solutions and the associated cost parameters that are attributed to provisioning data
centers locally and the skills needed to support them.
National government technical strategy is more mature than it has ever been. Government Digital
Services (GDS) has provisioned the Technology Code of Practice (Government Digital Services, 2017),
which provides a code of practice for all government departments in relation to the design, provision and
purchase of technical systems. Some clear elements of guidance are included: ‘Use Cloud First’
(Government Digital Services, 2017) provides a clear set of guidelines, supported by National
Government policy, for the consideration of cloud technology in all deployments. Cloud is defined as a
solution or system which utilises the internet to facilitate access to the service or solution
(Government Digital Services, 2017). The Government Digital Service (GDS) makes a number of
sensible and basic recommendations for good reason, specifically defining user needs (Government
Digital Services, 2017). This may seem obvious, but national and local policing has a habit of defining
the solution it wants based on the advice provided by the supplier to a senior executive who has little
or no expertise in the delivery of technical solutions. This is a common example of the cultural
challenges faced.
National Police Chiefs Council (NPCC) has established a strategic Policing Vision 2025 that outlines how
Policing will change to meet the changing demand placed upon its resources through the next 10 years.
(National Police Chiefs Council, 2016). This strategy places a firm focus on the use of technology to
assist in the transformation and development of Police business process recognizing that digital
integration is critical to meet the policing needs of communities. A particular aspect of the strategy is
focused on collaboration between police forces and partner agencies. Examples are local authorities
and National Health Service (NHS) for the support of operational business process change and to
deliver the ability to share information and data electronically with necessary and proportionate
controls in place. This is a step away from the current thinking in policing, that placing documentation
inside two envelopes provides the necessary security that is required for policing data.
These strategic statements support the need for necessary and proportionate cyber-risk management
to ensure that risk management doesn’t design out functionality for operational policing and erode
business benefit. The existing policy and procedure in relation to data sharing would prevent the
sharing of documentation without cumbersome manual process, however the future can be more
controlled in allowing the sharing of documentation but using risk based technical controls to track
and monitor how documents are being consumed. The strategic vision will maneuver risk
management from being someone else’s problem to a key element in providing a solution to the
Policing Vision 2025.
These roles in policing are changing, however the operating model must also change or policing will
find it has a large number of manual data management processes and skills attempting to manage
cyber-solutions and the new risks that are faced when providing similar assurance to the storage of
data in the future.
Ever changing legislation is not something new; however, the General Data Protection Regulation (GDPR)
has thrown policing data protection officers into a frenzy of solutionising. GDPR places firm
responsibility with the Senior Information Responsible Officer in each force and has required updates
to the Data Protection Act (Information Commisioners Office, 2017). However, this has resulted in all
police forces trying to solve the same problems in their entirety. GDPR is a living regulation, which
means that changes and updates will be made to ensure the regulation remains valid as technology
and data storage change (Information Commisioners Office, 2017). However, the current position in
police forces differs based on the technical maturity of each organisation. Therefore it is not practical
to attempt to solve all aspects of GDPR with a single implementation of technology without a clear
central strategic approach to ensuring that the correct risks are identified and mitigated with the
implementation.
2.4 NATIONAL POLICE GOVERNANCE OVERVIEW
The decision making structures for national policing are built on a hierarchical structure in which
Chief Constable leads for areas of delivery come together to form the NPCC. This
structure has allowed a governance structure to be established which links Information Assurance
(the Security Design Authority), the Operational Requirements Board (the Business Design Authority) and the
National Police Technology Council (NPTC, the Technical Design Authority). This structure has
proven to surface the challenges faced with new legislation and the boundaries between risk based decisions
and technical decisions, which are further complicated by individuals sitting within multiple governance
groups.
Figure 2.4.1 on the following page represents the governance structure and the segregation of
security based auditing and risk assessment from the technical delivery of design and architecture. The
NPTC has established an Infrastructure Working Group to ensure that technology solutions being
implemented are designed and documented to a set of standards that ensure any solution
implemented is necessary and proportionate, and that the security controls defined as part of the
implementation contribute to the mitigation or removal of identified risks. This can only be
achieved if the risk is understood and is legitimate, with a representative score before and after the
control is applied. This approach has caused some controversy, as the previous processes allowed local
and national technical delivery teams to develop designs in an ad hoc way with no common process
or methodology.
Figure 2.4.1 Governance structure
As previously mentioned, there are many existing risk management methodologies, each with tooling
and mechanics to assist the practitioner with calculating risk. National policing therefore had to
consider the following 2 options:
- Utilise an existing risk management methodology and develop outcomes from this existing
end to end process.
- Consider and evaluate existing risk management methodologies and determine if industry
best practice, complemented by selected outputs from existing methodologies, will supply
national policing with its own interpretation of a usable methodology.
The design will therefore propose a methodology to address cyber-risk management in policing. This
will provide a methodology to support architectural design by selecting industry based best practice,
while ensuring that the elements selected to form the methodology are not in themselves over
engineered.
3.1 CYBER-RISK MANAGEMENT METHODOLOGY DESIGN & DEVELOPMENT
3.1.1 Principles
The design of a methodology for national policing requires that a number of specific considerations
and guiding principles are defined ahead of the development of the methodology. The principles
proposed all align to develop a methodology to assist in the delivery of the National Police 2025 vision
(National Police Chiefs Council, 2016).
The principles will contribute to the management of over engineered perceptions of cyber-security
threats. The general media reports on the new risks from cyber-security threats and relies upon the
lack of understanding and knowledge of the general public to ensure that breaches are presented with
a perspective that fuels an escalation of the vulnerability. It is therefore essential that the proposal
addresses this potential misconception by defining principles which will challenge the risk position
of those who are not well informed or knowledgeable in this area. This point is supported by
Baskerville (1991, p. 123), where the argument is made that perception is based on recent risk
implications and knowledge which is developed from situational awareness such as the media and the
press.
It is therefore essential that the proposed principles are not generated in isolation. Through
collaborative working with the NPTC and the National Police Information Risk Management Team
(NPIRMT), a number of key accreditation principles are proposed to best achieve the accreditation
objectives and ensure legitimacy in the proposed approach. The principles proposed are pitched at a
high level intentionally, to provide a guide for cyber-risk management. This is supported by
Kauspadiene (2017), where providing high level principles can contribute to the success of cyber-risk
management methodologies. The principles used to develop the methodology are shown in figure 3.1
below:
Figure 3.1
Critical to the successful acceptance of the methodology is a practical process that can be used by
both national and local cyber-security practitioners.
Clear and Intelligible:
- The production of any risk management methodology must be clear and easily understood,
accepting that there will always be differing levels of knowledge and awareness of cyber-risk
management; the output should be fully aware of this and make the associated allowances.
Organisation Agnostic:
- The cyber-risk management methodology should not be created with a single police force as
the outcome. The delivered set of tools and processes should be capable of being mapped to
all police forces working on the assumption that policing is not a separate set of deliverables
as required, but a service with local devolution and therefore a common approach to cyber-
risk management is achievable.
Flexible:
- The methodology should be flexible and be agile enough to change according to change in the
cyber-landscape.
Single process:
- All forces should use the same process. There should be no need to alter the process from
force to force.
Clear delineation of national vs regional risk management:
- It is recognised that there are responsibilities and accountabilities for those who are
responsible for the cyber-risk associated with assets that police own. Therefore the
methodology should provide a mechanism for the management of both local and national
cyber-risk.
Necessary and proportionate:
- It is critical that cyber-risk management is not over-thought or susceptible to media influence.
The National Cyber Security Centre provides a wide range of information and guidance in
relation to cyber-risk management; however, at times the publications in relation to threat
intelligence are not proportionate to the likelihood of the occurrence materialising (Martin, 2018).
This is a particularly important point that will shape the overall methodology.
Cost and time effective:
- The methodology should not be a process which never reaches any conclusion. It should be
effective in delivering an output as well as being cost efficient in terms of effort required to
undertake the process. The total cost of operation should be proportionate to the risk being
managed.
Repeatable and replicable:
- The methodology should produce a process that can be repeated as the cyber-risk
management landscape changes. Therefore the process should result in a position where
organisations must always start from scratch and define a baseline.
emphasise the importance and cost implications of getting a design, and worse the implementation
of a complex technical programme wrong resulting in an increase to cyber-risk for policing.
There are many examples, both locally and nationally, of technological systems being developed with
security controls being considered only after the design phase of the project has concluded. Historically
the requirements of a system and the architectural design were developed and, when concluded, were
passed to the security architects and information-security teams for accreditation. This usually
highlighted areas of risk that had not been considered due to financial or time constraints, resulting in
delays to implementation or significant rework relating to re-design.
NCSC (National Cyber Security Centre) is the group within the Government Communications
Headquarters (GCHQ) that supports government departments to manage their own information
security. The role of NCSC is to provide guidance and advice in relation to the risk management of
cyber and tools for design and architecture implementation. NCSC has set out a thorough set of
‘Security by Design’ guidelines for securing digital solutions in order to guide government departments
to build solutions both resilient to attack as well as easy to use. The intended goal is to “enhance
security without impeding the proper use of your service.” (NCSC, 2016)
Therefore ‘Security by Design’ has been developed throughout this proposal in order to support and
guide the development of architectural implementation providing the best opportunity to secure
services to Government standards. To support the development the NCSC best practice guidelines will
allow security requirements to be identified, prioritised and designed in an agile manner to meet the
strict time demands of operational change from Policing.
‘Security by Design’ is an approach that embeds security from the conception through to
the final delivery of any potential solution. This approach is based upon NCSC best practice guidance
covering how to securely build and implement digital solutions. It is therefore critical that a core
principle of interconnecting cyber-risk management with architectural design is adopted to limit
any duplicated effort or re-engineering of technical solutions, which would result in additional cost or
re-work.
Therefore, in order to consider an end-to-end process, the proposed cyber-risk management
methodology must provide a means to produce a security model. The security model is therefore an
output of the architectural process provided by ‘Security by Design’.
- The Inherent Risk Assessment needed a set of user scenarios or journeys in order to validate
the necessity of a security control; technical architects therefore required an
understanding of where the risk or mitigation applied.
- To identify whether the control relates to People, Process or Technology.
The National Institute of Standards and Technology (NIST) has developed a cyber-security framework
to assist in improving cyber-security risk management following the 2013 executive order issued
by the US government. (USA Gov, 2013) The framework allows practitioners to adopt a series of
processes and procedures to achieve a risk-assessed position utilising an adaptive and flexible
approach that will meet the cyber-risk awareness that policing requires. The NIST framework
recognises that no one process will suit all organisations, a key element identified by national policing
and discussed within the background section of this paper. The NIST cyber-security framework
therefore allows core traditional risk management methodologies such as ISO 27005 to be adapted
to meet the needs of an organisation (NIST, 2014, p. 6) whilst allowing policing to adapt the process
to meet its needs. This approach is supported in a recent article within Network Security. (Aminzade,
2018)
The NIST framework provides a set of tools to help organisations achieve the cyber-risk management
outcomes needed to mitigate cyber-security risk. It is important to identify that the framework is not
intended to identify or assess risk, but it allows the mitigation controls to be presented in a clearly
identifiable way, ensures that these can be attributed to a NIST function, and lets an organisation
identify where risk may exist. This supports the earlier discussion where perceived risk can in itself be
more risky than the actual risk, specifically by diluting any necessary and proportionate approach being
taken to cyber-risk management.
The NIST Framework focuses on using business drivers to guide cyber-security activities and behaviours
whilst considering cyber-security risks as part of the wider national policing cyber-risk management
process. An attractive benefit of using the NIST Framework is that it acts as an enabler to communicate
technical architecture security controls in an accessible and coherent business manner that can be
understood by all involved with wider overall risk acceptance. The NIST Framework consists of three
parts:
- Framework Core
- Framework Profile
- Framework Implementation Tiers (NIST, 2014)
The Framework Core is a set of cyber-security activities, outcomes, and informative references that
are common across critical infrastructure sectors providing the detailed guidance for developing
individual police force profiles. Through use of the profiles the framework will help national policing
align its cyber-security activities with its business requirements, risk tolerances, and the resources
available. (NIST, 2015)
The rationale for choosing this framework is that it enables organisations, regardless of size, degree of
cyber-security risk, or cyber-security maturity, to apply the principles and best practices of cyber-risk
management to improve the security and resilience of policing critical infrastructure. The framework
will provide policing with structure for today’s multiple approaches to cyber-security and awareness
by assembling standards, guidelines, and practices that are working effectively across industry today.
In addition, because it references globally recognised standards for cyber-security, the framework can
serve as a model for international cooperation on strengthening critical infrastructure across policing.
The framework is not a one-size-fits-all approach to managing cyber-risk for critical
infrastructure. Policing will continue to have unique risks with different threats, different
vulnerabilities, and different risk tolerances; however, the implementation of the practices in the
framework will vary based on specific needs over and above those needed for SaaS. Police forces can
determine activities that are important to critical service delivery and can prioritise investments to
maximise the impact of each area of spend. “Ultimately, the framework is aimed at reducing and
better managing cyber-security risks through the use of cyber-risk management.” (NIST, 2014)
The NIST cyber-security framework (NIST, 2015) reference tool represents the framework ‘Core’,
which is a set of cyber-security activities with desired outcomes and applicable references that will
provide policing with a common approach. This use of industry standards, guidelines, and practices
allows for the communication of cyber-security activities and outcomes across policing. The
Framework ‘Core’ consists of five concurrent and continuous Functions - Identify, Protect, Detect,
Respond and Recover. (NIST, 2014) When considered together these Functions provide a high-level
strategic view of the lifecycle of cyber-security risk. The framework ‘Core’ then identifies underlying
key categories and subcategories for each function, and matches them with example informative
references such as existing standards, guidelines, and practices. (NIST, 2015)
The framework provides a common language for understanding, managing, and expressing cyber-
security risk both internally and externally. It can be used to help identify and prioritise actions for
reducing cyber-security risk and it is a tool for aligning people, process and technological approaches
to managing these areas of risk. It can be used to manage cyber-security risk across policing but the
methodology presented within this paper can be extended beyond SaaS as desired.
The framework ‘Core’ provides a set of activities to achieve specific cyber-security outcomes and
references examples of guidance to achieve those outcomes. The ‘Core’ is not just a checklist of
actions to perform. It presents key cyber-security outcomes identified by industry as helpful in
managing cyber-security risk. (NIST, 2014) The ‘Core’ comprises four elements:
- “Functions
- Categories
- Subcategories
- Informative References, depicted in the infographic below” (NIST, 2015)
In order to manage the desired output of improving national cyber-security awareness through a local
approach, cyber-capability assessments and maturity assessments based on the NIST categories
Identify, Protect, Detect, Respond and Recover are being developed outside this paper. This
cyber-maturity assessment will be key to the initial implementation of the overall methodology within a
police force.
To support the development of how the NIST categories fit with policing, a number of user scenarios
were developed to support their legitimacy; these are shown in figure 3.2 below.
The five framework ‘Core’ functions are defined below. These functions are not intended to form a serial
path, or to lead to a static desired end state. Rather, the functions can be performed concurrently and
continuously to form an operational culture that addresses dynamic cyber-security risk.
- Protect – “Develop and implement the appropriate safeguards to ensure delivery of critical
infrastructure services”. (NIST, 2015) The ‘Protect’ function supports the ability to limit or
contain the impact of a potential cyber-security event. Examples of outcome Categories within
this Function include:
o Access Control
o Awareness and Training
o Data Security
o Information Protection Processes and Procedures
o Maintenance
o Protective Technology
- Detect – “Develop and implement the appropriate activities to identify the occurrence of a
cybersecurity event.” (NIST, 2015) The ‘Detect’ function enables timely discovery of cyber-
security events. Examples of outcome categories within this function include:
o Anomalies and Events
o Security Continuous Monitoring
o Detection Processes.
- Respond – “Develop and implement the appropriate activities to take action regarding a
detected cybersecurity event.” (NIST, 2015) The ‘Respond’ function supports the ability to
contain the impact of a potential cyber-security event. Examples of outcome categories within
this function include:
o Response Planning
o Communications
o Analysis
o Mitigation
o Improvements
- Recover – “Develop and implement the appropriate activities to maintain plans for resilience
and to restore any capabilities or services that were impaired due to a cybersecurity event.”
(NIST, 2015) The ‘Recover’ function supports timely recovery to normal operations to reduce
the impact from a cyber-security event. Examples of outcome categories within this function
include:
o Recovery Planning
o Improvements
o Communications
This policy statement implies a change in government risk appetite and a change from the
embedded culture that security is better if provisioned on premise in a semi-closed network. Recent
research into critical national infrastructure supports a change in the approach to considering risk
management. Police infrastructure is classified as critical national infrastructure. A US executive order
signed in 2013 stated that the “cyber threat to critical infrastructure continues to grow and represents
one of the most serious national security challenges we must confront” (USA Gov, 2013). This
represents a change in the thinking of government, escalating the policy-driven decisions governments
are taking.
The policies that exist largely fall short in terms of providing detail which can be easily mapped to a
Security Model and do not provide the level of detail needed for specific product configurations. For
that reason, the methodology and design have to make a number of key organisational and design
assumptions before a methodology can be considered:
- The existing legislative landscape for police information is complex and is currently considered
as part of the Code of Practice for the Management of Police Information (MoPI).
- The General Data Protection Regulation (GDPR) and the Law Enforcement Directive 2016/680
(or their equivalents post Brexit) will apply to the processing of personal data by the police
with the scope of the GDPR focused on personnel records and non-policing activities.
- Under GDPR and regulation 2016/680, the police, alongside all other organisations processing
personal data will need to comply with a new suite of requirements which in turn will require
a good understanding of data flows within and across systems and effective data management
with the ability to demonstrate compliance with the regulatory requirements.
- The GDPR introduces new, and enhances existing privacy obligations, such as the requirement
to report all data breaches to the regulatory authority (the Information Commissioner’s Office
in the UK) and the obligation to implement ‘privacy by design’ to ensure that privacy is built
into systems and processes from the beginning. (Information Commissioners Office, 2017)
These obligations, combined with the increased penalties for non-compliance bring the
management and use of personal data to the forefront of requirements when considering
how data is processed and managed within police forces across the UK.
- It should be understood that personal data is defined in the GDPR as “any information relating
to an identified or identifiable natural person (‘data subject’); an identifiable natural person is
one who can be identified, directly or indirectly, in particular by reference to an identifier such
as a name, an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person”. (European Union, 2016)
In order to develop necessary and proportionate security controls as an output from the methodology
in practice, and as a foundation for the delivery of ‘security by design’, a number of both local and national
assumptions need to be identified. The list below outlines these key organisational assumptions.
An overarching assumption that this paper accepts is the hugely complex position of
legislation and policy that exists in the UK. However, this position is fundamental to the basis on which
cyber-risk management and security controls are developed and subsequently implemented.
Therefore, there is a critical dependency for any security control suggested for policing on the
following policy being in place:
National Policing:
- Appropriate national policies are in place or recognised as a requirement which can be applied
to each police force and set direction for information asset management and security. This
could include, but is not limited to:
o User Authentication
o Data Retention and Acceptable Use policies
- Effective policies such as the above mentioned are required to support the secure
implementation and subsequent management of SaaS. Without these policies and key
guidelines (such as requirements for setting secure passwords, the retention of sensitive data
types in o365 formats and mobile device protection) the confidentiality, integrity and
availability of police information assets could be threatened. Reasonable assumptions are
therefore needed in order to develop appropriate security controls where there are existing
policy gaps. The policy gaps will be re-visited later in the dissertation as well as the
implications from these gaps.
Local Police Force:
- That there are mature governance practices in place to identify information assets and record
relevant information in an asset register.
- That there is adherence to HMG Security Policy Framework and any subordinate
documentation.
The rapid evolution of cyber-related threats means that no single set of people, process or technology
scenarios or single control will remain effective indefinitely. Therefore any methodology or process
must be able to meet business as usual or business operational requirements as required.
- Police forces, in conjunction with national policing units and partners, will be required to
review the risk landscape regularly and analyse the security controls to assess their robustness in
mitigating threats.
- It is assumed that information no higher than a classification of Official-Sensitive (Cabinet
Office, 2014) will be hosted in SaaS.
It is critical that policing does not attempt to write all the required policy and legislation based on group
perception or individual perception of the policing cyber-landscape.
Figure 3.4
The above Policy Pyramid in figure 3.4 represents the foundation of the proposed approach to how
security controls within the proposed Security Model are identified. All controls are aligned with
current national and supranational legislation. UK government policy (such as GSC) is the second layer
that each control must be consistent with. In the absence of explicit guidance from these sources
further clarification has been sought from local policing policy, NCSC (National Cyber Security Centre)
recommendations or guidance, other government departments such as GDS (Government Digital
Services) and finally commercial best practice. This approach ensures a secure foundation that is
consistent as far as possible with existing legislation and policy, recognising that there are gaps that
will be filled by the use of other sources of information or industry best practice if appropriate.
The levels of maturity of government policy and the need for amendments relating to changes in
technology or changes in wider government policy present a risk which will be discussed further
throughout this paper.
based on fulfilling the ultimate intended goal of achieving a completely risk-free solution for
Confidentiality, Integrity and Availability. So the cultural boundaries of ‘necessary’ and ‘proportionate’
are key when undertaking any activity in relation to technical architecture and wider cyber-risk
management.
The principle of CIA can play a key role in defining a necessary and proportionate approach to ensuring
that cyber-risk management is implemented proportionately.
The challenges associated with identifying cyber-related risk and the link with people, process and
technology will be discussed further when considering the wider outputs from a risk methodology for
national policing, but the success of developing People, Process and Technology into a single delivery
will depend on a change in the cultural approach to ‘Cyber-Risk Management’.
The proposal outlined provides a base management standard drawn from existing published international
standards, providing legitimacy and assurance to the proposed cyber-risk management methodology
implementation. The ISO 27000 family of standards provides this legitimacy and in particular ISO 27005
provides a methodology that could form the base for the proposal. The core requirements
considered are:
Figure 3.5
Figure 3.5 above outlines the product outputs the methodology will produce, as well as the key
stakeholders involved in the process, which aligns with the governance structure discussed earlier in the
‘Background’ section of this paper.
The following provides an overview of the phases involved in the risk management and accreditation
methodology depicted above:
Scope:
- The first stage of the risk management and accreditation process is to define the project
scope. The aims of this phase are to:
o Understand the environment that is to be assured
o Agree definitions of security and accreditation and improve and ensure a collective
understanding of these terms across the programme
o Define the security and accreditation mission, methodology and outputs
o Agree, define and enforce security operations for the programme
The scoping activities will consider the local police force current security and accreditation status
including missions and values, governance, structure and strategy, legislative and regulatory
requirements, and constraints affecting the police force. Once this has been established the definition
of mission and key principles of cyber-risk management will be defined. This will allow a base line to
be established resulting in identifiable deliverables.
The scoping phase will rely on engagement with identified stakeholders and the cyber-risk
management methodology to understand the scope of the work. Gathering information around the
“current state” of cyber awareness will rely on the use of questionnaires (Appendices 1 & 2) and a
cyber-maturity assessment tool during the implementation stage to gather input from local police forces to
gain their contribution and develop the required outputs. Definitions and Mission statements for
cyber-risk management will be shared with Local SIROs and NPIRMT to ensure a common
understanding is adopted.
The documents and additional outputs below will be produced as part of this cyber-risk management
process:
- Discovery questionnaires
- Cyber-capability assessment
The below RACI matrix shows who is responsible, accountable, consulted and informed for each
activity in this ‘scoping’ phase.
Scope - Cyber Capability Assessment:
- Responsible: Security & Risk Management Team
- Accountable: Local Police Forces
- Consulted: Programme Leadership
- Informed: NPIRMT, NSIRO
(National Enabling Programme Security Risk Management, 2017)
Asset:
The second stage of the process involves the identification of policing critical assets so that these can
be prioritised and effectively protected. To do this, a Business Impact Assessment will be completed
which has two phases. Firstly, assets will be identified from business processes and appropriately
classified using GSC. (Cabinet Office, 2014) Secondly, the assets will be valued according to their
criticality for fulfilling business objectives and business functions. The process of valuation will
consider:
This exercise will be integral to effectively assessing the cost proportionality of security controls and
help to prioritise how agreed controls are delivered. It is therefore a critical activity in enforcing
necessary and proportionate security controls.
A high level asset identification and valuation exercise will be undertaken identifying assets and
scoring them in a range of 1-5 based on the criticality of preserving confidentiality, integrity and
availability.
Figure 3.6 below shows an example Asset Valuation Table to be used to assess the value and relative
criticality of assets.
Score 1:
- Confidentiality: The confidentiality of the asset is of limited to no importance. The confidentiality of
the asset need not be secured.
- Integrity: The integrity of the asset is of limited to no importance. The integrity of the asset need not
be secured.
- Availability: The availability of the asset is of limited to no importance. The availability of the asset
need not be secured.
Score 2:
- Confidentiality: The confidentiality of the asset is of low importance. Minor consideration should be
made to securing the confidentiality of the asset.
- Integrity: The integrity of the asset is of low importance. Minor consideration should be made to
securing the integrity of the asset.
- Availability: The availability of the asset is of low importance. Minor consideration should be made
to securing the availability of the asset.
Score 4:
- Confidentiality: The confidentiality of the asset is of high importance. Asset must stay secure and
confidential at all times with few exceptions permitted.
- Integrity: The integrity of the asset is of high importance. Asset must never be altered in any
unintended way with few exceptions permitted.
- Availability: The availability of the asset is of high importance. Asset must always be available as
intended with few exceptions permitted.
This will assist the delivery team in conceptualising their initial security considerations. In the security by
design phase a full Business Impact Assessment will be delivered consisting of two phases. Firstly,
assets will be identified from business processes and appropriately classified. Secondly, the assets will
be valued according to their criticality for fulfilling business objectives and business functions.
The output of the above will be quantified using Business Impact Reference Tables (BIRTs) (NCSC,
2016), which will allow asset impact to be assessed based on how a breach of the Information Security
Triad (CIA) could affect a number of criteria such as financial, reputation, operations and compliance.
This exercise will be integral to effectively assessing the cost proportionality of security controls and
help to prioritise how agreed controls will be delivered.
Figure 3.7 below is an example BIRT:
The BIA will be conducted through workshops consisting of scenario based questions with
representatives and consumers of the services and solutions. The involvement of key business
stakeholders (traditionally asset owners and information asset owners) will be critical to the success
of the BIA.
The NPIRMT will develop the Business Impact Assessment (BIA) methodology and Business Impact
Reference Tables (BIRTs) with outputs influenced by security working groups. Once this is complete it
will be the responsibility of the cyber-risk management team to facilitate the BIA process, including
arrangement of workshops, collation of outputs and reporting. In line with industry good practice, the
approach will not assess the criticality of assets, as this will remain the responsibility of the asset owner,
custodian or other appropriately designated business representative.
It will be the responsibility of Security Working Group to validate the process and findings of the BIA
recognising that all processes are continually assessed and therefore progress should not be slowed
due to process evaluation or change. Providing these responsibilities have been met the cyber-risk
management team will remain accountable for the BIA deliverables. The document sign off process
will follow the IMORCC Governance Structure outlined earlier in the ‘background’ section of this paper.
As a key deliverable the Business Impact Assessment Report will be signed off by the Security Working
Group, NPIRMT and the Solution Design Authority.
The documents and outputs below will be produced as part of this ‘Asset’ phase:
- High level Asset Identification and Valuation Exercise including asset register
- Business Impact Assessment Framework including methodology, BIRTs and output format
- Business Impact Assessment Report including analysis and scoring
The below RACI matrix shows who is responsible, accountable, consulted and informed for each
activity in this accreditation phase.
Threat:
This phase will look to identify and prioritise the relevant threats to the environment being assessed
and determine how harm to that environment could materialise. Within this section of delivery, a
threat can be defined as “a potential cause of an unwanted incident, which may result in harm to a
system or organisation.” (IT Governance Ltd, 2013) A set of threat attributes including capability,
motivation and opportunity will be evaluated when assessing threats.
A formal threat assessment has already been conducted by NPIRMT at a national level and agreed by
the Police Information Assurance Board (PIAB). The approach to threat assessment will therefore become
a contextualisation and validation exercise to leverage the work already completed. During this
exercise the threat landscape will be reverse engineered to look at the threat actors and threat vectors
already defined. This will involve a review of the capability, motivation and opportunity for attacks.
Each actor and vector will be assessed for validity, and an assessment as to whether the threat remains
valid and relevant given the specific scope of the programme or project should be undertaken.
Figure 3.8 below shows grouped examples of common threats. “The following list indicates for each
threat type where D (deliberate), A (accidental), E (environmental) is relevant. D is used for all
deliberate actions aimed at information assets, A is used for all human actions that can accidentally
damage information assets, and E is used for all incidents that are not based on human actions. The
groups of threats are not in priority order” (International Organization for Standardization, 2011, p.
48)
Physical damage:
- Water damage: A, D, E
- Pollution: A, D, E
- Major accident: A, D, E
Natural events:
- Climatic phenomenon: E
- Seismic phenomenon: E
- Volcanic phenomenon: E
- Meteorological phenomenon: E
- Flood: E
Disturbance due to radiation:
- Electromagnetic radiation: A, D, E
- Thermal radiation: A, D, E
- Electromagnetic pulses: A, D, E
Further threats:
- Remote spying: D
- Eavesdropping: D
- Disclosure: A, D
- Position detection: D
- Insider threat: D
Figure 3.8 (International Organization for Standardization, 2011, p. 48)
Inherent Risk:
Inherent Risk is the risk to the organisation at the point where no security controls or other mitigating
factors are in place; it is the gross risk, or risk status, before security controls are applied. (Sewall,
2009) However, it should be noted that risk cannot be removed completely. The inherent risks identified
are those which the proposed methodology will mitigate, with continued assessment and
re-evaluation of the risks throughout changes to the provision of cyber solutions. This therefore
emphasises the need for continuous re-examination of the risks as technology changes or develops.
The purpose of this phase is to identify security risks to delivery so that these can be understood and
effectively managed through the development of necessary and proportionate security controls
within the security by design / security model stage of technical architecture development. This will
also ensure that any security control applied is in line with the agreed risk appetite and proportionate
in its implementation.
Once the BIA and the Threat Validation and Contextualisation exercise are complete, the outputs will be used
to produce an Inherent Risk Assessment (IRA). The IRA will combine the likelihood of a threat with the
impact of a breach, and the results will be used to develop a Risk Matrix. This, combined with risk appetite,
will then become the foundation of the Security Model: a holistic framework of security controls
mapped against, and proportionate to, the identified risks.
The documented outputs below will be produced as part of the Inherent Risk phase:
- Inherent Risk Assessment (IRA)
- Risk Matrix
The below RACI matrix shows who is responsible, accountable, consulted and informed for each
activity in this accreditation phase.
Inherent Risk - Conduct IRA and produce report:
- Responsible: Security & Risk Management Team
- Accountable: Programme Leadership
- Consulted: NPTC, NPIRMT
- Informed: -
Inherent Risk - Develop Risk Matrix:
- Responsible: Security & Risk Management Team
- Accountable: -
- Consulted: NPTC, NPIRMT, Programme Leadership
- Informed: -
(National Enabling Programme Security Risk Management, 2017)
Risk Appetite:
The risk appetite for policing is something many police chief officers are reluctant to discuss. The
default position is that of ‘Averse’. This is a generic binary position and, whilst ‘averse’ is fair, there
are differing states of averse, with senior executives choosing to make differing assumptions in relation
to this position. Risk is taken by everyone in every part of life; however, the language used creates a
position that indicates no risk is taken. This is not the case, and the methodology proposed addresses
this.
Policing is a public service and decisions taken on a daily basis must be proportionate and necessary.
However as already discussed there is a lack of understanding and knowledge in the complex structure
of cyber risk. This results in a position where executives are reluctant to discuss the risk position for
fear of criticism or fear of the consequence. This position supports the need for this proposed
methodology which will provide a process to support a necessary and proportionate cyber-risk
management.
However to help with a more comprehensive understanding the risk appetite can be defined as
follows:
“The amount and type of risk that an organisation is willing to pursue or retain” (ISO, 2017)
An organisation’s overall risk appetite is typically determined at the governing body or executive
management level and involves:
- determining which risk categories, or types of risk, could affect the achievement of the
organisation’s objectives
- identifying the organisation’s risk appetite for each category of risk, expressed as the
maximum acceptable combination of likelihood and impact, which is determined in the earlier
Asset part of the process where a Business Impact Assessment is undertaken.
In relation to national policing, the risk appetite is defined by the National Senior Information Risk
Owner NSIRO who considers the outputs from the Asset and Threat phases of the risk assessment.
Risk appetite is defined at a national level; however, it will need to be contextualised if it is to be useful for informing programme risk management. The national risk appetite will be broken down into a number of programme risk statements which can be directly referenced by cyber-risk managers and governance forums, in particular the Solution Design Authority and the Security Working Group, when making risk management decisions. Conversely, cyber-risk management decisions taken throughout any programme will help to reaffirm or reshape the national risk appetite, accepting that cyber-risk management changes continuously in line with technology innovation and with a threat landscape shaped by changing adversary behaviour (Cook, 2017). This is further supported by the observation that risk assessments are not static and need to be a repeatable process (Zhang, 2010, p. 1332).
The below RACI matrix shows who is responsible, accountable, consulted and informed for each
activity in this accreditation phase.
- Mitigate the risk by applying security controls taken from government guidance, industry best
practice, SME experience, candidate control sets, compliance control requirements, and the
experience and knowledge of practitioners.
- Transfer the risk to another party e.g. transfer the service to a vendor who assumes
responsibility for the risk under a Service Level Agreement (SLA).
- Avoid the risk by stopping a planned activity or functionality.
- Accept the risk if it is in-line with risk appetite or the cost of mitigation is disproportionate
deeming the security control not to be necessary and proportionate.
The management option selected will depend on the severity of the risk and the risk appetite of each
programme and will be aligned to the stated Programme Risk Appetite Statements. This is supported
with similar outputs within (Albakri, 2014, p. 2121)
The Risk Matrix created from the Inherent Risk Assessment will form the foundation of cyber-risk
management by becoming the foundation of the Security Model (discussed earlier and linked to
security by design) produced as the foundation to the technical design. Within the Security Model the
selected management option will be recorded against each risk. In the case of risk mitigation,
necessary and proportionate security controls will be mapped against the risks in line with the
Programme Risk Appetite Statements. The development of security controls will incorporate:
- Government guidance (e.g. NCSC; GPG13, now retired but deemed good practice)
- Industry best practice
- SME experience (the knowledge and experience of our information security SME’s)
- Candidate control sets (such as the NPIRMT candidate control sets)
- Compliance control requirements (a policy and legal review will be carried out to understand
if there are specific controls that must be in place to comply with local policy and the law)
Delivery and effectiveness of these controls will be recorded in the model on an iterative basis with
details of how each of the controls will be assured and how often.
Figure 3.9
Figure 3.9 above shows how the management of controls will integrate with the development of the technical design. Accepting that the technical design of a SaaS provision is continuously evolving, this process will be updated in line with any technical change; this is a key amendment to how technical design and cyber-security risk management must work together. It should be noted that a technical architecture applying security by design may need to apply multiple controls to mitigate an identified risk.
This work will be managed on a Business as Usual (BAU) basis by the cyber-risk management team
who will be responsible and accountable for the production of outputs. The cyber-risk management
team will be embedded within the project teams and will design the security controls and ensure that
these are embedded within low level designs as well as recorded in the Security Model.
- The control involves significant spend
- The control (or lack of) may have a significant business impact
- The control has a significant impact on intentional architecture
If a management decision is taken to accept a risk outright or accept a residual risk as an output of a
control then this must be approved by the Solution Design Authority and Security Working Group with
the Police National Information Accreditor present. Risks above a certain threshold will be escalated
as per the IMORCC Governance Structure for approval. For complex risk mitigations, cyber-risk
management plans will be developed with mitigation actions and timelines for completion and
assurance activities will be provided.
NPIRMT will be responsible and accountable for active participation in workshops and for the provision of timely review and feedback on the Security Model and other low level control designs. Security controls affecting local police forces will be discussed in the Solution Design Authority and the NPTC Security Working Group. Once agreed, these will be added to the Governance Information Risk Return (GIRR) by NPIRMT. NPTC will be responsible for facilitating stakeholder coordination throughout the process. This includes working with local police forces in the NPTC Solution Design Authority to help them understand any proposed changes to the GIRR and reporting any issues back to the Security Working Group.
As an iterative “living” document, the Security Model will change regularly during the Low Level Design
Phase, Build Phase and will need to be maintained once the solutions are deployed and running in live
service. For the purposes of accreditation the relevant controls will be integrated into the detailed
design documents of each workstream and a point in time snap-shot of the Security Model will also
be provided to the accreditor at the time of accreditation and following the IMORCC Governance
Structure the detailed design documents and Security Model will be approved by the Security Working
Group and Solution Design Authority.
The documents/outputs below will be produced as part of this accreditation phase:
- Low Level Designs
- Security Model
- Risk Management Plans
- Candidate Control Set Validation (Excel spreadsheet)
- Compliance and Policy review (Excel spreadsheet)
The below RACI matrix shows who is responsible, accountable, consulted and informed for each
activity in this accreditation phase.
Process | Activity | R | A/Sign-off | C | I
Management Options | Produce and manage Security Model (threats/risks/controls) | Security & Risk Management Team | Programme Leadership Team | NPTC, NPIRMT | Project Teams
Management Options | Develop low level designs | Project Teams | Programme Leadership Team | NPTC, NPIRMT | Security and Accreditation
Management Options | Develop and manage Risk Management Plans | Security & Risk Management Team | Programme Leadership Team | NPTC, NPIRMT | -
Management Options | Complete candidate control set validation exercise | Security & Risk Management Team, Project Teams | Programme Leadership Team | NPTC, NPIRMT | -
Management Options | Complete compliance and policy review | TBC | Programme Leadership Team | NPTC, NPIRMT | -
(National Enabling Programme Security Risk Management, 2017)
The implementation of management controls in the design process will determine the success of 'Security by Design' and of adherence to the NCSC core principles (NCSC, 2016). The development of management options will determine the success of the technology implementations but, more importantly, it brings together the earlier elements of the proposed 'Cyber Risk Management' methodology. By leveraging each element of the proposed risk process, successful delivery will propose management options that contribute to the implementation of technical solutions based on formal, necessary and proportionate risk management rather than on the perception of cyber risk, offering new and improved ways of delivering business process to operational policing.
Residual Risk:
This phase involves an update or re-iteration of the risk assessment taking into account the expected
effects of the proposed risk treatments which in this case is the security control applied to the
technical design. The residual risk is the remaining risk once the security control has been applied.
Once the management options are defined residual risk will need to be calculated, recorded and
reported. This will be updated regularly as the status of the security controls changes. Similarly, the
risk assessment process will be repeated to reflect any major changes in impact or threat and the
Security Model will be adjusted appropriately. Residual risk will be reported regularly through self-
generating Management Information in the Security Model based on core data changes being applied
following the completion of previous steps. Should the residual risk not meet the programme's risk
acceptance criteria, a further iteration of risk treatment may be necessary before proceeding to risk
acceptance. Alternatively, this may need to be escalated for risk acceptance via the IMORCC
Governance Structure.
The work will be led by the cyber-risk management team, which is responsible and accountable for the production of Management Information reporting. Residual risks will be regularly discussed within the Security Working Group; where no further mitigation is appropriate, risks within the risk appetite will be considered for acceptance by NPIRMT, or otherwise escalated as appropriate. NPIRMT and NPTC will be responsible for active review of the Management Information reporting through the IMORCC Governance Structure. Management Information reporting requires no formal approval; however, the residual risk ratings will remain part of the Security Model, of which a snap-shot will be taken and approved at the point of accreditation.
The documents below will be produced as part of residual risk phase:
- Residual risk MI reporting
The below RACI matrix shows who is responsible, accountable, consulted and informed for each
activity in this accreditation phase.
New threats, vulnerabilities or changes in likelihood or consequences can increase risks previously
assessed as low. Factors that affect the likelihood and consequences of threats occurring could change,
as could factors that affect the suitability or cost of the various treatment options. Major changes
affecting policing should be reason for a more specific review in relation to that specific change.
Therefore, the risk monitoring activities should be regularly repeated and the selected options for risk
treatment should be reviewed periodically.
It is critical to accept that 'cyber-risk management' will have both a local and a national requirement for delivery. However, in the delivery of a 'BluePrint' design for the national consumption of a service, a large proportion of the Cyber-Risk Management Methodology assessment will be undertaken centrally to reduce cost and duplication. This also supports a central understanding of the risks associated with the use of cloud services, in this case Office 365 (O365).
4.0 IMPLEMENTATION OF CYBER-RISK MANAGEMENT IN POLICING
The cyber-risk management baseline is essential for national policing: it identifies police force readiness via a common model of the maturity states across national policing. This required a two-phase approach:
- Force pre-engagement questionnaire
- Force cyber-security assessment undertaken as part of the Security Model implementation
This approach is supported by a recent article in Network Security (Aminzade, 2018), which argues that understanding the current posture of the organisation helps establish a foundation for any proposed methodology.
With the cyber-risk management methodology designed, we must consider what police forces will be required to implement in terms of People, Process and Technology. In order to assess local cyber-maturity and risk appetite, an understanding of local forces is needed. The move to consider the consumption of SaaS for policing is ground breaking, and the existing perception that local provision is more secure than national provision dominates current thinking, so an assessment of forces is needed. This point is reinforced by (Baskerville, 1991), who argues that risk assessments should not be guesswork and that there must be a process delivering a technique to appropriately challenge views and perspectives which may be entrenched.
The collation of information that would determine each force's cyber-maturity status was therefore critical to the successful delivery of services and the consumption of commercial SaaS. However, the collation of information would need to cover a wider surface than just ICT and Information Security.
A wider questionnaire or process considering people, process and technology implementation was therefore needed. A comprehensive questionnaire was developed by a small team and I must emphasise that this was not solely my work and unfortunately not all forces were able to submit a completed return. (Appendix 1 & 2)
- IAM
- IT Environment
- Applications
- Mobile Applications and Unified Communications
- Social Media & Intranet
- Projects and Business Change
- Document Management
- General
- Equipment
- Infrastructure
- Finance
Each of the above sections of the questionnaire had a number of specific questions to be answered; the answers were then analysed and scored based on the weightings applied to each section. The questionnaire was sent to 43 forces, of which 12 were visited by a programme team led by myself, where the questions were asked via a series of meetings. A full list of the questions asked is included in Appendix 1.
In addition to the landscape questionnaire an additional set of questions were developed specifically
relating to cyber-risk maturity which covered people, process and technology. The development of
these questions and the resulting output of the overall assessment of the maturity gave national
policing a perspective of the cyber-risk management maturity. This, in some cases was linked to the
risk appetite a force had, but in some it represented a cyber-maturity position which needed
development. The section questions were:
- Training
- Equipment
- Personnel
- Infrastructure
- Doctrine and Concepts
- Organisation
- Information and Interoperability
The questions relating to each of the above sections are included in Appendix 2. These questions were produced by a wider team and are those used when undertaking 'Pilot' engagement with the initial 12 police forces.
The output of the baseline readiness is therefore a varied picture; the following infographic depicts the current state of readiness for the consumption of commercial SaaS.
Figure 4.1 below depicts the maturity states of forces in relation to readiness for the consumption of cloud services, specifically SaaS. However, this does not allow for a wider assessment of the actual state of cyber-security awareness, which will define the approach a force takes to cyber-risk management. There is therefore a need for a more focused approach to determining the specific maturity of individual forces in relation to cyber-security awareness and cyber-risk management. The position shown is one of differing maturity across the different areas. It should be noted that some forces chose not to respond, and most omitted the areas relating to change altogether. This supports some of the findings within this paper: ICT departments are limited in their capability to determine change or new areas of technology delivery such as social media. These areas of poor or non-return could present new and serious cyber-risk and therefore highlight the challenge in policing.
Figure 4.1 (National Enabling Programme Security Risk Management, 2017): force readiness scores (1 to 4) for the consumption of commercial SaaS. Rows are the assessed areas; the 46 columns are the force responses in the order in which the figure was extracted (Police Force 10 to Police Force 46, followed by Police Force 1 to Police Force 9). Please note not all forces responded.
Area | scores per force (columns as above)
Operating System | 2 4 4 1 2 4 4 4 2 2 2 2 2 4 2 4 2 1 4 4 4 2 2 4 2 2 2 2 2 3 2 2 2 2 4 2 4 4 4 1 4 4 4 2 4 4
Network | 3 4 4 4 4 4 4 4 4 4 4 1 3 4 4 4 1 4 4 4 4 1 4 4 1 4 4 4 4 4 1 4 4 4 4 4 4 4 4 4 4 4 4 1 4 4
Browser | 1 4 4 1 1 4 4 4 1 1 1 1 1 4 1 4 1 1 4 4 4 1 1 4 1 1 1 1 1 1 1 1 1 1 4 1 4 4 4 1 4 4 4 1 4 4
Active Directory | 1 4 4 1 1 4 4 4 2 1 1 1 1 4 1 4 1 1 4 4 4 1 1 4 1 2 1 1 1 1 1 1 2 1 4 1 4 4 4 1 4 4 4 1 4 4
Productivity | 2 4 4 1 2 4 4 4 1 1 2 1 2 4 3 4 3 3 4 4 4 3 1 4 1 2 2 4 4 2 4 3 3 1 4 1 4 4 4 3 4 4 4 1 4 4
Intranet | 3 4 4 3 1 4 4 4 3 1 1 3 3 4 1 4 3 3 4 4 4 1 3 4 3 4 3 3 1 1 3 3 3 3 4 3 4 4 4 4 4 4 4 4 4 4
Unified Comms. | 3 4 4 1 1 4 4 4 2 1 1 1 1 4 2 4 1 2 4 4 4 2 1 4 1 2 2 1 3 3 2 2 3 4 4 2 4 4 4 2 4 4 4 2 4 4
Remote Access | 2 4 4 1 2 4 4 4 2 1 1 2 2 4 2 4 2 1 4 4 4 2 2 4 2 2 1 1 1 2 2 1 2 2 4 2 4 4 4 2 4 4 4 1 4 4
Document Management | 1 4 4 1 1 4 4 4 2 1 1 1 2 4 1 4 2 1 4 4 4 1 3 4 1 2 2 1 1 1 3 3 3 1 4 1 4 4 4 1 4 4 4 1 4 4
Application Provisioning | 1 4 4 1 1 4 4 4 1 2 2 2 2 4 3 4 1 1 4 4 4 2 2 4 1 2 1 2 4 2 2 2 1 1 4 2 4 4 4 4 4 4 4 1 4 4
Mobile Applications | 2 4 4 2 2 4 4 4 2 2 2 4 2 4 2 4 2 2 4 4 4 2 2 4 2 2 2 2 2 2 2 2 2 4 4 2 4 4 4 2 4 4 4 2 4 4
Social Media | 2 4 4 2 2 4 4 4 2 2 2 2 2 4 2 4 2 2 4 4 4 2 2 4 2 3 3 3 2 3 3 3 2 2 4 2 4 4 4 2 4 4 4 2 4 4
Operating Model | 3 4 4 1 3 4 4 4 3 1 1 1 1 4 1 4 3 1 4 4 4 1 1 4 3 1 3 1 3 1 1 3 1 1 4 1 4 4 4 1 4 4 4 1 4 4
Agile Working | 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
Change Readiness | 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
Engagement | 1 4 4 2 1 4 4 4 2 1 1 2 1 4 1 4 2 1 4 4 4 1 1 4 1 1 1 1 2 1 1 2 1 1 4 1 4 4 4 1 4 4 4 1 4 4
User Segmentation | 1 4 4 2 2 4 4 4 3 3 3 3 3 4 3 4 1 3 4 4 4 3 3 4 3 2 3 3 3 1 3 3 3 3 4 2 4 4 4 3 4 4 4 2 4 4
Training | 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
Adoption | 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
In-flight Projects | 3 4 4 3 3 4 4 4 3 3 3 3 1 4 3 4 3 2 4 4 4 2 2 4 2 3 2 2 2 1 3 1 3 3 4 3 4 4 4 3 4 4 4 3 4 4
4.2 CYBER-RISK MANAGEMENT METHODOLOGY ELEMENTS & SECURITY MODEL
Figure 4.2: the seven phases of the methodology and the output of each (extracted as a seven-column figure; reconstructed here as a list).
Phase 1, Strategy: The Risk Management and Accreditation Strategy was developed to detail and agree the process for security, accreditation and information risk management, including detailed descriptions of stakeholders' responsibilities.
Phase 2, Business Impact Assessment (BIA): Police and stakeholder information assets were identified and their relative criticality assessed by measuring the impact of a breach of confidentiality, integrity or availability.
Phase 3, Threat Assessment (TA): Insider, external and environmental threats to the environment were assessed and prioritised considering a number of threat actor attributes, including capability, history and motivation.
Phase 4, Inherent Risk Assessment: The Inherent Risk Assessment combined the outputs from the BIAs and the TA in order to calculate the inherent risks to the environment; 7 critical risks were identified.
Phase 5, Risk Scenarios: Underpinning the seven critical risks, forty-three scenarios were considered, looking at the specific attack vectors of a particular threat and the likely assets targeted.
Phase 6, Security Controls: Aligned with the principle of "defence in depth", necessary and proportionate security controls were developed, using the NIST Cyber Security Framework (CSF) to ensure adequate consideration and coverage of control types.
Phase 7, Integration into solution design: Working closely with the Design Team throughout, the identified controls were integrated into the Low Level Designs and architecture (where appropriate).
In earlier parts of this paper I have outlined how national policing can address cyber-risk management through the use of core ISO 27001 and ISO 27005 elements and the NIST "Framework for Improving Critical Infrastructure Cybersecurity" (NIST, 2015). During implementation, however, the cyber-risk assessment and the Framework must come together in order to give the implementation and its adoption legitimacy. Figure 4.2 above starts to explain how the risk assessment contributes to, and provides the baseline needed for, the controls through the process of Security by Design, concluding the methodology that takes national policing through to implementation. This is supported by the (Verginadis, 2017) approach to security by design.
Each element of the process delivers, through its implementation, an output that contributes to the next phase of the methodology. This links the phased methodology shown in figure 3.5 to a view of the actual output of the process:
To measure and score impact, Business Impact Reference Tables (BIRTs) (Cabinet Office, 2012, p. 150)
were leveraged from HMG Information Assurance Standard No.1 (IS1). IS1 offers a standardised way
to identify, classify and score the impact of a compromise on an environment. It sets clear parameters
between different outcomes in the event of compromise, reducing the level of subjectivity when
assigning impact scores. It should be noted that IS1 has since been retired, due to the complex and often risk-averse way the standard was used in practice.
Leveraging these BIRTs, each potential impact on an asset (for confidentiality, integrity and availability respectively) was graded from 1 (Low) to 6 (High), and the supporting impact narrative was recorded along with additional comments justifying the scoring rationale. A score of 0 during this phase is deemed unacceptable in the assessment of assets.
The BIRT justification tables set out clear guidelines on how to score the impact of an event (e.g. for
an impact on police officer safety, a score of 6 would mean a threat to life or multiple injuries).
Within the BIA form impact is separated into two types – ‘worst case’ impact and ‘realistic’ impact.
The ‘worst case’ impact refers to the most serious of potential outcomes from a compromise
regardless of its probability. The ‘realistic’ impact takes a more measured view, and considers the most
likely outcomes only.
A threat can be defined as: "a potential cause of an unwanted incident, which may result in harm to a system or organisation." (International Organization for Standardization, 2016, p. 13)
Articulation of the threat was completed using an IRAM2 threat assessment, leveraging several
sources (including threat intelligence from NPIRMT), and using local intelligence sources. A set of
threat attributes (e.g. history, capability, motivation and commitment) were evaluated to assess the
threats from each actor. Each attribute relating to a threat actor was scored on a scale from 1 (Low)
to 3 (High) and added together to form a cumulative final ‘Threat Score’ (e.g. 12/15).
To match the scoring scale of the BIAs (1-6), the final ‘Threat Score’ for each actor was moderated
down to a score of 1-6 (e.g. 12/15 becomes 5/6).
Key to a successful Threat Assessment is the production of a realistic likelihood. The Likelihood will be
required in order to complete the wider cyber-risk assessment and will determine the control to be
applied to the design.
To calculate inherent risk, a standardised risk equation is used, (Risk = Likelihood x Impact) as shown
figure 4.3 on the following page:
Figure 4.3 (Information Risk Assessment Methodology 2, 2014)
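The scoring chain described above, carried through end to end: BIRT impact grades per C/I/A dimension with the worst-case and realistic views, the attribute-based threat score moderated from the 15-point to the 6-point scale (12/15 becoming 5/6), Risk = Likelihood x Impact, the choice of management option against the programme risk appetite, and the residual-risk re-iteration once controls are mapped. This is an added Python example and is not code from the dissertation, from IRAM2 or from NPIRMT. It assumes five threat attributes (the page names history, capability, motivation and commitment; "opportunity" is assumed as the fifth), proportional rounding for the moderation, the worst of the three C/I/A grades as the asset impact, and constructed appetite bands, sample asset, threat actor and control effects.

```python
"""Worked scoring example: BIA impact -> threat score -> inherent risk ->
treatment against appetite -> residual risk. Added illustration, not the
dissertation's Security Model; names and thresholds below are assumptions."""
from dataclasses import dataclass

IMPACT_MIN, IMPACT_MAX = 1, 6   # BIRT grades; 0 is not an acceptable grade
ATTR_MIN, ATTR_MAX = 1, 3       # per-attribute threat score
# Five attributes give the 15-point total; "opportunity" is an assumption.
THREAT_ATTRIBUTES = ("history", "capability", "motivation", "commitment", "opportunity")


@dataclass
class BusinessImpact:
    """One BIA line: C/I/A grades for both the worst-case and realistic views."""
    asset: str
    worst_case: dict   # {"C": 1..6, "I": 1..6, "A": 1..6}
    realistic: dict

    def __post_init__(self):
        for view in (self.worst_case, self.realistic):
            for dim in ("C", "I", "A"):
                g = view[dim]
                if not IMPACT_MIN <= g <= IMPACT_MAX:
                    raise ValueError(f"{self.asset}: {dim} grade {g} outside 1..6 (0 not accepted)")

    def impact(self, realistic=True):
        # Assumption: the asset's impact is its worst C/I/A grade.
        view = self.realistic if realistic else self.worst_case
        return max(view.values())


def threat_score(attributes):
    """Sum the 1..3 attribute scores into the cumulative score out of 15."""
    missing = set(THREAT_ATTRIBUTES) - set(attributes)
    if missing:
        raise ValueError(f"unscored attributes: {sorted(missing)}")
    for name in THREAT_ATTRIBUTES:
        if not ATTR_MIN <= attributes[name] <= ATTR_MAX:
            raise ValueError(f"{name}={attributes[name]} outside 1..3")
    return sum(attributes[name] for name in THREAT_ATTRIBUTES)


def moderate_to_six(score):
    """Scale the 1..15 threat score to the 1..6 BIA scale with round-half-up
    integer arithmetic, so 12/15 -> 5/6 as in the text; never below 1."""
    hi = ATTR_MAX * len(THREAT_ATTRIBUTES)          # 15
    return max(1, (12 * score + hi) // (2 * hi))    # == round(score * 6 / hi)


def inherent_risk(likelihood, impact):
    """Risk = Likelihood x Impact on the 1..6 scales, giving 1..36."""
    return likelihood * impact


# Constructed programme risk appetite: ceilings on the 1..36 product.
APPETITE_BANDS = (
    (6, "Accept"),     # within appetite: record and monitor
    (15, "Mitigate"),  # controls required, SWG/SDA sign-off
    (36, "Escalate"),  # above threshold: IMORCC governance route
)


def treatment_for(risk):
    for ceiling, action in APPETITE_BANDS:
        if risk <= ceiling:
            return action
    raise ValueError(f"risk {risk} outside 1..36")


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # points taken off the 1..6 likelihood
    impact_reduction: int = 0       # points taken off the 1..6 impact


def residual_risk(likelihood, impact, controls):
    """Re-run the equation with the expected effect of the mapped controls.
    Each grade floors at 1: no control takes likelihood or impact to zero."""
    l = max(1, likelihood - sum(c.likelihood_reduction for c in controls))
    i = max(1, impact - sum(c.impact_reduction for c in controls))
    return inherent_risk(l, i)


def assess(asset, actor_attributes, controls, realistic=True):
    """End-to-end: impact, likelihood, inherent risk, treatment, residual risk."""
    impact = asset.impact(realistic)
    likelihood = moderate_to_six(threat_score(actor_attributes))
    inherent = inherent_risk(likelihood, impact)
    residual = residual_risk(likelihood, impact, controls)
    return {"asset": asset.asset, "impact": impact, "likelihood": likelihood,
            "inherent": inherent, "treatment": treatment_for(inherent),
            "residual": residual, "residual_treatment": treatment_for(residual)}


# Constructed sample data (not taken from any force's BIA or threat assessment).
CASE_FILES = BusinessImpact("Case files",
                            worst_case={"C": 6, "I": 5, "A": 4},   # 6: threat to life
                            realistic={"C": 5, "I": 3, "A": 3})
INSIDER = {"history": 3, "capability": 2, "motivation": 3, "commitment": 2, "opportunity": 2}  # 12/15
CONTROLS = [Control("Email DLP on egress", likelihood_reduction=2),
            Control("Removable media lockdown", likelihood_reduction=1)]

if __name__ == "__main__":
    print(assess(CASE_FILES, INSIDER, CONTROLS))
```

With the constructed data the realistic impact is 5 and the insider scores 12/15, moderated to 5, so the inherent risk is 25 and falls in the constructed "Escalate" band; the two mapped controls bring likelihood down to 2, leaving a residual risk of 10 that still needs treatment rather than acceptance. Swapping `realistic=False` gives the worst-case view (impact 6, inherent 30), which is the comparison the BIA form is designed to expose.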
The Inherent Risk scores were leveraged to develop over 300 low level risks, composed from the most prevalent threat actors and the 15 most critical information assets.
Based on the 300 low level risks, seven recurring risks to the environment were identified and converted into risk statements. The risk statements give stakeholders a macro understanding of risk to the environment. The seven recurring risks will be used across national policing as the strategic risk statements: they relate to the strategic assets identified and will impact all national delivery.
This risk can be realised through various means including, but not limited to:
- A removable device being used to either extract data or introduce malware onto the network.
- Data being leaked via email by attaching incorrect or inappropriate material or sending it to unintended or unapproved recipient(s).
- A non-approved application being downloaded onto a corporate device.
The scenarios are not mutually exclusive hence a single control may mitigate more than one risk, nor
are they collectively exhaustive meaning there is an assumption that police forces in conjunction with
national policing units and partners will ensure the risk picture is subject to regular review and analysis
and that security controls remain robust enough to mitigate identified risks.
Figure 4.4 below presents a pictorial view of one scenario by way of an example. The mapping of
scenarios allows the mapping to the NIST Framework giving legitimacy to overall cyber-risk
management.
Figure 4.4 (scenario example; columns Inherent Risk | Scenario | Mitigation). NIST CSF function IDENTIFY: risk assessments are continual and build necessary and proportionate security controls to mitigate against identified risks; risk responses are prioritised effectively.
4.2.6 Phase 6: Security Model Control Development
Within the Security Model, necessary and proportionate security controls have been mapped against
risk scenarios to give an end to end view of risk mitigation and residual risk.
When developing the security controls, the concept of defence in depth (SANS Institute, 2001) was applied: the environment is protected by a series of defensive mechanisms so that, if one fails, another is in place to thwart the attack. Because there are so many potential attackers, and the sophistication and scope of their methods are rapidly evolving, there is no single method for successfully protecting the environment. Therefore, in accordance with the GSC, a multi-layered approach to security is required (Cabinet Office, 2014). Utilising this strategy reduces the risk of a successful attack.
As described throughout this paper security controls are where possible taken from UK legislation and
HMG policy but where this is not possible, a considered and transparent foundation rooted in police
decisions, UK government guidance and commercial best practice has been used.
As GSC states: “There is no silver bullet for mitigating all threats at OFFICIAL and organisations should
provide layered security across their businesses. People, technology and environmental controls should
be mutually enforcing and given equal consideration as part of a holistic approach to security.”
(Cabinet Office, 2014)
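A practical way to hold the Security Model to the two properties stated above, that scenarios are not mutually exclusive (one control may mitigate several) and that controls must be layered across people, technology and environment and cover more than one CSF function, is to run a coverage check over the scenario-to-control mapping. The following is an added Python example, not the dissertation's Security Model spreadsheet or any NPIRMT candidate control set; the control names, scenario identifiers, layer and CSF tags, and the thresholds of two layers plus a Protect and a Detect control per scenario are all constructed assumptions.

```python
"""Defence-in-depth coverage check over a scenario-to-control mapping.
Added illustration; the control set and scenarios below are constructed and
the layer/function thresholds are assumptions, not NPIRMT or GSC rules."""

CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
LAYERS = ("people", "technology", "environment")   # the three GSC control families

# Constructed control set: name -> (layer, CSF function, scenarios it mitigates)
CONTROLS = {
    "Removable media blocked by endpoint policy": ("technology", "Protect", {"S1"}),
    "Data handling training and acceptable-use policy": ("people", "Protect", {"S1", "S2", "S3"}),
    "Email DLP with attachment classification": ("technology", "Protect", {"S2"}),
    "SIEM alert on mass mailbox egress": ("technology", "Detect", {"S2"}),
    "Application allow-listing on corporate devices": ("technology", "Protect", {"S3"}),
    "Asset register of approved applications": ("technology", "Identify", {"S3"}),
    "Secure room access control for evidence handling": ("environment", "Protect", {"S1"}),
}
# Constructed scenarios, mirroring the three means listed on the page.
SCENARIOS = {
    "S1": "Removable device used to extract data or introduce malware",
    "S2": "Data leaked via email to an unintended recipient",
    "S3": "Non-approved application downloaded onto a corporate device",
}


def coverage(scenarios, controls):
    """For each scenario: the mapped controls and the layers and CSF functions they span."""
    cov = {s: {"controls": [], "layers": set(), "functions": set()} for s in scenarios}
    for name, (layer, function, mitigated) in controls.items():
        if layer not in LAYERS or function not in CSF_FUNCTIONS:
            raise ValueError(f"{name!r}: unknown layer or CSF function")
        for s in mitigated:
            if s not in cov:
                raise KeyError(f"{name!r} maps to unknown scenario {s}")
            cov[s]["controls"].append(name)
            cov[s]["layers"].add(layer)
            cov[s]["functions"].add(function)
    return cov


def findings(scenarios, controls, min_layers=2, required=("Protect", "Detect")):
    """Scenarios that fail defence in depth: too few distinct layers, or no
    control for a required CSF function. Thresholds are assumptions."""
    out = {}
    for s, c in coverage(scenarios, controls).items():
        issues = []
        if not c["controls"]:
            issues.append("no control mapped")
        if len(c["layers"]) < min_layers:
            issues.append(f"fewer than {min_layers} layers: {sorted(c['layers'])}")
        for f in required:
            if f not in c["functions"]:
                issues.append(f"no {f} control")
        if issues:
            out[s] = issues
    return out


def shared_controls(controls):
    """Controls that mitigate more than one scenario (scenarios are not mutually exclusive)."""
    return sorted(name for name, (_, _, mitigated) in controls.items() if len(mitigated) > 1)


if __name__ == "__main__":
    for s, issues in findings(SCENARIOS, CONTROLS).items():
        print(s, SCENARIOS[s], "->", "; ".join(issues))
    print("shared:", shared_controls(CONTROLS))
```

On the constructed data the email-leak scenario passes (people and technology layers, Protect plus Detect), while the removable-media and unapproved-application scenarios are flagged for having no Detect control at all: three preventive controls stacked on one scenario still leave it blind if they are bypassed, which is exactly the gap the "mutually enforcing" wording in the GSC quote is meant to close.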
1. Assess: Conducting assessments of the force to identify its maturity against the NIST Cyber
Security Framework, to identify its compliance with the security controls in the technical
architectural security model and to identify any local information security risks.
2. Accelerate: Ensure that all risks are managed appropriately by the force and that risk
management processes are embedded into the force.
3. Integrate: Assisting the force with its technical and procedural integration with the integration
of the Police National Management Centre.
This three-phase approach will allow forces to baseline their cyber-risk management maturity. The security model and the maturity assessment tools are evergreen and will require continuous updating and refreshing. Figure 4.5 on the following page shows that each of the assessment stages links back to the NIST cyber-security framework and provides a link and integration between the cyber-risk assessment, architectural design and implementation via the proposed cyber-risk management security model.
Figure 4.5
5.0 EVALUATION OF CYBER-RISK MANAGEMENT METHODOLOGY & MODEL
to move with cyber-incidents becoming more mainstream with policing now focusing on the changes
to threat landscapes and the need to understand the link between cyber-risk management and
technical architectural design and implementation.
Delivery locally in forces has highlighted that, whilst the effort and detail built into the cyber-risk management methodology have been well received, it had not addressed the cultural issues, specifically the resistance to change and challenge from those who are comfortable with their current operating process. A significant challenge identified has been passive compliance with the implementation of cyber-risk management when in reality little or nothing was being done at a local level. This is a bold statement, but it is supported by current working practices, which are focused solely on Information Security. This does not take into account the points discussed earlier relating to the benefits of security by design and of embedding technical architectural design with cyber-risk management at its core, ensuring that necessary and proportionate security controls are applied and, more importantly, continually assessed.
This cultural influence is therefore a longer term challenge for national policing and one which will
develop as those involved start to understand throughout the engagement with the cyber-risk
management process proposed. It has therefore been necessary to manage change through education
and the development of core Information Risk Management resources nationally and locally.
proposed methodology which will provide policing with an approach to cyber-risk management that
will drive proportionality. This is an area (Baskerville, 1991) discusses, where there is a need for versatile and practical tools that become part of a security practitioner's everyday work. The security model will then allow technical architecture to be developed with an intrinsic link to the inherent risk statements, which will assist in ensuring that necessary and proportionate controls are applied to the mitigation of risk. These processes will help ensure that operability for the end user is protected.
methodology will be presented to the Police Information Assurance Board with a recommendation
that the cyber-risk management methodology and the security model should be approved as a
national process and become business as usual.
The overall cyber-risk management methodology process proposed must be re-evaluated periodically.
The overall risk assessment scoring is only valid for a period of time relevant to the assets and threats
being assessed.
6.0 CONCLUSIONS
The proposal within this project has outlined that cyber-risk management is not just an IT or technical issue but is linked to traditional Information Security and to architectural design. The approach presented develops a cyber-risk management framework for policing, centrally updated for use nationally and locally, and is split into two core deliverables:
- Cyber-Risk Management Methodology
- Cyber-Risk Management Security Model
The methodology presented references and is supported by guidance published by NCSC and
addresses the need to consider people, process and technology. There is an intrinsic link between
these areas of cyber-risk management and policing should as outlined in the NCSC guidance (NCSC,
2016) adopt as suggested an approach to risk management which allows a comprehensive risk
management approach covering all three of these areas.
This provides an opportunity to make changes resulting in a much improved cyber-risk position, which
can then provide assurance that identified risks are managed effectively and efficiently, with core
central principles providing a foundation for development. However, additional changes will be
needed moving forward, specifically relating to keeping the process current, joined up and functional,
recognising that SaaS is an evergreen infrastructure (Albakri, 2014, p. 2123). The operating model will
require central teams to take ownership of the development of the cyber-risk management methodology
and then communicate these continual developments to all forces.
The core methodology will provide a means to identify and manage risk effectively and efficiently and
will help mitigate the identified inherent risks providing policing with a comprehensive duty of care in
assessing risk.
The methodology is shown in figure 5.1 below, which provides a visual representation of the ISO 27005
aligned risk management methodology outlined within the cyber-risk management section of this
paper. Included in the process proposed is a link to the development and integration of security
controls into architectural design.
Figure 5.1: the seven phases of the cyber-risk management methodology

Phase 1 (Strategy): The Risk Management and Accreditation Strategy was developed to detail and agree the process for security, accreditation and information risk management, including detailed descriptions of stakeholders' responsibilities.

Phase 2 (Business Impact Assessment, BIA): Police and stakeholder information assets were identified and their relative criticality assessed by measuring the impact of a breach of confidentiality, integrity or availability.

Phase 3 (Threat Assessment, TA): Insider, external and environmental threats to the environment were assessed and prioritised considering a number of threat actor attributes including capability, history and motivation.

Phase 4 (Inherent Risk Assessment): The Inherent Risk Assessment combined the outputs from the BIAs and TA in order to calculate the inherent risks to the environment; 7 critical risks were identified.

Phase 5 (Risk Scenarios): Underpinning the seven critical risks, forty-three scenarios were considered, looking at the specific attack vectors of a particular threat and the likely assets targeted.

Phase 6 (Security Controls): Aligned with the principle of "defence in depth", necessary and proportionate security controls were developed using the NIST Cyber Security Framework (CSF) to ensure adequate consideration and coverage of control types.

Phase 7 (Integration into solution design): Working closely with the Design Team throughout, the identified controls were integrated into the Low Level Designs and architecture (where appropriate).

Figure 5.1
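The chain from Phase 2 to Phase 4 of figure 5.1 (breach-impact ratings from the BIA, threat-actor attributes from the TA, combined into a ranked inherent-risk register that carries a validity period, as the text above requires) is shown below as an added Python example. It is not code from the dissertation or from any police programme; the 1 to 5 scales, the highest-of-C/I/A impact rule, the mean-of-attributes threat rating, the impact times threat product and the critical cut-off of 16 are all assumptions made for the example, and every asset and threat in it is constructed.

```python
"""Worked example of the BIA -> TA -> inherent-risk chain from Figure 5.1.

Added example, not the dissertation's own code. The scoring scheme is an
assumption: 1-5 ratings throughout, BIA impact = highest of the C/I/A
ratings, TA threat rating = mean of capability, history and motivation,
inherent risk = impact x threat rating. All assets and threats are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Asset:
    """Phase 2 (BIA): an information asset rated for breach impact on C, I and A."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def impact(self) -> int:
        # Assumed rule: the worst of the three breach impacts drives criticality.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Threat:
    """Phase 3 (TA): a threat rated on actor attributes, with the assets it targets."""
    name: str
    capability: int
    history: int
    motivation: int
    targets: tuple

    def rating(self) -> float:
        # Assumed rule: mean of the three actor attributes named in Figure 5.1.
        return (self.capability + self.history + self.motivation) / 3


@dataclass
class InherentRisk:
    """Phase 4: one asset/threat pairing with its score and its review date."""
    asset: str
    threat: str
    score: float
    valid_until: date


CRITICAL_THRESHOLD = 16.0  # assumed cut-off for a "critical" inherent risk

# Constructed sample input (hypothetical assets and threats, not from the page).
SAMPLE_ASSETS = (
    Asset("Case management system", 5, 5, 4),
    Asset("Corporate email (SaaS)", 4, 3, 4),
    Asset("Public website", 1, 3, 3),
)
SAMPLE_THREATS = (
    Threat("External organised crime", 4, 5, 5,
           ("Case management system", "Corporate email (SaaS)")),
    Threat("Insider (privileged user)", 3, 3, 4, ("Case management system",)),
    Threat("Environmental (data centre power loss)", 2, 2, 1,
           ("Corporate email (SaaS)", "Public website")),
)


def assess(assets, threats, assessed_on, validity_days=365):
    """Combine BIA and TA outputs into a ranked inherent-risk register.

    Each entry carries a valid_until date because a score is only valid for a
    period relevant to the assets and threats assessed (assumed 365 days here).
    """
    by_name = {a.name: a for a in assets}
    register = []
    for threat in threats:
        for target in threat.targets:
            asset = by_name[target]
            register.append(InherentRisk(
                asset=asset.name,
                threat=threat.name,
                score=round(asset.impact() * threat.rating(), 2),
                valid_until=assessed_on + timedelta(days=validity_days),
            ))
    register.sort(key=lambda r: r.score, reverse=True)
    return register


def critical_risks(register, threshold=CRITICAL_THRESHOLD):
    """Phase 5 input: the risks that warrant scenario analysis."""
    return [r for r in register if r.score >= threshold]


def due_for_reassessment(register, today):
    """Risks whose scoring has lapsed and must be re-run."""
    return [r for r in register if today > r.valid_until]


def run_example(assessed_on=date(2018, 5, 1)):
    return assess(SAMPLE_ASSETS, SAMPLE_THREATS, assessed_on)


if __name__ == "__main__":
    for risk in run_example():
        flag = "CRITICAL" if risk.score >= CRITICAL_THRESHOLD else ""
        print(f"{risk.score:6.2f}  {risk.asset:<24} {risk.threat:<40} {flag}")
```

With the constructed ratings the register ranks the case management system against organised crime highest, three of the five pairings clear the assumed critical threshold, and every entry falls due for reassessment once the validity window has passed, which is the point the text makes about scores only holding for a limited period.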
The Security Model is a tool for risk professionals to manage and control implementation and residual
risk. It is holistic in nature and covers all NIST security domains. While police forces with the highest
security maturity are likely to be able to demonstrate compliance against a large proportion of the
controls, the cyber-risk management security model itself is not intended to be used as a compliance
“tick box” exercise. There is no expectation that every control in the cyber-risk management security
model will be implemented by a police force. Instead, the expectation is that the cyber-security risk
management security model will be used to help police forces understand their inherent risks and
draw from the model to improve their capability to mitigate these risks.
There are good reasons why a police force may not want to implement a certain control (including
cost, user experience or adverse effects on wider enterprise architecture). In these circumstances the
police force should look to implement other compensating controls in line with the principle of
defence in depth and understand the residual risk which they may need to accept.
As part of the delivery of the cyber-risk management security model a cyber-security maturity
assessment is undertaken within a force. The completed assessment is presented to the force as a
baseline to be maintained by the force's information security team. However, the maturity assessment
tool presents a challenge in relation to keeping the tool current and effective. The business as usual
activities discussed will therefore be essential to the success of the proposal.
The cyber-risk management security model is delivered in three phases. The first phase is 'Assess',
in which an independent assessment of the police force's information-security risk management
capabilities is undertaken; this will identify a number of information-security risks held by the force. The second
phase is 'Accelerate', in which the risks identified in the Assess phase are placed into a risk
management process and risk management plans are developed. This phase is a continuous process,
which is represented by the 'Operationalise' phase. The third phase is 'Integrate', during which the
force is integrated with the National Management Centre. Once complete, the force can be considered
at full operational capability. This process is shown in figure 4.5 on page 49.
This process has been well received by the forces; however, there is always a natural trepidation that
comes from being independently assessed. One of the major feedback points from forces is that the
maintenance of the assessment tool and the security controls represents extra work on top of an
already significant workload. This is not the intention of the cyber-risk management security model,
the processes or the cyber-maturity assessment tool. It is envisaged that the security model and the
cyber-maturity assessment controls will form the basis of police-wide terms of reference for
Information Security Officers, based around the maintenance of reasonable and proportionate
information security controls developed, maintained and distributed from a central delivery.
The proposal outlines the case that policing cannot have cyber-risk management separate from
architecture design; they have to work together and provide an end-to-end position for information
security and architectural design that delivers 'defence in depth'. This process will provide a
cyber-risk position that considers what cyber-risk is as well as how it is mitigated. For this to
be successful, the perception held by those responsible for the management of information risk must
change. This will in itself support a change to the overall culture adopted by forces and to the perception
that SaaS is not as secure as on-premise provisioned services, thus supporting a move to cloud
services (Kumarl, 2015).
It is essential that the proposed cyber-security risk management methodology and the security model
are living processes. The outcomes of the processes proposed must be mature enough to cope with
the ever-changing environment that SaaS and policing operate within (Zhang, 2010, p. 1332).
Policing therefore needs quality information to support decision making when considering cyber-risk
management. The impact of information and media on cyber-risk can be perceived as a problem because
the volume of information and intelligence is sometimes inaccurate, out of context or even
contradictory. This creates a fog of truth or perception around the actual position, clouding the view of
non-aware executives. The inability to see a pattern or gain any use from this fog of information hinders
the ability to make the right decisions in the right time frame, resulting in a friction of understanding
in relation to cyber-risk management. This will certainly have clouded the initial analysis and has also
influenced other studies in relation to information security (Verginadis, 2017). As an analogy, the fog
of poor management information creates the friction of slow or wrong business decisions. This
discussion points to similarities with the observations made by Clausewitz when discussing traditional decision making
(Parks, 1994). Therefore a cyber-risk management methodology and security model can draw
similarities to other everyday cultural and complex strategic decision making.
83 Is OWA enabled?
84 Externally or internally?
85 What is your force's current average mailbox size?
86 What is your force's total volume of mailbox data?
87 Does your force use bulk mailing?
88 Is your force using IE11 or Edge?
90 Does your force use Chrome or Firefox?
91 Are they the latest version?
92 Does your force use any browser plugins?
94 Does your force currently use a tool to manage workflow? E.g. SharePoint
95 What solution does your force use?
96 Does your force currently use a tool to manage forms? E.g. InfoPath
Mobile Apps and Unified Comms:
98 Do your force users currently have access to applications via their corporate mobile device (e.g. email, policing apps etc.)?
different individuals?
20 Is there a process for requesting, establishing, issuing, and closing user accounts?
21 Is there a defined process for escalation of processes?
Infrastructure:
22 Do you have a backup site in a separate location?
23 Do you have a disaster recovery plan?
24 What network connections are available between the log source collection points and the SOC?
25 What is the available bandwidth?
26 Will new network links be required? These will have to be ordered as soon as they are identified. 90 days at least for BT to get new links provisioned. Plus the work of integrating into the Log Source DCs.
27 Do you have existing vendor/third party contracts? If yes please provide a list
28 Backups log source?
Organisation:
29 Who are the key individuals to whom information security responsibilities have been allocated?
30 What information security responsibilities are allocated to your geographical or business area?
31 What metrics and key performance indicators do you report to the Global information security function?
32 Do you operate any information security steering groups or forums within your geographical or business area? If yes, how does this forum report to senior management?
Information and Interoperability:
33 Provide a list of any bespoke builds: software, hardware and ports which operate on non-standard ports.
34 Is there any legacy software that is in a change freeze due to compatibility (i.e. Windows Server 2003)?
35 Do you have detailed lists of asset inventories? Details could include MAC address, DHCP, name and/or unique identifier, location, asset purpose, classification, owner, status, date last checked, etc.
managed by third
parties
1. Basic information
Does the research involve deception, trickery or other procedures that may contravene participants' informed consent, without timely and appropriate debriefing, or activities that cause stress, anxiety or involve physical contact? No
No
Does the research project & associated experiments potentially risk the physical safety of yourself or the participants? No
Does the research involve travel to areas where you might be at risk? No
No
5. Data handling
The data is stored with a classification of Official Sensitive within Cumbria Police
data management systems. The access to the data is limited to myself and
Technical Administrators via a break glass privilege escalation process.
What steps will be taken to ensure the anonymity of the data collected?
Data within the report will be anonymised and will reference Police force and a
number.
What steps will be taken to ensure the confidentiality of the data collected?
State how individual identifying information will be removed, where the data will
be stored and who will have access to the data.
Access to the data is limited to myself and stored within a Police Data
management system.
1. RISKS
2. DISCLOSURE
Does the study involve the use of deception, either in the form of withholding essential information about the study or intentionally misinforming participants about aspects of the study? N
3. DEBRIEFING
4. INFORMED PARTICIPATION/CONSENT
If any of the boxes below require ticks, more detail may be required to get
ethical approval. If none of the boxes require ticks, then it is reasonable to
expect approval.
If you have answered ‘YES’ to any of the questions in Section 1 (risks), please tick
the box
If you have answered ‘NO’ to any of the questions in Section 3 (debriefing), please
tick the box
If you have answered ‘NO’ to any of the questions in Section 4 (consent), please
tick the box
8. Declaration
_______________________________ _________________
I confirm that I have read this proposal and agree that it is a clear and accurate
assessment of the project to be undertaken. I have emailed a copy of this ethics
form to the teaching office.
___________________________ _________________
BIBLIOGRAPHY
Albakri, S., 2014. Security Risk Assessment framework for cloud computing environments. Security
and Communication Networks, 10th January, Volume 7, pp. 2114-2124.
Baskerville, 1991. Risk Analysis: an interpretive feasibility tool in justifying information systems
security. European Journal of Information Systems, 1(2), pp. 121-130.
Cabinet Office, 2014. Government Security Classifications FAQ Sheet 2: Managing Information Risk
at Official. [Online]
Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/286667/FAQ2_-_Managing_Information_Risk_at_OFFICIAL_v2_-_March_2014.pdf
[Accessed 11th February 2018].
Cabinet Office, 2014. Government Security Classifications FAQ Sheet 2: Managing Information Risk at
OFFICIAL. [Online]
Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/286667/FAQ2_-_Managing_Information_Risk_at_OFFICIAL_v2_-_March_2014.pdf
[Accessed 7th December 2017].
Cook, S. M., 2017. Measuring the Risk of Cyber Attack in Industrial Control Systems, Leicester: De
Montfort University.
Gartner, 2016. Gartner Says By 2020, a Corporate "No-Cloud" Policy Will Be as Rare as a "No-
Internet" Policy Is Today. [Online]
Available at: https://www.gartner.com/newsroom/id/3354117
[Accessed 19th November 2017].
Information Commissioner's Office, 2017. Overview of the General Data Protection Regulation (GDPR).
[Online]
Available at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
[Accessed 16th November 2017].
Kumarl, S. V., 2015. Data Outsourcing: A Threat to Confidentiality, Integrity, and Availability. s.l.,
IEEE.
Leydon, 2017. NHS WannaCrypt postmortem: Outbreak blamed on lack of accountability. [Online]
Available at: https://www.theregister.co.uk/2017/06/29/nhs_wannacry_report/
[Accessed 17th November 2017].
Martin, 2018. Government warns critical industry firms to prepare for cyberattacks. [Online]
Available at: https://news.sky.com/story/government-warns-critical-industry-firms-to-prepare-for-cyberattacks-11226555
[Accessed 1st February 2018].
National Police Information Risk Management Team, 2017. Managing Policing Information at Official
v 2.0. London: National Police Information Risk Management Team.
National Cyber Security Centre, 2016. The Cyber threat to UK business. [Online]
Available at: https://www.ncsc.gov.uk/content/files/protected_files/news_files/The%20Cyber%20Threat%20to%20UK%20Business%20%28b%29.pdf
[Accessed 17th November 2017].
National Enabling Programme Security Risk Management, 2017. Security Risk Scenario Mapping,
London: NPTC.
National Institute of Standards and Technology, 2014. Framework for Improving Critical
Infrastructure Cybersecurity. [Online]
Available at: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
[Accessed 16th November 2017].
NCSC, 2016. 10 Steps to Cyber Security: 10 Steps: Risk Management Regime. [Online]
Available at: https://www.ncsc.gov.uk/guidance/10-steps-information-risk-management-regime
[Accessed 18th February 2018].
NCSC, 2016. Outcomes over process: how risk management is changing in government. [Online]
Available at: https://www.ncsc.gov.uk/articles/outcomes-over-process-how-risk-management-changing-government
[Accessed 1st February 2018].
Ogut, 2011. Cyber Security Risk Management: Public Policy Implications of Correlated Risk, Imperfect
Ability to prove loss and observability of self protection. Risk Analysis, 31(3), pp. 497-512.
Parks, P. L., 1994. A Marketer's Guide to Clausewitz: Lessons for Winning Market Share. [Online]
Available at: https://ac-els-cdn-com.ezproxy.lancs.ac.uk/0007681394900515/1-s2.0-0007681394900515-main.pdf?_tid=4d32f42b-d9ca-4dc8-b79e-2c8776acaa0b&acdnat=1526640950_1369851b6229c8dcef2650c507c5b696
[Accessed 18th May 2018].
Tchernykha, S. T. B., 2016. Towards understanding uncertainty in cloud computing with risks
of confidentiality, integrity, and availability. Journal of Computational Science, 1(1), p. Unknown.
USA Gov, 2013. Executive Order -- Improving Critical Infrastructure Cybersecurity. [Online]
Available at: https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-
improving-critical-infrastructure-cybersecurity
[Accessed 1st Feb 2018].
Verginadis, M. S. H. P., 2017. PaaSword: A Holistic Data Privacy and Security by Design Framework
for Cloud Services. Journal of Grid Computing, 15(2), pp. 219-234.
Zhang, W. L. Z., 2010. Information Security Risk Management Framework for the Cloud Computing
Environments. Bradford, UK, IEEE International Conference on Computer and Information
Technology, pp. 1328-1334.