
Name: Jason Corbishley

Student ID: 31961006

Dissertation Title: Necessary and proportionate Cyber-Risk Management for Policing

Module: SCC 420

Date:

I certify that the material contained in this dissertation is my own work and does not contain
unreferenced or unacknowledged material. I also warrant that the above statement applies
to the implementation of the project and all associated documentation. Regarding the
electronically submitted version of this submitted work, I consent to this being stored
electronically and copied for assessment purposes, including the Department’s use of
plagiarism detection systems in order to check the integrity of assessed work. I agree to my
dissertation being placed in the public domain, with my name explicitly included as the author
of the work.

Date:

Signed:

SCC.420: MSc Dissertation
Necessary and proportionate Cyber-Risk Management for Policing

Jason Corbishley 31961006


7-30-2018

TABLE OF CONTENTS
Abstract ................................................................................................................................................... 4
1.0 Introduction ...................................................................................................................................... 4
1.1 Legislation considerations............................................................................................................. 5
1.2 National police Chief’s Council strategic vision ............................................................................ 5
1.3 National Police Delivery ................................................................................................................ 6
1.4 Cultural perspectives in national policing ..................................................................................... 7
1.5 National government supporting each other ............................................................................... 8
2.0 Background to Information Security in Policing ............................................................................... 9
2.1 National government strategy ...................................................................................................... 9
2.2 Legislation implications ............................................................................................................... 10
2.3 Cultural considerations ............................................................................................................... 11
2.4 National police governance overview......................................................................................... 12
3.0 Development of Cyber-Security in Policing .................................................................................... 14
3.1 Cyber-Risk Management Methodology Design & Development ................................................ 15
3.1.1 Principles .............................................................................................................................. 15
3.1.2 Security by Design ................................................................................................................ 16
3.1.3 National Police Cyber-Security Model ................................................................................. 17
3.1.4 Legislation and Policy Landscape ......................................................................................... 21
3.1.5 Confidentiality, Integrity, Availability (CIA) .......................................................................... 23
3.1.6 People Process Technology .................................................................................................. 24
3.1.7 Cyber-Risk Management Methodology ............................................................................... 25
4.0 Implementation of Cyber-Risk Management in Policing ................................................................ 39
The cyber-risk management baseline is essential for national policing to identify police force readiness via a common model of the maturity states across national policing. This required a 2 phase approach: ............ 39
4.1 Police Baseline Cyber Maturity ................................................................................................... 39
4.1.1 Force pre engagement questionnaire.................................................................................. 39
4.2 Cyber-Risk Management Methodology Elements & Security Model ......................................... 42
4.2.1 Phase 1: Risk Management and Accreditation Strategy ...................................................... 43
4.2.2 Phase 2: Business Impact Assessments ............................................................................... 43
4.2.3 Phase 3: Threat Assessments ............................................................................................... 43
4.2.4 Phase 4: Inherent Risk Assessment...................................................................................... 44
4.2.5 Phase 5: Scenarios................................................................................................................ 46
4.2.6 Phase 6: Security Model Control Development ................................................................... 48

4.2.7 Integration into the Architecture ......................................................................................... 48
4.3 Cyber-Risk Management Security Model Local Force assessment ............................................. 48
4.3.1 Force Engagement Plan ....................................................................................................... 48
5.0 Evaluation of Cyber-Risk management Methodology & Model ..................................................... 51
5.1 Policing Cyber Maturity baseline ................................................................................................ 51
5.2 Policing Cultural perception of Cyber-Risk ................................................................................. 51
5.3 Policing Cyber-Risk Management Methodology......................................................................... 52
5.4 Cyber-Risk Management Security Model for Policing ................................................................ 53
5.5 Cyber-Risk Management as Business as Usual ........................................................................... 53
6.0 Conclusions ..................................................................................................................................... 54
APPENDIX 1 Pilot 12 force questions .................................................................................................... 58
APPENDIX 2 Developed 43 force questionnaire ................................................................................... 68
APPENDIX 3 Ethics Form ....................................................................................................................... 74
Bibliography .......................................................................................................................................... 80

ABSTRACT
The purpose of this project is to provide UK policing with a workable methodology and model for the management of cyber-risk. The project will explore the cultural challenges facing decision making in relation to cyber-security and how a centralised cyber-risk assessment can provide a security model for the implementation of SaaS. The paper will also provide a cyber-security approach to architectural design, ensuring that cyber-risk management is not an afterthought that can impact policing financially or expose policing to unmanaged cyber-threats. The project will consider the influences facing policing and its approach to cyber-risk management. The project will use information gathered as part of a readiness assessment to form a baseline of maturity, with the outputs of the project delivering an end-to-end process including delivery. The proposed methodology will provide policing with a structured approach to cyber-risk management and its implementation through a common security model to be adopted by all police forces.

The cyber-risk management methodology is a structured approach taken from ISO 27001 and ISO 27005, and its implementation is explained within the project. A security model for the support of architectural design is also explained, as is its implementation. The implementation is described; however, the phased approach proposed still makes reference to a cyber-maturity assessment tool which is still under development.

1.0 INTRODUCTION
Information risk management and the growing integration of cyber-related business processes in policing have highlighted the need to consider how cyber-risk management is conducted at both national and local levels of policing. This paper will consider the readiness state of national policing in relation to cyber-risk management, as well as assessing the problem of no formal methodology being available to use. The intended goal is to provide cyber-security operatives, as well as technical design and implementation resources, with a cyber-risk management methodology to efficiently and effectively manage cyber-risk, with an additional structured security model as part of the process to support architectural technical design and implementation.
Risk management is not new, and therefore we must consider how cyber is demanding change from the existing approach to traditional risk management principles and techniques. This is supported by early research into assessing the risk of cloud computing environments (Albakri, 2014). The design phase of this dissertation will consider the core management principles and suitable frameworks which will offer policing an end-to-end cyber-risk management methodology and cyber-security model. My objective is to propose a methodology to policing which will allow cyber-security risk management to support architectural technical design in mitigating identified cyber-threats, and a security model to support architectural technical design.
Technical innovation is developing at pace, with public sector and private companies aligning their strategies to ensure that the services and goods supplied integrate with the technical change being provisioned. Future technical innovation and development investment is focused on cloud infrastructure, with a decline in on-premise infrastructure innovation as we move towards 2020. Therefore it is imperative that national policing has a mechanism to manage all assets and identify which assets need to remain under tight risk management control on premise. However, this is likely to become a minority of systems managed by specialist product suppliers, with ‘cloud first’ becoming the norm (Gartner, 2016).

1.1 LEGISLATION CONSIDERATIONS
Both the public sector and private business are facing a growing threat from fines in relation to information security, with many organisations considering insurance against cyber-security breaches. Therefore it is critical for policing to be in a position to identify any breach in information security or wider cyber-security, to protect policing from cashable risks such as fines but also from non-cashable penalties such as reputational impact (Ogut, 2011). This reinforces the perception that risk should be mitigated in full, with budget pressures providing a foundation of fear in relation to cyber, which in turn fuels a perception that legislation ensures cyber-risk is not taken.
It would not be practical to attempt a comprehensive end-to-end cyber-risk management exercise for national policing, as this would quickly go well beyond the scope of this work. However, we can select a programme which intends to utilise commercial Software as a Service (SaaS) and consider how a cyber-risk management methodology and a security model can be implemented as an enabler for wider organisational change.

1.2 NATIONAL POLICE CHIEF’S COUNCIL STRATEGIC VISION

The NPCC (National Police Chiefs Council) has developed a Policing Vision 2025 outlining the need to utilise technology to assist in the delivery of policing services to the citizens of the UK. This vision outlines some core deliverables in relation to digital policing and contact with the public, recognising that the systems in place are not sustainable or likely to meet the needs of policing in the longer term. In addition there is a strategic push for collaboration and the ability to share information and data in the same way we are able to share physical assets (National Police Chiefs Council, 2016, p. 3). In support of the Policing Vision 2025 the National Police Technology Council (NPTC), with sponsorship from the National Police Chiefs Council (NPCC) and the Association of Police and Crime Commissioners (APCC), has been successful in securing initial funding from the Police Transformation Fund (PTF) for establishing three national solutions as part of an Enabling Programmes initiative:
- A Security Operations Centre (SOC) - to deliver a nationally coordinated monitoring, response and remediation capability in order to protect all UK police forces from cyber-threats.
- An Identity Access Management (IAM) platform - to enable user access to local, regional and national information, networks and applications, including cloud services, in an efficient and effective manner.
- Productivity Services - to establish a national and standardised technology platform that complements the Public Contact vision from the Digital Policing Portfolio and delivers productivity benefits such as: collaborative production of documents, spreadsheets and presentations (amongst other examples); the storage and management of these files; and email and file-sharing, aiming to remove barriers to operational efficiency and to enable joint working and digital engagement with the public.

The three deliverables are shown with their integrating elements in figure 1 below:

Figure 1.2.1 SaaS National Enabling Programme

It is important to note the operational productivity benefits and the vision, which is taken from the Policing Vision 2025, and that the National Enabling Programme is not a technical delivery programme in its own right. It is therefore essential that cyber-risk management and the development of a security model give policing the assurance that information, data and technical infrastructure are adequately risk managed (National Police Chiefs Council, 2016).

1.3 NATIONAL POLICE DELIVERY

The National Enabling Programme (NEP) operates under the governance of the Information Management and Operational Requirements Coordination Committee (IMORCC). In order to successfully deliver the three areas of technical functionality, the programme will require a cyber-risk management and accreditation methodology to ensure that policing is not exposing itself to increased risk by consuming Internet-based Software as a Service (SaaS), as per the Government Digital Services Technology Code of Practice (Government Digital Services, 2017). In order to meet this requirement it is critical that policing understands the cyber-security baseline it currently has, so that a suggested methodology can cover any identified gaps and provide a common baseline across policing. This will be covered as part of the readiness state for the consumption of commercial cloud services, recognising that every police force has a different starting position.
National policing is facing its own cultural battle associated with cyber-risk management and accreditation. Governance and decision makers responsible for risk have developed from a background of information security and data protection. This leaves policing with a strategic situation that may not meet its future needs, as well as resources not understanding the different risks that policing faces from cyber, due to a lack of knowledge and understanding.
The proposal to utilise the commercial Internet is a bold but obvious step for the technical architect responsible for designing the solution, highlighting the need to ensure that if commercial SaaS is to be consumed then a comprehensive risk assessment is needed for policing to build from (Albakri, 2014, p. 2115). The challenge, however, is that the Microsoft O365 solution is made up of a number of components, each offering capability from the Microsoft cloud. Not all products are available in all Microsoft UK data centres, and therefore negative assumptions from the many existing Information Security Officers are something that national policing needs to be prepared for; this is discussed further in this paper when considering the cultural influences.

To underpin the delivery of the technical design and the wider specifications there needs to be a risk assessment of the products being proposed, as well as acceptance that locally within each force there is a varying level of cyber and technical maturity. In order to achieve this, the approach proposed is structured to deliver a comprehensive risk-managed output that will inform the technical design. A baseline is needed, as is a new way of working for cyber-risk management in policing, as shown in figure 1.3.1 below:

Figure 1.3.1 cyber-risk management scope

As well as defining the methodology for the purpose of risk, the intention is to turn cyber-risk into an enabler of change. Assessing the current cyber-security readiness state across forces has allowed a rich picture of views and perspectives to surface, including the challenges facing impatient strategic leaders and the assumption of technical architects that cyber-risk is somebody else’s issue. This presents policing with a problem that influences both strategic organisational decision making and technical delivery. This supports the need for a structured and methodical approach to cyber-risk management that can be used both locally and nationally within policing.

1.4 CULTURAL PERSPECTIVES IN NATIONAL POLICING

The cultural position of cyber-risk management is still developing across policing, with mixed results. The historical position is that a good structure for traditional information security management is in place; however, the wider position of cyber-risk management is still developing. The common position is that data protection officers have responsibility for cyber-risk management, but with no experience beyond information security. Technical architects have no responsibility for information security, so who collates all this information, and where, to allow a collective understanding?
Providing a cyber-risk management methodology to national policing will not provide a complete solution. Cyber-risk cannot be treated separately from solution and architectural design. Security by design is not something new to technical process and best practice, but is this a practice adopted or accepted by technical architectural delivery in policing? This paper will consider how core principles will support the cyber-risk management methodology, with the development of a security model, in providing assurance to the NPCC and its Senior Information Risk Owners that a centralised cyber-risk management methodology can drive progress and change in architectural development.
However, can traditional risk management practices provide a realistic approach to the risk assessment of commercial cloud services? This is vastly different from assessing a risk which is bounded; therefore, is it realistically achievable to gain a comprehensive assessment of the risks that are presented from the Internet? The discussion within this dissertation will start to address how a cyber-risk management methodology can allow policing to develop a cyber-risk model allowing the consumption of commercial SaaS with increased confidence and assurance.
Changes to legislation and government policy also impact how risk and accreditation are perceived and understood. The General Data Protection Regulation (GDPR) became effective in May 2018, with amendments being made to the UK Data Protection Act to provide the updates required to meet the legislative change for GDPR (Information Commissioner’s Office, 2017). Whilst the introduction of GDPR will bring added complexity to cyber-risk management, the legislation has a larger implication for policing. Policing is built on the intelligence it gathers on individuals, and therefore data classification becomes more complex as separate layers of control are needed in order to ensure identified risk is managed effectively. The analysis and baseline for the monitoring of process and procedure will allow technical design to identify the requirements from cyber-risk management, and the findings within this paper will allow a more structured approach to the design and architecture of systems.
Influencing any change in an organisation is challenging. However, this paper will propose a change to how cyber-risk is managed nationally across policing. This will be challenging, and resistance to change in the community will make the task somewhat more difficult without a full understanding of what is currently in place and its limitations. This raises the question of decision making and the power associated with managing the output of risk. Is the challenge related to how we manage risk, or to the outputs that allow change to progress? It is critical that existing developers of process and policy do not become entrenched in their thinking. The National Health Service recently found itself at the mercy of a cyber-attack resulting in life-threatening consequences, which is said to have been caused by out-of-date equipment which was not being maintained. This position was born not from the will to update systems and applications but from funding and decision making within NHS management (Leydon, 2017). This issue will be addressed throughout the paper, in particular how cyber-risk management can develop a process, with changes to the culture of risk management, to assist policing in delivering a cyber-risk management function.
The National Police Information Risk Management Team (NPIRMT) does not believe that guidance produced by the Government Digital Service or the National Cyber Security Centre (NCSC) is relevant to policing. In addition, the National Police Information Risk Management Team does not accept that guidance produced outside of policing is specific enough, choosing instead to implement policy and additional guidance specifically for policing. This presents additional complexity for policing and increases confusion for technical design, policy and procedure development, as well as limiting operational solution design.

1.5 NATIONAL GOVERNMENT SUPPORTING EACH OTHER

The NCSC provides organisations with specific guidance about how to establish cyber-defence mechanisms. The growing threat to policing from cyber, as criminals become ever more distributed thanks to cyber environments and the level of knowledge that adversaries have, means that change is needed in the skills available to policing in cyber. This is supported in the opening comments of the annual cyber-threat report for business, where “Cyber attacks will continue to evolve, which is why the public and private sectors must continue to work at pace to deliver real-world outcomes and ground-breaking innovation to reduce the threat to critical services and to deter would-be attackers” (Ciaran, 2016-17, p. 2). This supports the need for robust risk management which is practical and deliverable. Cyber-risk should therefore be integrated from the outset and closely coupled with the delivery of architectural design, with a link to the implementation of a cyber-risk model for policing (National Cyber Security Center, 2016, p. 15).

National policing therefore does not have a framework for the management of cyber-risk or a security model to support architectural design. My proposed process will allow policing to define the risk management, accreditation and security process that will bring clarity to the actions needed to allow policing to deliver strategic operational changes, supported by an enabling cyber-risk management process. Technical architecture design will be developed with a security perspective from the start, identifying mitigations to cyber-risk.
The objective is to ensure cyber-risk management is used as an enabler of transformation and not used as a reason not to progress or make change within the provision of technical infrastructure for policing. This will be explained throughout the discussion within this dissertation to ensure that ‘Defence in Depth’ is achieved from cyber-risk management and the delivery of technical design. This paper will propose a cyber-risk management approach for national policing that can also be used for the provision of local systems within a police force.
However, the proposed methodology cannot be evaluated in isolation, and there is a need to consider the capability readiness of forces and their current cyber-maturity before any implementation. Therefore the implementation of change will also be briefly covered, where a cyber-assessment will be undertaken of policing’s capability to take on a structured cyber-risk management process and a security by design approach. It is, however, essential that more than technical design is considered, and a more holistic approach including people, technology and process will contribute to the structure of the proposed approach to ‘Cyber-Risk Management for Policing’.
This paper will therefore propose a cyber-risk management methodology supported by the implementation of a cyber-risk security model for national policing. Within the development and implementation, the influencing factors that are shaping change will be considered. The conclusion will identify the successes of the implementation as well as the remaining challenges faced in the ever-changing threat landscape that cyber is producing.

2.0 BACKGROUND TO INFORMATION SECURITY IN POLICING

2.1 NATIONAL GOVERNMENT STRATEGY
The provision of information technology in policing has evolved significantly during the last 10 years. There have been a number of national agencies and departments that have tried unsuccessfully to strategically align ICT service delivery, with either an objective to save money or to provide a vehicle for police forces to collaborate. This challenge presents Chief Constables with the dilemma of providing technical equipment or police officers on the street. This is further complicated by the demand for technology to support policing processes.
The governance structure for national policing identifies designated Chief Constables who take on the lead role for the strategic delivery of specific national police processes and applications. For example, the National Senior Information Risk Owner (NSIRO) is responsible for accepting risk associated with the information and data used at a national level. This governance structure provides all Chief Constables with the required level of assurance in the provision of national police ICT systems.
National policing has a central Information Assurance (IA) team which is there to provide audit capability against predefined technical standards. These standards have developed with a focus on provisioning ‘on premise’ infrastructure, with a perception that ‘on premise’ can offer more assurance from risk than services consumed via the Internet. National police audit has developed to become not just an IA function but one of technical change control, influencing direction and strategy based on a solid understanding of threat but without serious consideration of the likelihood of a risk event occurring. This has defined a risk appetite that can fall within a range relating to ‘averse’, resulting in preventing the use of the Internet for services other than standard browsing, and defining a direction of self-hosted solutions and the associated cost parameters that are attributed to provisioning data centres locally and the skills needed to support them.
National government technical strategy is more mature than it has ever been. Government Digital Services (GDS) has provisioned the Technology Code of Practice (Government Digital Services, 2017), which provides a code of practice for all government departments in relation to the design, provision and purchase of technical systems. There are some clear elements of guidance included. ‘Use Cloud First’ (Government Digital Services, 2017) provides a clear set of guidelines, supported by national government policy, for the consideration of cloud technology in all deployments. Cloud is defined as a solution or system which utilises the Internet to facilitate access to the service or solution (Government Digital Services, 2017). GDS makes a number of sensible and basic recommendations for good reason, specifically defining user needs (Government Digital Services, 2017). This may seem obvious, but national and local policing has a habit of defining the solution it wants based on the advice provided by a supplier to a senior executive who has little or no expertise in the delivery of technical solutions. This is a common example of the cultural challenges faced.
The National Police Chiefs Council (NPCC) has established a strategic Policing Vision 2025 that outlines how policing will change to meet the changing demand placed upon its resources through the next 10 years (National Police Chiefs Council, 2016). This strategy places a firm focus on the use of technology to assist in the transformation and development of police business processes, recognising that digital integration is critical to meet the policing needs of communities. A particular aspect of the strategy is focused on collaboration between police forces and partner agencies, for example local authorities and the National Health Service (NHS), for the support of operational business process change and to deliver the ability to share information and data electronically with necessary and proportionate controls in place. This is a step away from the current thinking in policing that placing documentation inside two envelopes provides the security that is required for policing data.
These strategic statements support the need for necessary and proportionate cyber-risk management to ensure that risk management doesn’t design out functionality for operational policing and erode business benefit. The existing policy and procedure in relation to data sharing would prevent the sharing of documentation without cumbersome manual processes; however, the future can be more controlled, allowing the sharing of documentation but using risk-based technical controls to track and monitor how documents are being consumed. The strategic vision will manoeuvre risk management from being someone else’s problem to a key element in providing a solution to the Policing Vision 2025.

2.2 LEGISLATION IMPLICATIONS

Legislation changes also influence how policing can provision applications and data. All organisations will have policy for the retention and deletion of data, but in policing this is influenced by the Department of Justice. The point of sentencing results in extremely complex procedures to ensure that data is retained for extended periods of time. For example, all information and data relating to a murder case with a successful conviction must be retained by the police for 99 years. When this legislation was committed to law, cases were presented at court on paper, before the introduction of computerised evidence; however, this legislation is still present today. This results in complex and costly technical solutions which require growth in data capacity at an alarming rate. Technical practitioners see Software as a Service (SaaS) as part of the solution to this growing problem.
As legislation was developed during the 1970s and 1980s a growing need for Data Protection Officers became apparent for local forces. This role was introduced to deal with the growing demand to manage large paper-based data sets and to manage the secure and organised storage of this information.

These roles in policing are changing; however, the operating model must also change or policing will
find it has a large number of manual data management processes and skills attempting to manage
cyber-solutions and the new risks that arise when providing similar assurance for the storage of
data in the future.
Ever-changing legislation is nothing new; however, the General Data Protection Regulation (GDPR)
has thrown policing data protection officers into a frenzy of solutionising. GDPR places firm
responsibility with the Senior Information Responsible Officer in each force and has required updates
to the Data Protection Act (Information Commissioners Office, 2017). However, this has resulted in all
police forces trying to solve the same problems in their entirety. GDPR is a living regulation, which
means that changes and updates will be made to ensure the regulation remains valid as technology
and data storage change (Information Commissioners Office, 2017). However, the current position in
police forces differs based on the technical maturity of each organisation. It is therefore not practical
to attempt to solve all aspects of GDPR with a single implementation of technology without a clear
central strategic approach that ensures the correct risks are identified and mitigated by the
implementation.

2.3 CULTURAL CONSIDERATIONS


In today’s society nobody questions high fences, armed guards or closed-circuit television systems
at the entrances to secure facilities, or the installation of fire prevention services such as sprinklers
and alarms. These systems are entrenched in the culture of society, and in business terms there would
never be the need for a detailed business case for either the replacement or introduction of such a
system. However, the culture of policing and the ‘kit v cops’ argument repeatedly question the
implementation of cyber-defense techniques, resulting in a perception that policing will go to extreme
lengths to prevent a physical intruder but questions the need to prevent the cyber-adversary from
gaining access via a wire from anywhere in the world. This culture, whether it stems from resistance
to change due to skill deficiency or from fear of the unknown, alongside an attitude of ‘it hasn’t
happened yet’, provides a rich environment for a major cyber-incident in policing.
The existing culture is mixed depending on the role of an individual. Chief Officers are aware of
reputational risk but often do not see visible returns for investment in cyber-risk management.
Information Assurance operatives focus on the end result and therefore build cumbersome and
complex controls into the delivery of technical solutions. There is no holistic consideration of Defense
in Depth (SANS Institute, 2001), no acceptance that a cyber-breach will occur at some point, and no
identify, protect, detect, respond, recover approach (National Institute of Standards and
Technology, 2014) to such an incident. Necessary and proportionate risk management is critical, and
a move is needed away from the current position where, at best, basic project management risk is
maintained and understood by the majority or, worse, risk is managed through perception. There is a
need to develop a cyber-risk management methodology that allows national policing to manage cyber-
risk without duplicating or increasing risk, ensuring that the current community of trust within
policing is maintained and improved and meets the requirements of today’s operational policing.
For many years policing has provisioned services via a closed network called the ‘Police National
Network Protect’ or PNNP. This closed network utilises an encryption overlay upon the Public
Services Network or PSN. This network provides additional assurance for services which require
additional protection for policing and access to national police systems. The cultural resistance to any
change and the security controls which are provisioned often degrade the end user experience. This
presents an additional dynamic in relation to cyber-risk perception and the need to accurately
understand the functionality requirement and the residual cyber-risks from the provision of technical
and management controls.

2.4 NATIONAL POLICE GOVERNANCE OVERVIEW
The decision-making structures for national policing are built on a hierarchical structure in which
Chief Constable leads for areas of delivery come together to form the NPCC. This structure has
allowed a governance structure to be established which links Information Assurance (Security
Design Authority), the Operational Requirements Board (Business Design Authority) and the
National Police Technology Council (NPTC, the Technical Design Authority). This structure has
proven to surface the challenges faced with new legislation and the boundaries between risk-based
decisions; however, technical decisions are further complicated by individuals sitting within multiple
governance groups.

Figure 2.4.1 on the following page represents the governance structure and the segregation of
security-based auditing and risk assessment from the technical delivery of design and architecture. The
NPTC has established an Infrastructure Working Group to ensure that technology solutions being
implemented are designed and documented to a set of standards that ensure any solution
implemented is necessary and proportionate and that the security controls defined as part of the
implementation contribute to the mitigation or removal of identified risks. This can only be
achieved if the risk is understood and is legitimate, with a representative score before and after the
control is applied. This approach has caused some controversy, as the previous processes allowed local
and national technical delivery teams to develop designs in an ad hoc way with no common process
or methodology.

Figure 2.4.1 Governance structure

As previously mentioned, there are many existing risk management methodologies, each with tooling
and mechanics to assist the practitioner with calculating risk. National policing therefore had to
consider the following two options:
- Utilise an existing risk management methodology and develop outcomes from this existing
end-to-end process.
- Consider and evaluate existing risk management methodologies and determine if industry
best practice, complemented by selected outputs from existing methodology, will supply
national policing with its own interpretation of a usable methodology.

The design will therefore propose a methodology to address cyber-risk management in policing. This
will provide a methodology to support architectural design by selecting industry based best practice
but ensuring that the elements selected to form the methodology were in themselves not over
engineered.

3.0 DEVELOPMENT OF CYBER-SECURITY IN POLICING


The identified gap in cyber-risk management across policing presents a significant risk to core policing
operational process. The core issue is that skills and knowledge in the areas responsible for cyber-risk
management are not sufficient to meet the changing landscape of both police operational process and
the threats from the cyber-adversary. Therefore policing requires a national
methodology to manage cyber-risk in support of technology development and the implementation of
SaaS.
National policing has a number of new challenges when considering cyber-risk management and the
use of commercial SaaS. The challenges are no different to those of wider industry or the commercial
organisations and include:
- How do organisations risk assess the consumption of SaaS?
- As technical architecture changes and the perception of a protected boundary disperses how
do organisations risk manage technical implementations?
- How will the cultural perception of risk influence risk awareness of cyber environments?
The approach to the design and delivery of risk management in a changing cyber-world requires
organisations to be agile in their approach to cyber-risk management. Any developed model or
methodology must always be assessed and reviewed to ensure that the process and tooling remain
relevant and meet the intended objective, recognising that cyber-attacks are undertaken by intelligent
adversaries who can adapt to change faster than organisations can make changes to a complex and
detailed cyber-risk assessment process (Cook, 2017, p. 111).
The design of the proposed methodology is separated into specific delivery sections to assist the
reader in understanding how the methodology has been developed as well as identifying the wider
output of this process.
The design and development of the proposed cyber-risk management methodology and security
model require a firm foundation and the identification of the many influencers. The principles outlined
define a boundary of development, with technical architecture design being undertaken to protect the
business requirement. The proposed development of the cyber-risk management methodology must
consider legislation and the policy landscape needed to support a successful implementation. Having
a cyber-risk management methodology and model without policy to support a change in cyber-risk
management attitude will allow forces to drift to alternative practices or old, ineffective practice
which may be familiar.

3.1 CYBER-RISK MANAGEMENT METHODOLOGY DESIGN & DEVELOPMENT
3.1.1 Principles
The design of a methodology for national policing requires that a number of specific considerations
and guiding principles are defined ahead of the development of the methodology. The principles
proposed all align to develop a methodology to assist in the delivery of the National Police 2025 vision
(National Police Chiefs Council, 2016).
The principles will contribute to the management of over-engineered perceptions of cyber-security
threats. The general media reports on the new risks from cyber-security threats and relies upon the
lack of understanding and knowledge of the general public to ensure that breaches are presented with
a perspective that fuels an escalation of the vulnerability. It is therefore essential that the proposal
addresses this potential misconception by defining principles which will challenge the risk position
of those who are not well informed or knowledgeable in this area. This point is supported by
Baskerville (1991, p. 123), where the argument is made that perception is based on recent risk
implications and knowledge which is developed from situational awareness such as media and the
press.
It is therefore essential that the proposed principles are not generated in isolation. Through
collaborative working with NPTC and the National Police Information Risk Management Team
(NPIRMT), a number of key accreditation principles are proposed to ensure legitimacy in the
proposed approach. The principles proposed are intentionally pitched at a high level to provide a
guide for cyber-risk management. This is supported by Kauspadiene (2017), where providing
high-level principles can contribute to the success of cyber-risk management methodologies. The
principles to develop the methodology are shown in figure 3.1 below:

Figure 3.1
Critical to the successful acceptance of the methodology is a practical process that can be used by
both national and local cyber-security practitioners.
Clear and Intelligible:

- The production of any risk management methodology must be clear and easily understood.
Accepting that there will always be differing levels of knowledge and awareness of cyber-risk
management and the output should be fully aware of this and make the associated allowances.
Organisation Agnostic:
- The cyber-risk management methodology should not be created with a single police force as
the outcome. The delivered set of tools and processes should be capable of being mapped to
all police forces working on the assumption that policing is not a separate set of deliverables
as required, but a service with local devolution and therefore a common approach to cyber-
risk management is achievable.
Flexible:
- The methodology should be flexible and be agile enough to change according to change in the
cyber-landscape.
Single process:
- All forces should use the same process. There should be no need to alter the process from
force to force.
Clear delineation of national vs regional risk management:
- It is recognised that there are responsibilities and accountabilities for those who are
responsible for cyber-risk that are associated with assets police own. Therefore the
methodology should provide a mechanism for the management of both local and national
cyber-risk management
Necessary and proportionate:
- It is critical that cyber-risk management is not over thought or susceptible to media influence.
The National Cyber Security Centre provide a wide range of information and guidance in
relation to cyber-risk management however at times the publications in relation to threat
intelligence is not proportionate to likelihood of the occurrence materialising. (Martin, 2018)
This is a particularly important point that will shape the overall methodology.
Cost and time effective:
- The methodology should not be a process which never reaches any conclusion. It should be
effective in delivering an output as well as being cost efficient in terms of effort required to
undertake the process. The total cost of operation should be proportionate to the risk being
managed.
Repeatable and replicable:
- The methodology should produce a process that can be repeated as the cyber-risk
management landscape changes. The process should therefore not result in a position where
organisations must always start from scratch and re-define a baseline.

3.1.2 Security by Design


Security by design is not a new approach to the development of technical architectural methodology;
the principles of solution design and its implementation have been, and are, influenced by an approach
to ‘Security by Design’ which is supported in a recent paper, “PaaSword: A Holistic Data Privacy and
Security by Design Framework for Cloud Services” (Verginadis, 2017). This is a high-level approach to
emphasise the importance and cost implications of getting a design, and worse the implementation,
of a complex technical programme wrong, resulting in an increase to cyber-risk for policing.

There are many examples, both locally and nationally, of technological systems being developed and
security controls being considered only after the design phase of the project has concluded. Historically
the requirements of a system and the architectural design were developed and, when concluded, were
passed to the security architects and information-security teams for accreditation. This usually
highlighted areas of risk that had not been considered due to financial or time constraints, resulting in
delays to implementation or significant rework relating to re-design.

NCSC (National Cyber Security Centre) is the group within Government Communications
Headquarters (GCHQ) that supports government departments in managing their own information
security. The role of NCSC is to provide guidance and advice in relation to cyber-risk management
and tools for design and architecture implementation. NCSC has set out a thorough set of
‘Security by Design’ guidelines for securing digital solutions in order to guide government departments
to build solutions that are both resilient to attack and easy to use. The intended goal is to “enhance
security without impeding the proper use of your service.” (NCSC, 2016)

Therefore ‘Security by Design’ has been developed throughout this proposal in order to support and
guide the development of architectural implementation providing the best opportunity to secure
services to Government standards. To support the development the NCSC best practice guidelines will
allow security requirements to be identified, prioritised and designed in an agile manner to meet the
strict time demands of operational change from Policing.

‘Security by Design’ is an approach that embeds security from conception through to
the final delivery of any potential solution. This approach is based upon NCSC best practice guidance
covering how to securely build and implement digital solutions. It is therefore critical that a core
principle of interconnecting cyber-risk management with architectural design is adopted to limit
any duplicated effort or re-engineering of technical solutions which would result in additional cost or re-
work.

Therefore in order to consider an end to end process the proposed cyber-risk management
methodology must provide a means to produce a security model. The security model is therefore an
output of the architectural process provided by the ‘Security by Design’.

3.1.3 National Police Cyber-Security Model


The development of a cyber-risk management security model is essential for two reasons:

- The Inherent Risk Assessment needs a set of user scenarios or journeys in order to validate
the necessity of a security control, and therefore technical architects require an
understanding of where the risk or mitigation is required.
- To identify whether the control relates to People, Process or Technology.

The National Institute of Standards and Technology (NIST) has developed a cyber-security framework
to assist in improving cyber-security risk management, following the 2013 executive order issued
by the US government (USA Gov, 2013). The framework allows practitioners to adopt a series of
processes and procedures to achieve a risk-assessed position utilising an adaptive and flexible
approach that will meet the cyber-risk awareness that policing requires. The NIST framework
recognises that no one process will suit all organisations, a key element identified by national policing
and discussed within the background section of this paper. The NIST cyber-security framework
therefore allows core traditional risk management methodologies such as ISO 27005 to be adapted
to meet the needs of an organisation (NIST, 2014, p. 6), whilst allowing policing to adapt the process
to meet its needs. This approach is supported in a recent article within Network Security (Aminzade,
2018).

The NIST framework provides a set of tools to help organisations achieve the cyber-risk management
outcomes needed to mitigate cyber-security risk. It is important to identify that the framework is not
intended to identify or assess risk, but it allows the presentation of mitigation controls to be clearly
identifiable, ensures that these can be attributed to a NIST function, and lets an organisation
identify where risk may exist. This supports the earlier discussion where perceived risk can in itself be
more risky than the actual risk, specifically by diluting any necessary and proportionate approach being
taken to cyber-risk management.

The NIST Framework focuses on using business drivers to guide cyber-security activities and behaviors
whilst considering cybersecurity risks as part of the national policing wider cyber-risk management
process. An attractive benefit of using the NIST Framework is that it acts as an enabler to communicate
technical architecture security controls in an accessible and coherent business manner that can be
understood by all involved with wider overall risk acceptance.

The Framework consists of three parts:

- Framework Core
- Framework Profile
- Framework Implementation Tiers (NIST, 2014)

The Framework Core is a set of cyber-security activities, outcomes, and informative references that
are common across critical infrastructure sectors providing the detailed guidance for developing
individual police force profiles. Through use of the profiles the framework will help national policing
align its cyber-security activities with its business requirements, risk tolerances, and the resources
available. (NIST, 2015)

The rationale for choosing this framework is that it enables organisations regardless of size, degree of
cyber-security risk, or cyber-security maturity to apply the principles and best practices of cyber-risk
management to improving the security and resilience of policing critical infrastructure. The framework
will provide policing with structure to today’s multiple approaches to cyber-security and awareness
by assembling standards, guidelines, and practices that are working effectively across industry today.
In addition because it references globally recognised standards for cyber-security, the framework can
serve as a model for international cooperation on strengthening critical infrastructure across policing.

The framework is not a one-size-fits-all approach to managing cyber-risk for critical
infrastructure. Policing will continue to have unique risks with different threats, different
vulnerabilities, and different risk tolerances; however, the implementation of the practices in the
framework will vary based on specific needs over and above those needed for SaaS. Police forces can
determine activities that are important to critical service delivery and can prioritise investments to
maximise the impact of each area of spend. “Ultimately, the framework is aimed at reducing and
better managing cyber-security risks through the use of cyber-risk management.” (NIST, 2014)

The NIST cyber-security framework (NIST, 2015) reference tool represents the framework ‘Core’,
which is a set of cyber-security activities with desired outcomes and applicable references that will
provide policing with a common approach. This use of industry standards, guidelines, and practices
allows for the communication of cyber-security activities and outcomes across policing. The
Framework ‘Core’ consists of five concurrent and continuous Functions - Identify, Protect, Detect,
Respond and Recover (NIST, 2014). When considered together these Functions provide a high-level
strategic view of the lifecycle of cyber-security risk. The framework ‘Core’ then identifies underlying
key categories and subcategories for each function, and matches them with example informative
references such as existing standards, guidelines, and practices. (NIST, 2015)

The framework provides a common language for understanding, managing, and expressing cyber-
security risk both internally and externally. It can be used to help identify and prioritise actions for
reducing cyber-security risk and it is a tool for aligning people, process and technological approaches
to managing these areas of risk. It can be used to manage cyber-security risk across policing but the
methodology presented within this paper can be extended beyond SaaS as desired.

The framework ‘Core’ provides a set of activities to achieve specific cyber-security outcomes and
references examples of guidance to achieve those outcomes. The ‘Core’ is not just a checklist of
actions to perform. It presents key cyber-security outcomes identified by industry as helpful in
managing cyber-security risk. (NIST, 2014) The ‘Core’ comprises four elements:

- “Functions
- Categories
- Subcategories
- Informative References, depicted in the infographic below” (NIST, 2015)
In order to manage the desired output of improving national cyber-security awareness through a local
approach, cyber-capability assessments and maturity assessments based on the NIST categories
Identify, Protect, Detect, Respond, Recover are being developed outside this paper. This cyber-
maturity assessment will be key to the initial implementation of the overall methodology within a
police force.
To support the development of how the NIST categories fit with policing, a number of user scenarios
were developed to support their legitimacy; these are shown in figure 3.2 below.

Figure 3.2 (NIST, 2015)

The five framework ‘Core’ functions are defined below. These functions are not intended to form a serial
path, or lead to a static desired end state. Rather, the functions can be performed concurrently and
continuously to form an operational culture that addresses the dynamic cyber-security risk.

- Identify – “Develop the organisational understanding to manage cybersecurity risk to systems,
assets, data, and capabilities.” (NIST, 2015) The activities in the ‘Identify’ function are
foundational for effective use of the Framework. Understanding the business context, the
resources that support critical functions and the related cyber-security risks enables an
organisation to focus and prioritise its efforts consistent with its risk management strategy
and business needs. Examples of outcome Categories within this Function include:
o Asset Management
o Business Environment
o Governance
o Risk Assessment
o Risk Management Strategy

- Protect – “Develop and implement the appropriate safeguards to ensure delivery of critical
infrastructure services”. (NIST, 2015) The ‘Protect’ function supports the ability to limit or
contain the impact of a potential cyber-security event. Examples of outcome Categories within
this Function include:
o Access Control
o Awareness and Training
o Data Security
o Information Protection Processes and Procedures
o Maintenance
o Protective Technology

- Detect – “Develop and implement the appropriate activities to identify the occurrence of a
cybersecurity event.” (NIST, 2015) The ‘Detect’ function enables timely discovery of cyber-
security events. Examples of outcome categories within this function include:
o Anomalies and Events
o Security Continuous Monitoring
o Detection Processes.

- Respond – “Develop and implement the appropriate activities to take action regarding a
detected cybersecurity event.” (NIST, 2015) The ‘Respond’ function supports the ability to
contain the impact of a potential cyber-security event. Examples of outcome categories within
this function include:
o Response Planning
o Communications
o Analysis
o Mitigation
o Improvements

- Recover – “Develop and implement the appropriate activities to maintain plans for resilience
and to restore any capabilities or services that were impaired due to a cybersecurity event.”
(NIST, 2015) The ‘Recover’ function supports timely recovery to normal operations to reduce
the impact from a cyber-security event. Examples of outcome categories within this function
include:
o Recovery Planning
o Improvements

o Communications
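The five functions and their outcome categories above, together with the section 2.4 requirement that every control be tied to an identified risk with a representative score before and after it is applied, can be expressed as a small checking routine. The following is an added example, not code from the dissertation or from NIST: it models the Core functions and categories as listed in this section, classifies each candidate control as People, Process or Technology, and rejects any control that is unmapped to a risk (not necessary), mis-categorised, or does not lower the risk score (not proportionate), while also reporting which Core functions end up with no accepted control. The 1..5 likelihood and impact scales, the multiplicative score and all sample risks and controls are assumptions constructed for the example.

```python
"""Added example (not the dissertation's or NIST's code): check candidate
security controls against the NIST CSF Core functions and a before/after
risk score.  Scoring scales and sample data are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Core functions and the outcome categories the text lists for each one.
CORE_CATEGORIES: Dict[str, List[str]] = {
    "Identify": ["Asset Management", "Business Environment", "Governance",
                 "Risk Assessment", "Risk Management Strategy"],
    "Protect": ["Access Control", "Awareness and Training", "Data Security",
                "Information Protection Processes and Procedures",
                "Maintenance", "Protective Technology"],
    "Detect": ["Anomalies and Events", "Security Continuous Monitoring",
               "Detection Processes"],
    "Respond": ["Response Planning", "Communications", "Analysis",
                "Mitigation", "Improvements"],
    "Recover": ["Recovery Planning", "Improvements", "Communications"],
}
CONTROL_KINDS = {"People", "Process", "Technology"}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # inherent (before-control) score


@dataclass(frozen=True)
class Control:
    name: str
    function: str              # one of the Core functions
    category: str              # an outcome category of that function
    kind: str                  # People / Process / Technology
    mitigates: Optional[str]   # risk_id, or None if nobody tied it to a risk
    residual_likelihood: int   # assessed values once the control is applied
    residual_impact: int


def validate_control(c: Control) -> List[str]:
    """Return the reasons a control fails the structural checks (empty = OK)."""
    problems: List[str] = []
    if c.function not in CORE_CATEGORIES:
        problems.append(f"unknown Core function {c.function!r}")
    elif c.category not in CORE_CATEGORIES[c.function]:
        problems.append(f"{c.category!r} is not a {c.function} category")
    if c.kind not in CONTROL_KINDS:
        problems.append(f"kind must be People, Process or Technology, not {c.kind!r}")
    if c.mitigates is None:
        problems.append("not tied to an identified risk (control is not necessary)")
    if not (1 <= c.residual_likelihood <= 5 and 1 <= c.residual_impact <= 5):
        problems.append("residual likelihood/impact must be on the 1..5 scale")
    return problems


def assess(risks: List[Risk], controls: List[Control]) -> dict:
    """Accept controls that pass the checks and lower their risk's score;
    reject the rest with reasons; list Core functions left with no control."""
    risk_by_id = {r.risk_id: r for r in risks}
    accepted: List[Tuple[str, int, int]] = []   # (control, before, after)
    rejected: Dict[str, List[str]] = {}
    coverage = {f: 0 for f in CORE_CATEGORIES}
    for c in controls:
        problems = validate_control(c)
        if c.mitigates is not None and c.mitigates not in risk_by_id:
            problems.append(f"refers to unknown risk {c.mitigates!r}")
        if not problems:
            before = risk_by_id[c.mitigates].score
            after = c.residual_likelihood * c.residual_impact
            if after >= before:
                problems.append(f"does not reduce risk ({before} -> {after}): not proportionate")
            else:
                accepted.append((c.name, before, after))
                coverage[c.function] += 1
        if problems:
            rejected[c.name] = problems
    uncovered = [f for f, n in coverage.items() if n == 0]
    return {"accepted": accepted, "rejected": rejected,
            "coverage": coverage, "uncovered_functions": uncovered}


def sample_assessment() -> dict:
    """Constructed sample data: one risk and four candidate controls."""
    risks = [Risk("R1", "Unauthorised access to case files held in SaaS", 4, 4)]
    controls = [
        Control("MFA for SaaS logins", "Protect", "Access Control",
                "Technology", "R1", 2, 4),                      # 16 -> 8: accepted
        Control("Double-envelope handling", "Protect", "Data Security",
                "Process", None, 4, 4),                         # no risk: rejected
        Control("Annual penetration test", "Detect", "Penetration Testing",
                "Process", "R1", 4, 4),                         # bad category
        Control("Ad hoc log review", "Detect", "Security Continuous Monitoring",
                "People", "R1", 4, 4),                          # 16 -> 16: rejected
    ]
    return assess(risks, controls)


if __name__ == "__main__":
    report = sample_assessment()
    for name, before, after in report["accepted"]:
        print(f"ACCEPT {name}: risk {before} -> {after}")
    for name, why in report["rejected"].items():
        print(f"REJECT {name}: " + "; ".join(why))
    print("Core functions with no accepted control:", report["uncovered_functions"])
```

The `uncovered_functions` output is the point a reviewer would look at first: a control set that only strengthens Protect, as in the sample, leaves Identify, Detect, Respond and Recover empty, which is the absence of defence in depth described in section 2.3.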

3.1.4 Legislation and Policy Landscape


Legislation and policy are significant influencers and drivers for changing culture within policing. The
existing national police policies governing technical infrastructure, information and
processes for OFFICIAL and OFFICIAL SENSITIVE (Cabinet Office, 2014) government information make
clear that government organisations should make use of commercial practices and tools whilst
observing and considering key government policies. This is supported by GSC policy, which states “this
means increased adoption of commoditised technology and services, use of the cloud and greater
emphasis on devices that allow mobile or flexible working.” (Cabinet Office, 2014)

This policy statement implies a change in government risk appetite and a shift from the
embedded culture that security is better if provisioned on premise in a semi-closed network. Recent
research into critical national infrastructure supports a change in the approach to considering risk
management. Police infrastructure is classified as critical national infrastructure. A US executive order
signed in 2013 stated that the “cyber threat to critical infrastructure continues to grow and represents
one of the most serious national security challenges we must confront” (USA Gov, 2013). This
represents a change in the thinking of government, escalating the policy-driven decisions governments
are taking.

The policies that exist largely fall short in terms of providing detail which can be easily mapped to a
Security Model and do not provide the level of detail needed for specific product configurations. For
that reason, the methodology and design have to make a number of key organisational and design
assumptions before a methodology can be considered:
- The existing legislative landscape for police information is complex and is currently considered
as part of the Code of Practice for the Management of Police Information (MoPI).

- The General Data Protection Regulation (GDPR) and the Law Enforcement Directive 2016/680
(or their equivalents post Brexit) will apply to the processing of personal data by the police
with the scope of the GDPR focused on personnel records and non-policing activities.

- Under GDPR and regulation 2016/680, the police, alongside all other organisations processing
personal data will need to comply with a new suite of requirements which in turn will require
a good understanding of data flows within and across systems and effective data management
with the ability to demonstrate compliance with the regulatory requirements.

- The GDPR introduces new, and enhances existing privacy obligations, such as the requirement
to report all data breaches to the regulatory authority (the Information Commissioner’s Office
in the UK) and the obligation to implement ‘privacy by design’ to ensure that privacy is built
into systems and processes from the beginning. (Information Commissioners Office, 2017)
These obligations, combined with the increased penalties for non-compliance bring the
management and use of personal data to the forefront of requirements when considering
how data is processed and managed within police forces across the UK.

- It should be understood that personal data is defined in the GDPR as “any information relating
to an identified or identifiable natural person (‘data subject’); an identifiable natural person is
one who can be identified, directly or indirectly, in particular by reference to an identifier such
as a name, an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person”. (European Union, 2016)

In order to develop necessary and proportionate security controls as an output from the methodology
in practice, and as a foundation for the delivery of ‘security by design’, a number of both local and national
assumptions need to be identified. The list below outlines these key organisational assumptions.
An overarching assumption this paper accepts is the hugely complex position of legislation and
policy that exists in the UK. This position is nevertheless fundamental to the basis on which
cyber-risk management and security controls are developed and subsequently implemented.
Therefore, there is a critical dependency for any security control suggested for policing on the
following policy being in place:
National Policing:
- Appropriate national policies are in place, or are recognised as a requirement, which can be applied
to each police force and set direction for information asset management and security. This
could include, but is not limited to:
o User Authentication
o Data Retention and Acceptable Use policies

- Effective policies such as those mentioned above are required to support the secure
implementation and subsequent management of SaaS. Without these policies and key
guidelines (such as requirements for setting secure passwords, the retention of sensitive data
types in o365 formats and mobile device protection) the confidentiality, integrity and
availability of police information assets could be threatened. Reasonable assumptions are
therefore needed in order to develop appropriate security controls where there are existing
policy gaps. The policy gaps, and the implications arising from them, will be revisited later in
the dissertation.
Local Police Force:
- That there are mature governance practices in place to identify information assets and record
relevant information in an asset register.
- That there is adherence to the HMG Security Policy Framework and any subordinate
documentation.
The rapid evolution of cyber-related threats means that no single set of people, process or technology
scenarios, or any single control, will remain effective indefinitely. Therefore any methodology or process
must be able to meet business as usual or business operational requirements as required.
- Police forces, in conjunction with national policing units and partners, will be required to
review the risk landscape regularly and analyse the security controls to assess their robustness in
mitigating threats.
- It is assumed that information no higher than a classification of Official-Sensitive (Cabinet
Office, 2014) will be hosted in SaaS.
It is critical that policing does not attempt to write all the required policy and legislation based on group
perception or individual perception of the policing cyber-landscape.

Figure 3.4: Policy Pyramid
The above Policy Pyramid in figure 3.4 represents the foundation of the proposed approach to how
security controls within the proposed Security Model are identified. All controls are aligned with
current national and supranational legislation. UK government policy (such as GSC) is the second layer
that each control must be consistent with. In the absence of explicit guidance from these sources
further clarification has been sought from local policing policy, NCSC (National Cyber Security Centre)
recommendations or guidance, other government departments such as GDS (Government Digital
Services) and finally commercial best practice. This approach ensures a secure foundation that is
consistent as far as possible with existing legislation and policy, recognising that there are gaps that
will be filled by the use of other sources of information or industry best practice if appropriate.
The levels of maturity of government policy and the need for amendments relating to changes in
technology or changes in wider government policy present a risk which will be discussed further
throughout this paper.

3.1.5 Confidentiality, Integrity, Availability (CIA)


Confidentiality, Integrity, Availability (CIA) (International Organization for Standardization, 2011) is
an industry standard that has long been a core element of information security principles and approach,
and is a key consideration when defining a cyber-risk management methodology that can be used by
national Policing. This information security principle works by providing a triad of information
security properties that contribute to an overall approach to cyber-risk management.
CIA and information security are only a part of the wider landscape of cyber-security, and hence the
intention within a cyber-risk management methodology is to build a comprehensive foundation with
CIA at the heart of its delivery.
The application of CIA principles in the proposed methodology presents a core element for assessing risk
as well as providing an industry recognised best practice approach. The triad covers protecting data and
information, ensuring that information is accurate and has not been exposed to tampering, and ensuring that
the systems and applications supporting confidentiality and integrity are available for use. This is supported by
industry, where explanations are: “Preservation of confidentiality interpreted as a limited access to
information, integrity as the assurance that the information is trustworthy and accurate, and
availability as a guarantee of reliable access to the information by authorized people are three most
crucial components of cloud computing.” (Tchernykha, 2016) However, this leads to a link to the culture
of an organisation and its ability to think and make decisions based on a position of fact, and not one
based on fulfilling the ultimate intended goal of achieving a completely risk free solution of
Confidentiality, Integrity and Availability. So the cultural boundaries of ‘necessary’ and ‘proportionate’
are key when undertaking any activity in relation to technical architecture and wider cyber-risk
management.
The principle of CIA can play a key role in defining a necessary and proportionate approach to ensuring
that cyber-risk management is implemented in a proportionate way.

3.1.6 People Process Technology


Technology is becoming more complex and the technical architectures being considered are now
introducing cloud connected services. SaaS is therefore a technology provision that organisations
consider to be normal practice, but this presents new risks that must be identified and understood
before security controls and risk mitigation can be considered.
If cloud computing presents new technical architecture challenges, consideration must also be given to
the data and information risks associated with the loss of the traditional boundary perimeters.
After all, it would be almost impossible to undertake a cyber-risk management
assessment of the Internet. Compounding the complexity facing policing is the withdrawal of
structured risk management processes for government agencies including the police. NCSC and CESG
are now promoting a focus on the required outcomes and are offering guidance on
the retirement of process based cyber-risk management including IS1 and IS2 (NCSC, 2016).
This is particularly relevant when considering the link between people, process and technology and
the resulting risks associated with the organisational outcomes. There are likely to be further
complications associated with boundaries of delineation within an organisation, before the added
complexity of services which are accessed via the Internet. These decisions clearly present a new risk
to policing, and therefore the approach taken by NCSC could be perceived to present increased risk to
policing.
So if the additional risks are perceived to exist, how can policing start to understand the impacts that
people, process and technology have on the end to end consumption of cloud based services such as
o365? The services and outcomes used by thousands of end users must be safe for policing, and there
must be sufficient cyber-risk management process to give assurance that CIA is met, as well as ensuring
that legislative requirements are also considered from the outset. It is therefore essential that policing
from the outset considers how to reduce risk by concentrating on people, process and technology
collectively, accepting that all three areas are intrinsically linked (COTENESCU, 2016, p. 394).
There have been a number of high profile cyber-events in the past year, with ransomware featuring as the
popular malware attack for the cyber-adversary. However, the resulting effect of malware being
successfully delivered is usually via a person not following process and therefore introducing a risk to
the organisation. This is specifically relevant in policing, with operational officers often working under
significant time pressures relating to the PACE clock (Legislation.gov.uk, 1984). This time pressure makes
the utilisation of technology extremely important, as well as the use of the Police National Decision
Making Model.
Therefore if policing can apply the above model to everyday operational policing, the same principles
should be applied to the management of cyber-related risk. As people and process utilise
technology we must accept that people will be the weakest link, and it is likely that any major cyber-
event will be linked to an individual not following process. This point is made clearly where “Users who
have access to the data are often the root cause of the data loss. Employees opening an email which
launches malicious code, data on a lost thumb drive, sending confidential data via email, or innocently
connecting to a malicious website all demonstrate that the human element is a major factor in the
data loss problem and must first be controlled before the technology can make a difference”
(COTENESCU, 2016, p. 394).
The challenges associated with identifying cyber-related risk and the link with people, process and
technology will be discussed further when considering the wider outputs from a risk methodology for
national policing, but the success of developing People, Process and Technology into a single delivery
will be dependent on the development of change in the cultural approach to ‘Cyber-Risk Management’.

3.1.7 Cyber-Risk Management Methodology


Standards have been available to assist in providing structure to the development of holistic risk
management systems for some time. Policing has had several risk management systems developed
for local needs but the development of national systems has been slow. The gap resulted in each
national programme implementing a process it thought would allow their intended delivery only
resulting in a silo approach. Locally the interpretation was again determined by the presence of
unknowns and therefore no consistency.

The proposal outlined provides a base management standard drawn from existing published international
standards, providing legitimacy and assurance to the proposed cyber-risk management methodology
implementation. The ISO 27000 family of standards provides this legitimacy, and in particular ISO 27005
provides a methodology that could form the base for the proposal. The core requirements
considered are:

- The strategic value of the business information process
- The criticality of the information assets involved
- Threats to assets and business information processes
- Legal and regulatory requirements, and contractual obligations
- Operational and business importance of confidentiality, integrity and availability
- Stakeholders’ expectations and perceptions, and negative consequences for reputation
- Risk treatment prioritisation
The risk standard therefore is pivotal to the process of defining a methodology for national policing,
whilst ensuring that we maintain the core principle of necessary and proportionate risk mitigation.
This structure will also provide the foundation for the principle of ‘Security by Design’ being adopted
by technical architects as well as starting to define the requirement to provide a credible security
architect role within the technical design process. This in turn allows the architect role to define the
level of control based on process and not individual perception. Graphically the proposed role of risk
management is defined in the diagram on the following page along with governance roles shown in
blue boxes. This diagram depicts the core elements in my proposal of a cyber-risk management
methodology. The success of this proposal is the integration of core police governance with the core
elements of cyber-risk management. The success of the cyber-risk management methodology is
represented in the proportionate development of the methodology outputs.

Figure 3.5: Proposed cyber-risk management methodology
Figure 3.5 above outlines the product outputs the methodology will produce, as well as the key
stakeholders involved in the process, which aligns to the governance structure discussed earlier in the
‘Background’ section of this paper.

The below provides an overview of the phases involved in the risk management and accreditation
methodology depicted above:

Scope:
The first stage of the risk management and accreditation process is to define the project
scope. The aim of this phase is to:
- Understand the environment that is to be assured
- Agree definitions of security and accreditation and improve and ensure a collective
understanding of these terms across the programme
- Define the security and accreditation mission, methodology and outputs
- Agree, define and enforce security operations for the programme

The scoping activities will consider the local police force’s current security and accreditation status
including missions and values, governance, structure and strategy, legislative and regulatory
requirements, and constraints affecting the police force. Once this has been established, the
mission and key principles of cyber-risk management will be defined. This will allow a baseline to
be established, resulting in identifiable deliverables.

The scoping phase will rely on engagement with identified stakeholders and the cyber-risk
management methodology to understand the scope of the work. Gathering information around the
“current state” of cyber awareness will rely on the use of questionnaires (Appendix 1 & 2) and a cyber-
maturity assessment tool during the implementation stage to gather input from local police forces, to
gain their contribution and develop the required outputs. Definitions and mission statements for
cyber-risk management will be shared with Local SIROs and NPIRMT to ensure a common
understanding is adopted.

The documents and additional outputs below will be produced as part of this cyber-risk management
process:
- Discovery questionnaires
- Cyber-capability assessment

The below RACI matrix shows who is responsible, accountable, consulted and informed for each
activity in this ‘scoping’ phase.

| Process | Activity | R | A/Sign-off | C | I |
|---|---|---|---|---|---|
| Scope | Develop discovery questionnaire | Security & Risk Management Team | Programme Leadership | - | NPTC |
| Scope | Populate discovery questionnaire | Local Police Forces | Programme Leadership | Security & Risk Management Team | - |
| Scope | Workshops with NPIRMT and NPTC | Security & Risk Management Team | Programme Leadership | NPIRMT, NPTC | - |
| Scope | Cyber Capability Assessment | Local Police Forces | Programme Leadership | Security & Risk Management Team | NPIRMT, NSIRO |

(National Enabling Programme Security Risk Management, 2017)

Asset:
The second stage of the process involves the identification of policing critical assets so that these can
be prioritised and effectively protected. To do this, a Business Impact Assessment will be completed
which has two phases. Firstly, assets will be identified from business processes and appropriately
classified using GSC (Cabinet Office, 2014). Secondly, the assets will be valued according to their
criticality for fulfilling business objectives and business functions. The process of valuation will
consider:

- The replacement value of the asset
- The business consequences or effect of loss or compromise of the asset. This does not have to
be monetary; in policing terms it could be a loss of life or reputational damage

This exercise will be integral to effectively assessing the cost proportionality of security controls and
help to prioritise how agreed controls are delivered. It is therefore a critical activity in enforcing
necessary and proportionate security controls.

A high level asset identification and valuation exercise will be undertaken identifying assets and
scoring them in a range of 1-5 based on the criticality of preserving confidentiality, integrity and
availability.
Figure 3.6 below shows an example Asset Valuation Table to be used to assess the value and relative
criticality of assets.

| Score | Confidentiality (C) | Integrity (I) | Availability (A) |
|---|---|---|---|
| 1 | The confidentiality of the asset is of limited to no importance. The confidentiality of the asset need not be secured. | The integrity of the asset is of limited to no importance. The integrity of the asset need not be secured. | The availability of the asset is of limited to no importance. The availability of the asset need not be secured. |
| 2 | The confidentiality of the asset is of low importance. Minor consideration should be made to securing the confidentiality of the asset. | The integrity of the asset is of low importance. Minor consideration should be made to securing the integrity of the asset. | The availability of the asset is of low importance. Minor consideration should be made to securing the availability of the asset. |
| 3 | The confidentiality of the asset is of moderate importance. Some consideration should be made to securing the confidentiality of the asset. | The integrity of the asset is of moderate importance. Some consideration should be made to securing the integrity of the asset. | The availability of the asset is of moderate importance. Some consideration should be made to securing the availability of the asset. |
| 4 | The confidentiality of the asset is of high importance. Asset must stay secure and confidential at all times with few exceptions permitted. | The integrity of the asset is of high importance. Asset must never be altered in any unintended way with few exceptions permitted. | The availability of the asset is of high importance. Asset must always be available as intended with few exceptions permitted. |
| 5 | The confidentiality of the asset is of critical importance. Asset must stay secure and confidential at all times. | The integrity of the asset is of critical importance. Asset must never be altered in any unintended way. | The availability of the asset is of critical importance. Asset must always be available as intended. |

Figure 3.6 (Information Risk Assessment Methodology 2, 2014)

This will assist the delivery to conceptualise their initial security considerations. In the security by
design phase a full Business Impact Assessment will be delivered consisting of two phases. Firstly,
assets will be identified from business processes and appropriately classified. Secondly, the assets will
be valued according to their criticality for fulfilling business objectives and business functions.
The output of the above will be quantified using Business Impact Reference Tables (BIRTs) (NCSC,
2016), which will allow asset impact to be assessed based on how a breach of the Information Security
Triad (CIA) could affect a number of criteria such as financial, reputation, operations and compliance.
This exercise will be integral to effectively assessing the cost proportionality of security controls and
will help to prioritise how agreed controls will be delivered.
Figure 3.7 below is an example BIRT:

Figure 3.7 (Information Risk Assessment Methodology 2, 2014)

The BIA will be conducted through workshops consisting of scenario based questions with
representatives and consumers of the services and solutions. The involvement of key business
stakeholders (traditionally asset owners and information asset owners) will be critical to the success
of the BIA.

The NPIRMT will develop the Business Impact Assessment (BIA) methodology and Business Impact
Reference tables (BIRTS) with outputs influenced by security working groups. Once this is complete it
will be the responsibility of the cyber-risk management team to facilitate the BIA process including
arrangement of workshops, collation of outputs and reporting. In line with industry good practice, the
approach will not assess the criticality of assets as this will remain the responsibility of the asset owner,
custodian or other appropriate designated business representative.
It will be the responsibility of the Security Working Group to validate the process and findings of the BIA,
recognising that all processes are continually assessed and therefore progress should not be slowed
due to process evaluation or change. Providing these responsibilities have been met, the cyber-risk
management team will remain accountable for the BIA deliverables. The document sign off process
will follow the IMORCC Governance Structure outlined earlier in the ‘Background’ section of this paper.
As a key deliverable, the Business Impact Assessment Report will be signed off by the Security Working
Group, NPIRMT and the Solution Design Authority.
The documents and outputs below will be produced as part of this ‘Asset’ phase:
- High level Asset Identification and Valuation Exercise, including asset register
- Business Impact Assessment Framework, including methodology, BIRTs and output format
- Business Impact Assessment Report, including analysis and scoring

The below RACI matrix shows who is responsible, accountable, consulted and informed for each
activity in this accreditation phase.

| Process | Activity | R | A/Sign-off | C | I |
|---|---|---|---|---|---|
| Asset | High level asset identification, classification and valuation exercise | Security & Risk Management Team | Programme Leadership | NPTC | Project Teams |
| Asset | Define the BIA framework | NPTC, Security & Risk Management Team | Programme Leadership | Project teams | - |
| Asset | BIA workshops | Security & Risk Management Team, NPTC | Programme Leadership | NPIRMT; Asset owners/custodians; Key business stakeholders | - |
| Asset | Produce BIA for each workstream | Security & Risk Management Team, NPTC | Programme Leadership | NPTC, NPIRMT | - |

(National Enabling Programme Security Risk Management, 2017)

Threat:
This phase will look to identify and prioritise the relevant threats to the environment being assessed
and determine how harm to that environment could materialise. Within this section of delivery, a
threat can be defined as “a potential cause of an unwanted incident, which may result in harm to a
system or organisation.” (IT Governance Ltd, 2013) A set of threat attributes including capability,
motivation and opportunity will be evaluated when assessing threats.

A formal threat assessment has already been conducted by NPIRMT at a national level and agreed by
the Police Information Assurance Board (PIAB). The approach to threat assessment will therefore become
a contextualisation and validation exercise to leverage the work already completed. During this
exercise the threat landscape will be reverse engineered to look at the threat actors and threat vectors
already defined. This will involve a review of the capability, motivation and opportunity for attacks.
Each actor and vector will be assessed as to whether the threat remains valid, and as to whether the
threat is relevant given the specific scope of the programme or project.
Figure 3.8 below shows grouped examples of common threats. “The following list indicates for each
threat type where D (deliberate), A (accidental), E (environmental) is relevant. D is used for all
deliberate actions aimed at information assets, A is used for all human actions that can accidentally
damage information assets, and E is used for all incidents that are not based on human actions. The
groups of threats are not in priority order” (International Organization for Standardization, 2011, p.
48)

| Type | Threats | Origin |
|---|---|---|
| Physical damage | Fire | A, D, E |
| Physical damage | Water damage | A, D, E |
| Physical damage | Pollution | A, D, E |
| Physical damage | Major accident | A, D, E |
| Physical damage | Destruction of equipment or media | A, D, E |
| Physical damage | Dust, corrosion, freezing | A, D, E |
| Natural events | Climatic phenomenon | E |
| Natural events | Seismic phenomenon | E |
| Natural events | Volcanic phenomenon | E |
| Natural events | Meteorological phenomenon | E |
| Natural events | Flood | E |
| Loss of essential services | Failure of air-conditioning or water supply system | A, D |
| Loss of essential services | Loss of power supply | A, D, E |
| Loss of essential services | Failure of telecommunication equipment | A, D |
| Disturbance due to radiation | Electromagnetic radiation | A, D, E |
| Disturbance due to radiation | Thermal radiation | A, D, E |
| Disturbance due to radiation | Electromagnetic pulses | A, D, E |
| Compromise of information | Interception of compromising interference signals | D |
| Compromise of information | Remote spying | D |
| Compromise of information | Eavesdropping | D |
| Compromise of information | Theft of media or documents | D |
| Compromise of information | Theft of equipment | D |
| Compromise of information | Retrieval of recycled or discarded media | D |
| Compromise of information | Disclosure | A, D |
| Compromise of information | Data from untrustworthy sources | A, D |
| Compromise of information | Tampering with hardware | D |
| Compromise of information | Tampering with software | A, D |
| Compromise of information | Position detection | D |
| Compromise of information | Insider threat | D |

Figure 3.8 (International Organization for Standardization, 2011, p. 48)

The documents/outputs below will be produced as part of this accreditation phase:
- Threat Report
The below RACI matrix shows who is responsible, accountable, consulted and informed for each
activity in the threat phase.

| Process | Activity | R | A/Sign-off | C | I |
|---|---|---|---|---|---|
| Threat | Provide national threat landscape materials | NPIRMT | Programme Leadership | - | - |
| Threat | Workshops to validate and contextualise the threat model | Security & Risk Management Team | Programme Leadership | - | NPTC, NPIRMT |
| Threat | Threat Report | Security & Risk Management Team | Programme Leadership | NPTC, NPIRMT | - |

(National Enabling Programme Security Risk Management, 2017)

Inherent Risk:
Inherent Risk is the risk to the organisation at the point where no security controls or other mitigating
factors are in place; it is the gross risk, or risk status, before security controls are applied (Sewall,
2009). However, it should be noted that risk cannot be removed completely. The inherent risks identified
are those which the proposed methodology will mitigate, with continued assessment and
re-evaluation of the risks throughout changes to the provision of cyber solutions. This therefore
emphasises the need for continuous re-examination of the risks as technology changes or develops.

The purpose of this phase is to identify security risks to delivery so that these can be understood and
effectively managed through the development of necessary and proportionate security controls
within the security by design / security model stage of technical architecture development. This will
also ensure that any security control applied is in line with the agreed risk appetite and proportionate
in its implementation.

Once the BIA and the Threat Validation and Contextualisation exercise are complete, the outputs will be used
to produce an Inherent Risk Assessment (IRA). The IRA will combine the likelihood of a threat with the
impact of a breach, and the results will be used to develop a Risk Matrix. This, combined with the risk appetite,
will then become the foundation of the Security Model: a holistic framework of security controls
mapped against, and proportionate to, the identified risks.
The documented outputs below will be produced as part of the Inherent Risk phase:
- Inherent Risk Assessment (IRA)
- Risk Matrix
The below RACI matrix shows who is responsible, accountable, consulted and informed for each
activity in this accreditation phase.

| Process | Activity | R | A/Sign-off | C | I |
|---|---|---|---|---|---|
| Inherent Risk | Conduct IRA and produce report | Security & Risk Management Team | Programme Leadership | NPTC, NPIRMT | - |
| Inherent Risk | Develop Risk Matrix | Security & Risk Management Team | NPTC, NPIRMT, Programme Leadership | - | - |

(National Enabling Programme Security Risk Management, 2017)

Risk Appetite:
The risk appetite for policing is something many police chief officers are reluctant to discuss, the
default position being that of ‘Averse’. This is a generic binary position, and whilst ‘averse’ is fair, there
are differing states of averse, with senior executives choosing to make differing assumptions in relation
to this position. Risk is taken by everyone in every part of life; however, the language used creates a
position that indicates no risk is taken. This is not the case, and the methodology proposed addresses
this.

Policing is a public service and decisions taken on a daily basis must be proportionate and necessary.
However as already discussed there is a lack of understanding and knowledge in the complex structure
of cyber risk. This results in a position where executives are reluctant to discuss the risk position for
fear of criticism or fear of the consequence. This position supports the need for this proposed
methodology which will provide a process to support a necessary and proportionate cyber-risk
management.

However to help with a more comprehensive understanding the risk appetite can be defined as
follows:

“The amount and type of risk that an organisation is willing to pursue or retain” (ISO, 2017)

An organisation’s overall risk appetite is typically determined at the governing body or executive
management level and involves:

- Determining which risk categories, or types of risk, could affect the achievement of the
organisation’s objectives
- Identifying the organisation’s risk appetite for each category of risk, expressed as the
maximum acceptable combination of likelihood and impact, which is determined in the earlier
Asset part of the process where a Business Impact Assessment is undertaken.

In relation to national policing, the risk appetite is defined by the National Senior Information Risk
Owner NSIRO who considers the outputs from the Asset and Threat phases of the risk assessment.

Risk appetite is defined at a national level; however, this will need to be contextualised if it is to be
useful for informing programme risk management. The national risk appetite will be broken down into
a number of programme risk statements which can be directly referenced by cyber-risk managers and
governance forums, in particular the Solution Design Authority and Security Working Group, in making
risk management decisions. Inversely, cyber-risk management decisions taken throughout any
programme will help to reaffirm or reshape the national risk appetite, accepting that cyber-risk
management is continuously changing in line with technology innovation and the threat landscape
changing from changes in adversary behaviour (Cook, 2017). This is further supported by identifying
that risk assessments are not static and need to be a repeatable process (Zhang, 2010, p. 1332).

The below RACI matrix shows who is responsible, accountable, consulted and informed for each
activity in this accreditation phase.

| Process | Activity | R | A/Sign-off | C | I |
|---|---|---|---|---|---|
| Risk Appetite | Provide national risk appetite materials | NPIRMT | Programme Leadership | NPTC, Security & Risk Management Team | - |
| Risk Appetite | Produce Programme Risk Appetite Statements | Security & Risk Management Team | Programme Leadership | NPIRMT, NPTC, Project teams | - |

(National Enabling Programme Security Risk Management, 2017)

Risk Management Options:


This phase relates to the decisions that national delivery programmes make in relation to the
management of cyber risks. Cyber-risk managers have four management options:

- Mitigate the risk by applying security controls taken from government guidance, industry best
practice, SME experience, candidate control sets, compliance control requirements, and the
experience and knowledge of practitioners.
- Transfer the risk to another party e.g. transfer the service to a vendor who assumes
responsibility for the risk under a Service Level Agreement (SLA).
- Avoid the risk by stopping a planned activity or functionality.
- Accept the risk if it is in line with risk appetite, or if the cost of mitigation is disproportionate,
deeming the security control not to be necessary and proportionate.

The management option selected will depend on the severity of the risk and the risk appetite of each
programme and will be aligned to the stated Programme Risk Appetite Statements. This is supported
with similar outputs within (Albakri, 2014, p. 2121)
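As an added worked example (written for this edit, not taken from the dissertation or from the NPIRMT methodology it describes), the following Python sketch ties the Asset, Threat, Inherent Risk and Risk Management Options phases together: assets are scored on the 1-5 CIA scale of Figure 3.6, threats carry the D/A/E origin flags of Figure 3.8, inherent risk is likelihood × impact on a 5×5 matrix, and one of the four treatment options is chosen against a Programme Risk Appetite Statement ceiling. The likelihood scale, the Low/Medium/High banding, the precedence given to the four options, and all asset and threat data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

CIA_SCALE = range(1, 6)  # Figure 3.6: 1 = limited/no importance ... 5 = critical importance


class Treatment(Enum):
    """The four risk management options named in the methodology."""
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    AVOID = "avoid"
    ACCEPT = "accept"


@dataclass(frozen=True)
class Asset:
    name: str
    c: int                  # Figure 3.6 confidentiality score
    i: int                  # Figure 3.6 integrity score
    a: int                  # Figure 3.6 availability score
    replacement_value: int  # constructed, arbitrary cost units

    def __post_init__(self) -> None:
        # Reject scores outside the 1-5 valuation scale when the asset is registered.
        for score in (self.c, self.i, self.a):
            if score not in CIA_SCALE:
                raise ValueError(f"CIA score {score} is outside the 1-5 scale")


@dataclass(frozen=True)
class Threat:
    name: str
    origins: str        # Figure 3.8 flags, e.g. "A, D, E"
    likelihood: int     # 1-5; this scale is an assumption, not from the page
    targets: tuple      # CIA properties the threat harms, e.g. ("c", "i")


def impact(asset: Asset, threat: Threat) -> int:
    """Impact is the highest Figure 3.6 score among the properties the threat harms."""
    return max(getattr(asset, prop) for prop in threat.targets)


def inherent_risk(asset: Asset, threat: Threat) -> int:
    """Gross risk before any control: likelihood x impact on a 5x5 matrix (1..25)."""
    return threat.likelihood * impact(asset, threat)


def band(score: int) -> str:
    """Assumed Low/Medium/High banding; the dissertation does not fix thresholds."""
    if score >= 15:
        return "High"
    return "Medium" if score >= 8 else "Low"


def residual_risk(asset: Asset, threat: Threat, likelihood_reduction: int) -> int:
    """Risk left after a control that lowers likelihood by some steps (floor 1)."""
    return max(1, threat.likelihood - likelihood_reduction) * impact(asset, threat)


def select_treatment(asset: Asset, threat: Threat, appetite_max: int, *,
                     mitigation_cost: Optional[int] = None,
                     sla_vendor: Optional[str] = None,
                     activity_optional: bool = False) -> Treatment:
    """Apply the four options in an assumed order of precedence.

    appetite_max is the Programme Risk Appetite Statement ceiling. Accept within
    appetite, or when the only control costs more than the asset is worth and the
    risk is not High (either acceptance still needs SDA/SWG approval); otherwise
    transfer if a vendor carries it under SLA, avoid if the activity is optional
    and the risk is High, else mitigate with a control.
    """
    score = inherent_risk(asset, threat)
    if score <= appetite_max:
        return Treatment.ACCEPT
    if (mitigation_cost is not None and mitigation_cost > asset.replacement_value
            and band(score) != "High"):
        return Treatment.ACCEPT
    if sla_vendor is not None:
        return Treatment.TRANSFER
    if activity_optional and band(score) == "High":
        return Treatment.AVOID
    return Treatment.MITIGATE


def risk_matrix(assets, threats):
    """Inherent Risk Assessment register as (score, band, asset, threat), highest first."""
    rows = [(inherent_risk(a, t), band(inherent_risk(a, t)), a.name, t.name)
            for a in assets for t in threats]
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Constructed sample data: not real police assets or a real threat assessment.
CUSTODY = Asset("Custody records (o365 SharePoint)", c=4, i=5, a=3, replacement_value=50)
NOTICES = Asset("Public web notices", c=1, i=3, a=2, replacement_value=5)
THEFT = Threat("Theft of media or documents", "D", likelihood=3, targets=("c",))
POWER = Threat("Loss of power supply", "A, D, E", likelihood=2, targets=("a",))
TAMPER = Threat("Tampering with software", "A, D", likelihood=2, targets=("i",))
APPETITE_MAX = 6  # assumed programme ceiling on the 5x5 matrix

if __name__ == "__main__":
    for score, level, asset, threat in risk_matrix([CUSTODY, NOTICES], [THEFT, POWER, TAMPER]):
        print(f"{score:2d} {level:6s} {asset} / {threat}")
    print(select_treatment(CUSTODY, THEFT, APPETITE_MAX).value)   # mitigate
    print(residual_risk(CUSTODY, THEFT, likelihood_reduction=2))  # 4
```

Running the script prints the register with the highest inherent risk first, which is the ordering the Security Model would use to prioritise control design. The `residual_risk` function gives the figure that remains after a control reduces likelihood; in the methodology that residual value, not the inherent one, is what the Solution Design Authority and Security Working Group would be asked to accept.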

The Risk Matrix created from the Inherent Risk Assessment will form the foundation of cyber-risk
management by becoming the foundation of the Security Model (discussed earlier and linked to
security by design) produced as the foundation to the technical design. Within the Security Model the
selected management option will be recorded against each risk. In the case of risk mitigation,
necessary and proportionate security controls will be mapped against the risks in line with the
Programme Risk Appetite Statements. The development of security controls will incorporate:
- Government guidance (e.g. NCSC, GPG13 (now retired but deemed good practice))
- Industry best practice
- SME experience (the knowledge and experience of our information security SMEs)
- Candidate control sets (such as the NPIRMT candidate control sets)
- Compliance control requirements (a policy and legal review will be carried out to understand
if there are specific controls that must be in place to comply with local policy and the law)

Delivery and effectiveness of these controls will be recorded in the model on an iterative basis with
details of how each of the controls will be assured and how often.

Figure 3.9
Figure 3.9 above shows how the management of controls integrates with the development of the
technical design. Because the technical design of a SaaS provision is continuously evolving, this
process will be updated in line with every technical change; this is a key change to current
practice, requiring technical design and cyber-security risk management to work closely together.
It should also be noted that a technical architecture applying security by design may need to apply
multiple controls to mitigate a single identified risk.

This work will be managed on a Business as Usual (BAU) basis by the cyber-risk management team,
who will be responsible and accountable for the production of outputs. The cyber-risk management
team will be embedded within the project teams and will design the security controls and ensure that
these are embedded within low level designs as well as recorded in the Security Model. Particular
attention will be given to controls where:
- The control involves significant spend
- The control (or lack of it) may have a significant business impact
- The control has a significant impact on intentional architecture

If a management decision is taken to accept a risk outright, or to accept the residual risk remaining
after a control is applied, this must be approved by the Solution Design Authority and the Security
Working Group with the Police National Information Accreditor present. Risks above a certain
threshold will be escalated for approval as per the IMORCC Governance Structure. For complex risk
mitigations, cyber-risk management plans will be developed with mitigation actions, timelines for
completion and assurance activities.

NPIRMT will be responsible and accountable for active participation in workshops and for providing
timely review of and feedback on the Security Model and other low level control designs. Security
controls affecting local police forces will be discussed in the Solution Design Authority and the
NPTC Security Working Group. Once agreed, these will be added to the Governance Information Risk
Return (GIRR) by NPIRMT. NPTC will be responsible for facilitating stakeholder coordination
throughout the process. This includes working with local police forces in the NPTC Solution Design
Authority to help them understand any proposed changes to the GIRR, and reporting any issues back
to the Security Working Group.

As an iterative "living" document, the Security Model will change regularly during the Low Level
Design and Build phases and will need to be maintained once the solutions are deployed and running
in live service. For the purposes of accreditation the relevant controls will be integrated into the
detailed design documents of each workstream, and a point-in-time snapshot of the Security Model
will be provided to the accreditor at the time of accreditation. Following the IMORCC Governance
Structure, the detailed design documents and the Security Model will be approved by the Security
Working Group and the Solution Design Authority.
The documents/outputs below will be produced as part of this accreditation phase:
- Low Level Designs
- Security Model
- Risk Management Plans
- Candidate Control Set Validation (Excel spreadsheet)
- Compliance and Policy review (Excel spreadsheet)

The below RACI matrix shows who is responsible, accountable, consulted and informed for each
activity in this accreditation phase.

Process | Activity | R | A/Sign-off | C | I
Management Options | Produce and manage Security Model (threats/risks/controls) | Security & Risk Management Team | Programme Leadership Team | NPTC, NPIRMT | Project Teams
Management Options | Develop low level designs | Project Teams | Programme Leadership Team | NPTC, NPIRMT | Security and Accreditation
Management Options | Develop and manage Risk Management Plans | Security & Risk Management Team | Programme Leadership Team | NPTC, NPIRMT | -
Management Options | Complete candidate control set validation exercise | Security & Risk Management Team, Project Teams | Programme Leadership Team | NPTC, NPIRMT | -
Management Options | Complete compliance and policy review | TBC | Programme Leadership Team | NPTC, NPIRMT | -
(National Enabling Programme Security Risk Management, 2017)

The application of management controls within the design process will determine the success of
'Security by Design' and of adherence to the NCSC core principles (NCSC, 2016). The development of
management options will determine the success of the technology implementations, but more
importantly it brings together the earlier elements of the proposed 'Cyber Risk Management'
methodology. By leveraging each element of the proposed risk process, delivery will propose
management options that contribute to the implementation of technical solutions on the basis of
formal, necessary and proportionate risk management rather than mere perception of cyber risk,
offering new and improved ways of delivering business process to operational policing.

Residual Risk:
This phase involves an update or re-iteration of the risk assessment taking into account the expected
effects of the proposed risk treatments which in this case is the security control applied to the
technical design. The residual risk is the remaining risk once the security control has been applied.

Once the management options are defined, residual risk will need to be calculated, recorded and
reported. This will be updated regularly as the status of the security controls changes. Similarly,
the risk assessment process will be repeated to reflect any major change in impact or threat, and the
Security Model adjusted accordingly. Residual risk will be reported regularly through Management
Information generated automatically within the Security Model from the core data recorded in the
previous steps. Should the residual risk not meet the programme's risk acceptance criteria, a further
iteration of risk treatment may be necessary before proceeding to risk acceptance; alternatively, the
risk may need to be escalated for acceptance via the IMORCC Governance Structure.

The work will be led by the cyber-risk management team, which is responsible and accountable for
the production of Management Information reporting. Residual risks will be discussed regularly
within the Security Working Group; where no further mitigation is appropriate, risks within the risk
appetite will be considered for acceptance by NPIRMT, and risks outside it escalated as appropriate.
NPIRMT and NPTC will be responsible for active review of the Management Information reporting
through the IMORCC Governance Structure. Management Information reporting requires no formal
approval; however, the residual risk ratings remain part of the Security Model, of which a snapshot
will be taken and approved at the point of accreditation.
The documents below will be produced as part of residual risk phase:
- Residual risk MI reporting

The RACI matrix below shows who is responsible, accountable, consulted and informed for each
activity in the residual risk phase.

Process | Activity | R | A/Sign-off | C | I
Residual Risk | Residual risk calculations | Security & Risk Management Team | NPIRMT | NPTC | -
Residual Risk | Residual risk MI reporting | Security & Risk Management Team | - | - | NPTC, NPIRMT, Programme Leadership
(National Enabling Programme Security Risk Management, 2017)

Ensuring Assurance Remains Current:


Policing must recognise that technology innovation is evergreen and therefore risks are not static.
Many organisations lose sight of this and assume that once a control is implemented the task is
complete. Risks and their factors (i.e. value of assets, impacts, threats and vulnerabilities) must be
monitored and reviewed to identify any changes and to maintain complete risk awareness of the
environment being managed. Regular monitoring of the policing environment is therefore critical to
detect change and to ensure that cyber-risk management is maintained. The risk assessment process
should be repeated in any of the following circumstances:
- Where asset values have changed
- Where new threats are identified
- Where new vulnerabilities are identified
- Where the business impact of asset compromise has changed
- Where the cost of a control changes
- Any other factor affecting the risk calculation

New threats, vulnerabilities or changes in likelihood or consequences can increase risks previously
assessed as low. Factors that affect the likelihood and consequences of threats occurring could change,
as could factors that affect the suitability or cost of the various treatment options. Major changes
affecting policing should be reason for a more specific review in relation to that specific change.
Therefore, the risk monitoring activities should be regularly repeated and the selected options for risk
treatment should be reviewed periodically.
It is critical to accept that 'cyber-risk management' will have both local and national delivery
requirements. However, in delivering a 'BluePrint' design for national consumption of the service, a
large proportion of the Cyber-Risk Management Methodology assessment will be undertaken
centrally to reduce cost and duplication. This also supports a central understanding of the risks
associated with the use of cloud services, in this case O365.

4.0 IMPLEMENTATION OF CYBER-RISK MANAGEMENT IN POLICING
The cyber-risk management baseline is essential for national policing to identify police force
readiness through a common model of the maturity states across national policing. This required a
two-phase approach:
- Force pre-engagement questionnaire
- Force cyber-security assessment undertaken as part of the Security Model implementation

This approach is supported by a recent Network Security article (Aminzade, 2018), where
understanding the current posture of the organisation is identified as the foundation for any
proposed methodology.

4.1 POLICE BASELINE CYBER MATURITY


The previous sections of this dissertation have explained how cyber-security risk management can be
applied to support core architectural design through the use of 'Security by Design' as a core principle.
This must now stretch to local police force implementation, and in order to ensure that the
on-the-ground implementation is necessary and proportionate, the baseline of cyber-security
maturity must first be ascertained. This allows a force to identify the remedial work needed to
achieve an acceptable level of cyber-risk maturity.

With the cyber-risk management methodology designed, we must consider what police forces will be
required to implement in terms of People, Process and Technology. In order to assess local
cyber-maturity and risk appetite, an understanding of local forces is needed. The move to consider
the consumption of SaaS for policing is ground breaking, and the existing perception that local
provision is more secure than national provision dominates current thinking, so an assessment of
forces is needed. This point is reinforced by (Baskerville, 1991), where the point made is that risk
assessments should not be guesswork and that there must be a process delivering a technique to
appropriately challenge views and perspectives which may be entrenched.

The collation of information that would determine each force's cyber-maturity status was
therefore critical to the successful delivery of services and the consumption of commercial SaaS.
However, the collation of information would need to cover a wider surface than just ICT and
Information Security.

A wider questionnaire or process considering people, process and technology was therefore
needed. A comprehensive questionnaire was developed by a small team and I
must emphasise that this was not solely my work and unfortunately not all forces were able to submit
a completed return. (Appendix 1 & 2)

4.1.1 Force pre engagement questionnaire


The questionnaire covered the following areas:

- IAM
- IT Environment
- Applications
- Mobile Applications and Unified Communications
- Social Media & Intranet

- Projects and Business Change
- Document Management
- General
- Equipment
- Infrastructure
- Finance

The above sections of the questionnaire each had a number of specific questions to be answered,
which were then analysed and scored based on the weightings applied to each section. The
questionnaire was sent to 43 forces, of which 12 were visited by a programme team led by myself,
where the questions were asked via a series of meetings. A full list of the questions asked is included
in Appendix 1.

In addition to the landscape questionnaire, an additional set of questions was developed relating
specifically to cyber-risk maturity, covering people, process and technology. The development of
these questions and the resulting output of the overall maturity assessment gave national
policing a perspective on cyber-risk management maturity. In some cases this was linked to a force's
risk appetite, but in others it represented a cyber-maturity position that needed development. The
question sections were:

- Training
- Equipment
- Personnel
- Infrastructure
- Doctrine and Concepts
- Organisation
- Information and Interoperability

The questions relating to each of the above sections are included in Appendix 2. These questions were
produced by a wider team and are those used when undertaking 'Pilot' engagement with the initial
12 police forces.

The output of the baseline readiness assessment is therefore a varied picture; the infographic in
Figure 4.1 depicts the current state of readiness for the consumption of commercial SaaS.

Figure 4.1 below depicts the maturity states of forces in relation to readiness for the consumption of
cloud services, specifically SaaS. However, this does not allow for a wider assessment of the actual
state of cyber-security awareness, which will define the approach a force takes to cyber-risk
management. A more focused approach is therefore needed to determine the maturity of specific
forces in relation to cyber-security awareness and cyber-risk management. The position shown is one
of differing maturity across the different areas. It should be noted that some forces chose not to
respond and most missed out the areas relating specifically to change altogether. This supports some
of the findings within this paper: ICT departments are limited in their capability to determine
change or new areas of technology delivery such as social media. These areas of poor or non-return
could present new and serious cyber-risk and therefore highlight the challenge in policing.

Figure 4.1: readiness scores by area, graded 1 to 4, one column per police force (Police Force 1 to 46):
Operating System 2 4 4 1 2 4 4 4 2 2 2 2 2 4 2 4 2 1 4 4 4 2 2 4 2 2 2 2 2 3 2 2 2 2 4 2 4 4 4 1 4 4 4 2 4 4

Network 3 4 4 4 4 4 4 4 4 4 4 1 3 4 4 4 1 4 4 4 4 1 4 4 1 4 4 4 4 4 1 4 4 4 4 4 4 4 4 4 4 4 4 1 4 4

Browser 1 4 4 1 1 4 4 4 1 1 1 1 1 4 1 4 1 1 4 4 4 1 1 4 1 1 1 1 1 1 1 1 1 1 4 1 4 4 4 1 4 4 4 1 4 4

Exchange & Outlook 1 4 4 1 1 4 4 4 1 1 1 1 1 4 1 4 1 1 4 4 4 1 1 4 3 3 1 1 1 1 1 1 2 1 4 1 4 4 4 1 4 4 4 1 4 4

Active Directory 1 4 4 1 1 4 4 4 2 1 1 1 1 4 1 4 1 1 4 4 4 1 1 4 1 2 1 1 1 1 1 1 2 1 4 1 4 4 4 1 4 4 4 1 4 4

Productivity 2 4 4 1 2 4 4 4 1 1 2 1 2 4 3 4 3 3 4 4 4 3 1 4 1 2 2 4 4 2 4 3 3 1 4 1 4 4 4 3 4 4 4 1 4 4

Intranet 3 4 4 3 1 4 4 4 3 1 1 3 3 4 1 4 3 3 4 4 4 1 3 4 3 4 3 3 1 1 3 3 3 3 4 3 4 4 4 4 4 4 4 4 4 4

Unified Comms. 3 4 4 1 1 4 4 4 2 1 1 1 1 4 2 4 1 2 4 4 4 2 1 4 1 2 2 1 3 3 2 2 3 4 4 2 4 4 4 2 4 4 4 2 4 4

Remote Access 2 4 4 1 2 4 4 4 2 1 1 2 2 4 2 4 2 1 4 4 4 2 2 4 2 2 1 1 1 2 2 1 2 2 4 2 4 4 4 2 4 4 4 1 4 4

Document Management 1 4 4 1 1 4 4 4 2 1 1 1 2 4 1 4 2 1 4 4 4 1 3 4 1 2 2 1 1 1 3 3 3 1 4 1 4 4 4 1 4 4 4 1 4 4

Application Provisioning 1 4 4 1 1 4 4 4 1 2 2 2 2 4 3 4 1 1 4 4 4 2 2 4 1 2 1 2 4 2 2 2 1 1 4 2 4 4 4 4 4 4 4 1 4 4

Mobile Applications 2 4 4 2 2 4 4 4 2 2 2 4 2 4 2 4 2 2 4 4 4 2 2 4 2 2 2 2 2 2 2 2 2 4 4 2 4 4 4 2 4 4 4 2 4 4

Social Media 2 4 4 2 2 4 4 4 2 2 2 2 2 4 2 4 2 2 4 4 4 2 2 4 2 3 3 3 2 3 3 3 2 2 4 2 4 4 4 2 4 4 4 2 4 4

Workflow & Forms 2 4 4 1 4 4 4 4 3 1 1 1 1 4 3 4 1 1 4 4 4 2 4 4 3 1 1 1 1 4 4 2 4 1 4 1 4 4 4 2 4 4 4 1 4 4

Operating Model 3 4 4 1 3 4 4 4 3 1 1 1 1 4 1 4 3 1 4 4 4 1 1 4 3 1 3 1 3 1 1 3 1 1 4 1 4 4 4 1 4 4 4 1 4 4

Agile Working 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4

Change Readiness 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4

Engagement 1 4 4 2 1 4 4 4 2 1 1 2 1 4 1 4 2 1 4 4 4 1 1 4 1 1 1 1 2 1 1 2 1 1 4 1 4 4 4 1 4 4 4 1 4 4

User Segmentation 1 4 4 2 2 4 4 4 3 3 3 3 3 4 3 4 1 3 4 4 4 3 3 4 3 2 3 3 3 1 3 3 3 3 4 2 4 4 4 3 4 4 4 2 4 4

Training 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4

Adoption 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4

In-flight Projects 3 4 4 3 3 4 4 4 3 3 3 3 1 4 3 4 3 2 4 4 4 2 2 4 2 3 2 2 2 1 3 1 3 3 4 3 4 4 4 3 4 4 4 3 4 4

Figure 4.1 (National Enabling Programme Security Risk Management, 2017). Please note that not all forces responded.
4.2 CYBER-RISK MANAGEMENT METHODOLOGY ELEMENTS & SECURITY MODEL

Figure 4.2 shows the seven phases of the methodology and what each produced:

- Phase 1, Strategy: The Risk Management and Accreditation Strategy was developed to detail and agree the process for security, accreditation and information risk management, including detailed descriptions of stakeholders' responsibilities.
- Phase 2, Business Impact Assessment (BIA): Police and stakeholder information assets were identified and their relative criticality assessed by measuring the impact of a breach of confidentiality, integrity or availability.
- Phase 3, Threat Assessment (TA): Insider, external and environmental threats to the environment were assessed and prioritised considering a number of threat actor attributes including capability, history and motivation.
- Phase 4, Inherent Risk Assessment: The Inherent Risk Assessment combined the outputs from the BIAs and TA in order to calculate the inherent risks to the environment; 7 critical risks were identified.
- Phase 5, Risk Scenarios: Underpinning the seven critical risks, forty-three scenarios were considered, looking at the specific attack vectors of a particular threat and the likely assets targeted.
- Phase 6, Security Controls: Aligned with the principle of "defence in depth", necessary and proportionate security controls were developed using the NIST Cyber Security Framework (CSF) to ensure adequate consideration and coverage of control types.
- Phase 7, Integration into solution design: Working closely with the Design Team throughout, the identified controls were integrated into the Low Level Designs and architecture (where appropriate).

Figure 4.2
In earlier parts of this paper I have outlined how national policing can address cyber-risk management
through the use of core ISO 27001 and ISO 27005 elements and the use of the NIST "Framework for
Improving Critical Infrastructure Cybersecurity" (NIST, 2015). During implementation, however, the
cyber-risk assessment and the Framework must come together in order to give the implementation
legitimacy and support its adoption. Figure 4.2 above shows how the risk assessment contributes to
and provides the baseline for the controls through the process of Security by Design, completing the
methodology that takes national policing through to implementation. This is supported by the
approach to security by design in (Verginadis, 2017).
Each element of the process delivers, through its implementation, an output contributing to the next
phase of the methodology. This links the phased methodology shown in figure 3.5 to the actual
outputs of the process:

4.2.1 Phase 1: Risk Management and Accreditation Strategy


The purpose of this phase is to detail the risk management, accreditation and security activities
including the responsibilities and outputs for national policing. Defining the risk management,
accreditation and security process bringing clarity to the actions needed to allow policing both locally
and nationally to deliver as planned which will improve collaboration by clearly demonstrating
responsibilities and accountabilities in relation to Cyber-Risk Management.

4.2.2 Phase 2: Business Impact Assessments


Business Impact Assessments (BIAs) were completed, drawing the critical assets from the NPIRMT
Guidance on Handling of Policing Data within OFFICIAL v2.0 (National Police Information Risk
Management Team, 2017); the assets identified there were included in the BIAs.

To measure and score impact, Business Impact Reference Tables (BIRTs) (Cabinet Office, 2012, p. 150)
were leveraged from HMG Information Assurance Standard No.1 (IS1). IS1 offers a standardised way
to identify, classify and score the impact of a compromise on an environment. It sets clear parameters
between different outcomes in the event of compromise, reducing the level of subjectivity when
assigning impact scores. It should be noted that (IS1) has been retired due to the complex and often
risk averse way this standard was used in practice.

Leveraging these BIRTS, each potential impact on an asset (based on confidentiality, integrity and
availability respectively) was graded from 1 (Low) to 6 (High) and the supporting impact narrative was
recorded along with additional comments to justify scoring rationale. A score of 0 during this phase is
deemed to be unacceptable to the assessment of assets.

The BIRT justification tables set out clear guidelines on how to score the impact of an event (e.g. for
an impact on police officer safety, a score of 6 would mean a threat to life or multiple injuries).

Within the BIA form impact is separated into two types – ‘worst case’ impact and ‘realistic’ impact.
The ‘worst case’ impact refers to the most serious of potential outcomes from a compromise
regardless of its probability. The ‘realistic’ impact takes a more measured view, and considers the most
likely outcomes only.

4.2.3 Phase 3: Threat Assessments


Relevant threats to the environment were assessed and it was determined how they could manifest
to cause harm to that environment. (Information Risk Assessment Methodology 2, 2014, p. 22) A
threat can be defined as: "a potential cause of an unwanted incident, which may result in harm to a
system or organisation." (International Organization for Standardization, 2016, p. 13)

Articulation of the threat was completed using an IRAM2 threat assessment, leveraging several
sources (including threat intelligence from NPIRMT), and using local intelligence sources. A set of
threat attributes (e.g. history, capability, motivation and commitment) were evaluated to assess the
threats from each actor. Each attribute relating to a threat actor was scored on a scale from 1 (Low)
to 3 (High) and added together to form a cumulative final ‘Threat Score’ (e.g. 12/15).

To match the scoring scale of the BIAs (1-6), the final ‘Threat Score’ for each actor was moderated
down to a score of 1-6 (e.g. 12/15 becomes 5/6).

Key to a successful Threat Assessment is the production of a realistic likelihood. The Likelihood will be
required in order to complete the wider cyber-risk assessment and will determine the control to be
applied to the design.

4.2.4 Phase 4: Inherent Risk Assessment


The calculation and articulation of inherent risk to the environment is an important part of security
and risk management, a crucial step in the critical path towards accreditation and a key enabler for
the UK Policing Vision 2025. (National Police Chiefs Council, 2016) It acts as a precursor to the design
and implementation of security controls and adheres to the principles of ‘Secure by Design’. (NCSC,
2016) It enables specific security controls to be tailored to the risks articulated in the inherent risk
assessment so that cyber-security risk management is a key consideration throughout any delivery
and not just a reactive afterthought.

To calculate inherent risk, a standardised risk equation is used (Risk = Likelihood x Impact), as
shown in figure 4.3:

Figure 4.3 (Information Risk Assessment Methodology 2, 2014)
The inherent risk scores were leveraged to develop over 300 low level risks, composed of the most
prevalent threat actors paired with the top 15 most critical information assets.

Based on the 300 low level risks, seven recurring risks to the environment were identified and
converted into risk statements. The risk statements give stakeholders a macro understanding of risk
to the environment. Because they relate to the strategic assets identified, which will affect all
national delivery, the seven recurring risks will be used across national policing as the strategic
risk statements:

1. Employee or third party accidental disclosure / alteration / destruction of assets.
2. Self-determined, malicious or disgruntled employees deliberately disclose / alter / destroy the
asset.
3. Attackers exploit vulnerabilities in the network to gain access to / alter / destroy assets.
4. Attackers leverage employees (including third party employees) to access assets.
5. Attackers exploit vulnerabilities in the network to deny access to the environment
(Hacktivists).
6. System failure denies access to assets.
7. External environmental events disrupt access to the assets.
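The scoring described in phases 2 to 4 above, together with the residual-risk iteration described in the Residual Risk section earlier, can be carried through in code. The Python below is an added worked example written for this page; it is not the programme's or the dissertation's own tooling. It implements the threat-attribute sum out of 15, its moderation onto the 1-6 scale (reproducing the page's 12/15 to 5/6 figure), the 1-6 BIA impact per confidentiality, integrity and availability, Risk = Likelihood x Impact, and the accept-or-escalate decision against appetite. The fifth threat attribute, the linear rescaling, the rating bands, the modelling of a control as a reduction in likelihood, the appetite threshold of 12 and every actor, asset and score are assumptions constructed for illustration and are marked as such in the code.

```python
"""Inherent and residual risk scoring on the page's scales.

Added illustrative example, not the programme's own tooling. The scales
(threat attributes 1-3 summed to /15, BIA impact 1-6, Risk = Likelihood x
Impact) follow the text; anything marked ASSUMPTION is supplied here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Five attributes are needed to reach a maximum of 15; the page names four
# "e.g." (history, capability, motivation, commitment). ASSUMPTION: the fifth
# is called "opportunity" here.
THREAT_ATTRIBUTES = ("history", "capability", "motivation", "commitment", "opportunity")
CIA = ("C", "I", "A")


def threat_score(attrs: Dict[str, int]) -> int:
    """Cumulative threat score out of 15: the sum of five attributes scored 1-3."""
    for name in THREAT_ATTRIBUTES:
        if name not in attrs or not 1 <= attrs[name] <= 3:
            raise ValueError(f"attribute {name!r} must be present and scored 1..3")
    return sum(attrs[name] for name in THREAT_ATTRIBUTES)


def moderate_to_six(score: int, maximum: int = 15) -> int:
    """Moderate an n/15 threat score onto the 1-6 BIA scale to give likelihood.

    ASSUMPTION: linear rescale with rounding; reproduces the page's 12/15 -> 5/6.
    """
    return max(1, min(6, round(score * 6 / maximum)))


@dataclass
class AssetImpact:
    """BIA result for one asset: 'realistic' impact per C/I/A, graded 1-6 (0 rejected)."""
    name: str
    realistic: Dict[str, int]

    def __post_init__(self) -> None:
        for dim in CIA:
            if not 1 <= self.realistic.get(dim, 0) <= 6:
                raise ValueError(f"{self.name}: {dim} impact must be 1..6")


def inherent_risk(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact on the 6 x 6 matrix (1..36)."""
    return likelihood * impact


def band(risk: int) -> str:
    """ASSUMPTION: rating bands; the page's figure 4.3 matrix is not reproduced."""
    return "Critical" if risk >= 25 else "High" if risk >= 15 else "Medium" if risk >= 8 else "Low"


@dataclass
class Control:
    """ASSUMPTION: a mitigating control lowers likelihood by a whole number of steps."""
    name: str
    likelihood_reduction: int


def residual_risk(likelihood: int, impact: int, controls: List[Control]) -> Tuple[int, int]:
    """Residual (likelihood, risk) once controls are applied; likelihood floors at 1."""
    remaining = likelihood
    for control in controls:
        remaining = max(1, remaining - control.likelihood_reduction)
    return remaining, inherent_risk(remaining, impact)


def build_register(actors: Dict[str, Dict[str, int]], assets: List[AssetImpact],
                   controls: Dict[str, List[Control]], appetite: int) -> List[dict]:
    """Low-level risk register: one entry per threat actor x asset x C/I/A.

    Decision follows the page's rule: accept when residual risk is within
    appetite, otherwise treat further or escalate for acceptance.
    """
    register = []
    for actor, attrs in actors.items():
        likelihood = moderate_to_six(threat_score(attrs))
        for asset in assets:
            for dim in CIA:
                impact = asset.realistic[dim]
                inh = inherent_risk(likelihood, impact)
                res_l, res = residual_risk(likelihood, impact, controls.get(dim, []))
                register.append({
                    "actor": actor, "asset": asset.name, "dimension": dim,
                    "likelihood": likelihood, "impact": impact,
                    "inherent": inh, "inherent_band": band(inh),
                    "residual_likelihood": res_l, "residual": res, "residual_band": band(res),
                    "decision": "accept" if res <= appetite else "treat further / escalate",
                })
    return register


def example_register() -> List[dict]:
    """Constructed sample data (ASSUMPTION: not real force or programme figures)."""
    actors = {
        "disgruntled employee": {"history": 3, "capability": 2, "motivation": 3,
                                 "commitment": 2, "opportunity": 2},  # 12/15 -> 5
        "external attacker": {"history": 3, "capability": 3, "motivation": 2,
                              "commitment": 2, "opportunity": 1},     # 11/15 -> 4
    }
    assets = [AssetImpact("Intelligence reports", {"C": 6, "I": 5, "A": 3}),
              AssetImpact("Duty rosters", {"C": 3, "I": 2, "A": 4})]
    controls = {"C": [Control("Microsoft DLP outbound blocking", 1), Control("AD group-based access", 1)],
                "I": [Control("AD group-based access", 1)], "A": []}
    return build_register(actors, assets, controls, appetite=12)  # ASSUMPTION: appetite 12/36


if __name__ == "__main__":
    for row in example_register():
        print(row["actor"], row["asset"], row["dimension"], row["inherent"], row["residual"], row["decision"])
```

On the sample data the disgruntled-employee, intelligence-reports, confidentiality entry is inherently 30 (Critical) and remains 18 (High) after the two confidentiality controls, so it is flagged for further treatment or escalation rather than acceptance, which is the page's rule for residual risk outside appetite; the duty-roster confidentiality entry drops from 15 to 9 and is accepted.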

4.2.5 Phase 5: Scenarios


A number of scenarios were considered for each of the seven national strategic inherent risks. These
scenarios describe how the seven inherent risks can materialise; for example, Inherent Risk 1 concerns
accidental alteration, disclosure or deletion of information. The purpose of the scenario is to make
the risk tangible so that people can relate to it. This allows the executive or end user to
understand the risk without it being perceived as technical. An unintended benefit is that this
process also challenges the culture of policing, as there is a link to the professional standards of
policing.

Inherent Risk 1 can be realised through various means including, but not limited to:
- A removable device being used to either extract data or introduce malware onto the network.
- Data being leaked via email by attaching incorrect or inappropriate material or sending it to
unintended or unapproved recipient(s).
- A non-approved application being downloaded onto a corporate device.

The scenarios are not mutually exclusive hence a single control may mitigate more than one risk, nor
are they collectively exhaustive meaning there is an assumption that police forces in conjunction with
national policing units and partners will ensure the risk picture is subject to regular review and analysis
and that security controls remain robust enough to mitigate identified risks.

Figure 4.4 below presents a pictorial view of one scenario by way of an example. Mapping each
scenario's mitigations to the functions of the NIST Framework gives legitimacy to the overall
cyber-risk management.

Inherent Risk 1 scenarios (INSIDER):
- User, accidental: Data leakage. Sends an email to a recipient with inappropriate material attached and/or to a non-approved recipient.
- User, malicious: User uses a removable device to either install malware or extract information.
- User, malicious: Hostile reconnaissance to track potential targets and identify weaknesses in the infrastructure for exploitation.
- Admin, malicious: Rogue admin installs a data capture tool (e.g. key logger / sniffer) onto a system.

Mitigations by NIST CSF function:
- IDENTIFY: Risk assessments are continual and build necessary and proportionate security controls to mitigate against identified risks. Risk responses are prioritised effectively.
- PROTECT: Block the sending of certain specified information types externally using Microsoft DLP. Block the personal use of third party web e-mail clients (e.g. Gmail, Yahoo, Outlook) at the web proxy server. Configure Active Directory to provide role / group based permissions to users. Access to sensitive information (OFFICIAL-SENSITIVE, PII etc.) shall be restricted based on user groups or Originator guidelines.
- DETECT: Specialist monitoring staff are trained to spot indicators of compromise and conduct analysis which can reduce detection times and aid identification. Having a firm grasp of permissible assets that can connect to the network and access information systems enables the detection of potentially malicious activity from unauthorised assets.
- RESPOND: Incident scenario planning and exercising. Implement monitoring of mailboxes on Exchange Servers (on-prem) and O365 (cloud) to identify suspected policy violations. PIR process in place.
- RECOVER: Ensure governance structures are in place to effectively execute recovery plans. Develop a RACI matrix for recovery activities.

Figure 4.4 (National Enabling Programme Security Risk Management, 2017)
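As an added example of how the PROTECT and DETECT mitigations in Figure 4.4 translate into a concrete rule, the Python below (written for this page; it is not the programme's configuration and not Microsoft DLP itself) blocks specified information types addressed to unapproved external recipients, allows but flags them when addressed to an approved partner domain, and emits the audit event that mailbox monitoring would review for suspected policy violations. The domain lists, the information-type patterns (a simplified UK National Insurance number, a UK mobile number and the OFFICIAL-SENSITIVE marking) and the sample messages are constructed assumptions.

```python
"""Outbound e-mail leakage check modelled on the figure 4.4 mitigations.

Added example; not the programme's configuration and not Microsoft DLP itself.
The domains, information-type patterns and messages are constructed here for
illustration (ASSUMPTION throughout).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

INTERNAL_DOMAINS = {"force.police.uk", "pnn.police.uk"}  # ASSUMPTION: illustrative force domains
APPROVED_EXTERNAL = {"cps.gov.uk"}                        # ASSUMPTION: approved partner domain

# "Specified information types" the PROTECT rule blocks externally.
# ASSUMPTION: illustrative set; the NI-number pattern is simplified.
INFO_TYPES = {
    "protective marking": re.compile(r"\bOFFICIAL[-\s]SENSITIVE\b", re.IGNORECASE),
    "UK NI number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "UK mobile number": re.compile(r"\b07\d{3}\s?\d{6}\b"),
}


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: Dict[str, str] = field(default_factory=dict)  # filename -> extracted text


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def detected_types(msg: Message) -> List[str]:
    """Names of the specified information types found in subject, body or attachments."""
    text = "\n".join([msg.subject, msg.body, *msg.attachments.values()])
    return sorted(name for name, pattern in INFO_TYPES.items() if pattern.search(text))


def evaluate(msg: Message) -> dict:
    """PROTECT decision for one outbound message plus the DETECT/RESPOND audit event.

    Blocks specified information types to unapproved external recipients; traffic
    to approved partners is allowed but flagged so mailbox monitoring can review it.
    """
    external = [r for r in msg.recipients if domain(r) not in INTERNAL_DOMAINS]
    unapproved = [r for r in external if domain(r) not in APPROVED_EXTERNAL]
    types = detected_types(msg)
    if types and unapproved:
        action, reason = "BLOCK", "specified information types to unapproved external recipient"
    elif types and external:
        action, reason = "ALLOW", "sensitive content to approved partner domain (monitored)"
    elif external:
        action, reason = "ALLOW", "external recipient, no specified information types"
    else:
        action, reason = "ALLOW", "internal recipients only"
    return {
        "action": action,
        "reason": reason,
        "sender": msg.sender,
        "external_recipients": external,
        "types": types,
        # suspected policy violation: sensitive content that left, or tried to leave, the force
        "policy_violation": bool(types) and bool(external),
    }


# Constructed sample traffic (ASSUMPTION) illustrating the accidental-insider scenario.
SAMPLE_MESSAGES = [
    Message("pc.jones@force.police.uk", ["sgt.patel@force.police.uk"],
            "Custody record", "NI number QQ123456C for the detainee."),
    Message("pc.jones@force.police.uk", ["j.smith@gmail.com"],  # mistyped external recipient
            "Briefing", "As discussed.", {"briefing.docx": "OFFICIAL-SENSITIVE: operation details"}),
    Message("ds.khan@force.police.uk", ["casework@cps.gov.uk"],
            "Charging advice", "Suspect NI number QQ123456C attached for the file."),
    Message("ds.khan@force.police.uk", ["casework@cps.gov.uk"],
            "Meeting", "Confirming Tuesday at 10:00."),
]


def run_samples() -> List[dict]:
    return [evaluate(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for event in run_samples():
        print(event["action"], event["reason"], event["types"])
```

The second sample message is the accidental-insider case from the scenario: the sender mistypes the recipient's domain and attaches OFFICIAL-SENSITIVE material, so the rule blocks it. The third shows why the DETECT function is still needed alongside PROTECT: the control allows sensitive content to an approved partner, so only the flagged audit event lets monitoring staff confirm the transfer was legitimate.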

4.2.6 Phase 6: Security Model Control Development
Within the Security Model, necessary and proportionate security controls have been mapped against
risk scenarios to give an end to end view of risk mitigation and residual risk.

When developing the security controls, the concept of defence in depth (SANS Institute, 2001) was
applied: the environment is protected by a series of defensive mechanisms so that if one fails
another is in place to thwart the attack. Because there are so many potential attackers, and the
sophistication and scope of their methods is rapidly evolving, there is no single method for
successfully protecting the environment. Therefore, in accordance with the Government Security
Classifications (GSC) policy, a multi-layered approach to security is required (Cabinet Office, 2014).
This strategy reduces the risk of a successful attack.

As described throughout this paper security controls are where possible taken from UK legislation and
HMG policy but where this is not possible, a considered and transparent foundation rooted in police
decisions, UK government guidance and commercial best practice has been used.

As GSC states: “There is no silver bullet for mitigating all threats at OFFICIAL and organisations should
provide layered security across their businesses. People, technology and environmental controls should
be mutually enforcing and given equal consideration as part of a holistic approach to security.”
(Cabinet Office, 2014)

4.2.7 Integration into the Architecture


Security and architecture design must work closely throughout the design of any system to ensure
that security controls are, where appropriate, integrated into the architecture and mapped against
the low level designs. This is a key element of the methodology's success, and the cultural impact of
disparate teams working together is critical to the overall outcome. This phase completes the process
of integrating cyber-risk management into 'Security by Design' and defines the proposed
cyber-security model.

4.3 CYBER-RISK MANAGEMENT SECURITY MODEL LOCAL FORCE ASSESSMENT


The security maturity assessment tool allows security professionals to conduct an assessment of their
compliance with the security model and their maturity against the NIST cyber-security framework. This
tool is the next phase following the baseline questionnaire and has been developed to incorporate the
core elements of the NIST framework. It outputs management information to demonstrate a Police
Force’s level of compliance against the NEP Security Model and maturity against the NIST cyber-
security framework, and highlights any major areas of concern to those roles responsible for cyber-risk
management.

4.3.1 Force Engagement Plan


Having developed a security model to assure the secure delivery of architectural development into
Police Forces, and created a tool which will aid in the assessment of forces against the NIST cyber-
security framework, policing needs to ensure that the required controls are implemented locally in
forces. This is done by embedding security professionals into police forces which are implementing
SaaS designs. This team will conduct assessments throughout the delivery of the productivity tools
and support the force’s information security team throughout. The engagement will be conducted in
3 phases:

1. Assess: Conducting assessments of the force to identify its maturity against the NIST Cyber
Security Framework, to identify its compliance with the security controls in the technical
architectural security model and to identify any local information security risks.
2. Accelerate: Ensuring that all risks are managed appropriately by the force and that risk
management processes are embedded into the force.
3. Integrate: Assisting the force with its technical and procedural integration with the Police
National Management Centre.

This three phase approach will allow forces to baseline their cyber-risk management maturity. The
security model and the maturity assessment tools are evergreen and will require continuous updating
and refreshing. Figure 4.5 on the following page shows that each of the assessment stages links back
to the NIST cyber-security framework and provides a link and integration between the cyber-risk
assessment, architectural design and implementation via the proposed cyber-risk management
security model.

Figure 4.5

5.0 EVALUATION OF CYBER-RISK MANAGEMENT METHODOLOGY & MODEL

5.1 POLICING CYBER MATURITY BASELINE


A set of questions was asked of 12 police forces and Constabularies as part of a discovery phase of
my work. These questions were put together to establish a baseline in relation to cyber-security and
to inform me ahead of establishing a methodology for risk management and a process for ensuring
that risk management provided the foundation for system and architectural design. The same set of
questions was then extended and amended, from lessons learnt, into the set used to assess the baseline
of cyber-security maturity and architectural readiness, or specifically the consumption of O365, a
commercial cloud service. Whilst this provided a set of completed returns it did not take account of
any behavioural analysis, and therefore some of the answers were potentially tainted by the cultural
position of the force or individuals in question. This position is supported by Protection Motivation
Theory, which is potentially influencing the engagement and understanding of users involved in the
change. It is supported in studies focusing on information security and behaviour formation. (Sohrabi,
2014)
The cyber-risk management approach has been developed to provide a common approach for police
forces, and therefore the different levels of maturity in relation to cyber-risk management have been
considered.
The initial forces have undertaken the proposed approach to cyber-risk management, allowing an
evaluation at opposing ends of the maturity spectrum. This difference in organisational maturity in
cyber-risk management, and their individual levels of risk tolerance, contribute to the need for a
cyber-risk management methodology and a cyber-risk management security model. The overall
process of following the cyber-risk management methodology and implementing the security
model has presented some difficult outcomes to senior leaders within policing. It has highlighted the
issues that relate to cyber-risks at a local level, and the verbose nature of organisational cyber-risk
identification and of the remedial actions required to mitigate such risks as strategic risks to an
organisation, whilst often not returning any visible outcome to policing.
The baseline questionnaire has provided a firm position in relation to the existing maturity position
forces are operating from. However, it fails to provide a process for general operational use, resulting
in an additional need for further work specifically relating to business as usual. This is supported by a
more involved approach to guiding a police force in the development of cyber security. (Sohrabi, 2014)

5.2 POLICING CULTURAL PERCEPTION OF CYBER-RISK


The position that local forces take in relation to what is perceived as criticism is something to which
forces must adapt their thinking and cultural position, and accept as advice. Being compliant, or
working towards a compliance position, is dynamic and fluid, with cyber-risk management being a point
in time maturity position which changes as technology changes, supporting the methodology’s
approach to maintaining evergreen status. Forces therefore must accept that meeting an acceptable
cyber-risk management position will continuously need evaluation, which supports the approach of
developing a set of tools that contribute to the continuous assessment of the actual cyber-risk position
policing finds itself in.
The cultural position policing finds itself in is changing. With GDPR and other legislative changes
threatening financial risk to an organisation, senior leaders are changing their behaviour. The initial
implementation of the baseline questions and the presentation of the methodology outputs (Business
Impact Assessment, Threat Assessment, and Inherent Risk Assessment) were perceived to be
presenting a situation in which cyber-risk was to be feared. However, the cultural position is now starting
to move, with cyber-incidents becoming more mainstream and policing now focusing on the changes
to threat landscapes and the need to understand the link between cyber-risk management and
technical architectural design and implementation.
The delivery locally in forces has highlighted that, whilst the effort and detail built into the cyber-risk
management methodology have been well received, it had not addressed the cultural issues, specifically
the resistance to change and challenge from those who are comfortable in their current operating
process. A significant challenge identified has been passive compliance with the implementation of
cyber-risk management when in reality little or nothing was being done at a local level. This is a bold
statement but one supported by the current working practices, which are focused solely on Information
Security. This does not take into account the points discussed earlier relating to the benefits of
security by design and of embedding technical architectural design with cyber-risk management at its
core, ensuring that necessary and proportionate security controls are being applied and, more importantly,
continually assessed.
This cultural influence is therefore a longer term challenge for national policing, and one which will
develop as those involved start to understand it throughout their engagement with the cyber-risk
management process proposed. It has therefore been necessary to manage change through education
and the development of core Information Risk Management resources nationally and locally.

5.3 POLICING CYBER-RISK MANAGEMENT METHODOLOGY


The proposed cyber-risk management methodology provides national policing with a foundation
where core identification of inherent risks can be centralised. This core element therefore supports
the dynamic nature of the technology, the processes and the people using the end outcome of the solution.
This removes the need for the process to be undertaken 43 times. However, the process will allow all
police forces to utilise a single output and, where required, undertake the process of ‘security by
design’ for local architectural implementation.
This will require a robust implementation of the business as usual operating model to ensure that the
first 4 phases of the cyber-risk management methodology are centrally reviewed and continuously
updated:
- Ensure that scope is assessed to provide necessary and proportionate cyber-risk
management to national policing. It should not block innovation or the need for continuous
improvement to core Policing operational process.
- The assets included within the ‘Business Impact Assessment’ should be reviewed to provide
confidence that they are current. The core business impact reference tables must also be
reviewed to support confidence in the overall assessment.
- The ‘Threat Assessment’, or threat landscape, should also be reviewed. This should be current
and take account of any new intelligence that indicates a threat to national policing.
- The inherent risk statement should be reviewed following any changes to the above. This
output is critical to the overall ‘Security by design’.
In practice the methodology is still new, however there is now a desire for the approach defined within
this paper to become the national police standard and developed further. This develops the link
between Information Security and technical architectural design but there will need to be constant
reviews of the overall end to end process as well as robust communication between the central and
local delivery teams.
The proposed methodology and the security model provide a foundation to challenge the cultural
resistance to change, as well as removing the barriers to technical development based on the
perception of cyber-risk. The position of perceived risk and over-engineered perceptions of
catastrophic cyber-attack can be qualified through the identification of risk within the use of the
proposed methodology, which will provide policing with an approach to cyber-risk management that
will drive proportionality. This is an area Baskerville (1991) discusses, where there is a need for
versatile and practical tools that become part of a security practitioner’s everyday work. The security
model will then allow technical architecture to be developed with an intrinsic link to the inherent risk
statements, which will assist in ensuring necessary and proportionate controls are applied to the
mitigation of risk. These processes will help ensure that the operability for the end user is protected.

5.4 CYBER-RISK MANAGEMENT SECURITY MODEL FOR POLICING


The NIST Framework provides the base for the core assessment undertaken in force. This has been
piloted; however, the results have had different outcomes, reflecting the different approaches used to
address cyber-risk management. These differing approaches are resulting in forces being
exposed to risk which is not fully understood locally and is therefore misunderstood in relation to an
overall risk profile. With the change to the implementation and consumption of SaaS, the
understanding and appetite that exists in local Information Security Officers and Senior Information
Risk Owners must improve in order to establish a baseline readiness for SaaS consumption.
This gap in knowledge and understanding is influencing the wider acceptance of the proposed
approach. Without a local appetite, or acceptance that the threat landscape changes with the
implementation and consumption of SaaS, the risk to policing will continue to rise as more service is
consumed. The implementation of O365 is the first opportunity to consider cyber-related risk. It is
therefore essential to use Risk Management and industry proven standards such as NIST to give
legitimate structure to design change; this will help develop a new approach to the overall delivery
of ‘Security by Design’ across policing.
The NIST framework provides a structured industry standard that supplies the link between traditional
risk management and the needs of architectural design. It has provided a clear link between decision
making in technical design and the mitigation of risk based on a position of proportionality and
necessity, not perception. But in order for this process to be truly successful, the existing community
of trust needs to be convinced that the methodology and the security model are intrinsically
connected.
The force engagement plan also gives the security model some significance in the overall delivery
within a force. It allows a potential baseline for cyber-security maturity to be aligned, as all forces will
be working to a single method of implementation. This is therefore an opportunity to deliver
significant change to cyber-risk management throughout policing.

5.5 CYBER-RISK MANAGEMENT AS BUSINESS AS USUAL


The cyber-risk management methodology is suited to a centrally updated operational process;
however, the cyber-risk management security model is agnostic and can be operated either centrally,
when considering national system development, or locally on smaller local developments. This
highlights a potential issue in the upkeep and development of the overall practice, as the security
model is only effective if the methodology is kept up to date. There is a link to the cultural issues that
have been discussed, as the threat is from those supportive of the change against those passive
non-changers who believe no change is needed.
The implementation has also highlighted that change to the existing agreed Blueprint position on risk
management will present greater problems in the future, specifically in relation to the practitioner
capacity needed to ensure that the evergreen changes to technical solutions, and the resulting
changes to Policing assets, are kept up to date. These changes and the assessment of threat will
ultimately change the inherent risk position, and therefore the security model requirements for
controls to mitigate changes to any architectural design. This does present a challenge to the
sustainability of the proposed methodology and security model. However, in September the
methodology will be presented to the Police Information Assurance Board with a recommendation
that the cyber-risk management methodology and the security model should be approved as a
national process and become business as usual.
The overall cyber-risk management methodology process proposed must be re-evaluated periodically.
The overall risk assessment scoring is only valid for a period of time relevant to the assets and threats
being assessed.

6.0 CONCLUSIONS
The proposal within this project has outlined that cyber-risk management is not just an IT or technical
issue but is linked to traditional Information Security and also to architectural design. The approach
presented develops a cyber-management framework for Policing, centrally updated for use nationally
and locally, and is split into 2 core deliverables:
- Cyber-Risk Management Methodology
- Cyber-Risk Management Security Model
The methodology presented references, and is supported by, guidance published by NCSC and
addresses the need to consider people, process and technology. There is an intrinsic link between
these areas of cyber-risk management, and policing should, as outlined in the NCSC guidance (NCSC,
2016), adopt an approach to risk management which allows a comprehensive risk management
approach covering all three of these areas.

This provides an opportunity to make changes resulting in a much improved cyber-risk position, which
can then provide assurance that identified risks are managed effectively and efficiently, with core
central principles providing a foundation for development. However, there will be additional changes
needed moving forward, specifically relating to keeping the process current, joined up and functional,
recognising that SaaS is an evergreen infrastructure. (Albakri, 2014, p. 2123) The operating model will
require central teams to take ownership of the development of the cyber-risk management methodology
and then communicate these continual developments to all forces.
The core methodology will provide a means to identify and manage risk effectively and efficiently and
will help mitigate the identified inherent risks, providing policing with a comprehensive duty of care in
assessing risk.

The methodology is shown in figure 5.1 below, which provides a visual representation of the ISO 27005
aligned risk management methodology outlined within the cyber-risk management section of this
paper. Included in the process proposed is a link to the development and integration of security
controls into architectural design.

Phase 1 - Strategy: The Risk Management and Accreditation Strategy was developed to detail and agree the
process for security, accreditation and information risk management - including detailed descriptions of
stakeholders responsibilities.
Phase 2 - Business Impact Assessment (BIA): Police and stakeholder information assets were identified and
their relative criticality assessed by measuring the impact of a breach of confidentiality, integrity or
availability.
Phase 3 - Threat Assessment (TA): Insider, external and environmental threats to the environment were
assessed and prioritised considering a number of threat actor attributes including capability, history
and motivation.
Phase 4 - Inherent Risk Assessment: The Inherent Risk Assessment combined the outputs from the BIAs and
TA in order to calculate the inherent risks to the environment - 7 critical risks were identified.
Phase 5 - Risk Scenarios: Underpinning the seven critical risks, forty three scenarios were considered -
looking at the specific attack vectors of a particular threat and the likely assets targeted.
Phase 6 - Security Controls: Aligned with the principle of "defence in depth" necessary and proportionate
security controls were developed - using the NIST Cyber Security Framework (CSF) to ensure adequate
consideration and coverage of control types.
Phase 7 - Integration into solution design: Working closely with the Design Team throughout, the
identified controls were integrated into the Low Level Designs and architecture (where appropriate).

Figure 5.1

The Security Model is a tool for risk professionals to manage and control implementation and residual
risk. It is holistic in nature and covers all NIST security domains. While police forces with the highest
security maturity are likely to be able to demonstrate compliance against a large proportion of the
controls, the cyber-risk management security model itself is not intended to be used as a compliance
“tick box” exercise. There is no expectation that every control in the cyber-risk management security
model will be implemented by a police force. Instead, the expectation is that the cyber-security risk
management security model will be used to help police forces understand their inherent risks and
draw from the model to improve their capability to mitigate against these risks.
There are good reasons why a police force may not want to implement a certain control (including
cost, user experience or adverse effects on the wider enterprise architecture). In these circumstances the
police force should look to implement other compensating controls in line with the principle of
defense in depth, and understand the residual risk which they may need to accept.
As part of the delivery of the cyber-risk management security model a cyber-security maturity
assessment is undertaken within a force. The completed assessment is presented to the force as a
baseline to be maintained by the force’s information security team. However the maturity assessment
tool presents a challenge in relation to keeping the tool current and effective. Business as usual
activities discussed will therefore be essential to the success of the proposal.
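The maturity assessment described in section 4.3 and in this section rolls control-level findings up into management information: compliance against the security model, maturity per NIST CSF function, and the areas of concern for those responsible for cyber-risk management. The following is an added example of that roll-up in Python; it is not the NEP tool, nor the assessment spreadsheet used in force. The control identifiers, the 0-3 maturity scale, the 1.5 threshold and the 365-day validity window are constructed assumptions; the four control states (implemented, compensating, accepted residual risk, unmanaged) follow the distinction made above between compliance and a considered decision not to implement a control.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# NIST CSF core functions, the domains the security model's controls are mapped against.
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Constructed 0-3 maturity scale per control (an assumption, not the NIST CSF tiers):
# 0 = absent, 1 = ad hoc, 2 = defined and operated, 3 = measured and reviewed.
MAX_MATURITY = 3


@dataclass
class ControlResult:
    """One security-model control as assessed in a force (constructed data shape)."""
    control_id: str
    function: str                         # one of CSF_FUNCTIONS
    maturity: int                         # 0..MAX_MATURITY as operated
    implemented: bool
    compensating: Optional[str] = None    # alternative control in place, if any
    risk_accepted: bool = False           # residual risk formally accepted by the force

    def __post_init__(self) -> None:
        if self.function not in CSF_FUNCTIONS:
            raise ValueError(f"unknown CSF function: {self.function}")
        if not 0 <= self.maturity <= MAX_MATURITY:
            raise ValueError(f"maturity out of range for {self.control_id}")

    @property
    def effective_maturity(self) -> int:
        # A control that is not in place contributes nothing, whatever was claimed for it.
        return self.maturity if self.implemented else 0

    @property
    def status(self) -> str:
        if self.implemented:
            return "implemented"
        if self.compensating:
            return "compensating"
        if self.risk_accepted:
            return "accepted"
        return "unmanaged"   # gap with neither a mitigation nor a recorded decision


def function_maturity(results: List[ControlResult]) -> Dict[str, float]:
    """Mean effective maturity per CSF function (0.0 where a function has no controls)."""
    scores: Dict[str, float] = {}
    for fn in CSF_FUNCTIONS:
        values = [r.effective_maturity for r in results if r.function == fn]
        scores[fn] = round(sum(values) / len(values), 2) if values else 0.0
    return scores


def compliance_summary(results: List[ControlResult]) -> Dict[str, float]:
    """Counts per control state plus the percentage of controls actually implemented."""
    counts: Dict[str, float] = {"implemented": 0, "compensating": 0, "accepted": 0, "unmanaged": 0}
    for r in results:
        counts[r.status] += 1
    total = len(results)
    counts["compliance_pct"] = round(100.0 * counts["implemented"] / total, 1) if total else 0.0
    return counts


def areas_of_concern(results: List[ControlResult], threshold: float = 1.5) -> List[str]:
    """CSF functions whose mean maturity falls below the (constructed) threshold."""
    return [fn for fn, score in function_maturity(results).items() if score < threshold]


def unmanaged_gaps(results: List[ControlResult]) -> List[str]:
    """Controls not implemented, with neither a compensating control nor an accepted residual risk."""
    return [r.control_id for r in results if r.status == "unmanaged"]


def assessment_current(assessed_on: date, today: date, validity_days: int = 365) -> bool:
    """The scoring is a point-in-time position; treat it as stale once validity_days have passed."""
    return 0 <= (today - assessed_on).days <= validity_days


def build_report(results: List[ControlResult], assessed_on: date, today: date) -> dict:
    """Management information for those responsible for cyber-risk management in the force."""
    return {
        "maturity": function_maturity(results),
        "compliance": compliance_summary(results),
        "areas_of_concern": areas_of_concern(results),
        "unmanaged_gaps": unmanaged_gaps(results),
        "assessment_current": assessment_current(assessed_on, today),
    }


# Constructed sample return from one force: identifiers and scores are illustrative only.
SAMPLE_ASSESSED_ON = date(2018, 7, 30)
SAMPLE_RESULTS = [
    ControlResult("ID-1", "Identify", 3, True),
    ControlResult("ID-2", "Identify", 2, True),
    ControlResult("PR-1", "Protect", 3, True),
    ControlResult("PR-2", "Protect", 0, False, compensating="network segmentation in place of host control"),
    ControlResult("DE-1", "Detect", 1, True),
    ControlResult("DE-2", "Detect", 0, False),                      # nothing in place, no decision recorded
    ControlResult("RS-1", "Respond", 2, True),
    ControlResult("RC-1", "Recover", 0, False, risk_accepted=True),  # residual risk accepted
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_RESULTS, SAMPLE_ASSESSED_ON, date(2019, 3, 1)), indent=2))
```

A control left "unmanaged" has neither the control, a compensating control nor an accepted residual risk, which is the gap the model is meant to surface rather than hide behind a tick box. A compensating control keeps a control out of the compliance count but also out of the unmanaged gaps, so the report distinguishes a considered decision from neglect; the validity check reflects the point-in-time nature of the scoring noted in section 5.5.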

The cyber-risk management security model is delivered in three phases. The first phase is ‘Assess’,
in which an independent assessment of the police force’s information-security risk management
capabilities is undertaken. This will identify a number of information-security risks held by the force.
The second phase is ‘Accelerate’, in which the risks identified in the Assess phase are placed into a risk
management process and risk management plans are developed. This phase is a continuous process,
which is represented by the ‘Operationalise’ phase. The third phase is ‘Integrate’, during which the
force is integrated with the National Management Centre. Once complete, the force can be considered
at full operational capability. This process is shown in figure 4.5 on page 49.
This process has been well received by the forces; however, there is always a natural trepidation which
comes from being independently assessed. One of the major feedback points from forces is that the
maintenance of the assessment tool and the security controls represents extra work on top of an
already significant workload. This is not the intention of the cyber-risk management security model,
the processes or the cyber-maturity assessment tool. It is envisaged that the security model and the
cyber-maturity assessment controls will form the basis of police-wide terms of reference for
Information Security Officers, based around the maintenance of reasonable and proportionate
information security controls developed, maintained and distributed from a central delivery.

The proposal outlines the case that policing cannot have cyber-risk management separate from
architecture design; they have to work together and provide an end to end position for Information
Security and architectural design which will provide ‘Defense in depth’. This process will provide a
cyber-risk position that considers what cyber-risk is as well as how it is mitigated. In order for this to
be successful, the perception held by those responsible for the management of Information Risk must
change. This will in itself support a change to the overall culture adopted by forces and to the perception
that SaaS is not as secure as on premise services, thus supporting a move to cloud
services. (Kumarl, 2015)

It is essential that the proposed cyber-security risk management methodology and the security model
are living processes. The outcomes of the processes proposed must be mature enough to cope with
the ever changing environment that SaaS and policing are operating within. (Zhang, 2010, p. 1332)


Policing therefore needs quality information to support decision making when considering cyber-risk
management. The information and media impact on cyber-risk can be perceived to be a problem, based
on the volume of information and intelligence, which is sometimes inaccurate, out of context or even
contradictory. This creates a fog of truth or perception relating to the actual position, clouding non-
aware executives. The inability to see a pattern or gain any use from this fog of information hinders
the ability to make the right decisions in the right time frame, resulting in a friction of understanding
in relation to cyber-risk management. This will certainly have clouded the initial analysis and has also
influenced other studies in relation to information security. (Verginadis, 2017) As an analogy, the fog
of poor management information creates the friction of slow or wrong business decisions. This
discussion points to similarities with observations made by Clausewitz when discussing traditional
decision making. (Parks, 1994) Therefore a cyber-risk management methodology and security model
can draw similarities with other everyday cultural and complex strategic decision making.


APPENDIX 1 PILOT 12 FORCE QUESTIONS


Police Force:
Category Question Question Answer(s)
Number
IAM 1 Do you already use the Microsoft
Office 365 cloud services or any
other Microsoft cloud based
services?
3 Do you have an existing Identity and
Access Management system?
5 Do some users have multiple user
accounts?
6 Are all accounts (including standard
user accounts, service accounts,
shared accounts, test or training
accounts) able to be traced to a
specific individual still employed?
7 Is there a standard User ID naming
convention used across your
network?
8 Do you already have Microsoft
Active Directory Federation Service
(ADFS) or any other Microsoft AD
synchronisation tools (such as AD
connect) or any other federation
software (such as PING federate)
running as either Identity Provider
or Service Provider?
10 Is there an access control or
business process that disables users
with immediate effect, and likewise
able to re-enable a user with
immediate effect?
11 Is there an on-line process for
requesting access to applications
and likewise removing access from
applications?
12 Do all employees and non
employees that currently have user
access to your network have a
record in a Human Resource system
or any other system for maintaining
data about persons?
14 Does the process of adding a person
to the HR or other system result in
the fully 'automated' creation of a
user login account, complete with
all birthright entitlements (such as
e-mail)?

Page | 58
Jason Corbishley 31961006

17 Does the process of changing an


employees details (Example: name
change on marriage, change of
manager) in the HR or other system
result in the fully automated change
to user login account, email, global
address list, AD group distribution
lists and other application accesses
held by the user?
18 Does the process of terminating an
employee in the HR or other system
automatically result in the removal
of the users login account and all
other application accesses?
20 Has the employee and non-
employee data been cross checked
or validated against user login
accounts within the last 12 calendar
months to remove unused or
orphan accounts?
21 Are you using any other Directory
such as LDAP, AD AM?
23 Is your Email system currently
integrated with Active Directory?
24 Are there any quotas or limitations
(such as message size) implemented
in your email systems?
26 Is there a dedicated team for the
creation, management and removal
of user login accounts?
27 Is there a dedicated team for the
creation, management and removal
of users mail accounts?
28 Are the user administration policies,
processes and procedures fully
documented, including approval
levels and responsibilities?
29 Is there a policy that allows a user to
be treated as a re-hire and be given
access to a previously disabled or
deleted user login account, mailbox
and access to other applications?
30 Has an assessment of the job roles
held by users in your organisation
ever been completed, including
profiling the IT systems and
applications which each role is
entitled to?
31 Has an assessment of the roles held
by users in your organisation ever
been completed?

Page | 59
Jason Corbishley 31961006

32 Is role based access controls (RBAC)


implemented within your
organisation?
33 Do you implement and monitor
segregation of duties in your
applications now?
34 Does your organisation certify or
recertify a users role, accesses or
entitlements on a periodic basis?
37 What is the strategic plan regards
core operational platforms (PND,
CRASH, Crime/RMS. Example:
increase or decrease take up and
usage, change user polices)
38 To what extent does your force
share access to systems and
applications hosted by you with
other forces.
39 Are there opportunities to share
access to specialist systems,
applications or resources operated
by other forces?
40 Approximately how many users in
your force have access to PND?
41 Approximately how many users in
your force have access to ATHENA?
42 Approximately how many users in
your force have access to CRASH?
43 Approximately how many (standard)
users access your forces network
(standard user login)?
44 Approximately how many (NON
standard) users access your forces
network?
45 Are there any other specialist
devices that might be used to access
strategic platforms or local
applications? If so please describe
these.
47 How frequently does your force
need to enable access to users from
other forces due to extra-ordinary
events?
48 In the circumstances of an extra-
ordinary event requiring access to
your forces systems by users from
other forces, how is access removed
after the event?
IT 49 Are all client devices on Windows
Environment 8.1 or Windows 10?

Page | 60
Jason Corbishley 31961006

50 Does your force have a planned or


on-going project (at any stage) to
get there?
51 Are there any exceptions or devices
that have specific reasons to have
not been migrated (e.g. legacy
applications)?
52 Does your force have any client
virtualisation capabilities for either
in office or remote connections?
53 What tool / version does your force
use e.g. Citrix XenApp 6.5?
54 If other please provide details
55 How many typical connections
would your force expect in a day?
56 What are the primary devices for
office based workers?

57 What are the primary devices for


mobile/remote workers?

58 Does your force currently use


roaming profiles?
59 Is your force using Active Directory
Schema Level Windows 2008 R2 or
later?
61 How do users connect out of office?

62 How do users connect in office?

63 What is your force current


bandwidth utilisation?
64 Does your force currently use a tool
for application provisioning e.g.
SCCM?
65 Which tool does your force use?
66 Is this used for all front and back
end builds + patching?
67 Do users currently have the ability
to access force systems remotely?
68 What solution is used?
69 Does your force use a VPN to allow
users to access systems remotely
70 Which VPN product does your force
use?
Applications 71 Is your force using Office 2013 or
later? (Office 2011, 2016 for Mac?)

Page | 61
Jason Corbishley 31961006

73 Does your force use any plugins to


Office applications? Please consider
policing as well as back office
applications
74 Please provide details of the
plugin(s)?
75 Does your force have any business
critical VBA currently in place?
77 Does your force use Exchange 2010
SP 3 or later?
79 Does your force have any
applications that integrate with
Exchange or Outlook? Please
consider policing applications as
well as back office applications.
80 Please provide details of the
applications and how they are
integrated?
81 Do any of your force applications
use mail relay?
82 Please provide details of the
applications?

83 Is OWA enabled?
84 Externally or internally?
85 What is your force current average
mailbox size?
86 What is your force total volume of
mailbox data?
87 Does your force use bulk mailing?
88 Is your force using IE11 or Edge?
90 Does your force use Chrome or
Firefox?
91 Are they the latest version?
92 Does your force use any browser
plugins?
94 Does your force currently use a tool
to manage workflow? E.g.
SharePoint
95 What solution does your force use?
96 Does your force currently use a tool
to manage forms? E.g. InfoPath
Mobile Apps 98 Do your force users currently have
and Unified access to applications via their
Comms corporate mobile device (e.g. email,
policing apps etc?)

Page | 62
Jason Corbishley 31961006

99 Which applications are accessible?
100 Does your force have any planned or ongoing projects (at any stage) to add applications or application access within the next 12 months?
101 Do any of these mobile applications integrate with Office, Exchange or SharePoint?
102 Please provide details (please exclude national applications).
103 Does your force use a mobile device management solution to manage these devices?
106 Does your force currently use unified comms?
108 What is your force's current conference calling solution(s)?
109 What is your force's current video conferencing solution?

Social Media & Intranet
110 Does your force currently use a corporate social media tool, e.g. Polka, Yammer?
111 Which tool does your force use?
112 What percentage of users actively use this tool (once per week)?
113 What tool does your force currently use to host the force intranet?

Projects & Business Change
114 Does your force have any in-flight projects (include next 6 months) to upgrade the client operating system?
115 Please provide a short summary of any relevant projects.
116 Does your force have any in-flight projects (include next 6 months) to upgrade office applications?
117 Please provide a short summary of any relevant projects.
118 Does your force have any in-flight projects (include next 6 months) to upgrade core line of business applications?
119 Please provide a short summary of any relevant projects.
120 Does your force have any in-flight projects (include next 6 months) to upgrade back office applications, e.g. HR, Finance, Legal, Risk?

122 Does your force have any change freezes over the next 12 months?
123 Please provide details (timing, reason etc.).
124 Does your force currently have a structured training programme for your staff?
125 Which of the following methods does your force use to communicate and engage with users as part of business as usual?
126 Which of the following methods does your force use to communicate and engage with users as part of projects?
127 Does your force currently use change champions when introducing new hardware or tools?

Document Management
128 Does your force currently use file shares?
129 How many?
130 Does your force currently use SharePoint?
131 Is it version 2013 or later?
132 Does your force currently use any other tools for document management?
133 Which tool does your force use?
134 How does your force manage access to these shares and tools?
135 What percentage of data stored on corporate devices would be classified as non-business?
136 Does your force have a solution in place for secure file sharing across forces?
138 Does your force use quotas for file shares?
139 Does your force use archiving?
140 Does your force have any individual files that are larger than 10GB?
141 Does your force have any document encryption in place?

General
143 Does your force currently consume any cloud services?
144 What services is your force using, and how long has the force been using the service?
145 What percentage of your force users are office based?

146 What percentage of your force users would be considered flexible (spend at least 40% of time in the office and 40% of time outside the office)?
147 What percentage of your force users would be considered field workers (spend 80%+ of time outside the office)?
148 Does your force believe there will be an increase in demand for agile working over the next 12 months?
149 Does your force currently classify your users into personas, e.g. Connected, Disconnected/Fixed, Flexible, Field?

Equipment
152 What is the estimated consolidated log volume from all devices (events per second (eps))?
153 How many times per day does event load PEAK beyond the sustained average?
154 What is the number of monitored assets considered critical / high-priority for security or compliance reasons?
155 How many Windows Servers (not including servers below) does your force currently use?
156 How many Linux / Unix Servers (not including servers below) does your force currently use?
157 How many Web Servers (IIS, Apache, Tomcat) does your force currently use?
158 How many Email Servers (Exchange, Sendmail, BES, etc.) does your force currently use?
159 How many IM Presence / Skype servers does your force currently use?
160 How many AntiVirus / DLP Servers does your force currently use?
161 How many Mainframe / Midrange systems does your force currently use?
162 How many Database servers (MSSQL, Oracle, Sybase) does your force currently use?
163 How many Windows Desktops does your force currently use?
164 How many Laptops does your force currently use?

165 How many full mobility devices (tablets) does your force currently use?
166 How many full mobility devices (smartphones) does your force currently use?
167 How many vehicle mounted data terminals (Airwave etc.) does your force currently use?
168 How many Network Routers does your force currently use?
169 How many Network Switches does your force currently use?
170 How many Network Flow sources (NetFlow / J-Flow / sFlow) does your force currently use?
171 How many Network Wireless LANs does your force currently use?
172 How many Network Load-Balancers does your force currently use?
173 How many Network Firewalls does your force currently use?
174 How many Network IPS/IDS does your force currently use?
175 How many Network VPN / SSL VPN devices does your force currently use?
176 How many Network AntiSpam devices does your force currently use?
177 How many Network Web Proxies does your force currently use?
178 How many WAN Accelerators does your force currently use?
179 How many VOIP gateways does your force currently use?
180 How many TACACS/RADIUS/Kerberos servers does your force currently use?
181 How many Video conferencing suites (Polycom, Cisco, any IPTV, etc.) does your force currently use?
182 Which SIEM tool does your force use?
184 Which network monitoring tool does your force use?
186 Which endpoint protection/AV tools does your force use?

Infrastructure
188 What percentage of your total IT budget is dedicated to IT security?
189 What is your uncommitted WAN bandwidth?

190 Do you have existing security vendor/third party contracts?
191 Do you have any outsourced ICT services?
193 How many VPN connections are used with two-factor authentication for any remote connections used by third parties?
194 Do you have a backup site in a separate location?
196 Do you have a disaster recovery plan?

Finance
198 How many staff are part of your force, including part-time/job sharing?
199 What is the percentage split between Officers and support functions?
200 Is there an annual hardware refresh cost?
201 How much does your force spend in a typical year purchasing new hardware?
202 What does your force spend on office applications in a typical year?
203 Are your force office applications priced per user or as a lump sum?
204 What proportion of this spend is on cloud based applications?
205 How much does your force spend on physical security for your IT?
206 How much does your force spend on cyber security for your IT?
207 Has your force had any cyber attacks in the last year which have affected this budget?
209 How much in network carrier charges does your force have to pay annually?
210 How much does your force pay annually in relation to data centres?
211 How much does your force spend in total upskilling officers and other staff to use different technologies?
212 Does your force get to re-charge other forces or business units for IT services?
214 Does your force have records of benefits realised from previous IT projects?

APPENDIX 2 DEVELOPED 43 FORCE QUESTIONNAIRE

Police Force:

Category Question Number Question Answer(s)

Training
1 Have employees received adequate training to fulfil their security responsibilities, and is this training documented and monitored?
2 What types of documentation do employees receive about security awareness? Is there a Rules of Behaviour document handed out? Are there mandatory annual refresher courses?
3 What testing do you undertake to validate the effectiveness of awareness campaigns?
4 How do you validate and improve the security skills of key personnel involved in critical areas? Please include:

Equipment
5 What is the total number of log generating devices to be monitored with the solution?
6 What is the estimated consolidated log volume from all devices (events per second (eps) or Gigabytes per day)?

7 If you answered the previous question, how many times per day does event load PEAK beyond the sustained average?
8 Do you plan on pulling logs directly from workstations? If so, what is the reason?
9 What is the number of monitored assets considered critical / high-priority for security or compliance reasons?
10 For the purposes of contextual alerting and reporting intelligence, do you have a named list of all networks in your environment and all assets you plan on monitoring?
11 Do you currently have a log management server(s) deployed providing alerts or reports?
12 Would you like to integrate any of the existing log management solutions with the SIEM environment?
13 Please list or provide examples of the types of alerts you would like to receive from the product and what method of delivery you would prefer (i.e. syslog, SMTP, SMS, SNMP).

14 How many reports would you like the solution to generate on an automated basis?
15 Will reports that are automatically generated be delivered to a number of people via email? If so, please specify the estimated number of users receiving reports.
16 If you are planning on monitoring in-house custom applications, please provide details of what threats or use cases you would like the system to monitor the applications for.
17 How many users do you predict will need access to the system for the various functions such as system administration, content (rules, filters) authoring, incident handling, reporting and compliance auditing?

Personnel
18 Are sensitive functions divided among different individuals?
19 Are distinct systems support functions performed by different individuals?
20 Is there a process for requesting, establishing, issuing, and closing user accounts?
21 Is there a defined process for escalation of processes?

Infrastructure
22 Do you have a backup site in a separate location?
23 Do you have a disaster recovery plan?
24 What network connections are available between the log source collection points and the SOC?
25 What is the available bandwidth?
26 Will new network links be required? These will have to be ordered as soon as they are identified: allow at least 90 days for BT to provision new links, plus the work of integrating into the Log Source DCs.
27 Do you have existing vendor/third party contracts? If yes, please provide a list.
28 Backups log source?

Organisation
29 Who are the key individuals to whom information security responsibilities have been allocated?

30 What information security responsibilities are allocated to your geographical or business area?
31 What metrics and key performance indicators do you report to the global information security function?
32 Do you operate any information security steering groups or forums within your geographical or business area? If yes, how does this forum report to senior management?

Information and Interoperability
33 Provide a list of any bespoke builds: software, hardware and ports which operate on non-standard ports.
34 Is there any legacy software that is in a change freeze due to compatibility (i.e. Windows Server 2003)?
35 Do you have detailed lists of asset inventories? Details could include MAC address, DHCP, name and/or unique identifier, location, asset purpose, classification, owner, status, date last checked, etc.

36 How are asset inventories managed through the asset lifecycle? Please include: patching, testing, roll-out (migration), etc.
37 Do you have an up to date CMDB?
38 Are asset owners' responsibilities defined and documented?
39 Do you have an IT risk register? Who manages this? How often is it refreshed?
40 Please describe your local processes for securely identifying, on-boarding, managing and terminating third party relationships.
41 What security considerations are included within third party contracts? Please include whether contracts are generic or tailored based on risk or classification.
42 How do you ensure that only appropriate third party individuals have access to systems, data and premises?
43 How are third party activities monitored?
44 Identify what devices/networks in the estate are managed by third parties.
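The SIEM sizing questions in both questionnaires (152 and 153 in Appendix 1; 5, 6 and 7 in Appendix 2) ask a force for a sustained log volume in events per second or gigabytes per day and for the number of times per day the load peaks above that sustained average. Forces rarely hold these figures, so the script below, an added illustration that is not part of the dissertation or the questionnaire, shows how to derive them from per-window event counts exported from an existing log collector. It assumes 15-minute sampling windows, a mean event size of 500 bytes and a "peak" defined as any window above 1.5 times the sustained average; the day of counts it uses is constructed, not force data.

```python
"""SIEM sizing helper: sustained EPS, GB/day and peak excursions.

Added illustration, not part of the dissertation or its questionnaires.
Window length, event size and the peak factor are assumptions; the event
counts are constructed and do not describe any real force.
"""

WINDOW_SECONDS = 15 * 60                        # assumed 15-minute windows
WINDOWS_PER_DAY = 24 * 3600 // WINDOW_SECONDS   # 96 windows in a day


def constructed_day():
    """Constructed per-window event counts for one day (not real force data).

    Baseline 400 eps, a logon storm 08:00-09:00, a burst at 12:30 and a
    backup/AV-scan burst 17:30-18:00.
    """
    counts = [400 * WINDOW_SECONDS] * WINDOWS_PER_DAY
    for w in range(32, 36):               # 08:00-09:00
        counts[w] = 1300 * WINDOW_SECONDS
    counts[50] = 800 * WINDOW_SECONDS     # 12:30-12:45
    for w in range(70, 72):               # 17:30-18:00
        counts[w] = 900 * WINDOW_SECONDS
    return counts


def window_eps(counts, window_seconds=WINDOW_SECONDS):
    """Events per second observed in each window."""
    return [c / window_seconds for c in counts]


def sustained_eps(counts, window_seconds=WINDOW_SECONDS):
    """Average EPS over the whole sample: the figure for question 152 / 6."""
    return sum(counts) / (len(counts) * window_seconds)


def peak_eps(counts, window_seconds=WINDOW_SECONDS):
    """Highest EPS in any single window; collectors must be sized for this."""
    return max(counts) / window_seconds


def gigabytes_per_day(eps, avg_event_bytes):
    """Convert an EPS figure to storage ingest in GB/day for a mean event size."""
    return eps * 24 * 3600 * avg_event_bytes / 1e9


def peak_excursions(counts, factor=1.5, window_seconds=WINDOW_SECONDS):
    """Count distinct excursions above factor x sustained average (question 153 / 7).

    Consecutive windows above the threshold are one excursion, so an
    hour-long logon storm counts once rather than four times.
    """
    threshold = factor * sustained_eps(counts, window_seconds)
    excursions = 0
    above = False
    for eps in window_eps(counts, window_seconds):
        if eps > threshold and not above:
            excursions += 1
        above = eps > threshold
    return excursions


def sizing_summary(counts, avg_event_bytes=500, factor=1.5):
    """The figures a force would enter on the questionnaire, as a dict."""
    avg = sustained_eps(counts)
    peak = peak_eps(counts)
    return {
        "sustained_eps": round(avg, 1),
        "peak_eps": peak,
        "peak_to_average": round(peak / avg, 2),
        "gb_per_day": round(gigabytes_per_day(avg, avg_event_bytes), 2),
        "peaks_per_day": peak_excursions(counts, factor),
    }


if __name__ == "__main__":
    for key, value in sizing_summary(constructed_day()).items():
        print(f"{key}: {value}")
```

The peak-to-average ratio is the number to carry into licensing and collector sizing: a SIEM licensed on the sustained average alone will drop or queue events during exactly the logon storms and scan windows in which an attacker's activity is most likely to be buried.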

APPENDIX 3 ETHICS FORM


SCC Postgraduate Ethics Form

1. Basic information

Name of Student: Jason Corbishley Student ID: 31961006

Course: MSc Cyber Security

Name of Supervisor: Bingsheng Zhang

Project Title: Necessary and proportionate Cyber-Risk Management for Policing

Aim(s) of the research project. (3-4 sentences)

The aim is to provide National UK Policing with a Risk management methodology for the management of Cyber Risk and a model to apply this technical architectural design.

2. Proposed research methods and analysis

Provide details about:

- the research design (e.g. questionnaire, interview, observation…),
- the procedure (e.g. what participants will be asked to do)
- the analysis that will be undertaken:

A holistic questionnaire will be used to define the technical readiness of UK police forces ahead of undertaking a technical design for the use of commercial SaaS, in particular O365.

3. Information about Human Participants

If applicable, provide details about:

What type of participants will be used in the study?

Police CIO, Heads of ICT and Director of IT.

What age range is to be used?

Various but all of working age.

What characteristics (if any) are to be used in selecting participants?

There is no selection, however heads of service have the knowledge or capability to provide the required answers.

How many participants will be involved?

43

How will participants be recruited?


Does the research involve deception, trickery or other procedures that may
contravene participants’ informed consent, without timely and appropriate
debriefing, or activities that cause stress, anxiety or involve physical contact?

No

Access to records of personal or other confidential information, including genetic or other biological information, concerning identifiable individuals, without their knowledge or consent?

No

Does the research project & associated experiments potentially risk the physical
safety of yourself or the participants?

No

Does the research involve travel to areas where you might be at risk?

No

4. Information about non-human participants such as animals

If applicable, provide details about:

Does the research involve animals?

No


5. Data handling

Provide details about:

What type of data will be collected?

Data will be collected based on technical maturity including the assessment of data readiness.

How will this be stored?

The data is stored with a classification of Official Sensitive within Cumbria Police
data management systems. The access to the data is limited to myself and
Technical Administrators via a break glass privilege escalation process.

What steps will be taken to ensure the anonymity of the data collected?

Data within the report will be anonymised and will reference a police force by a number.

What steps will be taken to ensure the confidentiality of the data collected?
State how individual identifying information will be removed, where the data will
be stored and who will have access to the data.

Access to the data is limited to myself and stored within a Police Data
management system.


6. Please complete all sections by ringing the appropriate answer.

1. RISKS

Do any aspects of the study pose a possible risk to participants' physical well-being (e.g. use of substances such as alcohol or extreme situations such as sleep deprivation)? N
Are there any aspects of the study that participants might find embarrassing or be emotionally upsetting? N
Are there likely to be culturally sensitive issues (e.g. age, gender, ethnicity etc.)? N
Does the study require access to confidential sources of information (e.g. medical, criminal, educational records etc.)? N
Might conducting the study expose the researcher to any risks (e.g. collecting data in potentially dangerous environments)? N
Does the intended research involve vulnerable groups (e.g. prisoners, children, older or disabled people, victims of crime etc.)? N

2. DISCLOSURE

Does the study involve covert methods? Y N

Does the study involve the use of deception, either in the form of withholding essential information about the study or intentionally misinforming participants about aspects of the study? N

3. DEBRIEFING

Do the planned procedures include an opportunity for participants to ask questions and/or obtain general feedback about the study after they have concluded their part in it? NA

4. INFORMED PARTICIPATION/CONSENT

Will participants in the study be given accessible information outlining: a) the general purpose of the study, b) what participants will be expected to do, c) individuals' right to refuse or withdraw at any time? Y
Will participants have an opportunity to ask questions prior to agreeing to participate? Y


Have appropriate authorities given their permission for participants to be recruited from or data collected on their premises (e.g. shop managers, head teachers, classroom lecturers)? Y

5. ANONYMITY AND CONFIDENTIALITY

Is participation in the study anonymous? N

If anonymity has been promised, do the general procedures ensure that individuals cannot be identified indirectly (e.g. via other information that is taken)? N

Have participants been promised confidentiality? Y

If confidentiality has been promised, do the procedures ensure that the information collected is truly confidential (e.g. that it will not be quoted verbatim)? Y
Will data be stored in a secure place which is inaccessible to people other than the researcher? Y
If participants' identities are being recorded, will the data be coded (to disguise identity) before computer data entry? Y

7. SUMMARY OF ETHICAL CONCERNS

If any of the boxes below require ticks, more detail may be required to get
ethical approval. If none of the boxes require ticks, then it is reasonable to
expect approval.

If you have answered ‘YES’ to any of the questions in Section 1 (risks), please tick
the box

If you have answered ‘YES’ to any of the questions in Section 2 (Disclosure/covert methods), please tick the box

If you have answered ‘NO’ to any of the questions in Section 3 (debriefing), please
tick the box

If you have answered ‘NO’ to any of the questions in Section 4 (consent), please
tick the box


If you have answered ‘NO’ to any of the questions in Section 5 (confidentiality), please tick the box

8. Declaration

I confirm that this is an accurate record of the project to be undertaken.

Student signature Date

_______________________________ _________________

I confirm that I have read this proposal and agree that it is a clear and accurate
assessment of the project to be undertaken. I have emailed a copy of this ethics
form to the teaching office.

Project supervisor Date

___________________________ _________________
