The agency is part of a major Whitehall department that works to prevent loss of life and improve safety in its area of responsibility.
Client Requirement and Business Drivers
As a consequence of the Gershon review findings, the Whitehall department implemented a Shared Services Centre in order to reduce operational costs across the department and its agencies.
To derive these planned benefits from the Shared Services Centre, the agency needed to be able to connect to it. This required the agency to become Accredited, demonstrating appropriate information security management, in order to facilitate this connection.
The client therefore decided that it was essential to engage an independent, expert CLAS consultancy provider to analyse the requirements for attaining accreditation and assist in delivering them. The business drivers for this engagement can be summarised as follows:
- Cost reduction targets as part of the Whitehall-wide shared services initiative
- Secondary benefits for the agency in managing its operational risk by improving its information security to recognised government accreditation standards
- The client recognised the potentially disastrous impact on operations that could arise from any security related incident
Recognising the importance of the right specialist expertise, together with the need for objectivity and independence, the client engaged Commissum to meet the strategic, business and technical security-related objectives of the project within tight timescales set by the business.
The assignment delivered services in the following areas:
Commissum thoroughly reviewed the existing draft Risk Management and Accreditation Document Set.
Interviews were conducted with business sponsors and key IT staff to establish objectives, both explicit and underlying, of the Accreditation requirements.
An initial gap analysis was conducted to assess what was required to attain Accreditation, and consultancy was provided to assist the Agency in turning this into an implementation plan.
Advice on Implementation and Management of Controls
Commissum provided business and technical CLAS consultancy to review the controls already in place and to advise on and implement required controls that were deficient or missing.
Areas covered included: physical security requirements, personnel security requirements, protective monitoring, security operational procedures advice, ISMS implementation, third-party access management and controls, RMADS risk assessments and documentation.
The agency continues to successfully move forward with its accreditation targets.