“The work Peter undertook on the risk assessment, preparation of the RMADS and production of the residual risk register was of an extremely high standard. He had a very good knowledge of both the HMG standards and the business drivers for the [XXX] solution. He worked to very tight timescales to ensure risk mitigation measures could be put in place to allow an interim accreditation of [XXX] to meet timescales which could not be moved for political reasons. His work ensured that the accreditation decision could be made with a full understanding of the remaining risks being carried by the programme. I would have no hesitation in recommending Peter for work on any Government IT program requiring accreditation. He was knowledgeable on all aspects of Information Assurance.”
I have been working in the Information Security industry for well over a decade, and in that time have been involved in some interesting projects, taking responsibility for a wide variety of security-related tasks for organisations of all sizes and kinds.
I have been commended for my work at the highest levels, as evidenced by the feedback (above) from a Pan Government Accreditor, the highest accreditation authority in the UK (some project names have been substituted with [XXX]):
There follow some examples of work I’ve undertaken, and where relevant feedback from the customers involved. If you are considering using my services, and wish to speak directly to anyone that can recommend me, do please drop me a line.
Secure Development Environment
A software development house had been awarded a contract to develop secure online applications for a Criminal Justice organisation. Having been issued with the Security Aspects Letter (SAL), a contractual statement of the sensitivity of information involved in a Government contract, it became clear that certain aspects of the development would require a secure facility to be built within the developer’s commercial premises.
I was responsible for ensuring this environment was built and operated in accordance with HMG Policy relating to sensitive material, which included:
- Supervising the physical construction of the development environment, including access controls and monitoring systems;
- Ensuring physical and technical separation of development facilities, and secure import/export mechanisms as required;
- Defining, writing and agreeing with the customer the applicable physical, procedural, personnel and technical policies applicable to the environment; and
- Production of accreditation evidence relating to technical infrastructure housed within the environment.
Once the environment was in operation, I additionally took on the role of Local Site Security Officer (LSSO), responsible for access control, monitoring, audit and accountability, while a permanent member of staff was trained in order to take over this responsibility.
The Chief Technical Officer of the development house later wrote:
“Peter is a member of a very small and elite group of information assurance professionals who understand policy, technology and people in the context of pragmatism, proportionality and price. If you want someone to get to the core of your IA activities, and to help either improve them or understand and resolve your issues, he’s the man.”
HMG Accreditor Advice/Support
As a CLAS Consultant, my skills and knowledge greatly overlap those of an HMG Accreditor – indeed, under the upcoming IA Professionalisation initiative, all CLAS consultants will be able to demonstrate their skills under the same framework as Accreditors. For this reason, and as recommended by CESG, CLAS consultants are frequently used as advisers to an Accreditor, accreditation team or Senior Information Risk Owner (SIRO), whether to increase capacity or to offer specialist advice across the whole gamut of Information Security.
I have worked in precisely this capacity for many HMG organisations, and also for suppliers that need advice on how an Accreditor (their customer) might respond to their work and submissions. As an adviser acting on behalf of an Accreditor, advising an Accreditor or advising on the accreditation process, my work can take a number of forms:
- Advice on Impact Assessment and Protective Markings;
- Advice on Threat Assessment (Threat Sources and Threat Actors);
- Technical advice on Security Architecture, countermeasures and controls;
- Advice on physical security;
- Advice on implementation of Baseline Countermeasures;
- Interpretation and guidance on CESG Good Practice Guides;
- Advice on compliance with HMG Policy, legislation and regulatory frameworks;
- Advice on personnel vetting and Security Operating Procedures (SyOPs).
This list is by no means exhaustive, so if you have any questions about the aspects of Information Security on which I can advise, feel free to contact me and ask!
Accreditors and SIROs I have advised and supported in the past have had the following to say about my input:
“Peter has a wealth of technical knowledge which he applies to great effect. His input on both complex legacy systems and a strategic new build has been invaluable. He has been able to talk with authority to the suppliers and they have welcomed his expert advice and guidance. In working with the supplier he has guided them in risk workshops, assisted them in planning and applying mitigations and reviewed and developed their RMADS with them. He has worked closely with the project, information assurance and accreditation teams delivering accreditable systems in challenging circumstances and against hard deadlines. In fulfilling all of these roles he has been critical to the success of key programmes and his contribution has been formally acknowledged by our Chief Executive and our SIRO.”
“Peter is a highly valued member of the Accreditation process within IPS projects. He works in a meticulous and methodical manner. His in-depth understanding of HMG IA policy and guidance makes him a valued and professional example of how a CLAS resource should operate. He has provided input to a number of high-profile projects while being employed with IPS, and has continually picked out potential issues emanating from a supplier prior to reaching the Accreditor.”
“Peter has very strong technical skills which were of great value, especially in designing a compliant Manual V IPSec solution and researching viable options for xGSi connectivity for [XXX] which has a very large user requirement for GSi connectivity but also a small, but important requirement for xGSi connectivity.”
“Peter’s work has always been of a very high, timely and professional standard. His communication skills are exceptional, and he has shown himself to perform equally well as a team player or independently. Feedback about him from Central Government has always been exemplary. I would recommend Peter as a valuable asset to any project, and would use his services again without question.”
GSi Connection and Application Hosting
One of the original roles for a CLAS consultant, which continues to be important across Government (and will remain so during and after the transition to the PSN), is advising organisations on compliance with the Government Secure Intranet (GSi) Code of Connection (CoCo). I have assisted multiple organisations of all sizes in connecting to the GSi and demonstrating compliance with the CoCo, and have also helped commercial organisations connect to (and host applications on) the Government Secure Extranet (GSE).
Some examples of tasks I have undertaken in this area include:
- Technical architecture and design of systems needing to comply;
- Formal accreditation of connected systems;
- Innovation in demonstrating appropriate Risk Management for atypical systems (e.g. application hosting on the GSE);
- Direct liaison with Cable & Wireless, OGC/buying.solutions and CESG in demonstrating compliance; and
- Ongoing review and renewal of connection (annually).
The Head of Information Assurance at one GSi-connected Department had the following to say about my work:
“Peter is one of the most technically knowledgeable people in his subject matter and has, on every occasion I have asked, provided a cost-effective and risk-balanced solution to the problem raised. He provides a depth of knowledge and experience that allows clients to make a sensible risk decision. He has the ability to rationally discuss the whole subject, from detailed technical security implementation matters to the intricacies of pragmatic policy implementation.”
Defence Telecommunications Accreditation
I have worked on the accreditation of telecommunications and other systems in the Defence arena, at all levels of classification. Due to the nature of the work involved, I am not able to publish feedback and testimonials relating to this work, but my input has been well-received and I have successfully achieved accreditation for a variety of systems in this area.
Technical Security Testing
As detailed on my Network Security page (and related ones), for many years I have undertaken technical security testing of a wide variety of types (and classifications) of systems and networks, in the UK and abroad. The tasks involved vary depending on the nature of the system under test, but have included:
- Network scanning – enumeration and identification of available services and devices;
- Vulnerability analysis – identifying any vulnerable services exposed, and assessing the level of risk those vulnerabilities pose;
- Wireless scanning, including WiFi (802.11), Bluetooth and even GSM/GPRS/3G;
- Application security testing, whether Web-based or more ‘traditional’ (e.g. client-server);
- Intrusion detection, based on traffic analysis; and
- Compliance analysis (where policy dictates the nature of services permitted on a network, and/or their configuration).
Please also see my Information Assurance client feedback page, which collects all the testimonials separately.
If I have worked with you in the past, your testimonial would be very welcome! Please send your feedback to me via my contact form and I will respond to acknowledge receipt. Many thanks indeed.