Evolve’s work for the Crown Prosecution Service (CPS) over the past two and a half years has been divided into a number of assignments with the overarching objective of contributing to a continuous security improvement programme, structured around compliance with ISO27001 (formerly BS7799). Our work has also been set within the context of the emerging requirements for government data handling as defined by the Cabinet Office.
CPS operates a range of systems processing sensitive data and is connected to secure intranet services such as GSI and xGSI. IT support arrangements are outsourced and the internal IT and security function has engaged Evolve to provide validation and assurance regarding the technical security environment.
All of the work undertaken by Evolve for this client has been carried out by CLAS consultants.
Risk Assessment
We designed a risk assessment approach based upon the application of best practice principles to support organisational adoption of ISO27001. At the pilot stage we undertook a range of risk assessments for different systems and business areas in order to prove the concept. Once agreement had been obtained from key stakeholders, over 50 staff were trained in this method in support of the objective of skills transfer and organisational ownership of the process. The method was applicable to both business risk assessments and IT assessments and included the concepts of business impact analysis, threat assessment and vulnerability analysis. ISO27001 compliant risk treatment plans were also produced.
IT Security Policies
A recent assignment has been to assess the CPS security policy set against the requirements of the new Security Policy Framework (SPF). We reviewed all security policies and updated documentation to reflect the changed security operating position following recent guidance on government data handling and also to reflect ISO27001 requirements. This work has extended to a review of technical Security Operating Procedures (SyOps) following an assignment to review the IT network RMADS.
RMADS Review
CPS asked us to provide a CLAS consultant to undertake a review of the IT Network RMADS following its update by an outsourced IT service provider. This RMADS incorporated all documentation to support CPS’s connection to the GSI. Following review of the documentation the consultant made detailed recommendations in relation to those areas that required attention before accreditation could be achieved. Advice was provided in the following areas:
- Aligning the RMADS more closely with ISO27001;
- Presentation of risk assessments and risk treatment plans;
- Design of a contingency arrangement to improve technical resilience;
- Improvements to the anti-virus regime;
- Encryption requirements for remote laptops, including ensuring that CAPS products were being used;
- Verification that the firewall arrangements outlined in the RMADS were consistent with CESG best practice and commensurate with the Conditions of Connection for GSI.
ISO27001 Compliance Reviews
In support of organisational compliance with ISO27001, we are engaged by CPS to undertake three area-based ‘healthchecks’ on an annual basis. These checks review all local policies, procedures and security arrangements with the overarching objective of delivering a consistent, best practice based security regime across the service. All reviews are accompanied by a detailed report and action plans to support better implementation of the standard. We also support the annual review of ISO27001 procedures that are applied across the organisation and have reworked the method to ensure that it incorporates both Data Handling and Security Policy Framework mandatory requirements. By doing this we can avoid duplication of effort on a number of similar initiatives and incorporate all activity under the ISO27001 banner.
Data Handling
We were engaged by CPS to undertake a review of data handling procedures following the Cabinet Office directives coming out of the ‘Hannigan Review’ and other related initiatives. This work was extensive, focussing on a range of corporate data and how it is received, stored and transferred around the organisation and externally. We looked at procedures for removable media, and our work extended right through to data archiving and secure destruction. A detailed report and action plan was produced outlining a range of new procedures to be put in place to ensure compliance with Cabinet Office requirements.
Testimonial
The Crown Prosecution Service is pleased to be able to support the information provided within this case study. We have an exceptionally effective partnership in place with Evolve and we know that we can rely upon them to provide experienced and responsive consultants that precisely match the range of requirements that we have. Their work is of a consistently high standard and our projects have been delivered on time, on budget and to the satisfaction of staff at all levels in the organisation. As well as being highly qualified and technically competent, the Evolve team is also very sensitive to the local needs of staff and the culture of the organisation. Their solutions are always developed in partnership with us and their commitment to skills transfer is apparent in all of the work they do. Another point worthy of note is their value for money – our work with Evolve goes back some years and never once have they increased their rates.