HMG Infosec Standard No.1

HMG Information Assurance Standard No.1, usually abbreviated to IS1, was a security standard applied to government computer systems in the UK.

The standard was used to assess – and suggest responses to – technical risks to the confidentiality, integrity and availability of government information. [1] The modelling technique used in the standard was an adaptation of Domain Based Security. In confidentiality terms, IS1 did not apply to information which was not protectively marked, but it may still have been used to assess risks to the integrity and availability of such information. [2]

The UK Cabinet Office Security Policy Framework requires that all ICT systems that manage government information or that are interconnected to them are assessed to identify technical risks. IS1 was the standard method for doing this and was mandated by previous versions of the Security Policy Framework, but other methods may now be used. [3]

The results of an IS1 assessment, and the responses to risks, were recorded using HMG Information Assurance Standard No.2, usually abbreviated to IS2, which concerned risk management and was relevant to the accreditation of government computer systems. [4]

CESG provided IS1 risk assessment tools. [5]

Example

An HMG IS2 Full Accreditation Statement was posted publicly; it was based on an HMG IS1 ITSHC (IT Security Health Check) by Deloitte and on subsequent remediation by Recipero of the interface between Recipero's NMPR and the UK government's PNC, which are systems used to track mobile devices for law enforcement purposes. [6] A public HMG IS2 Full Accreditation Statement based on an actual ITSHC (by Deloitte in this case) puts the auditor's reputation on the line in a way that a confidential statement does not.


References

  1. "HMG IA Standard No. 1 Technical Risk Assessment Issue 3.51" (PDF). October 2009. Archived from the original (PDF) on 2012-05-26. Retrieved 2014-08-15.
  2. "e-Government Strategy Framework Policy and Guidelines" (PDF). 2009-08-24. Archived from the original (PDF) on 2009-11-11. Retrieved 2010-10-24.
  3. "HMG Security Policy Framework". Cabinet Office. April 2014. Retrieved 2014-08-28.
  4. "IS1 Part 1". Platinum Squared. Archived from the original on 2012-03-14. Retrieved 2011-08-14.
  5. "IS1 Risk Assessment Tools". CESG. July 2010. Archived from the original on 2012-12-23. Retrieved 2011-08-14.
  6. "Accreditation Statement".