This major MOD programme involved development of a complex bespoke system for use in a high-threat environment. The contract had been awarded to a defence prime contractor that did not have an in-house security team. Due to the nature of the system, it was also appropriate for the system security to be managed by an independent party. Ascentor was appointed as supply side security advisors to develop the technical security solution and manage the accreditation activities in accordance with JSP440 (the MOD’s Joint Services Publication covering security).
Ascentor assigned a principal security architect to lead on the technical security solution for the system, and an information assurance (IA) consultant to manage the accreditation aspects and the formal deliverables. Both consultants were CLAS (CESG Listed Advisor Scheme) certified, equivalent to today’s CESG Certified Professional (CCP) scheme.
Over the course of several workshops, the security architect worked with the prime contractor’s design team to develop the security aspects of the technical design.
The IA consultant was responsible for conducting a threat and vulnerability assessment and a technical risk assessment following the HMG Information Assurance Standards 1 and 2 (IS1 & 2) and associated tools. The consultant developed the derived security requirements and security design documentation to inform the Security Aspects of the Design (SAD) document for the Critical Design Review.
In just under four months, Ascentor’s consultants delivered: an IA development plan; the threat and vulnerability assessment; the technical risk assessment; technical security requirements; technical security design; and the Security Aspects of the Design document.
This helped the prime contractor deliver a fully compliant system in accordance with the MOD policy and requirements. The system subsequently achieved full accreditation and Ascentor was asked to support the prime contractor on another project.