During times of action, when the MOD needs to procure equipment to support military needs in an emergency, a UOR (urgent operational requirements) process is followed. At a later stage, the MOD may decide to incorporate the UOR equipment into mainstream operations. This is particularly relevant for computer systems that require careful integration. Projects managing this transition are known as “UOR to Core”. Such projects often require specific consideration of the security aspects of transition and integration, not least because vulnerable working practices can develop in an operational environment and need to be removed. For this project, the MOD needed security advice and guidance.
Ascentor assigned one of its consultants, qualified as a CESG Certified Professional Security and Information Risk Advisor (CCP SIRA), to support the project for three months. The consultant conducted the following tasks:
- Advised stakeholders on how to approach the project.
- Produced formal security deliverables: the HMG Information Assurance Standard (IS1&2) technical risk assessment; risk treatment plan; risk register and residual risks.
- Developed the accreditation strategy, which was approved by the Defence Assurance and Information Security (DAIS) accreditor.
- Provided advice to the user community to reduce vulnerable working practices.
- Trained the new ‘in house’ Security Assurance Coordinator (SAC).
Ascentor achieved a successful transition for both the accreditor and the incoming SAC.
The accreditor endorsed the deliverables as well as Ascentor’s pragmatic and cost-effective approach. The consultant received direct positive feedback.
The new SAC, who had no previous security training or experience, benefited from the knowledge transfer provided by Ascentor, the established accreditation strategy and mature security documentation. These deliverables enabled the new SAC to build the Risk Management and Accreditation Document Set (RMADS) and ensure the equipment completed its transition to core with pragmatic, appropriate and cost-effective security in line with policy.