How to rise to the new challenges facing SACs
Heightened cyber risk and smaller budgets mean that Government security requirements have to be more focused – and that means that the important role of the Security Assurance Coordinator (SAC) for MoD projects is changing too.
The role of the SAC is vital to the success of any MoD project seeking formal security accreditation. Now that all spend has to be thoroughly justified, the onus is on the SAC to make the case for potentially expensive security controls.
It’s not just about boring paperwork or simply dealing with the Accreditor anymore. The SAC has to be an integral member of any project team, leading the development of cost-effective and pragmatic security solutions that balance project requirements with the underlying risks.
The role can be complex, but by working as part of the team, you can add real value to any project, helping ensure it’s delivered on time and to cost and quality metrics.
Here at Ascentor, we have years of hands-on experience performing the duties of a Security Assurance Coordinator role on MoD projects. Here are some important things we’ve learned along the way. I hope these tips will be useful for SACs who want to carry out this difficult role successfully.
Tip 1: Be a team
As the SAC, you are a member of a team that is pulling together to achieve the same goal; a facilitator that brings the right skills to the table. You don’t have to be a gifted technical security architect but you do need to know where to get hold of an expert when required. Equally, you may be very technically capable but may not have experience putting together complex accreditation strategies. So don’t be afraid to seek advice.
Tip 2: Understand the requirement
Your role is to understand what needs to be protected and why. Instead of diving straight into a technical risk assessment, work to understand where the requirement came from, how it is intended to be used and who will be involved.
One of the most important aspects is getting to know who owns the information that needs protecting and why it is being given a particular value. Often, the value of an asset is grossly over or under-assessed. Never forget the three security pillars: confidentiality, integrity and availability.
Tip 3: Establish the stakeholders
As the SAC, be clear about who you need to coordinate with. As well as the information owner(s), you’ll need to work with the following stakeholders:
- The Accreditor: The relationship between the SAC and the Accreditor is key to the success of any security activity. Close cooperation allows you to move forward knowing that your plans won’t be scuppered by the Accreditor at a later date.
- Project Managers (PMs) or Work Package Managers (WPMs): Not everyone you work with will fully understand the security requirements. They may be part of an MoD Delivery Team or appointed by the supplier. In addition, the PMs or WPMs may be tasked directly by the SAC to deliver a piece of security work. Your job is to engage with all project managers to ensure security activities are identified and delivered.
- Data Owners, Information Asset Owners (IAO) or Information Risk Owners (IRO): As crucial information is increasingly shared, you may have to talk to several people about information security. In addition, they may have different risk appetites or have a requirement for higher levels of assurance.
- Supplier security personnel or technical staff: As the SAC, you must understand the constraints under which supplier personnel are operating. Some SACs take an ivory tower approach and fail to realise that security controls cannot be implemented without having significant business consequences. The sooner you engage with your suppliers, the better the overall outcome will be.
Tip 4: Establish lines of communication
Establish lines of communication right from the start. Establish a Security Working Group (SWG) and agree Terms of Reference (ToRs). The SWG provides security governance and the Accreditor will be an essential attendee. Any lack of attendance will undermine the authority of the SWG.
Tip 5: Have an escalation path
The Terms of Reference should determine the escalation path. However, experience shows us that it is often only a paper exercise until a critical issue arises. Make sure the ToRs are robust so that any issues that may impact the overall security of the project can be escalated with minimal disruption.
Tip 6: Record all decisions
Decisions made at the SWG must be recorded and distributed. Any decisions made outside of the SWG should be raised at the SWG. As SAC, make sure you can track decisions so that you can say when and why a particular decision was made and who made it. During the lifecycle of a major project, the same questions will keep coming up – your role is to avoid conflict or pointless effort.
Tip 7: Keep planning
All project managers love a good plan. As the SAC, you are effectively the project manager for security-related activities. Key planning requirements are:
- Accreditation Plan: The Accreditation Plan should provide the detailed breakdown of what security activities are to take place, over what time frame, to what standard and by whom.
- Assurance Planning: The requirement for assurance planning is worth a special mention. The specialist resources needed to conduct IT Health Checks (ITHC), Vulnerability Assessments, CESG Tailored Assurance Service (CTAS) tests and others must be identified in your formal security activity planning.
- Alignment: A key part of your role as SAC is to ensure that security plans align with the wider project plans and don’t conflict with overall objectives. Trying to shoehorn security controls into designs at the end rather than building them in from the start often increases costs and adds a time delay.
There’s no doubt that taking on the role of SAC can be complex, time-consuming and stressful. However, with planning, preparation and a determination to get involved, the role of SAC can be very rewarding and will add real benefit to any project.
I really hope these ideas help. Do let me know, and call if you need any further assistance – we’re always happy to help.