Services

Security Services

  • Secure product or system reviews (health-checks to full design)
  • Security risk analysis & assessment (structured)
  • Network (& Internet) security & architecture design or get well analysis
  • Security policy produced in light of legislation, and standards (BS7799 / CESG)
  • Secure product / service agreement specification
  • Business continuity planning
  • Secure operating procedures
  • Product or system security evaluation planning (ITSEC, Common Criteria)
  • Tender evaluation
  • Security implementation strategy
  • PKI design and implementation

Security Evaluations

Depth and breadth

For depth of experience, we have developed software systems that met extremely high reliability needs (Non-Stop and clustered architectures), together with X.400 message handling systems built on kernel software and Transaction Processing middleware for high-performance, scalable systems.

This involved an in-depth understanding of software and systems together with all the networking layers. This has been complemented by n-tier system architecture work to develop security architectures for distributed systems with large user populations. Different topologies have covered centralized networks as well as Extranet and Intranet IP architectures, together with legacy systems and leased lines. PKI security objectives and solutions have been devised for clients who need their own Certification Authority and for others whose needs can be met by linking with third-party CAs.

Business areas

We have covered the following, which involve a variety of risk philosophies:

  • Finance (international)
  • Information providers (international)
  • Media and Telecommunications
  • Government (& Research)
  • Police and Utilities

The scale of organisations covered is also wide ranging through:

  • Tri-national projects
  • 2-man partnerships
  • FTSE100 companies
  • International finance organisations

For larger client organisations the above choices have been synthesized and explained, leading to approval by management committees. This involves deriving security policies, objectives and associated risk assessments appropriate to the business drivers.

Security evaluation

Our staff helped form the first ITSEC-licensed evaluation facility in the UK, which independently evaluates security systems and products against internationally agreed criteria. Furthermore, our principal helped in the DTI working groups that developed the latest Common Criteria standards, as well as the only world-wide standard for security management: BS7799.


Engineering Approach

We stress this approach, as it is the way to ensure that your security management is not driven by the fear, uncertainty and doubt principle. Furthermore, it gives us a goals-based attitude that counters the ostrich principle of risk management.

In common with all security fields, information security is non-intuitive. Simple functional testing is not sufficient, as any security claim implies that we prove a negative (no one can access this data without being on the 'entitled' list). The resolution is to examine the design and to test sufficiently for the level of security assurance needed. This emphasizes the essential need for specialist staff with skills and experience in engineering techniques.

We have already outlined that even the requirements, policy or security objectives phase of any security task is undermined if security engineering experience is not used to think ahead. Unfortunately, these disadvantages may not be realized until later, leading to very high costs in terms of security management, incident handling and ad hoc security measures.

The other benefit of this approach is that the work done is traced and reasoned. This allows it to be transferred into your company and allows for certain changes that you may be able to manage internally.


How Can We Help Your Security?

When you ask who could help, think about what security means to you. The clear definition of your security objectives, in light of your business trust environment, is key. Without this, IT security becomes a minefield of salesmen claiming their product is the wonder palliative to the latest publicised threats.

Many consultancies sell products, with their staff being little more than product installers. Other advisers (often auditors) will happily derive a risk assessment and security policy with no experience of the operational costs or risks of developing the implied security architecture. Often they run through elaborate security risk methods which obscure the reasoning. This also makes the assessment difficult to adapt to changes in the objectives, threats or vulnerabilities.

Thus, reviewing information security, or conducting a reusable risk assessment and devising the security architecture, requires:

  • Operational and technical development experience
  • Security evaluation experience
  • Policy and risk assessment experience in government or commercial fields
  • Unbiased advice

Do I Need Security?

Do you need information security? Well, how strong and appropriate is your current security? Who tells you it is secure, and how do they know? Do you know what security breaches are costing you now? Is it flexible enough that it does not limit the business? Think of information availability:

Appropriate availability (entitlements)

Should all your employees see everything? Is everyone you communicate with entitled to see all the information on your network? Does your business hold personal data? Can your competitors see it? Can you assure appropriate protection to partner organisations?

Correct information available (integrity)

Do clients and business partners rely on that information being correct? Why do they trust your business? If your information is corrupted, will your business notice in time, and can you correct it? How much time and effort will it cost? Will you lose business, pay penalties, and what about your reputation? What other business processes are disrupted? In e-commerce, can you show they really made that electronic order? Is that really the right person or server?

Timely availability (availability)

How much will it cost the business if it's not available for an hour, a day, or a month? What about clients? How patient are they?


News Flash

  • Size Zero IT - Service Release

    Flexible Computing's Latest Innovation on IT Development - Size Zero IT

    We have created a new, unique service to assist any established or start-up company to develop new IT services. We can provide the following services for no start-up costs;

  • 10K Virtuoso's

    Super Powered Hopeful Individual - Individually Capable of Changing the World


    I was asked the other day 'What would you describe as the key aspect of an Enterprise Architect role?' and in a separate conversation 'What did you do before you got into IT?'

    After a little thought and watching an inspiring presentation by Jane McGonigal a 'Super Powered Hopeful Individual' because;
