Secure Network Design and Assurance

Executive Summary

The National Crime Agency (NCA) and the Regional Organised Crime Units (ROCU) exist to protect the public from the most serious threats by disrupting and bringing to justice those serious and organised criminals who present the highest risk to the UK. Organised crime is one of the gravest threats to UK national security – blighting communities, ruining lives and costing the UK well over £20 billion every year. The work of the NCA and ROCUs spans all elements of organised crime from the sexual exploitation of children to the smuggling of illegal firearms, cybercrime, human trafficking and modern slavery.

In order to deliver this service, the ROCUs are heavily reliant on the safe and secure use of supporting computer systems. As part of this service delivery, one of the ROCUs had a requirement for a new highly secure system. C3IA Solutions took on the challenge to provide an architectural design for a dedicated highly secure system and carry out a cyber security risk assessment. C3IA Solutions delivered the work on time and on budget, and exceeded the client’s expectations in all areas.

Challenges and Goals

Due to changes in the UK government approach to risk management and system design in response to the growing cyber threat, the ROCU lacked a design pattern for a highly secure system. This meant that the client was unable, through mandated security controls or policy documentation, to define what “good” looked like in this case. From a governance perspective, this was further impacted by the change in the Home Office approach to risk management. In addition, the introduction of the National Police Information Risk Management Team provided a level of uncertainty in terms of revised assurance strategy and approach.

Our Approach

These changes and challenges resulted in C3IA Solutions taking a new bottom-up, requirements-driven approach to system design, documentation, service engagement and formal governance activity. Experienced C3IA consultants were able to draw on existing knowledge and relationships within the Home Office in order to understand the wider governance and assurance requirements.

C3IA Solutions engaged directly with the ROCU client and, through a structured approach, was able to identify and define the threat landscape, the information to be protected, the information sources and the system user access control requirements. Further work defined system audits, event management, data accumulation and aggregation, and client information exchange needs. As cyber security ultimately resides in the real world, there was also a need to understand and assess physical security issues and concerns such as access controls, CCTV requirements, hardware disposal and cabling infrastructure.

Once this information had been defined, the C3IA Solutions consultants could outline and document a high-level design for the new secure system, from end user device, through the networking environment, to the back-end supporting server infrastructure. This technical design documentation also included the necessary supporting people, process and physical security control elements to ensure that a holistic approach to security could be delivered.

Using the established client-supplied risk management process, it was then possible for C3IA Solutions to carry out a thorough risk assessment against the high-level design of the secure system. This work was also carried out with reference to both the Home Office and National Police Information Risk Management Team governance and assurance requirements.

Results and Benefits

Based on the high-level design and associated risk assessment, the new secure system was approved in terms of the strict governance and assurance regime. The ROCU was then able to instruct the internal IT service provider to build the new secure system in line with the design documentation and specifications provided by C3IA Solutions. The IT service provider encountered no major problems with the system build, configuration or roll-out, and was able to fully deploy the secure system as per the design documentation provided. Once built, the new secure system was subject to independent Penetration Testing that revealed no critical or significant findings. Based on this, the system went live and as such the ROCU is actively using the secure system in its continued battle to protect the UK public from the most serious threats posed by organised crime.

“This was an interesting piece of work for me, and it was great to be able to bring our knowledge of the current government risk management approach to bear in helping this ROCU.  Next time I see on the news that the Police in that region have broken up an organised crime gang I will know that they used the IT system we designed”

C3IA Solutions Ltd – Lead CCP Consultant

“After consulting with the unit’s management a proposal document was prepared which was concise and informative. The proposal provided the ROCU with flexibility to mitigate and accept risk. Although pricing was competitive C3IA were engaged by the ROCU on the quality of this proposal.
On engagement a cyber-security consultant and engineer visited the site. The staff were very professional and experienced in their field. Over the next week the consultant liaised with our information security officer and Home Office to agree a process for accreditation. Within a week the unit were provided with design and information risk assessment reports which was followed up by an extremely useful report on how existing infrastructure could be mitigated against risk.
I would not hesitate to engage C3IA again”

ROCU – Intelligence Manager