Supplier Information Assurance Assessment Framework and Guidance UNCLASSIFIED





January 2011 Issue No: 1.0 Supplier Information Assurance Assessment Framework and Guidance UNCLASSIFIED

The copyright of this document is reserved and vested in the Crown.

Purpose & Intended Readership

This document provides guidance on how the Supplier Information Assurance Tool (SIAT) question sets and tool specification can be used by suppliers of key business services to HMG. The aim of the tool is to provide assurance that HMG's requirements for effective information risk management are managed by ICT suppliers and within their own supply chains.

The SIAT process embodied in this document will be of interest to those in HMG charged with managing information risk where that information is held or processed at arm's length, and to those in industry who supply information-related services to HMG. It is relevant to both prime industry suppliers and their sub-contractors.

Executive Summary

The joint HMG/industry Information Security and Assurance Board was formed to develop, in a collaborative way, a method for extending Information Risk Management (IRM) activities, as they relate to HMG information and particularly personal information, into the HMG industry supply chain. HMG Departments routinely provide IRM reports to the CO which include an assessment of IRM capabilities in their industry supply chains. The SIAT approach provides a common and agreed process for industry IRM reporting to HMG.

This document introduces the SIAT process and provides guidance on how to use the question sets that underpin an IRM assessment. It also provides the necessary detail to inform the building of software tools to automate the assessment and reporting process.

A key point that is highlighted is the need for engagement and collaboration between HMG and industry suppliers in order to achieve a beneficial outcome for both. In many cases there will be a number of prime industry suppliers to an HMG organisation, and in turn a number of sub-contractors to a prime supplier. Since it may well be impractical to conduct assessments for all of these entities, there is guidance here to help in the selection of those to be included in an assessment.

Answers to questions result in a score being awarded, and these scores and their associated weightings are explained, together with a methodology for aggregating results into a consolidated assessment score. Finally there is a detailed Requirements Specification setting out guidance for potential software developers against which they can build automated software tools to conduct assessments.


Contents:

Chapter 1 - SIAT Assessment Framework ... 5
  What is this Assessment for? ... 5
  How do I use it? ... 5
  Background ... 5
  Context ... 6
  Collaborative Assessment Process ... 7
  Supplier Screening ... 8
  Question Sets ... 9
  Scoring and Weightings ... 9
  Aggregation of Data ... 10
  Automating the Process ... 11
Appendix A - SIAT Basic Question Set ... 13
Appendix B - SIAT Follow on Questions ... 31
Appendix C - SIAT Question Map ... 45
Appendix D - SIAT Tool Requirements Specification for IAAB Intellect Group ... 47
  Introduction ... 47
    Purpose ... 47
    Document Conventions ... 47
    Intended Audience and Reading Suggestions ... 47
    Project Scope ... 47
  Overall Description ... 48
    Product Perspective ... 48
    Product Features ... 48
    User Classes and Characteristics ... 49
    Operating Environment ... 49
    Design and Implementation Constraints ... 49
    User Documentation ... 49
    Assumptions and Dependencies ... 50
  System Features ... 50
    Capture ... 50
    Rules ... 51
    Output ... 51
  External Interface Requirements ... 51
    User Interfaces ... 51
    Hardware Interfaces ... 53
  Other Non-functional Requirements ... 53
    Safety Requirements ... 53
    Security Requirements ... 53
    Software Quality Attributes ... 53
    Data Requirements ... 53
    Process Requirements ... 54
    Other Requirements ... 54
  XML Schema ... 55
  Sample from the corresponding spreadsheet ... 58
Appendix E - Criteria for selecting supply chain partners for self-assessment ... 59
Appendix F - Example of Aggregating Results ... 61
References ... 63
Further Reading ... 63
Glossary ... 65
Customer Feedback ... 67


Chapter 1 - SIAT Assessment Framework

Key Principles

- The SIAT Assessment Framework enables Government Departments and Prime Contractors to assess the IA of their supply chains by a process of self-assessment.
- It is important to adopt a collaborative approach between Government and industry in assessing and making improvements in the supply chain IA regime.
- Basic and Follow-on Question Sets are provided to facilitate progressive disclosure so that the burden of completing an assessment is minimised.
- Guidance is provided on how to select sub-contractors for assessment and on how to aggregate the results.
- A specification for a tool to automate the assessment process is provided.

What is this Assessment for?

1. This assessment has been designed to enable Government Departments to gain a level of assurance from their major ICT suppliers with regard to securing information and, particularly, personal data. However, suppliers are still expected to meet their responsibilities as defined by the DHR and the Data Protection Act (ref [a]) in addition to this assessment. The assessment will highlight areas of concern within the supply chain and where work needs to be done to address gaps in security. It will also ensure that a comprehensive dialogue is created and maintained between the Government Department and its supply chain.

How do I use it?

2. Detailed guidance on how to answer the questions in the assessment framework is embedded within the question sets. The assessment process has been designed along a progressive disclosure model. This allows supplier organisations to answer as much or as little of the question set as is required. For example, a major Government supplier which has a contractual obligation to handle sensitive personal data will be required to complete the full assessment. Those suppliers with little or no interaction with sensitive personal data will not be required to complete the entire assessment.

Background

3. Following a number of high profile data loss incidents, industry and Government recognised the need to work together to embed data handling best practice throughout Government and its private sector ICT delivery partners and to ensure consistency of its application. The Information Security & Assurance Board (IS&A Board) was established in May 2009 with scope and objectives as follows:

- Develop and maintain a constructive dialogue between Government and its private sector ICT delivery partners to establish a common understanding of Government requirements and industry priorities. The Board recognises that information security issues affect all areas of the public sector, thus any outputs that the Board produces should be provided as useful reference for local government colleagues.
- Ensure that information risk is understood and mitigated whilst maintaining efficiency and meeting government requirements such as shared services and innovation.
- Educate the stakeholder community about their ongoing obligations under the Data Handling Report requirements published in June 2008.
- Contribute collaborative working case studies to the development of the first annual report to Parliament on information risk.
- Establish an agreed media approach for promulgating information regarding progress and key milestones agreed by the Board.
- Ensure that the mandatory data handling clauses published by OGC do not unnecessarily burden ICT suppliers and government departments.
- Identify barriers and accelerators for secure data handling across government and its private sector ICT delivery partners.

4. The IS&A Board is delivering against these objectives principally through its Supply Chain IA Tools (SIAT) and Culture, Education & Training (CET) work streams.

Context

5. Government Departments and related organisations are required by the Cabinet Office (CO) to conduct an annual review of their security and information risk management processes. Standards such as the Security Policy Framework (SPF) mandate that Departments assess how well these risks are being managed all the way down the delivery chain as part of this process. Widespread outsourcing of Government services means that suppliers play a key role in the delivery chain, so Departments will look to suppliers to provide them with assurance regarding the measures they are taking to protect the confidentiality, availability and integrity of the information they are handling.

6. No single method of carrying out an IA assessment is mandated, but an adequate level of due diligence is required. The SIAT Framework outlined in this document satisfies this due diligence requirement. The Framework consists of the following:

- SIAT Basic Question Set
- Follow-on Question Set
- Mapping Details
- Tool Specification

7. Those suppliers who plan to use the SIAT Framework for the assessment of information risk for their organisations and their own supply chain for the 2010/11 reporting round are recommended to follow the guidance provided in this document. It is also strongly recommended that the process be undertaken as a collaborative exercise between ICT Suppliers and Departments. It is important to note that the SIAT Assessment is not intended to be used as a method of judging a supplier's capability to deliver a new product or service, nor to provide an assessment of a company's IA capability, but to assess the IA regime that has been put in place in the delivery of an existing, contracted service.

8. The SIAT process is a self-assessment process. While there are no mandated criteria against which a supplier assessment should be made, the SIAT question sets are based on supplier-relevant measures in the Data Handling Review (DHR) (ref [b]) and the Information Security Assurance requirements of the HMG Security Policy Framework (SPF) (ref [c]), as they are embodied in the HMG IA Maturity Model (IAMM) (ref [d]), which is also aligned with ISO/IEC 27001:2005 (ref [e]). The methodology is closely based on the Home Office's HADRIAN approach so that the level of assessment correlates with the level of risk. As an example, a List X supplier routinely handling hundreds of thousands of highly confidential records will be required to complete the full assessment, whereas a supplier who provides a service transporting boxes of unclassified information using a track and trace system will complete a limited assessment.

9. Suppliers who are members of Intellect's Public Sector Council (PSC) and Strategic Supplier Board (SSB) have been encouraged to utilise the SIAT Assessment model to profile those of their suppliers involved in the wider HMG supply chain. So in complex supply chains consisting of multiple suppliers the prime contractor should aggregate all the SIAT returns and integrate them into their own return to their government customers. Thus a three-tier IA approach is achieved in the Government's supply chain, i.e. the Government organisation, its prime contractor and their third party suppliers or sub-contractors.

Collaborative Assessment Process

10. It is intended that the SIAT Framework should be used as part of a collaborative assessment process. A point of contact should be nominated by the Department from whom the prime contractor can seek advice and assistance in preparing for and in carrying out the assessment. Similarly the prime contractor should identify an individual as a point of contact for the Department.

11. Both the Department and the prime contractor should discuss and agree the approach to be adopted for the assessment. The SIAT process is primarily a self-assessment process, but Departments may choose to offer to their suppliers the services of members of staff who have previous experience in carrying out IAMM Self Assessments and/or who attended one of the Supported Self Assessment training days run by CESG during the winters of 2009 and 2010. Alternatively, Departments may wish to perform additional due diligence measures as agreed with their prime contractors.

12. It is important for the Department and the supplier to agree a means by which feedback can be received from the Department on assessment responses and on any outcomes for the Department from the overall assessment provided to the Cabinet Office. It is also beneficial for a member of the Department's commercial unit to have some involvement in the process, as they may become involved with assessing the impact of implementing any mitigating measures identified in the assessment. Ongoing annual assurance is important, and some consideration of how assessments and any resulting action plans could be taken forward for the next round of review should be allowed for.

Supplier Screening

13. Departments may have many prime contractors providing them with products or key services. Departments should first assess the level of risk carried by each service, and the appropriate level of risk appetite, in order to determine which of their processes they should consider including in the scope of their risk assessment process.

14. A prime contractor may also have many sub-contractors who play a key role in delivering a service. Therefore, it is important that the supplier conducts a triage assessment of its supply chain and associated risk appetites, deciding which sub-contractors need to be assessed in order to provide a comprehensive overview of IA maturity within their supply chain. This will lessen the burden of collating and aggregating assessment results in order to report upwards to the Department concerned. Appendix E provides some guidance on how to determine which sub-contractors might be included as part of a Prime Contractor's assessment process.

15. Complex reviews may need to be broken into phases, and any such phasing should be agreed with the Department as part of a longer-term supplier assurance strategy. Any suppliers not included in one year's review may be the focus of a subsequent year's assessment activity.

Question Sets

16. The assessment questions are divided into two sets. The first set, referred to as the Basic Question Set, is at Appendix A. The navigation from question to question is included alongside the questions, but this is also provided in a separate navigation map at Appendix C. Only when an answer to a question in the Basic Question Set is considered unsatisfactory is reference made to the second set of questions, which are referred to as the Follow-on Questions. These questions are at Appendix B and are designed to elicit additional information to provide evidence as to the nature of the IA regime which is in place, so that a judgement can be made as to what remedial action may be required. Although the questions can be used in the form they are presented in the Appendixes, the intention is that they should be incorporated into an automated Tool following the specification at Appendix D.

Scoring and Weightings

17. Answers to the majority of the Basic Questions attract a score, with those assessed to be of greater importance to the delivery of effective information risk management delivering a higher score. In addition, certain answers also attract a Red Flag, which is designed to alert the recipient of the questionnaire that there is an issue of importance that needs follow-up. When the questions are embodied within an automated tool, in addition to collating the individual answers to the questions, the Tool is designed to provide summary scores and Red Flag details for each section, as well as for the entire set of questions. The maximum scores and the numbers of red flags per section are shown in the table below:

Section                          Max Score   Red Flags
Initial Questions                    15          4
General IRM Questions                 7          1
Personal Information Questions       16          4
Policy Questions                     24          5
Training Questions                   14          0
Risk & Accreditation Questions       20          2
IRM                                  28          3
Compliance                           21          0
Totals                              145         19

Aggregation of Data

18. Even after applying the triage process at Appendix E, most prime contractors will have a significant number of responses from their sub-contractors which will need aggregating with their own internal response in order to provide a collated response to the contracting Government Department. The nature of the responses, together with the relative impact of each aspect of the supply chain on the overall information risk management of any service, is such that a straight arithmetical approach to aggregation would not be representative of the true information risk.

19. It is recommended that the results from each supplier are plotted on a chart similar to the one below. Clearly, where red flags are raised, suppliers will wish to follow up the responses with some supplementary investigation to verify what remedial actions are intended and their schedule. But by using the chart one is also able to see where the reported scores per section are either dramatically too high or too low when compared with other suppliers, and hence again where further investigation may be necessary. All instances of failure to elicit a return from a sub-contractor are to be recorded and commented upon.

Supplier Scoring Grid (score and red flag cells are left blank for completion; each supplier column and the aggregated column hold a Score and a Red Flags entry)

Section   Max Score   Red Flags   Prime Contractor   Sub Contractor A   Sub Contractor B   Aggregated Score for Service Delivered   Comments
                                  Score / Red Flags  Score / Red Flags  Score / Red Flags  Score / Red Flags
IQ        15          4
GIRM      7           1
PIQ       16          4
PQ        24          5
TQ        14          0
RAQ       20          2
IRM       28          3
C         21          0
Totals    145         19

20. When aggregating the scores, all unresolved Red Flags from anywhere within the supply chain must be reported to the Department. It is then recommended that the prime and sub-contractor scores from each section of the SIAT are compared and, where there are no marked differences in the scores (within 20%), an arithmetic mean is used as the representative score. However, where there are highly divergent scores, whether too large or too small, an assessment needs to be made as to the relative importance (applying the triage criteria) of the particular sub-contractor in the delivery of the service. Based on this assessment a decision should then be made as to the weight that should be given to their score vis-à-vis the other scores in determining the representative score, along with supporting logic where applicable. Appendix F gives an example of how this might be done in practice.

Automating the Process

21. The question set may be incorporated into a software tool that will provide many features, including the ability to automate the assessment. A software tooling specification which outlines the criteria any software mechanism should include is at Appendix D.

22. Departments and prime contractors are not required to use any specific package; however, to ensure the integrity of responses, the selection of a toolset should adhere to the specification at Appendix D. Equally, Departments that require additional assurance may wish to propose a tool that has achieved appropriate accreditations.
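The aggregation rule in paragraph 20 (carry every unresolved Red Flag through, average scores that are within 20% of each other, weight divergent scores by the sub-contractor's triage importance) is the part of the process an automated tool has to get right, so here is an added example implementing it in Python. This is example code written for this page, not the SIAT tool and not the Appendix F worked example. Two assumptions are this example's own: "within 20%" is read as (highest score - lowest score) / highest score <= 0.20, and each supplier's triage importance is expressed as a numeric weight with the prime contractor at 1.0. The section maxima come from the table in paragraph 17; the supplier returns are constructed sample data.

```python
"""Aggregate SIAT section scores from a prime contractor and its sub-contractors
into one representative score per section, following paragraph 20 of the
guidance. Example code added to this page; not the SIAT tool.

Assumptions of this example (not stated in the guidance):
  * "within 20%" means (highest - lowest) / highest <= 0.20
  * triage importance is a numeric weight per supplier, prime contractor = 1.0
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Tuple

# Section abbreviation -> (maximum score, maximum red flags), from the
# table in paragraph 17. Totals: 145 points and 19 red flags.
SECTION_MAX: Dict[str, Tuple[int, int]] = {
    "IQ": (15, 4), "GIRM": (7, 1), "PIQ": (16, 4), "PQ": (24, 5),
    "TQ": (14, 0), "RAQ": (20, 2), "IRM": (28, 3), "C": (21, 0),
}


@dataclass
class SupplierReturn:
    name: str
    scores: Dict[str, int]                                   # section -> score achieved
    red_flags: Dict[str, int] = field(default_factory=dict)  # section -> unresolved Red Flags
    weight: float = 1.0                                      # assumed triage weight


@dataclass
class AggregatedSection:
    score: float
    red_flags: int
    method: str       # "mean" (scores within tolerance) or "weighted" (divergent)
    comment: str      # supporting logic for the Comments column of the grid


def validate(ret: SupplierReturn) -> None:
    """Reject a return whose section totals exceed the maxima in the table."""
    for section, (max_score, max_flags) in SECTION_MAX.items():
        s, f = ret.scores.get(section, 0), ret.red_flags.get(section, 0)
        if not 0 <= s <= max_score:
            raise ValueError(f"{ret.name}: {section} score {s} outside 0..{max_score}")
        if not 0 <= f <= max_flags:
            raise ValueError(f"{ret.name}: {section} red flags {f} outside 0..{max_flags}")


def within_tolerance(values: List[int], tolerance: float = 0.20) -> bool:
    """True when the spread between highest and lowest is at most `tolerance` of the highest."""
    hi, lo = max(values), min(values)
    return hi == 0 or (hi - lo) / hi <= tolerance


def aggregate_section(section: str, returns: List[SupplierReturn]) -> AggregatedSection:
    values = [r.scores.get(section, 0) for r in returns]
    flags = sum(r.red_flags.get(section, 0) for r in returns)  # never averaged away
    if within_tolerance(values):
        return AggregatedSection(round(mean(values), 2), flags, "mean", "")
    weighted = sum(r.scores.get(section, 0) * r.weight for r in returns) / sum(r.weight for r in returns)
    detail = ", ".join(f"{r.name}={r.scores.get(section, 0)} (w={r.weight})" for r in returns)
    return AggregatedSection(round(weighted, 2), flags, "weighted", f"divergent scores: {detail}")


def aggregate(returns: List[SupplierReturn]) -> Dict[str, AggregatedSection]:
    for r in returns:
        validate(r)
    return {section: aggregate_section(section, returns) for section in SECTION_MAX}


def unresolved_red_flags(returns: List[SupplierReturn]) -> List[Tuple[str, str, int]]:
    """Every unresolved Red Flag anywhere in the chain, for reporting to the Department."""
    return [(r.name, s, n) for r in returns for s, n in r.red_flags.items() if n > 0]


# Constructed sample returns (not real supplier data); Sub Contractor B is a
# minor supplier and is given half the weight of the others after triage.
SAMPLE_RETURNS = [
    SupplierReturn("Prime Contractor",
                   {"IQ": 13, "GIRM": 6, "PIQ": 14, "PQ": 20, "TQ": 12, "RAQ": 17, "IRM": 24, "C": 18}),
    SupplierReturn("Sub Contractor A",
                   {"IQ": 12, "GIRM": 6, "PIQ": 12, "PQ": 19, "TQ": 11, "RAQ": 16, "IRM": 22, "C": 17},
                   {"PIQ": 1}),
    SupplierReturn("Sub Contractor B",
                   {"IQ": 6, "GIRM": 5, "PIQ": 8, "PQ": 10, "TQ": 12, "RAQ": 8, "IRM": 12, "C": 9},
                   {"RAQ": 1}, weight=0.5),
]

if __name__ == "__main__":
    for section, agg in aggregate(SAMPLE_RETURNS).items():
        print(f"{section:5} {agg.score:6} flags={agg.red_flags} {agg.method:8} {agg.comment}")
    print("report to Department:", unresolved_red_flags(SAMPLE_RETURNS))
```

With the sample data, GIRM and TQ fall within the 20% band and are averaged, while every other section is divergent because of Sub Contractor B and is combined with the triage weights; the two red flags are reported regardless of how the scores combine.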


Appendix A - SIAT Basic Question Set

Notes:

1. The Basic Question Set consists of weighted questions. The weighting regime applied is VH = x5, H = x3 and M = x1. Where there are multiple choice questions the application of the weighting is not straightforward, and hence in the tables below the appropriate score is placed in brackets by each answer.

2. A particular answer to some questions should cause the Prime Contractor or Department to investigate. These are annotated Red Flag next to the relevant answer.

Each question is set out under the columns Ser, Mapping In, Question, Answers, Guidance Material, Mapping Out and Remarks (including weighting).

INITIAL QUESTIONS

IQ1
  Mapping In: Start
  Question: What is the name of your company?
  Answers: Free Text Box
  Mapping Out: IQ2
  Remarks (including weighting): -

IQ2
  Mapping In: IQ1
  Question: Does your company have a named individual responsible for the security aspects of our contract?
  Answers: Yes (3); No (0) Red Flag
  Guidance Material: If you are unsure whether your organisation has a nominated contact for security and/or data assurance issues, please discuss with those who deal with the commercial issues relating to your contract.
  Mapping Out: IQ3, IQ4
  Remarks (including weighting): H

IQ3
  Mapping In: IQ2
  Question: What are his/her contact details?
  Answers: Name: / Address: / Telephone Number: / e-mail:
  Mapping Out: IQ4
  Remarks (including weighting): -

IQ4
  Mapping In: IQ2 & 3
  Question: What is the nature of the product or service your company provides for us?
  Answers:
    1. Professional Services
    2. Information and Communications Technology (ICT) Services
    3. Business Process Outsourcing
    4. Estates, Facilities Management (FM), Guarding and Support Services
    5. Transport / Mail
    6. Storage / Archive
    7. Operational Equipment and Office Supplies
    8. Other [Free Text Box]
  Guidance Material: Professional Services - knowledge-based services, e.g. consultancy, contractors and interim managers. Information and Communications Technology (ICT) Services - ICT systems and/or related services. Business Process Outsourcing - the provision of an end-to-end business process. Estates, Facilities Management (FM) and Support Services - services which support our physical infrastructure. Transport and Storage - services which move or store people, documents or other physical entities. Operational Equipment and Office Supplies - products which are used or consumed in support of our physical infrastructure or operations.
  Mapping Out: IQ5
  Remarks (including weighting): -

IQ5
  Mapping In: IQ4
  Question: Have you been told to what extent your product or service requires you to comply with the HMG Security Policy Framework?
  Answers: Yes (3); No (0) Red Flag
  Guidance Material: The Security Policy Framework (SPF) sets out universal mandatory standards, as well as offering guidance on risk management and defining new compliance and assurance arrangements. Linkage between these questions and SPF Mandatory Requirements is denoted by the appropriate MR being listed in brackets, e.g. (MR7), as in the following question. Every public sector supplier should review their product or service offering in the light of the Security Policy Framework. For further information see http://www.cabinetoffice.gov.uk/intelligence-security-resilience/intelligence-and-protective-security.aspx
  Mapping Out: IQ5a, +PHSQ1
  Remarks (including weighting): H

IQ5a
  Mapping In: IQ5
  Question: Do you meet the minimum mandatory requirements of the Security Policy Framework?
  Answers: Yes (3); No (0) Red Flag
  Guidance Material: If you are not sure, speak to your contract manager.
  Mapping Out: IQ6, +PHSQ1

IQ6
  Mapping In: IQ5a, +PERQ12
  Question: Does your company formally report to us regarding security compliance in the following areas? (Please tick all which apply)
  Answers:
    A list of key individuals responsible for security matters ( )
    Risks and mitigations that have implications for protective security ( )
    All significant security incidents ( )
  Guidance Material: The public sector is required to report annually in these areas. Supplier reports form a key input into these reports. (MR7) If you are not sure, speak to your contract manager.
  Mapping Out: IQ6a
  Remarks (including weighting): M. Scoring Regime: 0-1 ticked = Score 0; 2-3 ticked = Score 1

IQ6a
  Mapping In: IQ6
  Question: Can you confirm your acceptance of an on-site security audit?
  Answers: At any time (1); With reasonable notice (1); No (0) Red Flag
  Guidance Material: Should the need arise, do you have the authority and capacity to support an on-site audit which will look at those areas of your organisation which are used to deliver those products and services which handle our sensitive data? (MR8)
  Mapping Out: IQ7
  Remarks (including weighting): M

IQ7
  Mapping In: IQ6a
  Question: Has your company undergone any structural reorganisation or changed any arrangements with respect to its use of third parties or agents in the delivery of your product or service within the last twelve months?
  Answers: Yes (0); No (1). Note: marking reversed intentionally.
  Guidance Material: Consider changes in your legal entity such as mergers and takeovers or changes in your share equity (greater than 33%). This also includes significant board changes and changes of any supplier used in delivering any product or service which requires the handling of our sensitive data. (MR7)
  Mapping Out: IQ8, IQ9
  Remarks (including weighting): M

IQ8
  Mapping In: IQ7
  Question: Have the implications of any such changes been reflected in the security policy and procedures, and have we been advised?
  Answers: Yes, and we have advised you (1); Yes, but we have not advised you (1); No (0)
  Mapping Out: IQ9
  Remarks (including weighting): M

IQ9
  Mapping In: IQ7 & 8
  Question: Do your company's security policies and procedures mandate that board members who are responsible for security routinely familiarise themselves with security and associated risk management approaches?
  Answers: Yes (3); No (0)
  Guidance Material: Responsible organisations should ensure that regular refresher training, awareness programmes and security briefings are provided to all staff. (MR9)
  Mapping Out: IQ10, IQ10
  Remarks (including weighting): H

IQ10
  Mapping In: IQ9
  Question: Does your organisation supply products or services which involve the handling of protectively marked data (includes Category A and B personal data)?
  Answers:
    1. Yes
    2. Yes, but exclusively on your premises.
    3. No
    4. Don't know
  Guidance Material: [Include definition from Annex A to IAS6]
  Mapping Out: GQ0, GQ0, IQ12, IQ11 (one per answer, in order)
  Remarks (including weighting): -

IQ11
  Mapping In: IQ10
  Question: Please do not continue completing these questions, but refer this request for information to someone in your company who does know the answer to this question, or ask the contracts branch with whom you have the contract for this work for clarification.
  Mapping Out: EXIT
  Remarks (including weighting): -

IQ12
  Mapping In: IQ10
  Question: Please confirm you do not have access to either our personal data or other information, nor handle any of our personal data or other information, in the delivery of this product or service.
  Answers: I confirm
  Guidance Material: This includes both protectively marked data (e.g. material to which a RESTRICTED or PROTECT etc. marking has been applied) and personal data. In the context of this question personal data includes any information that is subject to DPA98 and that links one or more identifiable living persons with private information about them (such as finger prints, national insurance number, place of work or school attendance records) or any source of information about 1,000 identifiable individuals or more, unless already in the public domain. For a full and comprehensive list of what constitutes protected personal data refer to IAS6, available from CESG. If you CONFIRM, you will EXIT the questionnaire. If you DO handle our sensitive data in any sense, please press Previous question as many times as necessary and then select the positive answer which most closely describes your situation so that you can continue to complete the questionnaire.
  Mapping Out: EXIT
  Remarks (including weighting): -

GENERAL IRM QUESTIONS

GQ0
  Mapping In: IQ10
  Question: Do you make use of our ICT infrastructure in delivering your product and/or service?
  Mapping Out: GQ1

GQ1
  Mapping In: GQ0
  Question: Please confirm your company understands our expectations when handling our data, including our protected data, and has embodied our requirements in your policies and procedures. This includes all of the following (each answered Yes (1) or No (0)):
    What security clearance is required by your staff before they can access our data
    Where our data can be stored
    When our data can and cannot be discussed over the telephone
    When our data can and cannot be used on removable media in accordance with Paragraph 12 of IS6
    When our data and/or information can or cannot be transmitted electronically
    When our data and/or information can or cannot be transmitted via facsimile
    When our data and/or information can or cannot be sent via post or courier
    When and how to dispose of media (e.g. CD or DVD, other removable media, hard copy (paper) or hard drives) on which our data has been stored
  Guidance Material: Protected data includes both protectively marked data (e.g. material to which a RESTRICTED or PROTECT etc. marking has been applied) and personal data. In the context of this question personal data includes any information that is subject to DPA98 and that links one or more identifiable living persons with private information about them (such as finger prints, national insurance number, place of work or school attendance records) or any source of information about 1,000 identifiable individuals or more, unless already in the public domain. For a full and comprehensive list of what constitutes protected personal data refer to IAS6, available from CESG.
  Mapping Out: GQ1a
  Remarks (including weighting): H. Scoring Regime: 1-3 Yes = Score 1; 4-5 Yes = Score 2; 6-8 Yes = Score 3

GQ1a
  Mapping In: GQ1
  Question: Does your organisation supply products or services which involve the handling of our personal data?
  Answers: Yes; No; Don't know Red Flag
  Guidance Material: Personal data includes any information that is subject to DPA98 and that links one or more identifiable living persons with private information about them (such as finger prints, national insurance number, place of work or school attendance records) or any source of information about 1,000 identifiable individuals or more, unless already in the public domain. For a full and comprehensive list of what constitutes protected personal data refer to IAS6, available from CESG.
  Mapping Out: +PIQ1, GQ2, IQ11
  Remarks (including weighting): -

GQ2
  Mapping In: GQ1a, +PIQ1, +PIQ2, +PIQ9
  Question: Does your company have a senior individual who is responsible for information risk within your organisation?
  Answers: Yes (3); No (0)
  Guidance Material: Each organisation must appoint at least one senior individual who is accountable for the purpose and manner in which personal or sensitive data is collected, processed, stored and disposed of. (MR35)
  Mapping Out: GQ3, +GIRM1
  Remarks (including weighting): H

GQ3
  Mapping in: GQ2, +GIRM3
  Question: Has the Main Board of your company issued a top-level policy statement committing the organisation to make whatever changes may be needed to implement effective IA with regard to our information?
  Answers: Yes (1); No (0)
  Mapping out: PQ1
  Weighting: M

PERSONAL INFORMATION QUESTIONS

PIQ1
  Mapping in: GQ1a
  Question: What type of personal data records do you handle?
  Answers: Category A only; Category B only; Categories A and B (combined); Don't know
  Guidance: [Include definition from Annex A to IAS6]
  Mapping out: PIQ2, GQ2, PIQ3, IQ11 (per answer, in order)
  Weighting: -

PIQ2
  Mapping in: PIQ1
  Question: What volume of our Category A data do you handle?
  Answers: Less than 1,000 personal data records; 1,000 or more personal data records
  Mapping out: GQ2 (less than 1,000); PIQ3 (1,000 or more)
  Weighting: -

PIQ3
  Mapping in: PIQ1, PIQ2
  Question: In the past 12 months has your organisation assessed its compliance under the Data Protection Act and, where necessary, has it put in place an action plan to address any weaknesses?
  Answers: Yes, and no weaknesses identified (5); Yes, and action plan in place to address weaknesses (3); Yes, but nothing done to address identified weaknesses (1) Red Flag; No (0) Red Flag
  Guidance: All organisations holding personal data have legal obligations under the Data Protection Act 1998 to ensure that it is managed in accordance with the eight DPA98 principles.
  Mapping out: PIQ5 (first three answers); PIQ4 (No)
  Weighting: VH

PIQ4
  Mapping in: PIQ3
  Question: How does your company take responsibility for complying with the eight principles of the Data Protection Act, and what responsibility does your company take for applying these to the delivery of your product/service using our data? For convenience the 8 principles are summarised below:
    - Data is processed fairly and lawfully
    - Data is obtained and only used for specified and lawful purposes
    - Data is adequate, relevant and not excessive
    - Data is accurate and kept up to date
    - Data is kept for no longer than is necessary
    - Data is processed in accordance with the individual's rights
    - Data is kept secure
    - Data is only transferred to countries that offer adequate data protection
  Answers: (Free text box)
  Guidance: This refers to the Data Protection Act of 1998. A full copy of the act can be found on the Office for Public Sector Information website, www.opsi.gov.uk
  Mapping out: PIQ5
  Weighting: -

PIQ5
  Mapping in: PIQ3, PIQ4
  Question: Where do you store and/or process our personal data?
  Answers:
    - UK mainland with no IT connection to public networks (e.g. Internet) (3)
    - UK mainland, but with accredited IT connection to public network (3)
    - UK mainland, but with non-accredited IT connection to public network (e.g. Internet) (0) Red Flag
    - Accredited overseas offshore solution (2)
    - Overseas (including Internet-based services where the location of our data is not guaranteed): a. EEA; b. US; c. Elsewhere; d. Don't know (0) Red Flag
  Mapping out: PIQ6
  Weighting: H

PIQ6
  Mapping in: PIQ5
  Question: Have any of the bespoke applications used to process our data been developed overseas?
  Answers: Yes (1); No (3)
  Mapping out: PIQ7 (Yes); PIQ9 (No)
  Weighting: H

PIQ7
  Mapping in: PIQ6
  Question: Is any of our data used by the offshore software developers?
  Answers: Yes (0); No (1)
  Mapping out: PIQ8 (Yes); PIQ9 (No)

PIQ8
  Mapping in: PIQ7
  Question: Has the development of the bespoke application been approved by the Contracting Authority?
  Answers: Yes (1); No (0) Red Flag
  Mapping out: PIQ9

PIQ9
  Mapping in: PIQ6, PIQ7, PIQ8
  Question: Does your company have arrangements in place to log the activity of users who access our electronically held protected personal data, particularly those who work remotely and those who have higher levels of functionality?
  Answers: Yes (5); No (0) Red Flag
  Mapping out: GQ2
  Weighting: VH

POLICY QUESTIONS

PQ1
  Mapping in: GQ3
  Question: Has your company received a copy of the government organisation's Information Risk Policy, and have members of your company been consulted about how it impacts on the service you deliver?
  Answers: Yes, and we have been consulted; Yes, but we have not been consulted; No (Red Flag); N/A
  Guidance: This question is only applicable to prime contractors and not to subcontractors.
  Mapping out: PQ2, +GIRM4
  Weighting: -

PQ2
  Mapping in: PQ1, +GIRM4
  Question: Have you seen the Information Charter that the Government organisation has published, setting out how they handle information and how members of the public can address any concerns that they have?
  Answers: Yes; No (Red Flag); N/A
  Guidance: This question is only applicable to prime contractors and not to subcontractors.
  Mapping out: PQ3
  Weighting: -

PQ3
  Mapping in: PQ2
  Question: Is your company aware of the Government's current off-shoring policy and the guidance contained in CESG Good Practice Guide (GPG) No 6, particularly as this relates to your subcontractors?
  Answers: Yes (3); No (0)
  Guidance: CESG Good Practice Guide (GPG) No 6 is available on application from CESG at www.cesg.gov.uk
  Mapping out: PQ4
  Weighting: H

PQ4
  Mapping in: PQ3
  Question: Does your company comply with all codes-of-connection, bilateral agreements and/or community or shared service security policies to which you are signatories, and do you apply the specific technical policies covering patching, malware, boundary security devices, content checking/blocking and lockdown?
  Answers: Yes, and apply required technical policies (5); Yes, but not fully compliant (3); No (0) Red Flag; N/A (5)
  Mapping out: PQ5, +TIRM15, +TIRM16
  Weighting: VH

PQ5
  Mapping in: PQ4, +TIRM17
  Question: Has your company issued your own Information Risk Policy setting out how you and your supply chain will comply with our requirements set out in our Information Risk Policy and, where applicable, the minimum requirements of the HMG Security Policy Framework?
  Answers: Yes (3); No (0) Red Flag
  Mapping out: PQ6, +GIRM5
  Weighting: H

PQ6
  Mapping in: PQ5, +GIRM6, +GIRM11, +GIRM12
  Question: Does your company have an Acceptable Use Policy (AUP) which includes effective sanctions, and are all IS users to which the policy applies made aware of it?
  Answers: Yes, we have a policy (1); Yes, we have a policy and users are aware of it (2); No (0)
  Guidance: An AUP is a set of clear and concise rules that define what staff are, and are not, allowed to do with the ICT equipment of an organisation. It should define the sanctions that will be applied if a member of staff contravenes the AUP. It is good practice to require staff to sign an AUP before they are given access to ICT equipment.
  Mapping out: PQ7, +GIRM13
  Weighting: M

PQ7
  Mapping in: PQ6
  Question: Does your company have policies in place covering the control of hard copy and/or removable media, which includes laptops, removable disks, CDs, USB memory sticks, PDAs and media card formats?
  Answers: Yes (5); No (0) Red Flag
  Mapping out: PQ8, +GIRM14
  Weighting: VH

PQ8
  Mapping in: PQ7, +GIRM16
  Question: Does your data handling policy and/or procedures specify when data should be encrypted?
  Answers: Yes (3); No (0)
  Guidance: All sensitive data should be considered for encryption at vulnerable points in the data lifecycle. For each product or service these vulnerabilities should be explored and appropriate measures taken to further secure the information through data encryption. (MR40)
  Mapping out: PQ9
  Weighting: H

PQ9
  Mapping in: PQ8
  Question: Do you have a documented procedure which addresses breaches of the agreed data handling policy?
  Answers: Yes (3); No (0)
  Guidance: Breaches include the loss of personal or sensitive data or security breaches on your premises. (MR44)
  Mapping out: TQ1, +GIRM17
  Weighting: H

TRAINING QUESTIONS

TQ1
  Mapping in: PQ9, +GIRM17
  Question: Has every member of your company who has access to personal data undergone an annual session of information risk awareness training?
  Answers: Yes (3); No (0)
  Guidance: The National School of Government has developed e-learning packages specifically for civil servants, but these are available to private sector organisations who work with government. See www.nationalschool.gov.uk/programmes/programme.asp?id=23216
  Mapping out: TQ2, +GIRM18
  Weighting: H

TQ2
  Mapping in: TQ1
  Question: Has every member of your company who has access to our information undergone an annual session of information risk awareness training?
  Answers: Yes (3); No (0)
  Mapping out: TQ3
  Weighting: H

TQ3
  Mapping in: TQ2, +GIRM21
  Question: Is a process in place to give assurance to our SIRO that every member of staff within your company and your supply chain who has access to our information, for which we are accountable, receives information risk awareness training on induction and annually thereafter?
  Answers: Yes (1); No (0)
  Mapping out: TQ4
  Weighting: M

TQ4
  Mapping in: TQ3
  Question: Does an effective mechanism exist to ensure that those who have undergone the information risk awareness training remember what they have been taught, i.e. does the training involve some form of assessment?
  Answers: Yes (1); No (0)
  Mapping out: TQ5
  Weighting: M

TQ5
  Mapping in: TQ4
  Question: Does a programme of targeted education and training exist for staff who manage and/or maintain the secure configuration of ICT systems, or who have IA responsibilities?
  Answers: Yes (3); No (0)
  Mapping out: TQ6, +GIRM22
  Weighting: H

TQ6
  Mapping in: TQ5, +GIRM22
  Question: Are details of the percentage of staff who have undergone annual information risk awareness refresher training collected?
  Answers: Yes (1); No (0)
  Mapping out: TQ7
  Weighting: M

TQ7
  Mapping in: TQ6
  Question: Are effective mechanisms in place within your company to ensure that all those who should have undertaken the compulsory training are trained?
  Answers: Yes (1); No (0)
  Mapping out: TQ8
  Weighting: M

TQ8
  Mapping in: TQ7
  Question: Is a process in place within your company to determine the sufficiency of the information risk awareness training in terms of its depth, breadth and coverage?
  Answers: Yes (1); No (0)
  Mapping out: RAQ1, +GIRM23
  Weighting: M

RISK & ACCREDITATION QUESTIONS

RAQ1
  Mapping in: TQ8, +GIRM23
  Question: Has your company contributed to the process by which the Government organisation produces an annual assessment of the forthcoming changes to service, technology and the threat, so that these can be reflected in our Annual Risk Assessment?
  Answers: Yes; No (Red Flag); N/A
  Guidance: This question is only applicable to prime contractors and not to subcontractors.
  Mapping out: RAQ2, +TIRM11
  Weighting: -

RAQ2
  Mapping in: RAQ1, +TIRM12
  Question: When your company handles our protectively marked information, do you use Business Impact Levels (ILs) to assess and identify the impacts to the business caused through the loss of Confidentiality, Integrity and/or Availability of data or ICT systems, should risks be realised?
  Answers: Yes (3); No (0)
  Guidance: Details of the Business Impact Level definitions are available from the CESG website at www.cesg.gov.uk/policy_technologies/policy/risk-tool.shtml
  Mapping out: RAQ3
  Weighting: H

RAQ3
  Mapping in: RAQ2
  Question: Is a systematic process in place within your company to conduct operational and technical risk reviews of business critical ICT systems and their related business policies and processes, and are the requirements for remedial action satisfied in a timely manner?
  Answers: Yes, the process is in place and remedial actions are taken in a timely manner (5); Yes, the process is in place (3); No (0)
  Mapping out: RAQ4
  Weighting: VH

RAQ4
  Mapping in: RAQ3
  Question: Have all new ICT systems, and planned changes to live ICT systems, processing information requiring protection been subject to Accreditation?
  Answers: Yes (3); No (0) Red Flag
  Guidance: All ICT systems that process protectively marked Government data must be accredited using HMG IA Standard No. 2. (MR36)
  Mapping out: RAQ5, +TIRM1
  Weighting: H

RAQ5
  Mapping in: RAQ4, +TIRM10a
  Question: For ICT systems processing protectively marked information, are the technical risk assessments and the risk management decisions recorded in the Risk Management and Accreditation Documentation Set (RMADS), using HMG IA Standard No. 2 - Risk Management and Accreditation of Information Systems?
  Answers: Yes (3); No (0)
  Guidance: HMG IA Standard No. 2 - Risk Management and Accreditation of Information Systems is available on application from CESG at www.cesg.gov.uk (MR32)
  Mapping out: RAQ6, +TIRM13
  Weighting: H

RAQ6
  Mapping in: RAQ5
  Question: Are procedures in place to ensure that all ICT systems handling our protectively marked Government data are accredited using HMG IA Standard No. 2, or an appropriately tailored derivative?
  Answers: Yes, and we use HMG IAS No. 2 (3); Yes, and we use a tailored derivative (3); No (0)
  Mapping out: IRMQ1
  Weighting: H

IRM CONTROL QUESTIONS

IRMQ1
  Mapping in: RAQ6, +TIRM14c
  Question: Does your company know what physical security measures we require to be put in place to safeguard PROTECT level information held in both paper and electronic form, and are you compliant with our requirements?
  Answers: Yes, and we are compliant (3); Yes, but we are not compliant (0); No (0); Don't know (0) Red Flag
  Mapping out: IRMQ2
  Weighting: H

IRMQ2
  Mapping in: IRMQ1
  Question: Do you know what strong and effective arrangements we require to be put in place to safeguard unencrypted personal information collected, held, processed or transferred within your company and within your supply chain, and are you compliant with our requirements?
  Answers: Yes, and we are compliant (3); Yes, but we are not compliant (0); No (0) Red Flag; Don't know (0) Red Flag; N/A (3)
  Mapping out: IRMQ3
  Weighting: H

IRMQ3
  Mapping in: IRMQ2
  Question: Are any, or all, copies/backups of our personal and/or business critical data logged, tracked, transported and stored securely, and subject to the same security standards as the systems holding the live data?
  Answers: Yes, we apply the same security standards (or would do if we were ever to take copies/backups) (3); No, we do not necessarily always apply the same security standard to copies or backups of your data (0) Red Flag
  Guidance: Copies or backups are important to ensure that data is available; however, handling of these backups must be subject to the same rigorous security standards as other sensitive data.
  Mapping out: IRMQ4
  Weighting: H

IRMQ4
  Mapping in: IRMQ3
  Question: Where our personal information has to be accessed remotely by staff of your company, are effective mechanisms in place to protect the information in transit, using approved devices in accordance with the DHR mandatory requirements?
  Answers: Yes (3); No (0); N/A (3)
  Guidance: See CESG IA Standard No 6, available on application from CESG at www.cesg.gov.uk (MR32)
  Mapping out: IRMQ4a (Yes); IRMQ5 (No); IRMQ5 (N/A)
  Weighting: H

IRMQ4a
  Mapping in: IRMQ4
  Question: Does your organisation have a policy on remote working that complies with the HMG Security Policy Framework?
  Answers: Yes (3); No (0)
  Guidance: (MR42)
  Mapping out: IRMQ5
  Weighting: H

IRMQ5
  Mapping in: IRMQ4, +PIQ10
  Question: Are ICT system asset registers maintained for new ICT systems, and do these show clearly who has ownership of each of the system assets?
  Answers: Yes, system asset registers are maintained and ownership is assigned (2); Yes, system asset registers are maintained, but they do not show ownership (1); No (0)
  Mapping out: IRMQ6 (first two answers); IRMQ7 (No)
  Weighting: M

IRMQ6
  Mapping in: IRMQ5
  Question: Are the ICT system asset registers which you maintain annotated to show, in addition to the ownership, the business criticality and IA requirements of all ICT system assets?
  Answers: Annotated to show business criticality (2); Annotated to show IA requirements (1); Not annotated (0)
  Mapping out: IRMQ7
  Weighting: M

IRMQ7
  Mapping in: IRMQ5, IRMQ6
  Question: Does your organisation have appropriate Business Continuity and Disaster Recovery Plans for all locations where information and system assets are kept?
  Answers: Yes (3); No (0)
  Guidance: The HMG Security Policy Framework contains details of what should be included in a Business Continuity Plan and can be found on the Cabinet Office website at http://www.cabinetoffice.gov.uk/intelligence-security-resilience/intelligence-and-protective-security.aspx
  Mapping out: IRMQ8
  Weighting: H

IRMQ8
  Mapping in: IRMQ7
  Question: Does your company have effective processes in place for controlling the re-use of ICT equipment, and do these comply with the requirements of HMG IA Standard No 5, Secure Sanitisation of Protectively Marked or Sensitive Information?
  Answers: Yes, and compliant with HMG IA Standards (3); Yes, but not fully compliant (1); No (0)
  Guidance: For access to HMG IA Standard No 5 apply to CESG, www.cesg.gov.uk
  Mapping out: IRMQ9
  Weighting: H

IRMQ9
  Mapping in: IRMQ8
  Question: Does your company have effective processes in place for the controlled disposal (secure destruction, overwriting, erasure or degaussing) of electronic media that have been used for our protected information, in accordance with HMG IA Standard No 5, Secure Sanitisation of Protectively Marked or Sensitive Information?
  Answers: Yes, and compliant with HMG IA Standards (3); Yes, but not fully compliant (1); No (0)
  Guidance: For access to HMG IA Standard No 5 apply to CESG, www.cesg.gov.uk
  Mapping out: C1
  Weighting: H

COMPLIANCE QUESTIONS

C1
  Mapping in: IRMQ9
  Question: Do you have any agents, such as subcontractors or suppliers, who are not directly employed by your company, who assist in the delivery of your product or service and who may access our data?
  Answers: Yes (1); No
  Guidance: Agents or subcontractors include external consultants, interim managers, external auditors and other independent contractors.
  Mapping out: C2 (Yes); C3 (No)
  Weighting: -

C2
  Mapping in: C1
  Question: How does your company gain assurance that any agents, such as subcontractors or suppliers, comply with your risk and security policies?
  Answers: Formal audit (1); Spot checks (1); Rely on contract requirements (1); No assurance is sought (0)
  Mapping out: C3
  Weighting: H

C3
  Mapping in: C1, C2
  Question: Has your company established an effective compliance regime to ensure that the IRM measures that are put in place comply with our endorsed policy?
  Answers: Yes (5); No (0)
  Mapping out: C4, +TIRM18
  Weighting: VH

C4
  Mapping in: C3, +GIRM24
  Question: Has your company put in place a process to ensure the effectiveness of the compliance regime?
  Answers: Yes (1); No (0)
  Mapping out: C5, +GIRM25
  Weighting: M

C5
  Mapping in: C4
  Question: Has the process put in place by your company to validate the effectiveness of the compliance regime reported, and has action been taken to rectify the weaknesses identified?
  Answers: Yes, but no action has been taken (3); Yes, and action has been taken (5); No (0)
  Mapping out: C6
  Weighting: VH

C6
  Mapping in: C5, +GIRM25
  Question: Are plans in place to action the recommendations made in all reviews and audits of our IA posture relating to Business Critical IS and related processes?
  Answers: Yes, all remedial actions resolved within 6 months (5); No (0)
  Mapping out: C7, +GIRM26
  Weighting: VH

C7
  Mapping in: C6, +GIRM26
  Question: Has an effective and accurate means been established within your company to monitor the status of the control measures in use within your company and your subcontractors?
  Answers: Yes (3); No (0)
  Mapping out: CQ1
  Weighting: H

CLOSING QUESTIONS

CQ1
  Mapping in: C7
  Question: Are you willing to allow the results to be shared with a limited number of other government bodies? [NB an answer of yes aims to prevent duplicate approaches to the respondent.]
  Answers: Yes; Yes, subject to specific agreement; No
  Mapping out: CQ2
  Weighting: -

CQ2
  Mapping in: CQ1
  Question: Thank you for completing this questionnaire. Do you have any further important issues/concerns relating to information risk management which you wish to bring to our attention?
  Answers: (Free text box)
  Mapping out: EXIT
  Weighting: -

Appendix B - SIAT Follow-on Questions

ADDITIONAL GENERAL IRM QUESTIONS

+GIRM1
  Mapping in: GQ2
  Question: At what level of your organisation does accountability for the assurance of our information lie?
  Answers: Chief Executive Officer; Operating Board; Senior Management; HR Department; IT Department; CISO; Other
  Guidance: All organisations should have an agreed and documented policy on data assurance (security) and data privacy, including compliance with the Data Protection Act. This policy should set out the governance arrangements for data assurance and security. Good governance makes it clear who is ultimately responsible and accountable for the protection of all sensitive data. (MR3)
  Mapping out: +GIRM2

+GIRM2
  Mapping in: +GIRM1
  Question: How is accountability for the assurance of our information in your company's custody achieved?
  Answers: (Free text box)
  Mapping out: +GIRM3

+GIRM3
  Mapping in: +GIRM2
  Question: Is there an effective methodology in place to maintain and review an information risk register and address the risks?
  Mapping out: GQ3

+GIRM4
  Mapping in: PQ1
  Question: Has your company been advised of the risk appetite which is applicable to delivering your product/service involving our information?
  Mapping out: PQ2

+GIRM5
  Mapping in: PQ5
  Question: How often does your company review its data handling policies and procedures with respect to the product or services it delivers?
  Answers: Monthly; Quarterly; Every six months; Annually; No formal review within the last 12 months
  Guidance: Organisations must have, as a component of their overarching security policy, an information security policy setting out how they, and their delivery partners, comply with the minimum requirements set out in the HMG Security Policy Framework, http://www.cabinetoffice.gov.uk/intelligence-security-resilience/intelligence-and-protective-security.aspx (MR31). A review should evaluate the effectiveness of current processes and introduce amendments as appropriate.
  Mapping out: +GIRM6

+GIRM6
  Mapping in: +GIRM5
  Question: Has your company conducted a structured risk assessment to highlight when our information is most vulnerable while in your care?
  Guidance: Suppliers should: clearly identify each asset and those responsible for them; understand the vulnerability and likelihood of attack from various threats; value them in terms of impact from loss or failure; and assign a proportionate level of protection to mitigate any risk. (MR5)
  Mapping out: +GIRM7

+GIRM7
  Mapping in: +GIRM6
  Question: If the risk assessment revealed the need for improvements, have they been made?
  Answers: No improvements identified; Improvements identified and in hand; Improvements identified and completed; Improvements identified but not yet undertaken
  Mapping out: PQ6, +GIRM8

+GIRM8
  Mapping in: +GIRM7
  Question: Does your company have in place documented policies and procedures for IT, IA and Information Management which reflect the need to identify and mitigate digital continuity risks?
  Answers: Yes, relevant policies are in place, but a risk management plan is yet to be produced; No, but their development is underway; No, and their development is not planned
  Guidance: Suppliers should have in place a documented plan for undertaking a risk assessment process to identify and manage digital obsolescence risks to the continuity of our information assets. The plan should be consistent with the Digital Continuity Approach and Guidance from The National Archives (TNA), www.nationalarchives.gov.uk/electronicrecords/digitalcontinuity/guidance-on-digital-continuity
  Mapping out: +GIRM9

+GIRM9
  Mapping in: +GIRM8
  Question: To what extent has your organisation made these policies available internally?
  Answers: The whole organisation; Those parts of the organisation which handle your information; Policies not available internally
  Guidance: A robust range of policies and procedures should exist to cover the delivery of the supplier's products or services. These policies and procedures should be routinely shared with all data handlers. (MR6)
  Mapping out: +GIRM10

+GIRM10
  Mapping in: +GIRM9
  Question: Do your data handling procedures address the following areas for all data handlers? (Please tick all that apply)
  Answers:
    - Means of controlling access to personal and/or business critical data
    - Authentication of the unique identity of individuals attempting to access personal and/or business critical data
    - Validation that each user has the appropriate authority to read/create/modify/delete specific data
    - Audit of all attempted accesses to personal and/or business critical data
  Guidance: Workers across your organisation may be employed as data handlers to read, amend, modify or manage the sensitive data. Controls and records should be maintained with respect to data handler access, authentication and authority, ensuring sensitive data is handled on a need-to-know basis.
  Mapping out: +GIRM11

+GIRM11
  Mapping in: +GIRM10
  Question: Has an assessment been made of your company's compliance with the mandatory measures contained in Tier 3 of the SPF, particularly those relating to IA?
  Guidance: Details of the HMG Security Policy Framework are at http://www.cabinetoffice.gov.uk/intelligence-security-resilience/intelligence-and-protective-security.aspx
  Mapping out: +GIRM12, PQ6

+GIRM12
  Mapping in: +GIRM11
  Question: Where there are non-compliances by your company with the requirements of the SPF, is remedial action being taken to bring your company into compliance, where necessary supported by contract amendment or a modified service level agreement?
  Mapping out: PQ6
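The four controls that +GIRM10 asks about (access control, authentication of each data handler, validation of per-record authority, audit of every attempted access) together form a single gateway in front of the data store, and PIQ9 adds that remote and highly privileged users in particular must be logged. The example below is an added illustration of that gateway, not code from the questionnaire or from any government system: the handlers, records, tokens and server key are all constructed for the example, and the "case" field used for need-to-know is an assumed data model. The point a practitioner should take from it is that refused attempts are audited exactly like successful ones, and that the log records whether the caller was remote or privileged so those entries can be reviewed first.

```python
"""Reference-monitor style gateway for a protected personal-data store.

Added illustration for +GIRM10 / PIQ9; every name, token, key and record is
constructed for the example and is not real data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib
import hmac


# --- constructed sample data -------------------------------------------------

# Personal-data records; the 'case' field drives need-to-know (assumed model).
RECORDS = {
    "R-1001": {"case": "CASE-A", "name": "A. Person", "ni_number": "QQ123456C"},
    "R-1002": {"case": "CASE-B", "name": "B. Person", "ni_number": "QQ654321A"},
}


@dataclass(frozen=True)
class Handler:
    user_id: str
    cases: frozenset          # cases this handler may work on
    privileged: bool = False  # higher level of functionality (modify/delete)


HANDLERS = {
    "alice": Handler("alice", frozenset({"CASE-A"})),
    "bob": Handler("bob", frozenset({"CASE-B"})),
    "dba": Handler("dba", frozenset({"CASE-A", "CASE-B"}), privileged=True),
}

# Authentication: a session token is an HMAC over the user id under a server
# secret, so a forged or tampered token fails verification instead of being
# trusted on the strength of the user id it carries.
_SERVER_KEY = b"constructed-example-key-not-for-real-use"


def issue_token(user_id: str) -> str:
    mac = hmac.new(_SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{mac}"


def authenticate(token: str) -> Optional[Handler]:
    """Return the Handler for a valid token, or None."""
    user_id, _, mac = token.partition(":")
    expected = hmac.new(_SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return HANDLERS.get(user_id)


# Audit log: one entry per attempt, whether allowed or refused.
AUDIT = []


def _audit(user, record_id, action, remote, outcome, reason):
    handler = HANDLERS.get(user)
    AUDIT.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "record": record_id, "action": action,
        "remote": remote,
        "privileged": bool(handler and handler.privileged),
        "outcome": outcome, "reason": reason,
    })


def authorise(handler: Handler, record_id: str, action: str) -> Optional[str]:
    """Return None if the action is permitted, else the reason for refusal."""
    record = RECORDS.get(record_id)
    if record is None:
        return "no such record"
    if action not in {"read", "modify", "delete"}:
        return "unknown action"
    if record["case"] not in handler.cases:
        return "outside handler's assigned cases"   # need-to-know failure
    if action != "read" and not handler.privileged:
        return "action requires privileged role"
    return None


def access_record(token: str, record_id: str, action: str, remote: bool = False):
    """Authenticate, authorise per record, and audit the attempt.
    Returns the record on success and None on refusal."""
    claimed_user = token.partition(":")[0]
    handler = authenticate(token)
    if handler is None:
        _audit(claimed_user, record_id, action, remote, "DENIED", "authentication failed")
        return None
    reason = authorise(handler, record_id, action)
    if reason:
        _audit(handler.user_id, record_id, action, remote, "DENIED", reason)
        return None
    _audit(handler.user_id, record_id, action, remote, "ALLOWED", "need to know")
    return RECORDS[record_id]


def denied_attempts():
    return [e for e in AUDIT if e["outcome"] == "DENIED"]


def flagged_attempts():
    """Entries a reviewer should look at first: remote or privileged users (PIQ9)."""
    return [e for e in AUDIT if e["remote"] or e["privileged"]]
```

A real deployment would write `AUDIT` to an append-only store outside the reach of the privileged users it records, but the shape of each entry (who, which record, what action, remote or not, privileged or not, allowed or refused and why) is what an auditor asked to evidence +GIRM10 and PIQ9 will look for.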

+GIRM13
  Mapping in: PQ6
  Question: Does your company provide guidance to staff on handling our information with respect to the following? (Please tick all that apply)
  Answers: Official Secrets Act; Data Protection Act; Freedom of Information Act; Environmental Information Act
  Guidance: Data security legislation provides minimum guidelines for data handling. All employees who handle data should be familiar with this legislation. (MR12)
  Mapping out: PQ7

+GIRM14
  Mapping in: PQ7
  Question: In what format do you receive, modify or create our data? (Please tick all that apply)
  Answers: Paper (documents/letters/files); Removable electronic media (such as CDs or portable hard drives); Electronic data transfer; Other (e.g. microfiche)
  Mapping out: +GIRM15

+GIRM15
  Mapping in: +GIRM14
  Question: What is the typical frequency at which your product or service requires you to receive, modify or create our data?
  Answers: Continuously; Daily; Weekly; Monthly; Annually; Less than once a year
  Mapping out: +GIRM16

+GIRM16
  Mapping in: +GIRM15
  Question: When delivering your product and/or service, please confirm that you have documented procedures relating to the prevention, detection and response to the mishandling and/or loss of our data/information in the following areas. (Please tick all that apply)
  Answers: Collection; Verification and cleansing; Primary use (maintenance, updates, backups and sharing); Secondary use (copying, reuse and exporting); Disposal
  Mapping out: PQ8

+GIRM17
  Mapping in: PQ9
  Question: In the event of a breach of your data assurance policy and/or procedures (such as a laptop being left on a train), your first action would be to:
  Answers: Firstly try to rectify the breach/find the misplaced item; Wait for a period of time and then perform an impact assessment of the data lost; Report the breach immediately; Implement the necessary steps to secure and replace the data
  Guidance: Every member of staff should be adequately trained to spot and address breaches of your policy. (MR44)
  Mapping out: TQ1

+GIRM18
  Mapping in: TQ1
  Question: Has specific training been established for the senior named individual who owns the company's information risk policy, and for the members of the Audit Committee, on appointment and at least annually thereafter?
  Mapping out: +GIRM19

+GIRM19
  Mapping in: +GIRM18
  Question: Are the senior named individual who owns the company's information risk policy, and the members of your company's Audit Committee, up to date in completing their annual IA training?
  Mapping out: +GIRM20, +GIRM21

+GIRM20
  Mapping in: +GIRM19
  Question: Has the effectiveness of the training given to the senior named individual who owns the company's information risk policy, and to the members of the Audit Committee, been assessed to ensure it is aligned to the needs of the business?
  Mapping out: +GIRM21

+GIRM21
  Mapping in: +GIRM18, +GIRM19, +GIRM20
  Question: Do your staff know when they can and cannot share our information with other members of staff?
  Guidance: Organisations must ensure that access to sensitive data is only granted on the basis of the need-to-know principle. All employees must be made fully aware of their personal responsibility in applying this principle. (MR16)
  Mapping out: TQ3

+GIRM22
  Mapping in: TQ5
  Question: If there is no training regime in place for key staff involved in discharging IA-related duties, how do you ensure they are experienced and qualified enough to discharge their duties?
  Answers: (Free text box)
  Mapping out: TQ6

+GIRM23
  Mapping in: TQ8
  Question: How do you assess that the desired changes in approach to information risk are being adopted into the culture of your company?
  Answers: (Free text box)
  Mapping out: RAQ1

+GIRM24
  Mapping in: +TIRM19
  Question: Is a method of assessing compliance with your company's acceptable use policy in place?
  Mapping out: C4

+GIRM25
  Mapping in: C4
  Question: Has an independent assessment (conducted by suitably qualified personnel from a legally separate organisation) been made of the breadth, depth and effectiveness of your company's IRM compliance regime, to ensure that your measures are compliant with our endorsed policy?
  Mapping out: C6

+GIRM26
  Mapping in: C6
  Question: Does your company's senior named individual, who owns the company's information risk policy, track and manage progress against any IA improvement plans relating to business critical IS and related processes?
  Mapping out: C7

ADDITIONAL TECHNICAL IRM QUESTIONS

+TIRM1
  Mapping in: RAQ4
  Question: How do managers responsible for the delivery of live service manage: a. changing information risks relating to the existing ICT configuration; b. information risks relating to proposed changes in the live ICT configuration?
  Answers: (Free text box for a); (Free text box for b)
  Mapping out: +TIRM2

+TIRM2
  Mapping in: +TIRM1
  Question: Does an effective process exist to escalate significant information risks from programmes and projects up through the management chain of your company to achieve satisfactory IRM?
  Mapping out: +TIRM3

+TIRM3
  Mapping in: +TIRM2
  Question: Are those who are responsible for ICT service management committed to exercising the security aspects of their role? Is this expressed in your company's ICT Service Management documentation?
  Mapping out: +TIRM4

+TIRM4
  Mapping in: +TIRM3
  Question: Has your company issued policy, guidance and direction with the aim of embedding a systematic approach to IA within ICT service management?
  Mapping out: +TIRM5

+TIRM5
  Mapping in: +TIRM4
  Question: Have corporate objectives, priorities and qualitative performance targets been set for the improvement of the IA aspects of Service Management?
  Mapping out: +TIRM6

+TIRM6
  Mapping in: +TIRM5
  Question: Are those responsible for ICT Service Management within your company allocated sufficient resource and funding to tackle IA issues?
  Mapping out: +TIRM7

+TIRM7
  Mapping in: +TIRM6
  Question: Do those responsible for ICT Service Management within your company have responsibilities for delivering specific levels of improvement in IA?
  Mapping out: +TIRM8

+TIRM8
  Mapping in: +TIRM7
  Question: Is IA embedded within ICT Service Management procedures for all new ICT systems, so that they are operated and administered in accordance with Security Operating Procedures (SyOps)? Do these ICT service management procedures include effective configuration management?
  Mapping out: +TIRM9

+TIRM9
  Mapping in: +TIRM8
  Question: Is IA good practice institutionalised within the ICT Service Management function, so that systems are operated and administered in accordance with corporate security operating procedures?
  Mapping out: +TIRM9a

+TIRM9a
  Mapping in: +TIRM9
  Question: Is Service Management supported by clearly documented corporate processes and procedures?
  Mapping out: +TIRM10

+TIRM10
  Mapping in: +TIRM9a
  Question: Is IA embedded within the IT Service Management procedures for all our business critical IS?
  Mapping out: +TIRM10a

+TIRM10a
  Mapping in: +TIRM10
  Question: Does the IA embedded within the IT Service Management procedures for business critical IS include effective configuration management?
  Mapping out: RAQ5

+TIRM11
  Mapping in: RAQ1
  Question: Are the IA personnel within your company fully engaged in the development and implementation of our future ICT strategy?
  Mapping out: +TIRM12

+TIRM12
  Mapping in: +TIRM11
  Question: Are there credible plans and processes in place to ensure that emerging ICT requirements are recognised early enough that a full range of IRM processes can be applied from the outset?
  Mapping out: RAQ2

+TIRM13
  Mapping in: RAQ5
  Question: Is a process in place within your company to ensure that all accredited ICT systems are subject to an annual review (to determine whether changes have occurred which could alter the original accreditation decision, such as significant changes in threats, vulnerabilities, system configuration, management structure, Business Impact Levels etc.)? Are such systems re-accredited when they undergo significant change, or at least every 5 years?
  Answers: Yes; Some, but not all; No
  Mapping out: +TIRM14

+TIRM14
  Mapping in: +TIRM13
  Question: Does your company comply with HMG IA Standard No. 4, Communications Security and Cryptography (parts 1-3), for the protection of protectively marked material?
  Guidance: For access to HMG IA Standard No 4 apply to CESG, www.cesg.gov.uk
  Mapping out: +TIRM14a

+TIRM14a
  Mapping in: +TIRM14
  Question: Where you use cryptography, do you only use CESG-approved solutions?
  Mapping out: +TIRM14b

+TIRM14b
  Mapping in: +TIRM14a
  Question: Do you apply the correct control mechanisms for cryptographic items?
  Mapping out: +TIRM14c

+TIRM14c
  Mapping in: +TIRM14b
  Question: Do you enforce the requirement for specified levels of personnel security clearance for individuals handling cryptographic items?
  Mapping out: IRMQ1

+TIRM15
  Mapping in: PQ4
  Question: Does your organisation possess the following 'code of connection' policies? (Please tick all that apply)
  Answers:
    - A patching policy covering all IT systems
    - A policy which manages the risk posed by malicious software
    - Boundary security devices
    - Content checking/blocking policy
    - Lockdown policy to restrict unnecessary services
  Guidance: Organisations must follow the requirements of any codes of connection, multilateral or bilateral international agreements, and community or shared services security policies to which they are signatories (for example the Government Secure Intranet (GSI)). (MR38/MR39)
  Mapping out: +TIRM16

+TIRM 16 PQ4 +TIRM15 Do you have evidence to show that patches are applied in a time scale applicable to the seriousness of the vulnerability? +TIRM 17 +TIRM16 Does a comprehensive patching regime exist to safeguard our information? +TIRM 18 C3 Where your company is subject to codes-of-connection, bilateral agreements and/or community or shared service security policies, do effective plans exist to assure compliance with the requirements? +TIRM 19 +TIRM18 Are all codes-of-connection, bilateral agreements and/or community or shared service security policies subject to an effective compliance regime and this has been assessed by audit? +TIRM17 PQ5 +TIRM19 +GIRM24 ADDITIONAL PHYSICAL SECURITY QUESTIONS Ser Mapping In Question Answers Guidance Material +PHSQ 1 IQ5 IQ5a Has your company taken the following precautions in areas where our information/equipment is used or stored? (Please tick all which apply) Protectively marked data is secured in appropriate security containers Windows, locks, doors and entry controls meet appropriate security standards Access is restricted to those who need to know Mapping Out +PHSQ2 Page 40

+PHSQ 2 +PHSQ1 Do you ensure that security risks are taken into account when planning, selecting, designing and modifying your facilities? Organisations must assess the security risks to their estate ensuring that security is fully integrated early in the process of planning, selecting, designing and modifying their facilities. +PHSQ3 +PHSQ 3 +PHSQ2 What is your company s policy with regard to the response expected from your staff should an individual attempt to gain physical access to the site on which our data can be accessed? Report the incident at a later time Occasionally challenge Always challenge Do nothing Perimeter security is a vital component in ensuring that sensitive data is safe from physical threat. The perimeter should be protected with appropriate security barriers and entry controls. (MR56/61) +PHSQ4 +PHSQ 4 +PHSQ3 Does your company have plans and procedures for dealing with and intercepting unauthorised visitors and intruders? Perimeter security is a vital component in ensuring that sensitive data is safe from physical threat. The perimeter should be protected with appropriate security barriers and entry controls. (MR57) +PHSQ5 +PHSQ 5 +PHSQ4 How are your access control policies communicated? (Please tick all which apply) Policies are circulated to all staff Staff are briefed on their personal responsibilities Policies are centrally available Personal responsibilities may include wearing a pass at all times, escorting visitors and searching their work area if required. +PHSQ6 +PHSQ 6 +PHSQ5 Do you have procedures in place to screen incoming mail/deliveries for suspicious items? Delivered items can include letters, packets and parcels and may contain; explosive or incendiary devices, blades or sharp items, offensive materials, chemical, biological or radiological (CBR) materials or devices. Anyone receiving a suspicious delivery is unlikely to know exactly which type it is, so procedures should cater for every eventuality. (MR59) +PHSQ7 Page 41

+PHSQ 7 +PHSQ6 Have you considered the use of guard services to protect our information/equipment?, currently under consideration, planned for implementation, have been implemented Where guards are deployed the GSZ Manned Guarding Services Manual (part of HMG Security Policy Framework) is considered best practice. For more information see www.cabinetoffice.gov.uk/spf.aspx (MR60) +PERQ1 ADDITIONAL PERSONNEL SECURITY QUESTIONS Ser Mapping In Question Answers Guidance Material +PERQ 1 +PHSQ7 Do the HR policies and processes of your company consider the assurance of our data throughout the lifecycle of your employees? +PERQ 2 +PERQ1 Does your company provide guidance to all employees and agents, including contractors and service providers, on your policies and procedures for handling our information/equipment? +PERQ 3 +PERQ2 Are the staff in your company who handle our information/equipment required to pass BPSS and or CTC checks? +PERQ 4 +PERQ3 Does your company comply with the following principles when selecting which employees should be security vetted? (Please tick all that apply) BPSS CTC Neither Security vetting is necessary Security vetting is proportionate Security vetting adds real value Employees are a major factor in ensuring a secure site. The employee lifecycle covers staff right through their time with your company and beyond. This will include recruitment, selection, training and termination. Organisations must meet special handling arrangements where they apply and ensure that all staff handling such information understand these arrangements. (MR20) If you are unsure of security vetting requirements please discuss with your usual security contact (MR24) Mapping Out +PERQ2 +PERQ3 +PERQ4 +PERQ5 Page 42

+PERQ 5 +PERQ4 Do you keep a register of staff who have undergone the security clearance process which includes the following details? (Please tick all that apply) The type of security vetting clearances that have been undertaken The number of people who have undergone security vetting clearances The outcome of all internal and independent vetting appeals If you are unsure of security vetting requirements please discuss with your usual security contact (MR24) +PERQ6 +PERQ 6 +PERQ5 Do you have the following personnel security arrangements in place? (Please tick all which apply) Formal reviews of the need for National Security Vetting clearances Regular reminders to managers and individuals of their responsibility to inform the vetting authorities of any change in circumstance that may impact on the suitability to hold a security clearance If you are unsure of security vetting requirements please discuss with your usual security contact (MR24) +PERQ7 +PERQ 7 +PERQ6 Does your company give clear guidance to staff highlighting that deliberate or accidental compromise of protectively marked material may lead to disciplinary action and/or criminal proceedings? A clear and well communicated disciplinary procedure plays an important role in deterring deliberate or accidental mishandling of sensitive data. (MR21) +PERQ8 +PERQ 8 +PERQ7 Does your company undertake risk management assessments of specific employee roles in relation to personnel security controls and access to personal and/or business critical assets? Risk management assessments should consider all aspects of a particular employee role in order to assess where risk lies. This plays a vital role in identifying and mitigating risk to sensitive data. (MR22) +PERQ9 +PERQ 9 +PERQ8 Have the personnel security process in use by your company and within your supply chain, particularly in terms of security checking and vetting, been assured by audit and have any weaknesses identified have been +PERQ10 Page 43

rectified by prompt action? +PERQ 10 +PERQ9 Where members of your company and members of your supplier companies work on our contract are they required to sign confidentiality, or non-disclosure agreements, stating their responsibilities for information security? +PERQ 11 +PERQ10 Is a process in place to ensure that all your employees and the employees of supply chain companies, who make use of our information, surrender all of our information assets in their possession upon termination of their employment, contract, or agreement? +PERQ 12 +PERQ11 Are the access rights of personnel employed (either permanently, or temporarily) by your company and by your sub contractors removed upon termination of their employment in any role that has access to our information. +PERQ11 +PERQ12 IQ6 Page 44

Appendix C SIAT Question Map
[Figure: SIAT Question Map, V1.7. A flowchart running from Start through the IQ, GQ, PIQ, PQ, TQ, RAQ, IRMQ, GIRM, TIRM, PHSQ, PERQ, C and CQ question series to Exit, with Y, N, Y/N, Y(n), d/n and N/A branches between questions, and with PIQ branching on Cat A only, Cat B only, Cat A & B combined and >1K / <1K records. Key: Object (n) represents a qualifier; d/n means don't know; the marked object is the last question in a flow.]


Appendix D SIAT Tool Requirements Specification for IAAB Intellect Group

Introduction

Purpose
The purpose of this appendix is to define the requirements for software tool(s) to allow commercial suppliers to HMG to record answers to the Information Risk Return (IRR). The tool will be the mechanism for applying a standard assessment framework to assess the Information Assurance (IA) maturity of Government Departments, their prime contractors, and third party suppliers in the prime contractors' supply chains.

Document Conventions
This appendix relates to the assessment of IA maturity in the supply chain, using the following terms:
[Government] Organisation: Customer of outsourced services
[Prime] Contractor: Organisation in a contractual relationship with a Government Organisation for the provision of products or services
Suppliers in the Prime contractor's supply chain: Organisation in a contractual relationship with the prime contractor for the provision of products or services.

Intended Audience and Reading Suggestions
This appendix is intended for developers of tools that will enable the creation and management of the annual Information Risk Return (IRR) to the Cabinet Office. Other interested parties include those charged with the delivery of the IRR, including Information Asset Owners, Departmental Security Officers, and Security Managers. The appendix is intended to be technical and should therefore be read by Information Assurance professionals in conjunction with http://www.cabinetoffice.gov.uk/media/207318/hmg_security_policy.pdf and in particular Mandatory Requirement No 7.

Project Scope
The SIAT will deliver an ICT based mechanism to allow a Contractor (normally a commercial supplier to either HMG or another commercial entity supplying to HMG) to respond to a series of questions relating to its Information Assurance and Information Risk Management profile. This will then be supplied to the Department, who in turn will use it to populate the Information Risk Return required by the Cabinet Office. Although the overall process is keyed to the HMG annual reporting round, this mechanism may also be used by the Contractor as a regular and routine measurement tool for its internal business benefit. Indeed this exercise is expected to foster regular communication regarding information risk between the government organization and its prime contractor, as well as between the prime contractor and their suppliers. There is therefore a requirement to prepare individual assessments, and to aggregate assessments as determined by organizational level, for example by project, programme, organization, enterprise etc.

Overall Description

Product Perspective
The purpose of the tool will be to provide a mechanism for completing an assessment; this is depicted in figure 1.
Figure 1: IA Assessment in the Supply Chain

Product Features
The tool will comprise three key functions:
CAPTURE: Allows the input of answers based on a question set, and the import of separate assessments in a standard format.
RULES: Application of rules for the input, output and flow of questions within the tool, for example the application of different weightings to different inputs.
REVIEW: Allows an aggregated view of inputs by 3rd party supplier, prime contractor and government department, i.e. from individual to enterprise level.

User Classes and Characteristics
There shall be support for four types of users:
Contributors: User class that can contribute toward providing answers to the question set within the tool.
Signoff: User class with the ability to lock and sign off the responses in preparation for formal submission.
Reviewers: User class with the ability to review response(s) within the tool.
Sysadmin: Class with the ability to load and manage question sets, weightings and access classes.

Operating Environment
The tool should be capable of operating in Windows XP/2000 or more recent environments. If browser based access to the tool is provided then it should be compatible with all common web browsers, including Internet Explorer (v6 onwards), Mozilla, Firefox and Opera.

Design and Implementation Constraints
The solution must operate within all commonplace ICT operating environments, e.g. Windows, Unix etc. The resultant output from the solution must be exportable and importable to other environments and systems without involving executable content, thus avoiding any local system restrictions on such imports or exports. The solution must produce final results in a common standard XML form (see XML Schema), and be capable of importing results from other solution instantiations in the same XML form.

User Documentation
User documentation should include a user operating manual describing how the solution is designed to operate, details of the user interface, and how to move through the question set, enter data and record evidence items. This may be in the form of an online tutorial. There must be a real-time help facility selectable at any time during the operation of the solution. This should be similar in design to conventional help facilities, e.g. MS Word, and allow selection by subject, question or keyword. There must be guidance on the meaning of individual questions. This material will be provided as part of the question set, but will need to be available online, and selectable with the related questions.

Assumptions and Dependencies
It is assumed that the question set and default rules will be available to plug into the tool.

System Features
The system features are broken down into the three sections of the tool: CAPTURE, RULES and REVIEW.

Capture
Capture and reporting of periodic assessments of a service delivered by a supplier to a customer using a standard assessment framework (standardised question set):
A user interface to allow input
Configurable, extensible assessment framework
Progressive disclosure approach in capturing answers
Reassessment delta reporting
Version control and traceability of the assessment framework and the answers to questions
Import of assessment data set (via XML standard, see XML Schema) enabling interchange between software systems that support the assessment (data collection) process and the consistent determination of the assessment result
Individual Responses will be classified at IL2
Input and output in XML format (see XML Schema) with support for MS and Open Office
Ability for the tool to support a guidance page per question.

Rules
Import of assessment reports to allow for aggregated management reporting at the organization and/or enterprise levels, e.g. aggregation of project/programme views; aggregation of multiple supplier views; construction of the IRR
User-defined assessment aggregation rules to reflect organizational policy (e.g. weighting)
Aggregated assessments should not normally exceed IL3. Where they do, guidance should be sought from the contracting organization.
Allow the customer to modify higher/lower weighting.

Output
The tool must be capable of the following:
Allow printed output to be available in a variety of formats including XML, HTML, PDF, RTF, CSV and DOC, thereby enabling interchange between software systems that support the assessment (data collection) process and the consistent determination of the assessment result.
Provision of a mechanism to allow either an aggregated or individual view of return(s) by 1) question, 2) section, or 3) return(s). Where the aggregate view is selected, a flat weighting scheme is to be applied, as the triage process is expected to normalize the risk profiles of subcontractors.
Outputs to include a digital signature to verify the integrity of the question set.

External Interface Requirements

User Interfaces
The tool must be able to support the four user classes defined in User Classes and Characteristics. The system admin function must include the capability to:
Set up access privileges for specified roles, e.g. Reviewer, Contributor
Manage access privileges
Install authorized question set updates as provided
Install authorized revised weightings or scoring standards
Install authorized revised help or tutorial guides.
The tool should open with an instruction page containing details of how to use the solution. A Help button should be available here and on all screens throughout use of the tool. The initial opening page should include a Protective Marking drop down menu option; there should be no default here, a selection must be made. It must be possible to return to this option at any time during use of the solution and change the selection unless the responses have been signed off. There should then be a button entry to the assessment sections of the solution. This should include options to:
Start the assessment from the beginning
Move directly to a specific question location
Move directly to the location where Save and Return was last used.
The solution must allow for logical forward movement through the question set, but also the capability to return to any question by selection and change it as required. A Save and Return button must be available on all pages. A Save and End button must be available once all relevant input has been completed, but not before. A Signoff button allows the user with the appropriate privileges to lock the responses in readiness for submission. The presentation of the assessment sections of the solution should include:
The question
A score button with the option to display score options and their meanings
An option to link evidence in support of a score. This will open another screen to enable recording of links to evidence, a free flow evidence comment box, and a return button
A free flow comment box
A location indicator, showing the question thread that has brought the user to this point in the solution
A more information button that provides the space for question guidance to be displayed.
A reporting interface should be available with reports available in accordance with the defined access privileges, e.g. organizational reports available to individual reporting organizations, enterprise level reports available to those aggregating results from many sources.

Hardware Interfaces
The solution must operate on all commonplace hardware implementations, e.g. laptop, desktop PC, via corporate network etc.

Other Non-functional Requirements

Safety Requirements
N/A

Security Requirements
The requirement is to protect the input process during compilation, and to protect the final data set once complete. The system administrator role should allow the configuration of access controls. Access controls should be applied as follows:
On first use of the tool, there should be a mechanism that allows the user to securely save input and return later to complete a submission.
Once a submission is complete, access to the data set is to be restricted to the original inputting user and a specified set of other roles as defined by the business.
Subsequent use of the data set should be read only, including when imported into another solution instantiation.

Software Quality Attributes
The solution must be capable of providing source assessment data sets in the standard XML form required, such that other solution instantiations can import these data sets and report the same results. Similarly, the solution must be capable of importing data sets from other solution instantiations and reporting the same results. CBP software quality controls as appropriate to the selected solution should be applied during solution development. There is no specific mandate for security assurance certification of the solution. However, where a supplier deems it advantageous to provide this, a CCTM certificate would be appropriate.

Data Requirements
Input and output in XML format (see XML Schema) with support for MS and Open Office.

Process Requirements
Allow a reference/receipt to be shared between parties to confirm transmission of assessment data, so that the company name can be obfuscated within the assessment return.

Other Requirements
The tool must have the ability to show the details of why a respondent scored in a certain way, in order to identify areas for improvement. The solution must have an option to produce a paper version of the mechanism in a form that allows a user to complete the question set on paper. This option should include a mandated, user selected Protective Marking on all printed pages, and optionally the following:
print the initial instruction pages
print the question set and question guidance
print the question and answer data set
print the tutorial/help content.

XML Schema
While there is no unique XML schema to describe the data used in the SIAT tool, the following definition is proposed as the common standard for interoperability. The XML schema corresponds to a simple single level data structure such as would be used in a spreadsheet with a single tab. The schema has been used to store the SIAT questions and answers in both Microsoft Excel (XP / 2000) and OpenOffice Calc version 3.2. This schema stores both the questions and the possible and actual answers. Clearly, a further reduction in data volumes would be possible if only the actual answers were recorded and stored. Once further experience has been gained with the IRR questionnaire then the interested parties may choose to adopt a simpler, more compact, interoperable format.

<?xml version="1.0" encoding="utf-8"?>
<office:document>
  <table:table-cell table:style-name="ce1" office:value-type="string"><text:p>question Number</text:p></table:table-cell>
  <table:table-cell table:style-name="ce1" office:value-type="string"><text:p>mapping in</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>question</text:p></table:table-cell>
  <table:table-cell table:style-name="ce4" office:value-type="string"><text:p>number of possible answers</text:p></table:table-cell>
  <table:table-cell table:style-name="ce4" office:value-type="string"><text:p>type of answer</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>possible Answer 1</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>mapping out 1</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>score 1</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>possible Answer 2</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>mapping out 2</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>score 2</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>possible Answer 3</text:p></table:table-cell>
  <table:table-cell table:style-name="ce4" office:value-type="string"><text:p>mapping out 3</text:p></table:table-cell>
  <table:table-cell table:style-name="ce4" office:value-type="string"><text:p>score 3</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>possible Answer 4</text:p></table:table-cell>
  <table:table-cell table:style-name="ce4" office:value-type="string"><text:p>mapping out 4</text:p></table:table-cell>
  <table:table-cell table:style-name="ce1" office:value-type="string"><text:p>score 4</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>possible Answer 5</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>mapping out 5</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>score 5</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>possible Answer 6</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>mapping out 6</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>score 6</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>possible Answer 7</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>mapping out 7</text:p></table:table-cell>
  <table:table-cell office:value-type="string"><text:p>score 7</text:p></table:table-cell>
  <table:table-cell table:style-name="ce1" office:value-type="string"><text:p>possible Answer 8</text:p></table:table-cell>
  <table:table-cell table:style-name="ce1" office:value-type="string"><text:p>mapping out 8</text:p></table:table-cell>
  <table:table-cell table:style-name="ce1" office:value-type="string"><text:p>score 8</text:p></table:table-cell>
  <table:table-cell table:style-name="ce1" office:value-type="string"><text:p>possible Red Flag for answer number</text:p></table:table-cell>
  <table:table-cell table:style-name="ce1" office:value-type="string"><text:p>actual Answer</text:p></table:table-cell>
  <table:table-cell table:style-name="ce1" office:value-type="string"><text:p>actual score</text:p></table:table-cell>
  <table:table-cell table:style-name="ce1" office:value-type="string"><text:p>actual Red Flag</text:p></table:table-cell>
  <table:table-cell table:style-name="ce1" office:value-type="string"><text:p>remarks</text:p></table:table-cell>
  <table:table-cell table:style-name="ce1" office:value-type="string"><text:p>link to Guidance</text:p></table:table-cell>
</office:document>

Sample from the corresponding spreadsheet
Question Number | Mapping In | Question | Number of possible answers | Type of answer | Possible Answer 1 | Mapping out 1 | Score 1 | Possible Answer 2
1 | Start | What is the name of your company? | 1 | Free text | - | IQ2 | 0 | -
2 | IQ1 | Does your company have a named individual responsible for security? | 2 | - | Yes | IQ3 | 3 | No
3 | IQ2 | What are his/her contact details? Name, Address, Telephone, e-mail? | 1 | Free text | - | IQ4 | 0 | -
4 | IQ2&3 | What is the nature of the product or service your company provides for us? | 8 | - | Professional Services | IQ5 | - | Information and Communications Technology (ICT) Services

Appendix E - Criteria for selecting supply chain partners for self-assessment
The aim of this Appendix is to provide guidance on how to determine which sub contractors a prime contractor might wish to survey in order to identify the information risks associated with the delivery of a particular service to Government. The key consideration must be the degree of risk that a particular sub contractor might introduce into the delivery of the particular contracted service. The following criteria are provided as guidance on the factors that a prime contractor might wish to take into account:
CONFIDENTIALITY: Is the supplier required to be accredited under the List X scheme, or does the supplier routinely handle RESTRICTED or higher classifications of HMG information or routinely handle large volumes (>1000 records) of PROTECT level information, or would a breach in confidentiality cause reputational damage to HMG?
AVAILABILITY: Is the continuity of the supplier's service significant (>90% availability) or critical (i.e. >98% availability) to the delivery of an HMG service, or would a drop in or loss of information availability cause reputational damage to HMG?
INTEGRITY: Does the information processed by the supplier have to be >98% accurate, complete and/or up to date such that failure would compromise an HMG service, or would a drop in or loss of information integrity cause reputational damage to HMG?
SPEND: Is the overall proportion of spend with a supplier far more than that with other suppliers contributing to the delivery of the service?
SUPERVISION: How difficult is it to assess what the supplier does in terms of their IA? What frequency of contact do you have with them; are they, for example, located a considerable distance from your facilities, thus preventing close supervision?


Appendix F Example of Aggregating Results The Table below has been populated with fictitious data to highlight how some of the issues relating to the aggregation of results from suppliers for a particular service might be handled to produce a single aggregated score that can be provided to the Government Department contracting for the particular service. In populating this table it is assumed that work has already been undertaken to resolve as many of the Red Flag issues as possible. Supplier Scoring Grid Prime Contractor Sub Contractor A Sub Contractor B Sub Contractor C Sub Contractor D Sub Contractor E Aggregated IA Score for Service Delivered Section Max Score Red Flags Score Red Flags Score Red Flags Score Red Flags Score Red Flags Score Red Flags Score Red Flags Score Red Flags Comments IQ 15 4 15-12 - 15 - - - 11-13 13 - GIRM 7 1 6-6 - 7 - - - 6-5 6 - PIQ 16 4 13-0 - 15 - - - 14-13 13 - PQ 24 5 22 1 16 1 23 - - - 20-18 19 2 Comment Needed TQ 14 0 10-9 - 14 - - - 4-9 10 - RAQ 20 2 18 1 15-19 - - - 15-16 16 1 Comment Needed IRM 28 3 25-20 - 27 - - - 19-20 21 - C 21 0 16-14 20 - - - 15-14 15 - Totals 145 19 125 2 92 1 140 - - - 110-108 113 3 Notes 1. Prime Contractor. As would be expected the IA performance of the Prime Contractor is very good and there are few causes for concern. The Red Flags in the PQ and RAQ Sections relates to the Prime Contractor not receiving a copy of the Department s Information Risk Policy and not being asked to contribute to the Department s annual risk assessment process. 2. Sub Contractor A. Sub Contractor A only deals with Category A personal data and has less than 1,000 records, hence returns a zero score for PIQ. The Red Flag in PQ is because Sub Contractor A does not have an Information Risk Policy and there was insufficient time to resolve this issue before submitting the return to the Department. 3. Sub Contractor B. 
The results from Sub Contractor B appear to be unduly optimistic and they have refused attempts to get them to review their scores. As they have agreed to an on-site audit, they will be visited at the earliest opportunity. 4. Sub Contractor C. Sub Contractor C has produced a nil-return. This issue will be escalated through management and commercial channels to ensure that a return is completed. Page 61

5. Sub Contractors D & E. The remaining two sub contractors produced average results along the lines expected, apart from the TQ score from Sub Contractor D, which is well below the average.

6. Aggregating Results. The results from Sub Contractors B and C are eliminated from the aggregation process, and a rounded mean is then taken of the other scores, provided they are within 20% of the resultant mean. Clearly the PIQ result from Sub Contractor A is ignored. When aggregating the TQ scores, the low score from Sub Contractor D is outside the 20% tolerance and hence an arithmetic mean would be inappropriate. Sub Contractor D is a new contractor who has recently taken over responsibility for an aspect of the delivery of this service, so it can be expected that the level of training has not yet reached an acceptable level. From follow-up questioning it is known that they have programmes in place to redress this deficiency, and hence the decision is taken not to reflect their performance in the aggregated total, but to note the rationale for doing so. The aggregated return made by the Prime Contractor for this particular service to the contracting Department would then be along the lines of the following:

Supplier Scoring Grid

The Score and Red Flags columns give the aggregated IA score for the service delivered; the Max columns give the maximum score and the maximum number of Red Flags for each section.

Section   Max Score   Max Red Flags   Score   Red Flags
IQ           15             4           13        -
GIRM          7             1            6        -
PIQ          16             4           13        -
PQ           24             5           19        2
TQ           14             0           10        -
RAQ          20             2           16        1
IRM          28             3           21        -
C            21             0           15        -
Totals      145            19          113        3

Comments

PQ: One Red Flag is because we, as Prime Contractor, have not received a copy of your Information Risk Policy. The second is because one of our sub contractors has not yet issued their own information risk policy, but they will have done so within 3 months.

TQ: One sub contractor has only recently taken over responsibility for an aspect of the delivery of this service and the level of training has not yet reached an acceptable level. However, they have programmes in place to redress this deficiency and hence their scores are not reflected in the aggregated total.

RAQ: This Red Flag is because we, as Prime Contractor, have not been asked to contribute to your annual information risk assessment process.

Overall Comment: We determined that five of our sub contractors have sufficient involvement in the delivery of this service to warrant inclusion in this process. We received satisfactory returns from three of them and this return is based on their results aggregated with our own. Of the remaining two sub contractors, one failed to respond, and that issue is being addressed by our commercial staff; the other provided results which in our view were overly optimistic, so we have eliminated them from the aggregation process and intend to visit them to conduct an on-site audit.
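The aggregation rule in step 6 (eliminate rejected and nil returns, take a rounded mean of the remaining scores per section, leave out any score more than 20% from the mean and record the rationale) is shown below as an added Python illustration. It is not code from the framework. Assumptions: "within 20% of the resultant mean" is read as within 20% of the mean of all accepted scores for that section; Red Flags are summed across the returns kept for a section rather than averaged; a section missing from a supplier's return means that supplier has no involvement in it (as with Sub Contractor A and PIQ); and all supplier figures in SAMPLE_RETURNS are constructed to reproduce the PQ, TQ and PIQ rows of the grid. The section maxima are taken from the grid itself.

```python
"""Aggregate supplier IA scores for one service (added illustration, not
framework code). All supplier figures below are constructed."""
from dataclasses import dataclass, field
from math import floor
from typing import Dict, List, Optional, Tuple

# Section maxima as given in the Supplier Scoring Grid.
SECTION_MAX = {"IQ": 15, "GIRM": 7, "PIQ": 16, "PQ": 24,
               "TQ": 14, "RAQ": 20, "IRM": 28, "C": 21}


@dataclass
class Return:
    supplier: str
    scores: Dict[str, int] = field(default_factory=dict)     # section -> score
    red_flags: Dict[str, int] = field(default_factory=dict)  # section -> count
    status: str = "accepted"   # "accepted", "nil_return" or "rejected"
    note: str = ""             # reason when the return is not accepted


@dataclass
class SectionResult:
    score: Optional[int]       # None when no score survives the rule
    red_flags: int
    excluded: List[str]        # rationale for every score left out of the mean


def round_half_up(x: float) -> int:
    # Python's round() is round-half-to-even (round(2.5) == 2); a scoring
    # grid is expected to round 0.5 upwards.
    return floor(x + 0.5)


def aggregate_section(section: str, accepted: List[Return],
                      tolerance: float = 0.2) -> SectionResult:
    """Rounded mean of the accepted scores for one section, dropping any
    score more than `tolerance` away from the mean of all candidates."""
    max_score = SECTION_MAX[section]
    candidates = [r for r in accepted if section in r.scores]
    for r in candidates:
        if not 0 <= r.scores[section] <= max_score:
            raise ValueError(f"{r.supplier}: {section} score "
                             f"{r.scores[section]} not in 0..{max_score}")
    if not candidates:
        return SectionResult(None, 0, [])

    reference = sum(r.scores[section] for r in candidates) / len(candidates)
    kept, excluded = [], []
    for r in candidates:
        score = r.scores[section]
        if abs(score - reference) > tolerance * reference:
            excluded.append(f"{r.supplier}: {section} score {score} is more than "
                            f"{tolerance:.0%} from the mean of {reference:.2f}; "
                            "not reflected in the aggregate, rationale noted")
        else:
            kept.append(r)
    if not kept:
        # Scores so spread out that none sits within tolerance of their mean:
        # the rule yields no figure, so report None and let a person decide.
        return SectionResult(None, 0, excluded)
    score = round_half_up(sum(r.scores[section] for r in kept) / len(kept))
    flags = sum(r.red_flags.get(section, 0) for r in kept)
    return SectionResult(score, flags, excluded)


def aggregate_service(returns: List[Return], tolerance: float = 0.2
                      ) -> Tuple[Dict[str, SectionResult], List[str]]:
    """Per-section results for every section an accepted return covers, plus
    the rationale for returns eliminated outright (nil or rejected)."""
    eliminated = [f"{r.supplier}: {r.status} ({r.note})"
                  for r in returns if r.status != "accepted"]
    accepted = [r for r in returns if r.status == "accepted"]
    sections = [s for s in SECTION_MAX if any(s in r.scores for r in accepted)]
    return {s: aggregate_section(s, accepted, tolerance) for s in sections}, eliminated


# Constructed sample: Prime Contractor plus Sub Contractors A to E.
SAMPLE_RETURNS = [
    Return("Prime Contractor", {"PQ": 19, "TQ": 10, "PIQ": 13}, {"PQ": 1}),
    Return("Sub Contractor A", {"PQ": 20, "TQ": 10}),              # no PIQ involvement
    Return("Sub Contractor B", {"PQ": 24, "TQ": 14, "PIQ": 16},
           status="rejected", note="unduly optimistic; on-site audit planned"),
    Return("Sub Contractor C", status="nil_return", note="escalated via commercial channels"),
    Return("Sub Contractor D", {"PQ": 18, "TQ": 4, "PIQ": 13}),    # new supplier, low TQ
    Return("Sub Contractor E", {"PQ": 19, "TQ": 10, "PIQ": 13}, {"PQ": 1}),
]

if __name__ == "__main__":
    results, eliminated = aggregate_service(SAMPLE_RETURNS)
    for section, res in results.items():
        print(f"{section:5} max {SECTION_MAX[section]:3}  score {res.score}  "
              f"red flags {res.red_flags}")
        for line in res.excluded:
            print("      excluded:", line)
    for line in eliminated:
        print("eliminated:", line)
```

With the sample data the TQ row reproduces the worked example: the mean of 10, 10, 4 and 10 is 8.5, Sub Contractor D's 4 lies outside the 20% band and is dropped with its rationale, and the rounded mean of the rest is 10. PQ gives 19 with two Red Flags (one from the Prime Contractor, one from Sub Contractor E). Note that a single very low score pulls the reference mean down and can push a sound score out of the band; if that happens in practice, the returned rationale strings show which scores were dropped so the decision can be reviewed rather than taken silently.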



Glossary

AUP                     Acceptable Use Policy
BPSS                    Baseline Personnel Security Standard
Business Impact Levels  Risk levels as defined in IS1
CBP                     Commercial Best Practice
CCTM                    CESG Claims Tested Mark
CESG                    HMG National Technical Authority for Information Assurance
CET                     Culture, Education & Training work stream of ISAB
CISO                    Chief Information Security Officer
CO                      Cabinet Office
CO IRR                  Cabinet Office Information Risk Return
CTC                     Counter-Terrorist Check
DHR                     Data Handling Review
DPA                     Data Protection Act
DSO                     Departmental Security Officer
GPG                     CESG Good Practice Guide
HADRIAN                 Home Office assessment tool for commercial suppliers
HMG                     Her Majesty's Government
IA                      Information Assurance
IAAF                    Information Assurance Assessment Framework
IAMM                    Information Assurance Maturity Model
IAS#                    CESG Information Assurance Standard by number (#)
ICT                     Information & Communications Technology
Intellect               The leading trade association which serves to represent its members in the UK technology industry and HMG
IRM                     Information Risk Management
ISAB                    Information Security & Assurance Board
MR#                     SPF Mandatory Requirements by number (#)

Prime Contractor        A commercial entity who directly contracts with an HMG organisation
PSC                     Public Sector Council
RMADS                   Risk Management and Accreditation Document Set as defined in IAS2
SIAT                    Supply Chain IA Tools work stream of ISAB
SIRO                    Senior Information Risk Owner
SPF                     Security Policy Framework
Sub Contractor          A commercial entity who contracts to a Prime Contractor, or other sub-contractor, in delivering services to HMG organisations
SyOps                   Security Operating Procedures
TNA                     The National Archives

Customer Feedback

CESG Information Assurance Guidance and Standards welcomes feedback and encourages readers to inform CESG of their experiences, good or bad, with this document. We would especially like to know about any inconsistencies and ambiguities. Please use this page to send your comments to:

Customer Support
CESG A2j
Hubble Road
Cheltenham
GL51 0EX
(for the attention of IA Policy Development Team)
Fax: (01242) 709193 (for UNCLASSIFIED FAXES ONLY)
Email: enquiries@cesg.gsi.gov.uk

For additional hard copies of this document and general queries please contact CESG enquiries at the address above.

Your Name:
Department/Company Name and Address (PLEASE PRINT):
Phone number:
Email address:
Comments:

IA CESG
B2h Hubble Road
Cheltenham
Gloucestershire
GL51 0EX
Tel: +44 (0)1242 709141
Fax: +44 (0)1242 709193
Email: enquiries@cesg.gsi.gov.uk

Crown Copyright 2011. Communications on CESG telecommunications systems may be monitored or recorded to secure the effective operation of the system and for other lawful purposes.