Within the Public Sector, Police Forces and Local Authorities are subject to a number of cyber and information security compliance requirements. These requirements usually depend on their particular function, along with the network resource they wish to use, such as the Public Service Network (PSN). Maintaining compliant levels of security, and having the resources available to achieve that compliance, is often a challenging area for Public Sector bodies, which are sometimes subject to severe resource constraints.
To overcome this, some bodies in South Wales have chosen to amalgamate their IT support services, which is being delivered by the Shared Resource Services Wales (SRS). As a result, Gwent Police, Monmouthshire County Borough Council, Torfaen County Borough Council and Blaenau Gwent County Borough Council all have their IT support services managed by the SRS. The SRS is a collaborative technology provision, underpinned by a Memorandum of Understanding that enables the groups to have a single management structure across the board. The model is one that is now heavily encouraged through the Welsh Public Sector Technology Strategy. The SRS has a host employer for all SRS staff, a single mechanism for managing the entire delegated budget, a single plan of audit and a single governance structure, which includes cyber and information security.
For Nigel Stephens, Assistant Chief Officer of Resources, who is responsible for the cyber and information security service, this style of arrangement meant managing the requirements not only of Gwent Police, but also those of each council, each of which has its own dedicated Senior Information Risk Owner.
Initially there was a significant struggle around resourcing the cyber and information security function, since attracting the right calibre of individuals at the right price in this industry is challenging.
This could quickly impact the cyber and information security operations of each organisation, leaving them struggling to cope. Rather than leave it to chance, the organisations sought the support of an external cyber and information security company that also had industry experience of the public sector, its risk profiles and its compliance requirements.
Challenging Threat & Compliance Landscape
Each organisation has its own compliance requirements, which needed to be delivered by the central cyber and information security function that Nigel is responsible for. This included ISO27001:2013 certification, four annual PSN compliance audits, one PSNP compliance requirement and three PCI DSS compliance processes. There were also a number of technical security requirements that needed to be delivered, along with re-establishing governance frameworks to manage and report on cyber and information security operations.
In Nigel's words:
“Gwent Police had lost our information team and a lot of our security team, so we needed to ensure that we got a provision in quickly. We initially conducted a procurement process via G-Cloud and subsequently went out to formal tender and Bridewell Consulting were successful”.
“Bridewell now provide a fully outsourced cyber and information security service to Gwent Police and three other partner organisations. They are also helping us with the new PSN requirements for policing, and supporting our local partners who have very similar requirements”.
“Together we have been able to combine our needs and find a single provider in Bridewell, who have delivered an outstanding service to date.”
One Step At A Time
Because the requirements of Gwent Police were so complex and specific, Bridewell provided one of their expert CESG Certified Professional consultants to work on-site with not only the director of the police, but the senior leadership across all involved councils and organisations.
By working with all of these bodies, Bridewell were able to ensure that their ISO27001:2013 certification was retained. They also delivered a number of strategic technical improvements that drastically reduced the Police's and Councils' attack surface, and created an improved set of policies, procedures and processes, all within the first year.
Once the initial issues were handled, Bridewell continued to provide the service, driving security improvements across all platforms in collaboration with the SRS, ranging from compliance improvements to security operations and penetration testing.
“With a range of different skills and expertise within the IT security world needed, we got the flexibility wrapped around that with Bridewell. They offer a professional, responsive security service and they do provide a range of other services specifically around other security areas required, which proves cost effective and I think that for me is the nub of it, they know what they’re doing, they do a good job and we’re not paying through the nose.”
But it wasn't all smooth sailing. SRS operate and deliver services using an Agile delivery method which, whilst working well, wasn't initially integrated with information security, so it was difficult to track and manage the work being performed for security and maintenance activities, such as patching.
However, the team at Bridewell worked closely with the SRS to get security activities integrated into the Agile sprints, and developed a weekly reporting system that provided the directors with all the information they needed on progress against the key activities that had been commissioned.
Nigel also commented that Bridewell solved a number of challenges for him, including personnel related issues:
“I think it's significant in that Bridewell solve personnel challenges by providing the complete set of skills required dependent on task and also ensure their knowledge is current and up to date, as well as having the capacity to provide knowledge transfer to many individuals. Bridewell can provide an extensive service in the areas of knowledge and expertise, that is obviously required. We wouldn't, as individual small organisations, be able to afford the range of expertise provided to effectively deliver all the services required.”
Efficiency Through United Leadership
Of course, operating across a Police Force and three Local Authorities isn't always simple, and many things could easily get lost in translation. To avoid this, and to ensure all parties' needs were met, Bridewell created an Information Security Leadership Board, which engages all senior executives within the Police and the Local Authorities. This allowed Bridewell to engage with each organisation on a regular basis to collaborate on and manage strategic requirements, driving real cyber and information security improvement.
“Bridewell is delivering Information Security Services, both from a leadership perspective and Technical IT Operations Security, working with the SRS to secure our infrastructure, applications and mobile solutions.
Basically, everything that needs a connection into the PSN for the councils. They provide a full range of services to ensure that we configure and operate the technology in accordance with NCSC guidance and good practice.”
Nigel added that this level of support had been particularly invaluable for him:
“All four organisations are involved in information security services and actually collaborate on many things, which allows all of our IT to be delivered from a single, secure data centre. Bridewell has been able to provide an information security team based from that site, working with the SRS to ensure our security requirements are being delivered.”
Protecting The Protectors
While Gwent Police spend their days protecting the people of Gwent, they rely on modern technology to support policing, and it is critical that this technology is protected from vulnerabilities, malware and hacking attempts.
Through working with Bridewell, Gwent Police have also been able to manage this responsibility effectively, receiving timely identification, advice and guidance to mitigate some of the well-known industry threats and vulnerabilities that have emerged, such as WannaCry, Petya and, more recently, the KRACK vulnerability.
“Naturally, we do face hacking attempts, and we are very much aware of our vulnerabilities. Bridewell ensures that when any one of the partner defence systems is attacked, we've got coverage across all four of the partner organisations.” During the course of all these industry scares, the Police and Local Authorities have managed to deal with them effectively, working collaboratively with the SRS.
“Bridewell report very clearly, so I get a weekly report on the progress that they have made for all four partners as I manage the contract. They support and drive security leadership meetings, which I chair on behalf of the four partners and are clear on progress and how the support program is working”.
“Overall, Bridewell have been worth their weight in gold, I am impressed with their philosophy and approach; and in all seriousness, the relative amounts that each individual partner pays towards the service means it offers very good value for money.”
Bridewell have a broad portfolio of services, covering Cyber Security, Technology Risk, Information Security and Assurance, Penetration Testing and Data Privacy. To discuss how Bridewell could assist your organisation with your requirements, just get in touch with us today.