The culture and approach to how cyber security is addressed in organisations needs to change. Cyber security is often viewed in a silo, or added retrospectively rather than being part of the organisation's standard delivery processes. This does not give organisations the best chance to keep their business operations secure.

At QinetiQ, we are helping organisations to advance their digital resilience towards a business-systems-level view, integrating cyber security into standard delivery processes and enabling a context-aware security culture, so that they become secure by design.

A central concept of Secure by Design is that security risk management needs to be embedded throughout the whole lifecycle of system development from inception to design, implementation and service. Our Secure by Design approach will lead to the delivery of more secure business operations through better integration, simplified and consistent processes, clearer guidance, more flexibility and empowered decision making.

Security engagement model

We use a standard engagement model, which has proven successful across a number of projects and clients in both Government and industry. The security engagement model is illustrated in the figure below.

[Figure: Security engagement model]

Security Discovery

Working closely with the client, we identify key systems and services, and the ‘As-Is’ position, from a security architecture perspective. We cover organisational security culture including governance and risk, technical security, monitoring, and incident response. The discovery exercise examines existing cyber-security artefacts relating to IT environments, and the business services they support, including both on-premises and cloud systems.

Security Modelling

A Security Model depicts, from a security perspective, the proposed set of security domains, environment, connections, users, and potential attackers for the agreed scope, including both internal and external agents. The Security Model can represent an ‘as-is’ or a ‘to-be’ model for the system in question. Security Models allow us to work with the client to explore the system or project from a security perspective, exposing its users, interconnections and risks.

Processes, Procedures and Standards

We advise on the security governance aspects, including Processes and management arrangements, Procedures and Technical Security Standards in place for an agreed scope, along with the level of compliance with relevant security standards. This is all done within the context of a compliance regime.

Technical Security Architecture (TSA) and Security Designs

We produce a Technical Security Architecture (TSA) showing major sub-systems, security protocols and enforcing functions, data flows and interfaces, user groups, and data, grouped by business function. NCSC’s CAF is typically used as a guiding framework for the TSA and the required Security Controls are derived from NIST 800 series documents.

Security Architecture Patterns

We produce high level design patterns for required security subsystems, such as Cross-Domain Solutions (CDS), Identity and Key Management systems, and monitoring services.

Threat and Risk Analysis

System-level threat and risk assessments are undertaken at various times through the life of the project. These are aligned to the Security Model and TSA, and are presented in the form of spreadsheets and reports. The risk assessment highlights key areas of high risk to the project, such as attacks arising from Cross-Domain Connections. We recommend remediation or improvements to security posture, such as more assured Cross-Domain Solutions (CDS). We incorporate outputs from the above activities to provide a combined view of security risk to the organisation.

Secure by design principles

This paper aims to provide clarity and demonstrate the very real and practical benefits of a Secure by Design future... and the risks, costs and problems caused by prevarication or inaction. 

Key Benefits

  • Visualise and understand cyber risk across all domains at an enterprise level
  • Integration of cyber security into standard delivery processes
  • Security risk management embedded throughout the whole lifecycle of system development
  • Creation of resilient business operations
  • Reduced complexity and increased operational pace through the delivery of standard outputs
  • Regulatory frameworks used to improve security rather than just compliance

Why QinetiQ?

We have a large team of in-house Cyber specialists, supported by an extensive supplier network of Subject Matter Experts to provide specialist expertise on projects and programs beyond security architecture where required. Through our in-house staff and extensive partner network, we have access to Security Information Risk Advisors and Security Architects cleared to SC or higher.

  • ‘Best Expert’ approach using partner ecosystem, enabling agility & sustainability
  • In-house SQEP resources, with experience of technology domains including monitoring, and IT and OT knowledge and expertise
  • Proven delivery model for MOD, Government and Industry
  • Familiarity with Traditional and Agile approaches to project delivery
  • Core team consistent throughout project life, with supporting resource as required
  • Understanding of working to constraints: no two systems are the same, especially when dealing with specialised environments with high security needs
  • Cutting edge security tools and methods