CASE STUDIES

Aprose Risk has vast experience delivering a competent, approachable and reliable service across high-criticality and commercial clients. These case studies from our engagements in the Defence, Police and Finance sectors demonstrate our ability to secure projects in tight timescales and to the highest standard.

UK Defence Client

Aprose Risk are currently providing the lead cyber security capability to ensure the protection of over 3 million personal data records within the UK Defence sector, by undertaking regular risk assessments and ensuring a robust risk management regime is in place.

The project is mandated to undergo formal independent Accreditation, which provides assurance that the security and risk management regime fully complies with the UK and International Cyber Security Policy, and that risk assessments are at the heart of the security capability. Furthermore, Aprose Risk ensures that defence standards, legislation and guidance are adhered to. Recently, Aprose Risk has introduced the RESILIA Cyber Resilience best practice to the programme to ensure resilient capability.

Aprose Risk were engaged to assist with the early stages of the bid response. As an integral part of that response, our consultants attended multiple requirement definition workshops focused on the security of the new capability and the risk-based approach we would follow.

Integral to the security response within the bid documentation was the definition of a security and accreditation strategy aligned with the defence client’s business objectives, captured in a Security Management Plan (SyMP). The SyMP detailed the risk assessment and management methodology the project would adopt, the roles and responsibilities of the risk assessors, the frequency of the risk assessments and the security governance hierarchy that would act on the risk assessment output as part of a wider risk management framework.

To support and oversee the risk assessments and the progress of the security strategy, a weekly Security Working Group (SWG) has been established, attended by key Defence security and risk stakeholders and by additional subject matter experts as required. Results of risk assessments are fed into this forum and risk treatments are tracked.

The regular Risk Assessments are conducted in accordance with UK Information Assurance Standards and are documented in the Risk Management and Accreditation Document Set (RMADS). The risk assessment process begins with a Business Impact Assessment to identify critical assets; through liaison with the Accreditor and the Senior Information Risk Officer, the risk appetite is then defined and understood. To identify the applicable threat actors and sources, formal Threat Assessments are incorporated into the Risk Assessments. These define the sources with a desire to breach the security of the system and the individuals in a position to perform an attack. The results of the Threat Assessments are then used to identify the impact and likelihood of threat actors breaching the security of the system. The risk assessment outputs feed into the Risk Treatment Plan, which defines security controls to reduce, reject, assign or accept each risk, ensuring the residual risk is within the previously defined risk appetite.

This consultancy engagement is ongoing, with go-live expected in Q4 of 2016, so the closure aspects of the engagement have yet to be delivered. However, the high profile of the programme means that the ongoing governance provision incorporates regular feedback on the delivery of our obligations and on the effectiveness of risk management.

In line with our recent adoption of the RESILIA Cyber Resilience best practice, we formally incorporate a continual improvement process to ensure that our delivery of security and risk assessment capability meets the Authority’s objectives and that our risk treatment recommendations remain aligned with their risk appetite.

UK Police Service

Aprose Risk were contracted via a Tier One service provider to deliver security architecture design services, CLAS Accreditation and CHECK penetration testing services to the project (total project value of approximately £400 million) in support of the design, configuration, assurance, delivery and security accreditation of an integrated IT Facilities Management (FM) solution for a UK Police Service operating at Business Impact Level 2 (PROTECT) and Business Impact Level 3 (RESTRICTED).

The solution is designed to provide a secure means of sharing information, allocating FM work requests, tracking completion and issuing and receiving payments between the UK Police Service, the solution provider and approximately twenty smaller (second tier) service providers that connect to the solution through untrusted endpoints. The solution operates through logically segregated IL2 and IL3 data repositories, with redacted data sets shared between user communities. User communities have varying levels of access on a ‘need to know’ and ‘proven business requirement’ basis. The solution operates a protective monitoring capability, compliant with UK cyber security standards, within a secure network operations centre (SNOC) designed and developed by Aprose Risk in conjunction with the service provider’s technical teams.

Aprose Risk consultants were deployed into the service provider’s delivery team and were employed as the service provider’s security and accreditation subject matter experts, Accreditor and engagement leads.

In these types of engagements, our approach is to break down the project’s ultimate objective of achieving full security accreditation into individual milestones with clearly identifiable and documented criteria for achievement. These milestones are designated as accreditation decision points (ADPs). Each ADP has a security-critical deliverable attached (e.g. risk assessment, penetration test or assurance plan). These ADPs are integrated into the overall programme plan and closely aligned with the delivery schedule. By integrating them in this manner, Aprose were able to ensure that both the Police Service and the service provider’s programme management team had complete visibility of progress, and that complementary workstream activity was closely aligned.

Throughout the engagement, Aprose operated with complete transparency towards their partners and were always open about technical, assurance and security challenges. To support open dialogue and ensure stakeholder views were fully considered, we set up and ran the project’s security working group (SWG). The SWG was the main forum for all project stakeholders to openly discuss issues, overcome challenges and ensure the delivery team clearly understood business priorities. It also served as the platform for presenting penetration test results and the mitigation actions required to ensure all vulnerabilities were appropriately addressed.

Full security accreditation of the solution was completed in March 2014 in accordance with the original project forecast and all eight ADPs were completed on target. The SWG continues to operate as a means of ensuring open dialogue and transparency between the service provider and the Police Service, and the delivery of the live service continues.

The business benefits to the UK Police Service are numerous: the accuracy, granularity and reliability of management information available to the internal property services business units have increased, and contractor efficiency has improved through better resource and task allocation and oversight via the centralised management of work orders and the monitoring of task completion. Additionally, the solution enables the UK Police Service and service providers to share protectively marked information across a diverse range of user communities with varying risk levels, from internal users working in a low-risk, secure environment to higher-risk FM service providers working from untrusted endpoints on their local networks. The solution is currently running at full operating capacity and will continue to deliver service in a secure and efficient manner for at least the next seven years, which is the duration of the current contract.

UK Financial Organisation

Aprose Risk were engaged by a UK Financial Organisation to develop their Cyber Security Strategy, undertake threat and risk assessments and create and implement Security policy documentation. These activities would ensure compliance with the Prudential Regulation Authority (PRA), with an objective to be granted approval to trade.

Aprose began by running a number of workshops to identify risks to each area of the business including the capture and documentation of threat vectors and attack methods in compliance with best practice.

In accordance with the international risk management standard ISO 27005, each threat was assessed on the likelihood of occurrence, the impact to the business unit and the overall organisation, the effort in man-hours, the cost to prevent and to correct, and the method (if any) by which it could be mitigated. The results of this work were then overlaid onto the PRA licensing requirements so that prioritised risk treatment work could begin.

Essential to the prioritisation effort was an understanding of risk appetite within the different areas of the business, which included the identification of critical assets, services and products. Aprose developed a framework and method by which surveys were conducted across the organisation to identify critical information assets and services. The results were collated, a risk score was assigned to each asset, and each was assessed within the context of the overall risk appetite.

As part of the mitigation work, Aprose helped the organisation develop its overall security strategy. Once the strategy had been produced, Aprose created bespoke policy documents in areas such as identity and access management, risk assessment, vulnerability and patch management, secure software development, and monitoring and alerting. All risk treatment recommendations were aligned with the organisation’s risk appetite.

Aprose successfully assisted the financial organisation in gaining an interim licence to trade and helped to develop the risk framework and security strategy for the business to use going forward. This will significantly support the achievement of their full operating licence.

To date all deliverables have been delivered on target and the cyber security posture of the financial organisation has been significantly enhanced. Due to the success of this engagement, Aprose has subsequently been retained to lead them through Cyber Essentials and ISO 27001:2013 certification.
