Information Security

Appropriate and cost-effective Information Security is more important now than ever before as organisations become connected to the Internet. Information is one of the most important assets to an organisation and a breach in confidentiality, integrity or availability could have a serious impact upon the ability to meet organisational objectives.

Information must be protected throughout its entire life span, from the initial creation through to the final disposal. During its lifetime, information may pass through many different information processing systems. Information and systems can be threatened in many different ways and to fully protect the information during its lifetime, each component of the information processing system must have its own protection mechanisms.

Evolve provides a full range of Information Security services to help ensure that the confidentiality, integrity and availability of information over its complete life cycle is maintained. They are available either as a stand-alone service or in conjunction with our traditional business consultancy.

BS7799 / ISO27001/2 and Government Requirements

Effective Information Security has always been a key consideration for all organisations, and its importance has been further reinforced through Government papers and the Cabinet Office mandate requiring all Central Government organisations to achieve compliance with BS7799, the British standard for Information Security best practice. BS7799 has since been adopted internationally: Part 1 (the code of practice) became ISO/IEC 17799 and was renumbered ISO/IEC 27002, and Part 2 (the certifiable management-system specification) became ISO/IEC 27001. References to "the Standard" below mean this ISO 27001/27002 pair.

The Standard groups its controls into the following areas, each of which should be covered by the risk assessment:

  • Security Policy;
  • Organization of Information Security;
  • Asset Management;
  • Human Resources Security;
  • Physical and Environmental Security;
  • Communications and Operations Management;
  • Access Control;
  • Information Systems Acquisition, Development and Maintenance;
  • Information Security Incident Management;
  • Business Continuity Management;
  • Compliance (legal, regulatory and contractual).

Because the business environment is constantly changing and new threats and vulnerabilities emerge every day, the process of risk management must be an ongoing iterative one that is repeated indefinitely. However, the choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure and the value of the information / asset being protected; not all information requires the same degree of protection.

In broad terms the risk management process consists of:

  • Identify assets and estimate their value; these include people, buildings, hardware, software, data (electronic, print, other), supplies.
  • Conduct a threat assessment that includes acts of nature (natural disasters, pandemics, etc.) and of war (including terrorism), accidents and malicious acts (originating from both inside and outside the organization).
  • Conduct a vulnerability assessment and, for each vulnerability, estimate the likelihood that it will be exploited. Evaluate current policies, procedures, standards, training, physical security, quality control and technical security.
  • Calculate the impact that each type of threat would have on each asset. Use both qualitative and quantitative analyses.
  • Identify, select and implement appropriate controls in order to provide a proportional response that takes into consideration cost effectiveness, productivity and the value of the asset.
  • Evaluate the effectiveness of the control measures to ensure that they provide the required cost-effective protection without discernible loss of productivity, and feed the residual risks back into the next iteration.
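The steps above carried through on a small constructed risk register, as an added worked example that is not part of the original page and is not Evolve's method or CRAMM. It assumes the common quantitative single loss expectancy / annualised loss expectancy (SLE/ALE) approach, and the asset values, threat rates, exposure factors, control costs and qualitative rating thresholds are all invented for illustration:

```python
"""Worked risk register: value assets, assess threats and vulnerabilities,
estimate impact, select controls proportionately, and rank what remains.

The SLE/ALE arithmetic is a standard quantitative method assumed for this
example; it is not the page's method, not CRAMM and not required by ISO 27001.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float          # value of the asset (currency units, constructed)
    threat: str
    aro: float                  # annualised rate of occurrence of the threat
    exploit_probability: float  # probability the vulnerability is exploited per occurrence
    exposure_factor: float      # fraction of asset value lost per successful event

    @property
    def sle(self) -> float:
        """Single loss expectancy: impact of one successful event on this asset."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised loss expectancy before any new controls."""
        return self.sle * self.aro * self.exploit_probability


@dataclass(frozen=True)
class Control:
    name: str
    asset: str
    threat: str
    annual_cost: float   # amortised purchase plus running cost per year
    reduction: float     # fraction of the current ALE the control removes (0..1)


def rate(ale: float) -> str:
    """Qualitative band for an annual loss (thresholds are an assumed policy)."""
    if ale >= 50_000:
        return "High"
    if ale >= 10_000:
        return "Medium"
    return "Low"


def evaluate(risks: List[Risk], controls: List[Control]) -> Dict[Tuple[str, str], dict]:
    """Per (asset, threat): SLE, ALE, rating, accepted controls and residual ALE.

    A control is accepted only if the expected annual loss it avoids exceeds
    its annual cost, i.e. a proportional response. Controls are applied in
    list order, each against the residual left by those accepted before it.
    """
    register: Dict[Tuple[str, str], dict] = {}
    for r in risks:
        key = (r.asset, r.threat)
        accepted: List[Tuple[str, float]] = []
        residual = r.ale
        for c in controls:
            if (c.asset, c.threat) != key:
                continue
            avoided = residual * c.reduction      # expected annual loss avoided
            net_benefit = avoided - c.annual_cost
            if net_benefit > 0:                   # cost-effective: accept it
                accepted.append((c.name, round(net_benefit, 2)))
                residual -= avoided
            # otherwise the asset does not warrant this spend; risk is accepted
        register[key] = {
            "sle": r.sle,
            "ale": r.ale,
            "rating": rate(r.ale),
            "controls": accepted,
            "residual_ale": residual,
            "residual_rating": rate(residual),
        }
    return register


def prioritise(register: Dict[Tuple[str, str], dict]) -> List[Tuple[str, str]]:
    """Asset/threat pairs ordered by residual ALE, highest first (next review's agenda)."""
    return sorted(register, key=lambda k: register[k]["residual_ale"], reverse=True)


# Constructed sample register (values invented for the example)
RISKS = [
    Risk("case file server", 500_000, "ransomware", aro=0.5, exploit_probability=0.4, exposure_factor=0.6),
    Risk("laptop case data", 150_000, "theft", aro=2.0, exploit_probability=1.0, exposure_factor=0.3),
    Risk("records office", 2_000_000, "flood", aro=0.05, exploit_probability=1.0, exposure_factor=0.25),
]
CONTROLS = [
    Control("offline backups", "case file server", "ransomware", annual_cost=12_000, reduction=0.7),
    Control("full-disk encryption", "laptop case data", "theft", annual_cost=10_000, reduction=0.9),
    Control("flood barriers", "records office", "flood", annual_cost=15_000, reduction=0.5),
]

if __name__ == "__main__":
    reg = evaluate(RISKS, CONTROLS)
    for key in prioritise(reg):
        e = reg[key]
        print(f"{key[0]} / {key[1]}: ALE {e['ale']:.0f} ({e['rating']}), "
              f"controls {e['controls']}, residual {e['residual_ale']:.0f} ({e['residual_rating']})")
```

Note what the output shows: the flood barrier is rejected because it costs more per year than the loss it would avoid, so the flood risk, though the smallest to begin with, ends up as the largest residual and heads the list for the next iteration of the cycle.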

All of Evolve's Information Security work complies with the Standard for the following reasons:

  • It provides a consistent framework of operations that covers all areas of information security (policy, legal and regulatory, physical and environmental, technical, personnel and business continuity);
  • The Standard's alignment with the HMG Manual of Protective Security ensures it is consistent with the mandatory requirements of a government organisation;
  • Our services are delivered by consultants qualified against the Standard.

We are founder members of the CESG Listed Advisor Scheme (CLAS) for security consultants and are approved by BSI to deliver ISO27001 consultancy services. Our consultancy team is at the top of this profession; it contains one of the first consultants in the country qualified to BS7799 Lead Auditor level and one of the country’s first OGC Management of Risk approved trainers. In addition to specialist affiliations many of our consultants are PRINCE2 accredited practitioners. Our success in the field of Information Security and Business Continuity Planning is based upon the expertise, experience and dedication of our people.

Furthermore, we are authorised to provide security consultancy under the OGC Buying Solutions approved supplier framework.

Our Services

  • Risk Assessment and Management (including CRAMM, the UK government preferred risk method). Our consultancy team includes one of the country's first approved trainers in the OGC Management of Risk (MoR) method, and our approaches to risk assessment and management are fully informed by this method;
  • Security Policy development consistent with BS7799 (ISO27001) and HMG Manual of Protective Security;
  • Security Analysis, which also extends to physical and environmental security when looking at secure installations;
  • BS7799 (ISO27001) compliance strategy development and implementation through to full certification and compliance confirmation through the use of qualified BS7799 (ISO27001) Lead Auditors;
  • Systems and Network Audit including familiarity with COBIT;
  • Secure network and system design service based around technical risk analysis and security requirements specification;
  • Network penetration testing using CHECK trained personnel;
  • Risk Management and Accreditation Document Set (RMADS) production using CLAS consultants;
  • GSi connectivity support using CLAS consultants;
  • Compliance with HMG Baseline standards and associated CESG documentation and Memoranda (e.g. Manual V);
  • Specification and management of the implementation of technical security solutions such as PKI, VPNs, Remote Access, switches, routers, intrusion detection and firewalls consistent with CESG best practice standards;
  • Voice and telephone security including VoIP security and secure video conferencing;
  • Wireless security including specification of Manual V IPSec based solutions;
  • Advice on biometrics, identity management applications and the provision of technical support to ensure smooth and secure integration with existing applications;
  • Compliance with appropriate legislation such as Data Protection and Freedom of Information;
  • Content Management policy development and specification of technologies to support effective policy deployment;
  • Training in BS7799 (ISO 27001), Business Continuity Planning, Privacy legislation and bespoke technical courses such as network security, including firewall design, encryption, VPN, routers and switches, remote access and wireless;
  • Assurance Services – Increasingly as public sector organisations outsource their IT, there is a risk that tight security control might be compromised through management of IT residing outside the business. We provide independent technical security expertise to work on behalf of our clients to ensure that outsourced IT service providers are delivering security consistent with contractual obligations and government standards;
  • Physical and environmental security, including counter-terrorist work, assessment of security control requirements and guarding;
  • Expertise in building construction and resilience assessment.

Our Clients

Our work for organisations such as Crown Prosecution Service, Ministry of Justice, Home Office, Northern Ireland Court Service, Dept for Transport, IPCC and many others has resulted in tangible security and business related benefits for these clients. We are also very proud of the fact that we have taken Northern Ireland Court Service to full organisation wide certification to ISO27001. We understand that this is the largest certification in central government to date.
