Large UK Public Sector Body

Sopra Group Provides Information Security Assurance Services To A Large UK Public Sector Body

For all Government systems, regardless of whether the information that they are handling is public domain, sensitive or Protectively Marked, there are minimum requirements which must be met in order to ensure that an adequate and effective information assurance framework is in operation, supported by appropriate people, process and technology security controls.

Sopra Group's security division acts as the sole provider of CESG IT Health Check services to a UK-wide Public Sector Body.  These services are provided under a security services framework and provide the organisation with assurance over the effectiveness of their security controls.

Sopra Group provides network and application assurance services for all systems in use across this Public Sector organisation on a project-by-project basis.  To date, the security experts have had extensive involvement in providing assurance throughout the systems development lifecycle for a number of critical National systems.

Solution

Reporting to the Head of Information Security, Sopra Group has provided CESG Check Teams to conduct comprehensive early stage development lifecycle security services, including threat modelling and rigorous pre-production network and application security testing.

The delivery of all these services is managed by a dedicated Service Delivery Manager who, as a previous Check Team Member and experienced CLAS Consultant, not only ensures that all deliverables are placed in the context of the risk to the organisation and their key assets but also ensures that all activities carried out take full account of existing and emerging HMG Policy and Guidance.

Benefits

By retaining the expertise of Sopra Group's security experts through a framework agreement the customer has seen many benefits including:

  • Identification of application security vulnerabilities within the development lifecycle, allowing these issues to be addressed and the system accredited before it went into service
  • Independent, accredited third-party assurance of application security
  • On-tap specialist security expertise and resources available when required
  • A flexible delivery model for efficient deployment of specialist resources during project lifecycle
  • Pragmatic risk-based reporting
  • Value-added services and ad-hoc advice from Sopra Group's Service Delivery Team.

Example Project

Sopra Group security experts were engaged to carry out a detailed application security health check followed by an open system review for a new critical system.

As part of the security assurance programme, Sopra Group identified a series of serious security flaws in the application which could have exposed potentially confidential data in the system and provided a launch pad for further attacks behind the security perimeter.

To resolve this, the Sopra Group team worked closely with the client's security team to provide security controls guidance for the development team.  Additionally, the client's security team sought to gain further assurance by deploying additional defence-in-depth tactical security controls.

To achieve this, Sopra Group helped the client to identify a suitable control in the form of an application security firewall deployment, which had the additional benefit of providing a mechanism to counter future application security threats without taking the application off-line.

Benefits

Once deployed, the application security firewall not only provided the client with protection against the most common application security vulnerabilities but also provided the following value-added benefits:

  • increased application availability
  • more granular application security control
  • improved web application performance
  • simplified on-going application and infrastructure management.

Copyright © 2001-2008, Sopra Group. All rights reserved.