2T Security Objective:
To ensure that the risks across the ResilienceDirect (RD) Service, handling real-time incident data sharing for all Emergency responders, were identified, understood, and managed in a way that did not result in security being seen as a barrier.
2T Security Outcome:
We have implemented a risk register which is managed alongside the existing project management, in collaboration with the RD Team and the suppliers for the RD Programme. By hosting monthly calls with each supplier we track progress against risks in an agile manner. The results of penetration tests have also been reviewed in line with the risk assessment to ensure consistency of approach.
The UK’s only secure web Service for exercising, planning, response and recovery
RD was established in March 2014 to provide a secure Service for information sharing and collaborative working between the different emergency services, relevant private sector organisations (such as utility companies), and central and local government. In 2017, 2T Security was brought in to provide risk assessment services using its innovative RiskTree® process. We visited each RD supplier, running Risk Discovery Workshops to create attack trees for each application, and then blended these to create an overall risk assessment report for the RD Programme. Since then, we have responded to changes in the supplier community by running further workshops to update the attack trees and ensure that the report is up to date and includes all current risks. Since 2020 we have reviewed security monthly with each supplier, providing an opportunity to discuss any updates and changes and their potential impact. 2T Security is a long-term trusted adviser to various government departments, and viewed as a safe pair of hands. We were entrusted with the security for the RD programme because of our robust reputation and delivery expertise.
Services that we have provided include:
- Risk assessment and management – using our RiskTree process we have continually identified, assessed, and prioritised the risks across all the RD Suppliers.
- Risk reporting – we create and maintain the security risk assessment report, and have prepared and presented excerpts from this to Cabinet Office senior management.
- Physical security audit – we have visited supplier sites and discussed their site security as part of the review.
- Security management – we review security on a monthly basis to track progress of risk mitigation work with suppliers, and provide an opportunity for them to raise any security related questions.
- Security liaison – we liaise with the National Cyber Security Centre’s representative for RD to ensure alignment of advice.
- Pen test review – we have worked alongside the RD team to review the scope and results of penetration testing of the RD applications and provided advice on mitigation.
- Analysing the implications of implementing multi-factor authentication in the RD environment.
- Established a strong focus on security across all RD suppliers.
- Identified previously unknown risks, made recommendations for mitigation, and tracked these through to completion.