Information Assurance and Security
All businesses are dependent on the use of ICT and hold large volumes of valuable and commercially sensitive information that is at risk, whether from industrial espionage, financial fraud or human error. Security breaches have a number of consequences including:
- Unauthorised access and/or loss of personal data held by or on behalf of clients, resulting in breaches of privacy law obligations and, potentially, individual loss claims.
- Unauthorised access and/or loss of confidential information, which may amount to a breach of contract, loss of commercial advantage and/or breach of regulatory obligations with the risk of regulatory fines.
- Unauthorised access to financial systems leading to financial fraud and other forms of ransom attack that have direct financial consequences.
- Denial of service and similar disruptive attacks that prevent the use of operational systems and cause excessive service downtime.
- Attacks on operational control systems leading to physical damage to plant and machinery.
- Reputational damage caused as the consequence of any of these risks occurring.
Information Assurance and Security relates to the means of ensuring the confidentiality, integrity and availability of information to the legitimate user. It includes providing advice on Identity and Access Management, to ensure that the user has a legitimate right to access that information, including through the use of encryption and electronic signatures.
- Advising Symantec on national Certificate Policy and Certificate Policy Statements.
- Advising the Department of Health on the use of Advanced Electronic Signatures as part of its Identity and Access Management system and on its Certificate Policies.
- Advising the National Policing Improvement Agency on the establishment of a PKI system as part of its Identity and Access Management programme.
- Advising Land Registry on the establishment of a PKI system as part of its Identity and Access Management programme.