Dave Gorshkov ICT Sector Champion May 2010 Enterprise and Cyber Security: Emerging Applications

Upload: cebit-australia

Post on 22-Jan-2015


Page 1: Enterprise Dave Gorshkov UK Trade and Investment

Dave Gorshkov, ICT Sector Champion

May 2010

Enterprise and Cyber Security: Emerging Applications

Page 2: Enterprise Dave Gorshkov UK Trade and Investment

Information Security a UK perspective

UK Trade & Investment

Office of Cyber Security - Vision

Areas of Vulnerability - Security breach information

UK opportunities

– Enterprise

– G-Cloud

– Government ‘Apps store’

Security Standards - The importance of ISO 27001

Additional Information Sources

UK Research

Page 3: Enterprise Dave Gorshkov UK Trade and Investment

Who are UKTI?

Government organisation managed jointly by Foreign & Commonwealth Office (FCO) & DBIS

Close partnership with the MoD through the DSO.

Comprises the UK government’s trade and inward investment promotion activity

Close partnership with 12 regional agencies

(9 RDA’s and 3 DDA’s)

Page 4: Enterprise Dave Gorshkov UK Trade and Investment

Why the UK?

Major Enterprise and Consumer markets

Ideal platform for global growth

6th largest global economy

Strong IT policies from government

“The UK is the gateway, and most important market in Europe. If it succeeds here, it trickles elsewhere”

David Yarnton, MD – Nintendo UK

Page 5: Enterprise Dave Gorshkov UK Trade and Investment

UK Cyber Security vision

VISION:

Citizens, business and government can enjoy the full benefits of a safe, secure and resilient cyber space: working together, at home and overseas, to understand and address the risks, to reduce the benefits to criminals and terrorists, and to seize opportunities in cyber space to enhance the UK’s overall security and resilience.

Reduce risk from the UK’s use of cyber space. Exploit opportunities in cyber space and improve knowledge, capabilities and decision-making.

Dr Steven Marsh, Office of Cyber Security.

Page 6: Enterprise Dave Gorshkov UK Trade and Investment

UK Cyber Security vision

To address the UK’s cyber security challenges, the Government will:

• Establish a cross-Government programme to address the following priority areas in pursuit of the UK’s strategic cyber security objectives:

– Safe, Secure & Resilient Systems

– Policy, Doctrine, Legal & Regulatory issues

– Awareness & Culture Change

– Skills & Education

– Technical Capabilities & Research and Development

– Exploitation

– International Engagement

– Governance, Roles & Responsibilities

• Work closely with the wider public sector, industry, civil liberties groups, the public and with international partners;

• Set up an Office of Cyber Security (OCS) to provide strategic leadership for and coherence across Government;

• Create a Cyber Security Operations Centre (CSOC) to: actively monitor the health of cyber space and co-ordinate incident response; enable better understanding of attacks against UK networks and users; provide better advice and information about the risk to business and the public.

Page 7: Enterprise Dave Gorshkov UK Trade and Investment

Computers have evolved enormously over 50 years

– They are much more user-friendly

– They are connected to one another and many devices

– They have become vulnerable to information leakage

Yet people are still the cause of most security breaches

Information Security Challenges


Off-shore Data Centres

Increase leakage risk

More Outsourcing

Increase leakage risk

LapTop/Stick Protection

Damages/Losses

Secure Comms

Secure eMail

Resilient DataCentres

Riots, Strikes, Terrorism etc

Public Conversations

Eavesdropping

Staff Culture

More than awareness

Working in Public Places

AnyTime, AnyPlace

Content

Environment

People

Page 8: Enterprise Dave Gorshkov UK Trade and Investment

UK Info Security – Breaches Survey 2008

Source: BERR – IS Breaches Survey 2008

Annual survey of companies by BERR

– Department for Business Enterprise & Regulatory Reform

Page 9: Enterprise Dave Gorshkov UK Trade and Investment

UK Opportunities

Page 10: Enterprise Dave Gorshkov UK Trade and Investment

UK opportunities - Enterprise Products, Software & Services

UK is the largest European market for IT products and services.

The domestic market is growing faster than other major European markets as a result of:

– Government investments across local and central government and healthcare - UK government spends over $26BN (USD) pa on IT services across all of its government departments and has stringent cyber security requirements

– the UK’s very successful financial services market based not only in and around London but also in key insurance and banking centres such as Norwich, Swindon, Cardiff and Edinburgh

– investments by major retailers such as Tesco, M&S, DSGi and Kesa as well as newer on-line retailers make the UK a key area for retail and payment related security technology.

UK Overview

Page 11: Enterprise Dave Gorshkov UK Trade and Investment

UK opportunities - Enterprise Products, Software & Services

Autonomy, Capita, Logica, MiSys, Northgate, Sage, and many other indigenous UK firms operate alongside international investors from Accenture, HP and IBM to Steria and Tata Consulting Services, Infosys, Mindtree and HCL.

Social & Business Networking websites have attracted some 7 million UK users who already spend more time on-line than citizens of any other EU country;

LinkedIn, one of the leading business social network sites, recently set up its first non-US operation in UK

2nd Life and Bebo, as well as many other International social networking sites are based in the UK.

The UK is also the main centre for online media and online retailing sites making it a major area of opportunity for cyber security projects.

UK Commercial landscape

Page 12: Enterprise Dave Gorshkov UK Trade and Investment

Government Cloud (G-Cloud)

Page 13: Enterprise Dave Gorshkov UK Trade and Investment

Government Cloud (G-Cloud)

12 new data centres housing *all Government services

Introduction of Government applications store ‘G-Store’

Common applications, platforms and OS

Core capabilities, storage and security

Consolidation of existing data storage and operational services to new centres

More involvement of SME’s in provision of ‘G-Store’ apps

* All government departments CIO’s (400) will transition services within next 5yrs to the G-Cloud with the exception of Defence and Intelligence service.

Page 14: Enterprise Dave Gorshkov UK Trade and Investment

G-Cloud

UK G-Cloud - 12 data centres constructed in 5 yrs

– Central

– Regional

– Local

– Criminal Justice

– Health

– Education

– Defence

– Transport

Page 15: Enterprise Dave Gorshkov UK Trade and Investment

Technology for Government Services

Investing around £17 billion pa in technology, especially to make government services more accessible, responsive and more efficient.

G Cloud data centre initiative worth £3.2Bn over next 5 years

Five key growth areas

– Shared services to simplify supply chains

– Outsourcing and off-shoring

– Mobile and flexible working

– Government ‘Apps store’

– The green agenda

Major departments effectively outsource much of their ICT spend.

– Pressure to reduce number of suppliers

Top 20 suppliers account for around £12 billion (70%);

long tail of over 1000 suppliers for remaining 30%

.GOV

Page 16: Enterprise Dave Gorshkov UK Trade and Investment

Technology for Enterprise

Increasing use of online validation systems and capabilities for the ‘digital consumer’ and ‘digital enterprise’ client

Introduction of software based 2FA and Mutual Authentication based capabilities

Opportunities to improve mobile enterprise solutions vulnerability and security

.CO.UK

Page 17: Enterprise Dave Gorshkov UK Trade and Investment

Technology for Government Services

Eight key sub-sectors

– Central

– Regional

– Local

– Criminal Justice

– Health

– Education

– Defence

– Transport

Page 18: Enterprise Dave Gorshkov UK Trade and Investment

Standards, Certifications & Training

BSI Global – National Standards Body

CESG – National Technical Authority for Information Assurance

ITGovernance – Certification & Training

SANS Institute – Certification & Training

etc

Page 19: Enterprise Dave Gorshkov UK Trade and Investment

The importance of ISO 27001

Page 20: Enterprise Dave Gorshkov UK Trade and Investment

Public sector acknowledgement of ISO27001

Managing information risk

Information is a key asset to Government and its correct handling is vital to the delivery of public services and to the integrity of HMG. In striking the right balance between sharing and protecting data.

Departments and Agencies must manage business impacts and risks associated with Confidentiality, Integrity and Availability (C, I & A) of all information. The Information Assurance (IA) functions that support the protection of Government Information and Communications Technology (ICT) Systems are:

– risk management,

– accreditation,

– standards and compliance.

The importance of IA to public service delivery has been demonstrated by the publication of National IA Strategy; this policy supports this strategy.

The International Standard for Information Security Management Systems (ISO/IEC 27001) is acknowledged as good practice and this policy is aligned to that standard.

Page 21: Enterprise Dave Gorshkov UK Trade and Investment

MANDATORY REQUIREMENT 32

Departments and Agencies must conduct an annual technical risk assessment (using HMG IA Standard No.1) for all HMG ICT Projects and Programmes, and when there is a significant change in a risk component (Threat, Vulnerability, Impact etc.) to existing HMG ICT Systems in operation.

The assessment and the risk management decisions made must be recorded in the Risk Management and Accreditation Documentation Set (RMADS), using HMG IA Standard No.2 – Risk Management and Accreditation of Information Systems.

Further Guidance

When handling personal data there is a further requirement to conduct a risk assessment every quarter; please refer to HMG IA Standard No.6 – Protecting Personal Data and Managing Information Risk.

Page 22: Enterprise Dave Gorshkov UK Trade and Investment

Approaching ISO27001 certification

Some of the most common questions pertaining to the 27000 series of standards relate to the certification process for ISO27001.

The process starts when the organization makes the decision to embark upon the exercise.

It is important to ensure management commitment and then assign project responsibilities.

– An organizational top level policy can then be developed and published.

– This can, and will normally, be supported by subordinate policies.

The next stage is particularly critical:

– Scoping defines which part(s) of the organization will be covered. Typically, it will define the location, assets and technology to be included.

At this stage a risk assessment is necessary, to determine the organization's risk exposure/profile, and identify the best route to address this.

The document produced will be the basis for the next stage - the management of those risks.

A part of this process will be selection of appropriate controls with respect to those outlined in the standard (and ISO27002), with the justification for each decision recorded in a Statement of Applicability (SOA).

The controls themselves should then be implemented as appropriate.

The certification process itself can then be embarked upon via a suitable accredited third party.

Page 23: Enterprise Dave Gorshkov UK Trade and Investment

Additional Information Sources

Page 24: Enterprise Dave Gorshkov UK Trade and Investment

UK: Some useful networking groups

Intellect – Security & Privacy group

A group set up to represent the views of IT organisations operating in the security and privacy markets and to provide members with guidance around current data concerns.

Intellect – Security & Resilience group

The group's work includes thought leadership, policy consultation and market/business development strata, building strong relationships between the technology industry and policymakers, customers and end users across the many sectors and markets involved in security and resilience.

Knowledge Transfer Network - Cyber-Security

We are a single focal point for UK Cyber Security expertise, to collaboratively identify universal challenges and develop effective response, influence UK investment strategy and government policy, accelerate innovation and education, harness and promote UK capability internationally and help improve the UK security baseline.

South East England Development Agency - Security Knowledge & Innovation Network

Security KIN seeks to catalyse collaboration between representatives of the knowledge base and business in order to bring new innovation security solutions to market. It does this by:

– Integrating and mobilising the Region's security industry

– Linking regional security industry with the relevant regional knowledge base

– Facilitating the Region's security industry and knowledge base to work together to develop innovative new products and services, taking advantage of UK Government, EU and other research funding opportunities

Page 25: Enterprise Dave Gorshkov UK Trade and Investment


UK: Access to UK Networks (software)

Our sophisticated business environment connects technologists, creatives, entrepreneurs, financiers, in a range of active business networks

– British Computer Society

– British Application Software Developers Association

– Business Software Alliance

– CBI

– GSM Association

– Institute of Chartered Accountants in England & Wales

– Institute of Directors

– Institution of Engineering & Technology

– Intellect

– Internet Service Providers Association

– Knowledge Transfer Networks

– Mobile Data Association

– National Computing Centre

– National Microelectronics Institute

– Society for Information Technology Management

And many regional / local organisations

Page 26: Enterprise Dave Gorshkov UK Trade and Investment

UK Events: Information Security

Key Events

– IA10 - The Government IA Symposium of 2010 London, UK

– IFSEC 2011 Birmingham, UK

– Infosecurity 2011 London, UK

Page 27: Enterprise Dave Gorshkov UK Trade and Investment

UK Research

Page 28: Enterprise Dave Gorshkov UK Trade and Investment

UK Research: Information Security

Key UK research groups active in information security include:

– Bristol: Cryptography & Information Security Research Group

– Cambridge: Computer Laboratory Security Group

– Glamorgan: Information Security Research Group

– Kent: Information Systems Security Research Group

– London: City University: Next Generation Networks Research Group

– London: Imperial: Intelligent Systems & Networks

– London: Royal Holloway: Information Security Group

– London: UCL Department of Computer Science: Information Security Research Group

– Newcastle: Centre for Software Reliability

– Nottingham: School of Computer Science & Information Technology

– Oxford: Computing Laboratory

– Plymouth: Information Security & Network Research Group

– Southampton: School of Electronics & Computer Science

– Surrey: Centre for Communications Systems Research

– York: Department of Computer Science

Page 29: Enterprise Dave Gorshkov UK Trade and Investment


Access to Collaborative R&D - ‘R’

Engineering and Physical Science Research Council (EPSRC)

– Seven UK Research Councils invest around £2.8B pa

– EPSRC is principal funder for ICT R&D

– University academic requests funds to cover the cost of the research at the university.

– The project partner can make a contribution of any size, either in cash or in kind.

– IP negotiation is with the University

– 40% of EPSRC projects are collaborative

– Projects are typically c.£300K over three years

EPSRC’s current portfolio of projects can be found and searched at:

http://gow.epsrc.ac.uk/GrantsPortfolio.aspx

More guidance on collaborating with EPSRC can be found at:

http://www.epsrc.ac.uk/Business/Funding/CollaborativeProjects.htm

Strategic partnership with EPSRC on a topic of mutual interest

– Typically, requires a company to offer c.£1-5M to fund university research on a topic that EPSRC is willing to match fund.

Page 30: Enterprise Dave Gorshkov UK Trade and Investment

Access to Collaborative R&D - ‘D’

Technology Strategy Board (TSB)

– Provides funding and support for industry and academic collaborations

– £8 million for collaborative ICT projects – developing technologies to support better networked business

– IP developed within the project is the property of the consortium

– Up to 50% of company costs and 80% of academic costs funded by programme

– All of company's eligible costs for the project - whether paid for by its own contribution or by this programme - attract R&D tax credits at the large company rate.

EU’s FP7 programme

The European Commission framework programme is the EU’s main instrument for funding research and development. The programme has an R&D budget in the region of 75 billion for 2009-2015.

Page 31: Enterprise Dave Gorshkov UK Trade and Investment

R&D Tax Credits

What is considered R&D?

A basic definition is "work to resolve scientific or technological uncertainty aimed at achieving an advance in science or technology". Advances include new or improved products, processes and services.

Broader innovation in products, processes and services (e.g. proprietary content, non-technical design or developing other non-technological unique selling points) is not considered R&D.

As a rule of thumb, developing information or other 'content' is not R&D, but developing the means to deliver 'content' can be R&D.

Companies can claim R&D Tax Credits for revenue expenditure on:

– Employing staff directly and actively engaged in carrying out R&D,

– paying a staff provider for staff provided to the company who are directly and actively engaged in carrying out R&D,

– Consumable or transformable materials used directly in carrying out R&D (broadly, physical materials which are consumed in the R&D), and

– Power, water, fuel and computer software used directly in carrying out R&D.

Who can benefit from R&D tax credits?

All companies with qualifying spending over £10,000 (US$18,800) a year on R&D are entitled to a deduction when calculating their taxable profits of:

– 130% of qualifying expenditure for large companies,

– reducing the company's UK corporation tax bill accordingly,

– with no upper limit.

Large companies apply under the large company scheme.

Smaller companies may qualify for 175% of costs as a tax break

Between April 2000 and April 2005 around 17,000 claims for R&D tax credits were made with around £1.3bn of support claimed.

Page 32: Enterprise Dave Gorshkov UK Trade and Investment

UK Trade & Investment (UKTI)

Page 33: Enterprise Dave Gorshkov UK Trade and Investment


UK Trade & Investment (UKTI)

Our free and confidential investment services include:

– Information - comparing UK & European market statistics

– Advice on talent and technology – where and how to find it

– Support to find value-adding partners in UK

– Advice on locations - help finding sites that match your needs; practical help to set up your business in UK

– Advice on finance – signposting routes to investment capital

– Advice on growth - ongoing business support to help you set up in UK and access new markets from your UK base

– Operational insights - practical advice and information on how to optimise your UK business

– Representation – feedback to UK Government

Our subsidised trade support services include:

– A Passport to Export Scheme

– Overseas Market Information Service (OMIS)

– Inward and outward trade missions

– Overseas Exhibitions Programme

– Tailored individual company overseas visit programmes

– One-to-one meeting events in UK

– Seminars and networking events in UK

UKTI is the UK Government organisation that helps business locate in UK and grow internationally

Page 34: Enterprise Dave Gorshkov UK Trade and Investment


Contacts

Dave Gorshkov

ICT Sector Champion

Business Group

UK Trade & Investment

Kingsgate House

66-74 Victoria Street

London SW1E 6SW

Tel: + 44 77611229872

[email protected]

Carrie England

Inward Investment Manager

UK Trade & Investment

British Consulate-General Sydney

Level 16, The Gateway

1 Macquarie Place

Sydney NSW 2000

Australia

+61 (0)2 8247 2234

[email protected]

Page 35: Enterprise Dave Gorshkov UK Trade and Investment

[email protected]

Thank You for your attention.

Questions?