Convince your board: How to prepare your business for List X

DaveJames23 1,868 views 12 slides Aug 10, 2017

About This Presentation

Get up and running as a List X company much quicker. Hints and tips on the pragmatic steps you can take. Practical advice for government suppliers.


Slide Content

Pragmatic steps to quickly get you
up and running as a List X company
Convince your board…
Prepare your business for List X

Ascentor: Convince Your Board
Are you interested in becoming a List X company?
Then this Slideshare is for you. Ascentor has a great deal of experience
helping companies prepare for List X and managing the process.
It has been produced by Ascentor as part of a series of “Convince Your
Board” presentations.
We help organisations stay safe through information risk management –
and equip suppliers to deliver projects and bid for contracts more
successfully. Our public and private sector customers rely on our pragmatic
and business focused approach to their cyber security and information
assurance challenges.
The concept is to use any of the slides as you see fit - with the aim of
convincing your board of the importance of topics related to Information
Risk Management.
Ascentor - August 2017
Please note: This Slideshare is provided free of charge and for information purposes only. Any
steps taken as a result of the information contained are at your own risk.

How to use this presentation
We explain what List X is - and how to obtain sponsorship.
We then talk you through the five tips it would be
advantageous to have addressed before you start the
process.
You’ll find links to other sites for more detail, where
appropriate.
We conclude with links to additional Ascentor List X
content and our contact details, should you wish to know
more.
Thank you for viewing this presentation - we hope it will
help convince your board of the value in preparing your
business for List X status.
How to prepare your
company for
achieving List X

So what exactly is List X?
The term refers to contractors or subcontractors that have
been placed on the List X database. So, how do you get on
this list?
You’ll have a contract, usually with the Ministry of Defence
(MOD), that requires you to store, on your own premises,
government assets classified as SECRET or above, or
international partners’ (e.g. NATO) information at
CONFIDENTIAL or above.
The term ‘List X’ is the UK equivalent to Facility Security
Clearance (FSC) used in the rest of the world.
If you are bidding for (or expecting) such a contract, you
should seek List X status - but there’s a catch. You can’t
apply - you have to be ‘sponsored’ by a Contracting
Authority (CA).

Obtaining List X sponsorship
Companies must be ‘sponsored’ by the CA that intends
passing them classified information.
The CA can be:
• A UK government body;
• An existing List X company;
• Overseas government or defence contractors;
• NATO.
The CA will detail the security aspects of the List X
requirement e.g. what classified information is to be held
and why.
As the MOD is the CA for the majority (85%) of List X sites,
the whole process is managed by the MOD Defence
Equipment & Support (DE&S) Principal Security Advisor
(PSyA) based at Abbey Wood, Bristol.

Tip 1: Understand why you need List X
There’s a difference in requirements depending on
whether it’s a UK or foreign contract. You’ll need to
understand what your contract involves as follows:
UK contracts: The requirement will be stated in a contract
from the UK government CA and will be accompanied by a
Security Aspects Letter (SAL) that details the types of
information you will need to hold and their associated
sensitivity.
Foreign contracts: The requirement may just be in the
contract security requirements. The CA is responsible for
gaining appropriate assurance in your suitability to hold
classified assets, e.g. SECRET and above for UK.

Tip 2: Meet the basic company requirements
List X companies are required to maintain a minimum of 50%
British nationals on the Board of Directors (See Industrial Security –
Departmental responsibilities).
In addition, the following positions must be in place before List X
can be awarded - they also provide confidence to the List X
inspectors that an appropriate security governance framework is
already in place.
• Board Contact;
• Security Controller;
• Clearance Contact;
• IT Installation Security Officer.
These roles are covered in more depth on the Ascentor website.
Depending on the type of contract, you may also need to appoint
an ATOMIC Liaison Officer and/or a Crypto Custodian. Full details
for the different roles and responsibilities are available from the
Security Requirements for List X Contractors.

Tip 3: Assess your information risks and develop a security improvement plan
Being a List X company means having good security
practices embedded in your everyday working for the
whole company.
It is about maintaining good risk management around
physical, personnel, procedural and technical security.
Follow a recognised standard that is likely to be known by
the List X assessors such as ISO/IEC 27001:2013. Alternatively,
try putting together a security plan to identify areas for
improvement.
You may like to consider the Centre for the Protection of
National Infrastructure’s (CPNI) guidance for the protection of
critical assets against security threats.
Following such a plan will not only reduce your
company’s overall security exposure but also introduce
measures that will be required as part of the List X process.

Tip 4: Define the physical space to be used
Having a clear understanding of where you intend to
create the List X physical space will help you get the
security requirements in place before the contract is
awarded.
When assessing the most appropriate space you should
consider the following:
• Boundary controls such as CCTV, approved doors, windows, locks etc.
CPNI provides advice and guidance about the types of physical
security barriers that are required.
• The alarm system will need to be from a reputable company,
preferably NSI approved with an adequate response time (normally
within 20 minutes).
• Depending on the types of sensitive asset held, there may be a
requirement for security furniture such as secure server racks,
document safes, shredders etc.

Tip 5: Prepare the IT system
Depending on your level of confidence in winning a List X
contract, you may like to prepare the IT system that is likely
to be used in the contract.
If you are likely to be required to produce written reports at
SECRET, you will need to set up an appropriate IT system.
Whatever solution you design, it will need to be accredited
by Defence Assurance and Information Security: defence
industry/List X.
Assessing the accreditation requirements of the IT system
before achieving List X will give you a head start on the
accreditation process and allow you to get up and running
much more quickly.
If your contract is with the MOD, your corporate IT system
will also need to comply with Cyber Security Model
requirements. See the Ascentor blog on the subject.

Summary
Ascentor’s opinion is that achieving List X should not be a
major challenge as the security requirements these days
are equally applicable to any business working with
sensitive information in the cyber marketplace.
However, the successful implementation of List X depends
on the commitment of the people charged with carrying
out their responsibilities.
That’s why we believe this commitment should sit at
Board level. This will allow good security practices and
controls to be given the organisational profile and
resources needed to be adopted - and gain maximum
security benefit.

Additional List X information
The full article ‘How to prepare your company for achieving
List X'
Ascentor’s guide to List X Roles and Responsibilities
Ascentor’s most popular List X article ‘List X Explained’
Ascentor can help
Should you wish to gain further security advice on List X or just generally
improving your company’s cyber security maturity, then please contact
Dave James, MD at Ascentor.
Email: [email protected]
Office: 01452 881712
Web: www.ascentor.co.uk
You might also like to keep in touch with Ascentor by receiving our
quarterly newsletter and following us on LinkedIn and Twitter.