"Aristi have become our trusted security advisor of choice, providing information security advice and guidance as and when we need it. We have built a strong working relationship with Aristi which has led to them having a good understanding of our organisation and it’s needs." Accreditor, The Office of Rail Regulation
The Office of Rail Regulation (ORR) is the independent safety and economic regulator for Britain’s railways. It’s principal function is to secure the safe operation of the railway system, and to protect both those working on the system and members of the public from health and safety risks arising from the railways. As an independent regulator, ORR operates within the framework set by UK and EU legislation and is accountable through Parliament and the courts.
The Cabinet Office’s Security Policy Framework (SPF) sets the mandatory standards by which government should comply with information and physical security. Government departments are required to submit an annual report showing compliance with the SPF, the first of which was submitted by ORR in June 2009. This annual report also includes an Information Risk Return section, which requires HMG’s Information Assurance Maturity Model (IAMM) to be completed. For the 2009 annual report, ORR as a non-ministerial government department was not required to complete the Information Risk Return section.
Cabinet Office informed ORR that it will be required to complete the Information Risk Return section for the 2010 annual report. A key requirement of the SPF involves the accreditation of a system that processes protectively marked data. This being a new area for ORR, a tender was issued to procure CLAS support to meet this requirement and provide ongoing advice and guidance over a three year period.
Aristi was selected as the trusted security partner and provided an experienced CLAS Consultant to help ORR through the accreditation process which involved a business impact assessment, a risk assessment in accordance with HMG IS1, production of a Risk Management and Accreditation Document Set (RMADS) and briefing the risk owner on the risks. To support the accreditation, Aristi was able to advise on secure architecture design, information security policies & procedures and security requirements for managed service providers.
Aristi continues to provide value to ORR by providing expert security advice on a number of business critical projects.