Integrated GRC Project

The Integrated Governance Risk and Compliance (iGRC) project brings together Governance, Risk and Compliance management capabilities with Information Security 'Sensors' through the GRC interoperability protocol (GRCiP), an open standard intended to provide new integrated, real-time network monitoring and control capabilities.

SITC Support Provided

SITC has been involved in supporting this project right from the outset: the project idea was conceived during a SITC Networking Dinner and developed through a SITC GRC SIG Event in September 2008 and a Consultation Demonstration in January 2009 supported by SITC and CPNI. SITC then supported the development of a consortium to bid in response to the UK Government-funded Technology Strategy Board Information Infrastructure Protection Call in March 2009 and subsequently supported a bid for SEEDA top-up funding to ensure the £1.7M Project got the go-ahead in March 2010. SITC also bid for and secured additional SEEDA Funding for extra sensor SMEs to link up with the project and used this to fund projects by seven iGRC Associates by March 2011. SITC also continues to participate in the Project's Advisory Group and Project Quarterly Reviews.

Core Consortium Members:

The following core consortium members received grant funding from the TSB and SEEDA to deliver the core iGRC research, concept demonstrator and operational capability project.

Information Governance Ltd

InfoGov is a specialist governance, risk and compliance software development company. Its principal product is Proteus Enterprise, an enterprise-wide, multi-standard, web-based compliance and risk management framework.

Role: GRC Project Manager & GRC Lead

InfoGov project-manages the iGRC consortium and has introduced methods for automating control status and threat levels to improve situational awareness. An iGRC™ configuration is GRC technology coupled to network sensors via the open GRCiP protocol, so that a threat is recognised at an early stage through automated changes of control status and threat level, and measures can be taken to avoid it. iGRC™ offers an insurance policy for CEOs who want assurance that critical controls are intact and that measures are in place to keep the probability of high-impact risk events low.

Assuria Ltd

Assuria provides IT security configuration assurance, compliance, log management and protective monitoring solutions to organisations in more than 30 countries worldwide.

Role: Sensors Lead

Assuria leads the joint research on the network sensors, detectors and monitors required to implement a comprehensive information infrastructure threat and vulnerability management framework and system. A GRCiP XML schema is being developed and has been installed in Assuria's and Nexor's sensor products, so that they report a range of security-related information, including state and event changes that are non-compliant with standards such as ISO 27001 and PCI DSS. This GRCiP XML schema is the basis of the GRCiP standard interface to and from multiple sensor feeds. A technically viable dynamic iGRC framework and system is being developed, capable of delivering inter- and intra-network audits and evaluations against current standards, regulations and service levels.

HP Enterprise Services

HP creates new possibilities for technology to have a meaningful impact on people, businesses, governments and society. The world’s largest technology company, HP brings together a portfolio that spans printing, personal computing, software, services and IT infrastructure to solve customer problems.

Role: End User Requirements

HPES draws on its extensive public and private sector expertise and experience as a major provider of IT outsource services. Through targeted interviews with operational subject matter experts, HPES has brought an operational perspective on the present approaches employed to manage the complexity, risk and resilience aspects of secure information infrastructures. It has reviewed extant and emerging cyber threats and vulnerabilities, assessed people, process and technology gaps and influencing factors, postulated future modes of operation, recommended pragmatic transition steps for iGRC solutions, and identified the business benefits that will accrue from iGRC implementation.

Nexor Ltd

Nexor is a leading provider of information assurance solutions to defence and government agencies.  Founded in 1990, Nexor connects, transforms and protects sensitive information to ensure trusted access and secure interoperability.

Role: Sensor Specialist

Working with Assuria, Nexor has developed a comprehensive information infrastructure threat and vulnerability management framework and system. The GRCiP XML schema is being developed and installed on Nexor's sensor products, so that they report a range of security-related information, including state and event changes that are non-compliant with standards such as ISO 27001 and PCI DSS. This GRCiP XML schema is the basis of the GRCiP standard interface to and from multiple sensor feeds. A technically viable dynamic iGRC framework and system is being developed, capable of delivering inter- and intra-network audits and evaluations against current standards, regulations and service levels.

Birkbeck University

Birkbeck is a vibrant centre of academic excellence, renowned for its world class research where over 90% of its academics are research active.

Role: Cyber Security Management Context

Birkbeck University has conducted Cyber Security SLEPT and SWOT Analyses and a Cyber Security Decision Analysis, which are being integrated within the research carried out by the members of the Consortium. The multi-disciplinary SLEPT and SWOT analyses draw on existing cyber security knowledge and provide managers with a means to develop robust corporate strategies through effective environmental and infrastructural risk assessment. This helps guide top management in putting in place effective risk, governance and compliance monitoring and evaluation systems and programmes. A Strategic Marketing Management Framework is being produced that identifies unmet needs and priorities for developing iGRC product and service capabilities, and their commercialisation.

Cranfield University

Cranfield Defence and Security (CDS) is made up of three academic departments of which the Department of Informatics and Sensors specialises in research and research-led education and training in defence and security-related disciplines focussing on information collection, management and exploitation.

Role: End User Requirements

Cranfield is working with HPES to research End User Requirements in order to inform the iGRC IS requirements definition.   Through targeted interviews with operational subject matter experts, they are developing an academic analysis of the present approaches employed to manage the complexity, risk and resilience aspects of secure information infrastructures, extant and emerging cyber threats and vulnerabilities, people, process and technology gaps and influencing factors.  They are developing generic process templates to inform end-user operational establishment of the iGRC IS.

Loughborough University

Loughborough was awarded the coveted Sunday Times University of the Year 2008-09 title and has received six Queen's Anniversary Prizes. The Engineering Systems of Systems Group brings its expertise in supply chain analysis to the consortium.

Role: Supply Chain Management

Research findings have been shared with audit experts who are carrying out the requisite operational analysis to develop the controls and metrics necessary for sustained, network-wide GRC management. This work contributes to the existing systems solutions by making the complexity controllable and more manageable through the introduction of modelling approaches: a Supply Chain Risk Structure Model that describes the system determining the causes and effects of supply chain risks, and a Supply Chain Risk Dynamics Model that models the possible dynamics of risk development. These models are being integrated into a Supply Chain Reference Model process framework. Additionally, Soft Systems Methodology (SSM) is being applied for problem solving and to obtain a common understanding of the project's concepts and terminology, which will be implemented through ontology and semantic systems.

Associate Member Projects:

The following Associate Members of the iGRC Consortium received grant funding from SEEDA, through SITC, to develop complementary innovative network sensor capabilities capable of being integrated with the core iGRC Project.

First Cyber Security Ltd

Developers of technology to increase trust in the internet by authenticating websites with S.O.L.I.D. Authentication® and validating the use of trademarks and logos on web sites with SOLID 3PV technology.

Project: Anti-Phishing Analyser Integration

The SOLID RTI Analyser is a server application that analyses the internet looking for specific criteria that suggest fraudulent or phishing websites. For example, Proteus could send a request for web sites that mention a particular brand, product, or even a music or film title, and the SOLID RTI Analyser would report back the suspicious web sites it detected that match a complex profile, filtered to remove genuine and duplicate entries.

Abatis (UK) Ltd

Developers of HDF® (Hard Drive Firewall), a security product that proactively prevents malicious software (malware) infection and protects against hacker intrusion using a unique generic method that needs neither signature file updates nor regular maintenance.

Project: A Filesystem Layer Sensor

HDF's implementation gives it an overall view of disk Input/Output activity on a computer system, and it can be configured to run in 'monitoring mode' or 'enforcement mode'. In both modes HDF writes an audit record of each I/O decision and its details to a text log file, and it can be enhanced to forward that log to another log repository or to an information security management system such as Proteus. HDF thus gives Proteus and other cooperating devices a real-time overview of all disk I/O activity on a computer asset. This timely information helps an IPS or security event handling application detect and characterise malicious activity and system anomalies.

Amethyst Cryptographic Services Ltd

ACS offers a series of fully managed cryptographic services to its customers.

Project: Cryptographic Services Integration

The aim is to understand the extent to which the managed encryption services provided by Amethyst Cryptographic Services (ACS) can be integrated with the iGRC framework and system. A short white paper is the anticipated output. Should such integration be considered feasible and of benefit to the aims of the iGRC consortium, the obvious further development would be integration testing, to which end ACS has a dedicated and portable test rig that could be made available for this purpose.

Aditech Ltd

Experts in the supply of Iris Recognition technology and solutions where accurate identification of an individual is paramount.

Project: Iris Biometric Authentication Integration

To illustrate the capabilities of Iris Recognition technology and the impact of integrating into large database applications. 
Phase 1 - Investigation into the DB API and best method for interfacing with iGRC application.
Phase 2 - Development of iGRC interface application, documentation and log events for onward reporting to the iGRC ISMS.
Phase 3 - Integration of application and testing with the iGRC framework via Assuria Log Manager (ALM) software. 

Inqlab Ltd

Inqlab is building new technologies that augment existing systems, adapting and improving their capabilities so that they can become resilient and thrive in the event of risk occurring.

Project: Nimbi Intrusion Detection Integration

Our aim is to implement and integrate the iGRC XML framework within the 'Nimbi' environment so that status change information can be exchanged between the Nimbi sensor platform and the iGRC system.

The resultant output will be a virtual prototype/technology demonstrator that will demonstrate the iGRC XML implementation and functionality in order that further development and testing can take place before final product integration.

Triometric

Triometric specialises in the ‘understanding, testing and monitoring' of web and enterprise applications, providing organisations with essential, real-time and accurate information about how applications are being used and performing throughout their life cycle. Unrivalled expertise in application performance consulting and its Analyzer technology means that Triometric is ideally placed to help organisations manage upgrades and implementations, monitor service levels and maximise end user satisfaction.

Project: Network Traffic Capture Study

Triometric's core technology is passive packet capture software that enables non-intrusive capture of network traffic; possible applications of Triometric's IP include intrusion attack, DDoS and data leak detection/prevention. Triometric also has expertise in the analysis and reporting of network traffic, which may be of value to the consortium.
The primary aim of the feasibility and scope study is to understand how, and in which areas, Triometric's technology and expertise can best add value to the iGRC consortium, and to define the next steps to take.

Mandalorian Security Services Ltd

Mandalorian provide technical Information Assurance and Incident Response services, specialising in penetration testing, tailored assessment services and advanced malware response.

Project: Penetration Testing Report Integration

Nessus is the world's leading vulnerability scanner, used by businesses and government to handle day-to-day threat management and by commercial penetration testing companies. Our proposal is to write a tool that converts Nessus output into a format suitable for import into the iGRC platform. The tool can then be used in technology demonstrations as well as in the final product. Its output will provide the platform with technical threat intelligence and severity information using the open CVSS v2 vulnerability scoring standard. Findings can then be prioritised by the tool to give a view of compliance gaps across a complex infrastructure environment, with drill-down capability.
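The conversion described above, as an added example that is not the Mandalorian tool or any other consortium code: it reads a Nessus v2 export (the `.nessus` XML format, whose element names `NessusClientData_v2`, `Report`, `ReportHost`, `ReportItem`, `cvss_base_score` and `cvss_vector` are the real ones), flattens each finding into an import record carrying its CVSS v2 base score and vector, assigns the CVSS v2 qualitative band, orders findings by severity, and counts per-host gaps at or above a threshold. The sample document is constructed; its plugin IDs and names are placeholders, not real Nessus plugins. The one edge case a converter must handle is that informational items (severity 0) carry no CVSS score at all; they are kept but sorted last and never counted as gaps.

```python
"""Flatten a Nessus v2 export into prioritised, CVSS v2-scored import records.

Added illustrative example, not the page's or the consortium's code. The sample
export below is constructed and its plugin IDs/names are placeholders.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

# Constructed sample: one host with a scored and an unscored (informational)
# item, and a second host with a single Medium finding.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="constructed-scan">
  <ReportHost name="10.0.0.5">
   <HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
   <ReportItem port="443" svc_name="https" protocol="tcp" severity="3"
               pluginID="900001" pluginName="Placeholder: TLS service accepts weak cipher">
    <cvss_base_score>7.5</cvss_base_score>
    <cvss_vector>CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P</cvss_vector>
    <risk_factor>High</risk_factor>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
               pluginID="900002" pluginName="Placeholder: SSH banner">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <HostProperties><tag name="host-ip">10.0.0.9</tag></HostProperties>
   <ReportItem port="80" svc_name="http" protocol="tcp" severity="2"
               pluginID="900003" pluginName="Placeholder: Outdated web server">
    <cvss_base_score>5.0</cvss_base_score>
    <cvss_vector>CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N</cvss_vector>
    <risk_factor>Medium</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


@dataclass
class Finding:
    host: str
    port: int
    protocol: str
    plugin_id: str
    plugin_name: str
    cvss_base: Optional[float]  # None for informational items (no score)
    cvss_vector: str
    band: str                   # CVSS v2 qualitative band or "Informational"


def cvss2_band(score: Optional[float]) -> str:
    """NVD's CVSS v2 bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score is None:
        return "Informational"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def parse_nessus(xml_text: str) -> List[Finding]:
    """Walk ReportHost/ReportItem and flatten each item into a Finding."""
    # Scanner output crosses a trust boundary on its way into the GRC system;
    # in production parse it with defusedxml. The stdlib parser is used here so
    # the example runs without extra dependencies.
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError("not a .nessus v2 document")
    findings: List[Finding] = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            score_el = item.find("cvss_base_score")
            score = float(score_el.text) if score_el is not None and score_el.text else None
            vec_el = item.find("cvss_vector")
            findings.append(Finding(
                host=host.get("name", ""),
                port=int(item.get("port", "0")),
                protocol=item.get("protocol", ""),
                plugin_id=item.get("pluginID", ""),
                plugin_name=item.get("pluginName", ""),
                cvss_base=score,
                cvss_vector=vec_el.text if vec_el is not None and vec_el.text else "",
                band=cvss2_band(score),
            ))
    return findings


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Highest CVSS v2 base score first; unscored informational items last."""
    return sorted(findings,
                  key=lambda f: -1.0 if f.cvss_base is None else f.cvss_base,
                  reverse=True)


def gaps_per_host(findings: List[Finding], threshold: float = 4.0) -> Dict[str, int]:
    """Per-host count of findings scoring at or above threshold (Medium+ by
    default). Hosts with only informational items report zero."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts.setdefault(f.host, 0)
        if f.cvss_base is not None and f.cvss_base >= threshold:
            counts[f.host] += 1
    return counts


def to_import_records(findings: List[Finding]) -> List[dict]:
    """Plain dicts in priority order, ready for JSON/CSV import."""
    return [asdict(f) for f in prioritise(findings)]


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    for rec in to_import_records(found):
        print(rec)
    print(gaps_per_host(found))
```

The per-host gap count is what a GRC console would drill down from: the record list keeps the plugin, port and CVSS vector so an auditor can trace a summarised gap back to the individual scanner finding.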