Developing a Security Architecture
“This was an excellent piece of work and is now being rolled out across the Group as the de facto standard.” Paul Kelsall, Director of Technology Management for Royal Mail.
Background

Royal Mail Group plc is a public limited company wholly owned by Government, with an annual turnover of £8.9 billion and more than 190,000 employees. The Group operates four businesses: Royal Mail, Post Office Ltd., Parcelforce Worldwide and GLS Logistics. They offer wide-ranging services, from banking and electronic billing through to retail sales, warehousing and time-critical delivery, and must work within a variety of strict and complex regulatory constraints. The businesses have highly diverse information security needs, ranging from defence against fraud in on-line trading capability to continuity of business-critical operations in the mail delivery services.

Royal Mail provides an essential service relied upon by the general public, businesses large and small, the public sector and national government, delivering some 84 million items per day.
Challenge

The challenge posed by Royal Mail Group was three-fold:
- To define a coherent suite of protective measures to be applied across the entire enterprise, that is effective in managing the diverse risks to which their business is exposed, while allowing that business to be conducted efficiently;
- To show that the costs of the proposed measures provide a valuable return on investment;
- To ensure consistent implementation of the prescribed measures by all of the outsourced service providers contracted to deliver their Information System (IS) capability.

To meet this challenge, Royal Mail Group recognised that a security architecture would be essential: one that would be easy for non-IS people to understand and for IS people to use. It would need to be developed using a consistent, flexible, proven methodology, which would help the Group achieve a genuine balance between business flexibility and security and would take account of the real threats posed to different aspects of Royal Mail Group business.
The Solution

QinetiQ’s Domain Based Security (DBSy®) was selected as the approach that best met these criteria. QinetiQ’s own DBSy practitioners supported Royal Mail Group in this task, backed by their wide-ranging specialists in Information Security technologies. Critical threats and impacts to Royal Mail Group business provided the initial input to the development of the security architecture. These were gleaned, together with a clear understanding of how the different business groups operate, through a series of workshops and interviews with key staff in each group. This enabled the QinetiQ team to identify protection needs in business terms, and to express them through the graphical DBSy architecture models.

Validation and refinement of the models followed, based on the rigorous, model-based DBSy risk analysis method and further sessions with Royal Mail staff, using the models to focus the discussions. Specific defences were selected which would counter the risks effectively while offering minimal impedance to the way Royal Mail people operate.

The DBSy models helped to highlight the impact that proposed defences might have on business efficiency, as well as their efficacy in managing risks.

Rough costings for the defensive measures were estimated and assessed against perceived benefits, based on avoidance or mitigation of damaging events. These formed the basis for informed decision making, and ultimately a security case for presentation and agreement at board level.
Results

As a consequence of this work, Royal Mail Group has an agreed security architecture, comprising graphical views with tables and supporting text specifications. It prescribes a set of achievable security defences and clearly defines where they should be deployed. The Group also has a risk analysis showing that the measures are appropriate to counter the threats, providing the rationale to inform commercial decisions on affordable security.

This security architecture is the goal towards which all the Group’s systems will migrate, according to a strategic change programme. It provides the blueprint with which all outsourced service providers will be expected to comply. It will also support the Group in continually re-assessing its security posture, based on evolving business opportunities and a changing threat profile.

As part of the UK’s Critical National Infrastructure, Royal Mail Group makes security a priority. Using the DBSy® methodology, they have adopted a strategic approach to security, and reconciled their many and varied security requirements and operational needs within a comprehensive and consistent architecture.