The Metropolitan Police Service has published a new cyber security strategy with an emphasis on four ‘core vision principles’ to protect its information assets.
It sets out priorities to: defend the data, distrust the asset; use identity as its perimeter; develop transparency of its internet traffic; and be aware and prepared.
It has also said that it will update the strategy at least annually as a jumping off point for all other authoritative material.
The document has been developed to support operations in digital policing, strengthen the cyber security of the Met Police and define a baseline operating model for its wider services.
The strategy is formally governed by a data board with technology roadmaps and standards.
Its first principle reflects a shift in cyber security from focusing on perimeter defences and endpoint protection to the protection of data wherever it resides. The document says this should ease the path to the ‘bring your own device’ approach or similar operating models without needing to accept significant risks.
Zero trust plan
The principle also involves producing a roadmap for a move to a ‘zero trust’ model, which assumes the network, device and credentials are all likely to be compromised at some point. Rather than aim to mitigate against all of this, it involves conducting authentication checks of a user request in the background based on factors including a device signature, location of access and unusual access patterns. This leads to the creation of a risk score to allow or deny access.
Under the ‘identity is our perimeter’ principle, the Met Police is aiming to deploy a formal password manager to handle single sign-on to its corporate platforms. This will be accompanied by moving away from the use of usernames and passwords, which could be compromised, to a biometric model for asserting identities and credentials, along with multi-factor authentication through methods such as push notifications and soft tokens.
It also has plans to rationalise and reinforce its identity stores with identity management capabilities.
The third principle on the transparency of traffic involves network monitoring and interpretation of packet data, which in the event of a breach can help identify where any data was accessed and moved.
Fourthly, the ‘aware and prepared’ principle involves regularly providing relevant content (at least quarterly) to staff to demonstrate risks and increase their understanding of how to detect, prevent and mitigate the impact of any attacks. A network of information management and professional standards champions will promote awareness across the organisation.
The strategy also points to the role of the National Enabling Programme – developed by the National Police Chiefs Council to improve ICT systems in policing – in delivering a licensing deal and risk assessment to provide technical controls to support security. The Met Police will be assessing elements of the offering.