SPECIALISTS IN INFORMATION SECURITY MANAGEMENT SYSTEMS (ISO/IEC 27001)

Innovation

Gamma prides itself on the research it has performed over the years. Innovation is one of Gamma’s key skills: we are well able to tackle new and highly challenging problems in information security to which no one else yet knows the answers.

Gamma is an ISO 9001, ISO/IEC 27001 specialist consultancy company

Our Research page lists our key publications, starting with our “Chinese Wall” paper, published in the US in 1989, right up to the present day. Our current innovations lie in the area of internal control and the role that information security/assurance has to play in corporate governance.

The innovations that we have helped to create and apply over the years, shown chronologically in the animation above, are:

The picture shows an extract from our paper “EFT evaluation: a craftsman-led approach”. Written in 2003, it describes work performed by Dr. Brewer in 1986 to evaluate an electronic funds transfer system. The pipeline is an architectural model designed by Dr. Brewer as an aid to understanding how an electronic funds transfer system works. Another innovation was the use of formal program analysis tools to produce reports in a form of Pidgin English, which could be read and understood by bankers who were not IT literate.
The picture shows a reference to our seminal paper “The Chinese Wall Security Policy”, which presents a mathematical model of the access control requirements of the 1986 Financial Services Act. The paper was presented at the IEEE Symposium on Privacy and Security in Oakland, California in 1989.
During its first decade of operations, Gamma performed many assignments for the UK Ministry of Defence. We became well known for our work on producing system security policies and the picture shows a 3.5 inch floppy disc containing version 3 of our Help Tool.
Working under assignment to the DTI we helped to produce the ITSEC and its associated evaluation manual.
This work led to the development of the Common Criteria (ISO/IEC 15408).
In 1998 we became involved with the ISMS series of standards, assisting in the revision of BS 7799:1995 and the drafting of BS 7799-2:1998 and 1999.
Around this time, we were engaged in a series of projects that looked into the subject of trustworthiness. The SEDUCER project was a particularly interesting one.
In the early 2000s, we also did a lot of thinking around the subject of risk analysis. This diagram illustrates a breakthrough that we made concerning residual risk. Although advanced for the time, these ideas were overtaken by better ones a few years later.
We were part of the team that produced BS 7799-2:2002, which later became ISO/IEC 27001:2005 with very little change.
In the early 2000s we also undertook a number of assignments concerning smart cards. The pinnacle achievement was the production of a semi-formal specification for the security of the GlobalPlatform Smart Card. The picture shows an extract from our smart card architecture.

In 2002/2003 we had an assignment with the Ministry of Information Technology and Telecommunications (Mauritius) to develop four ISMS within the Civil Service in Mauritius, and to teach the Ministry staff how to do it. To assist us we invented a template ISMS, written in HTML and viewed using a browser. This technology became the forerunner of IMS-Smart.

In 2004 we published our seminal paper “Measuring the effectiveness of an internal control system”, which proposes measuring the effectiveness of internal controls using time as a parameter. A particular component of this paper is the consideration of performing a risk assessment using events and impacts. This completely overturned our views on risk assessment and led to our own formulation for a Risk Treatment Plan (RTP).
A year later we published our Opportunity Exploitation Plans (OEPs) paper. OEPs are the mirror image of risk treatment plans. Established standards, such as ISO/IEC 27001, manage risks, but what about exploiting opportunities? This paper explains how.
Taken together, OEPs and RTPs describe the two components of internal control: respectively, the processes for doing the job and the process for doing the job the way the boss wants it done. Putting the two together allowed us to develop an architecture for integrated management systems, presented in our paper “Exploiting an Integrated Management System”.
The picture shows the first IMS-Smart version of the template IMS used in Mauritius. This extended the original version by adding in ISO 9001 and BS 25999, and was first used by us in India.
At the same time we developed a “Productised Intellectual Property-led Service” (PIPS). The idea is to perform assignments, such as building an ISMS, in a standardised way, rather like mass-producing cars. Such an approach reduces costs while still attaining a very high level of quality.
We were very actively engaged in the recent revision of ISO/IEC 27001 resulting in the Second Edition published October 2013, and we have a web page dedicated to that process.
As part of this work, we were some of the first National Body Experts to work with the new ISO directives (called Draft Guide 83 at the time) concerning the high level structure and identical core text that now applies to all new and revised management system standards. The picture shows the front cover of a document we produced to help other people to understand the concepts.
Our last picture shows the IMS-Smart logo. Gamma is an IMS-Smart franchisee and plays a significant role in all of IMS-Smart’s innovation and R&D.