
British Government Web Portal - security audit & test

client
Our client is a government agency providing a specific public service via the Internet.

client requirement and business drivers
The client operates a high-availability, high-throughput site that is accessible to all members of the public. Through the web site the client provides information tailored to each individual's needs, which requires the input of certain personal data. Certain information also needs to be stored between visits so that returning users can access the service more efficiently.

The main business drivers were:

enabling
  • the government is taking a lead in the area of e-commerce and security by targeting BS7799/ISO17799 compliance across all areas of government as a long-term strategy; this strategy required the agency to adopt a proactive and focused approach to security
  • public confidence in the service had to be high in order to achieve the required return on investment, in the form of wide-scale public use of the service; part of this was ensuring that there would be no concern over the input of potentially sensitive personal data
risk reduction
  • full compliance with the security requirements of the Data Protection Act was essential
  • the agency had already been the subject of malicious hacking attacks in the past that had degraded the availability of the service; it was a strong requirement to reduce the scope for such attacks in the future in order to preserve the 24 x 7 nature of the service

commissum was engaged to conduct a series of security-related audits and tests of the application and its supporting infrastructure.

commissum services provided
  • audit of the third-party developer to confirm that the issues involved in developing secure applications were fully understood and that appropriate internal processes were in place to address them
  • external testing of the web-based application to verify its resilience to abuse and to unintended exposure of sensitive information
  • external penetration testing of the network infrastructure
  • audit of the hosting organisation's facilities against a BS7799/ISO17799 framework

This project was an unfortunate example of commissum being asked to carry out security reviews late in the lifecycle, in this case only a month before launch. A number of fundamental security issues were identified, which resulted in the need to redesign areas of the application.

The project is, however, back on track. commissum are now scheduled to carry out the final testing and to provide ongoing security support to the agency, which recognises that security review is not a "test once and forget" measure.

© 2001-2008 commissum