The XRAM tool is conceived, designed and implemented by Peter Flack, director of Challenger Consulting Ltd. Further information about XRAM can be obtained from:
Peter has over 28 years' practical experience in IT security consultancy, risk assessment, security policy specification, security evaluation/audit and management. He has managed a variety of teams covering the entire development and project lifecycle, and holds a UK Government SC security clearance.
Peter provided IT security consultancy for European Commission (EC) systems in Brussels, including security risk analysis and the production/review of the resulting ADS/ISMS material for two major DGs (Directorates-General) and their systems, covering:
- An EC wide repository for classified information
- An EC wide system used to maintain sensitive personal medical information
- An EU wide system allowing individuals (supported by appropriate citizen petitions) from the 28 member states to call directly on the European Commission to propose a legal act
- Several systems responsible for definition and enforcement of EU rules regarding fair competition between companies within EU countries (including the areas of cartels, mergers and state aid)
- Production of Security Policy/ISMS information to support the risk assessment (consistent with the ISO/IEC 27000 family)
- Providing input to EC security policy and its supporting security standards and guidance documents
- Gap analysis of resultant system’s security policies with EC Security Policy (e.g. C(2006)3602 based on ISO/IEC 27001, 2017/46, 2001/844/EC, Reg No 45/2001, supporting 3602 security standards/guidance documentation) consistent with ISO/IEC 27000 family principles
- Creation of a tool to support calculation of risk and selection of security controls
- Interaction with EC security personnel (e.g. Security Officer, Information Security Officer and Data Protection Officers)
- Interaction with project managers, business experts and project teams to understand applicable threats
- Review of proposed EC security related decisions, regulations and standards
- Presentation to senior management of risk assessment strategy, process, results and implications
- Authoring of DG website material to provide guidance and signposting to applicable EC security decisions, regulations and standards
Peter also provided consultancy to the European Commission (EC) Joint Research Centre (JRC) on the development of a risk assessment method, consistent with existing EC Security Policy and Standards and with reference to the ISO/IEC 27000 family. The JRC is the EC's science and knowledge service, providing research and independent scientific advice and support to EU policy.
Peter was a member of the CESG Listed Advisor Scheme (CLAS) until October 2015. CLAS consultants were approved by CESG to provide Information Assurance advice on systems processing protectively marked information up to, and including, SECRET.
Among other roles, Peter planned and documented ISO/IEC 27001 Information Security Management System (ISMS) material for 2012 Olympic services, and delivered information security management services for BT's Capital Care Alliance Care Record Service, provided on behalf of the NHS as part of the National Programme for IT, the UK's single largest secure development programme.
Peter has provided Common Criteria consultancy to customers of the BT CLEF and, as a Qualified CLEF Evaluator, has performed evaluations under both the Common Criteria and the UK ITSEC Scheme.
Previously, Peter was Programme Manager of Datacard Platform Seven's Secure Products Group, responsible for the full project lifecycle of products from inception, through design, development and implementation, to market roll-out. As well as managing the teams that developed the security-critical financial systems, Peter provided the guidance and technical expertise needed to prepare for security evaluation (Common Criteria EAL4+ and the first ever ITSEC E6 evaluation, equivalent to EAL7).