A client had a business requirement to communicate securely between two domains of different security levels. The existing way of working relied on out-of-band (paper) channels to meet the information exchange requirements, which had an obvious detrimental effect on the time required to complete transactions.
Using a risk-based approach tuned to the client’s context, we proposed a gateway design with discrete security attributes that were mapped to the identified risks. The design was submitted for approval along with a residual risk statement, which articulated the risks remaining with the gateway in place. The client considered this with external stakeholders and approved the design. The design is now implemented and working, and is materially changing the way the client does business: volumes, accuracy and audit have all seen a favourable increase.