With the PSN compliance deadline at the end of March 2014 fast approaching, recent figures from the Cabinet Office suggest that there are still 37 organisations at “significant risk” of failing to achieve 2013 PSN Compliance.
Our experience of supporting PSN customer organisations has shown they have a number of frustrations in their attempts to achieve compliance. We wonder if you are experiencing similar frustrations.
CoCo condition RIS.1
Demonstration of a risk management and standards-based approach:
We have seen evidence that the Cabinet Office and CESG have been promoting the use of the IA Standards No1&2 (IAS1&2) as part of PSN compliance. Our experience shows that compliance issues have arisen when there is no evidence of any structured and repeatable assessment having taken place. IAS1&2 are complicated, lengthy documents and people who have traditionally used them in central government have undergone training.
In organisations without any experience of IAS1&2 the CESG Listed Advisor Scheme (CLAS) provides a mechanism to procure commercial support from individuals trained in the use of IAS1&2.
CoCo condition RIS.2
Identification of the correct individual with responsibility for information risk:
Our experience has shown that organisations that have not chosen to appoint an appropriately senior individual as Senior Information Risk Owner (SIRO) have faced greater challenges in achieving compliance.
It is recognised that Chief Executives are busy people. Nevertheless, our experience has shown that nominating the SIRO at Chief Executive level, at least whilst an appropriate Information Assurance (IA) governance framework and roles are established, has worked extremely well and improved credibility with senior representatives at the Cabinet Office.
A decision to appoint the ICT Manager to this role is undeniably flawed: information risk ownership and management belong in the Board Room. An ICT Manager is likely either to have to rely on goodwill in the organisation or to resort to escalation in order to influence the organisation’s HR processes, which means that delivering personnel security is out of their hands. The same goes for physical and procedural security; the ICT Manager will have no influence over physical access control measures, and they are unlikely to be in a position to define the security procedures of the entire organisation. This certainly does not mean that the ICT Manager will not have an active role to play in the IA governance framework.
A vital part of establishing the IA governance framework is to provide a forum to discuss information security, with accompanying management, treatment, escalation and acceptance of risks. That forum generally takes the form of a Security Working Group (SWG). The frequency of its gathering depends upon the risks the organisation faces and possibly the status of the CoCo submission, i.e., if your organisation’s CoCo is due in one month’s time it may be reasonable to hold fortnightly or even weekly SWGs.
To cement RIS.2 in place, we have worked very closely on this topic in our recent contracts to define and help implement suitable Terms of Reference (ToRs) for security leads and supporting personnel. The ToRs define personnel responsibility and accountability to ensure that risks are treated or managed appropriately.
Confusion over Impact Levels (IL) and Protective Markings
Many organisations on the PSN share information, the majority of which is IL0 (UNCLASSIFIED) or IL2 (PROTECT), but also have a daily requirement to transfer limited amounts of information at IL3 (RESTRICTED). The Cabinet Office released a letter in December 2012 stating that GCSX customers in their transition to PSN were not required to implement the IL3 overlays mandated for other GSi groups; instead, customers must adhere to the CoCo and to any relevant Memoranda of Understanding (MoU) they are bound to with their data sharing partners.
Our experience has shown that the implications of these statements are not well understood and inappropriate presentation of material in CoCo submissions has caused issues even when compliance with the stated requirements is being delivered by the customer.
Policies, Procedures and Awareness Training (CoCo conditions EDU.1 & EDU.2)
Some organisations are poor at defining policies and procedures, and establishing an appropriate security training regime.
It’s often said that ‘insiders’ are the biggest threat. With the exception of some (non-UK) government-supported organisations that seek to compromise national security and high-value commercial information on a full-time basis, this is probably true. Balanced against the value of the information Local Authorities process, insiders are the biggest threat.
In order to reduce the risks posed by the insider, measures need to be applied; first of all a vetting process (see BPSS below), but also instructions to those employees and contractors on how they are expected to conduct themselves throughout their employment and beyond. A series of policies and procedures tailored where necessary to individual groups of employees will be needed to fulfil this requirement. These policies should be reviewed at least annually and up-issued to demonstrate to personnel that security is continually regarded as a critical factor in the organisation by the respective Board-level issuer. The policies should be distributed at least annually for repeated acknowledgement by employees.
Also important is a security awareness training regime. Each individual employee or contractor, regardless of their role (whether the new Chief Executive or the Cleaner), needs to undergo appropriate induction training that covers the elements of information security relevant to their role. They will also need to read and acknowledge all relevant policies and procedures before they’re given unaccompanied access to information and buildings. Security awareness needs to be part of business as usual to ensure that everybody keeps up with changes and is reminded of its ongoing importance.
Your policies may be weak or non-existent; support can be provided to help you define these policies. You may also want to consider approaches to assist with the distribution of your policy documentation and the monitoring of its acknowledgement.
Baseline Personnel Security Standard
BPSS, the lowest level of security screening, has been mandated in central government for many years but has not necessarily been widely adopted at local government level. With regard to the PSN CoCo, the Cabinet Office is demonstrating little flexibility in the requirement for compliance.
Organisations need to identify the most sensitive groups to process first and consider whether mitigations can be put in place in the interim.
What is evident from our experience is that cleaners, contractors, key holders and even ICT staff have not been included in this vetting process. A cleaner employed with no assurances of their character, and with uncontrolled access to the server room, is potentially more capable of compromising the security of the organisation’s information than your Head of Revenue & Benefits.
The Cabinet Office has defined three stages of expected implementation, which started in 2013 and run through to 2015.
- For your 2013 compliance: All users of PSN services or data must be validated to BPSS (or comparable/equivalent). We interpret this now to be historical; if you submitted your CoCo in 2013, then the following should have been considered:
  - Personnel with access to Revenue & Benefits data or any sensitive personal data registers
  - ICT Administrators
  - We believe you should probably also include:
    - Permanent members of your SWG (since they will ultimately be influencing the security of your PSN connection)
    - Any employees or contractors with unaccompanied access to locations hosting server or network equipment (Cleaners or Property Services personnel, for example).
- For your 2014 compliance: All users of PSN email must be validated to BPSS (or comparable/equivalent). When you submit CoCo evidence this year, i.e., before 31st March, you will need to consider all personnel with GCSX email accounts in addition to those covered in 2013.
- For your 2015 compliance: All users of a PSN connected network must be validated to BPSS (or comparable/equivalent). We interpret this to mean, in the majority of cases, anybody with access to your corporate network. When you submit evidence in 2015 these personnel will need to have the necessary clearance.
Formally issued devices
Access to corporate services, including PSN services, for remote workers is permitted on formally issued devices (managed endpoints) when key requirements are met. These include full disk encryption and two-factor user authentication of network connections, in addition to standard operating system controls. These additional controls need to be appropriately maintained, and documentation provided for both administrators and users.
Formally issued devices which can’t meet the requirements
In many organisations some individuals will have been issued with devices, such as iPads and smartphones, which cannot meet the security requirements.
CESG have issued advice on controlling the risks of these devices, which doesn’t require specific commercial products, although it can be time consuming to implement. There are sandboxing options such as Good for Enterprise which provide a useful one-stop approach, however they are still viewed as presenting significant challenges when accessing PSN data.
The case for allowing these kinds of devices to access your corporate network needs to be carefully analysed so that the appropriate corporate risk owners can understand and agree to it. Access to PSN data from such devices, where achievable, is going to add considerably to the time taken to complete the compliance process and should not be undertaken without some technical know-how or professional advice.
ICT Managers, whilst potentially understanding the controls, are likely to need some support in the translation of ‘information’ risks into ‘corporate’ risks. Members of CLAS are trained to work with the CESG standards and guidance materials and would be able to help with both the interpretation of information risk and the CESG End User Device guidance.
Unmanaged Endpoints / Bring Your Own Device
Unmanaged endpoints, whether home PCs or personal smartphones, carry with them a host of technical and non-technical risks. At this stage in the process, unless unmanaged endpoints are already subject to a robust and coherent set of controls, these risks are likely to present an insurmountable hurdle to PSN compliance in the time available. If the controls aren’t in place you need to ask, at a corporate level, whether the loss of PSN connectivity or the loss of unmanaged devices presents the greater corporate risk.
We know that ICT Managers understand most of the technical issues and security rationale behind the factors discussed above, although with the end of March looming some may benefit from further advice from a CLAS-certified professional with a recent track record of advising Local Authorities in gaining CoCo compliance.
We have the know-how and the tools (with reference to the latest Cabinet Office and CESG Standards and guidance notes) to conduct risk and threat assessments tailored to your organisation, meet CoCo requirements and help you implement these standards in support of your business, prioritising work and ensuring that your efforts are targeted at the most pressing tasks to ensure a return on investment and approval of your continued connection to the PSN.
Why not give us a call, we’d be happy to discuss your requirements and perhaps we can answer some of your more pressing questions with no obligation over the phone.
Note on the SWG: the title of the group is not important; Information Risk Management Group (IRMG) may also be appropriate.