By 31st March 2014 all Government Connect Secure Extranet (GCSX) customers will have transitioned over to the Public Services Network (PSN). This week’s figures from the Cabinet Office suggest that there are still 37 organisations at “significant risk” of failing to achieve 2013 PSN Compliance. These organisations will need to meet the March deadline or face disconnection.
In April last year the Cabinet Office released a rather strongly worded letter to PSN customer organisations entitled “PSN Compliance – A Zero Tolerance Approach to the PSN Code of Connection”. The letter warned that customers with weak compliance from previously submitted Government Secure Intranet (GSi) CoCos, or who had not corrected actions arising from previous on-site assessments or IT Health Checks would be rejected – meaning disconnection from the PSN.
In October they released another letter which, while making clear that the “zero-tolerance regime” remained in place, removed the risk of immediate suspension for organisations demonstrating a genuine appetite and realistic plans to achieve compliance. The letter also indicated that a level of interim compliance would be granted to organisations that were struggling but making concerted efforts to comply.
This close to the deadline, only those organisations with a small gap to close are going to achieve compliance in time. The other organisations need to focus on implementing the changes required within their organisation to demonstrate their genuine appetite for compliance. This can only be demonstrated by co-ordinating the groups responsible for implementing specialist controls with those who own organisational risk.
In many organisations a major challenge arises when there is a need to understand, at a granular level, how the combination of technical, procedural, physical and personnel security controls interact to counter information risks and thus influence wider corporate risk. Through the compliance process the Cabinet Office is seeking to assess information risk, so organisations need to provide material at that level rather than at a corporate level.
Whilst technical leads such as ICT Managers will understand how technical security controls counter threats and vulnerabilities, they are probably less comfortable conveying how these factors affect information risk. Information Assurance professionals are experienced at articulating information risks and will work with both the technical and business groups to ensure a common understanding, both for the immediate compliance requirement and for your own ongoing maintenance, whilst providing documented material at the level expected by the Cabinet Office.
Regency has recent testimonials from Local Authorities it has helped to gain PSN CoCo compliance. Why not give us a call? We would be happy to discuss your requirements and, with no obligation, perhaps answer some of your more pressing questions over the phone.