UK Government IA Recent Changes and Update

Transcription

1 UK Government IA Recent Changes and Update

2 INTRODUCTION Agenda Part 1 Government IA and Cyber Security Background Quick Threat Update UK Government Cyber Security Initiative Government Asset Control in terms of Protective Markings PSN Drivers, Anatomy and Terminology Part 2 Government IA Developments Procurement Notes New GCS Security Accreditation. Presenter Paul Bright

3 CYBER SECURITY INITIATIVE Threat Overview Cyber security threat increasing Nation states are now buying a cyber attack capability Threats exist against the critical national infrastructure The worst breach cost, on average, 65, ,000 for small businesses and 600,000 1,150,000 for large organisations, 2014 Information Security Breaches Survey. Low level assets Vast array of official data, including Machinery of Government data is not sensitive, but some OFFICIAL data has to be of course. Drive to protect lower level (OFFICIAL) data against high end states is not as strong as it was.

4 CYBER SECURITY INITIATIVE Objectives The UK to tackle cyber crime and be one of the most secure places in the world to do business in cyberspace. The UK to be more resilient to cyber attacks and better able to protect our interests in cyberspace. The UK to have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies. The UK to have the cross-cutting knowledge, skills and capability it needs to underpin all our cyber security objectives..

5 CYBER SECURITY INITIATIVE Aspiration by 2015 is the UK is in a better position where: law enforcement is tackling cyber criminals; citizens know what to do to protect themselves; effective cyber security is seen as a positive for UK business; a thriving cyber security sector has been established; public services online are secure and resilient; and the threats to our national infrastructure and national security have been confronted.

6 GCS Government Classification Scheme The new Government Classification Scheme (GCS) in place since 6 Apr 2014 Previous Government Protective Marking Scheme (GPMS) marked according to BILs: BIL6: Top Secret, BIL5: SECRET: BIL4 Confidential, BIL3: Restricted. Also PROTECT for BIL1 or 2 and then NPM for BIL0 The last changes introduced after Cabinet Secretary found RESTRICTED on a note attached to a fridge.

7 ASSET CONTROL Low level asset control still a challenge The challenge of securing the fridges has not gone away - press report of 19 Nov 2014 reported lock placed on the Chancellor s fridge in the Treasury to protect the milk! Customers are still linking classifications to Impact Levels George Osborne 'locks milk in Treasury fridge says his deputy Danny Alexander

8 Public Services Network (PSN) Background Before, Departments, agencies, local authorities, police authorities had their own network. At least 2000 networks existed, connecting around 5.5 million public sector workers over hundreds of sites. Work with these bodies to rationalise and standardise the networks was needed and to save on costs. PSN Aims Make savings on duplicated connections, multiple procurements and service and maintenance overheads Enhance the ability for collaborative working between departments - deliver service efficiency and enable the sharing of sensitive information Make mobile working easier, offering potential savings from flexible working and better use of public estates Provide opportunities to share applications and data centre capacity

9 PSN Objectives Secure private internet for the public sector with the security that HMG requires. A network of networks from multiple suppliers to encourage a competitive marketplace Look and feel like a single network to its public sector customers, even though it is being provided by numerous suppliers; Allow industry to develop innovative products and generate savings across the public sector A single network multiple suppliers

10 PSN PROCUREMENT ARCHITECTURE Integrator 3 Integrator 4 Business Services Vendor 7 Integrator 1 Integrator 2 Vendor 8 Vendor 9 Technical Services Vendor 1 Vendor 4 Vendor 5 Vendor 6 Operator 1 Operator 2 Vendor 2 Vendor 3 Service Provider 3 Service Provider 4 Network / Access Services Government Conveyance Network Operator 3 Service Provider Operator 1 5 Service Provider 2 Transport & Core Network Operator 4

11 THE PSN CODES Commercial Obligations to PSN Code of Connection (CoCo) - Commitments that customers make to one another, and to the PSN Authority (PSNA), replaced the GCSx CoCo v4.1 Code of Practice (CoP) - Commitments that PSN Service Providers make to the PSNA Code of Interconnection (CoICo) - Commitments that Direct Network Service Providers make to the PSNA Deed of Undertaking (DoU) - Commitments that GCN Service Providers make to the PSNA All codes contain Technical Interoperability, Service Management, Governance, Commercial and Information Assurance Conditions..

12 PSN COMMERCIAL UNDERTAKING Cabinet Office PSN Framework Authorities Service Contract PSNA CoCo PSN Customers Framework MoU Central Services Service Providers GCN Deed of Undertaking CoICo CoP PSN Service Agreement (Framework Agreement Call-Off or Direct Contract) Framework Agreement GCN Service Providers GCN Service Providers GCN Service Agreement Direct Network Service Providers Network Service Agreement PSN Service Providers Contract Other Agreement GCN Interconnection Agreement

13 IA DEVELOPMENTS Cyber Security Initiative UK Govt s National Cyber Security Strategy - make UK a safer place to conduct business online by building a vibrant, resilient and secure cyberspace by Procurement Notices Wef 1 Oct 14, suppliers bidding to handle certain sensitive and personal information to be certified against the Cyber Essentials scheme (not required under G-Cloud or Digital Services Framework). Note 09/14 issued by Cab Office. ITTs can not ask for IL assurance. Suppliers must challenge. Policy and GCS New SPF issued Jun 3 Jun 14. Less prescriptive, MRs have gone. Replaced with a set of eight Security Outcomes. OFFICIAL information can be managed with good commercial solutions similar to risks posed to any large Corporate entity. Reduced to 3 levels: TOP SECRET, SECRET and OFFICIAL. OFFICIAL covers such a large landscape from old public (IL0) to some old Confidential (IL4) that some SENSITIVE-caveats are required.

14 IA SKILL FORCE DEVELOPMENTS CESG CERTIFIED PROFESSIONAL Community of recognised cyber security professionals in both the UK public and private sectors. Developed in consultation with government departments, academia, industry, the Certification Bodies and members of the CESG Listed Advisor Scheme (CLAS). All CLAS Consultants created the initial swell in to the new CCP Scheme. Scheme handled by 3 bodies accredited by CESG (APM, BCS & IISP). 7 x defined roles (Accreditor, IA auditor, IA architect, SIRA, ITSO, COMSEC, Pen Tester) plus 1 new to be added (Cyber Security Analyst). Current scheme under review to address a 2-tier system (results expected in Mar 15).

15 SECURITY ACCREDITATION PSN Accreditation Preferred IAS1 Risk Assessment Tool being withdrawn wef Jan No need to conduct any bespoke risk assessment. Pan Government Accreditation will be stopped for new G-Cloud; there are only 5 x PGAs now, will stop from Jan 15. PGA will concentrate on PSN backbone incl. DNSPs, core PSNSPs Remaining accreditation transferred to the commercial entity of the Government Digital Service (GDS). New G-Cloud services subject to a supplier assertion process against the G-Cloud Security Principles. The purchasing authority will do their own IA. Presumably some HMG InfoSec Standards will need to be updated pretty soon too.

16 PSNSPs - ACCREDITATION PSNSP Accreditation Security element has now moved to commercial element in GDS. New approach: not about centralised compliance, nor self-certification. It is a transparency exercise where suppliers state what they are doing to secure their services and products. Supplier makes assertions against each of the Cloud Security Principles (x14) as part of a supplier assessment exercise. RMADS gravy train disappearing. RISK ASSESSMENT & RISK GUIDANCE Guidance on how to assess risk due in Jan 15. Architectural patterns to be extended to cover risk management guidance Description for risk presented no need to conduct any bespoke assessment. Use an appropriate method consultation with partners happening now.

17 CYBER ESSENTIAL SCHEME (1) PURPOSE Scope State most essential security requirements. Certify against requirements. Make certification relevant, affordable & achievable (target cost of 350 for the certificate only to certify plus consultant s time and external testing for Cyber Essentials Plus scheme); BIS innovation voucher scheme can help with funding available from the Government. Scope is not extensive. A lot out of scope, e.g. removable devices, users, web development.

18 CYBER ESSENTIAL SCHEME (2) MITIGATING CONTROLS Boundary devices, e.g. a port scan CVSS v2 score 7 = fail. Secure configuration, e.g. devices scanned to check CVSS ratings ( 7 = fail). User access control: e.g. unsuitable IDs or weak passwords = fail. Malware protection: phishing test achieved by clicking on AV test file in or external URL, AV must be in use. Patch management: e.g. core software licensed and supported, updates to software within 30 days, out of date software removed, patches installed within 14 days (against list of common apps). APPROACH Stage 1 Self Assessment = Cyber Essentials; Stage 2 Independently tested = Cyber Essentials Plus Growing maturity Cyber Essentials becomes an integral part org s approach to risk management. No end date on the certificate! with recommendation to relist within 12 months..

19 FURTHER READING LINKS (1) Cyber Security Strategy GCS 1/uk-cyber-security-strategy-final.pdf 80/Government-Security-Classifications-April-2014.pdf Register for a PSN Service Supplier certificate PSN supplier assertions and Cloud Security Principles /Implementing_the_Cloud_Security_Principles.pdf

20 FURTHER READING LINKS (2) Cyber Security Essentials CESG /Cyber_Essentials_Requirements.pdf GOV.UK Digital Marketplace

21 Thank you for listening. Any questions?