esourcing MANAGED SERVICE CUSTOMER NOTICE Security Accreditation

Transcription

1 esourcing MANAGED SERVICE CUSTOMER NOTICE Security Accreditation Purpose The purpose of this Customer Notice is to provide details of the Security Accreditation for the esourcing Managed Service performed by OGCbuying.solutions and BravoSolution. Background 1. The OGCbuying.solutions esourcing Managed Service is a secure, hosted managed service provided by BravoSolution. It is accessed by customers and their suppliers via the internet. 2. A range of core services including help desk, system management and support services are provided to customers. 3. The esourcing Managed Service comprises four service elements that may be used individually or in any combination to support the sourcing and contract management activities. These service elements are: etendering; eevaluation; ecollaboration; and econtract Management 4. OGCbuying.solutions and BravoSolution have completed an accreditation process to ensure that the service is compliant with HMG Information Security Standards, the requirements of the Manual of Protective Security (MPS) and all UK legislation relevant to the processing of information 5. OGCbuying.solutions have accredited the esourcing Managed Service against HM Government Information Security Standards for information up to egov Impact Level 3 equating to a UK Protective Marking of Restricted. Scope 1. The accreditation relates to the esourcing managed service supplied by BravoSolution to public sector organisations through OGCbuying.solutions (OGCbs). 2. The initial accreditation includes only the etendering and eevaluation service modules that are hosted at the prime hosting site in Milan, the connectivity and associated systems that are provided by sub-contractors to BravoSolution as well as the connectivity that is provided for remote support purposes. 3. The Accreditation does not relate to the ecollaboration or econtract Management service modules which will be subject to further accreditation process at a later date. 4. The scope of the Accreditation encompasses the following: The esourcing service and application. This will include the following aspects:

2 User account allocation; User authentication; Data separation; Data storage; Access control to the data; Employment of encryption technologies; The security controls protecting the application from the Internet. All elements of the system/application from the Internet connection through the various tiers within the production environment that are provided by BravoSolution. The ADS will not address the other non-production environments that are in place or services provided by COLT. The latter is controlled and managed via a Service Level Agreement with COLT; All connectivity that is in place to the production environment; A review of the security surrounding the hosting facilities provided by Colt Telecoms. Hosted Solution 1. The primary hosting site is based in Milan with the hosting service provided by Colt Telecoms who also provide the Internet connectivity. COLT have a current BS 7799 certificate to support all the their hosting service provision services. All support and management of the BravoSolution environment is undertaken by BravoSolution staff. The only services provided by COLT are: Use of a shared load balancer; Media management COLT will change and store (both locally and remotely) the backup tapes. 2. There are aspects of the solution (eevaluation) that are provided by Commerce Decisions, a subcontractor to BravoSolution who are based in the U.K.. 3. The etendering and eevaluation service modules are hosted offshore by BravoSolution in Italy. The decision to host Restricted data offshore has been ratified by the Senior Information Risk Owner and Central Sponsor of Information Assurance (CSIA). The Accreditation Process 1. At the request of OGCbuying.solutions, BravoSolution appointed a CESG approved CLAS consultant from Insight Consulting to conduct a security risk assessment and develop a full Accreditation Document Set for the esourcing Managed Service in line with HMG InfoSec standards. The solution was also subject to a comprehensive security penetration test carried out under the CESG IT Health Check scheme. 2. This IT Check Report and the Accreditation Document Set was be reviewed by OGCbuying solutions own CLAS consultant from Newell & Budge Security prior to formal accreditation by the OGCbuying.solutions Senior Risk Owner for the solution.

3 Risk Management 1. In producing the ADS, a risk assessment was performed using the Express Version of CRAMM. Based on the results of the risk assessment, the Measure of Risk for the esourcing Managed Service was considered to be at a very low or low level. 2. The calculations and resulting RRI are summarised below: No. Connection Type of Connection Barrier Total RRI Assurance Including Common Barrier ITSEC Criteria 1 Internet Megastream Firewall and Not Connection to DR Site 2 Internet Megastream Firewall and Connection to DR Site 3 Dedicated Circuit Megastream Connection to BravoSolution Head Office 4 Dedicated Circuit Megastream Connection to BravoSolution Head Office Not 5 Via the Internet Megastream Access to the E Evaluation server E1 EAL2 6 Via the Internet Megastream Access to the E Not Evaluation server 7 Via the Internet Direct Access to Controls for User E4 EAL5 8 Via the Internet Direct Access to Controls for User Not 9 Via the Internet Direct Access to Controls for User Not 10 Via the Internet Direct Access to Controls for User Direct access to the System Direct Access to the application Procedural controls E2 EAL3 Accreditation Document Set 1. The format of the ADS produced was compared with the requirements outlined in HMG Infosec Standard No.2. This document recommends that the ADS is organised under four main sections as follows: Part 1 Part 2 Part 3 Part 4 Basic Information. Risk Management Document Set. Security Operating Procedures (SyOps) and Interconnection Security Measures (ISMs) Inspection Reports and Accreditation Certificate. 2. The basic format and layout of Part 1 (Basic Information), within the esourcing ADS was found to be in line with the HMG Infosec Standard No2 recommendations. 3. The second section, Part 2 (Risk Management Report) of the ADS, was also found to be in line with the HMG Infosec Standard No2 recommendations. 4. The third section, Security Operating Procedures was found to be in line with the HMG Infosec Standard No2 recommendations. 5. The IT Health Check report was included within Part 4 of the ADS

4 Penetration Testing External Penetration Test 1. An External Penetration Test was carried out against BravoSolution s web application at This represents the instance for the British Library and was to all intents and purposes, running as a live service. The review was conducted from the Insight offices, based in Walton-on-Thames 2. The tests were conducted in May The aims of the test were to: Find known vulnerabilities in the targeted IP address; Exploit, where possible, vulnerabilities with a view to obtaining access to resources not permitted; Review of known vulnerabilities for identified software and hardware. 3. Automated scans and manual penetration tests were carried out in an attempt to gain access to the system. 4. No major vulnerabilities were identified and the infrastructure and web application were of a good security standard. Internal Penetration Test 1. An internal Penetration Test was carried out against BravoSolution s infrastructure based at the COLT hosting facility in Milan. The scope of the tests covered the internal network environment, the DMZ and a review of the firewall/switch configurations. 2. The tests were conducted in June The aims of the test were to: Find known vulnerabilities in the targeted IP addresses; Exploit, where possible, vulnerabilities with a view to obtaining access to resources not permitted; Assess the build of selected servers within the environment Review of known vulnerabilities for identified software and hardware. 3. Automated scans and manual penetration tests were carried out in an attempt to gain access to the targeted systems. 4. A number of issues were identified, however, some of these were brought to BravoSolutions attention and rectified immediately. Though a number of configurable issues were found, very few exploitable vulnerabilities were identified. Tests were conducted on these vulnerabilities to verify that they were not false positive results. All results and findings have been included in the report. 5. No major vulnerabilities were identified Re-accreditation Arrangements Re-Accreditation 1. The ADS is valid until May At this stage a re-examination should be carried out of the need for security and the type of countermeasures that need to be in place to provide the appropriate level of protection. 2. Re-accreditation is required every year and this will include an IT Health Check of the esourcing environment and any other key systems. This will follow the same approach as the initial ITHC that was performed. However, re-accreditation can occur at the discretion of the Accreditor and will be required when: The original solution is extended or significantly altered, e.g. the introduction of new external connections, major changes in functionality; The operating environment (e.g. site/location) changes from the current supplier. This will also apply to the DR site;

5 Information at markings higher than RESTRICTED are to be processed on the esourcing application; Major changes to the operating system (i.e. upgrades to new versions); Any changes to the application that affect the authentication, data and/or user separation and access control which could affect the OGCbs user base. Permitted Changes 1. The following changes will be allowed to the application without the need for re-accreditation: Installation of patches to the operating system/application; Installation of point release versions of the software (e.g. version 8.2 to 8.3 would not require reaccreditation); Software changes to the application that have no affect on the authentication, data/user separation or access controls measures that are in place; The take-on of additional customers irrespective of their geographical location; Changes implemented by the hosting company that have no affect on the esourcing infrastructure, service, connectivity or security; Software application changes that are made to instances of the application that do not affect OGCbs; Changes to the parameterisation values that are used to create the look and feel of the application; The implementation of additional components to increase the capacity of the esourcing infrastructure. Recommendations and Action Plan Newell and Budge Security advised OGCbuying.solutions that the esourcing ADS met HMG Infosec requirements, subject to successful implementation of the following agreed actions Recommendation The IS1 Risk Calculations should be reviewed to ensure that the RRI figure for systems administrators (Barrier 6) can be reduced to an acceptable level. This could be facilitated by ensuring that the small number of personnel involved were security cleared to an acceptable equivalent to UK Basic Check (BC) clearance. Some detailed technical issues of a non critical nature were raised by the IT Health Check. It is essential that the IT Health Check Report is released to BravoSolution on a need to know basis in order for appropriate remedial action to be taken by the service provider. Agreed Actions & Current Status OGCbuying.solutions and BravoSolution have obtained security clearance for BravoSolution and sub-contractor staff performing system and database administration activities. Full IT Health Check Report released to BravoSolution on a Need-To-Know basis on 27 July 2005.