UK Government IA Recent Changes and Update
INTRODUCTION
Agenda
Part 1: Government IA and Cyber Security Background; Quick Threat Update; UK Government Cyber Security Initiative; Government Asset Control in terms of Protective Markings; PSN Drivers, Anatomy and Terminology.
Part 2: Government IA Developments; Procurement Notes; New GCS; Security Accreditation.
Presenter: Paul Bright
CYBER SECURITY INITIATIVE
Threat Overview
The cyber security threat is increasing.
Nation states are now buying a cyber attack capability.
Threats exist against the critical national infrastructure.
The worst breach cost, on average, £65,000-£115,000 for small businesses and £600,000-£1,150,000 for large organisations (2014 Information Security Breaches Survey).
Low level assets: the vast array of official data, including Machinery of Government data, is not sensitive, but some OFFICIAL data of course has to be. The drive to protect lower level (OFFICIAL) data against high-end states is not as strong as it was.
CYBER SECURITY INITIATIVE
Objectives
The UK to tackle cyber crime and be one of the most secure places in the world to do business in cyberspace.
The UK to be more resilient to cyber attacks and better able to protect our interests in cyberspace.
The UK to have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies.
The UK to have the cross-cutting knowledge, skills and capability it needs to underpin all our cyber security objectives.
CYBER SECURITY INITIATIVE
The aspiration is that by 2015 the UK is in a better position where: law enforcement is tackling cyber criminals; citizens know what to do to protect themselves; effective cyber security is seen as a positive for UK business; a thriving cyber security sector has been established; public services online are secure and resilient; and the threats to our national infrastructure and national security have been confronted.
GCS - Government Classification Scheme
The new Government Classification Scheme (GCS) has been in place since 6 Apr 2014.
The previous Government Protective Marking Scheme (GPMS) marked according to Business Impact Levels (BILs): BIL6 TOP SECRET, BIL5 SECRET, BIL4 CONFIDENTIAL, BIL3 RESTRICTED; also PROTECT for BIL1 or BIL2, and NPM (not protectively marked) for BIL0.
The last changes were introduced after the Cabinet Secretary found RESTRICTED on a note attached to a fridge.
ASSET CONTROL
Low level asset control is still a challenge.
The challenge of securing the fridges has not gone away: a press report of 19 Nov 2014 reported a lock placed on the Chancellor's fridge in the Treasury to protect the milk!
Customers are still linking classifications to Impact Levels.
Press headline: "George Osborne 'locks milk in Treasury fridge', says his deputy Danny Alexander".
Public Services Network (PSN)
Background
Before, departments, agencies, local authorities and police authorities each had their own network. At least 2000 networks existed, connecting around 5.5 million public sector workers over hundreds of sites. Work with these bodies was needed to rationalise and standardise the networks and to save on costs.
PSN Aims
Make savings on duplicated connections, multiple procurements and service and maintenance overheads.
Enhance the ability for collaborative working between departments: deliver service efficiency and enable the sharing of sensitive information.
Make mobile working easier, offering potential savings from flexible working and better use of public estates.
Provide opportunities to share applications and data centre capacity.
PSN Objectives
A secure private internet for the public sector with the security that HMG requires.
A network of networks from multiple suppliers, to encourage a competitive marketplace.
Look and feel like a single network to its public sector customers, even though it is provided by numerous suppliers.
Allow industry to develop innovative products and generate savings across the public sector.
A single network, multiple suppliers.
PSN PROCUREMENT ARCHITECTURE (diagram; only the labels survive): a layered model of Business Services, Technical Services, Network / Access Services and Transport & Core Network, populated by Integrators, Vendors, Service Providers and Network Operators, with the Government Conveyance Network in the transport layer.
THE PSN CODES
Commercial obligations to PSN:
Code of Connection (CoCo): commitments that customers make to one another and to the PSN Authority (PSNA); replaced the GCSx CoCo v4.1.
Code of Practice (CoP): commitments that PSN Service Providers make to the PSNA.
Code of Interconnection (CoICo): commitments that Direct Network Service Providers make to the PSNA.
Deed of Undertaking (DoU): commitments that GCN Service Providers make to the PSNA.
All codes contain Technical Interoperability, Service Management, Governance, Commercial and Information Assurance conditions.
PSN COMMERCIAL UNDERTAKING (diagram; only the labels survive): the Cabinet Office and PSN Framework Authorities sit above the PSNA; PSN Customers are bound by the CoCo, PSN Service Providers by the CoP, Direct Network Service Providers by the CoICo and GCN Service Providers by the Deed of Undertaking; services are bought through a PSN Service Agreement (Framework Agreement Call-Off or Direct Contract), and the diagram also shows the Framework MoU, Central Services, GCN Service Agreement, Network Service Agreement, GCN Interconnection Agreement and other agreements between the parties.
IA DEVELOPMENTS
Cyber Security Initiative: the UK Govt's National Cyber Security Strategy aims to make the UK a safer place to conduct business online by building a vibrant, resilient and secure cyberspace by 2015.
Procurement Notices: with effect from 1 Oct 14, suppliers bidding to handle certain sensitive and personal information are to be certified against the Cyber Essentials scheme (not required under G-Cloud or the Digital Services Framework). Note 09/14 issued by the Cabinet Office. ITTs cannot ask for IL assurance; suppliers must challenge.
Policy and GCS: new SPF issued 3 Jun 14. Less prescriptive; the MRs (Mandatory Requirements) have gone, replaced with a set of eight Security Outcomes. OFFICIAL information can be managed with good commercial solutions, similar to the risks posed to any large corporate entity. Reduced to 3 levels: TOP SECRET, SECRET and OFFICIAL. OFFICIAL covers such a large landscape, from old public (IL0) to some old CONFIDENTIAL (IL4), that some SENSITIVE caveats are required.
IA SKILL FORCE DEVELOPMENTS
CESG CERTIFIED PROFESSIONAL (CCP)
A community of recognised cyber security professionals in both the UK public and private sectors.
Developed in consultation with government departments, academia, industry, the Certification Bodies and members of the CESG Listed Advisor Scheme (CLAS). All CLAS Consultants created the initial swell into the new CCP Scheme.
Scheme handled by 3 bodies accredited by CESG (APM, BCS & IISP).
7 defined roles (Accreditor, IA Auditor, IA Architect, SIRA, ITSO, COMSEC, Pen Tester) plus 1 new role to be added (Cyber Security Analyst).
Current scheme under review to address a 2-tier system (results expected in Mar 15).
SECURITY ACCREDITATION
PSN Accreditation
The preferred IAS1 Risk Assessment Tool is being withdrawn with effect from Jan 2015. No need to conduct any bespoke risk assessment.
Pan Government Accreditation (PGA) will be stopped for new G-Cloud services; there are only 5 PGAs now, and they will stop from Jan 15. PGA will concentrate on the PSN backbone, incl. DNSPs and core PSNSPs.
Remaining accreditation is transferred to the commercial entity of the Government Digital Service (GDS). New G-Cloud services are subject to a supplier assertion process against the G-Cloud Security Principles. The purchasing authority will do its own IA.
Presumably some HMG InfoSec Standards will need to be updated pretty soon too.
PSNSPs - ACCREDITATION
PSNSP Accreditation
The security element has now moved to the commercial element in GDS.
New approach: not about centralised compliance, nor self-certification. It is a transparency exercise where suppliers state what they are doing to secure their services and products. The supplier makes assertions against each of the Cloud Security Principles (14 of them) as part of a supplier assessment exercise. The RMADS gravy train is disappearing.
RISK ASSESSMENT & RISK GUIDANCE
Guidance on how to assess risk is due in Jan 15. Architectural patterns are to be extended to cover risk management guidance. A description of the risk is presented; there is no need to conduct any bespoke assessment. Use an appropriate method; consultation with partners is happening now.
CYBER ESSENTIALS SCHEME (1)
PURPOSE
State the most essential security requirements. Certify against those requirements. Make certification relevant, affordable and achievable (target cost of £350 for the certificate only; the Cyber Essentials Plus scheme adds the consultant's time and external testing); the BIS innovation voucher scheme can help, with funding available from the Government.
Scope
The scope is not extensive. A lot is out of scope, e.g. removable devices, users, web development.
CYBER ESSENTIALS SCHEME (2)
MITIGATING CONTROLS
Boundary devices: e.g. a port scan; any finding with a CVSS v2 score ≥ 7 = fail.
Secure configuration: e.g. devices scanned to check CVSS ratings (≥ 7 = fail).
User access control: e.g. unsuitable IDs or weak passwords = fail.
Malware protection: phishing test achieved by clicking on an AV test file in an e-mail or at an external URL; AV must be in use.
Patch management: e.g. core software licensed and supported, updates to software within 30 days, out-of-date software removed, patches installed within 14 days (against a list of common apps).
APPROACH
Stage 1, self assessment = Cyber Essentials; Stage 2, independently tested = Cyber Essentials Plus.
Growing maturity: Cyber Essentials becomes an integral part of the org's approach to risk management.
No end date on the certificate, with a recommendation to relist within 12 months.
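As an added illustration (not from the slides and not the scheme's own tooling), a small Python checker that applies the pass/fail thresholds listed above to constructed scan findings and patch records; the host names, the sample data and the choice to apply the 14-day limit to security patches and the 30-day limit to other updates are assumptions:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds as stated on the slide (assumed to apply per finding / per package).
CVSS_V2_FAIL = 7.0        # any scan finding scoring >= 7 on CVSS v2 is a fail
PATCH_DAYS = 14           # security patches must be installed within 14 days
UPDATE_DAYS = 30          # other software updates within 30 days

@dataclass
class Finding:            # one line of a (constructed) boundary or config scan
    host: str
    title: str
    cvss_v2: float

@dataclass
class Package:            # one installed application on a host
    host: str
    name: str
    supported: bool                  # still licensed and vendor-supported
    fix_released: Optional[date]     # when the pending fix shipped; None = current
    security_fix: bool = True        # security patch (14 days) vs. update (30 days)

def scan_failures(findings):
    """Boundary device / secure configuration controls: CVSS v2 >= 7 fails."""
    return [f"{f.host}: {f.title} (CVSS v2 {f.cvss_v2})"
            for f in findings if f.cvss_v2 >= CVSS_V2_FAIL]

def patch_failures(packages, today):
    """Patch management control: unsupported software or overdue fixes fail."""
    out = []
    for p in packages:
        if not p.supported:
            out.append(f"{p.host}: {p.name} is out of support")
            continue
        if p.fix_released is None:
            continue
        limit = PATCH_DAYS if p.security_fix else UPDATE_DAYS
        age = (today - p.fix_released).days
        if age > limit:
            out.append(f"{p.host}: {p.name} fix outstanding {age} days (limit {limit})")
    return out

def assess(findings, packages, today):
    """Overall verdict: any failure under any control fails the assessment."""
    failures = scan_failures(findings) + patch_failures(packages, today)
    return {"passed": not failures, "failures": failures}

# Constructed sample data, not taken from any real scan or estate.
TODAY = date(2015, 1, 20)
FINDINGS = [Finding("gw01", "SSLv2 enabled on HTTPS", 5.0),
            Finding("gw01", "Remote code execution in admin interface", 10.0)]
PACKAGES = [Package("ws07", "Office suite", True, date(2014, 12, 20)),        # 31 days
            Package("ws07", "PDF reader", True, date(2015, 1, 10), False),     # 10 days
            Package("ws09", "Legacy OS", False, None)]

if __name__ == "__main__":
    for line in assess(FINDINGS, PACKAGES, TODAY)["failures"]:
        print("FAIL:", line)
```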
FURTHER READING LINKS (1)
Cyber Security Strategy: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf
GCS: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/251480/Government-Security-Classifications-April-2014.pdf
Register for a PSN Service Supplier certificate: https://www.gov.uk/apply-for-a-public-services-network-psn-service-compliance-certificate
PSN supplier assertions and Cloud Security Principles: https://www.gov.uk/government/publications/cloud-service-security-principles/cloud-service-security-principles and https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/366122/Implementing_the_Cloud_Security_Principles.pdf
FURTHER READING LINKS (2)
Cyber Security Essentials: https://www.gov.uk/government/publications/cyber-essentials-scheme-overview and https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/317481/Cyber_Essentials_Requirements.pdf
CESG Certified Professionals: http://www.cesg.gov.uk/awarenesstraining/certified-professionals/pages/index.aspx
GOV.UK Digital Marketplace: https://www.digitalmarketplace.service.gov.uk/
Thank you for listening. Any questions?