Red Island Consulting
SECURITY ACCREDITATION FOR THE PSN
Dave Duke, Head of Business Development, Red Island Consulting
9/17/2013
Agenda
1. A bit about Red Island Consulting
2. PSN Accreditation: First Steps
3. PSN Accreditation: Impact Levels
4. PSN Accreditation: IL2
5. ISO27001 Certification Process
6. IL2 and IL3 Accreditation Process
7. PSN Accreditation: Things to Consider
Who are we?
Enterprise Risk Management, Compliance and Governance Services
- Management system and technology specialists
- 3rd party information assurance and risk management
- Off-site analysis
- On-site audit
Global Information Security / ISO27001 Specialists
- 28% of all UK ISO27001 certs
- HMG / CLAS / NHS N3 / GPG
- Numerous telcos and ISPs
PCI DSS QSA
- Since 2008
- Sole QSA to BT, EE, O2
- De-scoping and process experts
BCP / ISO22301 (BS25999)
- Global business continuity specialist
- 1st major Middle East energy company to UKAS certification
Bespoke Training
- Industry-leading e-learning
- On-site training
Experienced Consultants
- Only experienced consultants
- Technical people turned consultants
- Business focused
- Client sizes: 7 to 26,000
PSN Accreditation: First Steps
- PSN = Public Services Network
- Intended to unify the provision of network infrastructure across the public sector into an interconnected "network of networks"
- Designed to enable you to get accredited once and then continue to deal with the public sector
- Designed to make it easier for SMEs to do business with the public sector (e.g. you become certified once rather than per contract)
- To initiate accreditation, suppliers need to formally apply through the government procurement process, so you'll need a sponsor
PSN Accreditation: First Steps
- Network diagrams
- PSN Code
- IT Health Check
- Assurance
PSN Accreditation: Impact Levels (IL)
- IL2: Protect
- IL3: Restricted
PSN Accreditation: IL2
ISO27001 process:
- Asset identification
- Business impact analysis
- Risk assessment
- Risk treatment plan
- Documentation
- Implementation
- On-going monitoring
ISO27001 Certification Process
Certification involves 2 audits:
Stage 1
- Review asset ID, BIA and RA methodology
- Review RTP
- Review roles and responsibilities
- Review ISMS maturity
Stage 2
- Evidence of implementation and awareness
Certificate is valid for 3 years, subject to regular surveillance audits.
PSN Accreditation: IL3
- Greater protection and segregation
- Reviewed by CLAS
- Airgap
- RMADS
IL2 & IL3 Evidence Sets
- RMADS: lightweight RMADS required for BIL2 / full RMADS required for IL3
- Residual Risk Statement: required for both IL2 and IL3 systems/services
- Risk Register: required for both IL2 and IL3 systems/services
- Security Operating Procedures (relevant to the consumer and/or supplier): required for both IL2 and IL3 systems/services
- Other security-related documentation, such as IA conditions consumers are expected to meet: required for both IL2 and IL3 systems/services
- Statement on personal data and a completed DPA questionnaire: required for both IL2 and IL3 systems/services
- ITHC (scope and results) and other evidence of assurance (e.g. CPA certificate): required for both IL2 and IL3 systems/services, though the extent will be less for IL2 systems/services
- ISO/IEC 27001 certificate, report and improvement notice: required for IL2 systems/services
PSN Accreditation: Things to Consider
- Functional description of services required (no marketing info!)
- Is my assurance evidence sufficient for accreditation?
- IS1 technical risk assessment
- Mapping between system components and ISO 27001 certifications (for IL2)
PSN Accreditation: Help?
Who can I use to provide independent assurance?
- ISO27001 certification consultants
- CLAS consultants
- ISO27001 certification bodies
- CHECK testers
Activities
Phase 1: Gap Analysis
- Client brief on services to be accredited and confirm future PSN scope
- Agree phase 1 objectives with client
- Review and assess current documentation against scope
- Document gaps against ISO/IEC 27001:2005 and CESG GPG 32 (Telecoms Audit Standards)
- SAPMA physical security assessment of all sites (1 day per site)
- Risk Treatment Plan
- Management summary report
- Agree next stage objectives with client
Phase 2: Implement Controls
- Scope and deliver Accreditation Plan based on phase 1 post-objectives
- Update design documents
- Document new controls into documentation
- Update procedure documents
- Procedure planning / scheduling
- PSN application planning
- Populate PSN CoCo and Annex B
- Approve initial PSN application (CoCo (spreadsheet) and Annex B (Word document)) with client
- Agree next stage objectives with client
Phase 3: PSN Application
- Submit PSN application to PSNA
- Respond to PSNA requests for change
- Develop resulting RMADS to support approved application
- CHECK penetration testing (scope, test, resolve risks)
- Update RMADS
- CLAS consultant to review and approve RMADS prior to formal submission to CESG
- Submit RMADS to CESG
- Update RMADS based on CESG comments
- Agree next stage objectives with client
Phase 4: Accreditation
- Accreditation achieved
- Implement audit strategy to maintain accreditation
- Implement annual reaccreditation activities as business as usual
- Submit annual accreditation self-assessment
- Review all changes, whether by client or 3rd parties, for impact on accreditation
A date for your diaries!
Find out more about Security Accreditation for PSN
Friday 20th September, 9.00am to 12.30pm
HMS Belfast, London
Red Island Consulting
Thank you!
Dave Duke, Head of Business Development, Red Island Consulting
M: 07818 064130