How to gain accreditation for a G-Cloud Service




www.ascentor.co.uk

Demystify the process

As a registered supplier of G-Cloud services you will be keenly aware that getting onto the G-Cloud framework does not automatically enable those services to be bought by your potential customers. In many cases you will first need accreditation for your service or product. The process of accreditation is documented and publicly available, but if you are not familiar with the world of HMG accreditation the terminology and jargon can seem confusing. More importantly, if you have customers who are enquiring about your products or are keen to buy, you don't want unnecessary delays in achieving that sale.

By reading this guide we hope to demystify some of the key principles and outline the critical steps required to achieve accreditation for your service or product. Following these steps will give you an edge over your competition and increase the likelihood of getting a return on your investment in the G-Cloud.

Contents
- G-Cloud & the CloudStore Catalogue
- Three Tiers of Security Requirements
- 5 Steps to Accreditation
- Top Tips for IL1/2 Accreditation
- Top Tips for IL3 Accreditation

About Ascentor: Ascentor are independent Information Risk Management specialists who view information security as a powerful business enabler. CALL US NOW 01452 881712

G-Cloud and the CloudStore Catalogue

The Government's G-Cloud service is open for business. To date over 1,700 information and communications services have been added to the CloudStore catalogue. At present the CloudStore catalogue is little more than a business directory; any customer selecting a product or service from the catalogue must still perform their own accreditation, no different from selecting a product or service through any other mechanism. The objective of G-Cloud is to offer a catalogue of services that are fully accredited, requiring relatively little additional effort by the customer to use the service. For suppliers who wish to offer their services through G-Cloud there is a business imperative to become accredited. This will make your services more attractive to, and more likely to be selected by, the public sector customer.

Three Tiers of Security Requirements

G-Cloud services are divided into three tiers, which represent the security requirements of the customer's information. Your accreditation requirements vary between these tiers:

IL0 - This represents the lowest level of security requirements: there is no requirement for security accreditation. Very few services will fall into this category.

IL1/2 - This represents the baseline level of security requirements and is probably relevant for 60%-70% of public sector customers. Accreditation is based on the use of ISO 27001 certification, i.e. good commercial practice.

IL3 - This requires enhanced security to protect sensitive information and is a common requirement for central Government departments and some agencies. Accreditation is based on HMG security standards; these are based on ISO 27001, but with more stringent requirements.

To get accredited for IL1/2 you need to have a suitably scoped ISO 27001 certification; the certificate must be awarded by a recognised certification body. Additional information is presented in a short document, the light-weight RMADS, that is used to present a collection of security information to the Accreditor.

5 Steps to Accreditation

"By breaking the process into steps you can plan your approach and make it happen at speed." Peter Curran, Ascentor

Step One
The first step of the process is to complete and submit the G-Cloud Service Description Security Accreditation Scope template. The initial assessment is performed by the G-Cloud programme office, which will primarily focus on your eligibility to join G-Cloud. If your application is deemed acceptable it will be submitted to the Pan Governmental Accreditor (PGA).

Step Two
The PGA will examine the information provided to ensure that the ISO 27001 certification is suitably scoped. Understanding what is meant by "suitably scoped" is important; in simple terms this means that all elements of the service must be subject to certification. In addition, the Accreditor is seeking evidence that the security controls in some key areas are robust and sufficiently comprehensive. Unsurprisingly, this is likely to be an iterative process if the information supplied is incomplete or insufficiently detailed.

Step Three
Once the Accreditor has agreed that the scope of the ISO 27001 certification is sufficient, he/she will specify what evidence is required along with appropriate assurance activities. In many cases the evidence will be based on independent audit reports (e.g. 6-monthly surveillance audits), but may require examples of audits of third parties, certificates for evaluated products, and so on. Assurance activities are often based around an IT Health Check (ITHC) conducted by an accredited penetration testing company, but could include information related to the use and configuration of evaluated products. In some cases specialist assurance activities may be required, especially if the use of technology, or the system architecture, is novel or unusual.

Step Four
All of this evidence will be submitted as a Risk Management and Accreditation Document Set (RMADS); a specific light-weight template has been developed for this purpose. Other documents that must be submitted, and agreed with the PGA, include a Statement of Residual Risk, Security Operating Procedures (SyOPs) and IA Conditions for consuming organisations. Once the PGA is content an accreditation certificate will be issued. There are specific issues around the role of personal data (and sensitive personal data): there is a separate questionnaire that must be completed to confirm that the service provider can support the customer's obligations under the Data Protection Act 1998 (DPA). It is unlikely that a service provider would be accredited if their service is judged non-conformant with the DPA requirements.

Step Five
If the service is being offered at IL3, full accreditation is required. This is broadly the same approach as that used for IL2, except that the implementation of ISO 27001 controls using the HMG Baseline Control Set (BCS) is mandatory. It is also strongly recommended that a technical risk assessment is undertaken using the HMG IS1&2 methodology, along with a risk treatment plan that is aligned with CESG good practice guides. It is expected that IL3 services will be delivered by a G-Cloud service provider who is connected to the PSN at IL3; compliance with the PSN Code of Connection (CoCo) is required. Whilst it is theoretically possible to offer IL3 services via the Internet, it is likely that a CESG evaluated cryptographic product would be required. It is also more likely that specialist assurance services will be required to validate the configuration and use of the service provider's systems.

Top Tips for IL1/2 Accreditation

➊ Check the Scope of your ISO 27001 Certificate
Your certificate will say on it which of the activities of your business are within the scope of the certification; this is probably a summary of the scope specified in your ISMS. If the services being offered to G-Cloud do not fall within this scope, you will need to discuss a scope change with your auditor.

➋ Prepare information for the Security Accreditation Scope document
The scoping document asks some questions about your implementation of technical controls that are considered important for G-Cloud service providers. The answers to these questions are likely to inform the evidence requirements that will subsequently be specified by the PGA, so care in the wording and technical depth is important. It is a very good idea to try and use the language of HMG Information Assurance, and to avoid sales speak.

➌ Define or update your Information Security Policy in an HMG friendly way
If you have not yet been ISO 27001 certified, or are considering updating your security policies, it is well worth specifying policies that are compliant with HMG requirements for IL2 systems. Not only will this make it easier to prove that you meet all the requirements, but it will also make it easier for you to offer your services via the PSN or at IL3. You should base your ISO 27001 control implementation around the HMG Baseline Control Set (BCS) at the DETER level.

➍ Don't forget about connecting to your customer
Services at any impact level may be offered via the Internet. However, it is much easier to offer a service via the Public Services Network (PSN). Not only is this likely to be more attractive to public sector customers, but it avoids the problem of gaining accreditation for the customer connection mechanism. To gain approval for connecting your service to the PSN you will need to show that you are compliant with the PSN Code of Connection (CoCo); this should be relatively straightforward (but may require further adjustments to your ISO 27001 Information Security Management System). If you do decide to offer your service via the Internet you will need to include the connection method within the scope of your accreditation; SSL/TLS is a common mechanism.

➎ Think about aggregation and separation
Aggregation is the term used in Information Assurance to indicate the probable rise in business impact if a collection of data is compromised. Aggregation can occur through accumulation (putting lots of data in the same place), or association (linking two relatively harmless pieces of data together). In the main, accumulation is the problem for G-Cloud services; many thousands of personal data records are likely to be a more attractive target than one or two. The solution normally lies with more robust controls: better protective monitoring, increased physical security, etc.

Separation is an important concept in cloud services. In most cases public sector customers will not want their data mixed up with other customers' data, especially if those customers are not public sector organisations. If your service does not naturally keep customers separate, you should consider the robustness of your access control mechanisms to ensure that the risk of data leakage is minimised.

Top Tips for IL3 Accreditation

➊ Review your ISO 27001 certification
HMG Information Assurance is based on ISO 27001. You can use your existing ISO 27001 certification to provide key evidence to support the accreditation of your IL3 service. In general, controls should use the HMG Baseline Control Set (BCS) to define the implementation requirements. BCS is applied at three different levels (or segments); in general most controls should be implemented against the lowest segment. In some cases the middle segment may be more applicable, depending on the nature of the service and the impact of aggregation, or the requirement to deliver IL4 for availability.

➋ Define your stance on protecting personal data
Many IL3 systems will be storing or processing personal data, usually because most public sector organisations treat aggregates (collections) of personal data at IL3. Public sector organisations are obliged by the Data Protection Act (DPA) to ensure that third party data processors are able to protect personal data. The DPA Checklist contains a number of questions that are intended to establish the basis on which the G-Cloud supplier will satisfy the legal requirements. Make sure that you understand the current guidelines issued by the Information Commissioner's Office (ICO); in particular, you should note the sensitivity to offshoring data, especially outside the EEA. If you cannot provide satisfactory answers to the DPA Checklist it is unlikely that the service will be accredited.

➌ Consider connection to the PSN
Whilst it may be possible to offer an IL3 service via the Internet, in most cases it is expected that you will do so via the PSN. You will need to comply with the PSN Code of Connection (CoCo) and contract with a company offering a PSN IL3 network service. Whilst this activity can be stand-alone, it makes sense to include PSN connectivity within the scope of the IL3 accreditation.

➍ Integration with the PSN/G-Cloud incident management process
Whilst incident management procedures are important at all impact levels, IL3 requires specific activities to ensure that your incident management processes are fully integrated into those of the PSN/G-Cloud. Operation at IL3 requires a relatively pro-active approach to protective monitoring; using a Security Information and Event Management (SIEM) product is a cost effective way of providing the required level of capability in this area.

➎ Supporting forensic readiness
Forensic readiness is a further obligation on public sector organisations that requires a more proactive approach at IL3. G-Cloud service providers are required to support customer forensic readiness planning; there are existing CESG guidelines that describe the requirements for forensic readiness at IL3. Designing your systems to incorporate this guidance will increase the likelihood that you can support the requirements of your customers.

G-Cloud accreditation is an art and a science; it can seem complex, confusing and daunting. The team at Ascentor is here to help.

Meet Peter Curran
With over 25 years in the business, and 17 years in information security, Peter is our resident G-Cloud expert. We invite you to pick his brains. All we ask in return is some decent coffee and a few biscuits.

FREE 2-HOUR CONSULTATION
Call Dave James to arrange a free no-obligation consultation with our G-Cloud expert, Peter Curran. CALL DAVE ON 01452 881712

More information:
Ascentor Ltd
5 Wheatstone Court, Davy Way
Waterwells Business Park, Quedgeley
Gloucester, GL2 2AQ
+44 (0)1452 881712
info@ascentor.co.uk
www.ascentor.co.uk
www.twitter.com/ascentor
+44 (0)1452 881710