IT Heath Check Scoping guidance ALPHA DRAFT

Similar documents
A. Reference information. A0. G-Cloud Programme unique ID number for the service and version number of this scoping template

PSN IA conditions supporting guidance

Cyber Essentials Scheme

Thales Service Definition for PSN Secure Gateway Service for Cloud Services

DVLA ELISE GSi Closed User Group Code of Connection

CESG ASSURED SERVICE CAS SERVICE REQUIREMENT PSN CA (IPSEC)

U06 IT Infrastructure Policy

EA-ISP-012-Network Management Policy

Service Definition (Q-D1) Penetration Testing. Overview of Service. Functional and non-functional Detail. Q-D1: Service Definition

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review

IT Security Testing Services

Practitioner Certificate in Information Assurance Architecture (PCiIAA)

Committees Date: Subject: Public Report of: For Information Summary

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0

UNCLASSIFIED HMG IA Standard No. 1 Technical Risk Assessment

Procurement Policy Note Use of Cyber Essentials Scheme certification

A Rackspace White Paper Spring 2010

developing your potential Cyber Security Training

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Data Access Request Service

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

INFORMATION SECURITY TESTING

UK Government IA Recent Changes and Update

C015 Certification Report

Information System Audit Guide

Procuring Penetration Testing Services

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

Network Security & Connection Policy

Service Definition Document

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Service Definition (Q-D1) Vulnerability Scan (LITE Test) Overview of Service. Functional and non-functional Detail. Q-D1: Service Definition

Looking at the SANS 20 Critical Security Controls

Certification Report

G-Cloud IV Services Service Definition Accenture Cloud Security Services

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Penetration Testing. I.T. Security Specialists. Penetration Testing 1

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

White Paper. Information Security -- Network Assessment

93% of large organisations and 76% of small businesses

SBL Integration, Capabilities, and Enablement in Defence

PCI Requirements Coverage Summary Table

Penetration Test Report

CESG ASSURED SERVICE CAS SERVICE REQUIREMENT TELECOMMUNICATIONS

Cyber Essentials. Test Specification

Digital Pathways. Penetration Testing

Reducing the Cyber Risk in 10 Critical Areas

THE TOP 4 CONTROLS.

Spillemyndigheden s Certification Programme Instructions on Vulnerability Scanning

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

Network Security Guidelines. e-governance

Defence Cyber Protection Partnership Cyber Risks Profile Requirements

Q&A ADDENDUM FOR INFORMATION SECURITY VULNERABILITY ASSESSMENT PUBLISHED 10/20/2015

How to gain accreditation for a G-Cloud Service

This document is a preview generated by EVS

Cyber Essentials KAMI VANIEA 2

Thales Service Definition for IL3 Encrypted Overlay for Cloud Services

CPA SECURITY CHARACTERISTIC SECURE VOIP CLIENT

EUROPASS DIPLOMA SUPPLEMENT

Government Security Classifications FAQ Sheet 2: Managing Information Risk at OFFICIAL. v2.0 March 2014

Thales Service Definition for NOC Services for Cloud

SANS Top 20 Critical Controls for Effective Cyber Defense

CenSus ICT Strategy ( )

GPG13 Protective Monitoring. Service Definition

REMOTE WORKING POLICY

RISK MANAGEMENT AND ACCREDITATION OF INFORMATION SYSTEMS ALSO RELEASED AS HMG INFOSEC STANDARD NO. 2

How To Help Your Business Succeed

Information security due diligence

LOGIIC Remote Access. Final Public Report. June LOGIIC - APPROVED FOR PUBLIC DISTRIBUTION

ISO Information Security Management Services (Lot 4)

How To Ensure The C.E.A.S.A

Guideline for department and agency implementation of the Information Security Penetration Testing standard SEC/STD/03.

Highland Council Information Security Policy

Information Security and Governance Policy

Accessing and sending data securely across security domains

After reviewing all the questions, the most common and relevant questions were chosen and the answers are below:

Securing the Service Desk in the Cloud

CONTENTS. PCI DSS Compliance Guide

PCI Requirements Coverage Summary Table

Payment Card Industry (PCI) Penetration Testing Standard

New Systems and Services Security Guidance

Additional Security Considerations and Controls for Virtual Private Networks

Citrix NetScaler Platinum Edition Load Balancer Version 10.5 running on MPX 9700-FIPS, MPX FIPS, MPX FIPS, MPX FIPS appliances

Data Network Security Policy

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

PHILADELPHIA GAS WORKS Information Security Assessment and Testing Services RFP#30198 Questions & Answers December 4, 2015

Guideline on Auditing and Log Management

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT

Transcription:

IT Heath Check Scoping guidance ALPHA DRAFT Version 0.1 November 2014

Document Information Project Name: ITHC Guidance Prepared By: Mark Brett CLAS Consultant Document Version No: 0.1 Title: ITHC Guidance Document Version Date: 10/11/2014 Reviewed By: Review Date: Version History Ver. No. Ver. Date Revised By Description Filename 0.1 Nov 2014 Mark Brett Initial draft ITHC Guidance Alpha Draft Page 3 of 14

Page 4 of 14

1. Table of Contents 1. Table of Contents... 5 2. Introduction... 6 2.1. Purpose and Scope... 6 2.2. Document Structure... 6 3. Requirements... 7 4. Service Providers... 8 5. Scope of Work... 9 5.1. Introduction... 9 5.2. We have suggested the principal test targets below. A generic modular network diagram should be developed, to test against each target. Location of Internal Network Testing... 9 5.3. Network Penetration Test... 9 5.4. Network Vulnerability Assessment... 9 5.5. Web Application Security Assessment... 10 5.6. Server Security Assessment... 10 5.7. Mobile Device Security Assessment... 10 5.8. Wireless Security Assessment... 10 5.9. Home Office / Small Office Assessment... 10 6. Deliverables... 11 6.1. High Level Network Schematic... 11 6.2. ITHC Reports... 11 7. Example Heat Map showing identified vulnerabilities, by control number from the ITHC report.... 12 Annex A: References... 13 Annex B: Glossary and Abbreviations... 14 Page 5 of 14

2. Introduction 2.1. Purpose and Scope This document provides clarification and good practice guidance for performing IT Health Checks (ITHCs) at OFFICIAL for PSN. This includes expectations on ITHC service providers, their scope of work and the quality/structure of any deliverables produced as part of PSN compliance evidence. This will further assist the Corporate information Governance Group and support the remedial action plan (RAP). Furthermore this will greatly assist the PSNA compliance team to be able normalise and understand the ITHC reports received, which vary greatly in their content, style and value. The majority of Public Sector Networks are currently accredited to handle protectively marked information at OFFICIAL, but some customers may have a requirement to test their network at higher levels. This guidance apply to the ITHC testing at OFFICIAL, based around the ISO/IEC 27001 standard [8]. It is a technical standards document written under the PSN banner, and is intended to support compliance with the corresponding conditions contained in the PSN Code Template [1]. Consequently, the only baseline current requirements identified in this document are those currently contained in the PSN Code Template [1]. Moreover, it should be noted that this standard does not explicitly provide a description of any ITHC requirements for those organisations bound by the HMG Security Policy Framework (SPF) [2]; such organisations must still continue to comply with HMG IA Policy, including relevant controls from the Baseline Countermeasure Set (BCS) and supporting CESG guidance publications. Similarly, other community-specific requirements (e.g. IGSoC for NHS) should also be followed in those communities in addition to those defined in the PSN Code Template [1]. 2.2. Document Structure This document is structured as follows: Section 1 (this section) the introduction; Section 3 requirements and guidance for ITHC service providers; Section 4 requirements and guidance for ITHC scopes of work; Section 5 requirements and guidance for ITHC deliverables; Annex A the references cited in this document; Annex B abbreviations and glossary of terms; Page 6 of 14

3. Requirements The IT Health Check is more than a vulnerability scan, The check is to cover the scope of the consuming and connected network, clearly identifying and testing all relevant network equipment and facilities. This must cover the physical security aspects, equipment rooms, racks and offices, where the PSN is connected and consumed. The ITHC is required by the customer, to provide an overview highlighting deficiencies and those areas which require improvement. The ITHC is also required by GDS, as part of the IA Compliance documentation set. The ITHC is used by the PSN compliance team as an objective overview of the organisations physical and technical protection of the PSN connections and interfacing to the customers corporate network. The ITHC needs to cover the entire range of network segments which interface with the PSN, not just individual IP addresses. The scope of the ITHC, should be defined by the scope of the network diagram under control DIA.1. We need to clearly see ITHC results for all components on the diagram. CHE1. Requires that a technical vulnerability assessment, which covers all of the customer equipment, that means, the from the connection of the CPE (Customer Premises Equipment, to the PCs, laptop and mobile devices, all network equipment, interfacing between the PSN connected corporate network and ant web connections into the PSN connected network are all in scope. Any boundary devices (routers, gateways and firewalls at the boundary are in scope. Network equipment and devices on the other side of the boundary devices are out of scope. The diagram and ITHC need to clearly show the scope and exclusions. PSN IA conditions controls: Condition No. DIA DIA.1 CHE CHE.1 Subject Network Diagrams & Scope Network Diagrams & Scope Compliance Checking Compliance Checking Obligation A high level logical network schematic shall be provided to accompany this IA Conditions document. The diagram shall be used to describe the scope for the IA Conditions it is therefore important to include where possible the following information: - Diagrammatical representation of services and functionality in place including defining which ones are PSN services and those that are not. - Onward connectivity including remote access services and connectivity overseas/offshore -Gateway/boundaries functionality - Third party connectivity Organisations shall implement an annual programme of IT Health Checks to validate equipment not provided as part of a PSN service that interacts with PSN services. Page 7 of 14

4. Service Providers It is not necessary for an ITHC testing organisation to be CHECK approved to perform an ITHC OFFICIAL ICT infrastructure. However, PSN has an expectation that such organisations should deploy testers who are CREST or TIGER SCHEME accredited, with have a proven track record in this field. We would also urge organisations to seek example reports to ensure that the scope, format and deliverables will be suitable for meeting the PSN IA Conditions at OFFICIAL. They should be able to demonstrate this through reference sites and redacted customer reports. We would recommend; Clear executive summary. Clearly annotated network diagram (provided by the customer per control DIA1.), this will have the 10 ToI s listed and colour coded annotation showing: RED: Deficient AMBER: Deficient but simple fix GREEN: Compliant. Clearly prioritised list of deficiencies with a non-technical explanation. (RED/AMBER) Clear diagrams to and charts to support the customer and the PSN Compliance team in GDS. A remedial action plan to meet the deficiencies (RED/AMBER). We do not consider output from automated testing tools, without a clear business led explanation to be sufficient or appropriate. CREST: http://crest-approved.org/ TIGERSCHEME: http://www.tigerscheme.org Page 8 of 14

5. Scope of Work 5.1. Introduction The requirement is to meet the relevant controls detailed in the PSN IA Requirements pertaining to services at OFFICIAL. The ITHC will include an external penetration test for all Internet facing IP addresses and internal network hosts. We recognise each customer site has a different network infrastructure and varying requirements, so that it will be necessary to construct a modular pricing structure which will be based on the elements of the Scope of Work 5.2. We have suggested the principal test targets below. A generic modular network diagram should be developed, to test against each target. Location of Internal Network Testing Internal network testing should be completed from within the client s principal locations, and also, where specified from Public Access locations such as Libraries, contact centres etc. The principal Targets of Interest (ToI) for testing should include: ToI1 External Firewall, Gateway and Boundary Security Assessment ToI2 External Network Penetration Test (websites, access control, remote access, VPN Servers, DMZ servers) ToI3 Onsite Network Penetration Test (Intranet, email gateways, router and firewall access. access control) ToI4 Operating System Assessment (Patching, configuration and malware protection), of key servers affecting PSN services and network. ToI5 Mobile Device Security Assessment ToI6 SSL VPN Assessment ToI7 Wireless Infrastructure Assessment ToI8 IDS/IDP Assessment ToI9 Application Security Assessment (including websites and Intranets/Extranets) ToI10 Physical security assessment server room and network equipment racks. 5.3. Network Penetration Test This will be conducted from outside the client s network, with the intention of assessing the vulnerabilities which an unauthenticated attacker could use to penetrate the network. Typically, this will be on the public facing elements of the network, e.g. web servers. Remote access gateway and wireless networks. 5.4. Network Vulnerability Assessment This Assessment will identify the vulnerabilities within the client organisation s internal network and is typically conducted from within the Local Area Network or Wide Area Network. It will incorporate Page 9 of 14

both manual and automated security testing techniques to identify vulnerabilities within desktops, servers and network infrastructure, which could be exploited from within the organisation. The Network Vulnerability Assessment, will also report, where appropriate, on the organisation s firewalled connection to the Public Services Network (PSN), IA Conditions especially in relation to remote, home and mobile connections. 5.5. Web Application Security Assessment This will measure the resilience of an application to withstand attack from unauthorised users and the potential for valid users to abuse their privileges and access rights. This must include all websites, which draw their data and responses from infrastructure within the PSN ITHC scope. 5.6. Server Security Assessment The Server Security Assessment will provide information as to the resilience of a server system to withstand attack from unauthorised users and the potential for valid users to abuse their privileges and access rights. This will also include the configuration and server patching regime. 5.7. Mobile Device Security Assessment This will establish the resilience of mobile devices which connect to the client network, i.e. authentication, resident applications and security software, to withstand attack from unauthorised users and the potential for valid users to abuse their privileges and access rights. The organisations policy covering mobile device usage and access to the PSN network and services should be included. 5.8. Wireless Security Assessment This will assess the client network s wireless infrastructure to identify potential vulnerabilities within the wireless network, and therefore any internal wired networks, against unauthorised access, whilst maintaining appropriate access control for authorised users. 5.9. Home Office / Small Office Assessment This will assess the suitability and security vulnerabilities of access to the client network from home offices and small remote locations, typically using ADSL. This will include checking the policy and the patching regime for end point devices. Page 10 of 14

6. Deliverables 6.1. High Level Network Schematic As part of PSN compliance evidence, there should be a high level network schematic. This should contain enough detail to enable a compliance assessor to understand the customers network environment, which is either connected to or consuming a PSN connection or service. The scope of the diagram will be the PSN connected or consuming environment and the interfaces and inter-connected network boundaries. We would ask the ITHC report annotates the network diagram prepared as part of control DIA1. To show which components and ranges were tested and referenced against the findings to help the customer and the PSN Compliance Team. 6.2. ITHC Reports The ITHC is expected to produce the following: A colour annotated network heat map diagram showing the principal targets of interest (ToI), described previously and their determined status. This should be consistent with the High Level Network Schematic. An executive summary that gives a business level summary of the findings and their impact A technical summary that prioritises the key areas of risk found An analysis of the findings against relevant security good practice Details of all testing conducted and the tools and techniques used Detailed descriptions of findings for all vulnerabilities identified and an indicative level of risk to the client and/or system assessed along with recommended remedial action Additionally screenshots and tool outputs and other supporting evidence for each vulnerability could be included as an appendix to the report. Each component will then at the end of the test be colour coded to give an instant visual and numeric representation of the network as a heat map, to assist the SIRO and senior management in understanding the current network status, All outputs from testing tools are to be separately provided as annexes, not part of the main report. Page 11 of 14

7. Example Heat Map showing identified vulnerabilities, by control number from the ITHC report. Page 12 of 14

Annex A: References The following references are used in this document: [1] PSN Code Template for Code of Interconnection, Code of Practice, Code of Connection [2] HMG Security Policy Framework [3] PSN Operating Model [4] PSN Document Management and Change Control [5] PSN Compliance [6] PSN Security Model [7] HMG Information Assurance Standards No. 1 and 2 (IAS1&2), Information Risk Management [8] ISO/IEC 27001, Information Security Management Systems Requirements Page 13 of 14

Annex B: Glossary and Abbreviations CESG ITHC GCN GDS IA IAS ICT IGSoC IL ISMS ISO MOD NHS PSN The National Technical Authority for Information Assurance IT Health Check Government Conveyance Network Government Digital Service Information Assurance Information Assurance Standard Information and Communications Technology Information Governance Statement of Compliance Impact Level Information Security Management System International Standards Organisation Ministry of Defence National Health Service Public Services Network Page 14 of 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information