red island consulting - federation of communication … files/fcs_pdfs/events/comms...

Page 1: Security Accreditation for the PSN

SECURITY ACCREDITATION FOR THE PSN

Red Island Consulting
9/17/2013 8:45:39 AM

Dave Duke, Head of Business Development
Red Island Consulting

Page 2: Agenda

1. A bit about Red Island Consulting
2. PSN Accreditation First Steps
3. PSN Accreditation – Impact Levels
4. PSN Accreditation – IL2
5. ISO27001 Certification Process
6. IL2 and IL3 Accreditation process
7. PSN Accreditation – Things to Consider

Page 3: Who are we?

Global Information Security / ISO27001 Specialists
• 28% of all UK ISO27001 certs
• HMG / CLAS / NHS N3 / GPG
• Numerous telcos and ISPs

Management System & Technology Specialists
• Enterprise Risk Management, Compliance and Governance Services

BCP / ISO22301 (BS25999)
• Global Business Continuity Specialist
• 1st Major Middle East Energy Co to UKAS certification

Bespoke Training
• Industry Leading E-Learning
• On-site training
• Client Sizes 7 – 26,000

3rd Party Information Assurance and Risk Management
• Off-site Analysis
• On-site Audit

PCI DSS QSA Since 2008
• Sole QSA to BT, EE, o2
• De-Scoping and Process Experts

Experienced Consultants
• Only Experienced Consultants
• Technical people turned Consultants
• Business focused

Page 4: PSN – Accreditation First Steps

• PSN = Public Services Network
• Intended to unify the provision of network infrastructure across the public sector into an interconnected "network of networks"
• Designed to enable you to get accredited once and then enable you to continue to deal with the public sector.
• Designed to make it easier for SMEs to do business with the public sector (e.g. you become certified once rather than by contract).
• To initiate accreditation, suppliers need to formally apply through the government procurement process, so you’ll need a sponsor.

Page 5: PSN – Accreditation First Steps

• Network Diagrams
• IT Health Check
• Assurance
• PSN Code

Page 6: PSN Accreditation – Impact Levels (IL)

• IL2: Protect
• IL3: Restricted

Page 7: PSN Accreditation – IL2 ISO27001 process

1. Asset Identification
2. Business Impact Analysis
3. Risk Assessment
4. Risk Treatment Plan
5. Documentation
6. Implementation
7. On-going Monitoring

Page 8: ISO27001 Certification Process

Certification involves 2 audits

Stage 1
• Review Asset ID, BIA and RA Methodology
• Review RTP
• Review Roles & Responsibilities
• Review ISMS Maturity

Stage 2
• Evidence of Implementation & Awareness

Certificate is valid for 3 years, subject to regular surveillance audits

Page 9: PSN Accreditation – IL3

• Greater protection and segregation
• Airgap
• RMADS
• Reviewed by CLAS

Page 10: IL2 & IL3 Evidence Sets

• RMADS: Lightweight RMADS required for BIL2 / Full RMADS required for IL3
• Residual Risk Statement: Required for both IL2 and IL3 systems/services
• Risk Register: Required for both IL2 and IL3 systems/services
• Security Operating Procedures (relevant to the consumer and/or supplier): Required for both IL2 and IL3 systems/services
• Other Security Related documentation, such as IA conditions consumers are expected to meet: Required for both IL2 and IL3 systems/services
• Statement on personal data and a completed DPA questionnaire: Required for both IL2 and IL3 systems/services
• ITHC (scope and results) and other evidence of assurance (e.g. CPA certificate): Required for both IL2 and IL3 systems/services, though the extent will be less for the IL2 systems/services.
• ISO/IEC 27001 Certificate, report & improvement notice: Required for IL2 systems/services

Page 11: PSN Accreditation – Things to consider

• Functional description of Services Required (No marketing info!)
• IS1 technical risk assessment
• Mapping between system components and ISO 27001 certifications (for IL2)
• Is my assurance evidence sufficient for accreditation?

Page 12: PSN Accreditation – Help?

Who can I use to provide independent assurance?
• ISO27001 certification consultants
• CLAS consultants
• ISO27001 certification bodies
• CHECK testers

Page 13: Accreditation phases and activities

Phase 1: Gap Analysis
Phase 2: Implement Controls
Phase 3: PSN Application
Phase 4: Accreditation

Activities
• SAPMA Physical Security assessment of all sites, 1 day per site
• Scope and deliver Accreditation Plan based on phase 1 post objectives
• CHECK Penetration Testing (Scope, test, resolve risks)
• Agree next stage objectives with Client
• Client brief on services to be accredited and confirm future PSN scope
• Agree phase 1 objectives with client
• Update Design documents
• Submit PSN Application to PSNA
• Accreditation achieved
• Document new controls into documentation
• Respond to PSNA requests for change
• Implement audit strategy to maintain accreditation
• Review & assess current documentation against scope
• Update Procedure documents
• Develop resulting RMADS to support approved application
• Implement annual re-accreditation activities as business as usual
• Document Gaps against ISO/IEC27001:2005 and CESG GPG 32 (Telecoms Audit Standards)
• Procedure planning / scheduling
• CLAS consultant to review and approve RMADS prior to formal submission to CESG
• Submit annual accreditation self assessment
• PSN Application planning
• Update RMADS
• Review all changes, either client or 3rd Parties, for impact to accreditation
• Management summary report
• Populate PSN CoCo and Annex B
• Submit RMADS to CESG
• Approve initial PSN application (CoCo (spreadsheet) and Annex B (word document)) with Client
• Update RMADS based on CESG comments
• Risk Treatment Plan

Page 14: A date for your diaries!

Find out more about Security Accreditation for PSN
Friday 20th September, 9.00am to 12.30pm
HMS Belfast, London

Page 15: Thank you!

Red Island Consulting
Dave Duke, Head of Business Development
Red Island Consulting
M: 07818 064130