red island consulting - federation of communication … files/fcs_pdfs/events/comms...
TRANSCRIPT
9/17/2013 8:45:39 AM. 1
SECURITY ACCREDITATION FOR THE PSN
Red Island Consulting
Dave Duke, Head of Business Development
Red Island Consulting
Agenda
1. A bit about Red Island Consulting
2. PSN Accreditation First Steps
3. PSN Accreditation – Impact Levels
4. PSN Accreditation – IL2
5. ISO27001 Certification Process
6. IL2 and IL3 Accreditation process
7. PSN Accreditation – Things to Consider
Who are we?
• Global Information Security / ISO27001 Specialists
• 28% of all UK ISO27001 certs
• HMG / CLAS / NHS N3 / GPG
• Numerous telcos and ISPs
• Management System & Technology Specialists
• Enterprise Risk Management, Compliance and Governance Services
• BCP / ISO22301 (BS25999)
• Global Business Continuity Specialist – 1st Major Middle East Energy Co to UKAS certification
• Bespoke Training
• Industry Leading E-Learning
• On-site training
• Client Sizes 7 – 26,000
• 3rd Party Information Assurance and Risk Management
• Off-site Analysis
• On-site Audit
• PCI DSS QSA Since 2008
• Sole QSA to BT, EE, o2
• De-Scoping and Process Experts
• Experienced Consultants
• Only Experienced Consultants
• Technical people turned Consultants
• Business focused
PSN – Accreditation First Steps
• PSN = Public Services Network
• Intended to unify the provision of network infrastructure across the public sector into an interconnected "network of networks"
• Designed to enable you to get accredited once and then enable you to continue to deal with the public sector.
• Designed to make it easier for SMEs to do business with the public sector (e.g. you become certified once rather than per contract).
• To initiate accreditation, suppliers need to formally apply through the government procurement process, so you'll need a sponsor.
PSN – Accreditation First Steps
• Network Diagrams
• IT Health Check
• Assurance
• PSN Code
PSN Accreditation – Impact Levels (IL)
• IL2 – Protect
• IL3 – Restricted
PSN Accreditation – IL2 ISO27001 process
• Asset Identification
• Business Impact Analysis
• Risk Assessment
• Risk Treatment Plan
• Documentation
• Implementation
• On-going Monitoring
ISO27001 Certification Process
Certification involves 2 audits
Stage 1
• Review Asset ID, BIA and RA Methodology
• Review RTP
• Review Roles & Responsibilities
• Review ISMS Maturity
Stage 2
• Evidence of Implementation & Awareness
Certificate is valid for 3 years, subject to regular surveillance audits
PSN Accreditation – IL3
• Greater protection and segregation
• Airgap
• RMADS
• Reviewed by CLAS
IL2 & IL3 Evidence Sets
• RMADS – Lightweight RMADS required for BIL2 / Full RMADS required for IL3
• Residual Risk Statement – Required for both IL2 and IL3 systems/services
• Risk Register – Required for both IL2 and IL3 systems/services
• Security Operating Procedures (relevant to the consumer and/or supplier) – Required for both IL2 and IL3 systems/services
• Other security-related documentation, such as IA conditions consumers are expected to meet – Required for both IL2 and IL3 systems/services
• Statement on personal data and a completed DPA questionnaire – Required for both IL2 and IL3 systems/services
• ITHC (scope and results) and other evidence of assurance (e.g. CPA certificate) – Required for both IL2 and IL3 systems/services, though the extent will be less for IL2 systems/services
• ISO/IEC 27001 Certificate, report & improvement notice – Required for IL2 systems/services
PSN Accreditation – Things to consider
• Functional description of services required (no marketing info!)
• IS1 technical risk assessment
• Mapping between system components and ISO 27001 certifications (for IL2)
Is my assurance evidence sufficient for accreditation?
PSN Accreditation – Help?
Who can I use to provide independent assurance?
• ISO27001 certification consultants
• CLAS consultants
• ISO27001 certification bodies
• CHECK testers
Phase 1 – Gap Analysis
Phase 2 – Implement Controls
Phase 3 – PSN Application
Phase 4 – Accreditation
Activities
• SAPMA Physical Security assessment of all sites, 1 day per site
• Scope and deliver Accreditation Plan based on phase 1 post objectives
• CHECK Penetration Testing (scope, test, resolve risks)
• Agree next stage objectives with Client
• Agree next stage objectives with Client
• Client brief on services to be accredited and confirm future PSN scope
• Agree phase 1 objectives with client
• Update Design documents
• Submit PSN Application to PSNA
• Accreditation achieved
• Document new controls into documentation
• Respond to PSNA requests for change
• Implement audit strategy to maintain accreditation
• Review & assess current documentation against scope
• Update Procedure documents
• Develop resulting RMADS to support approved application
• Implement annual re-accreditation activities as business as usual
• Document Gaps against ISO/IEC27001:2005 and CESG GPG 32 (Telecoms Audit Standards)
• Procedure planning / scheduling
• CLAS consultant to review and approve RMADS prior to formal submission to CESG
• Submit annual accreditation self-assessment
• PSN Application planning
• Update RMADS
• Review all changes, either client or 3rd Parties, for impact to accreditation
• Management summary report
• Populate PSN CoCo and Annex B
• Submit RMADS to CESG
• Agree next stage objectives with Client
• Approve initial PSN application (CoCo (spreadsheet) and Annex B (Word document)) with Client
• Update RMADS based on CESG comments
• Risk Treatment Plan
A date for your diaries!
Find out more about Security Accreditation for PSN
Friday 20th September, 9.00am to 12.30pm
HMS Belfast, London
Thank you!
Red Island Consulting
Dave Duke, Head of Business Development
Red Island Consulting
M: 07818 064130