Des Ward shares some valuable tips on giving your local authority the best chance of getting PSN accreditation.
The Public Services Network (PSN) is, arguably, one of the largest change management programmes currently being undertaken anywhere in the world.
All public sector organisations will need to have their networks accredited to the PSN standard by spring 2014, when the arrangement with Vodafone to provide the Government’s current connection standards – GCSX and GSI – will cease.
At best, this will mean that those still planning to connect to the legacy services (if they are still available) will no longer enjoy the current prices that they pay. At worst, it may mean that the legacy services are not there at all.
PSN is not simply a replacement for the GSi Convergence Framework (GCF) – it is a procurement framework providing a fully meshed infrastructure that far exceeds the scope of the hub-and-spoke GSi community system.
It also offers the opportunity for organisations to benefit from accessing and using shared services right across central government as well as the wider public sector.
The new infrastructure is seen as essential in reducing the overall cost of IT across government and in delivering the capability for more citizen-centric services to be handled at council level.
However, a greater ability to share requires more accountability to be placed on connected organisations and a much greater focus on compliance.
The secure and economic sharing of information and services relies on public sector organisations implementing their information assurance (IA) controls effectively.
A code of connection (CoCo) submission, and an end user’s implementation of its controls, remains a cornerstone of the PSN.
This proves to other organisations with which you share information that you have implemented appropriate IA controls.
To ensure end users remain connected to PSN, they will need to complete and return their CoCo and other requirements (e.g. IT health check, ancillary requirements) annually in advance of expiry.
Before your organisation can be connected to PSN, or use it to receive PSN services, you must be accredited and achieve PSN compliance.
Current guidance from the Cabinet Office makes it clear that no remedial action plans or weak compliance positions will be imported into PSN.
The Government is ceasing the issue of remedial action plans and any oversight of actions arising from an on-site assessment or IT health check – you will either be assessed as compliant or rejected.
Whilst compliance and accreditation are a large undertaking, end users should focus on asking themselves some very straightforward questions. This will pay dividends when, ultimately, they are assessed for compliance.
Define the flow of PSN data
One of the actions that most often benefits both the PSN customer and the assessor is to define the flow of PSN data.
If you do so, the assessor has a stronger rationale for approving the approaches described in your CoCo, whereas a lack of available information can mean that the CoCo is rejected merely because there was not enough evidence available at the time.
To avoid rejection, organisations should:
- Start with the applications that you consume from government partners. If in doubt, look at the PSN transition guides. We have extracted all the relevant information from these guides relating to the applications available for consumption from the GCF for our customers, and you should have something similar from your PSN suppliers;
- Next, determine the business areas that use this information. Firewall rules can be a good source if you’re unsure, and can also allow you to identify the internal systems involved;
- Once you find the internal systems involved, then you should be able to identify not only how the data is accessed, but where it’s stored;
- Document the controls that you have in place to ensure that access to PSN data is constrained to those who need it.
All of the above will allow you to quantify the boundary controls you have for your PSN, and to create flows of PSN data within your organisation.
PSN-derived data (is the data really sensitive?)
Many people are concerned because they believe they are accessing PSN-derived data; take the time to determine what exactly it is that you are accessing.
A team leader remotely accessing management information relating to call volumes of a call centre has a wholly different risk profile from one accessing revenues and benefits data from the Department for Work and Pensions.
Talk to your tester
Whilst IT health checks (ITHCs) are very useful for both the customer and assessor to reference technical issues, it is important to ensure that they don’t cause more confusion than necessary.
I would recommend the following:
- Consider the CHECK/CREST assessment company you use – there is little benefit employing someone who can’t explain the issues to both the technical team and your chief executive in manners that they can understand;
- Submit plans to decommission legacy equipment, if relevant. There’s always a danger of trying to resolve issues on a system that’s being replaced within six months, which would take resources away from resolving issues on systems that will endure;
- Ensure that you communicate any compensating controls for issues found within the ITHC. A finding that describes full network access to a system which in fact sits behind a well-maintained firewall or similar controls can often skew the perception of the compliance assessor;
- Work with the ITHC assessor to communicate key issues as they are found. If the issue can be addressed during the assessment then it allows validation that the issues have been addressed and saves time and effort for all parties;
- Show you’re in control of managing the risks.
The above areas will show that you understand the information important to the central government agencies, and what the risks are. These are all important in the development of trust across the PSN.
Another key component in building the trust model is showing the management of risk.
Whilst the management of risk is mature at a technical level, the key is a merging of technical control maintenance into a wider information governance structure.
The impact of failing to comply with the PSN codes of practice pales in significance compared to the legal and regulatory obligations you are already required to meet.
I would always recommend maximising the value of the PSN compliance spend by directing it towards compliance with other obligations (e.g. the payment card industry data security standard (PCI DSS) or the NHS information governance toolkit).
With adult social care now sitting within local authorities, the need to comply with the information governance (IG) toolkit is increasing.
This should be embraced, as the structure required by the IG toolkit is complementary to the PSN CoCo.
The Public Services Network is a huge undertaking in a relatively compressed timeframe.
The amount of information to be consumed by those people assessing the CoCo inevitably limits the rigour that can be applied during the assessment.
Therefore, make it as easy as possible to allow the assessor to accredit your approach.
This effort will not only allow you to achieve compliance now, but create the structures to prepare you for the compliance challenges of the future.
Des Ward is information risk manager at public sector communications firm Updata Infrastructure