37 organisations at “significant risk” of missing PSN security deadline

The government has flagged 37 organisations at “significant risk” of failing to achieve security compliance for the Public Services Network (PSN)

The government has identified 37 organisations at “significant risk” of failing to achieve security compliance for the Public Services Network (PSN) by the deadline at the end of this month.

Computer Weekly has seen a copy of the unreleased PSN Programme Directors Update from February 2014 which states 60 out of 588 organisations are yet to achieve PSN compliance, ahead of the 31 March 2014 deadline.

Of those 60 organisations - which include local councils, government agencies and government departments - 37 have been specifically flagged as “being significantly at risk of failing to achieve 2013 PSN Compliance.”

The documents stated that the government expects this number to drop to 20, and that those organisations will then be transferred to an audit process run by the Office of the Government Senior Information Risk Owner (OGSIRO).

Computer Weekly asked the Cabinet Office what would happen to organisations that fail to achieve compliance, but officials said they would not comment on a leaked document.

The Cabinet Office has officially taken a "zero tolerance" approach to compliance with the PSN Code of Connection.

The government is in the process of migrating councils and other public bodies on to the Public Services Network to create a single "network of networks" for government IT. But existing customers on the transitional Government Secure Intranet Convergence Framework (GCF) have been finding it difficult to meet security requirements to allow them to connect to the PSN.

In December last year, one London council was just hours away from being disconnected from PSN.

Being disconnected from PSN could mean a local authority is unable to fully carry out its public duties. Connection to PSN is required for public services that are centrally and locally managed or delivered, such as housing benefits. If a council lost connection to PSN, it would be unable to electronically exchange benefits data with the Department for Work and Pensions, for example.

“Councils are taking compliance seriously and having a difficult time,” said John Jackson, CIO at Camden Council. “Councils are working towards it at different speeds, with different capacities and capabilities.”

Jackson said he has recently seen more willingness from central government to work in partnership with councils to achieve PSN compliance, and he doubts the Cabinet Office would actually cut off from PSN any organisations that have not met compliance by the deadline.

“I think it would be crazy to be cutting people off,” he said. “It would be putting front-line [council] services at risk, and putting vulnerable people at risk.”

But while the government has become more willing to help organisations meet the PSN compliance deadline, it still needs to ensure that the security and controls it is enforcing are proportionate to risk, said Jackson.

“Some of the controls are disproportionate to the likelihood of them happening,” he said.

Nick Roberts, president-elect of local government user group Socitm, said a recent PSN review meeting which was chaired by government chief operating officer Stephen Kelly was very productive. 

“It was not just focused on getting any remaining authorities over the line and working hard to enable that to happen, but also looking ahead to the next round of compliance to seek to ensure the process is in the best possible state to support the ongoing and evolving requirements.”

Last year, the government issued security approval for public sector organisations to offer bring your own device (BYOD) schemes. But the policy places a number of restrictions on how staff-owned devices must be used, especially for data likely to travel over PSN – and implicitly acknowledges that the government security group CESG would prefer public bodies not to offer BYOD if possible.
