More responsive PSN security compliance regime goes live

Following a successful public beta of the updated Public Services Network compliance regime, the process has now gone live

The Government Digital Service (GDS) has formally launched a new compliance regime for the Public Services Network (PSN) following a successful public beta process.

Organisations looking to renew their PSN compliance certificate will need to use the updated process, although a grace period until the end of June 2015 has been put in place for in-progress applications.

The regime has been designed to be more responsive to the varying and increasingly dynamic security needs of public sector bodies, with particular reference to bring your own device (BYOD), which has been a sticking point in the past and is now taken into account at the compliance stage.

GDS has also tweaked compliance requirements for suppliers in an attempt to make the market more accessible and easier for a wider range of suppliers, particularly small and medium-sized enterprises (SMEs), to offer their services.

Public sector bodies will now need to take five steps towards completing an application for a PSN connection compliance certificate. These involve completing a Code of Connection (CoCo); providing a network diagram; providing an IT Health Check (ITHC) report; updating contact details; and, finally, submission.

Of these steps, CoCo completion remains the heaviest burden, and covers the nature of the infrastructure that the applicant organisation wishes to connect.

This includes information such as network size, user numbers, number of sites and number of IP addresses on the network.

CoCo will also cover the steps taken to mitigate risk, such as vulnerability management, monitoring and intrusion detection, incident response, authentication and access control, boundary protection and interfaces, user and admin separation of data, and security testing.

The CoCo stage will be signed off by the senior information risk owner (SIRO) for central government departments, or the chief executive for local authorities and other public sector organisations.

The network diagram, which must be under six months old, will show aspects such as local connections with approximate user numbers and details of PSN and non-PSN service remote connections, external and third-party connections, security device locations, wireless devices and off-shore infrastructure and connections.

The ITHC, which must be under 12 months old, will give insight into what vulnerabilities exist in the applicant’s infrastructure and what action has been taken, or is planned, to fix or mitigate them.

On the Government Technology blog, GDS said there had been great progress towards implementing the new regime, with a good deal of helpful feedback received and incorporated during the lengthy beta process.

“We made a commitment at the end of 2014 to make the PSN compliance process simpler, clearer and faster. Getting to this point wouldn’t have been possible without the co-operation, support and feedback we’ve had right across the PSN community,” said GDS.

Old regime jeopardised cost-cutting initiatives

PSN compliance was the subject of much debate in the past, with many public sector bodies complaining that onerous CoCo requirements might put in jeopardy initiatives deployed primarily to cut costs as demanded by the government’s programme of austerity, such as remote working and BYOD.

At the height of the controversy, in December 2013, it emerged that at least one London council had come within hours of being disconnected from the PSN entirely.

After GDS took control of PSN in 2014, director of common technology services Andy Beale took the unprecedented step of apologising to local government IT chiefs at a PSN Summit, conceding that the Cabinet Office had not done the best job of handling compliance issues.

In November 2014, government CTO Liam Maxwell told Computer Weekly that the old CoCo requirements had been a “one-size-fits-all, blunt instrument”.

Maxwell said the old regime had been too prescriptive, and that a simpler, proportionate and user-focused approach was needed to keep organisations connected.

Des Ward, information governance director at PSN trade association Innopsis, formerly known as PSNGB, said the former regime had increased costs for customers with no tangible benefit. He welcomed the introduction of the updated system.

“We hope that GDS works collaboratively to build on the successful delivery of open service management and technical interoperability standards that underpin the network platform; a reliable network platform being crucial to deliver on the user needs of both the public and third sectors as we continue the efforts to deliver better, lower-cost public services.”

Ward cautioned, however, that there was still much work to be done to demolish the barriers to inter-agency information sharing.

“Given the reinforcement of risk and governance on the public sector customers in the new regimes, we need to learn from the past and leverage the maturity of existing governance frameworks that have originated from government as it grappled with the aftermath of dot com over a decade ago,” said Ward.