Information Assurance for PSN – the PSN CoCo

Update on the use of the Public Service Network (PSN)

This post was originally published in June 2012. In January 2017 the Government Digital Service stated that use of the PSN will be phased out but clarified the position in March, saying that Government bodies still need to be PSN compliant – at least for the immediate future. For up-to-date clarification on the PSN, please contact Dave James, MD at Ascentor. In the meantime, we hope you’ll find the original post of help.

There was a change to the Public Services Network (PSN) compliance process at the end of 2014 which is covered in a new article on the Ascentor site here.

This original blog posting provides a brief overview of what the PSN CoCo is all about, and where it fits into the Public Services Network Information Assurance (IA) story.

So what is a CoCo?

A Code of Connection (CoCo) is an Information Assurance (IA) mechanism to support the connection of a (normally accredited) network to another accredited network, without increasing or substantially changing the risks to the network that has issued the CoCo. In the case of the PSN, the risks are not just to the PSN itself, but also to all of the other organisations connected to the PSN. A CoCo is simply a list of conditions that should be met before connection can be approved.

Public sector organisations with an existing connection to the GSI family of networks (e.g., GSi, GSX, GSE, GCSx), or to the NHS N3 network, or to the PNN or CJSx, will be familiar with the concept.

What is in the PSN CoCo?

The current version of the PSN CoCo (Version 2.0) is available on the Cabinet Office website in an Excel spreadsheet titled “PSN Code Template – Annex B – version 2.0”. This document combines the Code of Interconnection (CoICo) (for use by network providers), the Code of Practice (CoP) (for service providers) and the Code of Connection (CoCo) (for PSN customers).

You will note that there are four principal areas:

  1. Governance
  2. Technical interoperability
  3. Commercial
  4. Information assurance

These are the four basic requirements that must be satisfied before approval is granted by the PSN Authority (see my previous blog post – Public Services Network (PSN) Accreditation – the process explained).

So far as the IA section is concerned, this is largely an update to the GSi CoCo that most public sector organisations already comply with. In most areas there is improved flexibility – the PSN CoCo is less prescriptive than its predecessors and is more focused on the outcome.

Who does the CoCo apply to?

The CoCo applies to any organisation connecting to the PSN as a ‘customer’ – a consumer of PSN services. For all practical purposes, this can be considered to be any public sector organisation connecting to the PSN, but also includes other organisations that currently have connections to the various extranets (e.g., charities and Government contractors).

How do I prove compliance?

The process for this is not yet fully defined. Ultimately, it is the Pan Governmental Accreditor (PGA) who will advise the PSN Authority that a customer is compliant with the CoCo. The sheer size of the public sector, along with the relatively short timescales for migration to the PSN, suggests that third-party independent verifiers will determine compliance and provide recommendations to the PGA. My experience with the connection of over 300 Local Authorities in England & Wales to the GCSx (under the Government Connect programme) suggests that this is both efficient and effective.

It is quite likely that CLAS consultants will provide a knowledgeable source of independent verifiers, as well as a pool of advisors on meeting the CoCo requirements.

Is there an audit regime?

There will be an audit regime. It is not yet fully defined, but it is anticipated that a proportion of PSN customers will be subject to an external audit to ensure that they meet the CoCo requirements and have the required systems in place to maintain compliance.

One of the benefits of ISO 27001 certification is that the ongoing audit process for this can easily meet the PSN CoCo requirements – my experience on the Government Connect programme was that ISO 27001 certified organisations found it very easy to meet the GCSx CoCo requirements and were almost always approved for connection with minimum fuss.

Further information

PSN documentation is available from the Cabinet Office site:

Article by Peter Curran, Principal IA Consultant and PSN specialist at Ascentor

