Information Assurance for PSN – the PSN CoCo

Update on the use of the Public Service Network (PSN)

This post was originally published in June 2012. In January 2017 the Government Digital Service statedthat use of the PSN will be phased out but clarified the position in March, saying that Government bodies still need to be PSN compliant – at least for the immediate future. For up to date clarification on the PSN, please contact Dave James, MD at Ascentor. In the meantime, we hope you’ll find the original post of help.

There wasa change to the Public Services Network (PSN) compliance process at the end of 2014 which is covered in a new article on the Ascentor site here .

This originalblog posting provides a brief overview of what the PSN CoCo is all about, and where it fits in to the Public Services Network Information Assurance (IA) story.

So what is a CoCo?

A Code of Connection (CoCo) is an Information Assurance (IA) mechanism to support the connection of a (normally accredited) network to another accredited network, without increasing or substantially changing the risks to the network that has issued the CoCo. In the case of the PSN, the risks are not just to the PSN itself, but also to all of the other organisations connected to the PSN. A CoCo is simply a list of conditions that should be met before connection can be approved.

Public sector organisations with an existing connection to the GSI family of networks (e.g., GSi, GSX, GSE. GCSx), or to the NHS N3 network, or to the PNN or CJSx, will be familiar with the concept.

What is in the PSN CoCo?

The current version of the PSN CoCo (Version 2.0) is available on the Cabinet Office website in an Excel spreadsheet titled ” PSN Code Template – Annex B – version 2.0 “. This document combines together the Code of Interconnection (CoICo) (for use by network providers), the Code of Practice (CoP) (for service providers) and the Code of Connection (CoCo)(for PSN customers).

You will note that there are four principle areas:

  1. Governance
  2. Technical interoperability
  3. Commercial
  4. Information assurance

These are the four basic requirements that must be satisfied before approval is granted by the PSN Authority (see my previous blog post – Public Services Network (PSN) Accreditation – the process explained ).

So far as the IA section is concerned, this is largely an update to the GSi CoCo that most public sector organisations already comply with. In most areas there is improved flexibility – the PSN CoCo is less prescriptive than its predecessors and is more focused on the outcome.

Who does the CoCo apply to?

The CoCo applies to any organisation connecting to the PSN as a ‘customer’ – a consumer of PSN services. For all practical purposes, this can be considered to be any public sector organisation connecting to the PSN, but also includes other organisations that currently have connections to the various extranets (e.g., charities and Government contractors).

How do I prove compliance?

The process for this is not yet fully defined. Ultimately, it is the Pan Governmental Accreditor (PGA) who will advise the PSN Authority that a customer is compliant with the CoCo. The sheer size of the public sector, along with the relatively short timescales for migration to the PSN, suggests that 3rd party independent verifiers will determine compliance and provide recommendations to the PGA. My experience with the connection of over 300 Local Authorities in England & Wales to the GCSx (under the Government Connect programme) suggests that this is both efficient, and effective.

It is quite likely that CLAS consultants will provide a knowledgeable source of independent verifiers, as well as a pool of advisors on meeting the CoCo requirements.

Is there an audit regime?

There will be an audit regime, this is not yet fully defined, but it is anticipated that a proportion of PSN customers will be subject to an external audit to ensure that they meet the CoCo requirements and have the required systems in place to maintain compliance.

One of the benefits of ISO 27001 certification is that the ongoing audit process for this can easily meet the PSN CoCo requirements – my experience on the Government Connect programme was that ISO 27001 certified organisations found it very easy to meet the GCSx CoCo requirements and were almost always approved for connection with minimum fuss.

Further information

PSN documentation is available from the Cabinet Office site:

Article by Peter Curran , Principal IA Consultant and PSN specialist at Ascentor


Other articles you might like:

You may also be interested in:

Work from home cyber security myths

Cyber security myths home workers fall for

Home workers are a growing gateway to your data and systems. If they believe any of these popular cyber security myths, your security is at serious risk.

Cyber security working from home

Managing good cyber security when working from home - what employers need to know

Home working carries increased security risks, but it doesn’t have to be open season for cyber criminals. These tips will help you put together a robust level of cyber security for your home based employees.

Cyber Essentials is changing - our overview

As the IASME Consortium takes over the management of the certification of Cyber Essentials (CE) Scheme, we look at what the changes will involve and why the scheme is still very much needed.