UPDATE June 2015: Since the original publication of this article, the Government’s approach to G-Cloud security has significantly changed. Please refer to this article instead – it explains the new security assertions process introduced with G-Cloud 6. To keep in touch with future developments why not sign-up to receive our regular news .
If you are a supplier looking to get your product or service accredited for the Government’s G-Cloud service you’ll need to undergo a security accreditation process. As we set out in our previous blog post , G-Cloud services are divided into three tiers. Here are a few useful tips for those who require IL3 level of accreditation – requiring enhanced security to protect sensitive information – to ensure your product or service passes muster.
1. Review your ISO 27001 certification. HMG Information Assurance is based on ISO 27001. You can use your existing ISO 27001 certification to provide key evidence to support the accreditation of your IL3 service. In general, controls should use the HMG Baseline Control Set (BCS) to define the implementation requirements. BCS is applied at three different levels (or segments) – in general most controls should be implemented against the lowest segment; in some cases the middle segment may be more applicable – depending on the nature of the service and the impact of aggregation, or the requirement to deliver IL4 for availability.
2. Define your stance on protecting personal data. Many IL3 systems will be storing or processing personal data – usually because most public sector organisations treat aggregates (collections) of personal data at IL3. Public sector organisations are obliged by the Data Protection Act (DPA) to ensure that third party data processors are able to protect personal data. The “DPA Checklist” contains a number of questions that are intended to establish the basis on which the G-Cloud supplier will satisfy the legal requirements. Make sure that you understand the current guidelines issued by the Information Commissioners Office (ICO) – in particular, you should note the sensitivity to offshoring data, especially outside the EEA. If you cannot provide satisfactory answers to the DPA Checklist it is unlikely that the service will be accredited.
3. Consider connection to the PSN. Whilst it may be possible to offer an IL3 service via the Internet, in most cases it is expected that you will do so via the PSN. You will need to comply with the PSN Code of Connection (CoCo) and contract with a company offering a PSN IL3 network service. Whilst this activity can be stand-alone, it makes sense to include PSN connectivity within the scope of the IL3 accreditation.
4. Integration with the PSN/G-Cloud incident management process. Whilst incident management procedures are important at all impact levels, IL3 requires specific activities to ensure that your incident management processes are fully integrated into those of the PSN/G-Cloud. Operation at IL3 requires a relatively pro-active approach to protective monitoring – using a Security Information and Event Management (SIEM) product is a cost effective way of providing the required level of capability in this area.
5. Supporting forensic readiness. Forensic readiness is a further obligation on public sector organisations that requires a more proactive approach at IL3. G-Cloud service providers are required to support customer forensic readiness planning – there are existing CESG guidelines that describe the requirements for forensic readiness at IL3. Designing your systems to incorporate this guidance will increase the likelihood that you can support the requirements of your customers.
We hope these five tips help to make the G-Cloud security accreditation process clearer. Look out for more G-Cloud accreditation tips here .