UPDATE June 2015: Since the original publication of this article, the Government’s approach to G-Cloud security has significantly changed. Please refer to this article instead – it explains the new security assertions process introduced with G-Cloud 6. To keep in touch with future developments, why not sign up to receive our regular news.
If you are a supplier looking to get your product or service accredited for the Government’s G-Cloud service, you will need to undergo a security accreditation process. As we set out in our previous blog post, G-Cloud services are divided into three tiers. Here are a few useful tips for those who require IL1/2 accreditation – the baseline security requirement – to ensure your product or service passes muster.
1. Check the Scope of your ISO 27001 Certificate.
Your certificate states which activities of your business fall within the scope of the certification – this is usually a summary of the scope specified in your ISMS. If the services being offered to G-Cloud do not fall within this scope, you will need to discuss a scope change with your auditor.
2. Prepare information for the Security Accreditation Scope document.
The scoping document asks some questions about your implementation of the technical controls that are considered important for G-Cloud service providers. The answers to these questions are likely to inform the evidence requirements that the PGA will subsequently specify, so care in the wording and technical depth is important. It is a good idea to use the language of HMG Information Assurance and to avoid ‘sales speak’.
3. Define or update your Information Security Policy in an HMG-friendly way.
If you have not yet been ISO 27001 certified, or are considering updating your security policies, it is well worth specifying policies that are compliant with HMG requirements for IL2 systems. Not only will this make it easier to prove that you meet all the requirements, it will also make it easier for you to offer your services via the PSN or at IL3. You should base your ISO 27001 control implementation around the HMG Baseline Control Set (BCS) at the DETER level.
4. Don’t forget about connecting to your customer.
Services at any impact level may be offered via the Internet. However, it is much easier to offer a service via the Public Services Network (PSN): not only is this likely to be more attractive to public sector customers, it also avoids the problem of gaining accreditation for the customer connection mechanism. To gain approval for connecting your service to the PSN you will need to show that you are compliant with the PSN Code of Connection (CoCo) – this should be relatively straightforward (but may require further adjustments to your ISO 27001 ISMS). If you do decide to offer your service via the Internet, you will need to include the connection method within the scope of your accreditation: SSL/TLS is a common mechanism.
5. Think about aggregation and separation.
Aggregation is the term used in Information Assurance for the probable rise in business impact if a collection of data is compromised. Aggregation can occur through accumulation (putting lots of data in the same place) or association (linking two relatively harmless pieces of data together). For G-Cloud services accumulation is the main problem – many thousands of personal data records are likely to be a more attractive target than one or two. The solution normally lies with more robust controls: better protective monitoring, increased physical security, and so on.

Separation is an important concept in cloud services. In most cases public sector customers will not want their data mixed up with other customers’ data – especially if those customers are not public sector organisations. If your service does not naturally keep customers separate, you should consider the robustness of your access control mechanisms to ensure that the risk of data leakage between customers is minimised.
We hope these five tips help to make the G-Cloud security accreditation process clearer. Look out for more G-Cloud accreditation tips here.
Article by Peter Curran, Principal IA Consultant at Ascentor.