Practical Steps to Ensure GCSX Code of Connection Compliance and Beyond

A White Paper by Bloor Research
Author: Nigel Stanley
Publish date: March 2010

"With the looming demands they now face, it makes sense for public sector organisations to plan now for a more compliant future." Nigel Stanley

Free copies of this publication have been sponsored by

Executive summary

The GCSX Code of Connection is an important step along the journey to provide a secure infrastructure for public sector business. At the time of writing most, if not all, work in local authorities to achieve compliance with the Code of Connection has been completed. In isolation, GCSX Code of Connection compliance may be seen to deliver little extra value back to the organisation, so it is important that a successful implementation be used as a catalyst for an improvement in overall organisational compliance.

This white paper discusses the importance of the GCSX Code of Connection and then addresses the larger issue of compliance management and how this can be effected using a structured approach.

About the Code of Connection

The GCSX Code of Connection, often referred to as CoCo, is a set of IT security rules and controls that must be adhered to by local authorities across England and Wales who wish to connect to the Government Secure Extranet (GCSX). If an authority fails to meet the security requirements of the Code of Connection then its access to GCSX can be terminated, which, in turn, could hamper the way in which the authority conducts its business with other authorities and agencies.
Authorities are audited annually to ensure they remain compliant with the Code of Connection.

A new version of the GCSX Code of Connection, 4.1, was approved for introduction in mid-2009 and includes some new areas of compliance, including the secure support of mobile workers, the control of unauthorised software and the labelling of emails with UK government protective markings to indicate the sensitivity of the content.

Why bother with the GCSX Code of Connection?

The past 10 to 15 years have seen the widespread adoption of internet-based IT systems and web sites in support of the delivery of services to citizens across the UK. The range of services is huge, and can span the booking of local authority football pitches through to the payment of parking fines and applications for planning permission.

In support of service provision, there is a need for inter-agency and inter-departmental working; for example the sharing of appropriate data with a local police force, or the sharing of confidential financial data with a central government department. Whilst much of this data may be mundane, a lot of it is highly sensitive and, if made public, could result in personal, political and financial damage.

The GCSX Code of Connection has been created to standardise the level of security implemented by local authorities and agencies, in an attempt to ensure a uniform level of internetworking security. Much in the way that the Payment Card Industry Data Security Standard (PCI DSS) has created a uniform level of security for credit card merchants, the Code of Connection should provide citizens with a degree of comfort that their data is being secured across organisational boundaries.

The introduction of the GCSX Code of Connection has acted as a catalyst for a number of local authorities.
Simply adhering to the GCSX Code of Connection requirements to achieve a tick in the box from an auditor is somewhat naive, and misses the opportunity that the Code of Connection presents: that of improving the overall organisational compliance posture.

The importance of compliance

Compliance is a fact of life for each and every local authority and public sector organisation. Irrespective of their information security compliance requirements, there are a host of legal and regulatory demands they need to manage each day. Inevitably, some compliance requirements take more time and effort than others and, indeed, some requirements present a larger political issue than others.

From a citizen's perspective, there is a high level of expectation that their private information will be kept secure and only accessed on a need-to-know basis; this expectation can be supported by demonstrating that organisational data is stored, maintained and used in accordance with regulatory and compliance requirements. Of course it is vital that organisations understand the difference between compliance and information security: achieving a level of compliance may be a requirement, but in itself is not a guarantee that data will be secure. A control that passes on the day of the audit can be misconfigured a week later, which is why the continuous monitoring discussed later in this paper matters.

With public sector services, citizens will normally have no choice of service provider. In extremis, a resident can only opt to be served by a different local council by moving house. This monopoly of service provision may lead to complacency on the part of a local authority. To mitigate this, local politicians are in place to ensure that service provision meets the needs of local residents. This, in turn, puts political focus on any incident where data security may be compromised.
An information security breach, data loss or compliance-related incident can rapidly turn into an election issue and ultimately cost political posts.

The financial impact of a data loss incident, in terms of the level of fine imposed by the Information Commissioner, has historically been fairly low. As of April 2010, the level of fine the Information Commissioner is able to impose has been dramatically increased to a maximum of £500,000 per data loss incident, reflecting the seriousness with which these incidents are now viewed. Clearly compliance is now more important than ever.

Other compliance requirements

The GCSX Code of Connection is only one of a number of information security compliance and legal requirements facing local authorities.

PCI DSS, the Payment Card Industry Data Security Standard, applies to all organisations that accept credit card payments. Most local authorities provide this facility for the payment of services and penalty fees, such as parking offences, and therefore need to comply with PCI DSS. The standard is quite prescriptive and requires authorities to provide a number of controls and safeguards to protect cardholder information. Failure to comply with PCI DSS can result in fines or the termination of a merchant agreement.

A law that uniquely affects public sector organisations is the Freedom of Information Act. This allows access to recorded information held by public authorities. Under the Act any individual can make a request for information and have the necessary data sent to them. Any refusal to supply the information needs to be justified in writing to the applicant, making the reasons for the refusal clear. Disputes are independently arbitrated.

Data that is subject to the Freedom of Information Act can reside in a variety of forms throughout an organisation. This could include emails, word processor documents, spreadsheets or written notes.
Computerised data can be secured using data loss prevention technologies such as encryption, but it is imperative that the decryption keys remain available to the organisation so that the data can be retrieved in its original form: encrypted data whose key has been lost cannot be produced in response to a request, however well it has been protected.

The Information Commissioner can serve an enforcement notice on a body that fails to provide data covered by the Freedom of Information Act. Failure to comply with an enforcement notice may result in the Commissioner referring the matter to the High Court, which, in turn, can deal with the public authority as if it had committed contempt of court. A public authority may appeal against an enforcement notice to the Information Tribunal.

It could be argued that the Freedom of Information Act is not a compliance requirement per se; instead it is a law that requires an authority to respond to requests for data. On the other hand, access to data under the Freedom of Information Act must be facilitated quickly and easily, something that would be very difficult with non-compliant and insecure IT systems. Degrees of ambiguity can often further complicate a compliance requirement.

In addition to externally driven compliance and regulatory requirements, many organisations are subject to their own internal standards for information security, which may themselves be subject to a regular audit process. These are often derived from published standards such as ISO 27002 and may attract an internal sanction if they are not complied with.

These examples demonstrate how it makes sense to harmonise compliance and regulatory requirements under a single control set that can be routinely updated and managed to provide a consistent view of an authority's information risk profile.
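As an added illustration (not code from the Bloor paper or from any product it alludes to), the following Python sketch shows what such a single harmonised control set looks like in practice: each internal control is mapped to every external regime it satisfies, and when the control set is revised (as happened when CoCo 4.1 added mobile-working and unauthorised-software areas) only the new, changed or previously failed controls are queued for re-assessment, while unchanged, passing results carry forward. It then rolls the results up per regime and per accountable role, which is the kind of view a risk management tool is expected to provide. The control identifiers, wording, regime mappings, owners and assessment results are constructed for the example and are not taken from CoCo, PCI DSS or ISO 27002.

```python
"""Harmonised control set with incremental re-assessment.

Added example, not code from the Bloor paper or any product. The
control identifiers, wording, regime mappings, owners and assessment
results are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    cid: str            # internal control identifier
    text: str           # what the control requires
    regimes: frozenset  # external requirements this one control satisfies
    owner: str          # role accountable for the control (for role-based reporting)


def control(cid, text, regimes, owner):
    return Control(cid, text, frozenset(regimes), owner)


# Controls that are identical in both versions of the control set.
NW_01 = control("NW-01", "Firewall between the GCSX link and the internal LAN",
                {"PCI DSS req 1", "CoCo"}, "Network team")
MW_01 = control("MW-01", "Anti-virus deployed and signatures updated daily",
                {"PCI DSS req 5", "CoCo"}, "Desktop team")

# Version 1 of the harmonised control set. One internal control can
# satisfy several external regimes at once; that is the point of
# harmonising rather than keeping one checklist per regime.
CONTROLS_V1 = {c.cid: c for c in [
    control("AC-01", "Unique user ID for every account with system access",
            {"PCI DSS req 8", "ISO 27002", "CoCo"}, "IT operations"),
    NW_01,
    MW_01,
]}

# Constructed result of the last assessment against v1 (True = control in place).
RESULTS_V1 = {"AC-01": True, "NW-01": True, "MW-01": False}

# Version 2: AC-01 reworded (stricter), two new areas added, the rest unchanged.
CONTROLS_V2 = {c.cid: c for c in [
    control("AC-01", "Unique user ID for every account; shared accounts prohibited",
            {"PCI DSS req 8", "ISO 27002", "CoCo"}, "IT operations"),
    NW_01,
    MW_01,
    control("MB-01", "Mobile and remote access only over an encrypted VPN with two-factor authentication",
            {"CoCo"}, "Network team"),
    control("SW-01", "Unauthorised software blocked by application whitelisting",
            {"CoCo"}, "Desktop team"),
]}

# Constructed outcome of the delta assessment against v2: all in place except SW-01.
DELTA_RESULTS = {"AC-01": True, "MW-01": True, "MB-01": True, "SW-01": False}


def reassessment_plan(old, new, results):
    """Work out what must be (re)assessed after the control set changes.

    Returns (to_assess, carried): to_assess maps control id -> reason,
    carried holds passing results that remain valid without re-testing.
    A changed control is re-tested even if it passed before, because the
    old evidence does not cover the new wording; a failed control is
    re-tested so that remediation is verified; controls dropped from the
    new set fall out of both dictionaries.
    """
    to_assess, carried = {}, {}
    for cid, ctl in new.items():
        if cid not in old:
            to_assess[cid] = "new control"
        elif old[cid] != ctl:
            to_assess[cid] = "control changed"
        elif not results.get(cid, False):
            to_assess[cid] = "previously failed"
        else:
            carried[cid] = True
    return to_assess, carried


def regime_status(controls, results):
    """Per-regime view: the failing control ids for each external regime.

    An empty list means every mapped control passed. A control with no
    recorded result counts as failing: 'not yet assessed' is not compliant.
    """
    status = {}
    for ctl in controls.values():
        for regime in ctl.regimes:
            failing = status.setdefault(regime, [])
            if not results.get(ctl.cid, False):
                failing.append(ctl.cid)
    return {regime: sorted(ids) for regime, ids in status.items()}


def open_items_by_owner(controls, results):
    """Role-based roll-up: open remediation items grouped by accountable role."""
    items = {}
    for cid, ctl in controls.items():
        if not results.get(cid, False):
            items.setdefault(ctl.owner, []).append(cid)
    return {owner: sorted(ids) for owner, ids in items.items()}


if __name__ == "__main__":
    plan, carried = reassessment_plan(CONTROLS_V1, CONTROLS_V2, RESULTS_V1)
    print("to assess:", plan)           # AC-01 changed, MW-01 failed, MB-01 and SW-01 new
    print("carried forward:", carried)  # NW-01 only
    results_v2 = {**carried, **DELTA_RESULTS}
    print("regime status:", regime_status(CONTROLS_V2, results_v2))  # only CoCo has an open item
    print("open items:", open_items_by_owner(CONTROLS_V2, results_v2))  # Desktop team: SW-01
```

The design choice worth noting is that an absent result is treated as a failure rather than a pass, so a newly added control can never make a regime look compliant before anyone has tested it; the same rule is what stops a partial re-audit from quietly under-reporting risk.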
A harmonised control set of this kind enables the organisation to demonstrate compliance at any time, whilst streamlining the audit experience.

Practical compliance

Many organisations have learnt to their cost that scrabbling around at the last minute to update systems, paperwork and processes to meet the needs of an imminent IT compliance audit is far too expensive. The additional stress it places on an organisation is unacceptable and it is a very inefficient working practice.

It makes sense that organisations are audit ready 24x7, or as close to that as is practical. With the availability of sophisticated tools, the workflows behind supporting compliance requirements can be significantly reduced and continuous monitoring can be put in place to support an audit-ready organisation.

The typical process of undertaking practical compliance can be broken down into 4 steps:

- Step 1 is to identify what IT assets an organisation has and what role and impact they have on key parts of the work the organisation undertakes. This provides a view of the IT risk profile alongside the key business processes that it supports.
- Step 2 looks at the various processes, procedures and technical controls that are in place to assist with compliance objectives. Ideally there should be an automated assessment of these controls, if necessary using third party tools to help with the assessment process.
- Step 3 is the chance to prioritise and then fix issues that have been found that can prevent a compliance objective being met. More advanced risk management systems allow incremental updates to a compliance requirement to be incorporated automatically into the assessment process, by highlighting the affected controls rather than forcing a complete re-audit.
- Step 4 enables the management of a compliance posture across an organisation with appropriate reports to managers and executive teams. Ideally any reporting should be role-based and easily accessible, perhaps using a digital dashboard-type interface.

By following a sensible and logical approach to implementing a practical IT compliance solution, public authorities can significantly reduce the time and cost required to meet their statutory compliance requirements.

Risk management tools

In addition to providing an audit-ready environment, a good risk management tool will also provide further information security benefits, such as the ability to identify best practice controls across physical assets. Other typical attributes of a good risk management tool include:

- The ability to align an organisation and how it is structured with the people, processes and IT systems that support them.
- Support for a broad view of IT best practices and how they map onto procedural and physical controls.
- The provision of automated workflow-based surveys to assess procedural controls.
- An ability to identify roles and individuals responsible for IT technical and associated procedural controls.
- A system to prioritise, assign and track remediation tasks.
- Interfaces that provide a top-down view of all relevant compliance rules, laws and regulations affecting a business, enabling quick identification of potential compliance issues.

Summary

Undoubtedly, compliance requirements on public sector organisations are only going to become greater. Fuelled by demands to tighten up financial management, public sector organisations are bound to be covered by new rules to demonstrate better management of public funds.
As public expenditure comes under increased scrutiny, accounting for every last penny spent may become the order of the day, coupled with increased media attention for any failings.

The GCSX Code of Connection has been used by a number of local authorities as a catalyst for improving management of their information security compliance requirements. With the looming demands they now face, it makes sense for public sector organisations to plan now for a more compliant future. This can only be achieved by the use of a well-designed and implemented risk management tool.

Further information

Further information is available from http://www.BloorResearch.com/update/1098

Appendix 1: key compliance and regulations for the UK public sector

GCSX Code of Connection

Scope of coverage: Public authorities

Summary: The GCSX Code of Connection was introduced to provide an agreed security standard for local authorities and other public sector agencies that need to share data securely. It applies to all local authorities that have a requirement to connect to the Government Secure Extranet and, through it, to access other services or agencies securely, such as:

- National Health Service (N3)
- Police National Network (PNN)
- Criminal Justice Extranet (CJX)
- Government Secure Intranet (GSI)

Only once all relevant security controls have been implemented can a connection to the GCSX network be authorised.
These security controls are subject to an annual audit.

Non-compliance penalties: If an authority fails to meet the GCSX Code of Connection standard then its access to the Government Secure Extranet (GCSX) can be terminated, resulting in disruption to its business.

Payment Card Industry Data Security Standard (PCI DSS)

Scope of coverage: Any organisation, public or private, that processes card payments

Summary: The use of payment cards has increased massively with the popularity of online purchasing. PCI DSS was introduced by the PCI Security Standards Council, which was founded by the major payment card brands in order to enhance the security of payment accounts. At the foundation of PCI DSS are 12 requirements that specify how payment data should be managed:

- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.

PCI DSS applies wherever an organisation stores, processes or transmits the payment card primary account number; handing card processing to a third party reduces the scope of an assessment but does not remove the organisation's responsibility for ensuring that the third party is itself compliant. PCI DSS is managed by the payment card industry, which conducts audits and checks dependent on the volume of card transactions.
Smaller volume merchants are expected to self-assess and self-certify that their systems adhere to the PCI DSS requirements. Version 1.2 of PCI DSS was released in October 2008 and further clarified the requirements on card processing organisations.

Non-compliance penalties: Fines and withdrawal of payment card facilities.

Data Protection Act 1998

Scope of coverage: Any organisation, public or private, that collects personal data

Summary: The UK Data Protection Act 1998 (which replaced the 1984 Act) imposes legal obligations on anyone processing personal data to ensure there is good practice and management of that data. Schedule 1 of the Act sets out 8 enforceable principles of good personal information handling. Data must be:

- Fairly and lawfully processed.
- Processed for limited purposes.
- Adequate, relevant and not excessive.
- Accurate and up to date.
- Not kept for longer than is necessary.
- Processed in line with the data subject's rights.
- Secured.
- Not transferred outside the European Economic Area unless the destination ensures an adequate level of protection.

Part II of the Act gives individuals the right to find out what personal information is held about them on computers and in most paper records.

Non-compliance penalties: The UK Information Commissioner's Office (ICO) has legal powers to ensure that organisations comply with the requirements of the Data Protection Act. A data controller who persistently breaches the Act and has been served with an enforcement notice can be prosecuted for failing to comply with the notice. This offence carries a maximum penalty of a £5,000 fine in the magistrates' court and an unlimited fine in the Crown Court.
In November 2009 the ICO responded to a consultation paper from the UK Ministry of Justice by calling for an increase in these penalties and for courts to be able to impose custodial sentences on offenders. From April 2010 the ICO can impose a monetary penalty of up to £500,000 for serious data loss incidents.

Freedom of Information Act

Scope of coverage: Information held by public authorities, excluding personal data

Summary: The Freedom of Information Act allows access to recorded information such as notes from meetings, research reports and emails held by public authorities. Under the Act any individual can make a request for information and have the necessary data sent to them. Any refusal to supply the information needs to be justified in writing to the applicant, making the reasons for the refusal clear.

Non-compliance penalties: The Information Commissioner can serve an enforcement notice on a body that fails to provide information. Failure to comply with an enforcement notice may result in the Commissioner referring the matter to the High Court. The High Court can deal with the public authority as if it had committed contempt of court. A public authority may appeal against an enforcement notice to the Information Tribunal.

Regulation of Investigatory Powers Act 2000 (RIP or RIPA) (UK)

Scope of coverage: All electronic data

Summary: RIPA allows government organisations to access an individual's electronic communications. This can range from access to Internet Service Provider records through to telephone and email data.
ISP records can be demanded from service providers, who are under a legal obligation to provide them. Part III of the Act allows certain government agencies to serve a notice requiring protected (encrypted) information to be put into an intelligible form and, where the decrypted data is not available, requiring the cryptographic key itself to be handed over. From a compliance point of view this is the mirror image of the Freedom of Information requirement: an organisation that encrypts data must be able to produce either the plaintext or the key on demand, so key management and key recovery procedures matter as much as the encryption itself.

Non-compliance penalties: Failure to comply with a Part III notice can result in a jail term of up to 2 years (5 years in national security cases).

Bloor Research overview

Bloor Research is one of Europe's leading IT research, analysis and consultancy organisations. We explain how to bring greater Agility to corporate IT systems through the effective governance, management and leverage of Information. We have built a reputation for "telling the right story" with independent, intelligent, well-articulated communications content and publications on all aspects of the ICT industry. We believe the objective of telling the right story is to:

- Describe the technology in context to its business value and the other systems and processes it interacts with.
- Understand how new and innovative technologies fit in with existing ICT investments.
- Look at the whole market and explain all the solutions available and how they can be more effectively evaluated.
- Filter "noise" and make it easier to find the additional information or news that supports both investment and implementation.
- Ensure all our content is available through the most appropriate channel.

Founded in 1989, we have spent over two decades distributing research and analysis to IT user and vendor organisations throughout the world via online subscriptions, tailored research services, events and consultancy projects.
We are committed to turning our knowledge into business value for you.

About the author

Nigel Stanley
Practice Leader, Security

Nigel Stanley is a specialist in business technology and IT security and now heads up Bloor's IT Security practice.

IT security comprehensively covers the whole remit of protecting and defending business or organisational systems and data from unwelcome attacks or intrusions. This large area includes protection from the outer edges of the security domain, such as handheld devices, through to the network perimeter, insider threats and local defences. It looks at the ever-growing threats, many of them new and innovative. It includes the use of firewalls, data loss prevention, data encryption, anti-malware, database protection, identity management, intrusion detection/prevention, content management/filtering and security policies and standards.

For a number of years Nigel was technical director of a leading UK Microsoft partner, where he led a team of consultants and engineers providing secure business IT solutions. This included data warehouses, client-server applications and intelligent web-based solutions. Many of these solutions required additional security due to their sensitive nature.

From 1995 until 2003 Nigel was a Microsoft Regional Director, an advisory role to Microsoft Corporation in Redmond, in recognition of his expertise in Microsoft technologies and software development tools.

Nigel had previously worked for Microsoft as a systems engineer and product manager specialising in databases and developer technologies. He was active throughout Europe as a leading expert on database design and implementation.

He has written three books on database and development technologies including Microsoft .NET.
He is working on a number of business-led IT assignments and is an executive board member of a number of privately held companies including Incoming Thought Limited, a partner company to Bloor Research that specialises in security consultancy and education.

Nigel is a member of the Institution of Engineering and Technology, the British Computer Society and the Institute of Directors.

Copyright & disclaimer

This document is copyright © 2010 Bloor Research. No part of this publication may be reproduced by any method whatsoever without the prior consent of Bloor Research.

Due to the nature of this material, numerous hardware and software products have been mentioned by name. In the majority, if not all, of the cases, these product names are claimed as trademarks by the companies that manufacture the products. It is not Bloor Research's intent to claim these names or trademarks as our own. Likewise, company logos, graphics or screen shots have been reproduced with the consent of the owner and are subject to that owner's copyright.

Whilst every care has been taken in the preparation of this document to ensure that the information is correct, the publishers cannot accept responsibility for any errors or omissions.

Bloor Research
2nd Floor, 145-157 St John Street, LONDON, EC1V 4PY, United Kingdom
Tel: +44 (0)207 043 9750
Fax: +44 (0)207 043 9748
Web: www.BloorResearch.com
Email: info@BloorResearch.com