1. Code of Connection Compliance Steven Snaith
Information Systems Assurance Director
2. Agenda CoCo Introduction
The importance of CoCo
CoCo Guidance and Assessment Criteria
CoCo Compliance Process
Questions
3. 1. Introduction
4. Introduction: GCSx, GSi and CoCo: Government Connect Secure eXtranet (GCSx): Secure private Wide-Area Network (WAN)
Government Secure Intranet (GSi) – designed to enable secure interactions between local authorities and central government departments and national bodies.
Code of Connection (CoCo) requirements have been defined for connecting onto the GCSx.
5. What is a CoCo? “Provides a minimum set of security standards that organisations must adhere to when joining the GSi.”
To develop the trust required both within and between communities, which then allows more effective use of shared systems and services.
Organisations wishing to join the GSi must prove that they meet the requirements laid down in the CoCo.
Local Authorities need to sign up to the stipulated CoCo standards and processes before connection.
6. Connectivity
7. Levels of Security
8. 2. The Importance of CoCo
9. Complexity: The Importance of Security
10. Complexity: The Importance of Security
11. Importance of Controls
12. 3. CoCo Guidance and Assessment Criteria
13. GCSx / GSi Connectivity - Getting there
14. CoCo and ISO 27001 A Local Authority (LA) that complies with ISO 27001, or is working towards compliance, will already be addressing a significant number of the GC CoCo controls. The CoCo and ISO 27001 complement one another:
Best practice for configuration control
Patch management
User education
etc
Best practice for incident reporting
15. Security Themes Throughout the CoCo (1) Defence In Depth - Not all Eggs in One Basket
There is little point in having the most up-to-date technological solution if attackers can physically remove, damage or destroy systems and information.
It is all about sufficient risk mitigation: physical security can sometimes be used in place of a technical control.
e.g. If strong physical controls allow only one person to gain access to a computer, do you still need a password on that computer?
16. Security Themes Throughout the CoCo (2) Start with a secure system
Lockdown all services
Only unlock those services which your users require and for which there is a valid business case
This leads to an inherently more secure system, but requires a culture change from the usual approach of ‘leave it all open and lock it down once a vulnerability becomes known’.
17. CoCo Controls Areas v3.2 2.1 - Physical Security
2.2 - User Education
2.3 - Incident Response
2.4 - Compliance Checking
2.5 - Access Control
2.6 - Network Schematic
2.7 - IP Addressing
2.8 - Firewalls
2.9 - Intrusion Detection
2.10 - Mobile Working
2.11 - Proxies
2.12 - Service Obfuscation
2.13 - Protective Marking
2.14 - Operating System
2.15 - Configuration
18. CoCo Challenge Areas
19. CoCo 2.1 Physical Security Perform a review of Physical Security to include:
Electronic or key-coded access controls at perimeter
Door closures to prevent doors remaining open
Regular review of who has access
Change of access codes monthly
Eye-level signage that area is RESTRICTED
All equipment must be secured before the GCSx connection can “Go Live”.
20. CoCo 2.2 User Education Information Security Policy
Policies and Procedures Training - employees and contractors
A personal commitment statement or acceptable usage policy MUST be in place, or users MUST have otherwise positively confirmed their acceptance that communications sent or received by means of the GSi may be intercepted or monitored.
Employees of the organisation who handle information carrying a protective marking of RESTRICTED MUST be made aware of the impact of loss of such material and the actions to take in the event of any loss.
Security Policy should include: -
Definition of Information Security
Statement of Management Intent
Brief Explanation of security policies, principles, standards and compliance requirements of particular importance to the organisation
Definition of General and Specific Security Responsibilities
References to supporting documents
ISO 27001 provides comprehensive detail on policy areas that may need to be included:
Security policy
Organising information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development and maintenance
Information security incident management (new clause)
Business continuity management
Compliance.
21. CoCo 2.3 Incident Response
22. CoCo 2.4 Compliance Checking Although currently a SHOULD, this control is expected to become a MUST in future versions of the CoCo.
It requires an annual IT Health Check to be carried out as part of the annual GSi re-authorisation submission; in short, the health check is the preparation and submission of this Code of Connection every year.
23. CoCo 2.5 Access Control Each user of the GCSX connected network MUST be allocated a unique user ID.
Each user of the network connected to GCSX who has regular access to RESTRICTED information or information that originates from the GSi MUST be at least cleared to the 'Baseline Personnel Security Standard'.
Each user of the network connected to GCSX MUST be reliably authenticated by means of a sufficiently complex password:
7 character minimum
Alpha-numeric with at least one digit
Changed periodically (60 – 90 days)
Not reused within 20 password changes
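The four password rules above, turned into a checker. This is an added example, not code from the slides or from GC; the use of salted SHA-256 hashes for the password history, the ISO date strings and the function names are this example's own assumptions.

```python
"""Checker for the CoCo 2.5 password rules listed above. Added example, not
from the slides: 7-character minimum, alphanumeric with at least one digit,
changed every 60-90 days, no reuse within 20 changes. The history holds
salted SHA-256 hashes rather than plaintext (an assumption about storage)."""
import hashlib
import secrets
from datetime import date

MIN_LENGTH = 7
ROTATION_MIN_DAYS = 60   # rotation window opens
ROTATION_MAX_DAYS = 90   # password is expired beyond this
HISTORY_DEPTH = 20       # previous passwords that may not be reused

def record_password(password: str, salt: str = None) -> tuple:
    """Return the (salt, hash) pair to append to a user's history."""
    salt = salt or secrets.token_hex(8)
    return salt, hashlib.sha256((salt + password).encode()).hexdigest()

def complexity_errors(password: str) -> list:
    """Rules the candidate breaks; an empty list means it is complex enough."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c.isalpha() for c in password):
        errors.append("no letter")
    return errors

def is_reused(password: str, history: list) -> bool:
    """history is a list of (salt, hash), oldest first; only the last 20 count."""
    return any(record_password(password, salt)[1] == h
               for salt, h in history[-HISTORY_DEPTH:])

def rotation_state(last_changed_iso: str, today_iso: str) -> str:
    """'expired' beyond 90 days, 'due' inside the 60-90 day window, else 'ok'."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    if age > ROTATION_MAX_DAYS:
        return "expired"
    return "due" if age >= ROTATION_MIN_DAYS else "ok"

def evaluate_change(new_password: str, history: list,
                    last_changed_iso: str, today_iso: str) -> dict:
    """Verdict on a proposed change against all four rules at once."""
    problems = complexity_errors(new_password)
    if is_reused(new_password, history):
        problems.append("reused within last %d changes" % HISTORY_DEPTH)
    return {"accepted": not problems, "problems": problems,
            "rotation": rotation_state(last_changed_iso, today_iso)}
```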
The Baseline Personnel Security Standard check can be carried out using one or a combination of the following original documents (photocopies are not acceptable), held on the HR or personnel file:
(1). Full 10 year passport
Or two from the list below:
(2). British driving licence
(3). Form P45
(4). Birth Certificate
(5). Proof of residence, e.g. council tax or utility bill
Attach the Basic Check verification record form
References should be attached for new applicants
Other information relevant to security, e.g. CRB check
A CRB check should be undertaken if the role itself requires one; it is not a requirement for GCSx.
24. CoCo 2.6 Network Schematic The connecting organisation MUST submit a network schematic that details the networks that will utilise the GCSX connection. This diagram MUST document all onward connections and remote access.
High Level Network Schematic:
Number of servers and total numbers of clients
Do not need IP addresses
Onward Sites and connections:
External sites connecting to Local Authority servers
Other government departments (NHS, PNN, etc.)
Internet security measures
Local authority connection to ISP, firewalls, DMZs etc.
25. CoCo 2.8 Firewalls A firewall MUST be installed between the organisation and the GCSX.
A firewall MUST be installed between the organisation and any third party networks it connects to.
The firewall MUST be configured according to the guidance referenced from the Guidance Notes to this document to minimise the likelihood of successful attack against the network.
The preferred solution is a dedicated GC firewall, but a Local Authority can utilise an existing physical channel on an existing firewall chassis if it can demonstrate strong configuration control and management of the entire chassis.
The new firewall / firewall channel will be locked down (ports and services) in accordance with the “Take on Guide” Summary Rule Base:
Ports
SMTP Port 25
DNS Port 53
NTP Port 123
Configuration control of the new GC firewall / firewall channel rests with GC: all changes to a GC-enabled firewall / channel are under GC configuration control.
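A compliance-checking view of the Summary Rule Base above: an audit that flags any allow rule outside SMTP/25, DNS/53 and NTP/123, a missing final catch-all deny, and rules shadowed by it. This is an added example, not GC or OGC tooling; the rule dictionary format, the port-to-protocol pairings and the sample rule bases are this example's assumptions, while the three ports come from the slide.

```python
"""Rule-base audit against the 'Take on Guide' Summary Rule Base quoted on
the slide. Added example, not GC or OGC code: the rule dict format and the
port/protocol pairings are assumptions; the ports 25, 53, 123 are the
slide's. Rules are evaluated first-match, top to bottom."""

ALLOWED = {25: {"tcp"}, 53: {"tcp", "udp"}, 123: {"udp"}}  # SMTP, DNS, NTP

def is_catch_all_deny(rule: dict) -> bool:
    return rule["action"] == "deny" and rule["proto"] == "any" and rule["port"] == "any"

def audit_rulebase(rules: list) -> list:
    """Return findings (an empty list means the channel matches the rule base)."""
    if not rules:
        return ["empty rule base: no default deny"]
    findings = []
    if not is_catch_all_deny(rules[-1]):
        findings.append("final rule %s is not a catch-all deny" % rules[-1]["id"])
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        rid, proto, port = rule["id"], rule["proto"], rule["port"]
        if any(is_catch_all_deny(r) for r in rules[:i]):
            findings.append("%s: unreachable, shadowed by an earlier catch-all deny" % rid)
        if port == "any" or proto == "any":
            findings.append("%s: allow with wildcard port/protocol" % rid)
        elif port not in ALLOWED:
            findings.append("%s: port %s not in Summary Rule Base" % (rid, port))
        elif proto not in ALLOWED[port]:
            findings.append("%s: %s/%s not permitted for that service" % (rid, proto, port))
    return findings

# Constructed sample rule bases (not real GC configuration)
SAMPLE_COMPLIANT = [
    {"id": "gc-1", "action": "allow", "proto": "tcp", "port": 25},
    {"id": "gc-2", "action": "allow", "proto": "udp", "port": 53},
    {"id": "gc-3", "action": "allow", "proto": "tcp", "port": 53},
    {"id": "gc-4", "action": "allow", "proto": "udp", "port": 123},
    {"id": "gc-deny", "action": "deny", "proto": "any", "port": "any"},
]
# The same channel after two rules were added outside GC configuration control
SAMPLE_DRIFTED = SAMPLE_COMPLIANT[:4] + [
    {"id": "tmp-1", "action": "allow", "proto": "tcp", "port": 3389},
    {"id": "tmp-2", "action": "allow", "proto": "any", "port": "any"},
    SAMPLE_COMPLIANT[4],
]

if __name__ == "__main__":
    for name, rb in (("compliant", SAMPLE_COMPLIANT), ("drifted", SAMPLE_DRIFTED)):
        print(name, audit_rulebase(rb) or "OK")
```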
26. CoCo 2.13 Protective Monitoring Audit logs recording user activities, exceptions and information security events MUST be produced to assist in future investigations and access control monitoring.
All logs MUST be retained for a minimum of six months. Organisations MUST also be aware of any additional legislation that may require them to hold logs for longer periods. As a minimum, logs of the following are to be kept:
Successful Login/Logoff
Unsuccessful Login/Logoff
Unauthorised Application Access
File Access (?)
System Changes
Retained for 6 months on the system, or readily available from backup devices, e.g. tape drives.
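A way to evidence the minimum log set and the six-month retention period above over a sample of retained logs. This is an added example, not from the slides: the syslog-like line format, the host names and the matching patterns are constructed for illustration; the five categories and the retention period are the slide's.

```python
"""Coverage and retention check for the CoCo 2.13 minimum log set above (added
example, not from the slides). The line format, host names and regexes are
constructed; the five categories and six-month retention are the slide's."""
import re
import calendar
from datetime import date

# "File Access" keeps the slide's own question mark but is treated as required
REQUIRED = ["Successful Login/Logoff", "Unsuccessful Login/Logoff",
            "Unauthorised Application Access", "File Access", "System Changes"]
PATTERNS = {  # one matcher per category, for the constructed format below
    "Successful Login/Logoff": re.compile(r"auth: (LOGIN|LOGOFF) OK"),
    "Unsuccessful Login/Logoff": re.compile(r"auth: (LOGIN|LOGOFF) FAILED"),
    "Unauthorised Application Access": re.compile(r"app: ACCESS DENIED"),
    "File Access": re.compile(r"file: (READ|WRITE|DELETE)"),
    "System Changes": re.compile(r"config: CHANGED"),
}

def classify(line: str):
    """Category a line evidences, or None if it lies outside the minimum set."""
    for category, pattern in PATTERNS.items():
        if pattern.search(line):
            return category
    return None

def six_months_before(d: date) -> date:
    """Same day of the month six months earlier, clamped to that month's length."""
    year, month = (d.year, d.month - 6) if d.month > 6 else (d.year - 1, d.month + 6)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def audit_logs(lines: list, today_iso: str) -> dict:
    """Required categories with no evidence, plus whether retention reaches six months back."""
    seen, oldest = set(), None
    for line in lines:
        stamp = date.fromisoformat(line.split("T", 1)[0])  # YYYY-MM-DD prefix
        oldest = stamp if oldest is None or stamp < oldest else oldest
        category = classify(line)
        if category:
            seen.add(category)
    cutoff = six_months_before(date.fromisoformat(today_iso))
    return {"missing": [c for c in REQUIRED if c not in seen],
            "retention_ok": oldest is not None and oldest <= cutoff,
            "oldest": oldest.isoformat() if oldest else None}

SAMPLE_LINES = [  # constructed sample, not from any real system
    "2008-08-28T08:02:11 la-dc01 auth: LOGIN OK user=jsmith",
    "2009-01-09T09:15:42 la-dc01 auth: LOGIN FAILED user=jsmith reason=bad_password",
    "2009-02-20T14:03:27 la-app02 app: ACCESS DENIED user=bjones app=revenues",
    "2009-02-27T16:30:00 la-fw01 config: CHANGED rule=gcsx-smtp-out by=gcadmin",
    "2009-03-01T10:00:00 la-dc01 kernel: routine message outside the minimum set",
]
```

Run against the sample, the audit reports "File Access" as the one category with no evidence, which is exactly the gap the slide's question mark leaves open.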
27. CoCo 2.17 Patch Management A patch management scheme MUST be established for all software used on the network.
Vendors' web sites and GovCertUK alerts MUST be monitored and relevant software and service packs MUST be applied where practicable.
Policy in place for both patching of corporate servers and rollout to all clients, to include:
All software to be used on the network should be patchable
Regular monitoring of major vendor websites and WARP alerts
Identify upgrade path for any unpatchable software still on the network
Provide business case for retention of obsolete and un-patchable software.
28. 4. Connection Process
29. The Process
30. Current State of CoCo Approval
31. CoCo Related Resources… GC FAQs (www.govconnect.gov.uk)
OGCbs Overview (CoCo explanatory docs) - NPM
OGCbs CoCo Guidance Notes- NPM
CESG Bookstore, RESTRICTED - available on request and from RAMS
CESG Claims Tested Mark (CCTM) www.cctmark.gov.uk
CESG Certified Products www.cesg.gov.uk
SOCITM GovX Forum www.socitm.gov.uk
Centre for Protection of National Infrastructure (CPNI) www.cpni.gov.uk
Cabinet Office Security Matters www.cabinetoffice.gov.uk
Microsoft Security Advice (security hardening etc) www.msdn.microsoft.com
Tiger Scheme www.tigerscheme.org
ISO27001/2 Information Security Portal www.17799.com
32. Questions