PSN Governance and Security Mike Thomas – 28th January 2011
About Global Crossing
• Trusted and Experienced Communications Integrator to the UK Government
• Offering proven, flexible and secure services
• First Integrated Global IP Network
• >7Tbps per day
• 64% of the world’s internet traffic
• Third largest Network in UK
• Security focused
• Pan Gov – IL3 Network
• Pan Gov – IL3 Hosted Voice
• Provider of MTS
What is Governance for?
• Define Expectations
• Ensure equality for all
• Review Performance
• Maintain Standards
• Grant Power
• Dispute Resolution
PSN In-Service Governance
[Diagram of the governance bodies and their relationships: XGEA CIO Council, ARB, ICT OCB, CTOC, PSN Operating Board, Participating SIROs, PSN SIRO, PSN Authority, Contracting Authorities, PSNGB, Framework Authorities, GCN Governing Board and Customer Board; links labelled Risk & Accreditation, Compliance Consultation, Dispute Management, Regulation and Communication Consultation.]
Interconnected Codes and Contracts
• GCN commitments in a Deed of Undertaking (DoU)
• Direct Network Service Provider (DNSP) commitments in Code of Interconnection (CoICo)
• Other PSN Service Providers’ commitments in a Code of Practice (CoP)
• Customer commitments are in a signed Code of Connection (CoCo)
• Adherence is baked into the supply chain through contracts
Security
[Diagram: one connection carrying Data, Video and Voice at multiple security levels for multiple users and endless applications; Encryption sits above the base level of PSN/GCN Gateways.]
For a customer, PSN Compliance means.....
Commercial compliance
• Demonstrate VFM; comply with public sector procurement regulations
• Not exclusive to a single vendor, and keep the market open to other vendors
• Are sharable with other parts of the public sector
• Procure services, not networks: funded by revenue, not capital expenditure
• Recognise the authority of the PSN Governance bodies
• Maximise the degree to which ICT is commoditised
• Specify that suppliers comply with the requirements of a CoP/CoICo
Technical Interoperability Compliance
• Compliance with a set of technical and security standards to allow interoperability with other PSN services
Security Compliance
• Compliance with a set of security requirements to ensure behaviours
Service Management Compliance
• Agreement to comply with the Service Management Framework
• Agreement to co-operate in resolving Incidents that span across service providers/customers
PSN Service Certification
All Services must be Certified
• Combines Accreditation plus compliance verification
• Services are certified, not companies
• Direct or Indirect access to the GCN must be included
• There are no PSN Certified products available as of today’s date
The Customer environment must be certified for usage.
PSN Certification is for a defined period
• Self verified each year
• 20% of Services will be externally verified each year
Security Compliance - summary
• Standardised IA Conditions for each:
  • Impact Level: IL2, IL3, IL4
  • Service Type: Connectivity, Web, Email, Telephony and Video
  • More Impact Levels and Service Types will be developed, driven by demand
• Accreditation process should:
  • Take the PSN IA Conditions (not re-invent)
  • Consider any additional threats and countermeasures
  • Centre on shared models for Threat Profiles and Risk Appetites
  • Give “Fit for Consumption” Accreditation (and hence PSN Compliance Certification) for PSN Services before they have customers
Accreditation Challenge
• Do the Condition once, do it well and re-use
• Accreditation Scope, boundaries
  • Think of layers and end-points, not higher walls and strongholds
• Who is managing the service?
  • Some Service Providers outsource or use off-shoring, but are the risks understood and managed today?
• Understand the Reliance picture (upstream)
  • What underlying services does the Service Provider use to create their service?
  • Do SLAs flow through the supply chain?
  • What Risk Appetite and Threat Profile are the services engineered to?
• Understand the Liability picture (downstream)
  • The Service Provider may not know how much customers depend on them
  • Impact Assessments
Common standards build trust
• There must always be an accountable entity which may be liable
  • Who appears before any enquiry?
  • A Departmental SIRO’s accountability for Information does not change
• To enable savings, Accreditations will be built on
  • Overseen by PGA and Infrastructure SIRO
  • Infrastructure SIRO, on behalf of all participating SIROs, will be responsible for approving services to operate across the pan government infrastructure
  • Think of layers and end-points, not higher walls and strongholds
• Need to trust each other’s IA processes and assurance
  • Both Public Sector and Industry
  • The use of common IA standards for shared models for Threat Profiles and Risk Appetites is the foundation
Thank You Mike Thomas Global Crossing 0203 356 4774 mike.thomas@globalcrossing.com