In September, Andy Beale, director of Common Technology Services at GDS, proposed a change from external accreditation of services by CESG for G-Cloud services to a supplier made assertion of capability - statements asserting how services meet certain security principles.
Announcements from GDS last week confirmed that G-Cloud [V6] suppliers will now be subject to self-assertion and this may be extended to present a consistent approach to the base level of security throughout the Government’s supply chain.
PSNGB supports initiatives from GDS that make the public sector marketplace more accessible; as we stated in an earlier piece self assertion
What it also does is bring appropriate security, public sector data, shared services and citizen confidentiality front and centre – exactly where it should be. This is an area I have been keen to explore for sometime because I believe security is an essential pillar of a transformed public sector.
It’s a given that some public sector business should be carried out on the Internet as well as via PSN; it’s an essential channel for public communications and digital engagement; and it’s critical to reducing the cost of delivering services.
With public sector to citizen communications and cost transformation increasingly dependent on the Internet, understanding and managing the risks is vital.
A recent report from PSNGB member, BT, suggests that more than one-third (36%) of public sector IT decision makers admit their organisation was hit by Distributed Denial of Service (DDoS) attacks over the past year, with three-quarters (75%) hit more than once.
DDoS protection is a prerequisite to ensuring access to information and services is unimpeded; though only around a third of businesses have taken this measure –according to the same BT survey. Adequately protected, more use can be made of the Internet in public service delivery.
At this point it is worth drawing attention to a report from CSC. It concluded that the increasing digitisation of public services is putting more citizens’ data at risk of cyber attacks.
While protection can help identify the worst repercussions of vulnerabilities, it cannot prevent them altogether. It is PSNGB’s view that no information or application that is mission critical to an organisation should reside on the public Internet.
Public sector organisations, therefore, need to consider optimum use of the Internet, what’s essential to keep within the private or shared private WAN (PSN) and how the gateway between them is protected, especially where a third party provides this and the information provider may have little or none of the control, but all the responsibility.
In the commercial sector, board level understanding of the threat posed by Internet-borne attacks is at a much higher level than in the public sector. Banks and pharmaceutical companies, for example, faced with significant threat to their operations, are now realising the need for additional protection even within virtual private networks in order to defend themselves from attacks.
So, to the question – what is the purpose of brakes on a car? The purpose of brakes on a car is to enable you to go faster and be more agile, knowing that you can avert dangers; and not just to slow you down or stop. Good security should be the same; not intended to be a hindrance, but to enable organisations to deliver services, compete and transform in a trusted environment – faster, better and cheaper.
There’s no ‘one size fits all’ for public sector networks and security. Users need to know they can depend on and trust the network over which they hold and share business-critical information and applications in light of the risks involved.
PSN provides that assurance, but to continue to improve the quality and cost efficiency of citizen communications and interaction, the Internet too has a big part to play. Good security is critical to both.
Neil Mellor is director of PSNGB
