Update on the use of the Public Service Network (PSN)
This post was originally published in August 2012. In January 2017 the Government Digital Service stated that use of the PSN will be phased out but clarified the position in March, saying that Government bodies still need to be PSN compliant at least for the immediate future. For up-to-date clarification on the PSN, please contact Dave James, MD at Ascentor. In the meantime, we hope you’ll find the original post of help.
There was a change to the Public Services Network (PSN) compliance process at the end of 2014, which is covered in a new article on the Ascentor site here.
This original post is for those involved with the delivery of the Government’s Public Services Network (PSN). In this article I am going to provide a brief overview of what CAS(T) is all about, and where it fits into the PSN Information Assurance (IA) story.
So what is CAS(T)?
CESG Assured Service (Telecoms) is a CESG assurance scheme for so-called “Next Generation Networks”. It is unusual because CESG normally provides assurance mechanisms for products – it is recognition that Government increasingly buys services and, although these services may employ assured products, the way these are managed and operated is equally important. It is quite likely that we will see a number of CAS(<service>) assured services being defined in a manner that is broadly complementary to the new CESG Commercial Product Assurance (CPA) mechanism.
What does it assure?
CAS(T) provides assurance that a network is built, operated and managed sufficiently for it to be used for handling public sector data at Business Impact Level (BIL) IL2 for confidentiality and integrity and IL4 for availability (this is usually shortened to 2-2-4). IL2 for confidentiality and integrity is important for two reasons: Most public sector data has an IL2 profile (corresponding to the PROTECT security marking) and the underlying PSN network operates at 2-2-4. IL4 for availability represents an availability target of 99.95% – apart from being the PSN target, this value represents a pragmatic target that can be achieved readily at an acceptable cost.
How does it work?
CAS(T) is built on ISO 27001:2005. The requirements are documented in “Security Procedures: Telecommunications Systems and Services”, which is available from CESG. For each ISO 27001 control, guidance on the control implementation is provided – in the main this guidance is drawn from ISO 27002 and/or ISO 27011.
CAS(T) certification is conducted by existing ISO 27001 audit companies that are approved by CESG – who provide a training course for auditors as part of the approval process. The audit process is “just” a standard ISO 27001 certification audit and successful completion results in the award of a CAS(T) certificate (and, arguably, an ISO 27001 certificate).
The key difference between CAS(T) and the normal approach to ISO 27001 certification lies in the mandatory aspects of the CAS(T) scheme. These spell out what must be included in the ISMS scope, which controls must be included in the Statement of Applicability (SoA) and identifies minimum standards and best practice implementation targets for controls.
How do I use it?
If you are a telecoms provider who wishes to offer services to the public sector, then CAS(T) is the only realistic assurance mechanism available to have your network approved by the PSN Authority as a Direct Network Service Provider (DNSP).
If you are a public sector organisation with a network that you wish to share with other public sector organisations in your region, then one approach is to have the entire network approved by the PSN Authority as a DNSP. An alternative approach is to act as an “aggregator” for other organisations where you provide the access to the PSN. Either way, CAS(T) is the main option for providing assurance, although formal accreditation would be an alternative in some cases.
What else do I need?
It is important to understand that your network must be accredited before it can be approved by the PSN Authority (see my previous blog posting on this). CAS(T) is an assurance mechanism – it provides confidence to the Accreditor that risk management is in place and operating correctly, but it is not accreditation itself. The PSN process defines a “light-weight process for gaining accreditation for CAS(T) certified networks “the PSN” Risk Management and Accreditation Requirements Document” explains the process.
PSN documentation is available from the Cabinet Office site: http://www.cabinetoffice.gov.uk/resource-library/public-services-network
The CAS(T) scheme is described on the CESG site: http://www.cesg.gov.uk/servicecatalogue/CAS-T/Pages/CAS-T.aspx
Article by Peter Curran , Principal IA Consultant and PSN specialist at Ascentor