In our first post of this series we looked at a short history of PSN. If we step away from the implementation of PSN and get back to the root reasons the UK government created the PSN, we recall that it was originally about ensuring the safety and appropriate handling of sensitive data shared between multiple parties.
In this sense, the accreditation process does make some sense. CAS(T), the CESG Assured Service (Telecoms), is the process most service providers will undertake to achieve certification as a Direct Network Service Provider under the PSN. Still, it’s a bit unusual: CESG is usually responsible for providing assurance for products, yet here it is involved in providing assurance for what are absolutely
What CESG in fact did was build upon the internationally recognised standard ISO 27001:2005, together with the control implementation drawn from ISO 27002 and/or ISO 27011. If we step back, what the PSN is really trying to do is enforce a minimum set of standards not on how the services are delivered, but on how they are managed.
We can all intuitively understand that when it comes to cyber-security, the effective security is determined mostly by things like customer service, support, maintenance and correct usage. There are no magic bullets or impenetrable defences; more often than not, security issues come down to people and processes. With this in mind, no business should be buying ANY connectivity services from any organisation that lacks important ISO certifications like 27001 to begin with! It’s only because there is no common ground here that the PSN felt it had to “create” its own assurance and accreditation scheme. The real issue behind the PSN was to ensure security, confidentiality and integrity for sensitive data while still allowing it to be shared and accessed between different government agencies and partners. If this was always the point, then surely PSN isn’t the only way!
What about the post-PSN era? Are things any better?
If your organisation previously procured services under the PSN then the new Network Services Framework is something you definitely need to look into! Many of the mistakes of the PSN have been corrected so that in the new framework there are far more suppliers, and importantly the suppliers are able to work together in concert to achieve higher levels of accreditation and certification. Whereas before the supplier would have to do all of the work themselves, the new framework allows for providers to each provide one element like a series of building blocks until the final assurance level desired has been reached. This means that one provider could offer the CAS(T) assurance level while another provider supplied the underlying connectivity. Likewise, a full solution of voice, data, colocation and hosting (cloud) services can be delivered from an ecosystem of partners with each element meeting the appropriate level of security.
What also makes this far easier than in the past is that the previous Business Impact Levels (IL-2, IL-3, IL-4) have also been retired and replaced with a simpler scheme of OFFICIAL, SECRET, TOP SECRET. Information assets that previously were classified up to RESTRICTED would all fall under the new OFFICIAL designation. There’s even a lovely new guidance paper from the UK government to help staff understand the new classifications.
So what communication services should I buy in the public sector?
When purchasing services for your public sector business, you need to check that the suppliers are listed on the appropriate frameworks. However, we also need to be aware that suppliers on the frameworks are now able to offer both PSN compliant and non-compliant services to customers.
Ultimately, when purchasing any services, the important thing is to analyse the actual security requirements for confidentiality, integrity and availability from the point of view of the data, not of the systems or technology. Once your organisation has a solid handle on how to appropriately classify and handle all of its data, the new frameworks should allow suppliers a far greater degree of flexibility in how they provision services to your organisation to ensure maximum value.
Remember also that partnerships are a good thing. In technology, as in any other profession (law, finance, medicine) specialisation is key to success. Understanding what your supplier specialises in, and then asking them if they have other partners who can work together with them from within their own areas of specialisation means you’ll end up with a best of breed solution without having to directly contract with each partner. Once they are all present on the appropriate frameworks, there’s no requirement for you to have a direct contractual relationship with each one individually.
Even more interesting is that suppliers no longer have to provide everything to be included, so there are many more SME suppliers offering a core of services in one or more lots, perfect for building supplier ecosystems. This increases competition and ultimately ensures that the new frameworks deliver far better value, if used correctly.
George Orwell said “Sometimes the first duty of intelligent men is the restatement of the obvious”, so I’ll say it again: the former PSN delivered poor value to the UK public sector. If you think you’re still somehow trapped in the PSN and its corresponding IL-2 and IL-3 style services, think again. All of your services procured under the old frameworks are in dire need of a complete rethink. Start over, consider every option, look at some of the smaller, more agile and customer service oriented suppliers, and be willing to embrace radical changes in how your connectivity and communication services are delivered.
For the bold, there’s real advantage in 2016 to moving away from PSN and onto the new framework and getting much more out of your technology spend.