PSN Compliance in Local Authorities

Transcript: PSN Compliance in Local Authorities

PSN Compliance in Local Authorities
ADDRESSING THE CHALLENGES
What is going on?

PSN CoCo submissions have just become more painful!

Affects all UK PSN users

Councils are especially affected:

Accredited individually

Fundamental differences in our “digital landscape”

The Scottish Angle – Education and Registration – Mobile and Flexible.
Last 6 months

4 Councils pre-Zero Tolerance

4 now passed post-Zero Tolerance
Others going through the “Red Letters”
What are the key points?

“PSN-originated data” must be housed on a trusted network.

Zero Tolerance!

Timescales – Short-term pain, Long-term pain.

Limit/eliminate shared PSN/Non-PSN infrastructure

Unmanaged devices are “assumed compromised” – BYOD RIP

Previously (assumed) “acceptable” remote access approaches now in question – thin client/zero data, sandboxing, even distros.

There will be unplanned cost and resource implications!
Getting there? The process

Sequential – not helpful

Signatories

ITHC requirements

Must get the two above right – before you pass to “validation”

Get to know your Cabinet Office PM!

Get some CLAS time?

Advice – know the process, avoid the ping-backs, speak to the CO, keep up with the Guidance, consider CLAS time
What might need to be done in the short term?

ITHC findings: Critical/Major, and the significant Mediums!

Get Patching!

Tighten Segmentation of networks – esp. if completely flat

Email: potentially more inboxes?

Remote Access – different passwords from internal network logins?

Unmanaged device access – closed off/restricted

Disclosure checks? GSX staff initially? Not clear!

Affected groups: GSX users, Remote Access, BYOD

Advice: Know your PSN “footprint”, be pro-active, manage the comms with your customers
…but don’t breathe a sigh of relief for too long!

Long-Term Architecture

No clear “design patterns” – clarification imminent?

“Clearing House” approach?

Will need to look hard at whether “remote access (or PSN) is worth the pain…”

Partner and third party access = “unmanaged”?

Separation of infrastructure – web, servers, etc for PSN data

Windows XP: a case of bad timing

More disclosures?

NEED FOR COLLABORATION in 2014?
Questions needing answers?

Is the PSN approach tenable for Councils?

Will this ultimately limit the usefulness and adoption of PSN?

Do we know where the future pressures will be?

What are the costs? Who bears them? And is it worth it?

Should Councils collaborate on “long term” compliance work?

Will this mean IT is back in the role of “Information Preventor”?

Lobby and/or comply?

Strategic response – Segment and separate to allow unmanaged? 100% managed? Which strategy should you adopt?