Code of Connection Compliance

Steven Snaith
Information Systems Assurance Director

 1.   CoCo Introduction
 2.   The importance of CoCo
 3.   CoCo Guidance and Assessment Criteria
 4.   CoCo Compliance Process
 5.   Questions
1. Introduction
Introduction: GCSx, GSi and CoCo:

  • Government Connect Secure eXtranet (GCSx): secure private Wide-Area Network (WAN)
  • Government Secure Intranet (GSi): designed to enable secure interactions between local authorities and central government departments and national bodies.
  • Code of Connection (CoCo) requirements have been defined for connecting onto the GCSx.
What is a CoCo?

  • "Provides a minimum set of security standards that organisations must adhere to when joining the GSi."
  • To develop the trust required both within and between communities, which then allows more effective use of shared systems and services.
  • Organisations wishing to join the GSi must prove that they meet the requirements laid down in the CoCo.
  • Local authorities need to sign up to the stipulated CoCo standards and processes before connection.
Levels of Security

Highest to lowest:

  xGSI (CONFIDENTIAL, MPS)
  GSI (RESTRICTED, MPS)
  GSX/GCSx ("RESTRICTED", non-MPS)
  GSE (Non-Government, non-MPS)
2. The Importance of CoCo
Complexity: The Importance of Security

[Diagram: a user's computer system (operating system, hardware) connects over the network to a domain controller (DNS / DHCP / WINS), an application server and a database server, each built as application on operating system on hardware, with more users on the application system.]

The more complex a system, the more potential for PROBLEMS.

Importance of Controls

CoCo Control Activities:

  • Network schematics have been designed to outline all related network connectivity.
  • User accounts set to lock indefinitely after 3 invalid attempts until reset by administrator.
  • IT policies & procedures outlining security requirements and obligations.
  • Firewall controls have been configured to reduce the risk of unauthorised access to systems and data.
  • Formal incident response procedures are in operation to control, report and escalate security
  • Management control framework is in place.
3. CoCo Guidance and Assessment Criteria
GCSx / GSi Connectivity - Getting there

  1. Primary Code of Connection Requirements – MUST and SHOULD
  2. Baseline assessment against the primary CoCo criteria
  3. GCSx connectivity
CoCo and ISO 27001

  • A local authority complying, or in the process of complying, with ISO 27001 will already be addressing a significant number of the GC CoCo controls. The CoCo and 27001 complement one
    – Best practice for configuration control
      – Patch management
      – User education
      – etc.
    – Best practice for incident reporting
Security Themes Throughout the CoCo (1)

  • Defence in Depth - not all eggs in one basket
    – There is little point in having the most up-to-date technological solution if attackers can physically remove, damage or destroy systems and information.
    – It is all about sufficient risk mitigation, e.g. physical security can sometimes be used as a replacement for technology.
      – e.g. If you have strong physical controls that only allow one person to gain access to a computer, do you still need a password on the computer?
      – Only where the physical control covers the same threats: a computer that is reachable over the network still needs authentication, whatever the door controls are.
Security Themes Throughout the CoCo (2)

  • Start with a secure system
    – Lock down all services
    – Only unlock those services which your users require and for which there is a valid business case
  • This leads to an inherently more secure system, but requires a culture change from the standard 'leave it all open and lock it down if there is a known vulnerability'.
CoCo Control Areas v3.2

   2.1  - Physical Security
   2.2  - User Education
   2.3  - Incident Response
   2.4  - Compliance Checking
   2.5  - Access Control
   2.6  - Network Schematic
   2.7  - IP Addressing
   2.8  - Firewalls
   2.9  - Intrusion Detection
   2.10 - Mobile Working
   2.11 - Proxies
   2.12 - Service Obfuscation
   2.13 - Protective Monitoring
   2.14 - Operating System
   2.15 - Configuration
   2.16 - Software Policies
   2.17 - Patch Management
   2.18 - Vulnerability Scanning
   2.19 - Web Browsers
   2.20 - Content Analysis
   2.21 - Personal Firewalls
   2.22 - Macros
   2.23 - Removable Media
   2.24 - E-Mail
   2.25 - Mail Servers
   2.26 - Mail Labelling
   2.27 - Multi-Domains
   2.28 - Voice Over IP
CoCo Challenge Areas

CoCo Challenge Area                    Solutions

Mobile working arrangements            Restrict data storage on mobile devices; encryption; prohibit mobile access
Audit logging                          Improve ability to log, retain, store and analyse network
Improving user security                Improved system administrator control; improved user authentication and controlled public access; enforcement of more complex passwords
User education                         Improving understanding of data handling requirements; introduction of Acceptable Usage Policy / Personal Commitment Statements
Software usage                         Introduction of centrally managed, lower risk software and prohibition of rogue software not controlled from the centre
Baseline Personnel Security Checking   Improved HR policies to enforce personnel security checking; centralised HR approval to access GCSx
CoCo 2.1 Physical Security

  • Perform a review of physical security to include:
    – Electronic or key-coded access controls at the perimeter
    – Door closers to prevent doors being left open
    – Regular review of who has access
    – Monthly change of access codes
    – Eye-level signage that the area is RESTRICTED

  • All equipment must be secured before the GCSx connection can "go live".
CoCo 2.2 User Education

  • Information Security Policy
  • Policies and Procedures Training - employees and
  • A personal commitment statement or acceptable usage policy MUST be in place, or users MUST have otherwise positively confirmed their acceptance that communications sent or received by means of the GSi may be intercepted or monitored.
  • Employees of the organisation who handle information carrying a protective marking of RESTRICTED MUST be made aware of the impact of loss of such material and the actions to take in the event of any loss.
CoCo 2.3 Incident Response

  • Policy for an LA user to report security incidents to the local service desk or help desk, which in turn informs LA management of incidents.
  • Information security events MUST be reported through appropriate internal management channels as quickly as possible.
  • Policy for LA management to handle and manage incidents both locally
    – Timely manner
    – External relationship with government bodies
CoCo 2.4 Compliance Checking

  • Although only a SHOULD at present, this control is expected to become a MUST in future versions of the CoCo.
  • Requires an annual IT Health Check, carried out as part of the annual GSi re-authorisation submission. In short, the health check is the annual preparation and submission of this Code of Connection.
CoCo 2.5 Access Control

  • Each user of the GCSx-connected network MUST be allocated a unique user ID.
  • Each user of the network connected to GCSx who has regular access to RESTRICTED information, or information that originates from the GSi, MUST be at least cleared to the 'Baseline Personnel Security
  • Each user of the network connected to GCSx MUST be reliably authenticated by means of a sufficiently complex
    – 7 character minimum
    – Alphanumeric with at least one digit
    – Changed periodically (60 – 90 days)
    – Not reused within 20 password changes
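The password figures above, together with the "lock after 3 invalid attempts until reset by administrator" control from the Importance of Controls slide, can be checked mechanically against a Windows security-policy export rather than by eye. The script below is an added example for this page, not part of the CoCo or the original deck: it parses the [System Access] section of a `secedit /export /cfg policy.inf` file (the key names and the "-1 means never expires / until an administrator unlocks" convention follow the Windows security-template format) and reports every setting that falls short of the thresholds quoted on the slide. The two exports embedded in the script are constructed samples, not real exports.

```python
"""Check a Windows security-policy export against the CoCo 2.5 password
rules and the account-lockout control quoted on these slides.

Added example for this page, not part of the CoCo or the deck. Reads the
[System Access] section of a 'secedit /export /cfg policy.inf' file; key
names and the -1 convention follow the Windows security-template format.
The two exports below are constructed samples.
"""
import re

# Thresholds as stated on the slides (CoCo 2.5 and the lockout control).
POLICY = {
    "min_length": 7,           # 7 character minimum
    "max_age_days": (60, 90),  # changed periodically (60 - 90 days)
    "history": 20,             # not reused within 20 password changes
    "lockout_threshold": 3,    # lock after 3 invalid attempts ...
    # ... until reset by an administrator (LockoutDuration = -1)
}

WEAK_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
"""

COMPLIANT_EXPORT = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 20
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = -1
"""


def parse_secedit(text):
    """Return the [System Access] settings as a dict; numeric values as int."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "System Access" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        settings[key.strip()] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return settings


def check_policy(settings, policy=POLICY):
    """Return (setting, finding) pairs for every setting below the threshold.

    An empty list means the export meets the quoted rules.
    """
    findings = []
    length = settings.get("MinimumPasswordLength", 0)
    if length < policy["min_length"]:
        findings.append(("MinimumPasswordLength", f"{length} < {policy['min_length']}"))
    if settings.get("PasswordComplexity", 0) != 1:
        findings.append(("PasswordComplexity", "complexity requirement not enforced"))
    lo, hi = policy["max_age_days"]
    age = settings.get("MaximumPasswordAge", -1)       # -1: passwords never expire
    if age == -1 or not lo <= age <= hi:
        findings.append(("MaximumPasswordAge", f"{age} not within {lo}-{hi} days"))
    history = settings.get("PasswordHistorySize", 0)
    if history < policy["history"]:
        findings.append(("PasswordHistorySize", f"{history} < {policy['history']}"))
    bad = settings.get("LockoutBadCount", 0)            # 0: lockout disabled
    if bad == 0 or bad > policy["lockout_threshold"]:
        findings.append(("LockoutBadCount", f"{bad} (0 means lockout disabled)"))
    elif settings.get("LockoutDuration") != -1:
        findings.append(("LockoutDuration",
                         f"{settings.get('LockoutDuration')} minutes; slides require "
                         "lock until reset by an administrator (-1)"))
    return findings


if __name__ == "__main__":
    for name, export in (("weak", WEAK_EXPORT), ("compliant", COMPLIANT_EXPORT)):
        result = check_policy(parse_secedit(export))
        print(f"{name}: {'OK' if not result else ''}")
        for key, finding in result:
            print(f"  {key}: {finding}")
```

Run as-is it reports five findings for the weak sample and none for the compliant one; point `parse_secedit` at a real export to audit a domain. Note that LockoutBadCount = 0 means lockout is switched off, so it is reported as a finding rather than read as "never locks out", and a finite LockoutDuration is flagged because the slide asks for a lock that holds until an administrator resets it.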
CoCo 2.6 Network Schematic

  • The connecting organisation MUST submit a network schematic that details the networks that will utilise the GCSx connection. This diagram MUST document all onward connections and remote access.
  • High-level network schematic:
    – Number of servers and total number of clients
    – IP addresses are not needed
  • Onward sites and connections:
    – External sites connecting to local authority servers
    – Other government departments (NHS, PNN, etc.)
  • Internet security measures:
    – Local authority connection to ISP, firewalls, DMZs
CoCo 2.8 Firewalls

  • A firewall MUST be installed between the organisation and the GCSx.
  • A firewall MUST be installed between the organisation and any third party networks it connects to.
  • The firewall MUST be configured according to the guidance referenced from the Guidance Notes to this document to minimise the likelihood of successful attack against the network.
CoCo 2.13 Protective Monitoring

  • Audit logs recording user activities, exceptions and information security events MUST be produced to assist in future investigations and access control monitoring.
  • All logs MUST be retained for a minimum of six months. Organisations MUST also be aware of any additional legislation that may require them to hold logs for longer.
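The six-month retention rule is easy to state and easy to break silently: one lost archive or a misconfigured rotation leaves a hole that nobody notices until an investigation needs it. The script below is an added example for this page, not from the deck or the CoCo. Given an index of archived log files with the first and last event date each one holds (a constructed sample is embedded; building the index from a real log store is assumed to be done separately), it reports every date range inside the retention window that no archive covers. Six months is taken as 183 days, an assumption rather than a figure from the slide.

```python
"""Check that retained audit logs cover the six-month window CoCo 2.13
requires. Added example for this page, not from the deck or the CoCo.

Input is an index of archived log files with the first and last event
date each one holds; the entries below are constructed samples, and
building the index from a real log store is assumed to happen elsewhere.
Six months is taken as 183 days (an assumption).
"""
from datetime import date, timedelta

RETENTION_DAYS = 183

# Constructed sample index: (archive, first event, last event), ISO dates.
# The May archive is deliberately missing so the check has a gap to report.
ARCHIVES = [
    ("fw-2009-03.log.gz", "2009-03-01", "2009-03-31"),
    ("fw-2009-04.log.gz", "2009-04-01", "2009-04-30"),
    ("fw-2009-06.log.gz", "2009-06-01", "2009-06-30"),
    ("fw-2009-07.log.gz", "2009-07-01", "2009-07-31"),
    ("fw-2009-08.log.gz", "2009-08-01", "2009-08-31"),
    ("fw-2009-09.log",    "2009-09-01", "2009-09-15"),
]


def retention_gaps(archives, today, retention_days=RETENTION_DAYS):
    """Return [(start, end)] ISO date ranges inside the retention window
    that no archive covers. An empty list means the window is fully covered."""
    one_day = timedelta(days=1)
    cursor = today - timedelta(days=retention_days)   # earliest date we must hold
    gaps = []
    # Sort by first event so a single sweep finds uncovered ranges;
    # overlapping archives are harmless because the cursor only moves forward.
    spans = sorted((date.fromisoformat(f), date.fromisoformat(l)) for _, f, l in archives)
    for first, last in spans:
        if last < cursor:
            continue            # wholly before the window, or already covered
        if first > cursor:
            gaps.append((cursor.isoformat(), (first - one_day).isoformat()))
        cursor = max(cursor, last + one_day)
    if cursor <= today:         # coverage stops before today
        gaps.append((cursor.isoformat(), today.isoformat()))
    return gaps


def check_sample(today_iso="2009-09-15", archives=ARCHIVES):
    """Run the check on the sample index as of the given day."""
    return retention_gaps(archives, date.fromisoformat(today_iso))


if __name__ == "__main__":
    gaps = check_sample()
    if not gaps:
        print("retention window fully covered")
    for start, end in gaps:
        print(f"gap: {start} .. {end}")
```

As of 15 September 2009 the sample reports one gap, the whole of May; move `today` forward past the last event held and the check also reports the trailing gap, which is how a stalled log shipper shows up.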
CoCo 2.17 Patch Management

  • A patch management scheme MUST be established for all software used on the network.
  • Vendors' web sites and GovCertUK alerts MUST be monitored, and relevant software and service packs MUST be applied where practicable.
4. Connection Process
The Process
Current State of CoCo Approval

  CoCo Approval                  In Month    Cumulative Total
  Achieved in August                20              320
  Predicted in September 2009       55              375
CoCo Related Resources…

  • GC FAQs (
  • OGCbs Overview (CoCo explanatory docs) - NPM
  • OGCbs CoCo Guidance Notes - NPM
  • CESG Bookstore, RESTRICTED - available on request and from
  • CESG Claims Tested Mark (CCTM)
  • CESG Certified Products
  • SOCITM GovX Forum
  • Centre for the Protection of National Infrastructure (CPNI)
  • Cabinet Office Security Matters
  • Microsoft Security Advice (security hardening etc.)
  • Tiger Scheme
  • ISO27001/2 Information Security Portal
