The UK Government's initiative to prescribe a security standard for any organisation accessing the Government Connect Secure Extranet is a move designed to keep government organisations one step ahead of the inexorable increase in security threats. There have been too many high profile data thefts and losses by Government organisations, highlighting both the risk to, and the importance of, ICT security and the governance of citizens' data.

The result is the Government Connect Secure Extranet (GCSx). HM Government has mandated the way in which public authorities and government departments can securely transfer data between each other.

So, for example, how does a local authority needing Housing Benefits data access the Department for Work and Pensions (DWP) database? Via the GCSx, of course!

Similarly, Jobcentre Plus will only accept communications with local authorities via the GCSx, and likewise communications with the Police and the NHS will only be provided through this connection.

The concept is a "community of trust", and the GCSx is one of a number of secure Government extranets, including GSx, GSi and GCJx. See our Glossary of Terms at the end for details of these other networks.

So how does a district council access the GCSx? Via a secure connection, the security of which is governed by the Code of Connection, or 'CoCo'.

The GCSx CoCo

In England and Wales it is referred to as the GCSX Code of Connection (CoCo). In Scotland it is referred to as the GSX Code of Connection (CoCo).

Through GCSx, local authorities can connect to the Government Secure Extranet (GSX) and Intranet (GSI), the National Health Service (NHS), the Criminal Justice Extranet (CJX), and the Police National Network (PNN).

The Code of Connection takes into consideration how best to protect the "community of trust", taking into account all potential threats, including:

Attack from the GCSx itself
Attack from the Internet
Mobile data theft and loss
Attack from the internal user

CESG Infosec Memorandum Number 22 covers the Code of Connection (CoCo) for the Government Secure Intranet (GSI) and GCSx. According to Memorandum Number 22, protective monitoring has traditionally been the most underrated and least effectively used security measure.

The scope of the GCSx Code of Connection can be summarised as follows:

Physical Security and Access Control: restrict and control access to the GCSx, including use of firewalls and intrusion protection technology, with particular focus on mobile/remote worker security.

Policies and Procedures: in particular change management processes, approvals and documentation.

Configuration 'hardening': to ensure that known threats and vulnerabilities are eliminated from all systems, with a zealous patch management process combined with anti-virus technology, regularly tested and verified as secure.

Strong Monitoring for security incidents and events, with all event logs being retained for 6 months.

In fact, the scope of the standard is quite similar, in respect of both its approach and its measures, to the PCI DSS (the Payment Card Industry Data Security Standard), which is another security standard all local authorities will now be familiar with. The PCI DSS is concerned with the secure governance of payment card data, and any 'card merchant', i.e. an organisation handling payment card transactions, such as a district council collecting Council Tax, must comply with the details of that security standard.

Therefore it makes sense to consider measures for CoCo compliance in the context of PCI DSS, since the same technology that helps deliver CoCo compliance should be relevant for PCI DSS.

Is there a way to automate and simplify compliance?

Configuration Change Tracking: once your firewalls, servers, switches, routers etc. are all in a compliant state, you need to ensure they remain so. The only way to do this is to routinely verify that the configuration settings have not changed, because unplanned, undocumented changes will always be made while somebody has the admin rights to do so! We will alert when any unplanned change is detected to the firewall, or to any other network device within your 'Compliant Infrastructure'.

Planned Change Audit Trail: when changes do need to be made to a device, you need to ensure that the changes are approved and documented. Ideally, you need an automated solution that makes this straightforward, reconciling every change made with the RFC (Request for Change) or Change Approval record.

Device 'Hardening' to be enforced and audited: the best solutions available today provide automated templates for a hardened configuration for servers, desktops and network devices, to show where work is needed to become compliant, and thereafter track all planned and unplanned changes that affect the hardened status of your infrastructure. Specifically, the state of the art in compliance auditing technology covers registry keys and values, file integrity, service and process whitelisting/blacklisting, user accounts, and installed software.
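The three mechanisms above (configuration change tracking, a planned-change audit trail, and hardening enforcement) are illustrated by the following Python sketch. It is an added example written for this page, not code from the whitepaper or from any product it describes. It takes a SHA-256 baseline of monitored configuration files, detects drift against a later snapshot, reconciles each detected change with an approved-change (RFC) register by path and maintenance window, and then checks the post-change content against a hardening template. The file paths, file contents, RFC identifier, timestamps and template values are all constructed for the example.

```python
"""Configuration change tracking with a planned-change audit trail (constructed example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict) -> dict:
    """Map each monitored path to the SHA-256 of its content (the 'compliant baseline')."""
    return {path: sha256_hex(content) for path, content in files.items()}


def detect_drift(baseline: dict, current: dict) -> list:
    """Return (path, kind) for every added, deleted or modified file between two snapshots."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append((path, "deleted"))
        elif path not in baseline:
            changes.append((path, "added"))
        elif baseline[path] != current[path]:
            changes.append((path, "modified"))
    return changes


@dataclass
class ApprovedChange:
    """One row of the change-approval register (hypothetical RFC record)."""
    rfc_id: str
    path: str
    window_start: datetime
    window_end: datetime


def reconcile(changes: list, approved: list, detected_at: datetime):
    """Split detected changes into planned (covered by an RFC window for that path) and unplanned."""
    planned, unplanned = [], []
    for path, kind in changes:
        match = next((a for a in approved
                      if a.path == path and a.window_start <= detected_at <= a.window_end), None)
        if match is not None:
            planned.append((path, kind, match.rfc_id))
        else:
            unplanned.append((path, kind))
    return planned, unplanned


def check_hardening(config_text: str, template: dict) -> list:
    """Compare 'Key Value' settings (sshd_config style) with a hardening template.
    Returns (key, expected, actual) for every deviation; an empty list means compliant."""
    actual = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        actual[key] = value.strip()
    return [(k, v, actual.get(k)) for k, v in template.items() if actual.get(k) != v]


# Constructed sample data: the approved baseline and a later snapshot of the same device.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/firewall/rules.v4": b"-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT\n-A INPUT -j DROP\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/firewall/rules.v4": (b"-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT\n"
                               b"-A INPUT -p tcp --dport 3389 -j ACCEPT\n-A INPUT -j DROP\n"),
}
# Hypothetical RFC: only the firewall rules were approved for change, in a two-hour window.
APPROVED = [ApprovedChange("RFC-1042", "/etc/firewall/rules.v4",
                           datetime(2024, 1, 10, 18, 0), datetime(2024, 1, 10, 22, 0))]
DETECTED_AT = datetime(2024, 1, 10, 19, 30)
HARDENING_TEMPLATE = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}


def run_audit() -> dict:
    """Full cycle: baseline -> drift -> reconcile against RFCs -> hardening check."""
    changes = detect_drift(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))
    planned, unplanned = reconcile(changes, APPROVED, DETECTED_AT)
    findings = check_hardening(CURRENT_FILES["/etc/ssh/sshd_config"].decode(), HARDENING_TEMPLATE)
    return {"planned": planned, "unplanned": unplanned, "hardening_findings": findings}


if __name__ == "__main__":
    for section, rows in run_audit().items():
        print(section)
        for row in rows:
            print("  ", row)
```

Two points worth noting from the output. The sshd_config edit falls outside any RFC window, so it is reported as an unplanned change and the hardening check independently flags PermitRootLogin as deviating from the template. The firewall edit is matched to RFC-1042 and is therefore "planned", yet it opens port 3389 to any source: reconciliation only proves a change was authorised, not that its result is compliant, which is why the hardening and rule-content checks must run on the post-change state as well.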