rances Hipple, a senior consultant for NCC Group, explains how housing providers will need to improve their security in order to exchange information with and connect to local authority networks and systems.
In order for local authorities (LAs) to securely communicate and transmit information with the government, they will be required to connect to the Government Connect Secure Extranet (GCSx). In order to do so, they are likely to need to improve the security of their IT architecture and implement a range of controls within a Code of Connection (CoCo) covering a variety of areas to achieve a minimum level of security.
What does this have to do with housing providers? Well, if you are using a shared network with your LA, you will almost certainly have to fully comply as well.
Indeed, if you access any LA systems or networks, you will need to comply with the requirements. This may mean that you have to access systems from LA networks or premises only or you may have to ensure that your networks and systems are of an equivalent security level in order to exchange information. Possible areas where this may occur will include some choice-based lettings schemes or possibly interfaces such as housing benefit.
These controls include, but are not limited to:
Ensuring the physical security of premises is sufficient;
Educating users in how to preserve security, the requirements of security and their expected behaviour;
Ensuring that all devices accessing the network are patched and hardened to prevent potential compromise;
Having a secure network architecture in line with Government requirements;
Having anti-virus software installed throughout the network and updated regularly;
Having a controlled and secure remote access and home working solution;
Controlling the use of media devices on the network;
Monitoring and having the ability to react to security incidents.
If you receive any information from LAs, they may require you to handle that information in a secure manner and the information might be subject to the following controls:
Information must be encrypted prior to email;
Media must not be used or information must be stored encrypted on media;
Only certain personnel are permitted to handle information.
If you are asked to comply with any of these requirements you must do so otherwise LAs could refuse to exchange information with you. For example, we are already aware of at least one ALMO where the use of BlackBerries has been restricted by the LA so that passwords and logins are required and email, cameras and Bluetooth have been disabled. This is to prevent the accidental storage of sensitive data on an unencrypted device. This type of issue could have a wide-ranging impact on the ways in which staff carry out their jobs and needs to be discussed with the LA so that a workable and compliant solution can be found.
If you are accessing operational software that is hosted by a supplier or third party then you will need to be sure that these have good information security and software development practices in place. There is no such thing as ‘GCSx-compliant software’ as the GCSx applies to the network connected to the GCSx. However as long as the software works within the GCSx requirements such as VPNs, then there are no particular requirements that the software applications have to comply with. You do need to be careful though that if the software somehow negates security controls (e.g. requires a web browser in a ‘privileged mode’) then it may result in non-compliance to the CoCo. In general, it is the remote connections that need to be secure rather than the software.
The list of requirements above is an overview of information and IT security best practice. All organisations, regardless of the information they handle, their business profile or the industry they work in, should be considering how they secure their information and IT assets and what risks are posed if they don’t.
The ISO/IEC 27001 standard is now considered the best way of achieving information security best practice. The standard covers physical security, access control, incident management and business continuity, security policies and governance, IT security and operations management.
Implementing a standard such as ISO 27001 or adhering to best practice controls will put your organisation in a better position to adhere to any requirements from the local authorities around the GCSx Code of Connection and also ensure that all your information and systems are secure and well protected.
Frances Hipple is a senior consultant for NCC Group.
