Document filename:
Directorate / Programme / HSCN / Project / HSCN Security
Document Reference
Programme / Project Manager / Paul Evans / Status / Draft for Discussion
Owner / HSCN Security Sub-Board / Version / V0.1
Author / Paul Evans / Issue date / [13/06/16]

Document Management

Revision History

Version / Date / Summary of Changes
V0.1 / 13/06/2016 / First draft incorporating the position agreed by Des Ward, Michael Bowyer and Paul Evans

Reviewers

This document has been sent for review to, and/or reviewed by, the following people (please include nil returns):

Reviewer Name / Title / Role / Directorate / Version / Date Sent to Reviewer / Date Feedback Received / Feedback Actioned (Y/N?)
Tony Beadle
Kate Gill
Innopsis Security Working Group
Innopsis Technical Working Group
Nick Schlanker
Terry Brown

Approved by

This document must be approved by the following people:

Name / Signature / Title / Date / Version
HSCN Security Sub-Board

Document Control:

The controlled copy of this document is maintained in the HSCIC corporate network. Any copies of this document held outside of that area, in whatever format (e.g. paper, email attachment), are considered to have passed out of control and should be checked for currency and validity.

Contents

0 Status of this paper

1 Purpose of Submission

2 Summary

3 Security Compliance Proposals

3.1 Standards

3.2 Accreditation and Assurance

0 Status of this paper

This paper is provided for discussion within the potential HSCN Supplier community. Positions are not confirmed and so should not be acted on by any party until approved by the HSCN Security Sub-Board.

1 Purpose of Submission

This paper sets out proposals for the arrangements for Security Compliance for HSCN Suppliers. Proposals were arrived at through discussions between Paul Evans (HSCN Programme, HSCIC), and Des Ward and Michael Bowyer (both Innopsis).

2 Summary

The HSCN Programme needs to develop and agree, in conjunction with the potential HSCN Supplier community (via Innopsis), the minimum requirements for security and the arrangements through which HSCN Consumers can be assured that those requirements are met.

3 Security Compliance Proposals

3.1 Standards

The minimum security standard for HSCN Suppliers is the CAS(T) requirements.

The ‘Critical’ CAS(T) requirements are requirements that one would reasonably expect any organisation offering network services to be meeting.

3.2 Accreditation and Assurance

HSCN does not want to operate its own accreditation or assurance scheme for security, given that the security requirements are those set out under the CAS(T) scheme.

3.2.1 To become an HSCN Supplier

In order to become an HSCN Supplier, the supplier must either:

  1. Hold a valid CAS(T) accreditation, or
  2. (Recognising that the costs of CAS(T) accreditation can be prohibitive for smaller suppliers who already meet the requirements):
     a. self-assert compliance with the CAS(T) requirements marked as ‘Critical’ at the time of becoming an HSCN Supplier, and
     b. agree to achieve CAS(T) accreditation within 2 years of becoming an HSCN Supplier, and
     c. have an independent party carry out an IT Health Check (ITHC) and make the results of this ITHC available to the HSCN Authority, to prospective customers and to current consumers.

3.2.2 Remaining an HSCN Supplier

  1. Once CAS(T) accreditation has been achieved, the HSCN Supplier must maintain that accreditation in order to remain an HSCN Supplier, or
  2. Achieve CAS(T) accreditation within 2 years of first becoming an HSCN Supplier, and
  3. Annually, have an independent party carry out an IT Health Check and make the results of this ITHC available to the HSCN Authority, to prospective customers and to current consumers.

3.2.3 Supplier Status

Self-assertion of compliance is not a lower level of security accreditation, in terms of HSCN Supplier status, than CAS(T) accreditation. An HSCN Supplier either meets the (minimum) bar or they don’t.

It is entirely HSCN Consumer choice as to whether to contract with any HSCN Supplier or to require full CAS(T) accreditation.

3.2.4 What does self-assertion of compliance mean?

The HSCN Supplier is declaring that they meet at least the CAS(T) requirements marked as ‘Critical’ and have agreed to work towards CAS(T) accreditation within 2 years of becoming an HSCN Supplier.

Neither HSCN nor HSCIC has verified that the HSCN Supplier does meet the requirements, nor are HSCIC or HSCN monitoring progress towards compliance.

It is up to HSCN Consumers to determine whether they want further accreditation or assurance or progress towards CAS(T), and should they do so, to obtain it from the HSCN Supplier.

We expect that the Consumer market will drive HSCN Supplier behaviour.

3.2.5 Failure to meet CAS(T) compliance within 2 years of becoming an HSCN Supplier

Where an HSCN Supplier self-asserts compliance and fails to achieve CAS(T) accreditation within the two-year period, HSCN can terminate the approved supplier status and remove the party from the HSCN Supplier list. This means:

  • The party can no longer accept new orders for HSCN Services, or continue to process orders placed but not fulfilled
  • HSCN Consumers who already contract with the party may terminate their contract without penalty

3.2.6 Auditing of Compliance

The HSCN Authority reserves the right to audit, through an independent body, should there be reasonable grounds to suspect that the HSCN Supplier was not meeting the requirements despite declaring through self-assertion of compliance that they did. Such an audit would be at the Authority’s expense.

However, if it is confirmed through the independent check that the HSCN Supplier was not meeting the requirements when they declared that they were, or failed to deliver on an agreed remediation plan, the costs would be met by the HSCN Supplier.

Should this arise, the HSCN Supplier would also be removed from the approved supplier list, could take no further orders, and its customers would be permitted to cancel their service contracts with that supplier without penalty.
