G-Cloud #AccreditCamp


Published on

These are the slides and a recording of the audio of #AccreditCamp held on the 13th February 2012.

This recording was been taken from the live SlideShare Zipcast stream and is of medium quality, the recording has been edited for brevity and to remove extraneous sounds.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • You can start sending questions through straight away
  • G-Cloud Framework (RM) CloudStore  - Keep an eye on the website and the twitter account for news #BuyCamp How to book a place? Assurance Ongoing in parallel with accreditation.
  • Add something about giving confidence to the customer?
  • through the programme and the Pan Government Accreditors (PGAs)   Customers will still need to ensure that the accreditation and assurance activities are suitable to meet their risk profiles and will need to consider the service as part of their internal accreditation process, perhaps considering the service in the reliance scope of their internal accreditation. 
  • FROM PSN RMARD The service provider manages and is accountable for the schedule and cost of compliance for their service(s)  The process as far as possible ensures that government resources (the PSNA, PGA and CESG Security Architects) are involved only as really needed and are not engaged by a service provider who is speculatively putting up a service for accreditation and haven‟t really done the work that is needed to take them successfully through the process.  The same on-boarding process is applied for services across all impact levels TEMPLATE AVAILABLE ON THE SUPPLIER ZONE. Check you have the latest version - we may revise the guidance notes. Same applies if a service has already been accredited.
  • For IL2 could include.....  For IL3 could include....
  • CESG!
  • The T&C’s allow the supplier the option of using an independent auditor instead of a site visit with certain restrictions.  The IA guidance says that in certain exceptional circumstances a site visit may be required as part of ‘ISO/IEC 27001 audit and certification’.  If the latter is the case this will be discussed with the supplier during the accreditation process. 
  • G-Cloud #AccreditCamp

    1. 1. #AccreditCamp G-Cloud
    2. 2. Agenda <ul><ul><li>Welcome & introductions </li></ul></ul><ul><ul><li>G-Cloud overview </li></ul></ul><ul><ul><li>What is accreditation for? </li></ul></ul><ul><ul><li>The process </li></ul></ul><ul><ul><li>Are you ready for accreditation? </li></ul></ul><ul><ul><li>Scoping </li></ul></ul><ul><ul><li>Accredation and recommendation </li></ul></ul><ul><ul><li>Scenarios </li></ul></ul><ul><ul><li>Questions </li></ul></ul>
    3. 3. #accreditcamp @g_cloud_uk gcloud.civilservice.gov.uk [email_address]
    4. 4. G-Cloud overview <ul><li>G-Cloud Framework </li></ul><ul><li>-  Intention to award notifications have been issued </li></ul><ul><li>-  Around 1700 services from just under 300 suppliers </li></ul><ul><li>-  Currently in standstill period </li></ul><ul><li>CloudStore </li></ul><ul><li>-  The catalogue of services and suppliers on the framework will launch later this week </li></ul><ul><li>#Buycamp </li></ul><ul><li>-  2pm 1/3/12 HM Treasury Building, for potential consumers of G-Cloud services </li></ul><ul><li>Assurance of commercial, service management and functional aspects of the services is ongoing </li></ul>
    5. 5. Concept of operations
    6. 6. What is accreditation for? <ul><li>Government must make sure the information systems we use will protect the information they handle, and function as and when they need to.  We need to manage the risk to our information assets. </li></ul><ul><li>Accreditation is the formal assessment of the system against its information assurance requirements. </li></ul>
    7. 7. Why? <ul><li>Central accreditation will result in a service which can be procured by multiple customers. </li></ul><ul><li>We want to do it once, get it right first time, and share the benefits across government. </li></ul><ul><li>For suppliers this will mean a reduced time to market and higher return on investment if multiple customers procure the service. </li></ul>
    8. 8. The process
    9. 9. Stop!  Is your service ready for accreditation? <ul><li>Before any formal assurance activity is undertaken the service design is expected to be in a mature design state or at least developed to a state that means any security testing carried out is on a design that represents the final service. </li></ul><ul><li>If your service is not ready let us know .  You will not be penalised; we will get back in touch when you are ready. </li></ul>
    10. 10. Scoping <ul><li>We will request completion of a 'Security Accreditation Scope' document from suppliers </li></ul><ul><ul><li>Same on-boarding for services across all impact levels </li></ul></ul><ul><ul><li>Ensures supplier and government resources are not engaged when the service is not ready </li></ul></ul><ul><ul><li>Allows PGAs to agree the appropriate/proportionate scope of your accreditation activities </li></ul></ul><ul><li>Suppliers will be contacted in tranches.  When we make contact you should respond within 10 working days, or your service will be moved down the programme work queue.  This is so we can manage our work and maximise use of the CESG team. </li></ul>
    11. 11. Security Accreditation Scope (p1)
    12. 12. Scoping
    13. 13. Accreditation & recommedation
    14. 14. Scenarios      <ul><li>1.  An IL3 service which has been already accredited (but not by PGAs) </li></ul><ul><li>2.  An IL3 service with no accreditation </li></ul><ul><li>3.  IL2 service, not previously accredited </li></ul>
    15. 15. Questions:   <ul><li>1. Does the data need to be UK hosted? </li></ul><ul><li>See the Government ICT Offshoring (International Sourcing) Guidance . There is nothing that prohibits the off-shoring of IL2 information, but there a number of areas for CIOs to consider when reaching their decisions such as DPA compliance. Such areas will be considered during the accreditation process. </li></ul>
    16. 16. 2. Does our datacentre really need to be inspected - will an independent audit certificate do?   <ul><li>IL2:  The expectation is that the only site visits required will be as for the ISO/IEC27001 audit and certification.  Any site visits and audit by the PGA or their agents at IL22x will only be used when absolutely required and it is intended that these will be very much the exception rather than the rule. </li></ul><ul><li>At IL3 site visits by the accreditor will be required. </li></ul><ul><li>In both cases, the aim is to reduce the requirement and need for multiple public sector organisations to carry out such site visits but this cannot be excluded as a possibility.   </li></ul><ul><li>  </li></ul>
    17. 17. <ul><li>? </li></ul>
    18. 18. References      <ul><ul><li>G-Cloud IA guidance (will be available on the supplier zone) </li></ul></ul><ul><ul><li>Scoping template </li></ul></ul><ul><ul><li>PSN RMARD </li></ul></ul><ul><ul><li>Government ICT Offshoring (International Sourcing) Guidance     </li></ul></ul>
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.