
Impact level | Scope | Source documents for controls / best practice
IL0 | IaaS and PaaS focused; SaaS to follow |
IL2 (2-2-4) | IaaS and PaaS focused; SaaS to follow | NGN Standard Security Level, ISMS Requirements and Good Practice Guide v0.8, 19 November 2008; IA Developers Notes, Telecommunications Systems and Services: Interim Guidance on Assurance, Version 1.0, January 2009
IL3 (3-3-4) | IaaS and PaaS focused; SaaS to follow | HMG Infosec Standards part 1 and 2; IS4 Part 1 - Management of Cryptographic Systems

Type of data | Aggregation [1]
Unmarked | No change
Protect (personal data) | Substantial personal data could be IL3
Restricted | Heavy aggregation could drive to IL4 or above (so the database might be IL5 even though access is via an IL3 network)

[1] There is not yet a definition of aggregation and its impact, i.e. when sets of data bundled together in a single service might bump up the level of protection required (from e.g. IL2 to IL3, or IL3 to IL5); for example, one biometric photo is IL3 but the entire nation's biometrics might easily be IL6. A subset of this issue relates to the marking of data at the outset: is data classified as Restricted actually Restricted (given that FoI, transparency etc. exist as a default)? Some suppliers have talked about IL3-low and IL3-high, where low would trend data towards IL2 and high would move it towards IL4 and Confidential; that could effectively remove IL3 as a marking. The aggregation issue gets more complicated when data across multiple services sharing the same servers or storage is considered, and suppliers will want us to be clear about how we deal with that.

Impact level | Location of data centre (including failover or DR) | Staff clearance | Staff location | Tier (TIA 942), for example | Standards compliance expected
IL0 | Global & unspecified | None | No restrictions | 1-4 |
IL2 (2-2-4) | Within EU & specified (any exclusions within EU? Some talk about some Eastern European countries?) | None | EU, or no restrictions? | 2-4 | ISO 27001; ISO 9001; ISO 14001; OHSAS 18001; PCI DSS (where credit card data stored); ITU X.1051
IL3 (3-3-4) | UK only & specified (that is, the data is in a specific data centre) | BC or CTC (Note: SC clears to occasional handling of Secret or IL5) | UK for data access; EU or US for code access provided no production data is visible | 3-4 | CPNI; PCI DSS (where credit card data stored)

Impact level | Encryption | Log-on controls for administrator/support staff
IL0 | None |
IL2 (2-2-4) | None at rest. May have to encrypt in transit? HTTPS or link encryption? | What will PSN provide? All passwords encrypted; collection and review of audit log files
IL3 (3-3-4) | For those outside of the GSI: commercial-grade encryption overlay (e.g. FIPS 140-2); possible need for CAPS approved devices | What will PSN provide? Two-factor access authentication; all passwords encrypted; personnel gaining only the access needed to perform their role; use of one-time access passes for supplier personnel; collection and review of audit log files

Impact level | Compliance process
IL0 | Self-certification (including pen test)
IL2 (2-2-4) | No accreditation visit expected; relevant reports (to be specified) made available to departmental accreditors. Pen test conducted by the supplier; results made available to customers
IL3 (3-3-4) | Individual departmental accreditation moving to single pan-government accreditation [2]; specific pen test commissioned and reviewed by the government accreditor prior to use

[2] Pan-government accreditation for a one-time, reasonable, supplier-borne cost is an important consideration for suppliers; we need to explain how that will work.
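The IL3 log-on controls in the table (two-factor access authentication, passwords never held in recoverable form, personnel getting only the access their role needs, one-time access passes for supplier personnel, and audit logs that are collected and reviewed) fit together as a small access gateway. The following is an added example written for this page; it is not code from the original document, from PSN or from any supplier. The AdminGateway class, its method names, the choice of PBKDF2 for password storage (the usual reading of "all passwords encrypted"), the event field names and the sample users are all constructed, and the second-factor result is assumed to come from a separate OTP verifier that is out of scope here.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class AccessPass:
    """One-time, time-limited pass issued to a supplier engineer for a single action."""
    token_hash: bytes   # SHA-256 of the secret token; the token itself is never stored
    holder: str
    action: str
    expires_at: float
    used: bool = False


class AdminGateway:
    """Front door for administrator/support access (constructed example, not PSN's design)."""

    def __init__(self, clock=time.time):
        self.clock = clock             # injectable so expiry can be tested deterministically
        self._credentials = {}         # username -> (salt, PBKDF2-SHA256 hash)
        self._roles = {}               # username -> frozenset of permitted actions
        self._passes = {}              # pass_id -> AccessPass
        self.audit_log = []            # every decision, allowed or denied, kept for review

    def _log(self, event, **fields):
        self.audit_log.append({"ts": self.clock(), "event": event, **fields})

    @staticmethod
    def _hash_password(password, salt):
        # Salted, iterated hash: nothing is kept from which the password could be recovered.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_staff(self, username, password, actions):
        salt = secrets.token_bytes(16)
        self._credentials[username] = (salt, self._hash_password(password, salt))
        self._roles[username] = frozenset(actions)   # least privilege: explicit allow-list
        self._log("staff_registered", user=username, actions=sorted(actions))

    def login(self, username, password, second_factor_ok):
        """Password plus a second factor; second_factor_ok comes from an assumed separate OTP check."""
        record = self._credentials.get(username)
        # Hash even for unknown users so a missing account takes as long as a wrong password.
        salt, stored = record if record else (b"\0" * 16, b"")
        password_ok = hmac.compare_digest(self._hash_password(password, salt), stored)
        ok = record is not None and password_ok and second_factor_ok
        self._log("login", user=username, ok=ok, second_factor=second_factor_ok)
        return ok

    def authorize(self, username, action):
        ok = action in self._roles.get(username, frozenset())
        self._log("authorize", user=username, action=action, ok=ok)
        return ok

    def issue_pass(self, approver, holder, action, ttl_seconds):
        """An approver holding the issue_pass right grants a supplier engineer one action for a short window."""
        if not self.authorize(approver, "issue_pass"):
            raise PermissionError(f"{approver} may not issue access passes")
        token = secrets.token_urlsafe(32)
        pass_id = secrets.token_hex(8)
        self._passes[pass_id] = AccessPass(
            token_hash=hashlib.sha256(token.encode()).digest(),
            holder=holder, action=action, expires_at=self.clock() + ttl_seconds)
        self._log("pass_issued", by=approver, holder=holder, action=action, pass_id=pass_id)
        return pass_id, token

    def redeem_pass(self, pass_id, token, action):
        """Every failure mode is logged with a reason; a pass is burnt on its first successful use."""
        p = self._passes.get(pass_id)
        reason = None
        if p is None:
            reason = "unknown"
        elif p.used:
            reason = "already_used"
        elif self.clock() > p.expires_at:
            reason = "expired"
        elif action != p.action:
            reason = "wrong_action"
        elif not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), p.token_hash):
            reason = "bad_token"
        if reason is None:
            p.used = True
        self._log("pass_redeemed", pass_id=pass_id, holder=p.holder if p else None,
                  ok=reason is None, reason=reason)
        return reason is None

    def review(self, failures_only=True):
        """The 'collection and review of audit log files' step: pull out the denied events."""
        return [e for e in self.audit_log if not failures_only or e.get("ok") is False]
```

The design point worth noticing is that denials are logged with the same care as successes: an accreditor reviewing `review()` output can see expired or reused supplier passes and failed second-factor attempts, which is what makes the "review" half of the audit requirement possible rather than a formality.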

Common Criteria [3] (IL0 to IL3): Current and well maintained (TM) versions of all software and hardware from a manufacturer with a process that includes security as part of its development lifecycle
Service management processes [4] (IL0 to IL3): ITIL or equivalent (ISO 20000, COBIT, eTOM, FITS etc.)

Impact level | Multi-tenancy [5]
IL0 | No restrictions
IL2 (2-2-4) | No restrictions (that is, multiple clients can share the same physical and logical infrastructure at IL2)
IL3 (3-3-4) | Physical separation between IL2 and IL3 at server and storage level as well as the management network; chassis can be shared. No separation (physical or logical) between customers at the same impact level

[3] Whilst we often use e.g. EAL4 for a given component, many existing public clouds are yet to fully (i.e. through the whole stack) certify at that (or any other) level; the words in the table are, then, a placeholder pending something clearer.

[4] UK government would historically require (and contractually specify) ITIL-compliant processes, but it is individuals who are certified in ITIL, not the operation itself. It would be hard to say anything other than "X% of staff should be ITIL certified", but given that one of the points of a cloud is not to have to worry about individuals, there would be little way of verifying that short of a spot check of those on shift at a given time.

[5] Multi-tenancy masks a series of issues about virtualisation and separation between CPU, network and storage that need to be explained succinctly.
