UK Security Standards

29 November 2013
By Roman Denisenko, Senior QA

In the previous part of this article we spoke about international security standards. In this part, we'll talk about the ones adopted in the United Kingdom.

IS1

What is it

HMG Information Assurance Standard No.1, usually abbreviated to IS1, is a security standard applied to government computer systems in the UK. Accreditation covers all processes in an organization, not only the IT side.

Who has to comply

All government organizations and connected third-parties.

Who confirms compliance

An auditor who has been certified by HMG.

Consequences of non-compliance

Administrative sanctions for government organizations and refusal of cooperation for third-party companies.

How often to confirm compliance

Departments and Agencies must conduct an annual technical risk assessment (using HMG IA Standard No.1) for all HMG ICT Projects and Programmes, and also when there is a significant change in a risk component (Threat, Vulnerability, Impact etc.) to existing HMG ICT Systems in operation. The assessment and the risk management decisions made must be recorded in the Risk Management and Accreditation Documentation Set (RMADS), using HMG IA Standard No.2 – Risk Management and Accreditation of Information Systems.

Useful links

CoCo

What is it

CoCo (Code of Connection) is a set of requirements that must be met before local authorities in England and Wales can connect an organization to the Government Secure Intranet (GSI).

Who has to comply

Any organization joined to the GSI.

Who confirms compliance

Her Majesty's Government (HMG), the Government of the United Kingdom.

Consequences of non-compliance

Disconnection from the GSI.

How often to confirm compliance

CoCo compliance is assessed annually, and a local authority can conduct an audit at any time.

Useful links

Data Protection Act

What is it

The Data Protection Act 1998 (DPA) controls how the personal information of UK subjects may be used by organizations, businesses or the government. The purpose of the Act is to protect the rights and privacy of individuals, and to ensure that data about them is not processed without their knowledge and is processed with their consent wherever possible.

Who has to comply

The Data Protection Act requires every data controller (e.g. an organization or a sole trader) that processes personal information to register with the Information Commissioner's Office (ICO), unless it is exempt.

The standard requires that technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Who confirms compliance

Compliance with the Act is regulated and enforced by an independent authority, the ICO, which maintains guidance relating to the Act.

Consequences of non-compliance

Processing without a registration or unlawfully obtaining personal data is currently punishable by a fine of up to £500,000. In some limited areas the Act creates criminal offences for which the Commissioner can prosecute.

Useful links

Commercial Product Assurance

What is it

Commercial Product Assurance (CPA) certifies commercial security products (such as firewalls, virtualization products and cryptography) for use by the UK government, the wider public sector and industry. It is intended to supplant other approaches such as Common Criteria (CC) and CCT Mark for UK government use.

Who has to comply

All security products used by the UK government. The product must also be covered by one or more of the published Security Characteristics, and, importantly, the product developer must have a UK sales presence.

Who confirms compliance

CPA Test Labs, which are listed on the official site. Lab fees include a charge of £4,000 per evaluation by the Communications-Electronics Security Group (CESG).

How often to confirm compliance

Recertification every two years or after significant changes.

Useful links

See also:

http://blog.dataart.com/us-security-standards/
