In the previous part of this article we covered international security standards. In this part, we look at the ones adopted in the United Kingdom.
HMG Information Assurance Standard No.1
What is it: HMG Information Assurance Standard No.1, usually abbreviated to IS1, is a security standard applied to government computer systems in the UK. Accreditation covers all processes in an organization, not only the IT side.
Who has to comply: All government organizations and connected third parties.
Who confirms compliance: An auditor who has been certified by HMG.
Consequences of non-compliance: Administrative sanctions for government organizations and refusal of cooperation for third-party companies.
How often to confirm compliance: Departments and Agencies must conduct an annual technical risk assessment (using HMG IA Standard No.1) for all HMG ICT Projects and Programmes, and also whenever there is a significant change in a risk component (Threat, Vulnerability, Impact etc.) of an existing HMG ICT System in operation. The assessment and the risk management decisions made must be recorded in the Risk Management and Accreditation Documentation Set (RMADS), using HMG IA Standard No.2 – Risk Management and Accreditation of Information Systems.
Code of Connection
What is it: The Code of Connection (CoCo) is a set of requirements that must be met before local authorities in England and Wales can connect an organization to the Government Secure Intranet (GSI).
Who has to comply: Any organization joining the GSI.
Who confirms compliance: Her Majesty's Government (HMG), the Government of the United Kingdom.
Consequences of non-compliance: Disconnection from the GSI.
How often to confirm compliance: CoCo compliance is assessed annually, and a local authority can be audited at any time.
Data Protection Act
What is it: The Data Protection Act 1998 (DPA) controls how the personal information of UK subjects may be used by organizations, businesses or the government. The purpose of the Act is to protect the rights and privacy of individuals, and to ensure that data about them is not processed without their knowledge and is processed with their consent wherever possible.
Who has to comply: The Data Protection Act requires every data controller (e.g. an organization or sole trader) who is processing personal information to register with the Information Commissioner's Office (ICO), unless they are exempt. The Act requires that appropriate technical and organizational measures be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Who confirms compliance: Compliance with the Act is regulated and enforced by an independent authority, the ICO, which also publishes guidance on the Act.
Consequences of non-compliance: Processing without a registration or unlawfully obtaining personal data is currently punishable by a fine of up to £500,000. In some limited areas the Act creates criminal offences for which the Commissioner can prosecute.
Commercial Product Assurance
What is it: Commercial Product Assurance (CPA) certifies commercial security products (such as firewalls, virtualization products and cryptographic products) for use by the UK government, the wider public sector and industry. It is intended to supplant other approaches such as Common Criteria (CC) and the CCT Mark for UK government use.
Who has to comply: All security products used by the UK government. The product must also be covered by one or more of the published Security Characteristics, and the product developer must have a UK sales presence.
Who confirms compliance: The CPA Test Labs listed on the official site. In addition to the lab's own fee, the Communications-Electronics Security Group (CESG) charges £4,000 per evaluation.
How often to confirm compliance: Recertification every two years, or after significant changes to the product.