
Local government cyber security group looks to post-PSN assurance

06/10/22

Mark Say Managing Editor


Geoff Connell
Image source: Socitm

A local government cyber security group is exploring alternative assurance processes to replace those used within the Public Services Network (PSN).

Geoff Connell, chair of the national Cyber Technical Advisory Group (CTAG) and director of information management and technology at Norfolk County Council, told UKAuthority’s Resilience and Cyber4Good conference yesterday that the group is looking at how different approaches could improve the security assurance that has come with using the PSN.

The network is due to be closed next year with the Government Digital Service having indicated in 2017 that there are now secure routes for communication through the internet – although a question around this was raised by the publication of a procurement notice in August.

“It will be more secure but does mean we will be losing something that has been painfully implemented but quite beneficial, that is independent assurance around PSN,” Connell said.

“It’s important because the different public sector organisations, rightly or wrongly, believe they can trust each other to share information. It means that when we interact we can interact with lots of bits of central government and different agencies we have a tick that says we have a PSN assurance accreditation.

“We need to think about how we replace that.”

CAF potential

He indicated that a local government version of the Cyber Assessment Framework (CAF), currently being explored by the Local Digital team in the Department for Levelling Up, Housing and Communities, could play an important role.

Norfolk County Council has been involved in one of the pilot projects, and Connell said the experience had been encouraging. It deals with the issues of security, privacy and trust which are currently largely covered by PSN accreditation.

“It’s much broader than what we’ve done on PSN,” he said. “It really does look at the risk management and governance side of things.

“So it does look good and if you talk to NCSC (National Cyber Security Centre) and look at the government strategy it is the direction of travel.”

He said there is also scope for the NHS to adopt a similar model, and that for both that and local government a CAF could provide consistency in going through an assurance process once to cover a range of requirements.

Cyber Essentials alternative

Connell added that CTAG is also looking at an alternative to the NCSC’s Cyber Essentials Plus framework, saying it is more appropriate for the private sector than local government, and at the possibility of a regional or national security operations centre as a resource for councils.

“It’s too expensive for a single local authority but there’s an opportunity if we work together,” he said of the latter.
