The latest update from David Mead on the alpha PSN Service Security Standards (PSSS)
(March 4, 2015)
Please view a glossary of related terms below:
Accreditation is the formal assessment of the information system against its IA requirements, resulting in the acceptance of residual risks in the context of the business requirement. It is a prerequisite to approval to operate.
The role of the accreditor is to act as an impartial assessor of the risks that an information system may be exposed to in the course of meeting the business requirement and to formally accredit that system on behalf of the board.
Agreed Service Time
The time during which a PSN Service is to be available, as agreed between the PSN Customer and the PSN Service Provider.
The PSN Customer or the PSN Service Provider identified in a Code.
Business Impact Level
See Impact Level.
See Change Advisory Body.
The UK Government’s National Technical Authority for Information Assurance.
CESG Tailored Assurance Service
An independent, technical security evaluation of a system or product for a government department customer. CTAS is carried out by approved evaluation companies with support from CESG and results in advice on the extent to which technical risks have been addressed.
The addition, modification or removal of anything that could have an effect on PSN Services.
Change Advisory Body
A group of people that advises on the assessment, prioritisation and scheduling of Changes.
The process responsible for controlling the lifecycle of all Changes. The primary objective of Change Management is to enable beneficial Changes to be made, with minimum disruption to services.
The party responsible for managing and implementing the Change.
See Code of Connection.
A completed and signed Code of Practice, Code of Interconnection, or Code of Connection.
Code Of Connection
The agreement, as set out in the Code Template, setting out the obligations and requirements for PSN Customers wanting to participate in the PSN, together with all documents annexed to it and referenced within it.
Code Of Interconnection
The agreement, as set out in the Code Template, setting out the obligations and requirements for DNSPs connecting directly to the GCN, together with all documents annexed to it and referenced within it.
Code Of Practice
The agreement, as set out in the Code Template, setting out the obligations and requirements for PSN Service Providers wanting to participate in the PSN, but not wanting to connect directly to the GCN, together with all documents annexed to it and referenced within it.
The Code Template initially serves as an application form for PSN Compliance Certification. It subsequently serves as the set of obligations and requirements against which PSN Compliance is verified.
See Code of Interconnection.
A public and detailed assertion made by an Applicant to achieve and maintain PSN Compliance Certification, written into a Code.
For organisations following the HMG Security Policy Framework, the Compliance Officer will normally be the Accreditor. For organisations not following the HMG Security Policy Framework (and not doing formal accreditation) the Compliance Officer will be the individual responsible for decisions on the suitability of risk mitigation measures; this may be the Risk Manager.
Compliance Warning Notice
A written notice from the PSNA to the PSN Service Provider or PSN Customer warning that its PSN Compliance Certificate is under threat of being rescinded.
The individual obligations underpinning PSN Compliance. These cover the areas of: Governance; Technical Interoperability; Service Management; Commercial; and Information Assurance and Accreditation.
All personal data and any information, however it is conveyed, that relates to the business, affairs, developments, trade secrets, know-how, personnel, and suppliers of the Public Services Network Authority, any Crown Body, or any other Contracting Authority, including all Intellectual Property Rights, together with all information derived from any of the above, and any other information clearly designated as being confidential (whether or not it is marked “confidential”) or which ought reasonably be considered to be confidential.
Contracting Authority or Contracting Authorities
Any contracting authority as defined in Regulation 5(2) of the Public Contracts (Works, Services and Supply) (Amendment) Regulations 2000 other than the Authority.
See Code of Practice.
Critical National Infrastructure
Within the nine national infrastructure sectors (energy, food, water, transport, communications, government, emergency services, health and finance) there are critical elements (these may be physical or electronic), the loss or compromise of which would have a major detrimental impact on the availability or integrity of essential services, leading to severe economic or social consequences or to loss of life. These critical elements of infrastructure comprise the nation’s critical national infrastructure.
Any department, office or agency of the Crown.
See CESG Tailored Assurance Service.
The situation in which the PSN Services will be consumed. This encompasses the networks, systems, processes and staff of the PSN Customer’s and its PSN Service Consumers’ organisations.
Deed of Undertakings
The agreements of the same title between a Candidate GCNSP or a GCN Service Provider and the Cabinet Office in relation to the provision of GCN services.
A device that is attached to a communication network and can use services provided by the network to exchange data with other attached systems. This includes both clients and servers.
Direct Network Service
A PSN Compliant network with direct connectivity to the GCN.
Direct Network Service Providers
PSN Service Providers that have fulfilled the terms of the PSN Code of Interconnection, and which may as a result connect directly to the GCN.
See Direct Network Service Provider.
See Deed of Undertakings.
A Change that must be introduced as soon as possible.
Any detectable or discernible occurrence that has significance for the management or delivery of PSN Services.
The process responsible for managing Events throughout their lifecycle.
Forward Schedule of Change
A document that lists the upcoming Changes that will be implemented in the next period.
See Government Conveyance Network.
GCN Service Agreement
The agreement between the GCNSP and Direct Network Service Providers for the provision of access to and use of the GCN Services.
GCN Service Provider
An entity that intends to or currently provides GCN services, and that has a current GCN Compliance Certificate for its GCN services (including GCN Services).
The GCNSP’s services relating to its provision of the GCN.
See GCN Service Provider.
Government Conveyance Network
The total network of all GCN services provided by all GCN Service Providers.
Government Secure Intranet.
A computer that is attached to a communication network and can use services provided by the network to exchange data with other attached systems. This includes both clients and servers.
See Information Assurance.
IA Conditions Compliance Group
The body responsible for: (1) setting and maintaining IA Conditions on behalf of the PSNA and the PSN AP; and (2) conducting or overseeing IA-related PSN Compliance Verification activities.
See Impact Level.
Impact Levels are the UK Government’s standard method of assessing the impact of possible compromises to the Confidentiality, Integrity or Availability of information throughout the public sector and Critical National Infrastructure (CNI), as mandated by Requirements 11 and 33 of the Security Policy Framework – www.cabinetoffice.gov.uk/spf.aspx. They are defined in Business Impact Level Tables contained in document “HMG Information Assurance Standard No. 1”, the relevant extract from which may be obtained from the CESG website at www.cesg.gov.uk/policy_technologies/policy/policy.shtml.
An unplanned interruption to a service or a reduction in the quality of a service.
The process responsible for managing the lifecycle of all Incidents. The primary objective of Incident Management is to return the service to operation as quickly as possible.
Information Asset Owner
The role of the Information Asset Owner is to understand what information is held and in what form, how it is added and removed, who has access to it, and why. They are tasked with ensuring that the best use is made of information received, and they receive and respond to requests from others for access to information.
The confidence that information systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users.
A member of the Cabinet Office Board, most likely at Permanent Secretary level, with responsibility for IA governance and risk ownership for the whole of the Public Services Network on behalf of Government. This is the person who is accountable to the Cabinet Office for Information Assurance and Risk Management of the Public Services Network.
Joint Academic Network.
See Joint Major Incident Team.
Joint Major Incident Team
A virtual team comprising PSN Customers, PSN Service Providers and the Service Bridge, instigated to manage Major Incidents, Incidents spanning several PSN Service Providers or Incidents for which no PSN Service Provider accepts responsibility.
An Incident that results in significant disruption to public sector organisations.
A collection of hosts together with the network through which they can exchange data as part of a single security domain.
All changes are classified as Normal, unless a decision is taken that they should be Standard or Emergency.
8am to 5pm, Monday to Friday, excluding English Public Bank holidays.
Pan Government Accreditor
An Accreditor, independent of any department, who takes a pan-Government perspective.
Portable Electronic Device. Any portable electronic device that has the ability to transmit, record, or store information. It may be a laptop, mobile telephone or other wireless data/information transmission device, or a Personal Digital Assistant.
See Pan Government Accreditor.
Point of Connection.
Point of Interconnection
The root cause of one or more Incidents.
The process responsible for managing the lifecycle of all Problems. The primary objectives of Problem Management are to prevent Incidents from happening and to minimise the impact of Incidents that cannot be prevented.
See Public Services Network.
PSN Accreditation Panel
The PSN Information Assurance Accreditation Panel is the accreditation authority for the PSN and forms part of the PSN Authority.
PSN Aggregated Network
A PSN Aggregated Network exists where a number of organisations providing or consuming network services form a single legal entity that co-operates to share onward connections to the GCN or a DNSP, and which therefore, together, becomes a PSNSP or a DNSP.
PSN AP or PSNAP
See PSN Accreditation Panel.
See Public Services Network Authority.
The process to ensure adherence to the rules, conditions and obligations identified in the PSN Codes.
PSN Compliance Certificate
The certificate awarded to the individual PSN Customer Environments, GCN Services and PSN Services (data and business services plus communications infrastructure) that make up the PSN.
PSN Compliance Certification
The process of certifying a PSN Customer Environment, GCN Service or PSN Service.
PSN Compliance Verification
The processes of review and assurance to verify that the PSN Service or Customer Environment satisfies the criteria set out in a Code.
A state describing ongoing adherence to the rules, conditions and obligations identified in a signed Code.
The PSN Service Consumer who has achieved PSN Compliance Certification for their PSN Customer Environments and who holds PSN Supply Agreement(s) with PSN Service Providers for the services concerned.
PSN Design Authority
The PSN Design Authority is an element of the PSNA and provides assurance that all approved changes to the PSN are consistent with the PSN vision and principles.
PSN Framework Agreement
An agreement between a PSN Framework Authority and PSN Service Providers, the purpose of which is to establish the terms governing contracts to be awarded during a given period, in particular with regard to price and quality.
PSN Framework Authority
The body that develops and subsequently manages PSN Framework Agreements.
A service which is offered by a PSN Service Provider and for which a PSN Compliance Certification has been awarded by the Public Services Network Authority.
PSN Service Bridge
A central, operational service management function that falls under the remit of the PSNA. Its main purpose is the co-ordination of the response to Major Incidents and Changes.
PSN Service Consumer
An organisation which uses PSN Services (including PSN Customers).
PSN Service Provider
An organisation that is supplying or is approved to supply PSN Services in accordance with the CoP or CoICo. This includes DNSPs but not GCNSPs.
PSN Supply Agreement
Either a contract or – if it is between Public Sector bodies – a Memorandum of Understanding to deliver PSN Services.
See Public Services Network Authority.
PSNGB Limited, a UK registered company (company registration number 07525501) that acts as a trade association for PSN Service Providers to promote the use of the PSN.
See PSN Service Provider.
Public Sector Network
Previous name for the PSN, now superseded by Public Services Network.
Public Services Network
The network of networks delivered through multiple service providers, as further detailed in the PSN Operating Model.
Public Services Network Authority
An office of the Cabinet Office.
A collection of hardware, software, documentation, process or other components required to implement one or more approved Changes to PSN Services. The contents of each Release are managed, tested and deployed as a single entity.
The process responsible for planning, scheduling and controlling the movement of Releases to test and live environments. The primary objective of Release Management is to ensure that the integrity of the live environment is protected and that the correct components are released.
Request for Change
A formal proposal for a Change to be made.
Process of coordinating activities to direct and control an organisation with regard to risk.
The Risk Manager is responsible for the evaluation of an organisation’s exposure to risk and for controlling these exposures through such means as mitigation, avoidance, management or transference.
The Risk Owner accepts responsibility for ensuring that Information Systems (IS) risk within an organisation is managed appropriately. The Risk Owner should hold a position at Board level and understand how the strategic business goals of the organisation may be impacted by IS failures. Within central government, this role is taken by the Senior Information Risk Owner (SIRO).
Risk Management and Accreditation Document Set.
Risk Management & Accreditation Reference Document.
A business domain (network or environment) operating at a common, defined and consistent Impact Level profile (e.g. IL224). A Security Domain may contain data at all levels up to and including the defined Impact Level profile; it may also contain areas separated by ‘need-to-know’ requirements.
Any adverse event whereby some aspect of computer security could be threatened: loss of data confidentiality, disruption of data or system integrity, or loss or denial of availability.
Senior Information Risk Owner
The individual with specific responsibility for security and information assurance/risk matters, and who leads a department’s response to Data Handling Procedures in Government: Final Report [A] and is responsible for approving any deviation from a department’s information risk policy.
A network entity that provides a service to other network entities.
A PSN Service Provider or a GCN Service Provider.
The state of a PSN Service, in relation to thresholds defined in the Service Level Agreement for that PSN Service. Possible states are: ‘up’, ‘down’, ‘impacted’, ‘degraded’, ‘oversubscribed’ and ‘investigating’.
A number between 1 and 4 used to categorise the urgency and impact of an Incident. It is determined by the PSN Customer who holds the supply agreement for the PSN Service that is affected. They are expected to take account of any other PSN Service Consumers who may be using the service, as well as their own users.
An Event that results in a change of Service State, or a Security Incident.
From an IA perspective, a Public Sector sponsor (SIRO or equivalent) required to take responsibility for PSN connections provided to commercial or other non-Public Sector organisations.
A pre-authorised Change of low impact and low probability that has previously been carried out successfully with no impact on service.
Technical Domain Description.
A person, organisation, or automated process that accesses a network.
Virtual Points of Connection
Restricted geographic environments where a DNSP can access the GCN, the locations of which are provided in the GCN Service Description.
See Virtual Points of Connection.
Any day from Monday to Friday, excluding English Public Bank holidays.